rules.v4

## FILTER ##

*filter

:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

:UDP - [0:0]
:TCP - [0:0]
:ICMP - [0:0]

# Acceptable UDP traffic
-A UDP -p udp --dport 655 -j ACCEPT

# Acceptable TCP traffic
-A TCP -p tcp --dport 22 -j ACCEPT
-A TCP -p tcp --dport 655 -j ACCEPT

# Acceptable ICMP traffic
-A ICMP -p icmp --icmp-type echo-request -j ACCEPT

# Boilerplate acceptance policy
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT

# Drop invalid packets
-A INPUT -m conntrack --ctstate INVALID -j DROP

# Pass traffic to protocol-specific chains
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-A INPUT -p icmp -m conntrack --ctstate NEW -j ICMP

# Reject anything that's fallen through to this point
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable

# Rules to forward ports to server
-A FORWARD -i eth0 -o tun0 -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i eth0 -o tun0 -p tcp --syn --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i eth0 -o tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i tun0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

COMMIT


## NAT ##

*nat

:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Rules to translate requests to server
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.10.10.21
-A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.10.10.21
-A POSTROUTING -d 10.10.10.21 -o tun0 -p tcp --dport 80 -j SNAT --to-source 10.10.10.12
-A POSTROUTING -d 10.10.10.21 -o tun0 -p tcp --dport 443 -j SNAT --to-source 10.10.10.12

COMMIT