rules.sh

#!/bin/sh
# 10.0.1.130 is my home router (testing before I physically move the servers)
EXTERNAL_NIC="enp3s0"
INTERNAL_NIC="enp5s0"

# flush everything
iptables -F
iptables -X

# set default policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# allow loopback free reign
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# allow internal nic free reign
iptables -A INPUT -i $INTERNAL_NIC -j ACCEPT
iptables -A OUTPUT -o $INTERNAL_NIC -j ACCEPT

# allow internal nic to get to external nic
iptables -A INPUT -i $INTERNAL_NIC -o $EXTERNAL_NIC -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_NIC -i $INTERNAL_NIC -j ACCEPT
iptables -A FORWARD -i $INTERNAL_NIC -o $EXTERNAL_NIC -j ACCEPT
iptables -A FORWARD -i $EXTERNAL_NIC -o $INTERNAL_NIC -j ACCEPT

# allow traffic on specific ports of external nic
iptables -A INPUT -i $EXTERNAL_NIC -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_NIC -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_NIC -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_NIC -p tcp --dport 53 -j ACCEPT

# enable masquerading
iptables -t nat -A POSTROUTING -o $EXTERNAL_NIC -j MASQUERADE