iptables example

iptables

*nat
:PREROUTING ACCEPT [0.0]
:INPUT ACCEPT [0.0]
:OUTPUT ACCEPT [0.0]
:POSTROUTING ACCEPT [0.0]

-A POSTROUTING -o enp1s0 -j MASQUERADE
# -A PREROUTING -p tcp -m tcp -i enp1s0 --dport 80 -j DNAT --to-destination 192.168.1.100:80

COMMIT

*filter
:INPUT ACCEPT [0.0]
:FORWARD ACCEPT [0.0]
:OUTPUT ACCEPT [0.0]

# SERVICE RULES
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 -p icmp -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT

-A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable

# -A INPUT -i enp2s0 -s 192.168.1.100/24 -p tcp --dport 53 -j ACCEPT
# -A INPUT -i enp2s0 -s 192.168.1.100/24 -p tcp --dport 22 -j ACCEPT
# -A INPUT -i enp2s0 -s 192.168.1.100/24 -p udp --dport 67:68 -j ACCEPT
-A INPUT -i enp2s0 -s 192.168.1.100/24 -j ACCEPT

-A INPUT -j DROP


# FORWARDING RULES

-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A FORWARD -i enp2s0 -o enp1s0 -j ACCEPT

# -A FORWARD -p tcp -d 192.168.1.100 --dport 80 -j ACCEPT

-A FORWARD -j DROP

COMMIT

job

[Unit]
Description = Apply iptables rules

[Service]
Type=oneshot
ExecStart=/bin/sh -c 'iptables-restore < /etc/network/iptables'

[Install]
WantedBy=network-pre.target