#!/bin/sh

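# Host firewall for a container node: the containers ("VEs") sit behind
# $INT_DEV (venet0, 10.0.0.0/8) and reach the outside through $EXT_DEV (eth0).
#
# Ordering is deliberate for a script that is usually run over SSH:
#   1. load modules and flush the previous rule set, so re-running does not
#      append a second copy of every rule (the original only ever used -A);
#   2. install the ACCEPT rules, loopback and ESTABLISHED first;
#   3. only then switch the policies to DROP and enable IP forwarding, so
#      there is no window in which forwarding is on while FORWARD is still
#      at its default ACCEPT policy.
set -u

modprobe ip_tables
modprobe iptable_nat
modprobe iptable_filter
modprobe iptable_mangle

# NOTE(review): the FTP conntrack/NAT helper is loaded although no rule in
# this script allows port 21 in either direction.  Helpers enlarge the
# attack surface (the RELATED entries they create are accepted below), so
# these two lines should go unless something on this host really needs
# active-mode FTP.  Kept for now because that cannot be decided from here.
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

EXT_DEV=eth0
INT_DEV=venet0
INT_NET=10.0.0.0/8

# Clean slate for the two tables this script manages; policies are set
# explicitly at the end.  (mangle is loaded above but no rule uses it.)
iptables -F
iptables -t nat -F

# --- FORWARD: what the containers may reach through this host -----------
# Return traffic for flows conntrack already knows.
# NOTE(review): "DNAT" matches any packet of a DNATed connection regardless
# of state.  There is no DNAT rule in this script, so it is inert today,
# but every port-forward added later will be admitted by it automatically.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED,DNAT -j ACCEPT

# Container traffic that does NOT leave via $EXT_DEV (e.g. container to
# container, routed through the host) is accepted as before.  The original
# rule had no "! -o" and therefore accepted *everything* from $INT_DEV,
# which made the per-port allow list below unreachable -- containers could
# connect to anything.  Restricting it to non-$EXT_DEV egress is what makes
# the allow list effective.
iptables -A FORWARD -i "$INT_DEV" -s "$INT_NET" ! -o "$EXT_DEV" -j ACCEPT

# Outbound via $EXT_DEV is allow-list only (FORWARD policy is DROP):
# submit server (830-831), hub web server (80/443) and DNS.  "-s $INT_NET"
# matches the MASQUERADE selection below, so a spoofed source on $INT_DEV
# can no longer leave un-NATed.  ICMP (ping) is not on the list and is
# dropped here, although an icmp MASQUERADE rule exists below -- add an
# "-p icmp" ACCEPT if containers are meant to ping out.
iptables -A FORWARD -i "$INT_DEV" -s "$INT_NET" -o "$EXT_DEV" -p tcp --dport 830:831 -j ACCEPT
iptables -A FORWARD -i "$INT_DEV" -s "$INT_NET" -o "$EXT_DEV" -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i "$INT_DEV" -s "$INT_NET" -o "$EXT_DEV" -p tcp --dport 443 -j ACCEPT
# UDP only, as in the original; DNS over TCP (truncated answers) is not
# forwarded -- add "-p tcp --dport 53" if the resolvers need it.
iptables -A FORWARD -i "$INT_DEV" -s "$INT_NET" -o "$EXT_DEV" -p udp --dport 53 -j ACCEPT

# Source NAT for container traffic leaving via $EXT_DEV.  The explicit
# port range is preserved from the original (presumably to keep NATed
# flows away from ports the host uses itself -- confirm with the owner).
# Protocols other than tcp/udp/icmp are not NATed; the FORWARD rules above
# do not let them out via $EXT_DEV anyway.
iptables -t nat -A POSTROUTING -s "$INT_NET" -o "$EXT_DEV" -p tcp -j MASQUERADE --to-ports 10000-50000
iptables -t nat -A POSTROUTING -s "$INT_NET" -o "$EXT_DEV" -p udp -j MASQUERADE --to-ports 10000-50000
iptables -t nat -A POSTROUTING -s "$INT_NET" -o "$EXT_DEV" -p icmp -j MASQUERADE

# --- INPUT: services exposed by the host itself --------------------------
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Reachable from anywhere: ssh, smtp, mysql, ldap.
# NOTE(review): mysql (3306) and ldap (389) are open to the whole Internet
# here.  Left as-is because the original explicitly wants it, but they are
# normally restricted to $INT_DEV and trusted admin networks.
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport smtp -j ACCEPT
iptables -A INPUT -p tcp --dport mysql -j ACCEPT
iptables -A INPUT -p tcp --dport ldap -j ACCEPT

# http/https/http-alt(vncproxy) from everywhere.  The original also had
# $INT_DEV-only copies of these three rules; they were fully shadowed by
# the unrestricted ones and are dropped.  Only the submit ports stay
# container-only.
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport https -j ACCEPT
iptables -A INPUT -p tcp --dport http-alt -j ACCEPT
iptables -A INPUT -i "$INT_DEV" -p tcp --dport 830:831 -j ACCEPT

# groupauth port.
iptables -A INPUT -p tcp --dport 1170 -j ACCEPT
# Ping (all ICMP types, as before).
iptables -A INPUT -p icmp -j ACCEPT

# Default-deny now that the allow rules are in place.  OUTPUT is untouched
# (ACCEPT), as in the original.
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Enable routing only after the FORWARD policy is DROP.
echo 1 > /proc/sys/net/ipv4/ip_forward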

