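#! /bin/sh
#
# Small NAT + filtering ruleset: masquerade the internal LAN behind $ext_if,
# forward external HTTP to the internal web server ($comp3), and limit inbound
# traffic on $ext_if to $tcp_services and $icmp_types.
#
# NOTE(review): rules are only appended, never flushed, so running this script
# twice duplicates every rule. Flush the filter and nat tables before re-running.

# Stop at the first failing command or unset variable: a half-loaded ruleset
# may never reach the trailing REJECT rules and is then more permissive than
# intended.
set -eu

# macros
ext_if="fxp0"
int_if="xl0"

# Comma-separated port list, consumed by '-m multiport --dports'.
tcp_services="22,113"
# Whitespace-separated list of iptables ICMP type names.
icmp_types="ping"

comp3="192.168.0.3"

# nat/rdr
modprobe ip_nat_ftp
iptables -t nat -A POSTROUTING -o "$ext_if" -j MASQUERADE
# '-i' takes the interface name as its argument and belongs after the chain
# name; the original '-i -A PREROUTING $ext_if' ordering cannot be parsed.
iptables -t nat -A PREROUTING -i "$ext_if" -p tcp --dport 80 -j DNAT --to-destination "$comp3"

# filter rules
# Forward only from external to webserver.
iptables -A FORWARD -m state --state=ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i "$ext_if" -p tcp -d "$comp3" --dport 80 --syn -j ACCEPT

# From internal is fine, rest rejected.
iptables -A FORWARD -i "$int_if" -j ACCEPT
iptables -A FORWARD -j REJECT

# External can only come in to $tcp_services, and $icmp_types.
iptables -A INPUT -m state --state=ESTABLISHED,RELATED -j ACCEPT
# A plain '--dport' accepts one port or a range; a comma-separated list needs
# the multiport match, otherwise the rule is rejected and no SSH/ident rule
# is installed.
iptables -A INPUT -i "$ext_if" -p tcp -m multiport --dports "$tcp_services" --syn -j ACCEPT
# shellcheck disable=SC2086 -- word-splitting on $icmp_types is intended
for icmp in $icmp_types; do
    iptables -A INPUT -p icmp --icmp-type "$icmp" -j ACCEPT
done

# Internal and loopback are allowed to send anything.
iptables -A INPUT -i "$int_if" -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -j REJECT

# No funny-sourced packets in ext_if, please...
# rp_filter=1 enables strict reverse-path filtering: packets whose source
# address would not be routed back out through $ext_if are dropped.
echo 1 > "/proc/sys/net/ipv4/conf/$ext_if/rp_filter"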
