#!/bin/sh
function get_addr()
{
IFCONFIG='/sbin/ifconfig';
HEAD='head -2';
TAIL='tail -1';
CUT='cut -d: -f2';
IP=`$IFCONFIG $1 | $HEAD | $TAIL | awk '{print $2}' | $CUT`;
echo $IP;
}

EXTDEV="ppp0"
EXTDEV2="ppp1"

INETWORKIP="10.167.109.0/255.255.255.0"

INTDEV="eth0"

EXTERNALIP=`get_addr $EXTDEV`
ENETWORKIP=$EXTERNALIP+"/255.255.255.255"

EXTERNALIP2=`get_addr $EXTDEV2`
ENETWORKIP2=$EXTERNALIP2+"/255.255.255.255"

INTERNALIP=`get_addr $INTDEV`
LOOPBACK="127.0.0.1"
ANYWHERE="0.0.0.0/0"
PORTS="1024:65535"
INTDEV="ppp+"
/sbin/depmod -a
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_owner
/sbin/modprobe ipt_REJECT
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
for file in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $file
done

for file in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $file
done

for file in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $file
done

/sbin/iptables -F
/sbin/iptables -F -t nat
/sbin/iptables -N ALLOW_ICMP
/sbin/iptables -N ALLOW_PORTS
/sbin/iptables -N CHECK_FLAGS
/sbin/iptables -N DENY_PORTS
/sbin/iptables -N DST_EGRESS
/sbin/iptables -N KEEP_STATE
/sbin/iptables -N SRC_EGRESS

/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
/sbin/iptables -A INPUT -j ACCEPT -s $EXTERNALIP -d $ANYWHERE
/sbin/iptables -A INPUT -j ACCEPT -s $ANYWHERE -d $ANYWHERE -i $INTDEV
/sbin/iptables -A INPUT -j ACCEPT -s $ANYWHERE -d $ANYWHERE -i lo
/sbin/iptables -A INPUT -j ACCEPT -s $ANYWHERE -d $ANYWHERE -i $EXTDEV -m state --state RELATED,ESTABLISHED
/sbin/iptables -A INPUT -j ACCEPT -p icmp -s $ANYWHERE -d $ANYWHERE
/sbin/iptables -A INPUT -j ACCEPT -p udp -s $INETWORKIP --sport 53 -d $ANYWHERE
/sbin/iptables -A INPUT -j ACCEPT -s $EXTERNALIP2 -d $ANYWHERE
/sbin/iptables -A INPUT -j ACCEPT -s $ANYWHERE -d $ANYWHERE -i $EXTDEV2 -m state --state RELATED,ESTABLISHED


/sbin/iptables -P OUTPUT DROP
/sbin/iptables -A OUTPUT -j ACCEPT -s $ANYWHERE -d $ANYWHERE -o $INTDEV
/sbin/iptables -A OUTPUT -j ACCEPT -s $ANYWHERE -d $EXTERNALIP
/sbin/iptables -A OUTPUT -j ACCEPT -s $ANYWHERE -d $ANYWHERE -o lo
/sbin/iptables -A OUTPUT -j ACCEPT -s $ANYWHERE -d $ANYWHERE -o $EXTDEV -m state --state RELATED,ESTABLISHED
/sbin/iptables -A OUTPUT -j ACCEPT -p udp -s $EXTERNALIP -d $ANYWHERE --dport 53
/sbin/iptables -A OUTPUT -j ACCEPT -p icmp -s $ANYWHERE -d $ANYWHERE
/sbin/iptables -A OUTPUT -j ACCEPT -s $ANYWHERE -d $ANYWHERE -o $EXTDEV -m state --state RELATED,ESTABLISHED
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -A FORWARD -j ACCEPT -s $ANYWHERE -d $ANYWHERE -i $INTDEV
/sbin/iptables -A FORWARD -j ACCEPT -p icmp -s $ANYWHERE -d $ANYWHERE -i $INTDEV
/sbin/iptables -A OUTPUT -j ACCEPT -s $ANYWHERE -d $EXTERNALIP2
/sbin/iptables -A OUTPUT -j ACCEPT -s $ANYWHERE -d $ANYWHERE -o $EXTDEV2 -m state --state RELATED,ESTABLISHED
/sbin/iptables -A OUTPUT -j ACCEPT -p udp -s $EXTERNALIP2 -d $ANYWHERE --dport 53
/sbin/iptables -A OUTPUT -j ACCEPT -s $ANYWHERE -d $ANYWHERE -o $EXTDEV2 -m state --state RELATED,ESTABLISHED


/sbin/iptables -t nat -A POSTROUTING -j SNAT -s 10.167.109.200 -d $ANYWHERE -o $EXTDEV --to $EXTERNALIP
/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE -s 10.167.109.200 -d $ANYWHERE -o $EXTDEV
/sbin/iptables -t nat -A POSTROUTING -j SNAT -s 10.167.109.200 -d $ANYWHERE -o $EXTDEV2 --to $EXTERNALIP2
/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE -s 10.167.109.200 -d $ANYWHERE -o $EXTDEV2

/sbin/iptables -A INPUT -j ACCEPT -s 10.167.109.200 -d 10.167.109.199
/sbin/iptables -A OUTPUT -j ACCEPT -s 10.167.109.199 -d 10.167.109.200