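######################################
#                                    #
#           EXAMPLE                  #
# Read this file before using fire   #
#                                    #
######################################


#
# By default all, except already established/related connections, is blocked
# See /usr/lib/fire/fire-header for details
#
# Every rule below is appended (-A) after the header's defaults, so each
# ACCEPT here widens the policy: keep the set as small as the host's role allows.
#

###############################
######### INPUT ###############
###############################

# pings for diagnostics
# NOTE(review): echo-request is accepted without a rate limit; on an exposed
# host consider adding "-m limit" (as the LOG example at the bottom does) so a
# ping flood cannot consume the host.
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

# minimum icmpv6 for neighbour discovery
# --hl-eq 255 only admits solicitations/advertisements that were not routed
# (RFC 4861 requires hop limit 255, so off-link hosts cannot inject them)
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT

# pings for diagnostics
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT
ip6tables -A FORWARD -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT
ip6tables -A OUTPUT -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT


# Initially open ssh
# IPv4 only: there is no matching ip6tables rule, so ssh over IPv6 stays
# blocked by the header default. This accepts NEW connections from ANY source;
# once out-of-band access is confirmed, replace it with the trusted-address
# variant below. "--state NEW" matches the other rules in this file, so
# packets the tracker cannot classify are not let through by this line.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT -m state --state NEW

# EXAMPLE Trusted IP addresses
#TRUSTED_IP="{ 127.0.0.1 192.168.0.2 10.10.10.3 }"
#EXT_ETH="eth0"
#iptables -A INPUT -i $EXT_ETH -p tcp -s $TRUSTED_IP --dport 22 -j ACCEPT -m state --state NEW
#TRUSTED_IP="{ ::1 ::2 ::3 }"
#ip6tables -A INPUT -i $EXT_ETH -p tcp -s $TRUSTED_IP --dport 22 -j ACCEPT -m state --state NEW

###############################
######### FORWARD #############
###############################

#
# nat example
#

#LAN_ETH=br1
#LAN_IP="172.16.18.0/24"
#WAN_ETH=eth3
#WAN_IP="10.11.12.13"

#iptables -t nat -A POSTROUTING -s $LAN_IP -o $WAN_ETH -j SNAT --to-source $WAN_IP
#iptables -A FORWARD -i $LAN_ETH -o $WAN_ETH -s $LAN_IP -j ACCEPT -m state --state NEW


#
# rdr example
#

#LAN_ETH=br1
#LAN_IP="172.16.18.51"
#WAN_ETH=eth3
#WAN_IP="10.11.12.13"

#PORT="{ 80 443 15000 }"
#PROTO=tcp
#iptables -A PREROUTING -t nat -j DNAT -p $PROTO -i $WAN_ETH -d $WAN_IP --dport $PORT --to-destination $LAN_IP
#iptables -A FORWARD -p $PROTO --dport $PORT -i $WAN_ETH -o $LAN_ETH -d $LAN_IP -j ACCEPT -m state --state NEW


#
# bridge example
#

# traffic from the database host to the web server on the same bridge pair
# (--physdev-in / --physdev-out take bridge port names, not addresses)
#BRIDGE=br1
#LAN_ETH=eth1
#LAN_IP="172.16.18.51"
#WAN_ETH=eth3
#WAN_IP="10.11.12.13"

#iptables -A FORWARD -i $BRIDGE -o $BRIDGE -m physdev --physdev-in $LAN_ETH --physdev-out $WAN_ETH -s $LAN_IP -j ACCEPT -m state --state NEW

###############################
######### OUTPUT ##############
###############################

# all output is legal
iptables -A OUTPUT -p all -j ACCEPT -m state --state NEW

################################
########## Log all dropped #####
################################
#
# These must stay the LAST rules of each chain so only traffic that matched
# nothing above (i.e. what the header's default will drop) is logged; the
# limit keeps a flood from filling the log.
#
#log_limit="-m limit --limit 600/m "
#
#iptables -A INPUT -p all -j LOG $log_limit
#iptables -A FORWARD -p all -j LOG $log_limit
#iptables -A OUTPUT -p all -j LOG $log_limit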