export WAN=eth0
export LAN=eth1

# Flush Rules
iptables -F
iptables -t nat -F

# Setup default policies to handle unmatched traffic
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Lock our services so they only work from the LAN
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT

# Allow access to our local services on WAN
iptables -A INPUT -p TCP --dport ssh  -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport ftp  -i ${WAN} -j ACCEPT
#iptables -A INPUT -p TCP --dport http -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport auth -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport 6890:6999 -i ${WAN} -j ACCEPT
iptables -A INPUT -p UDP --dport 6890:6999 -i ${WAN} -j ACCEPT

# Drop TCP / UDP packets to privileged ports
iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP

# Finally we add the rules for NAT
iptables -I FORWARD -i ${LAN} -d 10.0.0.0/255.255.255.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 10.0.0.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 10.0.0.0/255.255.255.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

# Tell the kernel that ip forwarding is OK
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

# Port Forwarding
#iptables -t nat -A PREROUTING -p tcp --dport 1122  -i ${WAN} -j DNAT --to 10.0.0.35:22
#iptables -t nat -A PREROUTING -p udp --dport 4444  -i ${WAN} -j DNAT --to 10.0.0.35
#iptables -t nat -A PREROUTING -p udp --dport 20800  -i ${WAN} -j DNAT --to 10.0.0.35
#iptables -t nat -A PREROUTING -p udp --dport 20810  -i ${WAN} -j DNAT --to 10.0.0.35
#iptables -t nat -A PREROUTING -p udp --dport 28960:28970 -i ${WAN} -j DNAT --to 10.0.0.35
#iptables -t nat -A PREROUTING -p udp --dport 13389  -i ${WAN} -j DNAT --to 10.0.0.171:3389
#iptables -t nat -A PREROUTING -p udp --dport 46991  -i ${WAN} -j DNAT --to 10.0.0.35:46991
#iptables -t nat -A PREROUTING -p tcp --dport 46991  -i ${WAN} -j DNAT --to 10.0.0.35:46991


iptables -t nat -A PREROUTING -p tcp --dport 8000  -i ${WAN} -j DNAT --to 10.0.0.40
iptables -t nat -A PREROUTING -p tcp --dport 4662  -i ${WAN} -j DNAT --to 10.0.0.40
iptables -t nat -A PREROUTING -p tcp --dport 5900  -i ${WAN} -j DNAT --to 10.0.0.40
iptables -t nat -A PREROUTING -p tcp --dport 59803 -i ${WAN} -j DNAT --to 10.0.0.40
iptables -t nat -A PREROUTING -p udp --dport 59803 -i ${WAN} -j DNAT --to 10.0.0.40
iptables -t nat -A PREROUTING -p tcp --dport 2222  -i ${WAN} -j DNAT --to 10.0.0.40
iptables -t nat -A PREROUTING -p tcp --dport 5901  -i ${WAN} -j DNAT --to 10.0.0.40
iptables -t nat -A PREROUTING -p tcp --dport 9090  -i ${WAN} -j DNAT --to 10.0.0.42
iptables -t nat -A PREROUTING -p tcp --dport 3389  -i ${WAN} -j DNAT --to 10.0.0.230

# WoW
iptables -t nat -A PREROUTING -p tcp --dport 1119  -i ${WAN} -j DNAT --to 10.0.0.40
iptables -t nat -A PREROUTING -p tcp --dport 1120  -i ${WAN} -j DNAT --to 10.0.0.40
iptables -t nat -A PREROUTING -p udp --dport 3724  -i ${WAN} -j DNAT --to 10.0.0.40
iptables -t nat -A PREROUTING -p tcp --dport 3724  -i ${WAN} -j DNAT --to 10.0.0.40
iptables -t nat -A PREROUTING -p tcp --dport 6112  -i ${WAN} -j DNAT --to 10.0.0.40
iptables -t nat -A PREROUTING -p tcp --dport 6881:6999 -i ${WAN} -j DNAT --to 10.0.0.40

iptables -t nat -A PREROUTING -p tcp --dport 80  -i ${WAN} -j DNAT --to 10.0.0.40
iptables -t nat -A PREROUTING -p tcp --dport 443  -i ${WAN} -j DNAT --to 10.0.0.23

#playstation test
iptables -t nat -A PREROUTING -p udp --dport 3074  -i ${WAN} -j DNAT --to 10.0.0.23
iptables -t nat -A PREROUTING -p udp --dport 3075  -i ${WAN} -j DNAT --to 10.0.0.23
iptables -t nat -A PREROUTING -p udp --dport 3478  -i ${WAN} -j DNAT --to 10.0.0.23
iptables -t nat -A PREROUTING -p udp --dport 3479  -i ${WAN} -j DNAT --to 10.0.0.23
iptables -t nat -A PREROUTING -p udp --dport 3658  -i ${WAN} -j DNAT --to 10.0.0.23
iptables -t nat -A PREROUTING -p udp --dport 10070 -i ${WAN} -j DNAT --to 10.0.0.23
iptables -t nat -A PREROUTING -p udp --dport 50100  -i ${WAN} -j DNAT --to 10.0.0.23
iptables -t nat -A PREROUTING -p tcp --dport 3074 -i ${WAN} -j DNAT --to 10.0.0.23
iptables -t nat -A PREROUTING -p tcp --dport 5223 -i ${WAN} -j DNAT --to 10.0.0.23
iptables -t nat -A PREROUTING -p tcp --dport 10070 -i ${WAN} -j DNAT --to 10.0.0.23
iptables -t nat -A PREROUTING -p tcp --dport 10080 -i ${WAN} -j DNAT --to 10.0.0.23

#block ID Software CD Key server
#iptables -A INPUT -p all -d 192.246.40.244 -j DROP

# http://www.gentoo.org/doc/en/home-router-howto.xml