iptables rules for home server

iptables rules for home server:

real network, virtual network, NAT, UPnP, services and port forwarding;
output traffic is accepted and unsolicited input traffic is dropped by default.

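#!/bin/bash
# iptables rules for a home server acting as a NAT gateway.
# Must run as root. Flushes the filter and nat tables, then rebuilds them;
# rules are first-match, so the order below matters.
# Deliberately no `set -e`: one rejected rule should not stop the rest of
# the ruleset from being tried.

#Variables
IPT=/sbin/iptables
UNPRIPORTS="1024:65535"   # unprivileged port range; not referenced in this part of the script
ext_if="eth0"             # Internet-facing interface
int_if="eth1"             # internal (trusted) network
virt_if1="vmbr1"          # virtualisation interfaces, treated as trusted like $int_if
virt_if2="venet0"
laptop="172.16.0.3"       # DNAT target for the torrent and PSI forwards below

#Default polices
# INPUT is default-deny; FORWARD and OUTPUT are default-allow, so the ACCEPT
# rules below only matter for INPUT (and the nat table). With FORWARD ACCEPT,
# anything routed through this host is forwarded unless a FORWARD rule blocks
# it — no such rule exists in this part of the script.
"$IPT" -P INPUT DROP
"$IPT" -P FORWARD ACCEPT
"$IPT" -P OUTPUT ACCEPT

#Flush all
# Policies are set first so INPUT stays closed while the rules are rebuilt.
"$IPT" -F
"$IPT" -X
"$IPT" -t nat -F
"$IPT" -t nat -X

#DHCP queries
# Replies from the upstream DHCP server (67 -> 68) on the external interface.
"$IPT" -A INPUT -p udp -m udp -i "$ext_if" --dport 68 --sport 67 -j ACCEPT

#loopback
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT

#internal network
# Everything arriving on the LAN interface is accepted, no port restrictions.
"$IPT" -A INPUT -i "$int_if" -j ACCEPT
"$IPT" -A OUTPUT -o "$int_if" -j ACCEPT

#virtual network
"$IPT" -A INPUT -i "$virt_if1" -j ACCEPT
"$IPT" -A OUTPUT -o "$virt_if1" -j ACCEPT
"$IPT" -A INPUT -i "$virt_if2" -j ACCEPT
"$IPT" -A OUTPUT -o "$virt_if2" -j ACCEPT

#Multicast
# 224.0.0.0/240.0.0.0 is the same range as 224.0.0.0/4.
"$IPT" -A FORWARD -d 224.0.0.0/240.0.0.0 -j ACCEPT
"$IPT" -A FORWARD -s 224.0.0.0/240.0.0.0 -j ACCEPT
"$IPT" -A INPUT  -m pkttype --pkt-type multicast -j ACCEPT
"$IPT" -A OUTPUT -m pkttype --pkt-type multicast -j ACCEPT
"$IPT" -A INPUT  --protocol igmp -j ACCEPT
"$IPT" -A OUTPUT --protocol igmp -j ACCEPT
# The original had the address wrapped in « » quote characters, which iptables
# rejects as an invalid address, so these two rules were never loaded.
"$IPT" -A INPUT  --dst 224.0.0.0/4 -j ACCEPT
"$IPT" -A OUTPUT --dst 224.0.0.0/4 -j ACCEPT

#ESTABLISHED
# Return traffic for connections initiated from inside (or by this host).
"$IPT" -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#UPnP
# Empty user chain that a UPnP daemon is expected to populate; it is only
# consulted from FORWARD, and an empty chain simply returns.
"$IPT" -N UPNP
"$IPT" -A FORWARD -j UPNP

#ICMP
# All ICMP types are accepted on every interface, including $ext_if.
"$IPT" -A INPUT -p icmp -j ACCEPT

#TRACEROUTE
# UDP probe range used by traceroute, so the host answers with port-unreachable.
"$IPT" -A INPUT -p udp --dport 33434:33500 -j ACCEPT

#SSH server
# SSH is reachable from the Internet on port 22 with no source or rate limit.
"$IPT" -A INPUT -p tcp -m tcp -i "$ext_if" --dport 22 -j ACCEPT

#NAT
# Masquerades everything leaving $ext_if, regardless of source address;
# combined with FORWARD ACCEPT this NATs any network routed through the host.
"$IPT" -t nat -A POSTROUTING -o "$ext_if" -j MASQUERADE

##Web
#Ruby
# Internal clients hitting the public name are redirected to the same backend.
# The hostname is resolved once, when the rule is loaded: if DNS is not
# available at that moment (e.g. early at boot) this rule fails to load.
"$IPT" -t nat -A PREROUTING -i "$int_if" -p tcp --source 172.16.0.0/24 --destination nozdrik.ru --dport 80 -j DNAT --to 10.0.0.12:4567
"$IPT" -t nat -A PREROUTING -i "$ext_if" -p tcp --dport 80 -j DNAT --to-destination 10.0.0.12:4567

#TORRENT DHT at laptop
"$IPT" -t nat -A PREROUTING -i "$ext_if" -p udp --dport 7881 -j DNAT --to-destination "$laptop:7881"
"$IPT" -t nat -A PREROUTING -i "$ext_if" -p tcp --dport 6881 -j DNAT --to-destination "$laptop:6881"
"$IPT" -t nat -A PREROUTING -i "$ext_if" -p tcp --dport 8881 -j DNAT --to-destination "$laptop:8881"

#PSI at laptop
"$IPT" -t nat -A PREROUTING -i "$ext_if" -p tcp --dport 60000 -j DNAT --to-destination "$laptop:60000"
"$IPT" -t nat -A PREROUTING -i "$ext_if" -p udp --dport 60000 -j DNAT --to-destination "$laptop:60000"
"$IPT" -t nat -A PREROUTING -i "$ext_if" -p udp --dport 60001 -j DNAT --to-destination "$laptop:60001"
"$IPT" -t nat -A PREROUTING -i "$ext_if" -p udp --dport 60002 -j DNAT --to-destination "$laptop:60002"
"$IPT" -t nat -A PREROUTING -i "$ext_if" -p udp --dport 60003 -j DNAT --to-destination "$laptop:60003"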