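#!/bin/bash
#
# IPv4 host firewall: default-deny on INPUT/OUTPUT/FORWARD, with inbound access
# limited to the listed internal subnets and two named hosts, then persisted
# through netfilter-persistent.
#
# Only /sbin/iptables is driven here; ip6tables is never called.
# NOTE(review): if IPv6 is enabled on this host its filtering has to be handled
# separately - confirm.
#
# A rule that fails to load is reported and the run continues (so the rules
# that keep existing sessions alive are still installed), but the ruleset is
# NOT saved in that case: persisting a half-built DROP policy would survive a
# reboot and could lock administrators out.

set -u

IPT=/sbin/iptables
IPTS=/usr/sbin/netfilter-persistent
IFLAN=enp1s0
IFWAN=enp1s0 # currently the same interface as IFLAN

status=0

# Run one firewall command; on failure print it to stderr and remember that
# the ruleset is incomplete.
apply() {
  if ! "$@"; then
    printf 'firewall: command failed: %s\n' "$*" >&2
    status=1
  fi
}

# -------------------------------
# Reset: flush the filter, nat and mangle tables, then default-deny everything.
# NOTE(review): user-defined chains and the raw table are left as they are.
apply "$IPT" -F
apply "$IPT" -F -t nat
apply "$IPT" -F -t mangle
apply "$IPT" -P INPUT DROP
apply "$IPT" -P OUTPUT DROP
apply "$IPT" -P FORWARD DROP

# -------------------------------
# lo: loopback traffic is always allowed in both directions.
apply "$IPT" -A INPUT -p all -i lo -j ACCEPT
apply "$IPT" -A OUTPUT -p all -o lo -j ACCEPT

# Outbound: every new connection leaving through the LAN/WAN interface is
# accepted, so egress is not filtered by destination or port despite the DROP
# policy on OUTPUT.
# "-m state" is kept as written; "-m conntrack --ctstate" is the current
# spelling of the same match.
apply "$IPT" -A OUTPUT -p all -o "$IFLAN" -m state --state NEW -j ACCEPT
apply "$IPT" -A OUTPUT -p all -o "$IFWAN" -m state --state NEW -j ACCEPT

# -------------------------------
# allow: these subnets may open connections to any protocol and port.
apply "$IPT" -A INPUT -p all -s 10.0.68.0/25 -m state --state NEW -j ACCEPT
apply "$IPT" -A INPUT -p all -s 10.0.69.0/25 -m state --state NEW -j ACCEPT
apply "$IPT" -A INPUT -p all -s 10.0.70.128/25 -m state --state NEW -j ACCEPT

# Single hosts limited to TCP 80 and 5432.
# mz.rostvertol.ru
apply "$IPT" -A INPUT -p tcp -s 10.110.140.226/32 \
  -m multiport --dports 80,5432 -m state --state NEW -j ACCEPT
# cpc.rostvertol.ru
apply "$IPT" -A INPUT -p tcp -s 10.110.140.28/32 \
  -m multiport --dports 80,5432 -m state --state NEW -j ACCEPT

# -------------------------------
# Packets belonging to, or related to, an already accepted connection.
apply "$IPT" -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
apply "$IPT" -A OUTPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
apply "$IPT" -A FORWARD -p all -m state --state ESTABLISHED,RELATED -j ACCEPT

# -------------------------------
# Persist only a ruleset that loaded completely.
if [[ "$status" -ne 0 ]]; then
  printf 'firewall: ruleset incomplete, not saving\n' >&2
  exit 1
fi

"$IPTS" save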