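# Reset the IPv4 INPUT/OUTPUT chains before rebuilding them from scratch.
# No -P default policy is set anywhere in this block: each chain relies on
# its explicit terminal rule (REJECT/DROP/RETURN) below instead.
/sbin/iptables -v -t filter -F INPUT
/sbin/iptables -v -t filter -F OUTPUT

# Ignore ICMP redirects on every IPv4 interface (the glob also covers the
# kernel's "all" and "default" entries).  The redirection target is quoted:
# the original left ${interface} unquoted (ShellCheck SC2086).
for interface in /proc/sys/net/ipv4/conf/*/accept_redirects; do
  /bin/echo "0" > "${interface}"
done
# Do not log bogus ICMP error responses from broken hosts.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

##############################
### localhost input/output ###
##############################
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

# All locally originated traffic is allowed out.
/sbin/iptables -A OUTPUT -j ACCEPT

# Replies to connections this host opened.
/sbin/iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

# Services exposed on this host: ssh, http, https.
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT
/sbin/iptables -A INPUT -m pkttype --pkt-type multicast -j ACCEPT
# ICMP echo reply (0) and echo request (8).
/sbin/iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT

# DHCP (67/68) and NetBIOS name service (137) are dropped silently rather
# than falling through to the REJECT below, presumably so this host does not
# answer broadcast chatter with ICMP errors.
/sbin/iptables -A INPUT -p udp --destination-port 67 -j DROP
/sbin/iptables -A INPUT -p udp --destination-port 68 -j DROP
/sbin/iptables -A INPUT -p udp --destination-port 137 -j DROP

# Terminal rule: anything not matched above is rejected.
# NOTE(review): only IPv4 INPUT is restricted here; no ip6tables INPUT or
# OUTPUT rules appear in this block — confirm they are configured elsewhere.
/sbin/iptables -A INPUT -j REJECT

##############################
### OKTRAFFIC: traffic that bypasses the nat/forward handling below
##############################
# -N fails (non-fatally, with a message) if the chain already exists from a
# previous run; the following -F then empties it, so re-runs are safe.
/sbin/iptables -t nat -N OKTRAFFIC
/sbin/iptables -t nat -v -F OKTRAFFIC
# DNS, two specific destination hosts, DHCP and ICMP are let through;
# everything else returns to the calling chain.
/sbin/iptables -t nat -A OKTRAFFIC -p udp --destination-port 53 -j ACCEPT
/sbin/iptables -t nat -A OKTRAFFIC -d 128.223.51.19 -j ACCEPT
/sbin/iptables -t nat -A OKTRAFFIC -d 128.223.51.51 -j ACCEPT
/sbin/iptables -t nat -A OKTRAFFIC -p udp --destination-port 67 -j ACCEPT
/sbin/iptables -t nat -A OKTRAFFIC -p icmp -j ACCEPT
/sbin/iptables -t nat -A OKTRAFFIC -j RETURN

# IPv6 counterpart (filter table): ICMPv6 and multicast pass, the rest returns.
/sbin/ip6tables -N OKTRAFFIC
/sbin/ip6tables -v -F OKTRAFFIC
/sbin/ip6tables -A OKTRAFFIC -p icmpv6 -j ACCEPT
/sbin/ip6tables -A OKTRAFFIC -m pkttype --pkt-type multicast -j ACCEPT
/sbin/ip6tables -A OKTRAFFIC -j RETURN

##############################
### IPv4 FORWARD (bridged traffic, matched on the bridge port via physdev)
##############################
/sbin/iptables -v -F FORWARD
# Anything that did NOT enter on an eth1* port is forwarded unconditionally,
# so every rule after this one only ever sees traffic from eth1*.
/sbin/iptables -A FORWARD -m physdev ! --physdev-in eth1+ -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -m physdev --physdev-in eth1+ -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -p udp -m physdev --physdev-in eth1+ -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -p icmp -j ACCEPT
/sbin/iptables -A FORWARD -p igmp -j ACCEPT
/sbin/iptables -A FORWARD -m pkttype --pkt-type multicast -j ACCEPT
/sbin/iptables -A FORWARD -p udp --destination-port 67 -j ACCEPT
/sbin/iptables -A FORWARD -p udp --destination-port 68 -j ACCEPT
# Protocol 50 is ESP (IPsec).
/sbin/iptables -A FORWARD -p 50 -j ACCEPT
# Whatever remains from eth1* is logged, then dropped.
/sbin/iptables -A FORWARD -m physdev --physdev-in eth1+ -j LOG --log-prefix "drop-insidev4-fwd: "
/sbin/iptables -A FORWARD -m physdev --physdev-in eth1+ -j DROP

##############################
### IPv6 FORWARD
##############################
/sbin/ip6tables -F FORWARD
/sbin/ip6tables -p tcp -A FORWARD -m physdev --physdev-in eth1+ -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -p udp -A FORWARD -m physdev --physdev-in eth1+ -m state --state ESTABLISHED,RELATED -j ACCEPT

##############################
### auth2: per-client hook for traffic arriving on eth1.2
##############################
# The chain is created empty (RETURN only) here; presumably it is populated
# at runtime by another component — confirm.
/sbin/iptables -t nat -F PREROUTING
/sbin/iptables -t nat -N auth2
/sbin/iptables -t nat -F auth2
/sbin/iptables -t nat -A auth2 -j RETURN
/sbin/iptables -t nat -A PREROUTING -m physdev --physdev-in eth1.2 -j auth2
/sbin/ip6tables -N auth2
/sbin/ip6tables -F auth2
/sbin/ip6tables -A auth2 -j RETURN
/sbin/ip6tables -A FORWARD -m physdev --physdev-in eth1.2 -j auth2

##############################
### IPv4 nat PREROUTING
##############################
# -I places this rule first, ahead of the auth2 jump appended above:
# traffic not entering on eth1* skips all nat handling.
/sbin/iptables -t nat -I PREROUTING -m physdev ! --physdev-in eth1+ -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -j OKTRAFFIC
# Unmatched web traffic from eth1* is redirected to this host.
/sbin/iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT
/sbin/iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT
# Everything else gets its destination rewritten to 0.0.0.0 — presumably a
# sink for non-web traffic that has not been allowed above; confirm intent.
/sbin/iptables -t nat -A PREROUTING -j DNAT --to 0

# IPv6: same shape in the filter table's FORWARD chain — non-eth1* traffic
# accepted first, then OKTRAFFIC, then log and drop.
/sbin/ip6tables -I FORWARD -m physdev ! --physdev-in eth1+ -j ACCEPT
/sbin/ip6tables -A FORWARD -j OKTRAFFIC
/sbin/ip6tables -A FORWARD -j LOG --log-prefix "drop-insidev6-fwd: "
/sbin/ip6tables -A FORWARD -j DROP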