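#!/bin/bash
#
# Minimal NAT-gateway firewall (IPv4): let SSH and ping reach this host, let
# connections that originate on the inside interface be forwarded, and
# masquerade them behind the outside interface's address.
#
# The script is safe to re-run: the chains it owns are flushed first, so a
# second run does not stack duplicate rules on top of the first.
#
# Environment (optional overrides):
#   INSIDE  - LAN-facing interface  (default: eth0)
#   OUTSIDE - upstream-facing interface (default: eth1)
#
# NOTE(review): only the iptables (IPv4) ruleset is touched; if IPv6 is
# enabled on this host an equivalent ip6tables policy is needed or v6
# traffic is unfiltered — confirm per deployment.
# NOTE(review): the FORWARD/MASQUERADE rules carry no traffic unless
# net.ipv4.ip_forward is enabled; that is not done here — confirm in sysctl.

set -euo pipefail

INSIDE=${INSIDE:-eth0}
OUTSIDE=${OUTSIDE:-eth1}
readonly INSIDE OUTSIDE

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Install the ruleset.
# Globals:   INSIDE, OUTSIDE (read)
# Returns:   0 on success; exits non-zero via set -e / die on any failure
#######################################
main() {
  [[ $EUID -eq 0 ]] || die "must run as root to modify iptables"

  # Flush exactly the chains this script populates (not the whole table)
  # so the rules below replace, rather than extend, a previous run. If the
  # policies are already DROP from an earlier run, inbound packets are
  # dropped for the brief window until the rules are re-added.
  iptables -F INPUT
  iptables -F FORWARD
  iptables -t nat -F POSTROUTING

  # --- INPUT: traffic addressed to this host -----------------------------
  iptables -A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
  # pings
  iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
  # anything from loopback is okay
  iptables -A INPUT -i lo -j ACCEPT
  # if you're going to be an NFS server and SMB and ... you might just:
  #iptables -A INPUT -i "$INSIDE" -j ACCEPT
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
  # pure paranoia, the REJECT already got it
  iptables -P INPUT DROP

  # --- FORWARD: traffic routed through this host -------------------------
  # New connections are accepted by *ingress* interface only; with more
  # than two interfaces this also permits inside->inside forwarding.
  # Add "-o $OUTSIDE" here if that is not intended.
  iptables -A FORWARD -i "$INSIDE" -m state --state NEW -j ACCEPT
  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  # anything else — unsolicited NEW traffic from outside, or packets the
  # connection tracker does not recognise — falls through to the policy
  iptables -P FORWARD DROP

  # --- NAT: rewrite the source of outbound traffic to the outside address
  iptables -t nat -A POSTROUTING -o "$OUTSIDE" -j MASQUERADE
}

main "$@"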