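#!/usr/bin/env bash
#
# iptables firewall + NAT ruleset for a small gateway.
#
# Topology, as encoded in the rules below:
#   eth0            external (untrusted) interface
#   192.168.0.0/16  internal network, SNAT'ed behind the firewall's address
#   192.168.3.254   internal host published on TCP 25/80/110
#   printer         internal host published on its own public address (DNAT)
#
# Site-specific addresses are read from the environment. Each one defaults to
# the placeholder token used in the original script, so behaviour is unchanged
# when the variable is unset; set them (or make the tokens resolvable) before
# deploying:
#   EXTERNAL_HOST_REAL_IP  remote host allowed to reach any TCP port on this box
#   PRINTER_REAL_IP        public address that is DNAT'ed to the printer
#   PRINTER_VIRTUAL_IP     internal address of the printer
#   FIREWALL_REAL_IP       public address used as the SNAT source for the LAN
#
# Must run as root. The script is idempotent: existing rules and user chains are
# flushed before the new set is loaded, so a re-run no longer fails on
# "Chain already exists" or appends duplicate rules. It fails closed: the DROP
# policies are installed first, so an error that aborts the script (set -e)
# leaves the host unreachable rather than wide open.
set -euo pipefail

readonly EXT_IF=eth0
readonly LAN_NET=192.168.0.0/16
readonly MAIL_HOST=192.168.3.254

: "${EXTERNAL_HOST_REAL_IP:=External_Host_Real_ip}"
: "${PRINTER_REAL_IP:=Printer_Real_ip}"
: "${PRINTER_VIRTUAL_IP:=Printer_Virtual_ip}"
: "${FIREWALL_REAL_IP:=Firewall_real_ip}"

#######################################
# Load the netfilter modules the ruleset relies on (NAT, state matching,
# FTP connection tracking, LOG target). iptables autoloads what it needs, so
# a module that cannot be loaded is reported but does not abort the script
# (these are legacy module names and may be absent on newer kernels).
# Globals:  none
# Outputs:  warnings to stderr
#######################################
load_modules() {
  local mod
  for mod in ipt_MASQUERADE ip_nat_ftp ipt_state ipt_LOG iptable_nat ip_conntrack_ftp; do
    modprobe "$mod" || printf 'warn: could not load module %s\n' "$mod" >&2
  done
}

#######################################
# Install a fail-closed baseline and clear any previous ruleset.
# Policies go in first so nothing is admitted while the chains are empty;
# -F then -X empties and removes user chains in both the filter and nat table.
#######################################
reset_tables() {
  iptables -P INPUT DROP
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD DROP
  iptables -F
  iptables -X
  iptables -t nat -F
  iptables -t nat -X
}

#######################################
# User chains referenced from INPUT.
#   allowed      accepts TCP connection openers (SYN) and stateful replies
#   tcp_packets  per-destination-port dispatch into "allowed" for the public
#                TCP services, plus one fully trusted external host
# Globals:  EXTERNAL_HOST_REAL_IP (read)
#######################################
create_user_chains() {
  iptables -N allowed
  iptables -A allowed -p tcp --syn -j ACCEPT
  iptables -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

  # 53:DNS 80:http 443:https 110:pop3 113:identd 515:lpd
  # NOTE: 9100 (HP JetDirect) appeared in the original port list but never
  # had a rule; it is intentionally still absent here.
  iptables -N tcp_packets
  local port
  for port in 53 80 443 110 113 515; do
    iptables -A tcp_packets -p tcp --dport "$port" -j allowed
  done
  # One trusted external host may reach any TCP port on the firewall.
  iptables -A tcp_packets -p tcp -s "${EXTERNAL_HOST_REAL_IP}/32" -j allowed
}

#######################################
# FORWARD chain: the LAN may go anywhere; from the outside only stateful
# replies, the published services on MAIL_HOST and the printer are forwarded.
# Everything else is rejected.
# Globals:  LAN_NET, EXT_IF, MAIL_HOST, PRINTER_VIRTUAL_IP (read)
#######################################
build_forward_rules() {
  # NOTE(review): no -i restriction on this rule, so protection against LAN
  # source addresses arriving on eth0 rests on the nat PREROUTING drops in
  # build_nat_rules. A filter-table rule bound to the internal interface would
  # be the more conventional place for that check - confirm with the site.
  iptables -A FORWARD -s "$LAN_NET" -j ACCEPT
  iptables -A FORWARD -i "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

  local port
  for port in 110 25 80; do
    iptables -A FORWARD -i "$EXT_IF" -p tcp -d "${MAIL_HOST}/32" --dport "$port" -j ACCEPT
  done
  # Every TCP port of the printer is reachable from outside (after DNAT).
  iptables -A FORWARD -i "$EXT_IF" -p tcp -d "${PRINTER_VIRTUAL_IP}/32" -j ACCEPT

  iptables -A FORWARD -p all -j REJECT
}

#######################################
# INPUT chain: traffic addressed to the firewall itself.
# Globals:  LAN_NET, EXT_IF (read)
#######################################
build_input_rules() {
  # Anything from the LAN and from loopback.
  iptables -A INPUT -s "$LAN_NET" -j ACCEPT
  iptables -A INPUT -i lo -j ACCEPT

  # SMTP to the firewall itself: connection openers are dropped first, so the
  # ACCEPT below only ever sees non-SYN segments and applies no state check.
  # NOTE(review): confirm this is the intent rather than a stateful rule.
  iptables -A INPUT -p tcp --dport 25 --syn -j DROP
  iptables -A INPUT -p tcp --dport 25 -j ACCEPT

  # Printer (lpd) and DNS server running on this host.
  iptables -A INPUT -p tcp --dport 515 -j ACCEPT
  iptables -A INPUT -p udp --dport 53 -j ACCEPT

  # All other public TCP services go through the per-port dispatch chain.
  iptables -A INPUT -p tcp -i "$EXT_IF" -j tcp_packets

  # ICMP: 0 echo-reply, 3 destination-unreachable, 5 redirect, 11 time-exceeded.
  # NOTE(review): accepting redirects (type 5) on a gateway is unusual - confirm.
  local icmp_type
  for icmp_type in 0 3 5 11; do
    iptables -A INPUT -p icmp -i "$EXT_IF" --icmp-type "$icmp_type" -j ACCEPT
  done

  # UDP replies to our own DNS (53) and NTP (123) queries. The original rules
  # matched on source port alone, which admits any datagram whose sender chose
  # that port; requiring a conntrack entry limits them to replies we asked for.
  local sport
  for sport in 53 123; do
    iptables -A INPUT -p udp -i "$EXT_IF" --sport "$sport" \
      -m state --state ESTABLISHED,RELATED -j ACCEPT
  done

  # Anything else is rejected explicitly (the chain policy is DROP regardless).
  iptables -A INPUT -p all -j REJECT
}

#######################################
# nat table: anti-spoofing on the external interface, the printer's public
# address mapping, and masquerading for the LAN.
# Globals:  EXT_IF, LAN_NET, PRINTER_REAL_IP, PRINTER_VIRTUAL_IP,
#           FIREWALL_REAL_IP (read)
#######################################
build_nat_rules() {
  # Drop RFC 1918 source addresses arriving from the outside.
  local net
  for net in 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12; do
    iptables -t nat -A PREROUTING -i "$EXT_IF" -s "$net" -j DROP
  done

  # Publish the printer: its public address is rewritten to the internal one...
  iptables -t nat -A PREROUTING -d "$PRINTER_REAL_IP" -p tcp -m tcp \
    -j DNAT --to-destination "$PRINTER_VIRTUAL_IP"
  # ...and its outbound traffic leaves with the public address. This must stay
  # ahead of the LAN-wide SNAT below, since POSTROUTING takes the first match.
  iptables -t nat -A POSTROUTING -s "${PRINTER_VIRTUAL_IP}/32" -j SNAT --to-source "$PRINTER_REAL_IP"
  # Everyone else on the LAN is hidden behind the firewall's own address.
  iptables -t nat -A POSTROUTING -s "$LAN_NET" -j SNAT --to-source "$FIREWALL_REAL_IP"
}

#######################################
# Kernel networking knobs. Applied last so forwarding is switched on only once
# the filter and NAT rules are fully in place.
#######################################
apply_sysctls() {
  echo 1 > /proc/sys/net/ipv4/ip_forward
  # 2 selects loose-mode reverse-path filtering (kernel ip-sysctl docs);
  # 1 would be strict mode. Kept as in the original.
  echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
}

main() {
  load_modules
  reset_tables
  create_user_chains
  build_forward_rules
  build_input_rules
  build_nat_rules
  apply_sysctls
}

main "$@"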