#!/bin/bash 

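set -e

# Connection tracking has to be loaded before the ESTABLISHED,RELATED rule
# below is installed; the FTP helper is presumably loaded so FTP data channels
# are classified as RELATED (confirm this is still needed on this host).
# ip_conntrack / ip_conntrack_ftp are the legacy module names; newer kernels
# only ship nf_conntrack / nf_conntrack_ftp. Under set -e a failed modprobe
# aborts the whole script, including "stop" and "show", so try the legacy
# name first and fall back to the current one. stderr of the first attempt is
# silenced on purpose: its failure is expected on current kernels.
modprobe ip_conntrack 2>/dev/null || modprobe nf_conntrack
modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp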

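#######################################
# Reset every table and install the inbound policy: all outbound traffic is
# allowed, inbound only loopback and replies to connections this host opened.
# NOTE(review): only IPv4 (iptables) is configured here; IPv6 is not filtered
# by this script — confirm ip6tables is handled elsewhere.
# Globals:   none
# Arguments: none
# Outputs:   none (iptables diagnostics on stderr)
# Returns:   0, or aborts via set -e on the first failing iptables call
#######################################
flush_and_load_fw(){
  local table
  # Flush every table and also delete user-defined chains: chains created by
  # other tooling would otherwise survive a "flush" and could still be
  # jumped to by rules added later.
  for table in filter nat mangle; do
    iptables -t "$table" --flush
    iptables -t "$table" --delete-chain
  done

  # Set the default policy to DROP *before* adding the accept rules so the
  # host fails closed, not open, while the ruleset is being rebuilt.
  # FORWARD is left untouched, as in the original; set it explicitly if this
  # host has routing enabled.
  iptables --policy INPUT DROP
  iptables --policy OUTPUT ACCEPT

  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # No new inbound service is opened. With INPUT DROP this locks out remote
  # administration (SSH) once "start" runs; enable and scope as needed:
  #iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

  # Discard link-local noise silently so it never reaches the LOG rule.
  iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP
  iptables -A INPUT -m pkttype --pkt-type multicast -j DROP

  # Log what falls through to the DROP policy, but rate-limited: an
  # unlimited LOG rule lets any remote sender flood the kernel log.
  # 5/min with a burst of 10 is a conservative default; tune to taste.
  iptables -A INPUT -m limit --limit 5/min --limit-burst 10 \
    -j LOG --log-prefix "fw-input-drop: "
}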

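#######################################
# Remove every rule and return all policies to ACCEPT. Used by "stop".
# After this the host accepts all inbound traffic until "start" is run.
# Globals:   none
# Arguments: none
# Outputs:   none (iptables diagnostics on stderr)
# Returns:   0, or aborts via set -e on the first failing iptables call
#######################################
flush_fw(){
  local table
  # Delete user-defined chains as well, so "stop" leaves a truly empty
  # ruleset instead of orphaned chains that a later load might jump to.
  for table in filter nat mangle; do
    iptables -t "$table" --flush
    iptables -t "$table" --delete-chain
  done
  iptables --policy INPUT ACCEPT
  iptables --policy OUTPUT ACCEPT
}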

#######################################
# Print the current filter-table rules.
# Globals:   none
# Arguments: none
# Outputs:   rule listing on stdout
# Returns:   exit status of iptables
#######################################
show_fw(){
  # --numeric avoids reverse DNS and service-name lookups, so the listing
  # does not stall on resolver problems.
  iptables --list --numeric
}

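# Dispatch on the init-style action argument. ${1:-} keeps the usage path
# working with no argument even if set -u is enabled later. The usage message
# goes to stderr and exits non-zero so a mistyped action in an init or cron
# invocation is noticed instead of silently leaving the old ruleset in place.
case "${1:-}" in
  start|restart|reload|force-reload)
    # A reload is a full flush-and-load; there is no incremental path.
    flush_and_load_fw
    ;;
  stop)
    flush_fw
    ;;
  show)
    show_fw
    ;;
  *)
    printf '%s {start|stop|restart|reload|force-reload|show}\n' "$0" >&2
    exit 1
    ;;
esac

exit 0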
