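#!/bin/sh
# Edge router bring-up: interface addressing, static routes and the
# iptables base policy (default DROP on INPUT/OUTPUT/FORWARD, LAN
# masquerading, DMZ exposure and mangle-table packet marking).
#
# Runs as root. Must be re-run from scratch: it flushes the filter table and
# the mangle PREROUTING chain before adding rules.

# Abort on any reference to an undefined variable. The original script
# referenced $WEB_SERVER/$FTP_SERVER and $MAN_1/$MAN_2, which were never
# defined; they expanded to empty strings and the affected iptables rules
# either failed or matched nothing, so the intended restrictions were silently
# absent. -u makes that class of mistake fatal instead of silent.
set -u

# Network settings
PROXY=10.10.10.100
MAN1=10.10.10.1
MAN2=10.10.10.2
WEB=1.1.1.1
FTP=1.1.1.2
readonly PROXY MAN1 MAN2 WEB FTP

# Interface addressing.
# NOTE(review): eth0 (Internet) and eth1 (DMZ) are both given 1.1.1.10/24 —
# two interfaces in the same subnet with the same address. Kept as in the
# original; confirm the DMZ address before deploying.
ip link set eth0 up
ip addr add 1.1.1.10/24     brd + dev eth0 label eth0 # Internet
ip addr add 1.1.1.10/24     brd + dev eth1 label eth1 # DMZ
ip addr add 10.10.10.254/24 brd + dev eth2 label eth2 # LAN

# Routing settings: host routes to the DMZ servers, default route upstream.
ip route add "$WEB"/32 dev eth1
ip route add "$FTP"/32 dev eth1
ip route add 0/0 via 1.1.1.100 table main dev eth0

# Some firewall settings
modprobe iptable_nat
iptables -F                      # flush filter table
iptables -t mangle -F PREROUTING # flush mangle PREROUTING (marks are re-added below)
iptables -X                      # drop user-defined chains in the filter table

# Default-deny on every built-in filter chain; only explicit rules below allow traffic.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# LAN -> Internet source NAT, and return traffic for any accepted flow.
# NOTE(review): no FORWARD rule accepts NEW connections arriving on eth2, so
# with policy DROP the LAN cannot open outbound flows and the MASQUERADE rule
# is only reachable for already-established traffic — confirm whether that is
# intended or whether a LAN->eth0 accept rule is missing.
iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.0/255.255.255.0 -j MASQUERADE
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Setting up the internet interface: expose the DMZ servers.
# These rules accept every protocol and port from the Internet to the two
# hosts; narrow them with -p/--dport to the services actually offered.
iptables -A FORWARD -i eth0 -d "$WEB" -j ACCEPT
iptables -A FORWARD -i eth0 -d "$FTP" -j ACCEPT

# Marking the packets on LAN interface.
# Order matters: the catch-all mark 3 is applied first, then the more
# specific source-based marks overwrite it for the proxy (1) and the
# management hosts (2). The mark values are consumed elsewhere (not shown here).
iptables -t mangle -A PREROUTING -i eth2            -j MARK --set-mark 3
iptables -t mangle -A PREROUTING -i eth2 -s "$PROXY" -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i eth2 -s "$MAN1"  -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -i eth2 -s "$MAN2"  -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -i eth2 -j ACCEPT

# Marking the packets on DMZ interface (mangle INPUT: traffic addressed to this host).
iptables -t mangle -A INPUT -i eth1 -s "$FTP" -j MARK --set-mark 4
iptables -t mangle -A INPUT -i eth1 -s "$WEB" -j MARK --set-mark 5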

