#!/bin/sh 

#   This script sets up a router/firewall on your Ubuntu Linux 
# computer.  Lines that start with the "#" character are comments.  As 
# in many shell scripts, the first thing we do is establish values for 
# variables.  This is done to allow you to change the behavior of the 
# program without modifying too many lines, and keeps you from having 
# to change anything in the "guts" of the script. 

#   Where the iptables binary lives, and the two network interfaces the
# router sits between: OUTSIDE_INTERFACE is the one facing the Internet,
# INSIDE_INTERFACE the one facing your local network.
IPTABLES_PROGRAM=/sbin/iptables
OUTSIDE_INTERFACE=eth0
INSIDE_INTERFACE=eth1

#   These next items are optional -- are there any types of traffic you 
# want to send to a particular machine on your network?  In this 
# example, we have TCP ports 22=ssh (secure shell), 25=smtp (mail), 
# 80=http (web server) and UDP port 6112, which is used for some 
# games.  Those are all useful to some people, but most people won't 
# want even one of those.  It's a security hole, after all.  The 
# variable INSIDE_COMPUTER is the IP address of the desktop computer 
# that has a ssh server, a web server or what have you. 

#   Uncomment these three lines to make them active, but it's probably
# best to leave them commented out. 
# TCP_PORTS_TO_ALLOW="22 25 80" 
# UDP_PORTS_TO_ALLOW="6112" 
# INSIDE_COMPUTER=192.168.3.17 

# You should never have to modify anything below this line. 
################################################################## 


#   Start from a clean slate.  For the default ("filter") table and the
# "nat" table we flush every rule out of the chains, then delete the
# user-defined chains now that they are empty.  The built-in chains
# themselves, and their default policies, are left as they are.
for table in filter nat; do
    $IPTABLES_PROGRAM --table "$table" --flush
    $IPTABLES_PROGRAM --table "$table" --delete-chain
done

#   Masquerading (NAT).  Every packet leaving through the outside interface
# is rewritten to carry that interface's own IP address instead of the
# address of the inside client that originated it.  The kernel remembers
# the original address, so when the far-away computer replies the reply is
# rewritten back and delivered to the originating inside computer.
$IPTABLES_PROGRAM --table nat --append POSTROUTING \
	--out-interface $OUTSIDE_INTERFACE --jump MASQUERADE

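#   Packets arriving on the inside interface may start new connections to
# the outside and carry on established ones.
$IPTABLES_PROGRAM -A FORWARD -i "$INSIDE_INTERFACE" -o "$OUTSIDE_INTERFACE" \
	-m state --state NEW,ESTABLISHED -j ACCEPT

#   Replies to those connections come back in on the outside interface.
# Only traffic belonging to a connection the inside already opened
# (ESTABLISHED, plus RELATED for things like ICMP errors tied to it) is
# let through this way.
$IPTABLES_PROGRAM -A FORWARD -i "$OUTSIDE_INTERFACE" -o "$INSIDE_INTERFACE" \
	-m state --state ESTABLISHED,RELATED -j ACCEPT

#   Default-deny for everything else that would cross the router.  Without
# this the FORWARD chain keeps whatever policy it had (ACCEPT on a stock
# system), and a brand new connection from the Internet to any inside
# machine would be forwarded, rules or no rules.  Anything that should get
# in, such as the optional port forwarding further down, needs its own
# explicit ACCEPT rule.
#   The router's own INPUT and OUTPUT policies are deliberately not touched
# here: tightening INPUT over a remote session without an allow rule for
# that session locks you out.
$IPTABLES_PROGRAM --policy FORWARD DROP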


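#   This part of the script forwards specific ports that arrive on the
# outside interface to one machine on the inside (INSIDE_COMPUTER), one
# rule set per port listed in TCP_PORTS_TO_ALLOW and UDP_PORTS_TO_ALLOW.
# Every forwarded port is a service exposed to the whole Internet, which is
# usually not wanted or needed in a home network.

#######################################
# Forward one port from the outside interface to INSIDE_COMPUTER.
# Globals:   IPTABLES_PROGRAM, OUTSIDE_INTERFACE, INSIDE_INTERFACE,
#            INSIDE_COMPUTER (all read, none written)
# Arguments: $1 - protocol, "tcp" or "udp"
#            $2 - port number (or a service name iptables understands)
# Outputs:   an error message on stderr when INSIDE_COMPUTER is empty
# Returns:   0 when both rules were added, 1 when INSIDE_COMPUTER is
#            empty or iptables rejected a rule
#######################################
forward_port() {
    #   With no destination address the rules below would be built with a
    # missing argument; refuse up front rather than hand iptables garbage.
    if [ -z "$INSIDE_COMPUTER" ]; then
        printf '%s\n' "$0: INSIDE_COMPUTER must be set to forward $1 port $2" >&2
        return 1
    fi
    #   Explicit FORWARD accept for the (post-DNAT) destination.  Added for
    # udp as well as tcp: relying on the chain's default policy to let the
    # redirected packets through is not enough if that policy is DROP.
    $IPTABLES_PROGRAM -A FORWARD -i "$OUTSIDE_INTERFACE" -o "$INSIDE_INTERFACE" \
        -p "$1" -d "$INSIDE_COMPUTER" --dport "$2" -j ACCEPT || return 1
    #   Rewrite the destination of packets for this port arriving on the
    # outside interface so that they go to the inside machine instead.
    $IPTABLES_PROGRAM -t nat -A PREROUTING -p "$1" -i "$OUTSIDE_INTERFACE" \
        --dport "$2" -j DNAT --to-destination "$INSIDE_COMPUTER:$2" || return 1
}

#   The "if" statements below check whether the port lists have anything
# in them.  If you left them commented out at the top they are empty and
# the whole thing is skipped.  The lists are left unquoted on purpose so
# the shell splits them on whitespace into one port per loop iteration.
# A port that cannot be forwarded stops the script instead of leaving a
# half-built rule set behind.
if [ -n "$TCP_PORTS_TO_ALLOW" ]; then
    for PORT_NUMBER in $TCP_PORTS_TO_ALLOW; do
        forward_port tcp "$PORT_NUMBER" || exit 1
    done
fi
if [ -n "$UDP_PORTS_TO_ALLOW" ]; then
    for PORT_NUMBER in $UDP_PORTS_TO_ALLOW; do
        forward_port udp "$PORT_NUMBER" || exit 1
    done
fi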

#   Reset the packet and byte counters on every chain of both tables, so
# that a later "iptables -L -v" shows only what each chain has seen since
# this script ran.
for table in filter nat; do
    $IPTABLES_PROGRAM --table "$table" --zero
done

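#   Lastly, turn on IP forwarding by writing a "1" to
# /proc/sys/net/ipv4/ip_forward, which tells Linux to behave like a router
# and pass packets between the two interfaces.  This takes effect at once
# but does not survive a reboot, so the script has to run again at boot.
#   The write fails when the script is not run as root (or there is no
# /proc/sys); say so loudly rather than finish silently with a "router"
# that does not forward anything.
if ! /bin/echo 1 > /proc/sys/net/ipv4/ip_forward; then
    printf '%s\n' "$0: could not enable IP forwarding (are you root?)" >&2
    exit 1
fi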

# Done.  Your firewall is installed.