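«IMPORT org::myfirewall::myFirewall»
«EXTENSION templates::Extensions»

«REM»
  Generates a stateful packet-filtering script for a two-interface
  firewall (ifExternal / ifInternal) from a Script model.

  Fix: iptables built-in chain policies (-P) accept only ACCEPT or DROP;
  REJECT is an extension target, so "iptables -P INPUT REJECT" fails with
  "Bad policy name". Because the generated script had no "set -e", the
  failure was ignored and INPUT/FORWARD stayed at the kernel default of
  ACCEPT -- the firewall failed open. Policies are now DROP and the
  script aborts on the first failing command.
«ENDREM»
«DEFINE main FOR Script-»
«FILE name-»
#!/bin/sh
# Generated from the Xpand firewall template -- edit the template, not this file.
# Abort on the first failing iptables command so a half-installed ruleset is
# never left running silently.
set -e

# no network address translation
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT

# prepare filtering tables: flush rules, remove stale user-defined chains
# (-F alone leaves them in place), then install default-deny policies.
# A chain policy may only be ACCEPT or DROP; REJECT cannot be used with -P.
/sbin/iptables -t filter -F
/sbin/iptables -t filter -X
/sbin/iptables -t filter -P INPUT DROP
/sbin/iptables -t filter -P OUTPUT ACCEPT
/sbin/iptables -t filter -P FORWARD DROP

# always allow inbound connections from loopback and the internal network
/sbin/iptables -t filter -A INPUT --in-interface lo --jump ACCEPT
/sbin/iptables -t filter -A INPUT --in-interface «ifInternal» --jump ACCEPT

# OUTPUT is ACCEPT, so replies to the firewall host's own outbound
# connections must be admitted here or they hit the INPUT DROP policy;
# unsolicited packets on the external interface are still dropped.
/sbin/iptables -t filter -A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT

# enable connection tracking for forwarded traffic
/sbin/iptables -t filter -A FORWARD --match state --state INVALID --jump DROP
/sbin/iptables -t filter -A FORWARD --match state --state ESTABLISHED,RELATED --jump ACCEPT

# inbound connections (external -> internal)
«FOREACH incomingRules AS rule-»
«EXPAND rule(ifExternal, ifInternal) FOR rule-»
«ENDFOREACH-»

# outbound connections (internal -> external)
«FOREACH outgoingRules AS rule-»
«EXPAND rule(ifInternal, ifExternal) FOR rule-»
«ENDFOREACH-»
«ENDFILE-»
«ENDDEFINE»

«REM»
  Emits one FORWARD ACCEPT rule per (service, protocol, port) triple of a
  Rule, restricted to the source/destination addresses of the model and to
  the interface pair chosen by the caller (fromInterface -> toInterface).
  NOTE(review): --dport is only meaningful for protocols that carry ports
  (tcp, udp, ...); confirm the model never lists a port-less protocol such
  as icmp, since iptables would reject that line and, with set -e, abort
  the whole script.
«ENDREM»
«DEFINE rule(String fromInterface, String toInterface) FOR Rule-»
# from «source.getName()» to «destination.getName()»
«FOREACH services AS service-»
«FOREACH service.protocols AS protocol-»
«FOREACH service.ports AS port-»
/sbin/iptables -t filter -A FORWARD --in-interface «fromInterface» --out-interface «toInterface» \
  --source «source.getAddress()» --destination «destination.getAddress()» \
  --protocol «protocol» --dport «port» --jump ACCEPT
«ENDFOREACH-»
«ENDFOREACH-»
«ENDFOREACH-»
«ENDDEFINE»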