#!/bin/sh
iptables -t filter --flush
iptables -t nat --flush
iptables -t filter --delete-chain
iptables -t nat --delete-chain

iptables -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT -i natbr0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
iptables -t filter -A INPUT -d 172.16.0.0/16 -i natbr0 -j ACCEPT
iptables -t filter -A INPUT -s 172.16.0.0/16 -i natbr0 -j ACCEPT
iptables -t filter -A FORWARD -i natbr0 -j ACCEPT
iptables -t filter -A FORWARD -o natbr0 -j ACCEPT

iptables -t filter -A INPUT -j DROP
iptables -t filter -A OUTPUT -j ACCEPT
iptables -t filter -A FORWARD -j DROP

# NAT table
iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -j MASQUERADE

sysctl net.ipv4.ip_forward=1