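# iptables-save / iptables-restore format for the filter table, rendered by
# Jinja2. Rules are evaluated in order and the first match wins, so ordering
# below is significant.
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Allow established connections
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow loopback
-A INPUT -i lo -j ACCEPT

# External -> DMZ (attacker can reach web/mail)
-A FORWARD -s 10.0.0.0/24 -d 10.0.1.0/24 -p tcp --dport 80 -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -d 10.0.1.0/24 -p tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -d 10.0.1.0/24 -p tcp --dport 25 -j ACCEPT

# DMZ -> Internal (web can reach db/files)
-A FORWARD -s 10.0.1.0/24 -d 10.0.2.0/24 -p tcp --dport 3306 -j ACCEPT
-A FORWARD -s 10.0.1.0/24 -d 10.0.2.0/24 -p tcp --dport 445 -j ACCEPT

# DMZ -> Management (web can reach ldap)
-A FORWARD -s 10.0.1.0/24 -d 10.0.3.0/24 -p tcp --dport 389 -j ACCEPT
-A FORWARD -s 10.0.1.0/24 -d 10.0.3.0/24 -p tcp --dport 636 -j ACCEPT

# Internal -> Management (db/files can reach ldap)
-A FORWARD -s 10.0.2.0/24 -d 10.0.3.0/24 -p tcp --dport 389 -j ACCEPT

{# Templated rules. Two caveats for anyone editing firewall_rules:
   - zone_cidrs.get(..., '0.0.0.0/0') means a misspelled or unknown zone name
     silently widens the rule to any source/destination; an 'allow' with an
     unknown zone becomes an allow-from/to-anywhere rule. Validate zone names
     against zone_cidrs before rendering.
   - These rules come after the static ACCEPTs above, and 'allow' and 'deny'
     rules are emitted in list order, so a 'deny' cannot override an earlier
     ACCEPT for the same zone pair. Order firewall_rules with denies first
     if that is the intent. #}
{% for rule in firewall_rules %}
{% if rule.action == 'allow' %}
{% for port in rule.ports %}
-A FORWARD -s {{ zone_cidrs.get(rule.from_zone, '0.0.0.0/0') }} -d {{ zone_cidrs.get(rule.to_zone, '0.0.0.0/0') }} -p tcp --dport {{ port }} -j ACCEPT
{% endfor %}
{% elif rule.action == 'deny' %}
-A FORWARD -s {{ zone_cidrs.get(rule.from_zone, '0.0.0.0/0') }} -d {{ zone_cidrs.get(rule.to_zone, '0.0.0.0/0') }} -j DROP
{% endif %}
{% endfor %}

# Log dropped packets
# Must precede the final DROP: LOG is a non-terminating target, so packets
# continue to the next rule, whereas nothing after an unconditional DROP
# is ever reached.
-A FORWARD -j LOG --log-prefix "iptables-dropped: " --log-level 4

# Default deny forward (the chain policy is also DROP, so this is explicit
# belt-and-braces and keeps the drop counter visible in iptables -L -v)
-A FORWARD -j DROP

COMMIT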