[...]

# Kernel-side IPv4 hardening written straight into /proc/sys/net/ipv4.
# Each here-doc line is "<knob relative to /proc/sys/net/ipv4> <value>";
# the writes happen in the listed order.
#   conf/all/rp_filter=1                   strict reverse-path filtering
#   conf/all/log_martians=1                log packets with impossible sources
#   icmp_echo_ignore_broadcasts=1          do not answer broadcast pings
#   icmp_echo_ignore_all=0                 unicast ping still answered
#   icmp_ignore_bogus_error_responses=1    do not log bogus ICMP errors
#   tcp_fin_timeout=30                     shorter FIN-WAIT-2 hold time
#   tcp_keepalive_intvl=1800               NOTE(review): well above the kernel
#                                          default (75 s) -- confirm intended
#   tcp_syncookies=1                       SYN-flood protection
while read -r knob value; do
  echo "$value" > "/proc/sys/net/ipv4/$knob"
done <<'EOF'
conf/all/rp_filter 1
conf/all/log_martians 1
icmp_echo_ignore_broadcasts 1
icmp_echo_ignore_all 0
icmp_ignore_bogus_error_responses 1
tcp_fin_timeout 30
tcp_keepalive_intvl 1800
tcp_syncookies 1
EOF
[...]

# Rule 0(NAT)
# Source NAT for the internal network: anything from 192.168.0.0/24 that
# leaves through the outside interface eth2 is rewritten to eth2's own
# address (MASQUERADE picks the interface address at send time).
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth2 -j MASQUERADE
[...]

# Stateful shortcut: packets belonging to a connection the firewall has
# already accepted (or related to one, e.g. ICMP errors) pass in every
# direction. Later rules therefore only have to decide about NEW flows.
for chain in INPUT OUTPUT FORWARD; do
  $IPTABLES -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
done
[...]

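# Rule 0(eth2)
# Anti-spoofing rule for the outside interface eth2: a packet arriving on
# eth2 whose source address is one of the firewall's own addresses or the
# internal 192.168.0.0/24 network cannot be legitimate, so it is logged
# (rate-limited to 10/second to keep a flood from filling the log) and
# dropped. Applied to both INPUT (to the firewall) and FORWARD (through it).
# The LOG and DROP options are written as one logical command each; the
# original had the --log-prefix argument on a separate physical line, where
# the shell would have executed it as a command of its own.
# NOTE(review): if interface_eth2 is empty the "-s" match has no argument
# and iptables rejects the rule -- confirm it is set earlier in the script.
$IPTABLES -N eth2_In_RULE_0
for chain in INPUT FORWARD; do
  for src in "$interface_eth2" 192.168.1.1 192.168.0.1 192.168.0.0/24 192.168.1.2; do
    $IPTABLES -A "$chain" -i eth2 -s "$src" -j eth2_In_RULE_0
  done
done
$IPTABLES -A eth2_In_RULE_0 -m limit --limit 10/second -j LOG --log-level info \
  --log-prefix "RULE 0 -- DENY "
$IPTABLES -A eth2_In_RULE_0 -j DROP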
[...]

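# Rule 0(global)
# Allow SSH from the management host (192.168.0.2) to the firewall itself,
# on any of its addresses. Only NEW connections are matched here; the
# ESTABLISHED,RELATED rules appended earlier carry the rest of the session.
# No -i restriction is given: the rule relies on the eth2 anti-spoofing
# rule appended before it, which already drops 192.168.0.0/24-sourced
# packets arriving on the outside interface. Accepted connections are
# logged at a rate limit of 10/second before being accepted.
# The iptables commands are written as one logical command each; the
# original split them across physical lines without a continuation, so the
# shell would have run "--state NEW ..." and the prefix string on their own.
$IPTABLES -N RULE_0
for dst in "$interface_eth2" 192.168.1.1 192.168.0.1; do
  $IPTABLES -A INPUT -p tcp -s 192.168.0.2 -d "$dst" --destination-port 22 \
    -m state --state NEW -j RULE_0
done
$IPTABLES -A RULE_0 -m limit --limit 10/second -j LOG --log-level info \
  --log-prefix "RULE 0 -- ACCEPT "
$IPTABLES -A RULE_0 -j ACCEPT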