# ferm(1) ruleset: host firewall with one public-facing NIC, optional
# internal NICs and a dedicated management NIC.
# NOTE(review): no `domain` is declared, so ferm applies this to its
# default `ip` (IPv4) domain only; the ip6tables INPUT policy is not set
# by this file. Confirm IPv6 is either disabled on the host or covered
# by a separate ruleset, otherwise the DROP policy below is IPv4-only.

# Management interface: all traffic arriving here is accepted (see INPUT).
@def $IF_ADMIN = eth3;
# Public-facing interface.
@def $IF_FRONT = eth0;
# Internal (back-end) interfaces; only used when $HAVE_BACK is non-zero.
@def $IF_BACK = (eth1 eth2);

# Ports/protocols opened on the public-facing interface.
@def $OPEN_PORT_FRONT = (22 80 443);
@def $PROTO_FRONT = (tcp);

# Ports/protocols opened on the internal interfaces.
@def $OPEN_PORT_BACK = (22 80);
@def $PROTO_BACK = (tcp);

# 0 for NO, 1 for YES: whether the internal interfaces exist and get
# their own ACCEPT rule.
@def $HAVE_BACK = 1;

table filter {
    chain INPUT {
        # Default-deny: anything not matched by a rule below is dropped.
        policy DROP;

        # Connection tracking: drop packets conntrack cannot classify,
        # accept packets that belong to an already-tracked connection.
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # Loopback traffic is always allowed.
        interface lo ACCEPT;

        # Management interface: accepted unconditionally, with no port or
        # source restriction. NOTE(review): this trusts every host reachable
        # on $IF_ADMIN; adding `saddr <ADMIN_NET placeholder>` would narrow
        # it to the management network if that network is known.
        interface $IF_ADMIN ACCEPT;

        # Public interface: only the listed protocol/ports.
        interface $IF_FRONT proto $PROTO_FRONT dport $OPEN_PORT_FRONT ACCEPT;

        # Internal interfaces: only the listed protocol/ports, and the rule
        # is emitted only when $HAVE_BACK is non-zero.
        @if $HAVE_BACK {
            interface $IF_BACK proto $PROTO_BACK dport $OPEN_PORT_BACK ACCEPT;
        }

        # ICMP echo-request is accepted with no interface match, i.e. ping
        # is answered on every interface; no rate limit is applied here.
        proto icmp icmp-type echo-request ACCEPT;
    }

    # Outbound traffic is unrestricted.
    chain OUTPUT policy ACCEPT;

    # This host does not forward between interfaces.
    chain FORWARD policy DROP;
}