Firewall Script


#!/bin/bash
# a firewall script i wrote myself!
# 06 Jan. 2003
# chkconfig: 2345 25 90
# description: packet filtering firewall

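_start()
{
    # Bring up the filter.  The host address defaults to the value the script
    # was written for; export FW_ADDR to override it without editing the
    # script (packets not addressed to it are dropped near the end).
    local fw_addr=${FW_ADDR:-192.9.202.129}
    local rp_filter=/proc/sys/net/ipv4/conf/all/rp_filter

    # Kernel source-address validation: discard packets whose source address
    # would not be routed back out the interface they arrived on.
    if [ -w "$rp_filter" ]; then
        echo 1 > "$rp_filter"
    else
        echo "warning: cannot write $rp_filter; rp_filter left unchanged" >&2
    fi

    # Fail closed while the ruleset is rebuilt: DROP policies go in before
    # the flush so there is never a window with no rules and ACCEPT policies.
    # Only the filter table is touched; nat/mangle rules are left alone.
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    iptables -F
    iptables -X

    # Final policies: inbound and forwarded traffic is denied unless a rule
    # below accepts it; outbound traffic is not restricted by this script.
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD DROP

    # loopback
    iptables -A INPUT -i lo -j ACCEPT

    # replies to connections this host opened, plus related traffic
    # (e.g. ICMP errors for a tracked connection)
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # packets conntrack cannot associate with any connection
    iptables -A INPUT -m state --state INVALID -j DROP

    # Silently discard pings.  This only hides the host from casual scans; it
    # is not a security boundary and it costs ICMP reachability diagnostics.
    iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

    # Services to expose -- uncomment as needed.  22 is sshd's default port;
    # use whatever port sshd is actually bound to.
    # iptables -A INPUT -p tcp -d "$fw_addr" --dport 80 -j ACCEPT   # http
    # iptables -A INPUT -p tcp -d "$fw_addr" --dport 22 -j ACCEPT   # ssh

    # Anything not addressed to this host (broadcast, multicast, other
    # addresses on the wire) is dropped without logging so the log stays
    # readable.  "! -d" is the supported negation form; "-d !" is deprecated.
    iptables -A INPUT ! -d "$fw_addr" -j DROP

    # Log and drop the remainder.  The limit equals iptables' defaults
    # (3/hour, burst 5) but is spelled out so the log-flooding protection is
    # visible; without a limit a remote peer can fill the log at line rate.
    iptables -A INPUT -m limit --limit 3/hour --limit-burst 5 -j LOG --log-prefix "FIREWALL: "
    iptables -A INPUT -j DROP
}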

_stop()
{
    # Tear the filter down.  After this the host accepts all traffic on every
    # chain until _start runs again -- "stop" means unfiltered, not closed.
    local chain

    # remove every rule in the filter table, then reset the counters
    iptables -F
    iptables -Z

    # open every built-in chain
    for chain in INPUT OUTPUT FORWARD; do
        iptables -P "$chain" ACCEPT
    done
}

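# Init-style dispatcher: start|stop|restart|status.
case "$1" in
start)
    printf 'Starting firewall: '
    _start
    echo done
    ;;
stop)
    printf 'Stopping firewall: '
    _stop
    echo done
    ;;
restart)
    # _start flushes and rebuilds the ruleset behind DROP policies, so it is
    # safe to call on a running firewall.  Going through "stop" first would
    # leave every chain on ACCEPT with no rules until _start finished.
    printf 'Restarting firewall: '
    _start
    echo done
    ;;
status)
    # -n: no reverse DNS lookups (they stall the listing and emit a query for
    # every logged peer address); -v: counters; --line-numbers: positions
    # usable with -D/-I.
    iptables -L -n -v --line-numbers
    ;;
*)
    echo "Usage: $0 {start|stop|restart|status}" >&2
    exit 1
    ;;
esac

exit 0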
