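#!/bin/sh
#
# Host firewall for a single-interface server: reset every iptables table,
# default to DROP on INPUT/FORWARD, then open only the services this host
# runs (SSH, FTP with its passive range, HTTP/HTTPS).  Must run as root.
#
# Abort on the first failing command so a partially applied rule set is
# never mistaken for a finished one (e.g. when run without root, every
# iptables call below would otherwise fail one after another and the script
# would still exit 0).
set -eu

if [ "$(id -u)" -ne 0 ]; then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi

# Disable forwarding (as there is only one interface)
echo 0 >/proc/sys/net/ipv4/ip_forward

# Flush all specific rules in every table (-F with no -t is the filter table,
# so a separate "-F -t filter" would only repeat the first call)
iptables -F
iptables -F -t mangle
iptables -F -t nat

# Set counters to zero (same table defaulting as above)
iptables -Z
iptables -Z -t mangle
iptables -Z -t nat

# Configure default policies (-P): the rule applied when no more specific
# rule below matches.  Defaults are to DROP anything sent to the firewall or
# forwarded through it, and permit anything going out.
# NOTE: from this point until the ESTABLISHED,RELATED rule is appended,
# packets of existing sessions (including the SSH session running this
# script) are dropped; TCP retransmission normally covers that short gap.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

##########
# Allow  #
##########

# Allow ICMP (all types) from anywhere
iptables -A INPUT -p icmp -j ACCEPT

# Permit packets in to the firewall itself that are part of existing and
# related connections.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow everything on the loopback interface.  This is the only interface
# trusted unconditionally; there is no separate internal-network interface
# on this host.
iptables -A INPUT -i lo -j ACCEPT

# Accept TCP connection requests (SYN) only for the services this host runs:

# SSH on port 22 from anywhere
iptables -A INPUT -p tcp --dport 22 --syn -j ACCEPT

# FTP server: control port plus the passive data range, see /etc/proftpd.conf
iptables -A INPUT -p tcp --dport 21 --syn -j ACCEPT
iptables -A INPUT -p tcp --dport 6100:7000 --syn -j ACCEPT

# HTTP and HTTPS
iptables -A INPUT -p tcp --dport 80 --syn -j ACCEPT
iptables -A INPUT -p tcp --dport 443 --syn -j ACCEPT

# Finally, explicitly DROP all other connection requests.  These are
# redundant with the INPUT policy above; they are kept so the drops are
# counted on their own rules rather than on the chain policy.
iptables -A INPUT -p udp -j DROP
iptables -A INPUT -p tcp --syn -j DROP

#### the end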