Here is a basic firewall script for servers running HTTP and FTP. The script is commented so it's easy to put in additional rules. Also note that you have to put your own DNS server in the $dnsIP variable. Additional ports (tcp or udp) to be opened may be placed in the allow_tcp and allow_udp variables. Before using the script make sure to do chmod +x iptables.sh first.

Usage:


./iptables.sh start
or
./iptables.sh stop

and now the script:

#!/bin/sh
# John Homer H Alvero
# [email protected]
# March 9, 2010

set -e                  # abort on the first failing command

# Binaries used below.
iptables=/sbin/iptables
modprobe=/sbin/modprobe

# The one resolver this host may talk to (replace with your own).
dnsIP='8.8.8.8'

# Space-separated port lists opened to the network.
# NOTE(review): this opens SSH and HTTP only; FTP (21) is not opened here,
# and FTP data connections would also need the kernel's FTP
# connection-tracking helper -- confirm before relying on it.
allow_tcp='80 22'
allow_udp=''

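# Install the ruleset.
# Globals (read): iptables, modprobe, dnsIP, allow_tcp, allow_udp
# Exits the script (via 'set -e') on the first failing command.
load () {
        echo "Loading Kernel modules"
        # NOTE(review): if a modprobe fails here under 'set -e', the script
        # exits while the ACCEPT policies set by flush() are still in place,
        # i.e. the host is left unfiltered.  These are the legacy module
        # names; on newer kernels they are usually satisfied by aliases or
        # built-in code -- verify on the target kernel.
        $modprobe ip_tables
        $modprobe ip_conntrack
        $modprobe iptable_filter
        $modprobe ipt_state
        echo "Kernel modules loaded."

        echo "Loading rules"

        # Default policies first, so that a failure later in this function
        # fails closed (everything dropped) rather than open.
        $iptables -P FORWARD DROP
        $iptables -P INPUT DROP
        $iptables -P OUTPUT DROP

        # Loopback: match on the interface, not the address.  The previous
        # '-s 127.0.0.1' INPUT rule matched a spoofed 127.0.0.1 source on any
        # interface, and with OUTPUT dropped by default a local process could
        # not even open a connection to a local service (the first packet is
        # state NEW, which no OUTPUT rule accepted).
        $iptables -A INPUT -i lo -j ACCEPT
        $iptables -A OUTPUT -o lo -j ACCEPT

        # Stateful: replies to already-accepted connections, both directions.
        # Without the INPUT half, nothing added under "additional rules" for
        # outbound traffic would ever receive its replies.
        $iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        $iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

        # DNS queries to the configured resolver only.
        $iptables -A INPUT -p udp -s "$dnsIP/32" --source-port 53 -d 0/0 --destination-port 1024:65535 -j ACCEPT
        $iptables -A OUTPUT -p udp --destination "$dnsIP" --dport 53 -j ACCEPT

        # Services exposed to the network.  The lists are intentionally
        # word-split; an empty list simply adds no rule.
        for port in $allow_tcp; do
                $iptables -A INPUT -p tcp -m tcp --destination-port "$port" -j ACCEPT
        done
        for port in $allow_udp; do
                $iptables -A INPUT -p udp --destination-port "$port" -j ACCEPT
        done

        #Add additional rules here.

        echo "Rules loaded."
}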

# Remove the ruleset: reset every filter chain to accept-all, then drop
# the rules themselves.  The host is unfiltered until load() runs again.
# Globals (read): iptables
flush () {
        echo "Flushing rules..."
        for chain in FORWARD OUTPUT INPUT; do
                $iptables -P "$chain" ACCEPT
        done
        $iptables -F
        echo "Rules flushed."
}

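# Dispatch on the single sub-command.  'start' and 'restart' are the same
# operation: wipe whatever is loaded, then install the ruleset.
case "$1" in
        start|restart)
                # With 'set -e' a failing modprobe/iptables call aborts the
                # script part way through.  Depending on where that happens
                # the host is then either unfiltered (flush() has already set
                # ACCEPT policies) or locked down with an incomplete ruleset
                # (load() has already set DROP), so make the abort visible.
                trap 'echo "error: aborted before the ruleset was fully applied; inspect iptables -L -n" >&2' EXIT
                flush
                load
                trap - EXIT
                ;;
        stop)
                flush
                ;;
        *)
                # Usage errors go to stderr and return non-zero; reporting
                # success here would hide a mistyped sub-command from callers.
                echo "usage: ${0##*/} start|stop|restart" >&2
                exit 2
                ;;
esac
exit 0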