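#!/usr/bin/env bash
#
# Host firewall (IPv4 / iptables) for a two-NIC mail + web server.
#
# Layout assumed by the original rules -- confirm before deploying:
#   EXT_IF  (eth0) : Internet-facing interface
#   INT_IF  (eth1) : internal interface
#   LAN_NET        : the internal network; packets claiming a LAN source on
#                    EXT_IF are treated as spoofed and dropped
#
# Knobs (environment variables, all optional):
#   EXT_IF, INT_IF, LAN_NET   see above
#   SSH_SRC   source allowed to reach tcp/22   (default 0/0, i.e. anyone)
#   SNMP_SRC  source allowed to reach 161      (default LAN_NET)
#
# Notes for whoever operates this box:
#   * Rules are applied live and are NOT persisted; re-run on boot or save
#     them with iptables-save / your distro's persistence package.
#   * IPv4 only. ip6tables is left untouched, so if IPv6 is enabled on this
#     host none of this filtering applies to v6 traffic -- mirror these rules
#     with ip6tables or disable IPv6.
#   * Default policy is set to DROP *before* the chains are flushed so the
#     host fails closed for the few milliseconds while rules are rebuilt.
#     Existing TCP sessions (including the SSH session you run this from)
#     only see retransmits during that window; they are not torn down.
#
# Must run as root.
set -euo pipefail

readonly EXT_IF="${EXT_IF:-eth0}"
readonly INT_IF="${INT_IF:-eth1}"
readonly LAN_NET="${LAN_NET:-192.168.0.0/24}"

# SSH exposed to the world was the original behaviour. Narrow this to a
# bastion / office range if at all possible; if it must stay open, enforce
# key-only auth in sshd and add a brute-force limiter (fail2ban or -m recent).
readonly SSH_SRC="${SSH_SRC:-0/0}"

# The original script opened SNMP (tcp+udp/161) to 0/0. SNMP v1/v2c carries
# its community string in the clear and is a classic UDP amplification
# target, so it is restricted to the monitoring source here. Set SNMP_SRC to
# your poller's address/network; defaulting to the LAN.
readonly SNMP_SRC="${SNMP_SRC:-$LAN_NET}"

#######################################
# Accept inbound TCP connections to a port from a source.
# Arguments: $1 - destination port
#            $2 - source address/network (default 0/0)
#######################################
allow_tcp() {
  local port=$1 src=${2:-0/0}
  iptables -A INPUT -p tcp -s "$src" --dport "$port" -j ACCEPT
}

#######################################
# Accept inbound UDP datagrams to a port from a source.
# Arguments: $1 - destination port
#            $2 - source address/network (default 0/0)
#######################################
allow_udp() {
  local port=$1 src=${2:-0/0}
  iptables -A INPUT -p udp -s "$src" --dport "$port" -j ACCEPT
}

# ---- default policies: fail closed on inbound and transit, allow outbound ----
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# ---- start from empty chains ----
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat

# ---- loopback ----
# The original script never accepted lo, so anything talking to 127.0.0.1
# (local MTA delivery, database sockets over TCP, monitoring agents) was
# dropped by the INPUT policy. Accept it first, then treat 127/8 arriving on
# any *other* interface as spoofed.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP

# ---- connection tracking ----
# Keep replies to our own connections and already-open sessions (this is what
# stops you locking yourself out when re-running the script over SSH).
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot classify (bad TCP flags, out-of-window) are noise
# at best and scan/evasion traffic at worst.
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# ---- anti-spoofing ----
# A packet on the external interface claiming an internal source is bogus.
iptables -A INPUT -i "$EXT_IF" -s "$LAN_NET" -j DROP

# ---- remote administration ----
allow_tcp 22 "$SSH_SRC"

# ---- web ----
allow_tcp 443   # https
allow_tcp 80    # http

# ---- mail ----
# 25/587/110/143 are cleartext on the wire unless the MTA/MDA enforces
# STARTTLS; 465/995/993 are TLS from the first byte. If clients have all moved
# to the TLS ports, consider dropping 110 and 143.
allow_tcp 25    # smtp (server-to-server)
allow_tcp 587   # smtp submission
allow_tcp 465   # smtp over TLS
allow_tcp 110   # pop3
allow_tcp 995   # pop3 over TLS
allow_tcp 143   # imap
allow_tcp 993   # imap over TLS

# ---- monitoring ----
allow_tcp 161 "$SNMP_SRC"
allow_udp 161 "$SNMP_SRC"
# ICMP echo-request so the host stays pingable by monitoring.
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# ---- explicit final drop ----
# The INPUT policy already drops, but an explicit terminal rule makes the
# intent visible in `iptables -L` and gives a single place to hang a
# rate-limited LOG rule in front of if you want visibility into what is
# being refused.
iptables -A INPUT -j DROP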