@amineasli
Last active August 29, 2015 14:15
A simple stateful firewall using iptables for a Linux web server. The rules are given in an order that will not immediately disconnect your SSH session if you are logged into a remote machine.
#!/bin/bash
# Default policies for forwarded and outbound traffic; the INPUT policy is set later,
# only after the rule that keeps established sessions (including this SSH one) alive.
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# User-defined chains that handle new TCP and UDP connections.
iptables -N TCP
iptables -N UDP
# Rate-limit ICMP echo requests: record each source, then drop a source that has
# sent 6 or more pings within 4 seconds; otherwise answer pings.
iptables -A INPUT -p icmp --icmp-type echo-request -m recent --name ping_limiter --set
iptables -A INPUT -p icmp --icmp-type echo-request -m recent --name ping_limiter --update --hitcount 6 --seconds 4 -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Accept packets belonging to connections conntrack already knows about. This must be
# in place before the INPUT policy becomes DROP, or the current SSH session dies.
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A TCP -p tcp --dport 22 -j ACCEPT
# Now it is safe to drop everything that is not explicitly allowed.
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
# Drop packets conntrack cannot classify (malformed or out-of-state).
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Hand new connections to the protocol-specific chains; only TCP SYNs count as new.
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
# Port-scan handling with the recent module: a source that hit a closed port in the
# last 60 seconds is rejected at the top of the TCP/UDP chain (-I), and any packet
# that falls through the chains without being accepted marks its source and is rejected.
iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
iptables -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
iptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable
# Services offered to the outside: HTTP, HTTPS, DNS, FTP control, SMTP.
iptables -A TCP -p tcp --dport 80 -j ACCEPT
iptables -A TCP -p tcp --dport 443 -j ACCEPT
iptables -A UDP -p udp --dport 53 -j ACCEPT
iptables -A TCP -p tcp --dport 21 -j ACCEPT
# Active-mode FTP data connections arriving from source port 20. Matching only on the
# remote source port is a weak filter, since the peer controls that value.
iptables -A TCP -p tcp --sport 20 -j ACCEPT
iptables -A TCP -p tcp --dport 25 -j ACCEPT
# NTP. The OUTPUT rule is redundant with the OUTPUT ACCEPT policy, and the INPUT rule
# is appended after the catch-all UDP reject above, so it is never reached; NTP replies
# are already matched by the RELATED,ESTABLISHED rule.
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A INPUT -p udp --sport 123 -j ACCEPT
# Optional catch-all: answer everything else with an ICMP error instead of a silent drop.
#iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
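The description above relies on rule order: the RELATED,ESTABLISHED accept must exist before the INPUT policy becomes DROP, the port 22 rule must be reachable through a jump from INPUT, and a chain must be created before rules are added to it. The following lint, an added example that is not part of the original gist, checks those three invariants over any iptables script; the sample rulesets it writes are constructed (an abridged copy of the gist's order and a deliberately unsafe reordering).

```shell
#!/bin/sh
# Added example, not part of the original gist: a lint that checks an iptables
# script keeps the ordering the gist relies on so a live SSH session survives.
# Invariants: (1) the RELATED,ESTABLISHED accept precedes "-P INPUT DROP";
# (2) some rule accepts --dport 22 and INPUT jumps to that rule's chain;
# (3) every custom chain is created with -N before rules are appended to it.

# first_match FILE ERE: 1-based line number of the first matching line (empty if none).
first_match() { grep -n -E -- "$2" "$1" | head -n 1 | cut -d: -f1; }

# check_ssh_safe_order FILE: returns 0 if all invariants hold, 1 otherwise (reason on stderr).
check_ssh_safe_order() {
    f=$1
    est=$(first_match "$f" "ctstate RELATED,ESTABLISHED -j ACCEPT")
    drop=$(first_match "$f" "^iptables -P INPUT DROP")
    if [ -z "$est" ] || { [ -n "$drop" ] && [ "$est" -gt "$drop" ]; }; then
        echo "ESTABLISHED accept missing or placed after -P INPUT DROP" >&2; return 1
    fi
    ssh=$(first_match "$f" "--dport 22 -j ACCEPT")
    [ -n "$ssh" ] || { echo "no rule accepts --dport 22" >&2; return 1; }
    chain=$(sed -n "${ssh}p" "$f" | awk '{print $3}')   # chain the SSH rule lives in
    if [ "$chain" != INPUT ] && [ -z "$(first_match "$f" "^iptables -A INPUT .*-j $chain$")" ]; then
        echo "INPUT never jumps to chain $chain holding the SSH rule" >&2; return 1
    fi
    for ch in $(sed -n 's/^iptables -N \([A-Za-z0-9_-]*\).*/\1/p' "$f"); do
        created=$(first_match "$f" "^iptables -N $ch( |$)")
        used=$(first_match "$f" "^iptables -(A|I) $ch ")
        if [ -n "$used" ] && [ "$used" -lt "$created" ]; then
            echo "chain $ch used before it is created" >&2; return 1
        fi
    done
}
# Constructed sample in the gist's order (abridged), written to a temp file.
GOOD=$(mktemp)
cat > "$GOOD" <<'EOF'
iptables -P OUTPUT ACCEPT
iptables -N TCP
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A TCP -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
iptables -A TCP -p tcp --dport 80 -j ACCEPT
EOF
# Constructed unsafe variant: the same rules with the DROP policy moved to the top.
BAD=$(mktemp)
{ grep -- '-P INPUT DROP' "$GOOD"; grep -v -- '-P INPUT DROP' "$GOOD"; } > "$BAD"
check_ssh_safe_order "$GOOD" && echo "sample order is SSH-safe"
check_ssh_safe_order "$BAD" || echo "unsafe variant rejected"
```

Run it against your own script with `check_ssh_safe_order /path/to/firewall.sh` before applying the rules over SSH.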