rules.sh

#!/bin/bash

# https://wiki.archlinux.org/index.php/simple_stateful_firewall

iptables -F
iptables -X

iptables -N TCP
iptables -N UDP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

# polite way to reject all that was not accepted until this point
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable

iptables -A TCP -p tcp -s 192.168.1.0/24 -j ACCEPT
iptables -A TCP -p tcp -s 10.0.0.0/8 -j ACCEPT
iptables -A TCP -p tcp -s 192.168.0.0/24 -j ACCEPT
#
iptables -A UDP -p udp -s 192.168.1.0/24 -j ACCEPT
iptables -A UDP -p udp -s 10.0.0.0/8 -j ACCEPT
iptables -A UDP -p udp -s 192.168.0.0/24 -j ACCEPT


## synergy
#iptables -A TCP -p tcp --dport 24800 -s 192.168.1.247 -j ACCEPT
## ssh from LAN
#iptables -A TCP -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT