jamesgolick/gist:14576

## gistfile1.txt
# Remove all rules and chains
iptables -F
iptables -X

# first set the default behaviour => accept connections
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# Create 2 chains, it allows to write a clean script
iptables -N FIREWALL
iptables -N TRUSTED

# Allow ESTABLISHED and RELATED incoming connection
iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow loopback traffic
iptables -A FIREWALL -i lo -j ACCEPT
# Send all package to the TRUSTED chain
iptables -A FIREWALL -j TRUSTED
# DROP all other packets
iptables -A FIREWALL -j DROP

# Send all INPUT packets to the FIREWALL chain
iptables -A INPUT -j FIREWALL

# DROP all forward packets, we don't share internet connection in this example
iptables -A FORWARD -j DROP

iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT

## gistfile2.txt
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  12M 1058M FIREWALL   all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 7722K packets, 27G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FIREWALL (1 references)
 pkts bytes target     prot opt in     out     source               destination
  11M 1017M ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 330K   30M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 199K   11M TRUSTED    all  --  *      *       0.0.0.0/0            0.0.0.0/0
 5373  243K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain TRUSTED (1 references)
 pkts bytes target     prot opt in     out     source               destination
  176 10536 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
 194K   11M ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
	# Remove all rules and chains
	iptables -F
	iptables -X

	# first set the default behaviour => accept connections
	iptables -P INPUT ACCEPT
	iptables -P OUTPUT ACCEPT
	iptables -P FORWARD ACCEPT

	# Create 2 chains, it allows to write a clean script
	iptables -N FIREWALL
	iptables -N TRUSTED

	# Allow ESTABLISHED and RELATED incoming connection
	iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
	# Allow loopback traffic
	iptables -A FIREWALL -i lo -j ACCEPT
	# Send all package to the TRUSTED chain
	iptables -A FIREWALL -j TRUSTED
	# DROP all other packets
	iptables -A FIREWALL -j DROP

	# Send all INPUT packets to the FIREWALL chain
	iptables -A INPUT -j FIREWALL

	# DROP all forward packets, we don't share internet connection in this example
	iptables -A FORWARD -j DROP

	iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
	iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
	Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
	pkts bytes target prot opt in out source destination
	12M 1058M FIREWALL all -- * * 0.0.0.0/0 0.0.0.0/0

	Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
	pkts bytes target prot opt in out source destination
	0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

	Chain OUTPUT (policy ACCEPT 7722K packets, 27G bytes)
	pkts bytes target prot opt in out source destination

	Chain FIREWALL (1 references)
	pkts bytes target prot opt in out source destination
	11M 1017M ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
	330K 30M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
	199K 11M TRUSTED all -- * * 0.0.0.0/0 0.0.0.0/0
	5373 243K DROP all -- * * 0.0.0.0/0 0.0.0.0/0

	Chain TRUSTED (1 references)
	pkts bytes target prot opt in out source destination
	176 10536 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
	194K 11M ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80