@stamm
Created April 20, 2011 20:26
Install this script as /etc/init.d/rc.firewall (root-owned, executable) and enable it with your distribution's init tooling (e.g. update-rc.d / insserv, which read the LSB header below) so the rule set is loaded at boot.
#! /bin/sh
### BEGIN INIT INFO
# Provides: rc.firewall
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: starts the firewall, NAT
# Description: starts the firewall, NAT
### END INIT INFO
# Author: Rustam Zagirov <rustam@zagirov.name>
#
# Do NOT "set -e"
# PATH should only include /usr/* if it runs after the mountnfs.sh script
# Fixed, minimal PATH so the modprobe/echo calls below do not depend on
# whatever environment the script was invoked from; /usr/* is only usable
# here because the LSB header orders this script after everything else.
PATH=/sbin:/usr/sbin:/bin:/usr/bin
# Absolute path to the iptables binary, for the same reason.
IPTABLES="/sbin/iptables"
# Identity strings used in the usage message.
NAME=rc.firewall
SCRIPTNAME="/etc/init.d/${NAME}"
DESC="Firewall"
#
# Function that installs the complete rule set (policies, kernel settings, chains)
#
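do_start()
{
    # Build the INPUT/FORWARD rule set from scratch.
    #
    # Globals read: IPTABLES.  Takes no arguments.  The script deliberately
    # does not "set -e", so a rule that iptables rejects is reported on
    # stderr and the remaining rules are still loaded.
    #
    # --- site configuration -------------------------------------------
    # Source networks allowed to reach *every* port on this host.
    HOME_MASKS="192.168.0.0/24"
    # TCP ports reachable from anywhere (comma list for -m multiport).
    OPEN_PORTS="22,80,443"
    # Extra single addresses allowed everything, space-separated; empty
    # means none.  (The original held the placeholder "##", which iptables
    # rejects as a host, so that rule never loaded.)
    WHITE_IPS=""
    # Address exempted from the SSH brute-force throttle; empty = nobody.
    # (The original wrote the literal "#IP#/32" on the rule line; the shell
    # treats "#IP#..." as the start of a comment, so the throttle chain was
    # created but never attached to INPUT.)
    SSH_NOCHECK_IP=""
    # Set DEBUG_ACCEPT_ALL=1 in the environment to insert an unconditional
    # INPUT ACCEPT for troubleshooting.  Every rule after it is dead code
    # while it is in, so it defaults to off; the original had this rule
    # hard-wired on, which left INPUT wide open.
    DEBUG_ACCEPT_ALL="${DEBUG_ACCEPT_ALL:-0}"

    # --- kernel settings ----------------------------------------------
    # Reverse-path filtering: the kernel applies max(conf/all, conf/<iface>)
    # to an interface, and conf/default only seeds interfaces created later,
    # so "all" must be set too or existing interfaces are not covered.
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
    # NOTE(review): forwarding is switched on here, but the FORWARD chain
    # drops everything and no nat rules are installed below, so nothing is
    # actually routed or masqueraded despite the "NAT" in the LSB header.
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Connection-tracking and NAT helpers.  Several of these are legacy
    # names (ip_conntrack, ip_nat_ftp, ipt_LOG) that newer kernels do not
    # provide; a missing module is reported by modprobe and ignored, as in
    # the original.
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    modprobe nf_nat_pptp
    modprobe nf_conntrack_pptp
    modprobe nf_conntrack_proto_gre
    modprobe nf_nat_proto_gre
    modprobe iptable_nat
    modprobe ip_nat_ftp
    modprobe ipt_LOG

    # --- reset ---------------------------------------------------------
    # Default policies go to DROP *before* the flush, so there is no
    # fail-open window while the chains are being rebuilt.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -t nat -F PREROUTING
    $IPTABLES -t nat -F POSTROUTING

    if [ "$DEBUG_ACCEPT_ALL" = "1" ]; then
        echo "rc.firewall: DEBUG_ACCEPT_ALL=1 - INPUT accepts everything" >&2
        $IPTABLES -A INPUT -j ACCEPT
    fi

    # --- sanity drops --------------------------------------------------
    # A new TCP connection must begin with a bare SYN.
    $IPTABLES -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    $IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW -j DROP
    # Loopback is unrestricted.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    # Traffic belonging to connections we already track.  RELATED also
    # covers ICMP errors for those connections, which is why the blanket
    # ICMP drop further down is safe for path-MTU discovery.
    $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Trusted networks get everything.  NOTE(review): this matches on the
    # source address only; if the box has more than one interface, pin the
    # rule to the LAN side with -i so a spoofed 192.168.0.x arriving on the
    # other interface is not enough (rp_filter helps but is not a substitute).
    for net in $HOME_MASKS; do
        $IPTABLES -A INPUT -s "$net" -j ACCEPT
    done
    # FIN-without-ACK probes: log and drop.  The LOG rule is rate-limited so
    # a scanner cannot use it to flood syslog.
    $IPTABLES -A INPUT -p tcp --tcp-flags ACK,FIN FIN -m limit --limit 5/min -j LOG --log-prefix "Stealth scan"
    $IPTABLES -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
    # Individually whitelisted addresses.
    for ip in $WHITE_IPS; do
        $IPTABLES -A INPUT -s "$ip" -j ACCEPT
    done

    # --- SSH brute-force throttle -------------------------------------
    # A source that has registered 5 or more new SSH connections within
    # 600 s is dropped (see xt_recent --hitcount for the exact boundary);
    # --update refreshes the timestamp, so each further attempt extends the
    # block.  The list is named so it can be inspected and cleared via
    # /proc/net/xt_recent/SSH.
    $IPTABLES -N ssh_brute_check
    $IPTABLES -A ssh_brute_check -m recent --name SSH --update --seconds 600 --hitcount 5 -j DROP
    $IPTABLES -A ssh_brute_check -m recent --name SSH --set -j ACCEPT
    if [ -n "$SSH_NOCHECK_IP" ]; then
        $IPTABLES -A INPUT -p tcp ! -s "$SSH_NOCHECK_IP" --dport 22 -m conntrack --ctstate NEW -j ssh_brute_check
    else
        $IPTABLES -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ssh_brute_check
    fi

    # --- public services ----------------------------------------------
    $IPTABLES -A INPUT -p tcp --syn -m multiport --destination-ports "$OPEN_PORTS" -j ACCEPT
    # ICMP: echo-request only; any other ICMP that is not RELATED to a
    # tracked connection is dropped.
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    $IPTABLES -A INPUT -p icmp -j DROP
    # Explicit final drops.  Same effect as the chain policies; kept so the
    # counters show what would otherwise be eaten silently by the policy.
    $IPTABLES -A INPUT -j DROP
    $IPTABLES -A FORWARD -j DROP
}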
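do_stop()
{
    # Disable the firewall.
    #
    # The default policies are reset to ACCEPT *before* the flush.  The
    # original flushed while INPUT and FORWARD were still DROP, which left
    # the host with no rules and a DROP policy: "stop" silently cut every
    # inbound packet, including the SSH session it was run from.  This is
    # fail-open on purpose - "stop" means no filtering - so only run it
    # deliberately; use "restart" to reload the rules.
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -F
    $IPTABLES -X
    # Flush and delete the whole nat table; the original cleared only
    # PREROUTING and POSTROUTING and left nat OUTPUT and user chains behind.
    $IPTABLES -t nat -F
    $IPTABLES -t nat -X
}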
#
# Function that rebuilds the rule set (used by "restart"); there is no daemon to signal
#
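do_reload() {
    # Reload the rule set in place.
    #
    # do_start already sets the default policies and flushes every chain
    # before adding rules, so passing through do_stop first only introduces
    # a transient state (fully closed or fully open, depending on how
    # do_stop is written) without changing the end result.  Calling
    # do_start directly keeps the host filtered throughout the restart.
    do_start
    return 0
}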
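case "$1" in
    start)
        do_start
        ;;
    stop)
        do_stop
        ;;
    restart|force-reload)
        # force-reload is mandatory for an LSB init script; this one has no
        # separate "reload", so it is the same operation as restart.
        do_reload
        ;;
    status)
        # The usage line always advertised "status" but no branch handled
        # it, so it fell through to the usage error.  Print the live rule
        # set with counters so an operator can confirm what is loaded.
        $IPTABLES -L -n -v
        ;;
    *)
        echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
        exit 3
        ;;
esac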