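#!/bin/sh
### BEGIN INIT INFO
# Provides: firewall
# Short-Description: Firewall script
# Description: Sets up iptables rules
### END INIT INFO
# NOTE(review): the LSB header carries no Required-Start/Default-Start
# fields; add them if this script is registered with insserv/update-rc.d.

# Abort on the first failing command. Without this a failed iptables call
# (binary missing, not running as root, module not loaded) is skipped, the
# script still exits 0, and the host may be left on the temporary ACCEPT
# policy with a partial rule set while reporting success.
set -e

# iptables binary; every rule in this script goes through it.
IPT=/sbin/iptables
# Public-facing interface the INPUT rules are bound to.
IF="eth0"
# This host's own address. The /30 around it is treated as the trusted
# "local network" below. Placeholder value - replace before deploying.
MY_IP="1.2.3.4"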
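d_start() {
  # Install the INPUT rule set.
  #
  # Order matters: the policy is switched to ACCEPT and the chain flushed
  # before any rule is added, so an open session (e.g. the admin's SSH) is
  # not cut off while the chain is rebuilt. The cost is a short window in
  # which everything is accepted; iptables-restore would apply the whole
  # set atomically if that window is a concern.
  #
  # Only the INPUT chain is managed: OUTPUT and FORWARD keep whatever policy
  # they already have, and IPv6 (ip6tables) is not touched at all.

  # Temporarily set default policy to accept
  "$IPT" -P INPUT ACCEPT
  # Flush input chain
  "$IPT" -F INPUT
  # Allow replies and related packets of connections already being tracked
  # (-m state still works but is an alias of -m conntrack --ctstate on
  # current kernels)
  "$IPT" -A INPUT -i "$IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Accept all traffic from the /30 around our own address ("local network")
  "$IPT" -A INPUT -i "$IF" -s "${MY_IP}/30" -j ACCEPT
  # Accept everything on loopback. This already covers 127.0.0.0/8, so the
  # former source-restricted loopback rule was redundant and is dropped.
  "$IPT" -A INPUT -i lo -j ACCEPT
  # Rate-limit ICMP that is not a trailing fragment (! -f); anything beyond
  # the limit, and trailing fragments, fall through to the DROP
  "$IPT" -A INPUT -i "$IF" -p icmp ! -f -m limit --limit 100/second --limit-burst 50 -j ACCEPT
  "$IPT" -A INPUT -i "$IF" -p icmp -j DROP
  # Open specific TCP ports to the world (new connections, SYN only).
  # NOTE(review): 23 is telnet (cleartext credentials) and 3128 is the squid
  # default; confirm both are meant to be reachable from everywhere. There
  # is no rule for 22 - if sshd listens on the default port, new SSH
  # sessions are blocked once the DROP policy below is in place.
  for port in 23 6668 10025 3128 443 80 9875; do
    "$IPT" -A INPUT -i "$IF" -m state --state NEW -p tcp --syn --dport "$port" -j ACCEPT
  done
  # Drop everything else (DROP, not REJECT: unmatched packets are silently
  # discarded, no ICMP error is sent back)
  "$IPT" -P INPUT DROP
}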
d_stop() {
  # Tear the INPUT rule set down: restore the ACCEPT policy first so the
  # flush cannot strand established sessions, then remove every rule.
  # After this the host accepts all inbound traffic on every interface.
  "${IPT}" -P INPUT ACCEPT
  "${IPT}" -F INPUT
}
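# Dispatch on the init-script action. Exit status: 0 on success, 3 (LSB
# "unimplemented feature") for an unknown or missing action. printf is
# used instead of `echo -n`: under #!/bin/sh the -n flag is not portable
# (POSIX leaves it unspecified and some shells print it literally).
case "$1" in
  start)
    printf 'Starting firewall'
    d_start
    printf '.\n'
    ;;
  stop)
    printf 'Stopping firewall'
    d_stop
    printf '.\n'
    ;;
  restart)
    printf 'Restarting firewall'
    # d_start resets the chain itself; the explicit d_stop keeps restart
    # identical to running the stop and start actions back to back.
    d_stop
    d_start
    printf '.\n'
    ;;
  *)
    printf 'Usage: %s {start|stop|restart}\n' "$0" >&2
    exit 3
    ;;
esac
exit 0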