iptables-script

#!/bin/sh

# iptables script generated -
# http://www.mista.nu/iptables

IPT="/sbin/iptables"

# Flush old rules, old custom tables
$IPT --flush
$IPT --delete-chain

# Set default policies for all three default chains
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

# Enable free use of loopback interfaces
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# All TCP sessions should begin with SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -s 0.0.0.0/0 -j DROP

# Accept inbound TCP packets
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow incoming SSH on port other than 22 (sshd runs on 9282)
$IPT -A INPUT -p tcp --dport 9282 -m state --state NEW -j ACCEPT

# Accept outbound packets, and outgoing DNS.
$IPT -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

# Outgoing http to certain hosts: Ubuntu APT, PyPy
$IPT -A OUTPUT -p tcp --dport 80 -d azure.archive.ubuntu.com,security.ubuntu.com,pypi.python.org -m state --state NEW -j ACCEPT

# Outgoing https for certain hosts: Let's encrypt: PyPy
$IPT -A OUTPUT -p tcp --dport 443 -d acme-v01.api.letsencrypt.org,pypi.python.org,letsencrypt.org  -m state --state NEW -j ACCEPT

## Incoming Webserver 80/443
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
$IPT -A INPUT -p tcp --dport 443 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT