iptables

HOW TO

sudo cp iptables_rules.sh /etc/init.d/iptables
#edit rules/port before
sudo chmod +x /etc/init.d/iptables
#run the script automatically during start up 
update-rc.d iptables defaults

/etc/init.d/iptables start

iptables_rules.sh

#!/bin/bash
# iptables-default
# www.tym-project.fr/blog
# [email protected]
### BEGIN INIT INFO
# Provides:          iptables
# Required-Start:    $local_fs $remote_fs $network $syslog
# Required-Stop:     $local_fs $remote_fs $network $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Set up iptables at boot time
# Description:       Enable service provided by iptables.
### END INIT INFO
PATH="/sbin"
TCP_PORTS="22 80 443"

function stop {
    for IPTABLES in iptables ip6tables;do
        $IPTABLES -P INPUT ACCEPT
        $IPTABLES -P FORWARD ACCEPT
        $IPTABLES -P OUTPUT ACCEPT
        $IPTABLES -F
        $IPTABLES -X
    done
    if [ -e /etc/init.d/fail2ban ]; then
        /etc/init.d/fail2ban restart
    fi
}

function start {
    for IPTABLES in iptables ip6tables;do
        $IPTABLES -F
        $IPTABLES -P INPUT DROP
        $IPTABLES -P FORWARD DROP
        $IPTABLES -P OUTPUT DROP
        $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    for port in $TCP_PORTS;do
        $IPTABLES -A INPUT -p tcp --dport $port -j ACCEPT
        $IPTABLES -A INPUT -p udp --dport $port -j ACCEPT
    done
    $IPTABLES -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    # ICMP (Ping)
    $IPTABLES -A INPUT -p icmp -j ACCEPT
    done
    if [ -e /etc/init.d/fail2ban ];then
        /etc/init.d/fail2ban restart
    fi
}

function restart {
    stop
    start
}

case $1 in
    start)
    start
    ;;
    stop)
    stop
    ;;
    restart)
    restart
    ;;
    *)
    echo "usage: iptables {start|stop|restart}"
    exit 1
    ;;
esac