@TimoDJatomika
Created November 24, 2016 14:35
Simple Firewall script
#!/bin/bash
# create date: 2016-11-24
# last change: 2016-11-24
# author: Timo Stankowitz <[email protected]>
# purpose: Firewall
# Absolute paths to the netfilter front-ends. Only $ipt is used by the
# functions below; $ipt6 is defined but no rule in this script references it.
ipt="/sbin/iptables"
ipt6="/sbin/ip6tables"
# Name of the external (internet-facing) interface that the per-host DROP
# rules in do_start are bound to.
ext="eth0"
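#######################################
# Load the rule set into the filter table.
# Globals:   ipt (read) - path to the iptables binary
#            ext (read) - external interface for the per-host DROP rules
# Outputs:   progress messages on stdout
# Returns:   status of the last iptables call
#
# NOTE: all three default policies are ACCEPT and nothing below drops
# traffic except the two listed hosts and the tcp/139 "recent" trap, so
# every other inbound connection is accepted. Rules are appended with -A
# and this function never flushes, so running "start" twice duplicates
# every rule ("restart" goes through do_stop first, which flushes).
#######################################
do_start() {
  printf '%s\n' "starting firewall"
  # Default policies: accept whatever is not explicitly dropped below.
  "$ipt" -P INPUT ACCEPT
  "$ipt" -P FORWARD ACCEPT
  "$ipt" -P OUTPUT ACCEPT
  # Loopback traffic is always allowed.
  "$ipt" -A INPUT -i lo -j ACCEPT
  # Drop ALL inbound traffic from these two hosts on the external interface
  # (every protocol and port, not only ssh as the original label suggested).
  "$ipt" -A INPUT -i "$ext" -s 218.65.30.170 -j DROP
  "$ipt" -A INPUT -i "$ext" -s 221.229.172.80 -j DROP
  # Port-scan trap: a source that has touched tcp/139 is listed in the
  # "portscan" table and dropped for 3600 s (1 hour). The --rcheck rule must
  # stay ahead of the --remove rule so a listed source is refused first.
  "$ipt" -A INPUT -m recent --name portscan --rcheck --seconds 3600 -j DROP
  "$ipt" -A INPUT -m recent --name portscan --remove
  "$ipt" -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
  # ICMP echo request from anywhere.
  "$ipt" -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
  # Replies to connections this host initiated (e.g. package updates).
  "$ipt" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  printf '%s\n' "firewall is now loaded"
}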
#######################################
# Flush every rule from the filter, nat and mangle tables. Default policies
# are not touched (they are ACCEPT), so the host is fully open afterwards.
# Globals:   ipt (read)
# Outputs:   progress message on stdout
#######################################
do_stop() {
  local table
  printf '%s\n' "stopping firewall"
  "$ipt" -F
  for table in nat mangle; do
    "$ipt" -F -t "$table"
  done
}
#######################################
# List the filter-table rules with packet/byte counters.
# Globals:   ipt (read)
# Outputs:   header line plus iptables listing on stdout
#######################################
do_status() {
  printf '%s\n' "status of the firewall"
  "$ipt" -L -v
  # nat and mangle listings are intentionally left disabled:
  # "$ipt" -L -t nat -v
  # "$ipt" -L -t mangle -v
}
#######################################
# Reload the rule set: flush via do_stop, then rebuild via do_start.
# Outputs:   progress message on stdout (plus whatever stop/start print)
#######################################
do_restart() {
  printf '%s\n' "restarting firewall"
  do_stop && do_start
}
#######################################
# Print the usage line and terminate the script with status 1.
# Reached for a missing or unknown verb.
# Outputs:   usage text on stdout
#######################################
do_help() {
  local script=$0
  printf 'Usage: %s start or stop or status or restart\n' "$script"
  exit 1
}
# Dispatch on the first argument. The three reload spellings all map to a
# full stop/start cycle; anything else (including no argument) shows usage
# and exits 1.
case "$1" in
  start)                        do_start ;;
  stop)                         do_stop ;;
  status)                       do_status ;;
  restart|reload|force-reload)  do_restart ;;
  *)                            do_help ;;
esac