Just a firewall script configuring iptables.
#!/bin/bash
# Description: Firewall script. This is great, but maybe you should consider 'iptables-persistent'
# Absolute path of the iptables binary used by every function below
# (quoted so the value is taken literally; avoids relying on $PATH).
iptables="/sbin/iptables"
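function start_firewall {
  # Build the filter ruleset from scratch: default-deny inbound and
  # forwarded traffic, allow loopback, stateful replies, and an explicit
  # list of services and peers on eth0.
  # Globals:  iptables (read) - path of the iptables binary
  # Outputs:  iptables diagnostics, if any, on stderr
  # Returns:  status of the last iptables call (the file does not use
  #           set -e, so an individual failed rule does not abort)
  local self_name

  # Clean Rules (-F flushes every chain of the filter table but leaves
  # user-defined chains such as LOGGING in place; see stop_firewall)
  "$iptables" -F
  # Politica general: default-deny in / forward, allow out
  "$iptables" -P INPUT DROP
  "$iptables" -P FORWARD DROP
  "$iptables" -P OUTPUT ACCEPT
  # localhost
  "$iptables" -A INPUT -i lo -j ACCEPT
  "$iptables" -A INPUT -s localhost -d localhost -j ACCEPT
  # The host's own name is resolved once, at load time; if resolution
  # fails iptables reports an error and this single rule is skipped.
  self_name=$(hostname)
  "$iptables" -A INPUT -s "$self_name" -d "$self_name" -j ACCEPT
  # connections: replies to traffic this host initiated, for every
  # protocol, not only TCP. This covers DNS and NTP answers, so the
  # former "--sport domain" accepts are gone: they matched only on the
  # remote source port, which any sender chooses freely, and therefore
  # let arbitrary packets from port 53 reach every local port. The rule
  # sits before the hostname-based rules below so their lookups succeed.
  "$iptables" -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
  # SSH
  "$iptables" -A INPUT -i eth0 -p tcp --dport ssh -j ACCEPT
  # HTTP
  "$iptables" -A INPUT -i eth0 -p tcp --dport www -j ACCEPT
  "$iptables" -A INPUT -i eth0 -p tcp --dport https -j ACCEPT
  # PostgreSQL
  # $iptables -A INPUT -i eth0 -p tcp -s 188.165.208.168 --dport 5432 -j ACCEPT
  # MySQL
  # Input connections from CINK HQs
  "$iptables" -A INPUT -i eth0 -p tcp -s 62.97.101.26 --dport 3306 -j ACCEPT
  # BS2C Sentry - Conexión desde bcn.cink.es
  # $iptables -A INPUT -i eth0 -p tcp -s 80.39.72.43 --dport 9091 -j ACCEPT
  # ICMP: echo replies (type 0) to our own pings are ESTABLISHED,RELATED
  # and already accepted by the state rule above.
  # $iptables -A OUTPUT -p icmp --icmp-type 8 -o eth0 -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j
  ###############################################################
  # RTM: Real Time Monitoring #
  # OVH necesita los siguientes accesos para la monitorizacion, #
  # intervenciones, RTM y las MRTG. #
  ###############################################################
  # NOTE: the host names below are resolved by DNS once, when the rule
  # is loaded; later address changes are not picked up until a restart.
  # PING (monitoring from OVH)
  "$iptables" -A INPUT -i eth0 -p icmp -s ping.ovh.net -j ACCEPT
  "$iptables" -A INPUT -i eth0 -p icmp -s cache.ovh.net -j ACCEPT
  "$iptables" -A INPUT -i eth0 -p icmp -s proxy.ovh.net -j ACCEPT
  "$iptables" -A INPUT -i eth0 -p icmp -s proxy.p19.ovh.net -j ACCEPT
  "$iptables" -A INPUT -i eth0 -p icmp -s proxy.sbg.ovh.net -j ACCEPT
  "$iptables" -A INPUT -i eth0 -p icmp -s proxy.gra.ovh.net -j ACCEPT
  "$iptables" -A INPUT -i eth0 -p icmp -s proxy.rbx.ovh.net -j ACCEPT
  "$iptables" -A INPUT -i eth0 -p icmp -s proxy.rbx2.ovh.net -j ACCEPT
  "$iptables" -A INPUT -i eth0 -p icmp -s proxy.rbx3.ovh.net -j ACCEPT
  "$iptables" -A INPUT -i eth0 -p icmp -s proxy.rbx4.ovh.net -j ACCEPT
  "$iptables" -A INPUT -i eth0 -p icmp -s a2.ovh.net -j ACCEPT
  # RTM (servidor SLA)
  "$iptables" -A INPUT -i eth0 -p icmp -s 188.165.208.250 -j ACCEPT
  # MRTG (servidor monitoring)
  "$iptables" -A INPUT -i eth0 -p icmp -s 188.165.208.251 -j ACCEPT
  # SSH (acceso admins OVH)
  "$iptables" -A INPUT -i eth0 -p tcp --dport ssh -s cache.ovh.net -j ACCEPT
  # NTP (acceso ntp OVH)
  "$iptables" -A INPUT -i eth0 -p udp --dport ntp -s ntp.ovh.net -j ACCEPT
}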
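function enable_logging {
  # Send everything INPUT did not accept through a LOGGING chain that
  # records it and then drops it. Idempotent: the chain is created only
  # when absent, its rules are rebuilt, and the INPUT jump is added only
  # if it is not already there (repeated "log" calls used to stack
  # duplicate jumps and rules).
  # Globals:  iptables (read) - path of the iptables binary
  # Returns:  status of the last iptables call
  "$iptables" -n -L LOGGING >/dev/null 2>&1 || "$iptables" -N LOGGING
  "$iptables" -F LOGGING
  # Rate-limit the LOG target so a flood of dropped packets cannot fill
  # the kernel log; the limit is per rule, not per source.
  "$iptables" -A LOGGING -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
  "$iptables" -A LOGGING -j DROP
  "$iptables" -C INPUT -j LOGGING >/dev/null 2>&1 || "$iptables" -A INPUT -j LOGGING
}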
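function disable_logging {
  # Undo enable_logging. The jump from INPUT must go first: iptables
  # refuses to delete (-X) a chain that is still referenced, so the
  # original flush-then-delete left the LOGGING chain (and the jump)
  # in place. The loop removes every copy of the jump, in case older
  # runs stacked several.
  # Globals:  iptables (read) - path of the iptables binary
  # Returns:  status of the last iptables call
  while "$iptables" -D INPUT -j LOGGING 2>/dev/null; do
    :
  done
  "$iptables" -F LOGGING
  "$iptables" -X LOGGING
}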
function stop_firewall {
  # Open the firewall back up: drop every rule, set the three built-in
  # chains back to ACCEPT and remove the LOGGING chain if it exists.
  # Globals:  iptables (read) - path of the iptables binary
  # Returns:  status of the last iptables call
  local chain
  # Clean Rules
  "$iptables" -F
  # Politica general: everything accepted again
  for chain in INPUT FORWARD OUTPUT; do
    "$iptables" -P "$chain" ACCEPT
  done
  # The flush above already removed INPUT's jump into LOGGING, so the
  # chain can be deleted; iptables prints an error if it never existed.
  "$iptables" -X LOGGING
}
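# Entry point (init.d style): the first argument selects the action.
# The action is validated before anything else so a bad argument still
# prints usage for any user; then root is required once, up front,
# instead of failing once per iptables rule.
case "$1" in
  start|stop|restart|log|unlog)
    ;;
  *)
    # Report the path the script was actually invoked as, not a
    # hard-coded install location
    echo "Usage: $0 {start|stop|restart|log|unlog}" >&2
    exit 1
    ;;
esac
if [ "$EUID" -ne 0 ]; then
  echo "$0: must be run as root to change iptables rules" >&2
  exit 1
fi
case "$1" in
  start)
    start_firewall
    ;;
  stop)
    stop_firewall
    ;;
  restart)
    stop_firewall
    start_firewall
    ;;
  log)
    enable_logging
    ;;
  unlog)
    disable_logging
    ;;
esac
exit 0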