@stlehmann
Last active July 9, 2017 18:28
Configure IPTables. Source https://wiki.archlinux.de/title/Iptables
#!/bin/bash
# Ports: list here which ports are to be opened
SERVICES_UDP="1194" # permitted UDP ports
SERVICES_TCP="22 25 1883 8080 8883 22044 80 5000 443 943" # permitted TCP ports (here sshd and http)
# Delete all chains
iptables -F # flush all chains (delete rules one by one) on the default table
iptables -t nat -F # flush all chains on the nat table
iptables -t mangle -F # flush all chains on the mangle table
iptables -X # delete all user-defined chains in the default table
iptables -t nat -X # delete all user-defined chains in the nat table
iptables -t mangle -X # delete all user-defined chains in the mangle table
# Basic rules by setting the policy (applied when no rule matches)
iptables -P OUTPUT ACCEPT # allow outgoing connections
iptables -P INPUT DROP # drop incoming connections
iptables -P FORWARD DROP # drop forwarded connections
# Security
iptables -N other_packets # create chain "other_packets"
iptables -A other_packets -p ALL -m state --state INVALID -j DROP # drop invalid packets
iptables -A other_packets -p icmp -m limit --limit 1/s -j ACCEPT # limit ICMP to max. 1 packet/sec
iptables -A other_packets -p ALL -j RETURN # leave chain "other_packets"
iptables -N service_sec # create chain "service_sec"
iptables -A service_sec -p tcp --syn -m limit --limit 2/s -j ACCEPT # accept tcp packets with only the SYN flag but limit them to 2 packets/s (SYN flood attacks)
iptables -A service_sec -p tcp --syn -j DROP # drop SYNs above the limit; without this they would RETURN and hit the ACCEPT in "services"
iptables -A service_sec -p tcp ! --syn -m state --state NEW -j DROP # drop new connections that do not start with the SYN flag
iptables -A service_sec -p tcp --tcp-flags ALL NONE -m limit --limit 1/h -j ACCEPT # strongly limit port scanners (NULL scan) to 1/h
iptables -A service_sec -p tcp --tcp-flags ALL NONE -j DROP # drop NULL packets above the limit
iptables -A service_sec -p tcp --tcp-flags ALL ALL -m limit --limit 1/h -j ACCEPT # strongly limit port scanners (XMAS scan) to 1/h
iptables -A service_sec -p tcp --tcp-flags ALL ALL -j DROP # drop XMAS packets above the limit
iptables -A service_sec -p ALL -j RETURN # leave chain "service_sec"
iptables -N reject_packets # create chain "reject_packets"
iptables -A reject_packets -p tcp -j REJECT --reject-with tcp-reset # reject tcp packets
iptables -A reject_packets -p udp -j REJECT --reject-with icmp-port-unreachable # reject udp packets
iptables -A reject_packets -p icmp -j REJECT --reject-with icmp-host-unreachable # reject ICMP packets (if more than 1/s, see above)
iptables -A reject_packets -j REJECT --reject-with icmp-proto-unreachable # reject all other packets (protocols)
iptables -A reject_packets -p ALL -j RETURN # leave chain "reject_packets"
# Services
iptables -N services # create chain "services"
for port in $SERVICES_TCP ; do # add the following rules for each tcp port in SERVICES_TCP
    iptables -A services -p tcp --dport $port -j service_sec # jump to chain "service_sec"
    iptables -A services -p tcp --dport $port -j ACCEPT # accept packets with the allowed ports as destination
done
for port in $SERVICES_UDP ; do # add the following rules for each udp port in SERVICES_UDP
    iptables -A services -p udp --dport $port -j service_sec # jump to chain "service_sec" (its rules only match tcp, so this is a no-op for udp)
    iptables -A services -p udp --dport $port -j ACCEPT # accept UDP packets with the allowed ports as destination
done
iptables -A services -p ALL -j RETURN # leave chain "services"
# INPUT
iptables -A INPUT -p ALL -i lo -j ACCEPT # accept all packets from the loopback interface
iptables -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT # accept established connections
iptables -A INPUT -p ALL -j other_packets # jump to chain "other_packets"
iptables -A INPUT -p ALL -j services # jump to chain "services"
iptables -A INPUT -p ALL -m limit --limit 10/s -j reject_packets # limit disallowed packets to 10 packets/sec and jump to chain "reject_packets"
iptables -A INPUT -p ALL -j DROP # drop all others
# OUTPUT
iptables -A OUTPUT -p ALL -j ACCEPT # allow outgoing packets
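As an added example (not from the gist or the Arch wiki), the same policy written out in iptables-restore format: the gist flushes the table and then appends rules one at a time, so there is a short window with a permissive policy and no rules, whereas iptables-restore commits the whole table atomically. It assumes -m conntrack in place of the gist's -m state, and the port lists are constructed samples.

```bash
#!/bin/bash
# Added example (not part of the gist): emit the gist's ruleset in
# iptables-restore format so it can be loaded atomically in one commit.
# Uses -m conntrack instead of the gist's deprecated -m state.
SERVICES_UDP="1194"        # constructed sample port list
SERVICES_TCP="22 80 443"   # constructed sample port list

gen_rules() {
  local tcp_ports="$1" udp_ports="$2" port
  echo '*filter'
  echo ':INPUT DROP [0:0]'
  echo ':FORWARD DROP [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  echo ':other_packets - [0:0]'
  echo ':service_sec - [0:0]'
  echo ':reject_packets - [0:0]'
  echo ':services - [0:0]'
  echo '-A other_packets -m conntrack --ctstate INVALID -j DROP'
  echo '-A other_packets -p icmp -m limit --limit 1/s -j ACCEPT'
  # rate-limited ACCEPT followed by an explicit DROP: excess SYNs must not
  # fall through to the unconditional ACCEPT in "services"
  echo '-A service_sec -p tcp --syn -m limit --limit 2/s -j ACCEPT'
  echo '-A service_sec -p tcp --syn -j DROP'
  echo '-A service_sec -p tcp ! --syn -m conntrack --ctstate NEW -j DROP'
  echo '-A reject_packets -p tcp -j REJECT --reject-with tcp-reset'
  echo '-A reject_packets -p udp -j REJECT --reject-with icmp-port-unreachable'
  echo '-A reject_packets -p icmp -j REJECT --reject-with icmp-host-unreachable'
  echo '-A reject_packets -j REJECT --reject-with icmp-proto-unreachable'
  for port in $tcp_ports; do
    echo "-A services -p tcp --dport $port -j service_sec"
    echo "-A services -p tcp --dport $port -j ACCEPT"
  done
  for port in $udp_ports; do
    echo "-A services -p udp --dport $port -j ACCEPT"
  done
  echo '-A INPUT -i lo -j ACCEPT'
  echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  echo '-A INPUT -j other_packets'
  echo '-A INPUT -j services'
  echo '-A INPUT -m limit --limit 10/s -j reject_packets'
  echo '-A INPUT -j DROP'
  echo 'COMMIT'
}

# Review the generated ruleset first, then load it as root:
#   gen_rules "$SERVICES_TCP" "$SERVICES_UDP" | iptables-restore
# Sanity-check helper: number of generated rules that name a given port.
port_rule_count() { gen_rules "$1" "$2" | grep -c -- "--dport $3 " ; }
```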