This is my new basic firewall script. For updates, check my github: https://github.com/xdth

Screenshot

Code

#! /bin/bash

# ######################### qFirewall (qfw) 0.1 ########################
#
# This is a basic iptables firewall script.
#
# Usage:
# ./qfw {start|stop}
#
# Notes:
# 1. Comment or uncomment the firewall rules below according to your
#    needs.
# 2. For convenience, add this script to your /usr/bin or alike with
#    chmod +x permissions.
# 2. License: MIT
# 3. Author: dth at dthlabs dot com
#    Site:   https://dthlabs.com
#    github: https://github.com/xdth
#
# Brussels, Jan 23, 2018
# note: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
# #######################################################################


# #######################################################################
# ## Rules function -- edit this according to your needs

function qfw_rules {
  # Block everything
  iptables -t filter -P INPUT DROP
  iptables -t filter -P FORWARD DROP
  iptables -t filter -P OUTPUT DROP
  echo "     > Block everything"

  # Don't break established connections
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  echo "     > Don't break established connections"

  # Authorize loopback (127.0.0.1)
  iptables -t filter -A INPUT -i lo -j ACCEPT
  iptables -t filter -A OUTPUT -o lo -j ACCEPT
  echo "     > Authorize Loopback"

  # ICMP (ping)
  iptables -t filter -A INPUT -p icmp -j ACCEPT
  iptables -t filter -A OUTPUT -p icmp -j ACCEPT
  echo "     > Authorize ICMP (ping)"

  # SSH in/out
  iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT
  iptables -t filter -A INPUT -p tcp --dport 9000 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 9000 -j ACCEPT
  echo "     > Authorize SSH"

  # DNS in/out
  iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
  iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
  iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
  iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
  echo "     > Authorize DNS"

  # NTP Out
  iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
  echo "     > Authorize NTP outbound"

  # HTTP + HTTPS Out
  iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
  # iptables -t filter -A OUTPUT -p tcp --dport 8080 -j ACCEPT

  # HTTP + HTTPS In
  iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
  iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
  # iptables -t filter -A INPUT -p tcp --dport 8443 -j ACCEPT
  # iptables -t filter -A INPUT -p tcp --dport 8080 -j ACCEPT
  echo "     > Authorize http and https"

  # FTP Out
  iptables -t filter -A OUTPUT -p tcp --dport 21 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 20 -j ACCEPT

  # FTP In
  iptables -t filter -A INPUT -p tcp --dport 20 -j ACCEPT
  iptables -t filter -A INPUT -p tcp --dport 21 -j ACCEPT
  iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  echo "     > Authorize FTP"

  # Mail SMTP
  iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
  iptables -t filter -A INPUT -p tcp --dport 587 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 587 -j ACCEPT
  iptables -t filter -A INPUT -p tcp --dport 465 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 465 -j ACCEPT

  # Mail POP3:110
  iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT

  # Mail IMAP:143
  iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT

  # Mail POP3S:995
  iptables -t filter -A INPUT -p tcp --dport 995 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 995 -j ACCEPT
  echo "     > Authorize mail"

  # OpenVZ Web Pannel
  # iptables -t filter -A OUTPUT -p tcp --dport 3000 -j ACCEPT
  # iptables -t filter -A INPUT -p tcp --dport 3000 -j ACCEPT
  # echo "     > Authorize OpenVZ panel"

  # Allow WMs
  # iptables -P FORWARD ACCEPT
  # iptables -F FORWARD
  # echo "WMs ok"
  # echo "     > Authorize WMs"

  # Saltstack
  # iptables -t filter -A OUTPUT -p tcp --dport 4505 -j ACCEPT
  # iptables -t filter -A INPUT -p tcp --dport 4505 -j ACCEPT
  # iptables -t filter -A OUTPUT -p tcp --dport 4506 -j ACCEPT
  # iptables -t filter -A INPUT -p tcp --dport 4506 -j ACCEPT
  # echo "     > Authorize Saltstack"

  # Block UDP attack
  # iptables -A INPUT -m state --state INVALID -j DROP
  # echo "     > Block UDP attack"

}


# #######################################################################
# ## Other functions

function qfw_help {
  echo "qFirewall usage: ./qfw {start|stop}"
  exit 1
}

function qfw_seeya {
  echo "     > Thanks for using qFirewall (qfw) v1. Have a good day."
  echo ""
  echo ""
}

function qfw_separator {
  echo ""
  echo ""
  echo "===================== qFirewall (qfw) v0.1 ====================="
  echo ""
}

function qfw_reset {
  iptables -F
  iptables -X
  iptables -t nat -F
  iptables -t nat -X
  iptables -t mangle -F
  iptables -t mangle -X
  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -t filter -F
  iptables -t filter -X
}

function qfw_start {
  qfw_separator
  echo "     > Starting qFirewall..."
  qfw_clean
  echo "     > Loading the rules..."
  qfw_rules
  echo "     > Rules loaded"
  echo "     > qFirewall started"
}

function qfw_clean {
  echo "     > Cleaning rules..."
  qfw_reset
  echo "     > Rules cleaned"
}

function qfw_stop {
  qfw_separator
  echo "     > Stopping qFirewall..."
  qfw_clean
  echo "     > qFirewall stopped"
}


# #######################################################################
# ## Main

case "$1" in
  start)
  qfw_start
  ;;
  stop)
  qfw_stop
  ;;
  *)
  qfw_help
  exit 1
  ;;
esac

qfw_seeya

exit 0