Simplest Firewall Script
Nothing fancy - just a few lines of Bash adding or removing a few iptables rules. But I keep forgetting where the plain version of it is, so here it goes. This particular flavor is for Debian.
It is a standard script for /etc/init.d and is parametrized by two files containing simple lists, one entry per line. Note that it only programs iptables, i.e. IPv4; IPv6 traffic goes through ip6tables, which this script does not touch, so it stays unfiltered.
- /etc/firewall/listen_ports - lists the ports open for listening, one entry per line; an entry may be a comma-separated set of ports (e.g. 80,443), with at most 15 ports per entry because that is the multiport match's limit
- /etc/firewall/listen_sources - lists addresses allowed to connect to any port, one per line (put at least 127.0.0.1 here, otherwise local services talking to each other over loopback are dropped)
Source code
#!/bin/bash
# Simplest Firewall by Remigiusz Modrzejewski [http://lrem.net]
# Treat this as Public Domain, or Simplified BSD if you have to
#
# Parametrized by two plain lists, one entry per line:
#   /etc/firewall/listen_ports   - ports to accept; an entry may be a
#                                  comma-separated set (at most 15 ports)
#   /etc/firewall/listen_sources - addresses allowed to reach any port
#
# This programs iptables only (IPv4); ip6tables is left untouched.

PATH="/sbin:/usr/sbin:$PATH"
export PATH

case "$1" in
    start)
        # Open the policy first so that a failure half-way through the
        # script cannot lock us out, then start from empty, zeroed chains.
        iptables -P INPUT ACCEPT
        iptables -F
        iptables -Z

        # Replies to connections we initiated, plus related traffic such as
        # ICMP errors (-m conntrack --ctstate is the newer spelling of this).
        iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        iptables -A INPUT -p icmp -j ACCEPT

        # One TCP and one UDP rule per line of listen_ports. --dports matches
        # the destination port only; --ports would also match the source port,
        # which the client chooses, so anyone could get in by connecting from
        # e.g. source port 80.
        for ports in $(cat /etc/firewall/listen_ports); do
            iptables -A INPUT -p tcp -m multiport --dports "$ports" -j ACCEPT
            iptables -A INPUT -p udp -m multiport --dports "$ports" -j ACCEPT
        done

        # Trusted sources may reach any port (127.0.0.1 belongs here).
        for source in $(cat /etc/firewall/listen_sources); do
            iptables -A INPUT -s "$source" -j ACCEPT
        done

        # Everything not matched above is dropped.
        iptables -P INPUT DROP
        ;;
    stop)
        # Flush and zero every table, delete user-defined chains, accept all.
        for table in filter nat mangle; do
            iptables -t "$table" -F
            iptables -t "$table" -Z
            iptables -t "$table" -X
        done
        iptables -P INPUT ACCEPT
        ;;
    restart | force-reload)
        $0 stop
        $0 start
        ;;
    *)
        echo "Usage: /etc/init.d/firewall {start|stop|restart|force-reload}"
        exit 1
        ;;
esac

exit 0
You can simply download the script.
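Before running the start action on a box you can only reach over the network, it is worth checking what the two list files will turn into. The following is an added example, not part of the original script: a dry run that validates each entry of listen_ports and listen_sources and prints the rules that would be added, without touching the live firewall. It goes a bit beyond the script above: it skips blank and # comment lines, rejects malformed ports and addresses instead of feeding them to iptables, splits an entry with more than 15 ports into several multiport rules, and matches on --dports rather than --ports so that a client cannot get in by choosing a listed source port. The function names and the sample files are my own; the sample input is constructed for the demo.

```sh
#!/bin/sh
# Added example, not part of the original script: validate the two list files
# and print the rules the start action would add, as a dry run.
# Function names and sample files below are assumptions of this example.

# A port is valid if it is all digits and in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# An IPv4 source is a dotted quad with an optional /prefix (0-32), e.g. 10.0.0.0/8.
valid_ipv4() {
    v4_addr=${1%/*}
    v4_prefix=${1#*/}
    [ "$v4_prefix" = "$1" ] && v4_prefix=32   # no "/" given: a single host
    case "$v4_prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$v4_prefix" -le 32 ] || return 1
    v4_ifs=$IFS; IFS=.
    set -- $v4_addr
    IFS=$v4_ifs
    [ $# -eq 4 ] || return 1
    for v4_octet in "$@"; do
        case "$v4_octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$v4_octet" -le 255 ] || return 1
    done
    return 0
}

# One TCP and one UDP rule for a comma-separated port set; --dports matches the
# destination port only (--ports would also accept a client-chosen source port).
emit_port_chunk() {
    echo "iptables -A INPUT -p tcp -m multiport --dports $1 -j ACCEPT"
    echo "iptables -A INPUT -p udp -m multiport --dports $1 -j ACCEPT"
}

# Rules for one listen_ports entry ("22" or "80,443"), split into chunks of at
# most 15 ports because -m multiport accepts no more than that per rule.
port_rules() {
    chunk=""; count=0
    pr_ifs=$IFS; IFS=,
    set -- $1
    IFS=$pr_ifs
    for port in "$@"; do
        valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
        if [ "$count" -eq 15 ]; then
            emit_port_chunk "$chunk"
            chunk=""; count=0
        fi
        chunk="${chunk:+$chunk,}$port"
        count=$((count + 1))
    done
    [ -n "$chunk" ] && emit_port_chunk "$chunk"
    return 0
}

# Print every rule the start action would add for the given list files.
# Stops with a non-zero status at the first invalid entry.
generate_rules() {
    echo "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A INPUT -p icmp -j ACCEPT"
    while read -r entry || [ -n "$entry" ]; do
        case "$entry" in ''|'#'*) continue ;; esac   # blank line or comment
        port_rules "$entry" || return 1
    done < "$1"
    while read -r src || [ -n "$src" ]; do
        case "$src" in ''|'#'*) continue ;; esac
        valid_ipv4 "$src" || { echo "bad source: $src" >&2; return 1; }
        echo "iptables -A INPUT -s $src -j ACCEPT"
    done < "$2"
    echo "iptables -P INPUT DROP"
}

# Constructed sample input in a temporary directory, mirroring the two files
# described in the post; the 16-port line exercises the multiport split.
write_sample_files() {
    sample_dir=$(mktemp -d)
    printf '22\n80,443\n# sixteen ports: must become two rules per protocol\n1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16\n' > "$sample_dir/listen_ports"
    printf '127.0.0.1\n10.0.0.0/8\n' > "$sample_dir/listen_sources"
    echo "$sample_dir"
}

# Dry run over the sample files; prints the rules and cleans up.
demo() {
    demo_dir=$(write_sample_files)
    generate_rules "$demo_dir/listen_ports" "$demo_dir/listen_sources"
    rm -rf "$demo_dir"
}

demo
```

Run it as is to see the dry-run output for the sample files. To check your real configuration, call generate_rules /etc/firewall/listen_ports /etc/firewall/listen_sources and only pipe the result into sh once every line looks right; a rejected entry exits early with the offending value on stderr.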