Very Simple Firewall
#!/bin/sh
# ~/bin/firewall
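# Refuse to run without root privileges: every iptables call below needs
# them, so fail early with one clear message instead of a wall of
# "Permission denied" errors. The effective UID is checked, so sudo works.
# The original `cmd && echo && exit` chain would have skipped the exit if
# echo failed; a plain if block cannot.
if [ "$(id -u)" -ne 0 ]; then
  echo 'You must be root' >&2
  exit 126
fi
# Interfaces. ext is the interface facing the external network and is the
# only one the active rules filter on; int is referenced solely by the
# commented-out NAT/LAN rules in firewall_start.
ext=eth0
int=eth1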
#######################################
# Return the IPv4 filter and nat tables to a wide-open state: default
# policies back to ACCEPT, every rule flushed, user-defined chains removed.
# Only iptables (IPv4) is touched; ip6tables is not managed by this script.
# After this function runs the host accepts all traffic until
# firewall_start is called again.
# Globals:   none
# Arguments: none
# Returns:   status of the last iptables call
#######################################
clean_rules()
{
  # Policies first, so that the flush below does not leave a DROP policy
  # with no accepting rules in front of it.
  for chain in INPUT OUTPUT FORWARD; do
    iptables -P "$chain" ACCEPT
  done
  iptables -F
  iptables -X
  iptables -t nat -F
}
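#######################################
# Load the default-deny IPv4 rule set. Expects clean_rules to have run
# first so the chains are empty. Anything not explicitly accepted below is
# dropped by the chain policies. Only iptables (IPv4) is configured here;
# ip6tables is not touched.
# Globals:   ext (read) - interface facing the external network
#            int (read only by the commented-out NAT/LAN rules)
# Arguments: none
# Returns:   status of the last iptables call
#######################################
firewall_start()
{
  # Policies: default deny on all three chains.
  iptables -P INPUT DROP
  iptables -P OUTPUT DROP
  iptables -P FORWARD DROP
  # Loopback: local IPC must keep working.
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT
  # General: this host may open connections out through $ext; only the
  # replies to them (and RELATED traffic such as ICMP errors) are let back
  # in. No NEW TCP/UDP connection arriving on $ext is accepted unless one
  # of the service rules below is enabled.
  iptables -A INPUT -i "$ext" -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -o "$ext" -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -i "$ext" -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Allow ping: incoming echo-request (type 8) on any interface and the
  # matching echo-reply (type 0) going out.
  iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
  # NAT (disabled by default): uncomment to share $ext with hosts on $int.
  # pgrep is used for the "already running" test because a plain
  # "ps | grep dnsmasq" also matches the grep process itself and so would
  # never start the daemon.
  # Start dnsmasq in Slackware
  #pgrep -x dnsmasq >/dev/null || sh /etc/rc.d/rc.dnsmasq start
  #
  # Start dnsmasq in Debian (comment the Slackware entry)
  #pgrep -x dnsmasq >/dev/null || /etc/init.d/dnsmasq start
  #
  #iptables -t nat -A POSTROUTING -o "$ext" -j MASQUERADE
  #echo 1 > /proc/sys/net/ipv4/ip_forward
  #iptables -A INPUT -i "$int" -j ACCEPT
  #iptables -A OUTPUT -o "$int" -j ACCEPT
  #iptables -A FORWARD -i "$int" -j ACCEPT
  #
  # Services (disabled by default). Each pair opens the listening port to
  # every interface, not just $int; add -i/-o if that is not intended.
  # Http server
  #iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  #iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
  # Ftp server (control channel only; data connections need more)
  #iptables -A INPUT -p tcp --dport 21 -j ACCEPT
  #iptables -A OUTPUT -p tcp --sport 21 -j ACCEPT
  # SSH server
  #iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  #iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
}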
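# Command dispatch. "stop" leaves the host with no filtering at all (all
# policies ACCEPT); "restart" is identical to "start" because clean_rules
# always precedes firewall_start.
case "$1" in
  stop)
    clean_rules
    echo "firewall rules cleaned up"
    ;;
  start|restart)
    clean_rules
    firewall_start
    echo "firewall rules applied"
    ;;
  *)
    # Usage is a diagnostic, so it goes to stderr; ${0##*/} is the POSIX
    # equivalent of basename and avoids an unquoted $0.
    echo "Usage: ${0##*/} {start|stop|restart}" >&2
    exit 1
    ;;
esac
exit 0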