# cat ./set_firewall
Result:
#!/bin/bash
# Flush all the chains in filter (default) table.
iptables -F
# Attempt to delete every non-builtin chain in filter (default) table.
iptables -X
# Set the policy for INPUT chain to DROP target.
iptables -P INPUT DROP
# Set the policy for FORWARD chain to DROP target.
iptables -P FORWARD DROP
# Set the policy for OUTPUT chain to ACCEPT target.
iptables -P OUTPUT ACCEPT
# Append rules to INPUT chain.
# Protocol of the rule is icmp (Internet Control Message Protocol) which is the protocol for ping.
# Target is ACCEPT.
iptables -A INPUT -p icmp -j ACCEPT
# Append rules to INPUT chain.
# The rule is for Loopback network interface.
# Target is ACCEPT.
iptables -A INPUT -i lo -j ACCEPT
# Append rules to INPUT chain.
# The rule is for tcp protocol on port 80.
# Target is ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Append rules to INPUT chain.
# The rule is for tcp protocol on port 22.
# Target is ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Append rules to INPUT chain.
# The rule for packets after session ESTABLISHED and RELATED packets.
# Target is ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Dump iptables rules to stdout
iptables-save
Command:
# ./set_firewall
Result:
# Generated by iptables-save v1.4.21 on Tue May 24 23:44:34 2016
*nat
:PREROUTING ACCEPT [41489:3695453]
:INPUT ACCEPT [15:960]
:OUTPUT ACCEPT [628:160830]
:POSTROUTING ACCEPT [628:160830]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o enp0s3 -g POST_public
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PREROUTING_ZONES -i enp0s3 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Tue May 24 23:44:34 2016
# Generated by iptables-save v1.4.21 on Tue May 24 23:44:34 2016
*mangle
:PREROUTING ACCEPT [58667:5285859]
:INPUT ACCEPT [58666:5285283]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [28814:3788418]
:POSTROUTING ACCEPT [28814:3788418]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i enp0s3 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Tue May 24 23:44:34 2016
# Generated by iptables-save v1.4.21 on Tue May 24 23:44:34 2016
*security
:INPUT ACCEPT [17193:1591366]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [28814:3788418]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Tue May 24 23:44:34 2016
# Generated by iptables-save v1.4.21 on Tue May 24 23:44:34 2016
*raw
:PREROUTING ACCEPT [58667:5285859]
:OUTPUT ACCEPT [28814:3788418]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Tue May 24 23:44:34 2016
# Generated by iptables-save v1.4.21 on Tue May 24 23:44:34 2016
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue May 24 23:44:34 2016
Command:
# iptables -L -v
Result:
Chain INPUT (policy DROP 4 packets, 128 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- any any anywhere anywhere
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
57 3900 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 29 packets, 7336 bytes)
pkts bytes target prot opt in out source destination