You want to implement an iptables firewall on a server. You may have an external firewall already, and you want to do the fine-tuning on the server, or you have a server directly connected to the Internet. You pay careful attention to hardening your server, and are confident it could survive without a firewall. This is an extra layer of defense in case of mistakes. You want to drop all traffic that doesn't belong on your server, like all the automated brute-force attacks and worms that pummel the Internet unceasingly.

This script allows only traffic destined for the correct ports, such as port 80 for a web server, or port 25 for an SMTP server, and so on:

 #!/bin/sh ##/usr/local/bin/fw_server #for a server #chkconfig: 2345 01 99 #define variables ipt="/sbin/iptables" mod="/sbin/modprobe" #Flush all rules, delete all chains $ipt -F $ipt -X $ipt -t nat -F $ipt -t nat -X $ipt -t mangle -F $ipt -t mangle -X #Zero out all counters $ipt -Z $ipt -t nat -Z $ipt -t mangle -Z #basic set of kernel modules $mod ip_tables $mod ip_conntrack $mod iptable_filter $mod iptable_nat $mod iptable_mangle $mod ipt_LOG $mod ipt_limit $mod ipt_state #optional for irc and ftp #$mod ip_conntrack_irc #$mod ip_conntrack_ftp #Set default policies $ipt -P INPUT DROP $ipt -P FORWARD DROP $ipt -P OUTPUT ACCEPT $ipt -t nat -P OUTPUT ACCEPT $ipt -t nat -P PREROUTING ACCEPT $ipt -t nat -P POSTROUTING ACCEPT $ipt -t mangle -P PREROUTING ACCEPT $ipt -t mangle -P POSTROUTING ...