iptables.rules

*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
# Input requests setup
## Accept every local input (packets comming to the loopback interface)
-A INPUT -i lo -j ACCEPT
## Keep accepting already established connections
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
## Reject invalid packets
-A INPUT -m conntrack --ctstate INVALID -j REJECT --reject-with icmp-host-unreachable
## Accept ping (useful to test that your server is reachable with 'ping')
-A INPUT -p icmp -j ACCEPT
## Accept SSH, i.e., new TCP connections on port 22
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
## Log every denied input but limit the number of messages
## You can read these logs with the command 'dmesg -w'
-A INPUT -m limit --limit 30/min -j LOG --log-prefix "iptables INPUT denied: " --log-level 7
# Right now every forward request will be denied
## Log every denied forward but limit the number of messages
-A FORWARD -m limit --limit 30/min -j LOG --log-prefix "iptables FORWARD denied: " --log-level 7
COMMIT

restore.sh

#!/bin/sh
CURRENTSCRIPT=$(readlink -f $0)
CURRENTPATH=$(dirname $CURRENTSCRIPT)
OKFILE=/tmp/root_firewall_restore_sh.ok

# if iptables already restored since last boot, don't touch
if [ -f $OKFILE ]; then
    exit 0
else
    touch $OKFILE
fi

# restore iptables
set -e
echo "$(date) WAS CALLED 0:$CURRENTSCRIPT CURRENTPATH:$CURRENTPATH" >> /root/call.log
iptables-restore < $CURRENTPATH/iptables.rules
# enabling forwarding is necessary if you have a VPN
# sysctl -w net.ipv4.conf.all.forwarding=1 >/dev/null 2>/dev/null
# do not forget ipv6 firewall if your server is ipv6 enabled
# ip6tables-restore < $CURRENTPATH/ip6tables.rules
set +e