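#!/bin/sh
# Start/stop/restart my iptables configuration for server.
#
# Usage: $0 start|stop|restart
#   start   - flush the filter table and install a default-deny ruleset
#   stop    - open the chain policies, then flush the ruleset
#   restart - stop followed by start
#
# Must run as root: every iptables command below modifies kernel netfilter
# tables. Abort on the first failing command so a half-applied ruleset is
# never left behind silently (e.g. a failed "-P ... ACCEPT" in stop followed
# by a successful flush would cut the host off).
set -eu

if [ "$(id -u)" -ne 0 ]; then
  echo "$0: must be run as root" >&2
  exit 1
fi

# Install the default-deny ruleset.
# Only loopback traffic and packets that conntrack already knows as
# ESTABLISHED/RELATED are accepted. Every service rule is commented out,
# so uncomment the ones this host is meant to expose.
# NOTE: with OUTPUT policy DROP and no rule for NEW outbound connections,
# the host itself cannot open new connections (DNS lookups, updates);
# add an OUTPUT rule if that is required.
start() {
  # conntrack helper for FTP; only useful once the ftp rule below is
  # enabled. Loading is best-effort, as in the original script.
  /sbin/modprobe ip_conntrack_ftp || true

  # clear existing rules in the filter table
  iptables -F

  # default policy: drop everything not explicitly allowed
  iptables -P INPUT DROP
  iptables -P OUTPUT DROP
  iptables -P FORWARD DROP

  # allow all loopback traffic
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT

  # drop all fragmented packets
  iptables -A INPUT -f -j DROP

  # allow replies and related traffic for connections already tracked
  # ("-m state" is the legacy match; "-m conntrack --ctstate" is the
  # modern equivalent with the same semantics here)
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # enable services
  # ping
  #iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  # ssh
  #iptables -A INPUT -p tcp --dport ssh -m state --state NEW -j ACCEPT
  # http(s)
  #iptables -A INPUT -p tcp --dport http -m state --state NEW -j ACCEPT
  #iptables -A INPUT -p tcp --dport https -m state --state NEW -j ACCEPT
  # ftp
  #iptables -A INPUT -p tcp --dport ftp -m state --state NEW -j ACCEPT
  # other
}

# Set all filter-table chain policies to ACCEPT.
# After this the host is unfiltered (apart from any rules still loaded).
resume_all() {
  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT
}

# Flush all rules in the filter table.
# Chain policies are left untouched, so with DROP policies in place the
# host accepts nothing afterwards; call resume_all first to open it.
stop() {
  iptables -F
}

case "${1:-}" in
  'start')
    start
    ;;
  'stop')
    # open the policies before flushing: flushing first would, while the
    # DROP policies are still in place, drop every packet, including the
    # ESTABLISHED traffic of the session running this script
    resume_all
    stop
    ;;
  'restart')
    stop
    start
    ;;
  *)
    echo "usage $0 start|stop|restart" >&2
    exit 1
    ;;
esac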