IPTables Part The Second
Slightly more than basic script, with important guards against attacks.
#!/bin/sh
IPT=$(which iptables) # set path to iptables
IPT -F # flush any existing rules
$IPT -P OTPUT ACCEPT # accept anything going out
$IPT -P INPUT DROP # drop everything coming in
$IPT -P FORWARD DROP # no forwarding internally
$IPT -N SERVICES # custom policy
# drop spoofed packets
$IPT -A INPUT --in-interface ! lo --source 127.0.0.0/8 -j DROP
# limit pings
$IPT -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT
# drop what does not make sense
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
# allow in
$IPT -A INPUT --in-interface lo -j ACCEPT # allow local machine
$IPT -A INPUT -j SERVICES # branch to services
# allow response
$IPT -A INPUt -m state --state ESTABLISHED,RELATED -j ACCEPT #established
# allow services
$IPT -A SERVICES -p tcp --dport 22 -j ACCEPT #allow ssh