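#!/bin/sh
# Host firewall bootstrap (IPv4 only): hardens two kernel knobs, then resets
# iptables to a default-deny inbound policy that permits loopback traffic,
# established/related connections, SSH and rate-limited ICMP echo.
#
# Must run as root (writes /proc/sys and iptables rules). It does not touch
# ip6tables, so the IPv6 policy of the host is left exactly as it was.

# Portable strict mode for /bin/sh (pipefail is not available in POSIX sh).
set -eu

# Writing to /proc/sys or loading iptables rules as non-root fails part way
# through and leaves a half-applied ruleset; fail early instead.
if [ "$(id -u)" -ne 0 ]; then
  printf '%s\n' "error: this script must be run as root" >&2
  exit 1
fi

# Ignore ICMP_ECHO packets sent to broadcast addresses
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable IP forwarding (this host is not a router; FORWARD is DROP below)
echo "0" > /proc/sys/net/ipv4/ip_forward

# Flush rules and delete user-defined chains in every table so the resulting
# ruleset does not depend on whatever was loaded before this script ran.
for table in filter nat mangle; do
  iptables -t "$table" -F
  iptables -t "$table" -X
done

# Default policies: deny inbound and forwarded traffic, allow outbound
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow local traffic, but only on the loopback interface.
iptables -A INPUT -i lo -j ACCEPT
# Anti-spoofing: a packet carrying a loopback source address that arrives on
# any other interface is forged. Accepting it by source address alone (as an
# unconditional "-s 127.0.0.1 -j ACCEPT" would) lets such packets bypass
# every rule below, so drop them instead.
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP

# Allow traffic on established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow access to specific services
iptables -A INPUT -p tcp --dport ssh -m state --state NEW -j ACCEPT

# Allow pings, rate-limited; echo requests above the limit fall through to
# the INPUT DROP policy.
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Ignore invalid packets before they reach any filter chain
iptables -t mangle -A PREROUTING -m state --state INVALID -j DROP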