Okay nobody laugh
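#!/bin/bash
# Fischer Price "My First Firewall"
#
# Usage: firewall.sh start|stop   (must be run as root)
#
# A minimal host firewall: default-deny on INPUT, allow replies to
# established connections, allow the TCP services listed in SERVICES,
# accept a few harmless ICMP types, and reject everything else that
# arrives on the external interface.
#
# Fixes relative to the first draft: $IPT was never defined, REJECT is
# not a valid chain policy (only ACCEPT/DROP are), `${EXT}-j` lacked a
# space and so matched an interface literally named "eth0-j", the UDP
# reject rule was duplicated, and ip_forward was enabled with no FORWARD
# policy, which turned the host into an open router.
set -euo pipefail

# Define variables.
# Services must be defined in /etc/services (iptables resolves the names).
SERVICES="ftp ssh"
# Internal interface(s), space separated; leave empty for a single-NIC host.
INT=""
# External (untrusted) interface.
EXT="eth0"
# Path of the iptables binary; resolved in main().
IPT=""

readonly SYSCTL_DIR=/proc/sys/net/ipv4

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Write a value to a /proc/sys file, failing loudly instead of silently.
# Arguments: $1 - value, $2 - path
#######################################
set_sysctl() {
  local value=$1 path=$2
  printf '%s\n' "$value" > "$path" || die "cannot write $path"
}

#######################################
# Flush and delete every chain in every loaded iptables table so the
# rule set starts from a clean slate.
# Globals: IPT (read)
#######################################
flush_all_tables() {
  local table
  # One table name per line; the file is absent when no table is loaded.
  [[ -r /proc/net/ip_tables_names ]] || return 0
  while IFS= read -r table; do
    "$IPT" -t "$table" -F
    "$IPT" -t "$table" -X
  done < /proc/net/ip_tables_names
}

#######################################
# Install the rule set.
# Globals: IPT, SERVICES, INT, EXT, SYSCTL_DIR (read)
#######################################
start_firewall() {
  local svc iface icmp_type
  echo "Starting firewall..."
  flush_all_tables

  # Kernel hardening: SYN cookies and ignore broadcast pings.
  set_sysctl 1 "$SYSCTL_DIR/tcp_syncookies"
  set_sysctl 1 "$SYSCTL_DIR/icmp_echo_ignore_broadcasts"

  # Policies first so a failure further down fails closed, not open.
  # REJECT is not a valid policy; DROP is the default-deny equivalent.
  "$IPT" -P INPUT DROP
  "$IPT" -P OUTPUT ACCEPT
  # ip_forward is switched on below; without this the box would route
  # anything between its interfaces. Add explicit FORWARD rules if this
  # host is meant to route.
  "$IPT" -P FORWARD DROP

  "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Enable services (word-splitting of SERVICES is intended).
  # shellcheck disable=SC2086
  for svc in $SERVICES; do
    "$IPT" -A INPUT -p tcp --dport "$svc" -m state --state NEW -j ACCEPT
  done

  # Hide our firewall: unwanted TCP gets a RST, unwanted UDP gets
  # port-unreachable, on the external interface only.
  "$IPT" -A INPUT -p tcp -i "$EXT" -j REJECT --reject-with tcp-reset
  "$IPT" -A INPUT -p udp -i "$EXT" -j REJECT --reject-with icmp-port-unreachable

  # Disable ECN where the kernel exposes the knob.
  if [[ -e "$SYSCTL_DIR/tcp_ecn" ]]; then
    set_sysctl 0 "$SYSCTL_DIR/tcp_ecn"
  fi

  # Reverse-path filtering against spoofed sources, per listed interface
  # (word-splitting of INT/EXT is intended).
  # shellcheck disable=SC2086
  for iface in $INT $EXT; do
    set_sysctl 1 "$SYSCTL_DIR/conf/$iface/rp_filter"
  done

  set_sysctl 1 "$SYSCTL_DIR/ip_forward"

  # Ping rules: these ICMP types are needed for normal error reporting;
  # the tcp/udp rejects above do not match ICMP, so order is not critical.
  for icmp_type in destination-unreachable echo-reply time-exceeded; do
    "$IPT" -A INPUT -p icmp --icmp-type "$icmp_type" -j ACCEPT
  done
}

#######################################
# Tear down: flush INPUT and restore the kernel's open default policies.
# Globals: IPT (read)
#######################################
stop_firewall() {
  echo "Stopping firewall..."
  "$IPT" -F INPUT
  "$IPT" -P INPUT ACCEPT
  "$IPT" -P FORWARD ACCEPT
}

#######################################
# Entry point: validate the argument and privileges, then dispatch.
# Arguments: $1 - start or stop
# Returns:   2 on usage error, 1 on missing privileges/binary
#######################################
main() {
  local action=${1:-}
  case "$action" in
    start|stop) ;;
    *)
      printf 'Usage: %s start|stop\n' "${0##*/}" >&2
      exit 2
      ;;
  esac
  (( EUID == 0 )) || die "must be run as root"
  IPT=$(command -v iptables) || die "iptables not found"
  readonly IPT
  if [[ "$action" == "start" ]]; then
    start_firewall
  else
    stop_firewall
  fi
}

main "$@"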