Saturday, December 25, 2010

Enhance Linuxbox Security : Basic Iptables Firewall Configuration

If you are not familiar with iptables, read these posts first:
http://linux-techy.blogspot.com/2010/04/enhance-linux-box-security-iptables.html
http://linux-techy.blogspot.com/2010/04/enhance-linux-box-security-iptables_30.html
http://linux-techy.blogspot.com/2010/06/enhance-linux-box-security-iptables.html
http://linux-techy.blogspot.com/2010/06/enhance-linux-box-security-iptables_27.html
http://linux-techy.blogspot.com/2010/06/enhance-linux-box-security-iptables_2179.html
http://linux-techy.blogspot.com/2010/12/enhance-linuxbox-security-know-all.html
In this post I have tried to build a simple, basic iptables firewall for filtering outside traffic. I am going to create a simple shell script that is independent of the network topology; later on we will add complexity to it as the need and topology require.
It should be executed on startup. Create a file named firewall.sh with the following contents:
#!/bin/bash
# Please verify that source address verification is enabled in /etc/sysctl.conf:
# net.ipv4.conf.all.rp_filter = 1

# Define some variables
# Location of the binaries
IPTABLES="/sbin/iptables"
# Loopback interface
LOOPBACK="lo"

# Flush all rules
$IPTABLES -F

# Set default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

# Allow access to the loopback interface, so that you can ping yourself
$IPTABLES -A INPUT -i $LOOPBACK -j ACCEPT
$IPTABLES -A OUTPUT -o $LOOPBACK -j ACCEPT

# Incoming external traffic rules
# Accept incoming ICMP echo-reply for outgoing PINGs, so that when you
# ping another PC your PC does not drop the echo-reply and you can detect live hosts.
$IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Accept connections to specific listening ports. Use the command netstat --inet -pln
# to see what is listening. If, for example, firefox is listening on port 8008:
$IPTABLES -A INPUT -p tcp --dport 8008 -j ACCEPT

# Allowing SSH from the whole world can create a security problem;
# always restrict it to a particular IP (add -s <your admin IP> to this rule).
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

# Accept all established and related incoming traffic (any protocol, not only TCP,
# so that UDP replies such as DNS answers get back in)
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Log all dropped incoming traffic, i.e. everything that falls through to the DROP policy
# (on a busy host add "-m limit --limit 5/min" before -j LOG to keep the log readable)
$IPTABLES -A INPUT -j LOG --log-prefix "myLogInput:"
Rules are evaluated in the order they appear in the chain, and the first matching rule decides the packet's fate. Therefore ordering the rules correctly is important.
If you want to display all the blocked packets from the INPUT chain, type the following command (the LOG target writes through the kernel log, so on Red Hat style systems look in /var/log/messages instead of /var/log/syslog):
# grep "myLogInput:" /var/log/syslog
Finally, you can save the firewall configuration with the following command:
# iptables-save > /etc/sysconfig/iptables
And then you can make the firewall configuration load at boot with the following command:
# chkconfig iptables on
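As an added example (not part of the original post), the following script audits an iptables-save dump for the two properties the firewall above depends on: DROP default policies on INPUT and FORWARD, and no SSH rule that accepts from any source. The dump it reads is a constructed sample embedded inline, so it runs without root or iptables; the admin IP in the warning text is a placeholder.

```shell
#!/bin/bash
# Constructed sample of what "iptables-save" prints for the firewall.sh above.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8008 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-prefix "myLogInput:"
COMMIT'

# chain_policy DUMP CHAIN: print the default policy of CHAIN (from the ":CHAIN POLICY" header line)
chain_policy() {
    printf '%s\n' "$1" | awk -v c=":$2" '$1 == c { print $2 }'
}

# world_open_ports DUMP: print the --dport of every INPUT ACCEPT rule with no -s source restriction
world_open_ports() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && / -j ACCEPT/ && / --dport / && !/ -s / {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
        }'
}

# audit_rules DUMP: return 0 if INPUT/FORWARD default to DROP and SSH is not open to the world,
# otherwise print each finding and return 1
audit_rules() {
    dump="$1"; ok=0
    for chain in INPUT FORWARD; do
        if [ "$(chain_policy "$dump" "$chain")" != "DROP" ]; then
            echo "WARN: $chain default policy is not DROP"; ok=1
        fi
    done
    if world_open_ports "$dump" | grep -qx 22; then
        echo "WARN: SSH (22) accepted from any source; add -s <admin IP placeholder>"; ok=1
    fi
    return $ok
}

if audit_rules "$SAMPLE_RULES"; then echo "audit: OK"; else echo "audit: see findings above"; fi
```

Feed it real output with audit_rules "$(iptables-save)" once the ruleset is loaded.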

We will further append new rules at the end of this file as per our need & condition. We will discuss those in upcoming posts.
