# Comments start with a #, but must not share a line with a command.
*filter
# Not sure what *filter is for.

:INPUT DROP [0:0]
# The default policy for all incoming connections is to DROP (refuse them)
:FORWARD DROP [0:0]
# Likewise for all forwarded connections (is this even used?)
:OUTPUT ACCEPT [0:0]
# Outgoing connections are all accepted. If I was really paranoid I might change this.

# All localhost interface traffic is OK
-A INPUT -i lo -j ACCEPT

# All ICMP (management protocol, for ping and stuff I think) is OK
-A INPUT -p icmp -j ACCEPT

# I think this says "Don't boot me off if I've already got a connection". Not sure though.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# The next 8 commands just say accept all incoming TCP traffic on these ports
# (iptables knows a few keywords like http and https,
#  but I could have just as well have said 80 and 443)
-A INPUT -p tcp --dport ssh -j ACCEPT
-A INPUT -p tcp --dport http -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp --dport https -j ACCEPT
# 110=pop3 143=imap 585=secure-imap 995=secure-pop3
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 585 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT

# Yeah not really sure what these were so I just commented them out.
#-A INPUT -p tcp -j REJECT --reject-with tcp-reset
#-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
#-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT

sudo iptables -L -v # print out the current rules
sudo /etc/rc.d/iptables restart # restart iptables

#!/bin/sh
iptables-restore < /etc/firewall.conf