Firewall Temp


[root@monitoring ~]# cat /etc/rc.d/rc.firewall
# Abhishek Singh Okheda
# 22nd Feb, 2012
# Worldlink Communication Pvt. Ltd.

# modified - abhishek - Jun 03, 2013 : TCP_ALLOWS and UDP_ALLOWS variable functionality
# eg: SSH_PORT, SSH_ALLOWS -> TCP_ALLOWS="SSH"

IPFW=/sbin/iptables

########################################################## CONFIGURATION STARTS

# Address book: every host/network the allow lists below refer to.
SERVER_NET=202.79.32.0/24
LOG=202.79.32.85
CORPORATE_LAN=202.79.36.0/24
OVPN=202.79.38.0/24
BRANCH_NET=202.166.196.0/24
CTRL=202.79.36.80
CTRL01=202.79.36.40
ESUPPORTDB=202.79.36.4
CYBEROAM=202.79.40.24
MONINFO=202.79.32.195
NAGIOS_SRV_01=202.79.32.94
CACTI_SRV_01=202.79.32.63

# Per-service definitions. The loops further down look a service up by name
# with indirect expansion, so a service NAME needs NAME_PORT and NAME_ALLOWS
# (a space-separated list of hosts/CIDRs) defined here.
SSH_PORT=22
SSH_ALLOWS="$LOG $SERVER_NET"

SNMP_PORT=161
SNMP_ALLOWS="$CTRL $CTRL01 $CACTI_SRV_01 $NAGIOS_SRV_01"

HTTP_PORT=80
HTTP_ALLOWS="$SERVER_NET $OVPN $CORPORATE_LAN $BRANCH_NET $CYBEROAM"

MYSQL_PORT=3306
MYSQL_ALLOWS="$ESUPPORTDB $MONINFO"

# Services that get INPUT ACCEPT rules limited to their *_ALLOWS sources.
# SNMP is listed under both, so tcp/161 is opened alongside udp/161.
TCP_ALLOWS="SSH SNMP HTTP MYSQL"
UDP_ALLOWS="SNMP"

# Services opened to any source (0.0.0.0/0); left empty on purpose.
TCP_ALL_ALLOWS=
UDP_ALL_ALLOWS=

########################################################## CONFIGURATION ENDS

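echo ""
# Flush every rule in the filter table (no -t given, so only filter is touched).
# From here until the final REJECT rule is appended, INPUT is protected only by
# the chain policy, which this script never sets (iptables' default is ACCEPT):
# an error part-way through leaves the host open. NOTE(review): consider
# `-P INPUT DROP` before the flush, or loading the ruleset atomically with
# iptables-restore; deliberately not changed here.
echo "[+] Flushing Rules"
${IPFW} -F

## Delete user-defined chains. Use the configured binary rather than a bare
## `iptables` so the whole script drives the same tool, and let one awk pass
## select the non-builtin chain names instead of a chain of greps.
echo "[+] Deleting All Iptables CHAINS"
for chain in $(${IPFW} -nL | awk '/^Chain/ && $2 != "INPUT" && $2 != "OUTPUT" && $2 != "FORWARD" {print $2}'); do
  ${IPFW} -X "$chain"
done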

## Create Chains
#echo "[+] Creating Iptables CHAINS"
# echo -e "\t - CHAIN1"
# ${IPFW} -N CHAIN1

# Baseline rules: loopback, ICMP in both directions, and replies to traffic
# this host already has state for.
echo "[+] Setting Default Rules"
"${IPFW}" -A INPUT -i lo -j ACCEPT
# `--icmp-type any` accepts every ICMP type from any source, unrate-limited.
for ch in INPUT OUTPUT; do
  "${IPFW}" -A "$ch" -p icmp --icmp-type any -j ACCEPT
done
"${IPFW}" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

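# Services reachable from anywhere (TCP_ALL_ALLOWS / UDP_ALL_ALLOWS).
#######################################
# Append an INPUT ACCEPT for one service from any source.
# Globals:   IPFW (read), <NAME>_PORT (read)
# Arguments: $1 - protocol (tcp|udp)
#            $2 - tag printed in the progress line (T|U)
#            $3 - service NAME; its port is read from ${NAME}_PORT
# Outputs:   progress line on stdout; a warning on stderr if the port is unset
# Returns:   1 when no port is configured, otherwise iptables' exit status
#######################################
allow_port_from_any() {
  local proto=$1 tag=$2 name=$3
  local portvar="${name}_PORT"
  local port=${!portvar}
  # An unset/empty port used to produce `--dport -j`, which iptables rejects
  # with a confusing message; skip the entry explicitly instead.
  if [ -z "$port" ]; then
    echo "[!] ${portvar} is not set, skipping ${name}" >&2
    return 1
  fi
  echo "[+] Setting up INPUT chain for ${name} (${tag}${port})"
  "${IPFW}" -A INPUT --src 0.0.0.0/0 -p "$proto" --dport "$port" -j ACCEPT
}

# Word-splitting on the unquoted lists is intentional: they are
# space-separated service names.
for ALLOW in $TCP_ALL_ALLOWS; do
  allow_port_from_any tcp T "$ALLOW"
done

for ALLOW in $UDP_ALL_ALLOWS; do
  allow_port_from_any udp U "$ALLOW"
done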

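# Services restricted to the sources in their *_ALLOWS list (TCP_ALLOWS / UDP_ALLOWS).
#######################################
# Append one INPUT ACCEPT per allowed source for a service.
# Globals:   IPFW (read), <NAME>_PORT (read), <NAME>_ALLOWS (read)
# Arguments: $1 - protocol (tcp|udp)
#            $2 - tag printed in the progress line (T|U)
#            $3 - service NAME; port from ${NAME}_PORT, sources from ${NAME}_ALLOWS
# Outputs:   progress line on stdout; warnings on stderr for a missing port
#            or an empty source list
# Returns:   1 when no port is configured, otherwise the last iptables status
#######################################
allow_port_from_hosts() {
  local proto=$1 tag=$2 name=$3
  local portvar="${name}_PORT" srcvar="${name}_ALLOWS"
  local port=${!portvar} src
  # An unset/empty port used to produce `--dport -j`, which iptables rejects
  # with a confusing message; skip the entry explicitly instead.
  if [ -z "$port" ]; then
    echo "[!] ${portvar} is not set, skipping ${name}" >&2
    return 1
  fi
  echo "[+] Setting up INPUT chain for ${name} (${tag}${port})"
  # An empty list is fail-closed (no ACCEPT is added); say so rather than
  # silently leaving the service unreachable.
  [ -n "${!srcvar}" ] || echo "[!] ${srcvar} is empty, ${name} stays blocked" >&2
  # Intentional word-splitting: *_ALLOWS is a space-separated list of hosts/CIDRs.
  for src in ${!srcvar}; do
    "${IPFW}" -A INPUT --src "$src" -p "$proto" --dport "$port" -j ACCEPT
    # OUTPUT counterpart kept disabled, as in the original ruleset:
    #"${IPFW}" -A OUTPUT --dst "$src" -p "$proto" --sport "$port" -j ACCEPT
  done
}

# Word-splitting on the unquoted lists is intentional: they are
# space-separated service names.
for ALLOW in $TCP_ALLOWS; do
  allow_port_from_hosts tcp T "$ALLOW"
done

for ALLOW in $UDP_ALLOWS; do
  allow_port_from_hosts udp U "$ALLOW"
done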
# Reject All
# Final catch-all for INPUT. This rule, not a chain policy, is what closes the
# host: the script never runs `-P`, so if it aborts before reaching this line
# INPUT falls back to the (default ACCEPT) policy. REJECT with
# icmp-host-prohibited answers blocked probes instead of silently dropping
# them (the DROP variant below is kept for reference). OUTPUT is not filtered.
echo "[+] Rejecting All Others"
${IPFW} -A INPUT -j REJECT --reject-with icmp-host-prohibited
#${IPFW} -A OUTPUT -j REJECT --reject-with icmp-host-prohibited
#${IPFW} -A INPUT -j DROP

echo ""
