Christof Meerwald@iptables.notes
How to set up a simple iptables based firewall. (Disclaimer: this script has not been tested at all and currently is not in use at any installation.)

#!/bin/sh
# Simple stateful firewall for a gateway with one internal (LAN) interface
# and one external interface. Everything not explicitly allowed is dropped.

# IP/Network Configuration
INT_INTF="eth0"
INT_IP="192.168.47.0/24"
EXT_INTF="eth1"
EXT_INTF_IP="10.0.0.1"

# set up default policies: deny by default, allow selectively below
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Block XMAS packets (all TCP flags set)
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Block NULL packets (no TCP flags set)
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Anti-spoofing: only the internal network may appear on the internal
# interface, and private (RFC 1918) source addresses never arrive from
# the outside. ("! -s" is the current negation syntax; "-s ! addr" is
# deprecated.) Note that EXT_INTF_IP above is itself inside 10.0.0.0/8,
# so adapt these ranges to your real addressing.
iptables -A INPUT -i "$INT_INTF" ! -s "$INT_IP" -j DROP
iptables -A INPUT -i "$EXT_INTF" -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i "$EXT_INTF" -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i "$EXT_INTF" -s 10.0.0.0/8 -j DROP

# Allow new/established outgoing packets and
# established incoming packets on external network
iptables -A OUTPUT -o "$EXT_INTF" -s "$EXT_INTF_IP" \
    -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i "$EXT_INTF" -d "$EXT_INTF_IP" \
    -m state --state ESTABLISHED -j ACCEPT

# Allow established packets on internal network
iptables -A OUTPUT -o "$INT_INTF" \
    -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i "$INT_INTF" \
    -m state --state ESTABLISHED -j ACCEPT

# Allow related ICMP packets (e.g. destination unreachable for one of our
# connections) from external network
iptables -A INPUT -i "$EXT_INTF" \
    -p icmp -m state --state RELATED -j ACCEPT
# Allow related ICMP packets to internal network
iptables -A OUTPUT -o "$INT_INTF" -d "$INT_IP" \
    -p icmp -m state --state RELATED -j ACCEPT

# Allow access to our proxy services from the internal network:
# DNS (53/tcp, 53/udp), SOCKS (1080/tcp), HTTP proxy (3128/tcp)
iptables -A INPUT -i "$INT_INTF" -p tcp --dport 53 \
    -m state --state NEW -j ACCEPT
iptables -A INPUT -i "$INT_INTF" -p udp --dport 53 \
    -m state --state NEW -j ACCEPT
iptables -A INPUT -i "$INT_INTF" -p tcp --dport 1080 \
    -m state --state NEW -j ACCEPT
iptables -A INPUT -i "$INT_INTF" -p tcp --dport 3128 \
    -m state --state NEW -j ACCEPT
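Since the script above is untested, it helps to reason through what its INPUT chain actually does to a packet before loading it on a box. The following is an added example (not from the original note): a small Python model of iptables first-match semantics applied to the INPUT rules exactly as written, with the chain's DROP policy as the fallback. The packets are constructed samples, and the conntrack state is supplied by hand rather than tracked, which is the one simplification. It also checks one edge case the script does not cover: there is no rule for the loopback interface, so with OUTPUT and INPUT at DROP a local service talking to 127.0.0.1 (for example the DNS proxy) falls through to the policy and is dropped.

```python
"""Toy first-match evaluator for the INPUT chain of the firewall script above."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, FrozenSet, Tuple

INT_INTF, INT_IP = "eth0", "192.168.47.0/24"
EXT_INTF, EXT_INTF_IP = "eth1", "10.0.0.1"
ALL = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})  # iptables "ALL"
NONE, SYN, ACK = frozenset(), frozenset({"SYN"}), frozenset({"ACK"})


@dataclass(frozen=True)
class Packet:
    iface: str
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    dport: int = 0
    state: str = "NEW"               # conntrack state, supplied by hand here
    flags: FrozenSet[str] = NONE     # TCP flags set in the header


def _addr_match(spec: str, addr: str) -> bool:
    """CIDR match; a leading "!" negates, like iptables "! -s"."""
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("! "), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate


@dataclass(frozen=True)
class Rule:
    target: str                                   # ACCEPT or DROP
    iface: Optional[str] = None                   # -i
    src: Optional[str] = None                     # -s  ("!" prefix negates)
    dst: Optional[str] = None                     # -d
    proto: Optional[str] = None                   # -p
    dport: Optional[int] = None                   # --dport
    states: Optional[FrozenSet[str]] = None       # -m state --state
    flags: Optional[Tuple[FrozenSet[str], FrozenSet[str]]] = None  # --tcp-flags mask comp

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.src is not None and not _addr_match(self.src, p.src):
            return False
        if self.dst is not None and not _addr_match(self.dst, p.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.states is not None and p.state not in self.states:
            return False
        if self.flags is not None:
            mask, comp = self.flags
            if (p.flags & mask) != comp:   # bits inside the mask must equal comp
                return False
        return True


# The INPUT chain of the script, in order (OUTPUT/FORWARD are not modelled).
INPUT = [
    Rule("DROP", proto="tcp", flags=(ALL, ALL)),    # XMAS: all flags set
    Rule("DROP", proto="tcp", flags=(ALL, NONE)),   # NULL: no flags set
    Rule("DROP", iface=INT_INTF, src="!" + INT_IP),
    Rule("DROP", iface=EXT_INTF, src="192.168.0.0/16"),
    Rule("DROP", iface=EXT_INTF, src="172.16.0.0/12"),
    Rule("DROP", iface=EXT_INTF, src="10.0.0.0/8"),
    Rule("ACCEPT", iface=EXT_INTF, dst=EXT_INTF_IP, states=frozenset({"ESTABLISHED"})),
    Rule("ACCEPT", iface=INT_INTF, states=frozenset({"ESTABLISHED"})),
    Rule("ACCEPT", iface=EXT_INTF, proto="icmp", states=frozenset({"RELATED"})),
    Rule("ACCEPT", iface=INT_INTF, proto="tcp", dport=53, states=frozenset({"NEW"})),
    Rule("ACCEPT", iface=INT_INTF, proto="udp", dport=53, states=frozenset({"NEW"})),
    Rule("ACCEPT", iface=INT_INTF, proto="tcp", dport=1080, states=frozenset({"NEW"})),
    Rule("ACCEPT", iface=INT_INTF, proto="tcp", dport=3128, states=frozenset({"NEW"})),
]
INPUT_POLICY = "DROP"


def evaluate(chain, policy: str, pkt: Packet) -> str:
    """Verdict of the first matching rule; the chain policy if none matches."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


def verdict(pkt: Packet) -> str:
    return evaluate(INPUT, INPUT_POLICY, pkt)


# Constructed sample packets (not captured traffic); 203.0.113.0/24 is a documentation range.
SAMPLES = {
    "xmas probe from outside":   Packet(EXT_INTF, "203.0.113.9", EXT_INTF_IP, "tcp", 80, "NEW", ALL),
    "null probe from inside":    Packet(INT_INTF, "192.168.47.10", "192.168.47.1", "tcp", 80, "NEW", NONE),
    "private src on ext iface":  Packet(EXT_INTF, "192.168.1.5", EXT_INTF_IP, "tcp", 3128, "NEW", SYN),
    "foreign src on int iface":  Packet(INT_INTF, "10.9.9.9", "192.168.47.1", "tcp", 3128, "NEW", SYN),
    "reply to our connection":   Packet(EXT_INTF, "203.0.113.9", EXT_INTF_IP, "tcp", 40000, "ESTABLISHED", ACK),
    "lan host to http proxy":    Packet(INT_INTF, "192.168.47.10", "192.168.47.1", "tcp", 3128, "NEW", SYN),
    "lan host to ssh":           Packet(INT_INTF, "192.168.47.10", "192.168.47.1", "tcp", 22, "NEW", SYN),
    "internet host to proxy":    Packet(EXT_INTF, "203.0.113.9", EXT_INTF_IP, "tcp", 3128, "NEW", SYN),
    "related icmp from outside": Packet(EXT_INTF, "203.0.113.1", EXT_INTF_IP, "icmp", 0, "RELATED"),
    "loopback dns query":        Packet("lo", "127.0.0.1", "127.0.0.1", "tcp", 53, "NEW", SYN),
}


def all_verdicts() -> dict:
    return {name: verdict(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, v in all_verdicts().items():
        print(f"{name:28s} {v}")
```

The last two entries are the ones worth looking at: an internet host reaching for the proxy port is dropped by the default policy because every ACCEPT rule is tied to an interface, and the loopback query is dropped for the same reason, so a real deployment of this script needs an `-i lo`/`-o lo` ACCEPT pair added before the policies bite.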
This Web page is licensed under the Creative Commons Attribution - NonCommercial - Share Alike License. Any use is subject to the Privacy Policy.
Revision: 1.3, cmeerw.org/notes/iptables.html Last modified: Mon Sep 03 18:20:51 2018
Christof Meerwald <cmeerw@cmeerw.org> XMPP: cmeerw@cmeerw.org