Monday, July 1, 2013

iptables script on a mail server

 root@smtp:/home/man# cat /etc/init.d/iptables

---------------------Begin-----------------------------------
 #!/bin/sh
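#
# Firewall script for ChilliSpot
# A Wireless LAN Access Point Controller (here running on a mail server)
#
# Uses $EXTIF (eth0) as the external interface (Internet or intranet) and
# $INTIF (eth1) as the internal interface (access points).
#
# Written for POSIX sh (#!/bin/sh): no arrays, no [[ ]], no bashisms.
#
# SUMMARY (what the rules below actually do)
# * Default policy: INPUT and FORWARD drop, OUTPUT accept.
# * Loopback and RELATED/ESTABLISHED traffic is accepted on INPUT.
# * Known spam sources (static list below plus the Spamhaus DROP list) are
#   refused on tcp/25 before any ACCEPT rule can match them.
# * New TCP SYNs arriving on $EXTIF pass through a rate-limited syn-flood
#   chain first; excess SYNs are logged and dropped.
# * New SSH connections on $EXTIF are throttled: more than 3 from one source
#   within 600 s are dropped.
# * Inbound tcp/22, 25, 465, 80, 110, 10000, 3990 and ICMP echo-request are
#   accepted; everything else falls to the INPUT DROP policy.
# * FORWARD accepts only loopback; traffic to and from $INTIF is dropped by
#   policy. No NAT rules are configured in this script.
#
# Deliberately no "set -e": aborting half-way would leave a partially built
# ruleset behind DROP policies, so iptables errors are printed but not fatal.

IPTABLES="/sbin/iptables"
EXTIF="eth0"
INTIF="eth1"   # currently only referenced in the comments above
# Spamhaus DROP list, one "network/cidr ; SBLnnn" entry per line; comment
# lines start with ';'.
DROP_URL="http://www.spamhaus.org/drop/drop.lasso"
# Static spam sources refused on tcp/25 (one network or host per word).
SPAM_SOURCES="41.203.64.0/24 41.203.64.131 41.203.64.132 41.203.64.133 \
41.203.64.134 41.203.64.135 67.15.76.50 186.82.169.236 122.164.34.182 \
89.123.161.227 208.83.136.12 208.83.136.13"

# Start from a clean filter table: flush every chain, then delete the
# user-defined chains so "-N syn-flood" below does not fail on a re-run.
$IPTABLES -F
$IPTABLES -X

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

# SYN flood protection. Packets within the limit RETURN to INPUT and are
# evaluated normally; the excess is logged (itself rate-limited so the log
# cannot be flooded) and dropped. The chain is created before INPUT jumps
# to it, and the interface match lives on the jump rule so traffic from
# other interfaces never enters the chain.
$IPTABLES -N syn-flood
$IPTABLES -A syn-flood -m limit --limit 75/s --limit-burst 100 -j RETURN
$IPTABLES -A syn-flood -m limit --limit 5/min -j LOG --log-prefix "SYN-FLOOD: "
$IPTABLES -A syn-flood -j DROP

# Allow related and established on all interfaces (input)
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT

# Block known spam sources on tcp/25. These must precede the tcp/25 ACCEPT
# below, otherwise they are never reached.
for src in $SPAM_SOURCES; do
  $IPTABLES -A INPUT -s "$src" -p tcp --dport 25 -j DROP
done
# Spamhaus DROP list. The download is plain HTTP and therefore not
# authenticated, so only tokens that look like an IPv4 address or network
# are accepted; comment lines, junk and anything option-like are discarded
# instead of being handed to iptables as arguments. If the download fails
# (curl -f / timeout), only the static list above applies and the error is
# printed to stderr.
curl -sSf --max-time 30 "$DROP_URL" \
  | grep -E -o '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?' \
  | while IFS= read -r net; do
      $IPTABLES -A INPUT -s "$net" -p tcp --dport 25 -j DROP
    done

# Every new TCP connection from the external interface is rate-limited first.
$IPTABLES -A INPUT -i "$EXTIF" -p tcp --syn -j syn-flood

# SSH brute-force throttle on $EXTIF: record each new connection, then drop
# the source once it has made 3 within 600 s. Both rules must come BEFORE the
# tcp/22 ACCEPT; placed after it they would never match a new connection.
$IPTABLES -A INPUT -p tcp --dport 22 -i "$EXTIF" -m state --state NEW -m recent --set
$IPTABLES -A INPUT -p tcp --dport 22 -i "$EXTIF" -m state --state NEW -m recent --update --seconds 600 --hitcount 3 -j DROP
$IPTABLES -A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT

# A NEW TCP connection that does not start with SYN is bogus.
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Services offered to the world: smtp, smtps, http, pop3, webmin, chilli.
for port in 25 465 80 110 10000 3990; do
  $IPTABLES -A INPUT -p tcp -m tcp --dport "$port" --syn -j ACCEPT
done

# Forwarding: only loopback. Everything to and from $INTIF hits the FORWARD
# DROP policy.
$IPTABLES -A FORWARD -i lo -j ACCEPT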

-----------------//End//--------------------------------------

Enable the script to run at boot:

#update-rc.d iptables defaults

Show the current iptables rules:
#iptables -L --line-number
#iptables -S
#iptables -L -v

Save the iptables rules
1. Install the package; during installation it asks whether to save the current rules — choose Yes.
aptitude install iptables-persistent

2. Or run the command: iptables-save

----For Centos----------พิมพ์คำสั่งด้านล่าง service ssh port 55001--------------------------------------
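iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH throttle (sshd listens on 55001 here): record every new connection and
# drop a source after 3 within 600 s. Both rules must come BEFORE the ACCEPT;
# with the ACCEPT first, new connections are accepted before the throttle
# is ever evaluated.
iptables -A INPUT -p tcp --dport 55001 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 55001 -m state --state NEW -m recent --update --seconds 600 --hitcount 3 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 55001 --syn -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT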
-----------------------------------------------------------------------------

#For samba
# Samba: accept new TCP connections to SMB (445) and NetBIOS session (139).
for samba_port in 445 139; do
  iptables -A INPUT -p tcp -m tcp --dport "$samba_port" --syn -j ACCEPT
done


Ref: digitalocean
Ref: serverfault.com
