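#!/bin/bash
#
# Build the host firewall (IPv4 and IPv6) and save it for the boot-time
# restore: the network-setup script loads iptables.rules / ip6tables.rules
# with iptables-restore before it brings the interface up.
#
# Resulting INPUT policy: loopback and established/related traffic accepted,
# INVALID packets dropped, a fixed list of service ports opened, everything
# else dropped.  OUTPUT and FORWARD are left alone (policy ACCEPT).  Only the
# filter table is reset -- a nat rule such as the REDIRECT in the comment
# near the end survives a run of this script.
#
# Must run as root, from the console if possible: the chains are flushed and
# rebuilt in place, so an SSH session survives only through the
# ESTABLISHED,RELATED rule, which is the first one added back.
#
# NOTE(review): 631 (CUPS), 3306 (MySQL), 5432 (PostgreSQL), 5984 (CouchDB)
# and 8123 (polipo) are opened to every source address.  If they need not be
# reachable beyond the LAN, set TRUSTED_V4 / TRUSTED_V6 (CIDR) in the
# environment; empty, the default, keeps the original any-source rules.
set -euo pipefail

[[ $EUID -eq 0 ]] || { printf 'this script must run as root\n' >&2; exit 1; }

# Optional source networks for the internal_* ports below; empty = any source.
TRUSTED_V4="${TRUSTED_V4-}"
TRUSTED_V6="${TRUSTED_V6-}"

# Service ports as PROTO/PORT.  "public" is opened to any source, "internal"
# to TRUSTED_* when that is set.  The split only matters once TRUSTED_* is
# set; until then both lists behave exactly alike.
public_v4=(
  tcp/22     # ssh
  tcp/53     # dns
  udp/53
  tcp/80     # http
  tcp/443    # https
  tcp/8333   # bitcoin p2p
  tcp/9000   # undocumented in the original, kept as-is -- TODO confirm what listens here
  udp/1194   # openvpn
)
internal_v4=(
  tcp/631    # cups
  tcp/3306   # mysql
  tcp/5432   # postgres
  tcp/5984   # apache couchdb (NoSQL database)
  tcp/8123   # polipo proxy
)
# IPv6 mirrors IPv4 except that 8333 and 9000 were only ever opened for IPv4.
public_v6=(tcp/22 tcp/53 udp/53 tcp/80 tcp/443 udp/1194)
internal_v6=("${internal_v4[@]}")

#######################################
# Accept traffic to one port.
# Arguments: $1 iptables binary, $2 protocol, $3 port,
#            $4 optional source CIDR (omitted or empty = any source)
#######################################
open_port() {
  local fw=$1 proto=$2 port=$3 src=${4-}
  if [[ -n $src ]]; then
    "$fw" -A INPUT -p "$proto" -s "$src" --dport "$port" -j ACCEPT
  else
    "$fw" -A INPUT -p "$proto" --dport "$port" -j ACCEPT
  fi
}

#######################################
# Flush and rebuild the INPUT chain of one address family.
# Arguments: $1 iptables binary, $2 icmp protocol name, $3 trusted CIDR or "",
#            $4 public list, $5 internal list (space-separated PROTO/PORT)
#######################################
build_input() {
  local fw=$1 icmp=$2 trusted=$3 public=$4 internal=$5 svc
  # Filter table only; -X also removes user chains left by an earlier setup.
  "$fw" -F
  "$fw" -X
  "$fw" -A INPUT -i lo -j ACCEPT
  "$fw" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Packets conntrack cannot classify never reach the service rules.
  "$fw" -A INPUT -m conntrack --ctstate INVALID -j DROP
  # ICMP is accepted wholesale; for IPv6 it carries neighbour discovery,
  # so filtering it would break the network.
  "$fw" -A INPUT -p "$icmp" -j ACCEPT
  # word-splitting of $public / $internal is intended (PROTO/PORT tokens)
  for svc in $public; do
    open_port "$fw" "${svc%/*}" "${svc#*/}"
  done
  for svc in $internal; do
    open_port "$fw" "${svc%/*}" "${svc#*/}" "$trusted"
  done
  # To log what gets dropped, add a rate-limited LOG rule right here, e.g.
  #   "$fw" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
  "$fw" -A INPUT -j DROP
  # Default-deny policy as well, so a later bare "iptables -F" fails closed
  # instead of leaving the host wide open.
  "$fw" -P INPUT DROP
}

build_input iptables  icmp   "$TRUSTED_V4" "${public_v4[*]}" "${internal_v4[*]}"
build_input ip6tables icmpv6 "$TRUSTED_V6" "${public_v6[*]}" "${internal_v6[*]}"

# To redirect port 80 to couchdb on 5984 (nat table, not touched above):
#   iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 5984

# Show the result, then save it for the restore at boot.
iptables -L -v
ip6tables -L -v
iptables-save > iptables.rules
ip6tables-save > ip6tables.rules

# (Run as root)

#!/bin/bash
# Install the saved rule sets where setup_firewall in network-setup expects
# them (/etc/iptables.rules and /etc/ip6tables.rules).  Run as root, from the
# directory the firewall script was run in.
set -euo pipefail
[[ $EUID -eq 0 ]] || { printf 'this script must run as root\n' >&2; exit 1; }
cp -- iptables.rules ip6tables.rules /etc/

# (Run on system/network startup)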
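#!/bin/bash
#
# Bring a wired interface up or down with a static IPv4/IPv6 address and
# IPv4 default gateway, restoring the saved firewall first so the interface
# is never live without it.
#
# Usage: network-setup start|stop DEVICE   (as root, normally from systemd)
#
set -euo pipefail

readonly ip=/sbin/ip
# Positional arguments, empty rather than an unbound-variable error under
# set -u so that main() can report a usage problem itself.
action=${1-}
device=${2-}
# Site-specific addressing for the interface this script manages.
readonly gateway_v4="192.168.2.254"
readonly static_v4="192.168.2.29/24"
# fc00::/7 is unique-local IPv6 space (RFC 4193): not routable on the internet.
readonly static_v6="fc00::1/64"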
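#######################################
# Reset the interface, install the firewall, then bring it up with the
# static addresses and the IPv4 default route.  The firewall is restored
# before the link comes up so there is no window with an unfiltered
# interface; a failed restore (non-zero from setup_firewall) stops the
# start when the script runs under set -e.
# Globals: ip, device, static_v4, static_v6, gateway_v4 (read)
#######################################
start() {
  stop
  setup_firewall
  "$ip" link set dev "$device" up
  "$ip" addr add "$static_v4" dev "$device"
  # replace rather than add: a re-run of the unit, or a default route left
  # by another interface, must not fail the whole start.
  "$ip" route replace default via "$gateway_v4"
  "$ip" -6 addr add "$static_v6" dev "$device"
  # Print what was configured, for the journal.
  "$ip" addr show "$device"
  "$ip" -6 addr show "$device"
}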
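#######################################
# Take the interface down: drop its IPv4 and IPv6 addresses, then the link.
# All three steps are attempted; the return status is that of the last one.
# Globals: ip, device (read)
#######################################
stop() {
  local dev=$device
  "$ip" addr flush dev "$dev"
  "$ip" -6 addr flush dev "$dev"
  "$ip" link set dev "$dev" down
}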
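#######################################
# Load the saved rule sets with iptables-restore / ip6tables-restore.
# A missing or unreadable file, or a restore that is rejected, makes the
# function return 1 with a message on stderr -- the original ignored the
# exit status and went on to bring the interface up without a firewall.
# Arguments: $1 IPv4 rules file (default /etc/iptables.rules)
#            $2 IPv6 rules file (default /etc/ip6tables.rules)
# Returns:   0 when both rule sets loaded, 1 otherwise
#######################################
setup_firewall() {
  local v4=${1:-/etc/iptables.rules}
  local v6=${2:-/etc/ip6tables.rules}
  local f
  for f in "$v4" "$v6"; do
    if [[ ! -r "$f" ]]; then
      printf 'firewall rules not readable: %s\n' "$f" >&2
      return 1
    fi
  done
  iptables-restore < "$v4" || { printf 'iptables-restore failed for %s\n' "$v4" >&2; return 1; }
  ip6tables-restore < "$v6" || { printf 'ip6tables-restore failed for %s\n' "$v6" >&2; return 1; }
}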
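#######################################
# Dispatch on the global action for the global device.
# A missing argument or an unknown action prints a usage line on stderr
# and returns 2, instead of silently printing "Finished" and exiting 0.
# Globals: action, device (read)
# Returns: 2 on usage error, otherwise the status of start/stop
#######################################
main() {
  if [[ -z $action || -z $device ]]; then
    printf 'usage: %s start|stop DEVICE\n' "${0##*/}" >&2
    return 2
  fi
  case "$action" in
    start)
      printf 'Starting %s\n' "$device"
      start
      ;;
    stop)
      printf 'Stopping %s\n' "$device"
      stop
      ;;
    *)
      printf 'unknown action: %s (expected start or stop)\n' "$action" >&2
      return 2
      ;;
  esac
  printf 'Finished\n'
}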
# Entry point: main reads action/device from the globals set at the top,
# so the positional arguments are passed along only for completeness.
main "$@"
(Example systemd file)
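[Unit]
Description=Wired network configuration
# Ordered before network.target so units that wait for the network find the
# address, route and firewall already in place.
Wants=network.target
Before=network.target
# Tie the unit to the device: start once udev has enp2s0, stop with it.
# BindsTo= is the current spelling; the older alias BindTo= is still accepted
# but deprecated.
BindsTo=sys-subsystem-net-devices-enp2s0.device
After=sys-subsystem-net-devices-enp2s0.device

[Service]
# oneshot + RemainAfterExit: the script runs once and the unit stays active,
# so "systemctl stop" runs ExecStop (interface down) later.
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/configscripts/network-setup start enp2s0
ExecStop=/etc/configscripts/network-setup stop enp2s0

[Install]
WantedBy=multi-user.target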
Iptables firewall configuration