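#!/bin/bash
#
# Host firewall for a single Internet-facing server.
#
# Loads a stateful iptables rule set for the INPUT and OUTPUT chains
# (the host does not forward: FORWARD stays at policy DROP and
# ip_forward is switched off) and sets a handful of net.ipv4 hardening
# sysctls.
#
# Usage: $0 {start|stop|restart|clear}
#   start|restart  flush, set DROP policies, then load the rule set
#                  (the host is closed, never open, while rules reload)
#   stop           flush and leave every chain at policy DROP (fail closed)
#   clear          flush and set every chain to ACCEPT (host unprotected)
#
# NOTE(review): the module names (ip_conntrack, ipt_owner, ...) and the
# `-m owner --cmd-owner` match date from the early 2.6 kernels; later
# kernels renamed the modules (nf_conntrack, xt_owner) and dropped
# --cmd-owner.  Such rules fail with an error from iptables, and because
# the script is not `set -e` the remaining rules are still loaded --
# read the output the first time this runs on a new kernel.

PATH=/bin:/sbin:/usr/bin:/usr/sbin
IPT=/sbin/iptables

# Services that the system will offer to the network (space separated).
TCP_SERVICES="80"
UDP_SERVICES="138"

# Services the system will use from the network (space separated).
REMOTE_TCP_SERVICES=""
REMOTE_UDP_SERVICES="53 67"

# Site-specific addresses.  They were redacted ("<ip is sensored>",
# "x.x.0.0/12") in the posting this script comes from; fill them in before
# use.  iptables rejects the placeholders and, since the script is not
# `set -e`, silently skips those rules.
NETBIOS_DGRAM_DST="<ip is sensored>"          # -d of the UDP 138 datagram rule
MAKROSEURO_HOSTS=("<ip is sensored>" "<ip is sensored>")   # outbound peers to log
SSH_ADMIN_NETS=("x.x.0.0/12" "<ip is sensored>" "<ip is sensored>" "<ip is sensored>" "<ip is sensored>")
FTP_ADMIN_NETS=("x.x.0.0/12" "<ip is sensored>" "<ip is sensored>" "<ip is sensored>")
MYSQL_SERVER="<ip is sensored>"
WEB_SERVER_IP="<ip is sensored>"              # presumably this host's own address -- TODO confirm

# Rate limit applied to every LOG target.  An unlimited LOG rule lets a
# remote host fill syslog / the disk simply by scanning this machine.
LOG_LIMIT=(-m limit --limit 10/minute --limit-burst 10)

# No iptables means no filtering at all: fail loudly rather than exit 0
# as if the firewall had been applied.
if ! [ -x "$IPT" ]; then
  echo "$0: $IPT not found or not executable; firewall NOT applied" >&2
  exit 1
fi

#######################################
# Load the full rule set into empty filter chains.
# Globals:  IPT, LOG_LIMIT, TCP_SERVICES, UDP_SERVICES,
#           REMOTE_TCP_SERVICES, REMOTE_UDP_SERVICES and the
#           site-specific address variables above (all read only)
# Side effects: appends to INPUT/OUTPUT, sets their policy to DROP,
#           writes /proc/sys/net/ipv4 sysctls.
# Expects:  chains already flushed (the `start` action runs fw_stop first).
#######################################
fw_start () {
  local port net host f

  /sbin/modprobe ipt_LOG
  /sbin/modprobe ipt_REJECT
  /sbin/modprobe ipt_owner
  /sbin/modprobe ipt_limit
  /sbin/modprobe ipt_state
  /sbin/modprobe ip_conntrack
  # FTP helper: follows the control channel so data connections are RELATED.
  /sbin/modprobe ip_conntrack_ftp ports=21,20

  #######################################
  # INPUT
  #######################################

  ## Scan detection: impossible TCP flag combinations on packets that are
  ## not part of an established flow.  `--tcp-flags MASK COMP` matches when
  ## (flags & MASK) == COMP, so COMP must be a subset of MASK.  The original
  ## "SYN,ACK,FIN,RST ALL" could never match (ALL is wider than the mask),
  ## so the XMAS0 pair was dead; it now asks for exactly those four bits.
  ## nmap -sS (SYN scan: an ordinary SYN, nothing to detect here)
  ## nmap -sX (Xmas: SYN+ACK+FIN+RST [+PSH+URG], invalid in TCP)
  "$IPT" -A INPUT -p tcp -m state ! --state ESTABLISHED --tcp-flags SYN,ACK,FIN,RST SYN,ACK,FIN,RST "${LOG_LIMIT[@]}" -j LOG --log-prefix "IPT: Scan: XMAS0: "
  "$IPT" -A INPUT -p tcp -m state ! --state ESTABLISHED --tcp-flags SYN,ACK,FIN,RST SYN,ACK,FIN,RST -j REJECT --reject-with tcp-reset
  "$IPT" -A INPUT -p tcp -m state ! --state ESTABLISHED --tcp-flags ALL FIN,URG,PSH "${LOG_LIMIT[@]}" -j LOG --log-prefix "IPT: Scan: XMAS1: "
  "$IPT" -A INPUT -p tcp -m state ! --state ESTABLISHED --tcp-flags ALL FIN,URG,PSH -j REJECT --reject-with tcp-reset
  "$IPT" -A INPUT -p tcp -m state ! --state ESTABLISHED --tcp-flags ALL SYN,RST,ACK,FIN,URG "${LOG_LIMIT[@]}" -j LOG --log-prefix "IPT: Scan: XMAS2: "
  "$IPT" -A INPUT -p tcp -m state ! --state ESTABLISHED --tcp-flags ALL SYN,RST,ACK,FIN,URG -j REJECT --reject-with tcp-reset
  # This pair was also labelled "XMAS2", making the two scan types
  # indistinguishable in the log.
  "$IPT" -A INPUT -p tcp -m state ! --state ESTABLISHED --tcp-flags ALL ALL "${LOG_LIMIT[@]}" -j LOG --log-prefix "IPT: Scan: XMAS3: "
  "$IPT" -A INPUT -p tcp -m state ! --state ESTABLISHED --tcp-flags ALL ALL -j REJECT --reject-with tcp-reset
  "$IPT" -A INPUT -p tcp -m state ! --state ESTABLISHED --tcp-flags SYN,RST SYN,RST "${LOG_LIMIT[@]}" -j LOG --log-prefix "IPT: Scan: SYN-RST: "
  "$IPT" -A INPUT -p tcp -m state ! --state ESTABLISHED --tcp-flags SYN,RST SYN,RST -j REJECT --reject-with tcp-reset

  ## Fingerprinting: port 0 is never legitimate in either direction.
  "$IPT" -A INPUT -p tcp --dport 0 -j DROP
  "$IPT" -A INPUT -p udp --dport 0 -j DROP
  "$IPT" -A INPUT -p tcp --sport 0 -j DROP
  "$IPT" -A INPUT -p udp --sport 0 -j DROP

  ## nmap -sN (Null scan: no flags at all, invalid in TCP)
  "$IPT" -A INPUT -p tcp -m state ! --state ESTABLISHED --tcp-flags SYN,ACK,FIN,RST NONE "${LOG_LIMIT[@]}" -j LOG --log-prefix "IPT: Scan: empty flags: "
  "$IPT" -A INPUT -p tcp -m state ! --state ESTABLISHED --tcp-flags SYN,ACK,FIN,RST NONE -j REJECT --reject-with tcp-reset

  ## nmap -sF (FIN scan: only FIN set)
  "$IPT" -A INPUT -p tcp -m state ! --state ESTABLISHED --tcp-flags SYN,ACK,FIN,RST FIN "${LOG_LIMIT[@]}" -j LOG --log-prefix "IPT: Scan: only FIN: "
  "$IPT" -A INPUT -p tcp -m state ! --state ESTABLISHED --tcp-flags SYN,ACK,FIN,RST FIN -j REJECT --reject-with tcp-reset

  ## A NEW connection must start with a SYN.  Port 80 is exempted --
  ## presumably so that web clients whose flow conntrack no longer knows
  ## are not reset (TODO confirm); such packets fall through to the
  ## stateless port-80 ACCEPT further down.
  "$IPT" -A INPUT -p tcp ! --syn -m state --state NEW ! --dport 80 "${LOG_LIMIT[@]}" -j LOG --log-prefix "NEW_NOT_SYN:"
  "$IPT" -A INPUT -p tcp ! --syn -m state --state NEW ! --dport 80 -j REJECT --reject-with tcp-reset

  ## ICMP: drop netmask probes, accept everything else.
  ## NOTE(review): every other type, echo-request included, is accepted
  ## without a rate limit; add `-m limit` on echo-request if ping floods
  ## are a concern.
  "$IPT" -A INPUT -p icmp --icmp-type address-mask-request -j DROP
  "$IPT" -A INPUT -p icmp --icmp-type address-mask-reply -j DROP
  "$IPT" -A INPUT -p icmp -j ACCEPT

  ## Loopback spoofing defence and invalid packets.  Only 127/8 <-> 127/8
  ## on lo is whitelisted; local traffic to the host's real address over lo
  ## is not, and is subject to the per-port rules below.
  "$IPT" -A INPUT -m state --state INVALID -j DROP
  "$IPT" -A INPUT -p ALL -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
  "$IPT" -A INPUT -p ALL ! -i lo -d 127.0.0.0/8 -j DROP

  ## Replies to connections this host opened (and helper-tracked RELATED flows).
  "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  ## NetBIOS name service (137) and datagram service (138).
  "$IPT" -A INPUT -p udp --sport 137 --dport 137 -j ACCEPT
  "$IPT" -A INPUT -p udp -d "$NETBIOS_DGRAM_DST" --sport 138 --dport 138 -j ACCEPT

  ## Services offered to everyone.  The lists are intentionally word-split.
  # shellcheck disable=SC2086
  for port in $TCP_SERVICES; do
    "$IPT" -A INPUT -p tcp --dport "$port" -j ACCEPT
  done
  # shellcheck disable=SC2086
  for port in $UDP_SERVICES; do
    "$IPT" -A INPUT -p udp --dport "$port" -j ACCEPT
  done

  ## Diagnostics: unexplained traffic to TCP 125, and outbound traffic to
  ## the "makroseuro" hosts.  LOG is non-terminating, so these only record;
  ## the verdict comes from the rules that follow.  Note the OUTPUT rules
  ## are appended here, i.e. they end up at the head of the OUTPUT chain.
  "$IPT" -A INPUT -p tcp --dport 125 "${LOG_LIMIT[@]}" -j LOG --log-prefix "PORT125: "
  for host in "${MAKROSEURO_HOSTS[@]}"; do
    "$IPT" -A OUTPUT -p all -d "$host" "${LOG_LIMIT[@]}" -j LOG --log-prefix "MAKROSEURO: "
  done

  ## SSH and FTP for moderators only (one /12 plus individual hosts).
  for net in "${SSH_ADMIN_NETS[@]}"; do
    "$IPT" -A INPUT -p tcp -s "$net" --dport 22 -j ACCEPT
  done
  for net in "${FTP_ADMIN_NETS[@]}"; do
    "$IPT" -A INPUT -p tcp -s "$net" --dport 21 -j ACCEPT
  done

  ## Everything else: log (rate limited), then actively reject so the
  ## sender sees a closed port rather than a filtered one.  The DROP policy
  ## is a backstop that is only reached if the REJECT rules are removed.
  "$IPT" -A INPUT "${LOG_LIMIT[@]}" -j LOG --log-prefix "REJECTED[INPUT]: "
  "$IPT" -A INPUT -p tcp -j REJECT --reject-with tcp-reset
  "$IPT" -A INPUT -p all -j REJECT
  "$IPT" -P INPUT DROP

  #######################################
  # OUTPUT
  #######################################
  "$IPT" -A OUTPUT -o lo -j ACCEPT
  "$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A OUTPUT -p icmp -j ACCEPT

  ## Programs allowed to open outbound connections.
  ## NOTE(review): --cmd-owner matches the process's command name, which
  ## an unprivileged local process can pick for itself (copy or rename the
  ## binary), so this is not a real restriction; the match was also removed
  ## from the kernel in 2.6.14.  --uid-owner is the robust replacement.
  "$IPT" -A OUTPUT -m owner --cmd-owner up2date -j ACCEPT
  "$IPT" -A OUTPUT -m owner --cmd-owner wget -j ACCEPT
  "$IPT" -A OUTPUT -m owner --cmd-owner rpm -j ACCEPT

  # shellcheck disable=SC2086
  for port in $REMOTE_TCP_SERVICES; do
    "$IPT" -A OUTPUT -p tcp --dport "$port" -j ACCEPT
  done
  # shellcheck disable=SC2086
  for port in $REMOTE_UDP_SERVICES; do
    "$IPT" -A OUTPUT -p udp --dport "$port" -j ACCEPT
  done

  ## External MySQL server.
  "$IPT" -A OUTPUT -p tcp -d "$MYSQL_SERVER" --dport 3306 -j ACCEPT

  ## (A second ESTABLISHED,RELATED ACCEPT stood here; it was unreachable
  ## because the identical rule at the head of the chain matches first.)

  ## Web server replies.  Real replies are already covered by the
  ## ESTABLISHED rule; what this additionally permits is any locally
  ## originated TCP with source port 80, which normally only root can bind.
  "$IPT" -A OUTPUT -p tcp -s "$WEB_SERVER_IP" --sport 80 -j ACCEPT

  ## Reject all other packets (log rate limited; DROP policy as backstop).
  "$IPT" -A OUTPUT "${LOG_LIMIT[@]}" -j LOG --log-prefix "REJECTED[OUTPUT]: "
  "$IPT" -A OUTPUT -j REJECT
  "$IPT" -P OUTPUT DROP

  #######################################
  # Kernel hardening
  #######################################
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  echo 0 > /proc/sys/net/ipv4/ip_forward
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
  echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
  # send_redirects and (with forwarding off) accept_redirects are OR-ed
  # between conf/all and the per-interface entry (ip-sysctl.txt), so the
  # original `conf/all/send_redirects = 0` alone changed nothing while the
  # interfaces kept their default of 1.  Clear every entry, including
  # conf/default so interfaces added later inherit it.
  for f in /proc/sys/net/ipv4/conf/*/send_redirects /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > "$f"
  done
}

#######################################
# Flush every rule in the filter, nat and mangle tables.
# Chain policies are left untouched; the callers set them.
#######################################
fw_flush () {
  "$IPT" -F
  "$IPT" -t nat -F
  "$IPT" -t mangle -F
}

#######################################
# Flush and close the host (all policies DROP).  Also the first step of
# `start`, so nothing is accepted while the rule set is being rebuilt.
#######################################
fw_stop () {
  fw_flush
  "$IPT" -P INPUT DROP
  "$IPT" -P FORWARD DROP
  "$IPT" -P OUTPUT DROP
}

#######################################
# Flush and open the host completely (all policies ACCEPT).
#######################################
fw_clear () {
  fw_flush
  "$IPT" -P INPUT ACCEPT
  "$IPT" -P FORWARD ACCEPT
  "$IPT" -P OUTPUT ACCEPT
}

case "$1" in
  start|restart)
    echo "Starting firewall.."
    fw_stop
    fw_start
    echo "done."
    ;;
  stop)
    echo "Stopping firewall.."
    fw_stop
    echo "done."
    ;;
  clear)
    echo "Clearing firewall rules.."
    fw_clear
    echo "done."
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|clear}" >&2
    exit 1
    ;;
esac
exit 0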