The Firewall Script

But before we add any enhancements to our half-baked firewall, let's
get everything organized into a bash script:

#!/bin/bash
IPT=/sbin/iptables
# interfaces:
# eth0: 192.168.1.1 (our LAN)
# eth1: 216.223.235.2 (our bridged DSL router)
case "$1" in
start)
    # Set a default policy of DROP; deny-by-default for security:
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    echo 1 > /proc/sys/net/ipv4/ip_forward
    ;;
stop)
    echo 0 > /proc/sys/net/ipv4/ip_forward
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    ;;
*)
    echo "usage: $0 {start|stop}" >&2
    exit 1
    ;;
esac
Our firewall script still does basically the same thing
as our earlier commands except that it is in a much more
convenient package. After making our script executable,
we can type "./firewall start" to start our firewall, and
"./firewall stop" to tear it down. We also enable IP
forwarding when our firewall is active, and disable it when it
is not. This will come in handy later on when we start
allowing our machine to forward certain types of traffic. And
of course, we've added the appropriate iptables commands to set
our INPUT and FORWARD policy back to ACCEPT when "./firewall
stop" is called. Also note the comments at the top of the
script; in them, I record the interfaces on my machine, their
associated IP addresses, and the networks to which they are
connected—handy information to have right in front of you
when you are designing a firewall. In my particular
scenario, I trust the traffic originating from eth0 but need to
be wary of anything coming from eth1.
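The following is an added example, not the article's own script: it keeps the same start/stop structure and the same two default-DROP policies, but routes every iptables call through a small run() helper with a DRY_RUN switch, so the exact command list an action would execute can be reviewed (or checked in a test) without root and without touching the live rule set. The firewall_commands() function, the root check and the explicit flush are assumptions of this example; the interface roles (eth0 trusted LAN, eth1 untrusted DSL side) are taken from the article.

```shell
#!/bin/bash
# Hypothetical firewall script (added example, not the article's code).
# Same shape as the article's script, with two practitioner additions:
#   - DRY_RUN=1 prints the commands instead of executing them, so the
#     rule set can be reviewed on a machine without root
#   - each action flushes INPUT/FORWARD first, so "start" is idempotent
#     and "stop" leaves no stale rules behind
# Interfaces assumed from the article: eth0 = LAN (trusted),
# eth1 = bridged DSL router (untrusted).
IPT=${IPT:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-0}
FORWARD_CTL=/proc/sys/net/ipv4/ip_forward

# run CMD...: execute the command, or print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# set_forwarding 0|1: write the IP-forwarding toggle (printed in dry-run)
set_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'echo %s > %s\n' "$1" "$FORWARD_CTL"
    else
        echo "$1" > "$FORWARD_CTL"
    fi
}

# fw_start: deny-by-default policies, then enable forwarding
fw_start() {
    run "$IPT" -F INPUT
    run "$IPT" -F FORWARD
    run "$IPT" -P INPUT DROP
    run "$IPT" -P FORWARD DROP
    set_forwarding 1
}

# fw_stop: disable forwarding first, then open the policies back up
fw_stop() {
    set_forwarding 0
    run "$IPT" -F INPUT
    run "$IPT" -F FORWARD
    run "$IPT" -P INPUT ACCEPT
    run "$IPT" -P FORWARD ACCEPT
}

# firewall_commands ACTION: print the command list an action would run,
# one per line. Runs in a subshell so DRY_RUN=1 never leaks out.
firewall_commands() (
    DRY_RUN=1
    case "$1" in
        start) fw_start ;;
        stop)  fw_stop ;;
        *)     exit 1 ;;   # exits only this subshell
    esac
)

# main ACTION: apply the rules for real (root required unless DRY_RUN=1)
main() {
    if [ "$DRY_RUN" != 1 ] && [ "$(id -u)" -ne 0 ]; then
        echo "must be root to change firewall rules (or set DRY_RUN=1)" >&2
        return 1
    fi
    case "$1" in
        start) fw_start ;;
        stop)  fw_stop ;;
        *)     echo "usage: $0 {start|stop}" >&2; return 1 ;;
    esac
}

# Dispatch only when an action is given, so the file can also be sourced
# (for example to call firewall_commands from a test).
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Usage: `DRY_RUN=1 ./firewall start` prints the five commands "start" would issue; `./firewall start` as root applies them. Note that, exactly as with the article's script, an INPUT policy of DROP with no ACCEPT rules yet means the host stops answering everything, including an SSH session you might be running it from, so at this stage it should be started from the console.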