Untitled

##############################################
# INPUT RULES
##############################################

# loopback adapter
iptables -A INPUT -i lo -j ACCEPT

# drop private petworks
iptables -A INPUT -s 192.168.0.0/24 -j DROP # (C)
iptables -A INPUT -s 172.16.0.0/12 -j DROP # (B)
iptables -A INPUT -s 224.0.0.0/4 -j DROP # (MULTICAST D)
iptables -A INPUT -s 240.0.0.0/5 -j DROP # (E)
iptables -A INPUT -s 10.0.1.1 -j DROP # router
iptables -A INPUT -d 10.0.1.255 -j DROP # broadcast
iptables -A INPUT -d 255.255.255.255 -j DROP # broadcast

# related/established
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# invalid
iptables -A INPUT -m state --state INVALID -j DROP

# syn-flood protection
iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j ACCEPT

# allow http
iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

# allow ssh only from LAN
iptables -A INPUT -s 10.0.1.0/24 -m state --state NEW -p tcp --dport 65212 -j ACCEPT

# allow ping only from LAN
iptables -A INPUT -s 10.0.1.0/24 -m state --state NEW -p icmp --icmp-type 8 -m limit --limit 1/s -j ACCEPT

# log the rest
iptables -A INPUT -m limit --limit 2/min --limit-burst 2 -j LOG --log-prefix "INPUT DROP: "

# block everything else
iptables -A INPUT -j DROP

##############################################
# OUTPUT RULES
##############################################

# loopback adapter
iptables -A OUTPUT -o lo -j ACCEPT

# related/established
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# allow dns queries
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

# allow http/https queries
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT

# log the rest
iptables -A OUTPUT -m limit --limit 2/min --limit-burst 2 -j LOG --log-prefix "OUTPUT DROP: "

# block everything else
iptables -A OUTPUT -j DROP