iptables hopefully final

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1:60]

#Accepts all traffic from loopback
-A INPUT -i lo -j ACCEPT

#Allows existing connections
-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

#Drops packets w/ unneccessary flags
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP

#SSH rules. Allows SSH. Drops after 3 failed attempts within 60 seconds (Change dport as necessary)
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 --rttl --name SSH -j LOG --log-prefix "SSH break in attempt "
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 --rttl --name SSH -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

#Allow TFTP, SIP, and Voice stream from SIP client IPs (change or add IP(s) as necessary); only SIP for trunks
-A INPUT -i eth0 -p udp -m udp --dport 5060 -s 64.136.173.31,64.136.174.30,209.166.154.70 -j ACCEPT
-A INPUT -i eth0 -p udp -m multiport --dports 69,5060,10000:20000  -s 104.192.65.0/21,68.169.169.0/24,108.174.105.177,173.247.19.21,173.166.244.106,74.221.189.40,68.42.4.138,75.130.71.66,24.107.250.225,96.4.234.152 -j ACCEPT
-A INPUT -i eth0 -p udp -m multiport --dports 69,5060,10000:20000 -j DROP

#HTTP Whitelist. Add IPs and Networks as necessary
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -s 104.192.66.244 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j DROP

#Allow Access to FOP (Replace IP with whitelisted IP(s). Add as necessary)
#-A INPUT -i eth0 -p udp -m udp --dport 4445 -s 96.4.234.151 -j ACCEPT
#-A INPUT -i eth0 -p udp -m udp --dport 4445 -j DROP

#Drop Ping echo requests
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j DROP

COMMIT