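# iptables-restore ruleset: masquerading for the 10.100.10.0/24 (OpenVPN)
# subnet plus a default-deny INPUT/FORWARD filter. iptables-restore replaces
# the existing tables when it loads this file (hence "clear the tables").
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# masquerade VPN-subnet traffic leaving on eth0
-A POSTROUTING -o eth0 -s 10.100.10.0/24 -j MASQUERADE
COMMIT

*filter
# default-deny for inbound and forwarded traffic; outbound is open by policy
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]

# 20120331 Roey Katz

# accept inbound traffic from localhost
-A INPUT -i lo -j ACCEPT

# accept inbound traffic from established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# drop any non-standard TCP packets: a new connection must start with a pure
# SYN (packets of already-tracked connections were accepted above)
-A INPUT -m tcp -p tcp ! --tcp-flags SYN,RST,ACK,FIN SYN -j DROP

# allow SSH
-A INPUT -p tcp --dport 22 -j ACCEPT

# allow sending out on IRC
# NOTE: the OUTPUT policy is ACCEPT, so this rule only keeps counters for
# these ports; it does not restrict any other outbound traffic.
-A OUTPUT -p tcp -m multiport --dports 54000:54019 -j ACCEPT

# Allow Yahoo Chat
# -A INPUT -p tcp --dport 5050 -j ACCEPT

# Allow OpenVPN
-A INPUT -p tcp --dport 1194 -j ACCEPT
-A INPUT -p udp --dport 1194 -j ACCEPT

# Forward VPN client traffic. Without these rules the FORWARD DROP policy
# discards every packet the nat table is meant to masquerade, so VPN clients
# cannot reach anything beyond this host. Only the VPN subnet going out on
# eth0, and replies belonging to those connections, are let through. The
# kernel must also have IP forwarding enabled (a sysctl outside this file).
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.100.10.0/24 -o eth0 -j ACCEPT

# temporary workaround for places that don't let me SSH into my box:
## -A INPUT -p tcp --dport 443 -j ACCEPT

# enable natting for the openvpn server
# (done in the *nat table above; "-t nat" is not valid inside a restore file,
# which is why this line stays commented out)
#-A POSTROUTING -t nat -s 10.100.10.0/24 -o eth0 -j MASQUERADE
COMMIT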