*filter
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m multiport --sports 80,443 -m state --state ESTABLISHED -j ACCEPT
# THE dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE 642/25042
-A INPUT -p tcp --dport 642 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 642 -m state --state ESTABLISHED -j ACCEPT
# Allow outbound DNS
-A OUTPUT -p udp -s EX_IP --sport 1024:65535 -d 199.195.255.68 --dport 53 -j ACCEPT
-A INPUT -p udp -s 199.195.255.68 --sport 53 -d EX_IP --dport 1024:65535 -j ACCEPT
-A OUTPUT -p tcp -s EX_IP --sport 1024:65535 -d 199.195.255.69 --dport 53 -j ACCEPT
-A INPUT -p tcp -s 199.195.255.69 --sport 53 -d EX_IP --dport 1024:65535 -j ACCEPT
# Help prevent DoS Attacks
-A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
# Kill SYN attacks
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Drop fragments
-A INPUT -f -j DROP
# Drop XMAS packets
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Drop NULL packets
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Log iptables denied calls (access via 'dmesg' command)
# Logging CHAIN
-N LOGGING
-A INPUT -j LOGGING
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTABLES Dropped: " --log-level 6
-A LOGGING -j DROP
COMMIT