DeadAlready/ip4

## ip4
*filter

# Default policy is to drop all traffic
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP

# Allow all loopback traffic
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Allow ping.
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT

# Allow incoming SSH, HTTP and HTTPS traffic
-A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT

# Allow inbound traffic from established connections.
# This includes ICMP error returns.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log what was incoming but denied (optional but useful).
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7

# Allow outgoing SSH, HTTP and HTTPS traffic
# This is useful because we won't be able to download and install
# NPM packages otherwise and use git over SSH
-A OUTPUT -o eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT

# Allow dns lookup
-A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
-A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

# Set rate limits for DOS attack prevention (optional)
# The rates here greatly depend on your application
-A INPUT -p tcp -m multiport --dports 80,443 -m limit --limit 250/minute --limit-burst 1000 -j ACCEPT

# Log any traffic which was sent to you
# for forwarding (optional but useful).
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 7

COMMIT
	*filter

	# Default policy is to drop all traffic
	-P INPUT DROP
	-P FORWARD DROP
	-P OUTPUT DROP

	# Allow all loopback traffic
	-A INPUT -i lo -j ACCEPT
	-A OUTPUT -o lo -j ACCEPT

	# Allow ping.
	-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT

	# Allow incoming SSH, HTTP and HTTPS traffic
	-A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
	-A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT

	# Allow inbound traffic from established connections.
	# This includes ICMP error returns.
	-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

	# Log what was incoming but denied (optional but useful).
	-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7

	# Allow outgoing SSH, HTTP and HTTPS traffic
	# This is useful because we won't be able to download and install
	# NPM packages otherwise and use git over SSH
	-A OUTPUT -o eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
	-A INPUT -i eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT

	# Allow dns lookup
	-A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
	-A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

	# Set rate limits for DOS attack prevention (optional)
	# The rates here greatly depend on your application
	-A INPUT -p tcp -m multiport --dports 80,443 -m limit --limit 250/minute --limit-burst 1000 -j ACCEPT

	# Log any traffic which was sent to you
	# for forwarding (optional but useful).
	-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 7

	COMMIT