@davidlonjon
Last active August 29, 2015 14:03
web server - iptables firewall rules
*filter
# Base policy: drop everything inbound by default, allow all outbound traffic, never forward
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Accept packets that belong to, or are related to, a connection conntrack already knows about
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "allow already established connections"
# Allow all loopback (lo) traffic, and reject 127/8 packets that arrive on any other interface (spoofed loopback)
-A INPUT -i lo -j ACCEPT -m comment --comment "allow all loopback (lo) traffic"
# The second rule must be written "! -i lo": with "-i lo" it sits behind the ACCEPT above and can never match
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT -m comment --comment "reject 127/8 traffic that did not arrive on lo"
# Allow new SSH connections. "eth0" must be the real public interface name: on systems with
# predictable interface names (ens3, enp0s3, ...) a wrong name here drops SSH and locks you out
-A INPUT -i eth0 -p tcp -m tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT -m comment --comment "allow SSH: ssh"
# Allow HTTP from anywhere (the normal port for websites)
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT -m comment --comment "allow HTTP (apache/nginx/lighttpd)"
# Allow HTTPS from anywhere; remove this rule if the server does not serve TLS
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT -m comment --comment "allow HTTPS (apache/nginx/lighttpd)"
# MariaDB/MySQL: localhost-only access needs no rule here. Connections from 127.0.0.1 arrive on lo
# and are accepted by the loopback rule above; port 3306 on eth0 falls through to the INPUT DROP
# policy. (The original rule matched "-i eth0" together with "-s/-d 127.0.0.1", a combination that
# never occurs, so it was dead.) Enforce the same restriction in the server with bind-address=127.0.0.1
# Allow ICMP. Echo-reply (0), destination-unreachable (3) and time-exceeded (11) are normally already
# admitted as ESTABLISHED/RELATED by the conntrack rule above; the explicit rules make the intent visible
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT -m comment --comment "allow ICMP: echo-reply"
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT -m comment --comment "allow ICMP: echo-request (ping)"
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT -m comment --comment "allow ICMP: destination-unreachable"
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT -m comment --comment "allow ICMP: source-quench (deprecated by RFC 6633; this rule can be dropped)"
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT -m comment --comment "allow ICMP: time-exceeded"
# Allow mosh
-A INPUT -i eth0 -p udp -m multiport --dports 60000:61000 -j ACCEPT -m comment --comment "allow mosh"
# Log, at most 5 lines a minute, whatever is about to fall through to the INPUT DROP policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
COMMIT
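A small static checker for rulesets in this iptables-restore format, added here as an example and not part of the gist: it parses the `-A` lines, strips the `-m comment` text so rules can be compared, and flags the three defects the published ruleset had (a 127/8 match on eth0 that can never fire, the anti-spoof rule written with `-i lo` instead of `! -i lo` and placed behind the loopback ACCEPT, and the duplicated echo-request rule). The two rule subsets embedded in it are constructed from the gist; the check set and the function names are my own choices, not an iptables facility.

```python
"""Static sanity checks for an iptables-restore ruleset (added example, not
code from the gist). The checks are chosen to show the mistakes in the
original ruleset; they are not a complete iptables linter."""
import ipaddress
import shlex

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Constructed input: the gist's problematic INPUT rules as originally published.
ORIGINAL_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "allow already established connections"
-A INPUT -i lo -j ACCEPT -m comment --comment "allows all loopback (lo0) traffic "
-A INPUT -i lo -d 127.0.0.0/8 -j REJECT -m comment --comment "drop all traffic to 127/8 that doesn't use lo0"
-A INPUT -i eth0 -p tcp -m tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT -m comment --comment "allow SSH: ssh"
-A INPUT -i eth0 -p tcp -m tcp --dport 3306 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT -m comment --comment "allow MariaDB/MySQL from localhost: mysql"
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT -m comment --comment "allow ICMP: echo-reply"
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT -m comment --comment "allow ICMP: echo-request"
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT -m comment --comment "allow ping"
COMMIT
"""

# Constructed input: the same rules with the fixes applied; should lint clean.
FIXED_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -i eth0 -p tcp -m tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT
"""


def parse_rule(line):
    """Split one '-A CHAIN ...' line into (chain, matches, target). matches is a
    sorted tuple of (option, value, negated) with '-m comment' and its text dropped,
    so rules differing only in their comment compare equal. Assumes that option
    values never start with '-' (true of iptables-save output)."""
    toks = shlex.split(line)
    chain, target, matches, negate = None, None, [], False
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok == "!":                      # negates the option that follows
            negate, i = True, i + 1
            continue
        has_value = i + 1 < len(toks) and not toks[i + 1].startswith("-")
        value = toks[i + 1] if has_value else ""
        if tok == "-A":
            chain = value
        elif tok == "-j":
            target = value
        elif tok == "--comment" or (tok == "-m" and value == "comment"):
            pass                            # documentation only, never matches
        else:
            matches.append((tok, value, negate))
        negate = False
        i += 2 if has_value else 1
    return chain, tuple(sorted(matches)), target


def is_loopback(addr):
    """True when an -s/-d value lies inside 127.0.0.0/8 (None or a hostname: False)."""
    if addr is None:
        return False
    try:
        return ipaddress.ip_network(addr, strict=False).subnet_of(LOOPBACK)
    except (ValueError, TypeError):         # hostname, or an IPv6 address
        return False


def lint(text):
    """Return [(line_number, message), ...] for suspicious '-A' rules in text."""
    findings, seen, lo_catch_all = [], {}, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("-A "):
            continue
        chain, matches, target = parse_rule(line)
        opts = {(opt, neg): val for opt, val, neg in matches}
        iface = opts.get(("-i", False))
        src, dst = opts.get(("-s", False)), opts.get(("-d", False))
        # 1. 127/8 packets only ever arrive on lo; elsewhere the match is dead.
        if iface and iface != "lo" and (is_loopback(src) or is_loopback(dst)):
            findings.append((lineno, f"127/8 traffic never arrives on {iface}; rule can never match"))
        # 2. An anti-spoofing deny for 127/8 must be written '! -i lo'.
        if is_loopback(dst) and target in ("DROP", "REJECT") and ("-i", True) not in opts:
            findings.append((lineno, "anti-spoofing rule for 127/8 should use '! -i lo'"))
        # 3. Any '-i lo' rule placed after the unconditional lo ACCEPT is shadowed.
        if chain == "INPUT" and iface == "lo" and lo_catch_all:
            findings.append((lineno, "shadowed by the earlier unconditional '-i lo -j ACCEPT'"))
        if chain == "INPUT" and target == "ACCEPT" and matches == (("-i", "lo", False),):
            lo_catch_all = True
        # 4. Same chain, same matches (comments ignored), same target: duplicate.
        key = (chain, matches, target)
        if key in seen:
            findings.append((lineno, f"duplicate of line {seen[key]}"))
        else:
            seen[key] = lineno
    return findings
```

Run it with `python3 -c 'import lint_rules; print(lint_rules.lint(lint_rules.ORIGINAL_RULES))'` (any module name will do) and it reports lines 5, 5, 7 and 10 of ORIGINAL_RULES; FIXED_RULES produces no findings. Because comparison happens on the parsed match set rather than the raw text, the duplicate check still catches the two echo-request rules even though their comments differ.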