@xudshen
Last active August 29, 2015 14:07
iptables
*filter
# Allow all loopback (lo) traffic and reject any traffic addressed to 127/8 that does not arrive on lo
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
# Allow packets belonging to established or related connections, in both directions
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# HTTP / HTTPS
# Rate-limit new inbound HTTP connections. This rule was originally placed after the
# unconditional port-80/443 ACCEPT below, where it could never match a legitimate packet
# (first match wins). It now runs first, counts only SYNs, and the excess is dropped by the
# rule that follows instead of falling through to the ACCEPT. 25/minute with a burst of 100
# is tight for a public web server; tune it to real traffic.
-A INPUT -p tcp --dport 80 --syn -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
-A INPUT -p tcp --dport 80 --syn -j DROP
-A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
# SSH (sshd listens on 12345 instead of 22)
-A INPUT -p tcp --dport 12345 -m state --state NEW,ESTABLISHED -j ACCEPT
# SSH replies. This must stay ESTABLISHED only: the rule matches on the source port alone, so
# allowing NEW here would let any local process that binds port 12345 open outbound
# connections. (Already covered by the ESTABLISHED,RELATED rule above; kept for readability.)
-A OUTPUT -p tcp --sport 12345 -m state --state ESTABLISHED -j ACCEPT
# DNS. No INPUT rule is needed: conntrack tracks UDP as well, so the reply to our query comes
# back as ESTABLISHED and is accepted by the rule above.
#-A INPUT -p udp --dport 53 -j ACCEPT
# Only UDP is allowed out; a truncated response that retries over TCP will be dropped by the
# final OUTPUT rule unless a matching tcp/53 rule is added.
-A OUTPUT -p udp --dport 53 -j ACCEPT
# PING, outbound only: this host can ping, nobody can ping it
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Log whatever falls through, rate-limited so a flood cannot fill the log. Level 7 is
# "debug"; make sure the syslog configuration actually records it.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Default deny: drop everything not explicitly allowed above, in all three chains. This is
# done with terminal rules rather than chain policies (there is no ":INPUT DROP" line), so
# flushing the rules leaves the built-in chains at their ACCEPT policy.
-A INPUT -j DROP
-A OUTPUT -j DROP
-A FORWARD -j DROP
COMMIT
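The ordering problem with the port-80 rate limit is easy to miss by reading, because iptables walks a chain top to bottom and stops at the first terminating match. The script below is an added example, not code from the gist: a small tracer that parses the subset of iptables-restore syntax used in this file and reports which rule a constructed packet would hit. It embeds an excerpt of the INPUT chain as the gist originally published it (rate limit after the HTTP/HTTPS ACCEPT) next to a reordered variant. Assumptions: `-m limit` is treated as always matching (the packet is within the burst), LOG is treated as non-terminating, and the sample packet, interface and address are made up.

```python
"""First-match-wins tracer for an iptables-restore ruleset (added example, not gist code).

Handles the matches used on this page: -p, -i/-o, -d, --dport/--dports, --sport,
-m state --state, --icmp-type, --syn and -j. Assumption: `-m limit` always matches
(packet within the burst); LOG matches but does not terminate the walk.
"""
import ipaddress
import shlex


def parse_rules(text):
    """Turn `-A CHAIN ...` lines into dicts; comments, *table, :policy and COMMIT are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#*:" or line == "COMMIT":
            continue
        toks = shlex.split(line)          # shlex keeps "--log-prefix \"...\"" as one token
        rule = {"line": line}
        i = 0
        while i < len(toks):
            opt = toks[i]
            arg = toks[i + 1] if i + 1 < len(toks) else None
            if opt == "--syn":            # flag without an argument
                rule["syn"] = True
                i += 1
                continue
            if opt == "-A":
                rule["chain"] = arg
            elif opt == "-p":
                rule["proto"] = arg
            elif opt == "-i":
                rule["iif"] = arg
            elif opt == "-o":
                rule["oif"] = arg
            elif opt == "-d":
                rule["dst"] = ipaddress.ip_network(arg, strict=False)
            elif opt in ("--dport", "--dports"):
                rule["dports"] = {int(p) for p in arg.split(",")}
            elif opt == "--sport":
                rule["sports"] = {int(p) for p in arg.split(",")}
            elif opt == "--state":
                rule["states"] = set(arg.split(","))
            elif opt == "--icmp-type":
                rule["icmp_type"] = arg
            elif opt == "-j":
                rule["target"] = arg
            # -m, --limit, --limit-burst, --log-prefix, --log-level: one argument each, ignored
            i += 2
        rules.append(rule)
    return rules


def matches(rule, pkt):
    """True if every constraint the rule carries is satisfied by the packet."""
    if rule["chain"] != pkt["chain"]:
        return False
    for key in ("proto", "iif", "oif", "icmp_type"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    if "dst" in rule and ("dst" not in pkt or ipaddress.ip_address(pkt["dst"]) not in rule["dst"]):
        return False
    if "dports" in rule and pkt.get("dport") not in rule["dports"]:
        return False
    if "sports" in rule and pkt.get("sport") not in rule["sports"]:
        return False
    if "states" in rule and pkt.get("state") not in rule["states"]:
        return False
    if rule.get("syn") and not pkt.get("syn"):
        return False
    return True


def first_match(rules, pkt):
    """First terminating rule the packet hits, or None if it would fall to the chain policy."""
    for rule in rules:
        if matches(rule, pkt) and rule["target"] != "LOG":
            return rule
    return None


def trace(ruleset_text, pkt):
    return first_match(parse_rules(ruleset_text), pkt)


# INPUT chain as the gist originally published it (constructed excerpt; OUTPUT/FORWARD omitted).
ORIGINAL = """
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 12345 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
"""

# Same chain with the limit ahead of the ACCEPT, counting SYNs only, and the excess dropped.
REORDERED = ORIGINAL.replace(
    "-A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT\n", ""
).replace(
    "-A INPUT -p tcp -m multiport",
    "-A INPUT -p tcp --dport 80 --syn -m limit --limit 25/minute --limit-burst 100 -j ACCEPT\n"
    "-A INPUT -p tcp --dport 80 --syn -j DROP\n"
    "-A INPUT -p tcp -m multiport",
)

# Constructed sample packet: a fresh TCP SYN from the Internet to port 80.
HTTP_SYN = {"chain": "INPUT", "iif": "eth0", "proto": "tcp", "dst": "203.0.113.10",
            "dport": 80, "state": "NEW", "syn": True}

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("reordered", REORDERED)):
        hit = trace(text, HTTP_SYN)
        print(f"{name:9}: {hit['target']} via {hit['line']}")
```

In the original ordering the SYN is accepted by the multiport rule and the limit rule is never consulted; in the reordered chain it is the limit rule that accepts (or, past the burst, the SYN-only DROP that rejects). The tracer also shows the residual gap in the reordered variant: a NEW packet to port 80 that is not a SYN skips both `--syn` rules and still reaches the multiport ACCEPT, which is why hardened rulesets usually drop NEW non-SYN TCP packets outright.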