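# rules.v4 template
#
# IPv4 host firewall, loaded with `iptables-restore < rules.v4`.
# INPUT and FORWARD are default-deny (chain policy DROP); OUTPUT is open.
# Chain counters are written as [0:0] so the template does not carry stale
# packet/byte counts from the host it was originally saved on (iptables-restore
# ignores them anyway unless invoked with --counters).

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# TODO local nat
COMMIT

*filter
:INPUT DROP [0:0]
# Default-deny in the chain policy as well as in the trailing rule: the original
# template relied on `-A FORWARD -j DROP` under an ACCEPT policy, so a flushed or
# partially loaded chain would silently forward everything. With a DROP policy
# the same single rule is still the only one in the chain, so behaviour today is
# unchanged but the chain fails closed.
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# accept replies to connections this host opened, plus RELATED traffic
# (e.g. ICMP errors for a tracked flow). `-m state` is only a deprecated alias
# of the conntrack match, so conntrack is used consistently in this file.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# allow loopback; reject anything addressed to 127/8 that did not arrive on lo
# (loopback-address spoofing from a real interface)
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# drop packets with invalid headers, checksums, flags, out-of-window sequence, etc
-A INPUT -m conntrack --ctstate INVALID -j DROP

# accept new ICMP echo requests (ping); the echo reply is handled by the
# RELATED,ESTABLISHED rule above. Not rate-limited here -- add `-m limit` if
# this host is exposed to untrusted networks.
-A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

# TODO local nat
# TODO local services
# Uncomment only the services this host actually exposes. The protocols below
# are the ones the services really use: DNS answers over both UDP and TCP; NTP
# and DHCP are UDP only (the original template listed them as TCP, which would
# never match a real NTP/DHCP packet). `-m comment` is placed before `-j` so
# the rules read in conventional match-then-target order.
#-A INPUT -p tcp -m tcp --dport 22 -m comment --comment "allow ssh" -j ACCEPT
#-A INPUT -p udp -m udp --dport 53 -m comment --comment "allow dns (udp)" -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 53 -m comment --comment "allow dns (tcp)" -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 80 -m comment --comment "allow http" -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 443 -m comment --comment "allow https" -j ACCEPT
#-A INPUT -p udp -m udp --dport 123 -m comment --comment "allow ntp" -j ACCEPT
# DHCP offers/acks are commonly sent to the broadcast address and are then not
# matched as ESTABLISHED by conntrack, so a DHCP client needs this explicit
# accept (server port 67 -> client port 68).
#-A INPUT -p udp -m udp --sport 67 --dport 68 -m comment --comment "allow dhcp" -j ACCEPT

# log what is about to be refused, rate-limited so a port scan cannot flood the
# log; --log-level 7 is "debug"
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# refuse closed ports explicitly rather than timing out: TCP gets a RST, UDP gets
# ICMP port-unreachable, any other protocol gets ICMP protocol-unreachable
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable

# Nothing reaches this rule (the unconditional REJECT above terminates every
# remaining packet). It is kept only so the chain still ends in DROP should the
# catch-all REJECT be edited out; the chain policy is DROP as well.
-A INPUT -j DROP

# TODO depends on local nat
-A FORWARD -j DROP
COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT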