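# ---------------------------------------------------------------------------
# iptables-restore ruleset (IPv4 only).
#
# Host firewall for a machine whose public interface is eth1:
#   * INPUT   : default-deny. Loopback, conntrack-tracked replies and a short
#               list of TCP/ICMP services on eth1 are accepted; everything
#               else hits an unconditional REJECT at the end of the chain.
#   * FORWARD : no active rules, policy ACCEPT (see NOTE in that section).
#   * OUTPUT  : no active rules, policy ACCEPT (no egress filtering).
#   * nat     : empty; the squid DNAT/SNAT rules are kept commented.
#
# Changes in this revision:
#   * "-m state --state" replaced by the equivalent, non-deprecated
#     "-m conntrack --ctstate" everywhere (same match, newer module).
#   * INPUT policy is now DROP. The chain ends in an unconditional REJECT, so
#     no packet ever reaches the policy and behaviour is unchanged; the DROP
#     policy only matters if that final rule is ever deleted or fails to load,
#     in which case the host no longer falls open.
#   * An early "ctstate INVALID -> DROP" was added to INPUT so malformed or
#     out-of-window packets are discarded silently instead of being answered
#     with an ICMP reject (which would make this host respond to spoofed
#     traffic).
#   * Redundant "-s 0/0" matches removed; comment typos fixed.
#
# NOTE(review): this file says nothing about IPv6. If the host has a global
# IPv6 address, an equivalent ip6tables ruleset is needed — otherwise every
# listening service is reachable over v6 regardless of what is below.
# ---------------------------------------------------------------------------

#
# filter table
#
*filter

#
# default policies
#
:INPUT DROP [0:0]
# NOTE(review): FORWARD has no active rules, so this policy decides everything
# that transits the box. That is harmless while net.ipv4.ip_forward=0, but if
# forwarding is ever enabled (e.g. for the commented squid DNAT in the nat
# table) the host becomes an open router. Use ":FORWARD DROP" plus explicit
# FORWARD rules if forwarding is actually intended.
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

#
# user-defined chains
#
:bad_tcp_packets - [0:0]
:allow - [0:0]
:tcp_rules - [0:0]
:udp_rules - [0:0]
:icmp_rules - [0:0]

#
# bad_tcp_packets chain: sanity checks for TCP packets conntrack considers NEW
#
# A NEW flow whose first packet carries SYN+ACK is a reply to a SYN this host
# never sent (spoofed or scan traffic). Answer with RST so the remote stack
# tears down its half-open state instead of retransmitting.
-A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
# Any other NEW TCP packet without SYN (bare ACK/FIN/RST probes, stealth
# scans, leftovers after a conntrack flush) is dropped silently.
-A bad_tcp_packets -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

#
# allow chain: accept one TCP service — the connection open (SYN) plus any
# tracked follow-up segments; anything else for that port is dropped.
#
-A allow -p tcp --syn -j ACCEPT
-A allow -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A allow -p tcp -j DROP

#
# tcp rules: services reachable from the public interface (eth1)
#
# NOTE(review): all four services are open to any source address. A
# non-standard port is obscurity, not access control: consider restricting
# ssh (58422) to management networks and/or rate-limiting NEW connections.
# If squid on 58423 is configured as a forward proxy, a world-reachable
# listener is an open proxy — limit -s to the client networks it serves.
# http
-A tcp_rules -i eth1 -p tcp --dport 80 -j allow
# https
-A tcp_rules -i eth1 -p tcp --dport 443 -j allow
# ssh (non-standard port)
-A tcp_rules -i eth1 -p tcp --dport 58422 -j allow
# squid
-A tcp_rules -i eth1 -p tcp --dport 58423 -j allow

#
# udp rules
#
# Inbound DNS is only needed if this host *serves* DNS; replies to its own
# outbound queries are already accepted as ESTABLISHED in INPUT.
#-A udp_rules -p udp --dport 53 -j ACCEPT

#
# icmp rules
#
# echo-request: allow ping. NOTE(review): unthrottled — add "-m limit" if
# ping floods from the public side are a concern.
-A icmp_rules -p icmp --icmp-type 8 -j ACCEPT
# time-exceeded: lets traceroute-style responses through. ICMP errors tied to
# this host's own flows (e.g. destination-unreachable / fragmentation-needed)
# are already accepted as RELATED in INPUT.
-A icmp_rules -p icmp --icmp-type 11 -j ACCEPT

#
# INPUT chain
#
# loopback
-A INPUT -i lo -j ACCEPT
# replies and related traffic for connections this host already knows about
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# packets conntrack cannot classify (bad checksums, out-of-window segments,
# stray ICMP errors): drop silently rather than answer with the final REJECT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# TCP sanity checks
-A INPUT -p tcp -j bad_tcp_packets
# rules for special networks (disabled)
#-A INPUT -p all -i eth0 -s 10.241.219.0/24 -j ACCEPT
#-A INPUT -p all -i lo -s 127.0.0.1 -j ACCEPT
#-A INPUT -p all -i lo -s 10.241.219.48 -j ACCEPT
#-A INPUT -p all -i lo -s 42.121.194.229 -j ACCEPT
# dhcp (disabled). As written (sport 68 -> dport 67) this matches requests
# arriving at a DHCP *server*; a DHCP *client* receiving offers/acks would
# need "--sport 67 --dport 68" instead. Confirm which role eth0 plays before
# enabling it.
#-A INPUT -p udp -i eth0 --dport 67 --sport 68 -j ACCEPT
# per-protocol dispatch for traffic arriving on the public interface
-A INPUT -p tcp -i eth1 -j tcp_rules
-A INPUT -p udp -i eth1 -j udp_rules
-A INPUT -p icmp -i eth1 -j icmp_rules
# everything else is refused. This rule is unconditional, so the chain
# policy above is never consulted while it is present.
-A INPUT -j REJECT --reject-with icmp-net-prohibited

#
# FORWARD chain
#
# No active rules; see the NOTE next to the FORWARD policy above.
#-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#-A FORWARD -p tcp -j bad_tcp_packets
# reject all
#-A FORWARD -j DROP

#
# OUTPUT chain
#
# No egress filtering: policy ACCEPT and every rule below is disabled.
#-A OUTPUT -p tcp -j bad_tcp_packets
# special output rules
#-A OUTPUT -p all -s 127.0.0.1 -j ACCEPT
#-A OUTPUT -p all -s 10.241.219.48 -j ACCEPT
#-A OUTPUT -p all -s 42.121.194.229 -j ACCEPT
# reject all
#-A OUTPUT -j DROP
COMMIT

#
# nat table
#
*nat

#
# default policies
#
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# squid rules (disabled). The PREROUTING DNAT below hands the public squid
# port to 192.200.200.2; that only works with net.ipv4.ip_forward=1 and
# matching FORWARD rules in the filter table — see the FORWARD note there
# before enabling any of these.
#-A OUTPUT -p tcp --sport 58423 -m owner --uid-owner squid -j ACCEPT
#-A PREROUTING -p tcp --dport 58423 -j DNAT --to-destination 192.200.200.2:58423
#-A POSTROUTING -p tcp --dport 80 -m owner --uid-owner squid -j SNAT --to-source 192.200.200.2
COMMIT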