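# $Id: iptables.rules,v 1.1 2004/07/12 20:03:44 mpatters Exp $
# mpatters@cs.uwaterloo.ca
#
# Host firewall for the IPv4 filter table.  Load it (atomically, replacing
# the whole table) with:  iptables-restore < /etc/iptables.rules
#
# Policy implemented below:
#  * default deny on INPUT and FORWARD; OUTPUT is left open
#  * ssh from anywhere
#  * replies to our own outbound traffic (DNS/NTP queries to ns1/ns2
#    included) come back through the RELATED,ESTABLISHED rule -- there
#    is NO per-host allow for ns1/ns2 in this file
#  * IPv4 only: this table does nothing for IPv6 traffic (ip6tables is a
#    separate table and needs its own equivalent policy)

# Just the filter rules, ma'am.
*filter

# Built-in chains: drop by default on INPUT and FORWARD.  OUTPUT is
# ACCEPT, so the OUTPUT rules further down only maintain counters;
# nothing is blocked on the way out.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# User-defined chains.  Policy "-" means a packet that reaches the end of
# the chain RETURNs to the caller.  TCPOUTPUT is declared but no rule
# below jumps to it; it is harmless but unused.
:UDPINPUT - [0:0]
:TCPINPUT - [0:0]
:TCPOUTPUT - [0:0]

# ===== INPUT =====

# Loopback first.  Anything carrying a 127/8 source or destination that
# did NOT arrive on lo is spoofed and is dropped before any later rule
# (ssh, state) can match it.
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 -j DROP
-A INPUT -d 127.0.0.0/8 -j DROP

# Replies to connections we opened, plus RELATED traffic (e.g. ICMP errors
# for those connections), are accepted before the protocol chains.
# "-m state" is the legacy spelling of "-m conntrack --ctstate"; both work.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Dispatch by protocol to keep some structure in the rules.  A user chain
# that runs off its end RETURNs here, so anything the sub-chains do not
# decide on still reaches the final DROP.
-A INPUT -p tcp -j TCPINPUT
-A INPUT -p udp -j UDPINPUT

# Rate-limited ICMP echo request so ping works but a flood is dropped
# silently (to the sender it looks like congestion).  Currently disabled,
# so all inbound ICMP is dropped except what the RELATED rule above lets
# through for our own connections.
#-A INPUT -m limit --limit 79/minute --limit-burst 4 -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Explicit drop: same effect as the chain policy, but gives a counter.
-A INPUT -j DROP

# ===== UDPINPUT ======

# High-port UDP is REJECTed (REJECT's default for UDP is
# icmp-port-unreachable) so that an inbound traceroute completes.  DNS/NTP
# replies to our own queries never get here: the state rule above already
# accepted them.  Any other UDP returns to INPUT and is dropped.
-A UDPINPUT -p udp -m udp --sport 1024:65535 --dport 1024:65535 -j REJECT

# ===== TCPINPUT ======

# ssh from anywhere.  There is no source restriction and no limit on new
# connections; brute-force protection (an allow-list of management
# networks, or "-m recent"/"-m limit" on NEW connections) is not done here.
-A TCPINPUT -p tcp -m tcp --dport 22 -j ACCEPT

# Everything else TCP is answered with a TCP RST, which is what a closed
# port normally returns, instead of REJECT's default ICMP port-unreachable.
# This is deliberately not a silent drop: a TCP scanner learns the host is
# up, unlike the ICMP / other-protocol path that ends in INPUT's DROP.
-A TCPINPUT -p tcp -j REJECT --reject-with tcp-reset

# ===== OUTPUT =====

# The OUTPUT policy is ACCEPT, so these two rules only count packets;
# conntrack tracks our outbound connections whether or not they exist.
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow local packets
-A OUTPUT -o lo -j ACCEPT

# The three rules below were an attempt at a custom reject chain.  They
# stay disabled because no ":REJECT - [0:0]" chain is declared above, so
# iptables-restore fails on them ("No chain/target/match by that name"),
# and a user chain named after the REJECT target is confusing at best.
# The tcp-reset they wanted for TCP is applied directly in TCPINPUT; UDP
# already gets icmp-port-unreachable as REJECT's default.
#-A REJECT -p tcp -j REJECT --reject-with tcp-reset
#-A REJECT -p udp -j REJECT --reject-with icmp-port-unreachable
#-A REJECT -j REJECT --reject-with icmp-host-unreachable

COMMIT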