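# iptables-restore ruleset: default-deny on INPUT/FORWARD/OUTPUT, everything
# below is an explicit allow-list. Rule order matters — each chain is walked
# top to bottom and the first match wins.
#
# NOTE(review): iptables-restore loads IPv4 rules only. Unless an equivalent
# ip6tables ruleset exists, IPv6 traffic to this host is not filtered by any of
# this — confirm, or disable IPv6 on the interfaces.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# ---- Baseline -------------------------------------------------------------

# Accept communication on loopback device
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Allow established connections (replies, plus RELATED flows opened by a
# conntrack helper or ICMP errors tied to an existing connection)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Drop invalid packets early, before any of the NEW allow rules
-A INPUT -m conntrack --ctstate INVALID -j DROP

# Drop broadcasted packets before the NEW allow rules. In the original file
# this rule sat after them, so a broadcast to an allowed port (e.g. UDP 64738)
# was accepted instead of dropped.
-A INPUT -m pkttype --pkt-type broadcast -j DROP

# ---- Inbound services -----------------------------------------------------

# Allow SSH connections
# NOTE(review): no brute-force throttling here; consider `-m recent`/hashlimit
# in front of this rule, or sshguard/fail2ban on the host.
-A INPUT -m conntrack --ctstate NEW -p tcp --dport 22 -j ACCEPT

# Allow ping: only echo-request, rate limited. The original accepted every
# ICMP type. The error types a host needs (destination-unreachable,
# fragmentation-needed, time-exceeded) belong to an existing flow and are
# already accepted as RELATED above.
-A INPUT -m conntrack --ctstate NEW -p icmp --icmp-type echo-request -m limit --limit 10/s --limit-burst 20 -j ACCEPT

# Allow ingoing Mumble
-A INPUT -m conntrack --ctstate NEW -p tcp --dport 64738 -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -p udp --dport 64738 -j ACCEPT

# Allow Mosh on UDP 60000
# NOTE(review): mosh-server normally picks a port from 60000-61000; a single
# port supports only one session unless the server is pinned to it — confirm.
-A INPUT -m conntrack --ctstate NEW -p udp --dport 60000 -j ACCEPT

# NOTE(review): inbound TCP 9001/9002 were undocumented in the original file;
# confirm what listens there and document it, or remove the rules.
-A INPUT -m conntrack --ctstate NEW -p tcp --dport 9001 -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -p tcp --dport 9002 -j ACCEPT

# Allow incoming Git (git:// daemon)
-A INPUT -m conntrack --ctstate NEW -p tcp --dport 9418 -j ACCEPT

# Allow incoming XMPP (c2s 5222, s2s 5269)
-A INPUT -m conntrack --ctstate NEW -p tcp --dport 5222 -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -p tcp --dport 5269 -j ACCEPT

# Allow SMTP and Submission
-A INPUT -m conntrack --ctstate NEW -p tcp --dport 25 -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -p tcp --dport 587 -j ACCEPT

# Allow incoming IMAP (IMAPS only; plain 143 is not opened)
-A INPUT -m conntrack --ctstate NEW -p tcp --dport 993 -j ACCEPT

# Allow incoming HTTP(S)
-A INPUT -m conntrack --ctstate NEW -p tcp --dport 80 -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -p tcp --dport 443 -j ACCEPT

# ---- VPN ------------------------------------------------------------------

# Allow incoming VPN (OpenVPN over TCP)
-A INPUT -m conntrack --ctstate NEW -p tcp --dport 1194 -j ACCEPT

# Allow VPN clients to query local unbound. Source and interface are both
# pinned, so a packet arriving on eth0 with a forged 10.8.0.0/24 source
# cannot match.
-A INPUT -s 10.8.0.0/24 -i tun0 -m conntrack --ctstate NEW -p tcp --dport 53 -j ACCEPT
-A INPUT -s 10.8.0.0/24 -i tun0 -m conntrack --ctstate NEW -p udp --dport 53 -j ACCEPT

# Forward VPN clients out via eth0.
# `-s 10.8.0.0/24` added: the original forwarded anything arriving on tun0
# regardless of source, so a client could inject packets with a foreign source
# address; those would also miss the source-scoped MASQUERADE rule in *nat
# and leave eth0 un-NATed. `-m state` replaced with `-m conntrack` for
# consistency with the rest of the file (same semantics).
-A FORWARD -s 10.8.0.0/24 -i tun0 -o eth0 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# ---- Outbound -------------------------------------------------------------

# Allow outgoing SSH
-A OUTPUT -m conntrack --ctstate NEW -p tcp --dport 22 -j ACCEPT

# Allow outgoing ICMP (ping); ICMP errors we send are RELATED and already allowed
-A OUTPUT -m conntrack --ctstate NEW -p icmp -j ACCEPT

# Allow outgoing DNS (TCP for truncated responses / zone data)
-A OUTPUT -m conntrack --ctstate NEW -p tcp --dport 53 -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -p udp --dport 53 -j ACCEPT

# Allow outgoing NTP
-A OUTPUT -m conntrack --ctstate NEW -p udp --dport 123 -j ACCEPT

# Allow outgoing DHCP
-A OUTPUT -m conntrack --ctstate NEW -p udp --dport 67:68 -j ACCEPT

# Allow outgoing HTTP(S)
-A OUTPUT -m conntrack --ctstate NEW -p tcp --dport 80 -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -p tcp --dport 443 -j ACCEPT

# Allow outgoing FTP (control channel only)
# NOTE(review): the data channel is only accepted as RELATED if the
# nf_conntrack_ftp helper is loaded — confirm, otherwise transfers will hang.
-A OUTPUT -m conntrack --ctstate NEW -p tcp --dport 21 -j ACCEPT

# Allow outgoing git (git:// protocol)
-A OUTPUT -m conntrack --ctstate NEW -p tcp --dport 9418 -j ACCEPT

# Allow outgoing IRC (6667 plain, 6697 TLS)
-A OUTPUT -m conntrack --ctstate NEW -p tcp --dport 6667 -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -p tcp --dport 6697 -j ACCEPT

# NOTE(review): outbound TCP 6666, 6660, 3724 and 3725 were undocumented in
# the original file; 6660/6666 look like additional IRC ports, 3724/3725 are
# unexplained — confirm what they are for and document it, or remove them.
-A OUTPUT -m conntrack --ctstate NEW -p tcp --dport 6666 -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -p tcp --dport 6660 -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -p tcp --dport 3724 -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -p tcp --dport 3725 -j ACCEPT

# Allow outgoing XMPP (c2s 5222, s2s 5269)
-A OUTPUT -m conntrack --ctstate NEW -p tcp --dport 5222 -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -p tcp --dport 5269 -j ACCEPT

# Allow outgoing SMTP and Submission
-A OUTPUT -m conntrack --ctstate NEW -p tcp --dport 25 -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -p tcp --dport 587 -j ACCEPT

# Allow outgoing communication with rspamd.com (fuzzy storage, UDP)
-A OUTPUT -m conntrack --ctstate NEW -p udp --dport 11335 -j ACCEPT

# ---- Logging for psad -----------------------------------------------------
# Log every INPUT/FORWARD packet that nothing above accepted, then fall
# through to the DROP policy. These MUST remain the last rules in their
# chains: in the original file they sat in the middle of INPUT, so every
# accepted connection to the services listed after them (9001/9002, git,
# XMPP, mail, HTTP(S), VPN, VPN-client DNS) was also logged as "unmatched",
# and FORWARD traffic was logged before the FORWARD accept rules.
# Rate-limited so the LOG target cannot be used to fill syslog/disk; raise
# the limit if psad starts missing scans.
-A INPUT -m limit --limit 10/s --limit-burst 50 -j LOG --log-prefix "iptables INPUT drop: "
-A FORWARD -m limit --limit 10/s --limit-burst 50 -j LOG --log-prefix "iptables FORWARD drop: "

# End of *filter table
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Source-NAT VPN clients onto eth0's address so forwarded traffic gets replies.
# Scoped to 10.8.0.0/24; the FORWARD rule in *filter is scoped the same way.
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

# End of *nat table
COMMIT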