*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Accept communication on loopback device
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Allow established connections
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow SSH connections
-A INPUT -m conntrack --ctstate NEW -p tcp --dport 22 -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -p tcp --dport 22 -j ACCEPT

# Allow ping
-A INPUT -m conntrack --ctstate NEW -p icmp -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -p icmp -j ACCEPT

# Allow outgoing DNS
-A OUTPUT -m conntrack --ctstate NEW -p tcp --dport 53 -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -p udp --dport 53 -j ACCEPT

# Allow outgoing NTP
-A OUTPUT -m conntrack --ctstate NEW -p udp --dport 123 -j ACCEPT

# Allow outgoing DHCP
-A OUTPUT -m conntrack --ctstate NEW -p udp --dport 67:68 -j ACCEPT

# Allow outgoing HTTP(S)
-A OUTPUT -m conntrack --ctstate NEW -p tcp --dport 80 -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -p tcp --dport 443 -j ACCEPT

# Allow outgoing FTP
-A OUTPUT -m conntrack --ctstate NEW --protocol tcp --dport 21 -j ACCEPT

# Allow outgoing git
-A OUTPUT -m conntrack --ctstate NEW --protocol tcp --dport 9418 -j ACCEPT

# Allow ingoing Mumble
-A INPUT -m conntrack --ctstate NEW --protocol tcp --dport 64738 -j ACCEPT
-A INPUT -m conntrack --ctstate NEW --protocol udp --dport 64738 -j ACCEPT

# Allow Mosh on UDP 60000
-A INPUT -m conntrack --ctstate NEW --protocol udp --dport 60000 -j ACCEPT

# Drop broadcasted packets
-A INPUT -m pkttype --pkt-type broadcast -j DROP

# Drop invalid packets
-A INPUT -m conntrack --ctstate INVALID -j DROP

# Logging for psad
# Log every unmatched input/forward packet for psad
-A INPUT -j LOG
-A FORWARD -j LOG
# Allow outgoing IRC
-A OUTPUT -m conntrack --ctstate NEW -p tcp --dport 6667 -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -p tcp --dport 6697 -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -p tcp --dport 6666 -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -p tcp --dport 6660 -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -p tcp --dport 3724 -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -p tcp --dport 3725 -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -p tcp --dport 9001 -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -p tcp --dport 9002 -j ACCEPT
# Allow incoming Git
-A INPUT -m conntrack --ctstate NEW -p tcp --dport 9418 -j ACCEPT
# Allow incoming XMPP + outgoing s2s xmpp
-A INPUT -m conntrack --ctstate NEW -p tcp --dport 5222 -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -p tcp --dport 5269 -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -p tcp --dport 5222 -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -p tcp --dport 5269 -j ACCEPT
# Allow SMTP and Submission
-A INPUT -m conntrack --ctstate NEW -p tcp --dport 25 -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -p tcp --dport 25 -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -p tcp --dport 587 -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -p tcp --dport 587 -j ACCEPT
# Allow incoming IMAP
-A INPUT -m conntrack --ctstate NEW -p tcp --dport 993 -j ACCEPT
# Allow outgoing communication with rspamd.com
-A OUTPUT -m conntrack --ctstate NEW -p udp --dport 11335 -j ACCEPT
# Allow incoming HTTP(S)
-A INPUT -m conntrack --ctstate NEW -p tcp --dport 80 -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -p tcp --dport 443 -j ACCEPT
# VPN rules
# Allow incoming VPN
-A INPUT -m conntrack --ctstate NEW -p tcp --dport 1194 -j ACCEPT
# Allow VPN clients to query local unbound
-A INPUT -s 10.8.0.0/24 -i tun0 -m conntrack --ctstate NEW -p tcp --dport 53 -j ACCEPT
-A INPUT -s 10.8.0.0/24 -i tun0 -m conntrack --ctstate NEW -p udp --dport 53 -j ACCEPT
-A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i tun0 -o eth0 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -o tun0 -i eth0 -j ACCEPT
# End of *filter table
COMMIT

# Allow forward for VPN clients
*nat
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# End of *nat table
COMMIT