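# iptables-restore ruleset for the "filter" table.
#
# Policy summary:
#   INPUT   DROP   - nothing in unless a rule below accepts it
#   FORWARD DROP   - this host does not route between interfaces
#   OUTPUT  ACCEPT - outbound traffic is unrestricted; an egress allow-list
#                    is a further hardening step if the host's role is known
#
# Changes versus the previous revision of this file:
#   * `-m state` replaced by the equivalent, current `-m conntrack --ctstate`
#     (the state match is a legacy alias for the same conntrack lookup).
#   * Packets that conntrack classifies as INVALID (malformed, or not
#     belonging to any tracked flow) are dropped before any ACCEPT rule.
#   * Inbound echo-request is rate limited so ping floods cannot consume
#     CPU on the host; diagnostics still work at normal rates.
#   * The unconditional echo-reply ACCEPT was removed: replies to pings sent
#     from this host are matched as ESTABLISHED by the first rule, so the
#     old rule only added acceptance of unsolicited echo-replies.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# ============================================================
# Stateful connection tracking
# ============================================================
# Drop what conntrack cannot attribute to a flow (bad TCP flags, out-of-window
# segments, etc.) before anything is accepted.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Allow established and related connections (return traffic, ICMP errors
# tied to a tracked flow, and echo-replies to pings this host sent)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# ============================================================
# Loopback interface - always allow
# ============================================================
-A INPUT -i lo -j ACCEPT

# ============================================================
# Trusted networks - customize for your environment
# ============================================================
# Example: Allow from specific interface (VPN, etc.)
# -A INPUT -i tun0 -j ACCEPT
# Example: Allow from local network
# -A INPUT -s 192.168.1.0/24 -j ACCEPT

# ============================================================
# ICMP - allow ping for diagnostics, rate limited
# ============================================================
# Average 5 echo-requests per second with a burst of 10; anything above that
# falls through to the default DROP at the end of the chain.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT

# ============================================================
# Default deny - drop everything not explicitly allowed
# ============================================================
# Redundant with the chain policy, but an explicit terminal rule keeps the
# drop counters visible in `iptables -L -v` and survives a policy change.
-A INPUT -j DROP
COMMIT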