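*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# ============================================================
# Host firewall (IPv4 only) - load with: iptables-restore < this-file
# ============================================================
# NOTE: this file configures iptables (IPv4) only. ip6tables keeps a
# separate ruleset; with nothing loaded there, an IPv6-enabled host
# accepts everything over IPv6. Apply an equivalent ip6tables ruleset
# (which must also allow ICMPv6 neighbour discovery) or disable IPv6.
#
# OUTPUT is ACCEPT, so egress is not filtered. FORWARD is DROP, so this
# host does not route between interfaces; change the FORWARD policy and
# add explicit FORWARD rules only if it is meant to act as a router.

# ============================================================
# Stateful connection tracking
# ============================================================

# Return traffic for connections this host already has, plus RELATED
# traffic (ICMP errors for existing flows, helper-tracked data channels).
# First rule so the common case is matched with a single lookup.
# "-m conntrack --ctstate" is the current form of the older "-m state".
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Packets conntrack cannot classify (malformed, out-of-window, stray
# ACKs). Dropping them here keeps them away from the per-service
# ACCEPT rules below, which only look at protocol and port.
-A INPUT -m conntrack --ctstate INVALID -j DROP

# ============================================================
# Loopback interface - always allow
# ============================================================

-A INPUT -i lo -j ACCEPT

# Anti-spoofing: loopback addresses must never arrive on a non-loopback
# interface. Kept above the trusted-network rules so an interface-wide
# ACCEPT (e.g. the tun0 example) cannot admit a spoofed 127/8 source.
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP

# ============================================================
# Trusted networks - customize for your environment
# ============================================================

# Example: Allow from specific interface (VPN, etc.)
# This accepts EVERY port from that interface; prefer per-port rules
# (see the services section) unless the VPN peers are fully trusted.
# -A INPUT -i tun0 -j ACCEPT

# Example: Allow from local network
# A bare -s match can be satisfied by a spoofed source on any interface;
# pin the rule to the interface the LAN is actually attached to.
# -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT

# ============================================================
# Services - open only what this host provides
# ============================================================

# No service ports are open by default. With the INPUT policy at DROP,
# loading this file on a remote host without an SSH rule keeps the
# current session alive (ESTABLISHED) but drops every new connection,
# including a reconnect. Add the rule before applying and consider
# restricting -s to a management network.
# -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

# ============================================================
# ICMP - allow ping for diagnostics
# ============================================================

# Rate-limited so an echo-request flood cannot monopolise the host;
# requests over the limit fall through to the final DROP. Raise the
# limit if monitoring probes ping more often than this.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT

# echo-reply is deliberately not accepted on its own: replies to pings
# sent from this host are matched by the ESTABLISHED rule above, and an
# unsolicited echo-reply has no legitimate use here (it is a common
# ICMP-tunnel carrier). ICMP errors needed for path-MTU discovery
# arrive as RELATED and are already accepted.

# ============================================================
# Default deny - drop everything not explicitly allowed
# ============================================================

# Optional, rate-limited audit trail of what the policy drops. Off by
# default because it writes to the kernel log; enable while tuning.
# -A INPUT -m limit --limit 3/minute --limit-burst 10 -j LOG --log-prefix "iptables-drop: " --log-level 4

# Explicit terminal DROP so the chain behaves the same even if someone
# later changes the policy line above; it also gives a drop counter.
-A INPUT -j DROP

COMMIT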