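*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# ============================================================
# Host firewall, filter table, iptables-restore format.
# Inbound (INPUT) and forwarded (FORWARD) traffic is denied unless a
# rule below accepts it; outbound (OUTPUT) traffic is allowed.
# Rules are evaluated top to bottom; the first match wins.
# No management port (e.g. SSH) is opened anywhere in this file: an
# already-open remote session survives through the ESTABLISHED rule,
# but new inbound connections are dropped - load this from a console
# session, or add an explicit accept rule for the management port
# before the final DROP.
# ============================================================

# ============================================================
# Stateful connection tracking
# ============================================================
# Allow established and related connections (return traffic).
# `-m state` is the legacy alias of `-m conntrack --ctstate`; both are
# accepted by current iptables and match the same conntrack states.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# ============================================================
# Loopback interface - always allow
# ============================================================
-A INPUT -i lo -j ACCEPT

# ============================================================
# Trusted networks - full access
# ============================================================
# Each rule below grants unrestricted inbound access from its source.
# The templates carry labelled placeholders; replace <VPN_IFACE> and
# <TRUSTED_NET> with real values before uncommenting, otherwise
# iptables-restore rejects the line.
# VPN/overlay network interface (uncomment and customize)
# -A INPUT -i <VPN_IFACE> -j ACCEPT
# Trusted local network (uncomment and customize to your network)
# -A INPUT -s <TRUSTED_NET>/24 -j ACCEPT

# ============================================================
# ICMP - allow ping for diagnostics
# ============================================================
# echo-request lets peers ping this host. A `-m limit` match on this
# rule would bound the impact of ping floods if that matters here.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# echo-reply for pings sent by this host is already matched by the
# ESTABLISHED rule above; this explicit rule additionally accepts
# unsolicited replies, so remove it if that is not wanted.
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# ============================================================
# Default deny - drop everything not explicitly allowed
# ============================================================
# Explicit terminal DROP; the INPUT chain policy is also DROP, so any
# packet not accepted above is dropped either way.
-A INPUT -j DROP
COMMIT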