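*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# ============================================================
# Host firewall ruleset (IPv4 only) - iptables-save format
# ============================================================
# Load with `iptables-restore < file`, or test with `iptables-apply`,
# which rolls the change back automatically if you lose connectivity.
#
# LOCKOUT WARNING: INPUT defaults to DROP and no management service
# (SSH etc.) is allowed below. Before loading this on a remote host,
# uncomment and customize the management rule or have console access.
#
# IPv6 WARNING: this file programs only the IPv4 tables. Without a
# matching ip6tables ruleset (or IPv6 disabled on the host) every
# service is reachable over IPv6 regardless of the rules here.

# ============================================================
# Loopback interface - always allow, reject spoofed loopback
# ============================================================

-A INPUT -i lo -j ACCEPT
# 127.0.0.0/8 can only legitimately arrive on lo; anything else
# carrying a loopback source address is forged.
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP

# ============================================================
# Stateful connection tracking
# ============================================================

# Packets conntrack cannot classify (bad TCP flag combinations,
# out-of-window segments, stray RSTs) are dropped before any
# ACCEPT rule below can match them.
-A INPUT -m conntrack --ctstate INVALID -j DROP

# Return traffic for flows this host initiated, plus RELATED packets:
# ICMP errors tied to a tracked flow (needed for path-MTU discovery)
# and secondary channels when a conntrack helper is in use.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# ============================================================
# Management access (uncomment and customize)
# ============================================================

# Restrict the source to your admin network wherever possible.
# -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -s <admin-network>/24 -j ACCEPT

# ============================================================
# Trusted networks - full access (uncomment and customize)
# ============================================================

# VPN/overlay interface. Interface-based trust is only as strong as
# the tunnel's peer authentication; a plain GRE/IPIP tunnel has none.
# -A INPUT -i <vpn-interface> -j ACCEPT

# Trusted local network. Always bind the source match to the
# interface that network lives on: a bare `-s` rule also accepts
# packets with a spoofed source address arriving on the WAN side.
# Prefer per-port rules over blanket ACCEPT where you can.
# -A INPUT -i <lan-interface> -s <your-network>/24 -j ACCEPT

# ============================================================
# ICMP - allow ping for diagnostics
# ============================================================

# Rate-limited so the host is not a cheap ping-flood target;
# interactive diagnostics stay well under this budget.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 20 -j ACCEPT
# echo-reply is deliberately not opened: replies to our own pings are
# ESTABLISHED and already accepted above, so an unconditional accept
# would only admit unsolicited replies.

# ============================================================
# Default deny - drop everything not explicitly allowed
# ============================================================

# Optional: log a sample of dropped packets for troubleshooting
# (rate-limited so a flood cannot fill the log).
# -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables INPUT drop: " --log-level 4

# Explicit terminal DROP so the behaviour is visible in the rule
# listing and counted separately from the chain policy.
-A INPUT -j DROP

COMMIT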