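#### Setting up filter table ####
# iptables-restore ruleset. Every built-in chain has a DROP policy, so a
# packet survives only if a rule below ACCEPTs it; on INPUT and OUTPUT the
# last rule logs a rate-limited sample of what is about to be dropped.
# Address assumptions (inferred from the rules, confirm against the host):
# eth0 is the only wired interface, the LAN is 192.168.1.0/24 and this
# host is 192.168.1.1.
*filter
# Policy setup
:INPUT DROP
:FORWARD DROP
:OUTPUT DROP
# User defined chains
:syn_flood -
:bad_tcp_packets -
:bad_input -
:allowed -
:ms_packets_udp -
:ms_packets_tcp -
:tcp_packets -
:udp_packets -
:icmp_packets -
## Rules setup
# syn_flood chain rules
# Rate-limits NEW inbound SYNs on eth0 (entered from bad_tcp_packets):
# up to 3/second with a burst of 15 RETURN to normal processing, the rest
# are dropped. NOTE(review): the limit is global rather than per source,
# so one sender exceeding it starves new connections for everyone;
# "-m hashlimit --hashlimit-mode srcip" would bound the effect per sender.
-A syn_flood -m limit --limit 3/second --limit-burst 15 -j RETURN
-A syn_flood -j DROP
# bad_tcp_packets chain rules
# Sanity checks for every TCP packet on INPUT and FORWARD.
# Loopback-to-loopback traffic is exempt.
-A bad_tcp_packets -d 127.0.0.1 -s 127.0.0.1 -j RETURN
# SYN+ACK cannot open a connection; answer with RST rather than a silent
# drop so the peer can tear down its half-open state.
-A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
# Any other NEW packet without SYN (stray ACKs, scans, flows that predate
# this ruleset) is logged and dropped. The LOG rule is now rate-limited
# like every other LOG rule in this file; unlimited, a remote sender could
# fill the log at line rate.
-A bad_tcp_packets -p tcp ! --syn -m state --state NEW -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level info --log-prefix "NEW not SYN: "
-A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
# Well-formed NEW SYNs from the outside interface are rate-limited.
-A bad_tcp_packets -i eth0 -p tcp --syn -m state --state NEW -j syn_flood
# bad_input chain rules
# Anti-spoofing for packets arriving on eth0 (entered from INPUT).
# Our own address and loopback space must never arrive from the wire:
# log a sample, then drop.
-A bad_input -p all -s 192.168.1.1 -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level info --log-prefix "Spoofed packets: "
-A bad_input -p all -s 192.168.1.1 -j DROP
-A bad_input -p all -s 127.0.0.0/8 -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level info --log-prefix "Spoofed packets: "
-A bad_input -p all -s 127.0.0.0/8 -j DROP
# The local LAN is trusted past this point; other RFC 1918 ranges are not
# expected on eth0 and are dropped without logging.
-A bad_input -p all -s 192.168.1.0/24 -j RETURN
-A bad_input -p all -s 192.168.0.0/16 -j DROP
-A bad_input -p all -s 10.0.0.0/8 -j DROP
-A bad_input -p all -s 172.16.0.0/12 -j DROP
# Drop inbound multicast from outside the LAN. IPv4 multicast is
# 224.0.0.0/4 (224-239.x.x.x); the earlier /8 only covered 224.x.x.x and
# let the remainder fall through to the INPUT log-and-drop.
-A bad_input -p all -d 224.0.0.0/4 -j DROP
# HTTP returns before the INVALID check below. NOTE(review): this means
# INVALID-state packets to port 80 skip that check and are judged by the
# tcp_packets/allowed chains instead; confirm that is intended.
-A bad_input -p tcp --dport 80 -j RETURN
# Packets conntrack cannot associate with any flow: log a sample, drop.
-A bad_input -p all -m state --state INVALID -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level info --log-prefix "INVALID packets: "
-A bad_input -p all -m state --state INVALID -j DROP
# allowed chain rules
# Final gate for exposed TCP services (entered from tcp_packets): accept a
# clean SYN (no ACK, no RST) to open a connection, accept packets of an
# existing flow, drop everything else.
-A allowed -p tcp --tcp-flags SYN,ACK,RST SYN -j ACCEPT
-A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A allowed -p tcp -j DROP
# ms_packets_udp chain rules
# Silently drop NetBIOS/SMB broadcasts so LAN chatter stays out of the
# INPUT log. Only the directed broadcast address is matched; unicast
# NetBIOS/SMB still ends in the logged drop.
-A ms_packets_udp -p udp -d 192.168.1.255 --dport 137:139 -j DROP
# ms_packets_tcp chain rules
-A ms_packets_tcp -p tcp -d 192.168.1.255 -m multiport --dports 135,139,445 -j DROP
# tcp_packets chain rules
# Exposed TCP services: HTTP, POP3, SMTP, SSH, HTTPS. The rule carries no
# interface match, so these ports are reachable on any interface that
# gets this far.
-A tcp_packets -p tcp -m multiport --dports 80,110,25,22,443 -j allowed
-A tcp_packets -p tcp -i eth0 -j ms_packets_tcp
# udp_packets chain rules
# NTP from the LAN only; DHCP (67:68) and NetBIOS broadcast noise on eth0
# are dropped without logging.
-A udp_packets -p udp -s 192.168.1.0/24 --dport 123 -j ACCEPT
-A udp_packets -p udp -i eth0 --dport 67:68 -j DROP
-A udp_packets -p udp -i eth0 -j ms_packets_udp
# icmp_packets chain rules
# Echo request (type 8) is rate-limited; time exceeded (type 11) is
# accepted so traceroute replies work. ICMP errors tied to our own flows
# are expected to match the ESTABLISHED,RELATED rule in INPUT.
-A icmp_packets -p icmp --icmp-type 8 -m limit --limit 1/second --limit-burst 5 -j ACCEPT
-A icmp_packets -p icmp --icmp-type 11 -j ACCEPT
# INPUT chain rules
# Order matters: TCP sanity, anti-spoof on eth0, loopback, existing flows,
# per-protocol service chains, then a logged sample of what the DROP
# policy will discard.
-A INPUT -p tcp -j bad_tcp_packets
-A INPUT -p all -i eth0 -j bad_input
-A INPUT -p all -i lo -s 127.0.0.1 -j ACCEPT
-A INPUT -p all -i lo -s 192.168.1.1 -j ACCEPT
-A INPUT -p all -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -j tcp_packets
-A INPUT -p udp -j udp_packets
-A INPUT -p icmp -j icmp_packets
-A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level info --log-prefix "IPT INPUT packs died: "
# FORWARD chain rules
# No forwarding is permitted: after the TCP sanity check the DROP policy
# applies to everything.
-A FORWARD -p tcp -j bad_tcp_packets
# OUTPUT chain rules
# Only packets sourced from our own addresses may leave; anything else
# (e.g. a mis-sourced or spoofed packet) is logged and dropped by policy.
-A OUTPUT -p all -s 127.0.0.1 -j ACCEPT
-A OUTPUT -p all -s 192.168.1.1 -j ACCEPT
-A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level info --log-prefix "IPT OUTPUT packs died: "
COMMIT
#### Setting up nat table ####
# No NAT rules; the table is declared with open policies only.
*nat
# Policy setup
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
COMMIT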