# Minimal IPv4 firewall in iptables-save format (load with iptables-restore)
# Use it as an example and starting point; it does not cover IPv6 (ip6tables)
#==============================================================
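*filter
# Default policies.  INPUT and FORWARD fail closed: every packet that reaches
# them is terminated inside std/good (ACCEPT, logdrop or logrjct -- std and
# good both end in an unconditional logrjct), so the policy is only consulted
# when the rule set is partially loaded or has been flushed.  In that state
# ACCEPT would silently expose every port; DROP keeps the host closed.
# OUTPUT stays ACCEPT because nothing below filters locally generated traffic.
:INPUT		DROP	[0:0]
:FORWARD	DROP	[0:0]
:OUTPUT		ACCEPT	[0:0]
# std  -- handling shared by INPUT and FORWARD (conntrack, ICMP, source check)
# good -- services that only the trusted network may open
:std		-	[0:0]
:good		-	[0:0]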
#--------------------------------------------------------------
# Logging targets.  NFLOG hands each packet to userspace over nfnetlink_log;
# a ulogd daemon (or another nfnetlink_log listener) must be running or
# nothing is recorded.  Both chains are terminal.
# NOTE(review): neither chain is rate limited, so a flood of rejected packets
# becomes a flood of log records; put an "-m limit" rule in front of the NFLOG
# rules if the log sink cannot absorb that.
# logdrop: log, then drop silently (the sender learns nothing)
-N logdrop
-A logdrop	-j NFLOG	--nflog-prefix "DROP "
-A logdrop	-j DROP
# logrjct: log, then answer with ICMP host-prohibited
-N logrjct
-A logrjct	-j NFLOG	--nflog-prefix "RJCT "
-A logrjct	-j REJECT	--reject-with icmp-host-prohibited
#--------------------------------------------------------------
# Loopback is trusted unconditionally (local IPC, resolver, monitoring).
-A INPUT -i lo -j ACCEPT
#--------------------------------------------------------------
# Locally destined (INPUT) and routed (FORWARD) traffic share the std chain.
# The service rules below therefore do not distinguish "this host" from
# "hosts behind this router": once forwarding is enabled, every port opened
# in good is reachable on every host this machine routes to.
# Locally generated traffic (OUTPUT) is not filtered at all.
#--------------------------------------------------------------
-A INPUT   -j std
-A FORWARD -j std
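#--------------------------------------------------------------
# Connection tracking.  Replies and related traffic (including data
# connections opened by the FTP helper, see the raw table) are accepted
# first.  Packets conntrack cannot classify -- bad TCP flags or sequence
# numbers, ICMP errors that belong to no tracked connection, remnants of
# connections whose state was lost -- are dropped here so they never reach
# the port-based rules and never provoke a REJECT answer.
-A std -m state --state ESTABLISHED,RELATED -j ACCEPT
-A std -m state --state INVALID -j logdrop
#--------------------------------------------------------------
# ICMP.  These rules run before the source-network check, so ping and the
# listed error types are accepted from any source; echo-request is not rate
# limited.  source-quench is deprecated (RFC 6633) and, as far as we know,
# ignored by current stacks; it is kept only so it is not logged as a drop.
# Every other ICMP type is logged and dropped.
-A std -p icmp --icmp-type echo-reply              -j ACCEPT
-A std -p icmp --icmp-type destination-unreachable -j ACCEPT
-A std -p icmp --icmp-type source-quench           -j ACCEPT
-A std -p icmp --icmp-type echo-request            -j ACCEPT
-A std -p icmp --icmp-type time-exceeded           -j ACCEPT
-A std -p icmp --icmp-type parameter-problem       -j ACCEPT
-A std -p icmp -j logdrop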
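#--------------------------------------------------------------
# Only the trusted local network may open the services in the good chain.
# REPLACE 192.0.2.0/24 (an RFC 5737 documentation prefix) with the real LAN
# prefix before loading; repeat the line for each additional trusted network.
# Never use 0.0.0.0/0 here: it matches every source address, so every service
# in good would be reachable from the whole Internet and the logrjct rule
# below would be unreachable.
-A std -s 192.0.2.0/24 -j good
# Anything from elsewhere is logged and rejected.
-A std -j logrjct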
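#--------------------------------------------------------------
# Services reachable from the trusted network (chain good).  Each rule matches
# only the first packet of a connection (--state NEW); replies are already
# accepted by the ESTABLISHED,RELATED rule in std.  "-m tcp"/"-m udp" are
# implied by -p and omitted.
#
# SSH (remote console access)
-A good -p tcp --dport ssh -m state --state NEW -j ACCEPT
# Mail retrieval.  pop3 and imap carry credentials in clear text unless the
# server enforces STARTTLS; prefer the TLS ports and drop these two if unused.
-A good -p tcp --dport pop3  -m state --state NEW -j ACCEPT
-A good -p tcp --dport imap  -m state --state NEW -j ACCEPT
-A good -p tcp --dport pop3s -m state --state NEW -j ACCEPT
-A good -p tcp --dport imaps -m state --state NEW -j ACCEPT
# Web
-A good -p tcp --dport http  -m state --state NEW -j ACCEPT
-A good -p tcp --dport https -m state --state NEW -j ACCEPT
# Mail transfer and submission
-A good -p tcp --dport smtp        -m state --state NEW -j ACCEPT
-A good -p tcp --dport submission  -m state --state NEW -j ACCEPT
-A good -p tcp --dport submissions -m state --state NEW -j ACCEPT
# Printing: IPP, plus SLP (svrloc) and mDNS service discovery.
# All three match the DESTINATION port.  The earlier "--sport svrloc" and
# "--sport mdns" rules matched only the remote port, so any host on the
# trusted network could reach any UDP service here simply by sending from
# source port 427 or 5353.  Multicast announcements arrive on dport 5353/427
# and are covered; unicast replies to our own multicast queries are not
# tracked by conntrack (the request went to a multicast address) and will now
# be rejected -- if that discovery mode is required, add a narrow rule for it
# rather than reinstating the source-port match.
-A good -p tcp --dport ipp    -m state --state NEW -j ACCEPT
-A good -p udp --dport svrloc -m state --state NEW -j ACCEPT
-A good -p udp --dport mdns   -m state --state NEW -j ACCEPT
# RIP (ripd).  Unless ripd is configured to require RIPv2 authentication,
# any host on the trusted network can inject routes.
-A good -p udp --dport router -m state --state NEW -j ACCEPT
# NTP service
-A good -p udp --dport ntp -m state --state NEW -j ACCEPT
# SNMP agent.  v1/v2c community strings travel in clear text.
-A good -p udp --dport snmp -m state --state NEW -j ACCEPT
# NFS: portmapper and nfsd over TCP only.  Sufficient for NFSv4; NFSv3 also
# needs mountd/statd/lockd and the UDP variants, which are not opened here.
-A good -p tcp --dport sunrpc -m state --state NEW -j ACCEPT
-A good -p tcp --dport nfs    -m state --state NEW -j ACCEPT
# Everything else from the trusted network is logged and rejected.
-A good -j logrjct
#--------------------------------------------------------------
# Commit filter rules
COMMIT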
#==============================================================
*raw
:PREROUTING	ACCEPT	[0:0]
:OUTPUT		ACCEPT	[0:0]
:std		-	[0:0]
#--------------------------------------------------------------
# Attach the FTP conntrack helper explicitly to FTP control connections
# (recent kernels no longer assign helpers automatically, so without this the
# helper never runs).  The helper parses the PORT/PASV exchange and registers
# the data connection as RELATED, which is what the ESTABLISHED,RELATED rule
# in the filter table accepts -- the good chain itself opens no FTP port.
# PREROUTING covers inbound and forwarded control connections, OUTPUT the
# ones this host initiates.  The helper acts on untrusted payload; consider
# narrowing the rule to the FTP servers actually used (-d ...).
-A PREROUTING -j std
-A OUTPUT     -j std
-A std -p tcp --dport ftp -j CT --helper ftp
#--------------------------------------------------------------
# Commit raw rules
COMMIT
