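#!/usr/bin/env bash
#
# Host firewall (IPv4 filter table) for a single-homed machine.
#
# Policy: default DROP on INPUT/FORWARD/OUTPUT; loopback open; this host may
# initiate DNS, HTTP/HTTPS and SSH (plus ping/traceroute) and receive the
# replies; inbound SSH is accepted only from the local network.  Everything
# else is logged (rate-limited) and dropped.
#
# Usage (as root):   WAN_IF=eth0 HOST_IP=192.168.2.11 ./firewall.sh
# Requires:          iptables with the state, limit, tcp and icmp matches.
#
# Why the ordering below matters: sanity checks (INVALID, bad TCP flags,
# spoofed sources) are installed BEFORE any ACCEPT rule, otherwise a packet
# that matches a service rule never reaches them.
#
# NOTE(review): IPv6 is not filtered here at all.  Unless ip6tables is
#   configured or IPv6 is disabled on the host, these rules can be bypassed
#   over IPv6.
# NOTE(review): the script is all-or-nothing under `set -e`; a failing rule
#   leaves the DROP policies in place.  Run it from a console, or keep a
#   second session / scheduled `iptables -P INPUT ACCEPT` fallback ready.
# NOTE(review): FORWARD is dropped on the assumption this host does not route.

set -Eeuo pipefail

# ---- site parameters (override via environment) ---------------------------
WAN_IF="${WAN_IF:-eth0}"                 # interface facing the LAN/Internet
HOST_IP="${HOST_IP:-192.168.2.11}"       # this host's address on $WAN_IF
LAN_NET="${LAN_NET:-192.168.2.0/24}"     # network allowed to open SSH to us
IPT="${IPT:-iptables}"                   # binary to use (e.g. iptables-legacy)
SYN_RATE="${SYN_RATE:-5/second}"         # host-wide cap on new inbound TCP
LOG_RATE="${LOG_RATE:-10/minute}"        # cap applied to every LOG rule
LOG_BURST="${LOG_BURST:-20}"
readonly WAN_IF HOST_IP LAN_NET IPT SYN_RATE LOG_RATE LOG_BURST

# Services this host may initiate (names resolved via /etc/services).
# https is included alongside http; plain-http-only is rarely what is wanted.
readonly -a OUT_TCP=(domain http https ssh)
readonly -a OUT_UDP=(domain)

# Source addresses that must never arrive on $WAN_IF.
readonly -a BOGON_SRC=(
  "$HOST_IP"          # our own address coming in from the wire = spoofed
  127.0.0.0/8
  0.0.0.0/8           # NB: also blocks DHCP DISCOVER; assumes a static address
  169.254.0.0/16      # link-local (168.254.0.0/16 would be public space)
  224.0.0.0/4         # multicast is never a valid source
  240.0.0.0/4         # reserved; covers both 240.0.0.0/5 and 248.0.0.0/5
  255.255.255.255/32
)

die() { printf 'firewall: %s\n' "$*" >&2; exit 1; }

trap 'printf "firewall: command failed at line %s: %s (policies are DROP)\n" \
  "$LINENO" "$BASH_COMMAND" >&2' ERR

# Thin wrapper so the binary can be swapped (legacy/nft, or a dry-run stub).
ipt() { "$IPT" "$@"; }

#######################################
# Append a rate-limited LOG rule followed by a DROP rule with the same match.
# Every drop that is logged goes through here so that an attacker cannot
# fill the disk simply by sending blocked packets.
# Arguments: $1 - chain, $2 - log prefix (trailing space added), $3.. - match
#######################################
log_drop() {
  local chain=$1 prefix=$2
  shift 2
  ipt -A "$chain" "$@" -m limit --limit "$LOG_RATE" --limit-burst "$LOG_BURST" \
    -j LOG --log-prefix "$prefix " --log-level warning
  ipt -A "$chain" "$@" -j DROP
}

#######################################
# LOG+DROP TCP packets whose flags selected by MASK equal COMP.
# Arguments: $1 - MASK, $2 - COMP, $3 - log prefix
#######################################
bad_flags() {
  log_drop BAD_FLAGS "$3" -p tcp --tcp-flags "$1" "$2"
}

# Start from an empty filter table with fail-closed policies.  Policies are
# set before the flush so the window during re-population is closed, not
# open.  (nat/mangle/raw tables are not managed by this script.)
reset_filter() {
  ipt -P INPUT DROP
  ipt -P FORWARD DROP
  ipt -P OUTPUT DROP
  ipt -F
  ipt -X
  ipt -Z
}

# Checks that must precede any ACCEPT: conntrack INVALID, scan-style TCP
# flag combinations, spoofed sources in, and spoofed sources out.
add_sanity_rules() {
  log_drop INPUT "IPT INV_STATE" -m state --state INVALID

  ipt -N BAD_FLAGS
  ipt -A INPUT -p tcp -j BAD_FLAGS
  bad_flags SYN,FIN SYN,FIN     "IPT: Bad SF Flag"   # also covers SFP/SFR/SFRP
  bad_flags SYN,RST SYN,RST     "IPT: Bad SR Flag"
  # FIN without ACK (FIN scan).  A bare "FIN FIN" mask would also match every
  # legitimate FIN/ACK and tear down normal connection close.
  bad_flags FIN,ACK FIN         "IPT: Bad F Flag"
  bad_flags ALL NONE            "IPT: Null Flag"
  bad_flags ALL ALL             "IPT: All Flag"
  bad_flags ALL FIN,URG,PSH     "IPT: Xmas Flags"

  local net
  for net in "${BOGON_SRC[@]}"; do
    log_drop INPUT "IPT SPOOF" -i "$WAN_IF" -s "$net"
  done
  # Never emit a packet whose source address is not ours (modern "! -s" form).
  ipt -A OUTPUT -o "$WAN_IF" ! -s "$HOST_IP" -j DROP
}

# ICMP: refuse to be pinged, accept what our own pings/traceroutes provoke,
# allow outbound ping only; everything else is logged and dropped.
add_icmp_rules() {
  ipt -N ICMP_IN
  ipt -N ICMP_OUT
  ipt -A INPUT  -p icmp -j ICMP_IN
  ipt -A OUTPUT -p icmp -j ICMP_OUT

  ipt -A ICMP_IN -p icmp --icmp-type echo-request -j DROP
  local t
  for t in echo-reply destination-unreachable time-exceeded; do
    ipt -A ICMP_IN -i "$WAN_IF" -p icmp --icmp-type "$t" \
      -m state --state ESTABLISHED,RELATED -j ACCEPT
  done
  log_drop ICMP_IN "IPT_ICMP_IN" -i "$WAN_IF" -p icmp

  ipt -A ICMP_OUT -o "$WAN_IF" -p icmp --icmp-type echo-request \
    -m state --state NEW -j ACCEPT
  log_drop ICMP_OUT "IPT_ICMP_OUT" -o "$WAN_IF" -p icmp
}

# Service whitelist.  Each outbound service gets a NEW,ESTABLISHED rule on
# OUTPUT and an ESTABLISHED-only reply rule on INPUT.
add_service_rules() {
  # SYN-flood mitigation.  Under the limit the packet RETURNs to INPUT where
  # it must still hit an ACCEPT rule; the limit itself never accepts anything
  # (a "--syn -m limit -j ACCEPT" rule would open every port at that rate).
  ipt -N SYN_LIMIT
  ipt -A INPUT -i "$WAN_IF" -p tcp --syn -j SYN_LIMIT
  ipt -A SYN_LIMIT -m limit --limit "$SYN_RATE" -j RETURN
  log_drop SYN_LIMIT "IPT: SYN limit"

  local svc
  for svc in "${OUT_TCP[@]}"; do
    ipt -A OUTPUT -o "$WAN_IF" -p tcp -s "$HOST_IP" --dport "$svc" \
      -m state --state NEW,ESTABLISHED -j ACCEPT
    ipt -A INPUT  -i "$WAN_IF" -p tcp -d "$HOST_IP" --sport "$svc" \
      -m state --state ESTABLISHED -j ACCEPT
  done
  for svc in "${OUT_UDP[@]}"; do
    ipt -A OUTPUT -o "$WAN_IF" -p udp -s "$HOST_IP" --dport "$svc" \
      -m state --state NEW,ESTABLISHED -j ACCEPT
    ipt -A INPUT  -i "$WAN_IF" -p udp -d "$HOST_IP" --sport "$svc" \
      -m state --state ESTABLISHED -j ACCEPT
  done

  # Inbound SSH (host as server), local network only.
  ipt -A INPUT  -i "$WAN_IF" -p tcp -s "$LAN_NET" --dport ssh \
    -m state --state NEW,ESTABLISHED -j ACCEPT
  ipt -A OUTPUT -o "$WAN_IF" -p tcp -d "$LAN_NET" --sport ssh \
    -m state --state ESTABLISHED -j ACCEPT
}

# Whatever reaches the end of INPUT/OUTPUT is dropped by policy; log a
# rate-limited sample of it so blocked traffic stays visible.
add_catchall_logging() {
  ipt -A INPUT  -i "$WAN_IF" -m limit --limit "$LOG_RATE" --limit-burst "$LOG_BURST" \
    -j LOG --log-prefix "IPT_INPUT " --log-level warning
  ipt -A OUTPUT -o "$WAN_IF" -m limit --limit "$LOG_RATE" --limit-burst "$LOG_BURST" \
    -j LOG --log-prefix "IPT_OUTPUT " --log-level warning
}

main() {
  (( EUID == 0 )) || die "must be run as root"
  command -v "$IPT" >/dev/null || die "$IPT not found"

  reset_filter
  # Loopback is unconditionally trusted and must precede every other check.
  ipt -A INPUT  -i lo -j ACCEPT
  ipt -A OUTPUT -o lo -j ACCEPT
  add_sanity_rules
  add_icmp_rules
  add_service_rules
  add_catchall_logging
}

main "$@"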