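# Created: Fri Nov 14 2003
# By     : Mikhail Tchoudinov
# URL    : http://www.smartpost.ro
#
# Host firewall (filter table only) for a single machine whose own address
# is 192.168.1.1.  All inbound traffic is handed to LINWIZ-INPUT; anything
# not explicitly accepted there ends in REJECT-PKT.  REJECT-PKT must
# terminate every packet it sees: a packet that falls off the end of a user
# chain returns to INPUT and is then accepted by the ACCEPT policy below.
*filter
:INPUT ACCEPT [0:0]
# NOTE(review): FORWARD stays at ACCEPT as in the original; if IP forwarding
# is ever enabled on this host it will route freely -- consider DROP.
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LINWIZ-INPUT - [0:0]
:REJECT-PKT - [0:0]
-A INPUT -j LINWIZ-INPUT
######################################################################
# Allow all loopback interface traffic.
# Match on the interface rather than on 127.0.0.1 <-> 127.0.0.1: local
# connections to the host's own address arrive on lo with source
# 192.168.1.1 and would otherwise be dropped by the spoof rule below, and
# an address-only match would also accept loopback-sourced packets that
# arrive on an external interface.
-A LINWIZ-INPUT -i lo -j ACCEPT
# Block all attempts to spoof the local IP address or the loopback range.
# Loopback traffic was already accepted above, so these rules only ever see
# packets from external interfaces.
-A LINWIZ-INPUT -s 192.168.1.1 -j DROP
-A LINWIZ-INPUT -s 127.0.0.0/8 -j DROP
# Ensure that TCP connections start with syn packets
-A LINWIZ-INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP
# Allow session continuation traffic (including ICMP errors related to
# existing connections)
-A LINWIZ-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow ICMP ping requests from all hosts
-A LINWIZ-INPUT -p icmp -m icmp --icmp-type ping -j ACCEPT
# Allow selected TCP/IP and/or UDP services
# 22 ssh, 25 smtp, 80 http, 110 pop3, 143 imap -- 110 and 143 carry
# credentials in the clear unless the daemon requires STARTTLS.
-A LINWIZ-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A LINWIZ-INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A LINWIZ-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A LINWIZ-INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A LINWIZ-INPUT -p tcp -m tcp --dport 143 -j ACCEPT
# Block all other TCP/IP and UDP traffic
-A LINWIZ-INPUT -j REJECT-PKT
######################################################################
# Chain used to reject all TCP/IP, UDP and ICMP/PING packets
-A REJECT-PKT -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A REJECT-PKT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
# Catch-all for every other protocol (ICMP types other than ping, GRE,
# ESP, ...).  Without this, such packets return to INPUT and are accepted
# by the ACCEPT policy, contradicting the purpose of this chain.
-A REJECT-PKT -j DROP
COMMIT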