Permalink
Fetching contributors…
Cannot retrieve contributors at this time
executable file 22 lines (21 sloc) 910 Bytes
#!/usr/bin/env iptables-restore
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Block invalid (according to conntrack) packets.
-A INPUT -m state --state INVALID -j DROP
# Block fragmented ICMP.
-A INPUT -p icmp --fragment -j DROP
# Allow keep state.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow localhost (so Webconverger can speak to itself).
-A INPUT -i lo -j ACCEPT
-A INPUT -m udp -p udp --dport 631 -j ACCEPT
# Allow incoming Path MTU Discovery (ICMP destination-unreachable/fragmentation-needed)
-A INPUT -p icmp --icmp-type 3/4 -m state --state NEW -j ACCEPT
# Allow incoming request to decrease rate of sent packets (ICMP Source Quench)
-A INPUT -p icmp --icmp-type 4 -m state --state NEW -j ACCEPT
# Allow and throttle incoming ping (ICMP Echo-Request).
-A INPUT -p icmp --icmp-type 8 -m state --state NEW -m limit --limit 2/s --limit-burst 5 -j ACCEPT
COMMIT