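*nat
:PREROUTING ACCEPT [835:126580]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [594:35952]
# Masquerade everything that leaves via the dial-up link (ppp0).
# NOTE(review): the filter table below has a FORWARD policy of DROP and no
# FORWARD rules, so with this ruleset nothing is actually forwarded through
# this host; confirm whether LAN-to-internet routing is intended.
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Tue Mar 26 21:46:52 2002
# Generated by iptables-save v1.2.5 on Tue Mar 26 21:46:52 2002
*filter
:INPUT ACCEPT [121:7388]
:FORWARD DROP [6821:2861953]
:OUTPUT ACCEPT [44148:41807530]
# IP spoofing: private (RFC 1918) source/destination addresses are never
# legitimate on the dial-up link, in either direction. 127.0.0.0/8 is
# added to the inbound list for the same reason -- loopback addresses are
# only valid on lo, which is accepted separately below.
-A INPUT -s 10.0.0.0/255.0.0.0 -i ppp0 -j DROP
-A INPUT -s 172.16.0.0/255.240.0.0 -i ppp0 -j DROP
-A INPUT -s 192.168.0.0/255.255.0.0 -i ppp0 -j DROP
-A INPUT -s 127.0.0.0/255.0.0.0 -i ppp0 -j DROP
-A OUTPUT -d 10.0.0.0/255.0.0.0 -o ppp0 -j DROP
-A OUTPUT -d 172.16.0.0/255.240.0.0 -o ppp0 -j DROP
-A OUTPUT -d 192.168.0.0/255.255.0.0 -o ppp0 -j DROP
# Trusted devices: loopback and the internal LAN interface are not filtered.
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
# Replies to traffic this host initiated. This replaces the previous
# "--sport 53 / --sport 123 ACCEPT" rules: the source port is chosen by the
# sender, so those rules admitted any UDP datagram that merely claimed to
# come from port 53 or 123, bypassing the UDP DROP below. Connection
# tracking (already loaded because MASQUERADE in the nat table depends on
# it) only admits datagrams that match a query this host actually sent.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Microsoft network: never send NetBIOS/SMB out of this host. No -o is
# given, so this also applies to eth1, not only to ppp0.
-A OUTPUT -p tcp -m tcp --dport 137:139 -j DROP
-A OUTPUT -p tcp -m tcp --dport 445 -j DROP
# UDP: anything not recognised as a reply above (DNS, NTP responses) is
# dropped; no UDP service is exposed.
-A INPUT -p udp -j DROP
# Servers - HTTP, SSH, SMTP, IDENT. Only new connections (SYN set, RST and
# ACK clear) are examined; the matching reply traffic is handled by the
# state rule above.
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
# IDENT (113) is REJECTed rather than silently dropped, presumably so that
# remote servers doing ident lookups (e.g. on SMTP delivery) get an
# immediate refusal instead of waiting for a timeout -- confirm intent.
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
# Every other new TCP connection attempt is dropped. Note that TCP packets
# without the SYN-only flag combination, and all non-TCP/UDP protocols,
# still fall through to the INPUT ACCEPT policy; this ruleset does not
# apply a default-deny policy on INPUT.
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
COMMIT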