@samrocketman
Created January 28, 2014 22:07
Simple iptables rules
#Load this file (as root) with: iptables-restore < iptables.rules
#Parse it without committing first with: iptables-restore --test < iptables.rules
#iptables-restore replaces the running ruleset; it does not persist across reboots by itself.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#The following rules are required for normal communication: replies to connections
#this host opened, and loopback traffic. Keep the ESTABLISHED,RELATED rules first so
#every ACCEPT rule below only has to match NEW connections.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
#allow incoming ping, i.e. ICMP echo-request, type 8 (optional, can be commented out)
-A INPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
#single port
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
#multiple ports
#-A INPUT -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT
#single port from a specific source
#-A INPUT -p tcp -s 192.167.19.1 -m state --state NEW -m tcp --dport 22 -j ACCEPT
#or from a network
#-A INPUT -p tcp -s 192.168.0.0/24 -m state --state NEW -m tcp --dport 22 -j ACCEPT
#enable logging of denied connections, rate-limited to 2 lines per minute
#keep rules commented unless troubleshooting; as written the LOGGING chain only logs TCP,
#and it must stay above the REJECT rules below or nothing ever reaches it
#-N LOGGING
#-A LOGGING -p tcp -m limit --limit 2/min -j LOG --log-prefix "iptables DROP: " --log-level 4
#-A LOGGING -j RETURN
#-A INPUT -j LOGGING
#-A FORWARD -j LOGGING
#Required: any traffic not accepted above is rejected by these rules (the sender gets an
#ICMP host-prohibited error; use -j DROP instead to discard silently). There is no such
#rule for OUTPUT, so outbound traffic from this host is unrestricted.
#Never comment these out unless you know what you're doing.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
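The comments in the ruleset above encode three ordering rules: the ESTABLISHED,RELATED accept comes first, loopback is open, and the REJECT catch-all is the last INPUT rule. The script below is an added example, not code from the gist or its author: it lints an iptables-restore file for exactly those properties, and then loads it with a timed rollback so a typo cannot lock you out of an SSH session. It assumes iptables-save and iptables-restore are on PATH and that iptables-restore supports --test; the grace period, temp-file names and the `apply` subcommand are hypothetical choices for this example. The sample rule files it writes are constructed here for demonstration.

```shell
#!/bin/sh
# Added example (not from the gist): lint an iptables-restore file for the rule
# ordering the ruleset's comments rely on, then apply it with a timed rollback.
# Assumptions: iptables-save/iptables-restore on PATH, --test supported;
# grace period and temp-file paths are hypothetical.
set -u

# lint_rules FILE: print each problem found; return 0 only when there are none.
lint_rules() {
    file="$1"
    errors=0
    # INPUT chain rules only, each prefixed with its line number in the file.
    input=$(grep -n '^-A INPUT ' "$file" || true)
    if [ -z "$input" ]; then
        echo "$file: no -A INPUT rules at all"
        return 1
    fi
    # The stateful ACCEPT must precede any rule admitting NEW connections,
    # otherwise a later rule also decides the fate of reply packets.
    est=$(printf '%s\n' "$input" \
        | grep -E -- '--(state|ctstate) (ESTABLISHED,RELATED|RELATED,ESTABLISHED) -j ACCEPT' \
        | head -n 1 | cut -d: -f1)
    first_new=$(printf '%s\n' "$input" \
        | grep -E -- '--(state|ctstate) NEW' | head -n 1 | cut -d: -f1)
    if [ -z "$est" ]; then
        echo "$file: missing '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'"
        errors=$((errors + 1))
    elif [ -n "$first_new" ] && [ "$first_new" -lt "$est" ]; then
        echo "$file:$first_new: accepts NEW connections before the ESTABLISHED,RELATED rule (line $est)"
        errors=$((errors + 1))
    fi
    # Loopback must be open or local-only services (resolvers, databases) break.
    if ! printf '%s\n' "$input" | grep -q -- '-i lo -j ACCEPT'; then
        echo "$file: missing '-A INPUT -i lo -j ACCEPT'"
        errors=$((errors + 1))
    fi
    # With policy ACCEPT the last INPUT rule must be a REJECT/DROP catch-all.
    policy=$(grep '^:INPUT ' "$file" | awk '{print $2}')
    last=$(printf '%s\n' "$input" | tail -n 1)
    case "$last" in
        *"-j REJECT"*|*"-j DROP"*) ;;
        *) if [ "$policy" != "DROP" ]; then
               echo "$file: last INPUT rule is not REJECT/DROP and the chain policy is '$policy': unmatched traffic is accepted"
               errors=$((errors + 1))
           fi ;;
    esac
    # Anything appended after an unconditional catch-all can never match.
    catchall=$(printf '%s\n' "$input" | grep -E '^[0-9]+:-A INPUT -j (REJECT|DROP)' | head -n 1 | cut -d: -f1)
    lastno=$(printf '%s\n' "$last" | cut -d: -f1)
    if [ -n "$catchall" ] && [ "$lastno" -gt "$catchall" ]; then
        echo "$file: INPUT rules after the catch-all on line $catchall are unreachable"
        errors=$((errors + 1))
    fi
    [ "$errors" -eq 0 ]
}

# apply_with_rollback FILE [SECONDS]: load FILE, then restore the previous
# ruleset after SECONDS (default 60) unless the printed flag file was created.
apply_with_rollback() {
    file="$1"
    grace="${2:-60}"
    lint_rules "$file" || return 1
    iptables-restore --test "$file" || return 1   # parse only, commits nothing
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    iptables-restore "$file" || return 1
    flag="$backup.confirmed"
    # Background watchdog: put the old rules back unless the flag file appeared.
    ( sleep "$grace"; [ -e "$flag" ] || iptables-restore "$backup" ) &
    echo "new rules active; run 'touch $flag' within ${grace}s or the old rules return" >&2
    echo "$flag"
}

# write_sample good|bad: write a constructed rules file, print its path.
# The "bad" file accepts NEW before ESTABLISHED, has no loopback rule and
# has its REJECT catch-all commented out, with policy ACCEPT.
write_sample() {
    f=$(mktemp)
    if [ "$1" = good ]; then
        cat > "$f" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
    else
        cat > "$f" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
    fi
    echo "$f"
}

# Usage (as root): sh fw.sh apply /etc/iptables.rules [grace-seconds]
if [ "$#" -ge 2 ] && [ "$1" = "apply" ]; then
    apply_with_rollback "$2" "${3:-60}"
fi
```

Run `lint_rules iptables.rules` before every load; with the catch-all commented out it reports that unmatched traffic is accepted, which is the mistake the "never comment these out" warning is about. Debian-based systems ship `iptables-apply`, which implements the same confirm-or-rollback step for you.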