#
# /etc/sysconfig/iptables (mode 0600): workstation iptables configuration
#
# See http://iptables-tutorial.frozentux.net/iptables-tutorial.html
#
# Always remember with security configurations: keep it simple (KISS).
#


#
# MANGLE TABLE
#
*mangle

# Set default policies.
# No rules are added to this table, so every chain just passes packets
# through unmodified; it is declared only so iptables-restore resets it
# to a known-empty state.
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

COMMIT


#
# NAT TABLE
#
*nat

# Set default policies (no address translation is performed by default)
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Enable masquerading
# Intentionally disabled on a workstation. Enabling it alone does not make
# this host a router: the filter table's FORWARD policy is DROP and its
# FORWARD rules are also commented out, so all three would have to change
# together. eth0 is assumed to be the outside interface here.
#-A POSTROUTING -o eth0 -j MASQUERADE

COMMIT


#
# FILTER TABLE
#
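*filter

# Set default policies: drop unsolicited inbound and all forwarded
# traffic, allow everything outbound. Packets that reach the end of
# INPUT without matching a rule (e.g. when the rate limits below are
# exceeded) are silently dropped by this policy.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Allow already established connection traffic
# (-m state is the legacy spelling of -m conntrack --ctstate; both work
# on current kernels, this one is kept for older installs)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow loopback traffic
-A INPUT -i lo -j ACCEPT

# Allow local intranet traffic
# NOTE(review): this matches on source address only, so a packet arriving
# on the outside interface with a forged 192.168.1.x source is accepted as
# well. Bind it to the LAN interface (-i <LAN-IF>) once that name is known.
-A INPUT -s 192.168.1.0/255.255.255.0 -j ACCEPT

# Allow ICMP traffic globally
# (every ICMP type; narrow to echo-request, destination-unreachable and
# time-exceeded if the host should not answer e.g. timestamp requests)
-A INPUT -p icmp --icmp-type any -j ACCEPT

# Allow SSH traffic globally
# (no connection-rate limit here; password guessing shows up only in the
# sshd log, so pair this with key-only auth or a -m recent/limit rule)
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# Allow HTTP/HTTPS traffic from outer network
#-A INPUT -s 10.0.0.0/255.0.0.0 -p tcp -m tcp --dport 80 -j ACCEPT
#-A INPUT -s 10.0.0.0/255.0.0.0 -p tcp -m tcp --dport 443 -j ACCEPT

# Allow already established, forwarded connection traffic
#-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow local masquerading
#-A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT

# Drop Windows networking data and broadcast traffic
# These sit after the LAN ACCEPT above, so they only affect non-LAN
# sources; their real purpose is to keep that noise out of the log below.
# Only the all-hosts group 224.0.0.1 is matched; other multicast
# destinations (mDNS, SSDP, ...) still reach the LOG/REJECT rules. A
# broader match would be -m addrtype --dst-type BROADCAST,MULTICAST.
-A INPUT -p tcp -m multiport --dports 137,138,139,445,1026,1434 -j DROP
-A INPUT -p udp -m multiport --dports 137,138,139,445,1026,1434 -j DROP
#-A INPUT -d 10.255.255.255 -j DROP
-A INPUT -d 255.255.255.255 -j DROP
-A INPUT -d 224.0.0.1 -j DROP

# Log and reject the rest with reasonable rates
# Logging is capped at 1/sec (burst 10), so a fast scan is only partially
# recorded; the REJECT rules are capped separately at 10/sec (burst 100),
# above which the DROP policy takes over and no reply is sent.
-A INPUT -m limit --limit 1/sec --limit-burst 10 -j LOG --log-prefix "iptables rejecting: "
-A INPUT -p tcp -m limit --limit 10/sec --limit-burst 100 -j REJECT --reject-with tcp-reset
# "! -p tcp" is the extrapositioned negation; the older "-p ! tcp" form is
# deprecated and newer iptables releases warn on or refuse it.
-A INPUT ! -p tcp -m limit --limit 10/sec --limit-burst 100 -j REJECT --reject-with icmp-host-prohibited

COMMIT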
