# ip6tables-save/restore ruleset for the filter table (IPv6: note the icmpv6
# protocol and the "[INPUT6]" log prefix below). Load with ip6tables-restore.
# All three built-in chains default to DROP, so only traffic an explicit
# ACCEPT rule matches gets through. Rule order within a chain is significant:
# the first matching rule with a terminating target decides the packet's fate.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# user-defined chain ("-" policy) for NEW inbound connections; jumped to from INPUT
:in-new - [0:0]

### INPUT chain

# allow all loopback traffic
-A INPUT -i lo -j ACCEPT

# RT0 processing is disabled since 2.6.20.9
# (type-0 routing headers are no longer processed by the kernel, so this
# explicit reject is left disabled)
#-A INPUT -m rt --rt-type 0 -j REJECT

# allow all ICMPv6 traffic
# NOTE(review): ICMPv6 is required on IPv6 (Neighbor Discovery, Path MTU
# Discovery), but this rule accepts every type, including echo requests,
# without rate limiting. A tighter policy would allow only the types the host
# needs (RFC 4890 gives recommendations); confirm before narrowing, since
# blocking NDP breaks connectivity.
-A INPUT -p icmpv6 -j ACCEPT

# packets belonging to an established connection or related to one can pass
# (-m state is the legacy spelling of -m conntrack --ctstate; same semantics)
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# packets that are out-of-sequence are silently dropped
# (INVALID: not part of a tracked connection and not a valid start of one)
-A INPUT -m state --state INVALID -j DROP

# new connections unknown to the kernel are handled in a separate chain;
# a packet that in-new does not accept returns here and reaches the
# LOG/REJECT tail below
-A INPUT -m state --state NEW -j in-new

# pass SYN packets for SSH
# (--syn matches only the initial SYN; any other NEW packet to port 22 falls
# through in-new and is logged and rejected below)
-A in-new -p tcp -m tcp --dport 22 --syn -j ACCEPT

# log and reject everything else
# (the limit match caps logging at 3/min with a burst of 10 so a flood cannot
# fill the log; packets above the limit are still rejected by the next rule)
-A INPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[INPUT6]: "
# NOTE(review): REJECT answers with an ICMPv6 error, which confirms to the
# sender that the host is up; DROP would be silent. Kept as the author chose it.
-A INPUT -j REJECT

### OUTPUT chain

# RT0 processing is disabled since 2.6.20.9
#-A OUTPUT -m rt --rt-type 0 -j REJECT

# allow outgoing traffic, explicitly (despite chain policy)
# (no egress filtering: every locally generated packet is accepted)
-A OUTPUT -j ACCEPT

### FORWARD chain

# RT0 processing is disabled since 2.6.20.9
#-A FORWARD -m rt --rt-type 0 -j REJECT

# disallow forwarded traffic, explicitly (despite chain policy)
# (this host does not route; the rule is redundant with the DROP policy but
# makes the intent visible and answers with an ICMPv6 error instead of
# silently dropping)
-A FORWARD -j REJECT

COMMIT