iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N BASE_FORWARD_CHAIN
-N BASE_INPUT_CHAIN
-N BASE_OUTPUT_CHAIN
-N DMZ_FORWARD_IN_CHAIN
-N DMZ_FORWARD_OUT_CHAIN
-N DMZ_INET_FORWARD_CHAIN
-N DMZ_INPUT_CHAIN
-N DMZ_LAN_FORWARD_CHAIN
-N DMZ_OUTPUT_CHAIN
-N EXT_FORWARD_IN_CHAIN
-N EXT_FORWARD_OUT_CHAIN
-N EXT_ICMP_FLOOD_CHAIN
-N EXT_INPUT_CHAIN
-N EXT_OUTPUT_CHAIN
-N FORWARD_CHAIN
-N HOST_BLOCK_DROP
-N HOST_BLOCK_DST
-N HOST_BLOCK_SRC
-N INET_DMZ_FORWARD_CHAIN
-N INPUT_CHAIN
-N INT_FORWARD_IN_CHAIN
-N INT_FORWARD_OUT_CHAIN
-N INT_INPUT_CHAIN
-N INT_OUTPUT_CHAIN
-N LAN_INET_FORWARD_CHAIN
-N OUTPUT_CHAIN
-N POST_FORWARD_CHAIN
-N POST_INPUT_CHAIN
-N POST_INPUT_DROP_CHAIN
-N POST_OUTPUT_CHAIN
-N RESERVED_NET_CHK
-N SPOOF_CHK
-N VALID_CHK
-A INPUT -j BASE_INPUT_CHAIN
-A INPUT -j INPUT_CHAIN
-A INPUT -j HOST_BLOCK_SRC
-A INPUT -j SPOOF_CHK
-A INPUT -i ppp0 -j VALID_CHK
-A INPUT -i ppp0 ! -p icmp -m state --state NEW -j EXT_INPUT_CHAIN
-A INPUT -i ppp0 -p icmp -m state --state NEW -m limit --limit 60/sec --limit-burst 100 -j EXT_INPUT_CHAIN
-A INPUT -i ppp0 -p icmp -m state --state NEW -j EXT_ICMP_FLOOD_CHAIN
-A INPUT -i eth0 -j VALID_CHK
-A INPUT -i eth0 ! -p icmp -m state --state NEW -j EXT_INPUT_CHAIN
-A INPUT -i eth0 -p icmp -m state --state NEW -m limit --limit 60/sec --limit-burst 100 -j EXT_INPUT_CHAIN
-A INPUT -i eth0 -p icmp -m state --state NEW -j EXT_ICMP_FLOOD_CHAIN
-A INPUT -i eth1 -j INT_INPUT_CHAIN
-A INPUT -j POST_INPUT_CHAIN
-A INPUT -m limit --limit 1/sec -j LOG --log-prefix "AIF:Dropped INPUT packet: " --log-level 6
-A INPUT -j DROP
-A FORWARD -j BASE_FORWARD_CHAIN
-A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -j FORWARD_CHAIN
-A FORWARD -j HOST_BLOCK_SRC
-A FORWARD -j HOST_BLOCK_DST
-A FORWARD -i ppp0 -j EXT_FORWARD_IN_CHAIN
-A FORWARD -o ppp0 -j EXT_FORWARD_OUT_CHAIN
-A FORWARD -i eth0 -j EXT_FORWARD_IN_CHAIN
-A FORWARD -o eth0 -j EXT_FORWARD_OUT_CHAIN
-A FORWARD -i eth1 -j INT_FORWARD_IN_CHAIN
-A FORWARD -o eth1 -j INT_FORWARD_OUT_CHAIN
-A FORWARD -j SPOOF_CHK
-A FORWARD -i eth1 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o ppp0 -j LAN_INET_FORWARD_CHAIN
-A FORWARD -i eth1 -o eth0 -j LAN_INET_FORWARD_CHAIN
-A FORWARD -j POST_FORWARD_CHAIN
-A FORWARD -m limit --limit 1/min --limit-burst 3 -j LOG --log-prefix "AIF:Dropped FORWARD packet: " --log-level 6
-A FORWARD -j DROP
-A OUTPUT -j BASE_OUTPUT_CHAIN
-A OUTPUT -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -j OUTPUT_CHAIN
-A OUTPUT -j HOST_BLOCK_DST
-A OUTPUT -f -m limit --limit 3/min -j LOG --log-prefix "AIF:Fragment packet: " --log-level 6
-A OUTPUT -f -j DROP
-A OUTPUT -o ppp0 -j EXT_OUTPUT_CHAIN
-A OUTPUT -o eth0 -j EXT_OUTPUT_CHAIN
-A OUTPUT -o eth1 -j INT_OUTPUT_CHAIN
-A OUTPUT -j POST_OUTPUT_CHAIN
-A OUTPUT -j ACCEPT
-A BASE_FORWARD_CHAIN -m state --state ESTABLISHED -j ACCEPT
-A BASE_FORWARD_CHAIN -p tcp -m state --state RELATED -m tcp --dport 1024:65535 -j ACCEPT
-A BASE_FORWARD_CHAIN -p udp -m state --state RELATED -m udp --dport 1024:65535 -j ACCEPT
-A BASE_FORWARD_CHAIN -p icmp -m state --state RELATED -j ACCEPT
-A BASE_FORWARD_CHAIN -i lo -j ACCEPT
-A BASE_INPUT_CHAIN -m state --state ESTABLISHED -j ACCEPT
-A BASE_INPUT_CHAIN -p tcp -m state --state RELATED -m tcp --dport 1024:65535 -j ACCEPT
-A BASE_INPUT_CHAIN -p udp -m state --state RELATED -m udp --dport 1024:65535 -j ACCEPT
-A BASE_INPUT_CHAIN -p icmp -m state --state RELATED -j ACCEPT
-A BASE_INPUT_CHAIN -i lo -j ACCEPT
-A BASE_OUTPUT_CHAIN -m state --state ESTABLISHED -j ACCEPT
-A BASE_OUTPUT_CHAIN -o lo -j ACCEPT
-A EXT_FORWARD_IN_CHAIN -j VALID_CHK
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 3 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-unreachable flood: " --log-level 6
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 3 -j POST_INPUT_DROP_CHAIN
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 11 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-time-exceeded fld: " --log-level 6
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 11 -j POST_INPUT_DROP_CHAIN
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 12 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-param-problem fld: " --log-level 6
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 12 -j POST_INPUT_DROP_CHAIN
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-request(ping) fld: " --log-level 6
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 8 -j POST_INPUT_DROP_CHAIN
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 0 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-reply(pong) flood: " --log-level 6
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 0 -j POST_INPUT_DROP_CHAIN
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 4 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-source-quench fld: " --log-level 6
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 4 -j POST_INPUT_DROP_CHAIN
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP(other) flood: " --log-level 6
-A EXT_ICMP_FLOOD_CHAIN -p icmp -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "AIF:Port 0 OS fingerprint: " --log-level 6
-A EXT_INPUT_CHAIN -p udp -m udp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "AIF:Port 0 OS fingerprint: " --log-level 6
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0 -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p udp -m udp --dport 0 -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p tcp -m tcp --sport 0 -m limit --limit 6/hour -j LOG --log-prefix "AIF:TCP source port 0: " --log-level 6
-A EXT_INPUT_CHAIN -p udp -m udp --sport 0 -m limit --limit 6/hour -j LOG --log-prefix "AIF:UDP source port 0: " --log-level 6
-A EXT_INPUT_CHAIN -p tcp -m tcp --sport 0 -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p udp -m udp --sport 0 -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 20/sec --limit-burst 100 -j ACCEPT
-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-request: " --log-level 6
-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 3 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-unreachable: " --log-level 6
-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 11 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-time-exceeded: " --log-level 6
-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 12 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-param.-problem: " --log-level 6
-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 3 -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 11 -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 12 -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 0 -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 1024:65535 ! --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth scan? (UNPRIV): " --log-level 6
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0:1023 ! --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth scan? (PRIV): " --log-level 6
-A EXT_INPUT_CHAIN -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV connect attempt: " --log-level 6
-A EXT_INPUT_CHAIN -p udp -m udp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV connect attempt: " --log-level 6
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV connect attempt: " --log-level 6
-A EXT_INPUT_CHAIN -p udp -m udp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV connect attempt: " --log-level 6
-A EXT_INPUT_CHAIN -j POST_INPUT_CHAIN
-A EXT_INPUT_CHAIN -p tcp -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p udp -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p icmp -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -m limit --limit 1/min -j LOG --log-prefix "AIF:Connect attempt: " --log-level 6
-A EXT_INPUT_CHAIN -j POST_INPUT_DROP_CHAIN
-A HOST_BLOCK_DROP -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "AIF:Blocked host(s): " --log-level 6
-A HOST_BLOCK_DROP -j DROP
-A INT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 20/sec --limit-burst 100 -j ACCEPT
-A INT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-request: " --log-level 6
-A INT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -j DROP
-A INT_INPUT_CHAIN -j ACCEPT
-A LAN_INET_FORWARD_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 20/sec --limit-burst 100 -j ACCEPT
-A LAN_INET_FORWARD_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-request: " --log-level 6
-A LAN_INET_FORWARD_CHAIN -p icmp -m icmp --icmp-type 8 -j DROP
-A LAN_INET_FORWARD_CHAIN -p tcp -j ACCEPT
-A LAN_INET_FORWARD_CHAIN -p udp -j ACCEPT
-A LAN_INET_FORWARD_CHAIN -j ACCEPT
-A POST_INPUT_DROP_CHAIN -j DROP
-A RESERVED_NET_CHK -s 10.0.0.0/8 -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "AIF:Class A address: " --log-level 6
-A RESERVED_NET_CHK -s 172.16.0.0/12 -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "AIF:Class B address: " --log-level 6
-A RESERVED_NET_CHK -s 192.168.0.0/16 -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "AIF:Class C address: " --log-level 6
-A RESERVED_NET_CHK -s 169.254.0.0/16 -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "AIF:Class M$ address: " --log-level 6
-A RESERVED_NET_CHK -s 224.0.0.0/24 -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "AIF:Multicast address: " --log-level 6
-A RESERVED_NET_CHK -s 239.0.0.0/24 -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "AIF:Multicast address: " --log-level 6
-A RESERVED_NET_CHK -s 10.0.0.0/8 -j POST_INPUT_DROP_CHAIN
-A RESERVED_NET_CHK -s 172.16.0.0/12 -j POST_INPUT_DROP_CHAIN
-A RESERVED_NET_CHK -s 192.168.0.0/16 -j POST_INPUT_DROP_CHAIN
-A RESERVED_NET_CHK -s 169.254.0.0/16 -j POST_INPUT_DROP_CHAIN
-A RESERVED_NET_CHK -s 224.0.0.0/24 -j POST_INPUT_DROP_CHAIN
-A RESERVED_NET_CHK -s 239.0.0.0/24 -j POST_INPUT_DROP_CHAIN
-A SPOOF_CHK -s 192.168.3.0/24 -i eth1 -j RETURN
-A SPOOF_CHK -s 192.168.3.0/24 -m limit --limit 3/min -j LOG --log-prefix "AIF:Spoofed packet: " --log-level 6
-A SPOOF_CHK -s 192.168.3.0/24 -j POST_INPUT_DROP_CHAIN
-A SPOOF_CHK -j RETURN
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth XMAS scan: " --log-level 6
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth XMAS-PSH scan: " --log-level 6
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth XMAS-ALL scan: " --log-level 6
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth FIN scan: " --log-level 6
-A VALID_CHK -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth SYN/RST scan: " --log-level 6
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth SYN/FIN scan?: " --log-level 6
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth Null scan: " --log-level 6
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j POST_INPUT_DROP_CHAIN
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j POST_INPUT_DROP_CHAIN
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j POST_INPUT_DROP_CHAIN
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j POST_INPUT_DROP_CHAIN
-A VALID_CHK -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j POST_INPUT_DROP_CHAIN
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j POST_INPUT_DROP_CHAIN
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j POST_INPUT_DROP_CHAIN
-A VALID_CHK -p tcp -m tcp --tcp-option 64 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:Bad TCP flag(64): " --log-level 6
-A VALID_CHK -p tcp -m tcp --tcp-option 128 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:Bad TCP flag(128): " --log-level 6
-A VALID_CHK -p tcp -m tcp --tcp-option 64 -j POST_INPUT_DROP_CHAIN
-A VALID_CHK -p tcp -m tcp --tcp-option 128 -j POST_INPUT_DROP_CHAIN
-A VALID_CHK -m state --state INVALID -j POST_INPUT_DROP_CHAIN
-A VALID_CHK -f -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:Fragment packet: "
-A VALID_CHK -f -j DROP