*filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT DROP [0:0] # allow local loopback connections -A INPUT -i lo -j ACCEPT # drop INVALID connections -A INPUT -m state --state INVALID -j DROP -A OUTPUT -m state --state INVALID -j DROP -A FORWARD -m state --state INVALID -j DROP # allow all established and related -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # allow connections to my ISP's DNS servers -A OUTPUT -d 2.3.4.10 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT -A OUTPUT -d 2.3.4.11 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT -A FORWARD -d 2.3.4.10 -m state --state NEW -p udp --dport 53 -i eth1 -o eth0 -j ACCEPT -A FORWARD -d 2.3.4.11 -m state --state NEW -p udp --dport 53 -i eth1 -o eth0 -j ACCEPT # allow outgoing connections to web servers -A OUTPUT -d 0/0 -m state --state NEW -p tcp -m multiport --dport http,https -o eth0 -j ACCEPT -A FORWARD -d 0/0 -m state --state NEW -p tcp -m multiport --dport http,https -o eth0 -i eth1 -j ACCEPT # allow outgoing mail connections to my ISP's SMTP and POP3 server only -A OUTPUT -d mail.my-isp.com -m state --state NEW -p tcp -m multiport --dport smtp,pop3 -o eth0 -j ACCEPT -A FORWARD -d mail.my-isp.com -m state --state NEW -p tcp -m multiport --dport smtp,pop3 -o eth0 -j ACCEPT # log all other attempted out going connections -A OUTPUT -o eth0 -j LOG -A FORWARD -j LOG # default is to DROP out-going connections COMMIT *nat # set up IP forwarding and nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4 COMMIT