# NEW TCP without SYN
/sbin/iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN
+ /sbin/iptables -A INPUT -p tcp -j BADTCP
+ /sbin/iptables -A FORWARD -p tcp -j BADTCP
+
# Connection tracking chain
/sbin/iptables -N CONNTRACK
/sbin/iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
- /sbin/iptables -A INPUT -j BADTCP
- /sbin/iptables -A FORWARD -j BADTCP
-
# Fix for braindead ISP's
/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
/sbin/iptables -A INPUT -j GUIINPUT
/sbin/iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT
+ # Accept everything on loopback
+ /sbin/iptables -N LOOPBACK
+ /sbin/iptables -A LOOPBACK -i lo -j ACCEPT
+ /sbin/iptables -A LOOPBACK -o lo -j ACCEPT
+
+ /sbin/iptables -A INPUT -j LOOPBACK
+ /sbin/iptables -A OUTPUT -j LOOPBACK
+
# Accept everything connected
for i in INPUT FORWARD OUTPUT; do
/sbin/iptables -A ${i} -j CONNTRACK
done
- # Accept everything on lo
- iptables -A INPUT -i lo -m conntrack --ctstate NEW -j ACCEPT
- iptables -A OUTPUT -o lo -m conntrack --ctstate NEW -j ACCEPT
-
# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
/sbin/iptables -N IPSECINPUT
/sbin/iptables -N IPSECFORWARD