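# This firewall configuration written by David Means
# Version of 2-Feb-2004 09:44
#
# Design: INPUT and FORWARD default to DROP. Return traffic is admitted by
# connection tracking (ESTABLISHED,RELATED) rather than by matching the
# source port of the packet, so a packet cannot earn acceptance simply by
# carrying source port 80 or 53.  Only the services listed in TCP-CHK /
# UDP-CHK accept unsolicited connections; anything else is logged (rate
# limited) and dropped.  Unsolicited connections to ports above 1023 on this
# host are no longer accepted wholesale -- add an explicit --dport rule for
# any service that must listen there.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Source-NAT the LAN behind the single public address.
-A POSTROUTING -s 192.168.207.0/255.255.255.0 -j SNAT --to-source 216.39.145.64
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ICMP-CHK - [0:0]
:UDP-CHK - [0:0]
:TCP-CHK - [0:0]
:TCP-SYN - [0:0]
# --- INPUT: traffic addressed to this host ---
-A INPUT -i lo -j ACCEPT
# NOTE(review): assumes eth0 is the trusted LAN side (the SNAT rule above
# rewrites 192.168.207.0/24) -- confirm.  If eth0 faces the Internet this line
# admits every inbound packet before any check below runs.
-A INPUT -i eth0 -j ACCEPT
# Packets conntrack cannot classify (bad sequence/flags) are never replies.
-A INPUT -m state --state INVALID -j DROP
# Replies to connections this host opened, and RELATED traffic (ICMP errors).
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Everything from here on is NEW; dispatch per protocol.
-A INPUT -p tcp -j TCP-CHK
-A INPUT -p udp -j UDP-CHK
-A INPUT -p icmp -j ICMP-CHK
# Rate-limited so an unsolicited flood cannot fill the log; policy DROP follows.
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix INPT:
# --- FORWARD: traffic routed through this host for the LAN ---
# NOTE(review): same eth0 = LAN assumption as in INPUT -- confirm.
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
# Return traffic for LAN-initiated connections (replaces the stateless
# SYN,ACK flag match and the blanket UDP high-port accept).
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# No DNAT is defined, so nothing unsolicited is expected here; log and drop.
-A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix PASS:
# --- ICMP-CHK: unsolicited ICMP to this host ---
-A ICMP-CHK -p icmp --icmp-type echo-reply -j ACCEPT
-A ICMP-CHK -p icmp --icmp-type echo-request -j ACCEPT
-A ICMP-CHK -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ICMP-CHK -p icmp --icmp-type source-quench -j ACCEPT
# NOTE(review): accepting redirects from any host is a common hardening
# finding; whether it matters depends on net.ipv4.conf.*.accept_redirects,
# which is not visible here.
-A ICMP-CHK -p icmp --icmp-type redirect -j ACCEPT
-A ICMP-CHK -p icmp --icmp-type time-exceeded -j ACCEPT
# --- UDP-CHK: unsolicited UDP to this host ---
# Inbound DNS queries to the resolver on this host (from clients and from
# servers that send from port 53).  DNS *replies* to our own queries are
# handled by the ESTABLISHED rule in INPUT, not by a source-port match.
-A UDP-CHK -p udp --sport 1024:65535 --dport 53 -j ACCEPT
-A UDP-CHK -p udp --sport 53 --dport 53 -j ACCEPT
# NTP peers that may initiate toward us (source-restricted).
-A UDP-CHK -p udp -s 216.27.190.202 --sport 123 --dport 123 -j ACCEPT
-A UDP-CHK -p udp -s 66.13.45.202 --sport 123 --dport 123 -j ACCEPT
-A UDP-CHK -p udp -s 192.83.249.28 --sport 123 --dport 123 -j ACCEPT
# Quiet drops for chatty Windows/SQL broadcast ports (no log entry).
-A UDP-CHK -p udp --dport 137 -j DROP
-A UDP-CHK -p udp --dport 139 -j DROP
-A UDP-CHK -p udp --dport 1434 -j DROP
-A UDP-CHK -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix IN-UDP:
-A UDP-CHK -j DROP
# --- TCP-CHK: unsolicited TCP to this host ---
# Services offered by this host.  The former "--sport 80 ACCEPT" and
# "--dport 1024:65535 ACCEPT" rules are gone: they matched replies by port
# only, so any packet with source port 80 (to any destination port) or any
# packet to a high port was admitted without a tracked connection.
-A TCP-CHK -p tcp --dport 80 -j ACCEPT
-A TCP-CHK -p tcp --dport 22 -j ACCEPT
-A TCP-CHK -p tcp --dport 25 -j ACCEPT
-A TCP-CHK -p tcp -s 216.39.128.0/24 --dport 53 -j ACCEPT
# New connections to other privileged ports: quiet-drop the noisy ones.
-A TCP-CHK -p tcp --dport 0:1023 --syn -j TCP-SYN
-A TCP-CHK -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix IN-TCP:
-A TCP-CHK -j DROP
# --- TCP-SYN: connection attempts to privileged ports not served here ---
# Dropped silently to keep scanner/worm noise out of the log; everything else
# is logged (rate limited) and dropped.
-A TCP-SYN -p tcp --dport 135 -j DROP
-A TCP-SYN -p tcp --dport 139 -j DROP
-A TCP-SYN -p tcp --dport 443 -j DROP
-A TCP-SYN -p tcp --dport 445 -j DROP
-A TCP-SYN -p tcp --dport 901 -j DROP
-A TCP-SYN -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix IN-TCP:
-A TCP-SYN -j DROP
COMMIT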