# raw table: evaluated before connection tracking. Used here only to exempt
# loopback traffic from conntrack.
*raw
# The bracketed [packets:bytes] values are counters captured by iptables-save;
# iptables-restore applies them only when run with -c/--counters.
:PREROUTING ACCEPT [16844:4134331]
:OUTPUT ACCEPT [14817:3557010]
# Loopback packets are marked NOTRACK in both directions, so they create no
# conntrack entries and are seen as UNTRACKED by state matches. They therefore
# have to be admitted by an interface rule (the filter table's
# "-A INPUT -i lo -j ACCEPT"), not by an ESTABLISHED match.
-A PREROUTING -i lo -j CT --notrack
-A OUTPUT -o lo -j CT --notrack
COMMIT
# filter table: default-deny inbound policy for an IPv4 host.
# INPUT and FORWARD default to DROP, OUTPUT defaults to ACCEPT. No rule below
# admits new inbound TCP or UDP connections, so the only unsolicited traffic
# accepted is ICMP echo. Before loading this on a remotely managed host, confirm
# console/out-of-band access or add an allow rule for the management service.
# This file covers IPv4 only; IPv6 needs its own ruleset via ip6tables-restore.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [7035:765322]
# Per-source rate limit for ICMP echo-request using the "recent" match (no
# --name is given, so the module's default list is used).
# -I without a rule number inserts at position 1, so after restore these two
# rules sit at the top of INPUT in reverse file order: the --update/DROP rule
# is evaluated first, then --set records the source address.
# A source with at least 5 recorded hits in the last 10 seconds is dropped.
# NOTE(review): the recent list has a finite size (xt_recent module parameters),
# so entries can be evicted when many distinct sources are seen - confirm the
# limits suit this host.
-I INPUT -p icmp --icmp-type echo-request -m recent --set
-I INPUT -p icmp --icmp-type echo-request -m recent --update --seconds 10 --hitcount 5 -j DROP
# Loopback is always accepted (it is untracked, see the raw table).
-A INPUT -i lo -j ACCEPT
# Return traffic for connections this host already has, any protocol.
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# RELATED is accepted for ICMP only (e.g. ICMP errors tied to an existing
# flow); RELATED TCP/UDP flows are not admitted by any rule here.
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
# Drop TCP packets that conntrack classifies as NEW but that are not a plain SYN.
# NOTE(review): "-m state" is the legacy form of the match; the rest of this
# file uses "-m conntrack --ctstate", which is the equivalent spelling.
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Drop non-first IPv4 fragments.
# NOTE(review): when connection tracking is loaded, IPv4 packets are normally
# reassembled before this table is consulted, so this rule may never match -
# check its counters before relying on it.
-A INPUT -f -j DROP
# Drop malformed "Xmas" TCP packets (every TCP flag set).
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Drop malformed "NULL" TCP packets (no TCP flag set).
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Echo-requests that passed the rate limit at the top of the chain are accepted.
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
# Echo-replies are accepted with no state condition, so this also admits
# replies that do not correspond to a ping sent by this host.
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Explicit final drop; duplicates the chain policy but gives the dropped
# traffic its own rule counter.
-A INPUT -j DROP
# Redundant with the OUTPUT ACCEPT policy; only has an effect if that policy
# is later changed.
-A OUTPUT -o lo -j ACCEPT
COMMIT
