# Firewall configuration for a web and SMTP server. # See http://ferm.foo-projects.org/ table filter { chain INPUT { policy DROP; # connection tracking mod state state INVALID DROP; mod state state (ESTABLISHED RELATED) ACCEPT; # allow local connections interface lo ACCEPT; # respond to ping proto icmp icmp-type echo-request ACCEPT; # expose our services to the world: # web, ssh, imap + ssl, smtp + ssl, jabber/xmpp, dns, znc proto tcp dport (53 http https ssh smtp 993 465 5222 5223 5269 6697) ACCEPT; # openvpn proto udp dport 1194 ACCEPT; # mosh port range proto udp dport 60000:61000 ACCEPT; # the rest is dropped by the above policy } # outgoing connections are not limited chain OUTPUT policy ACCEPT; # this is not a router chain FORWARD policy DROP; }