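*filter
# iptables-restore rule set for a host firewall (filter table only).
#
# Chain policies are declared explicitly and fail-closed: if the catch-all
# LOGDROP rules at the bottom are ever removed, or the chains are flushed
# without being reloaded, unmatched INPUT/FORWARD traffic is still dropped
# rather than accepted.  OUTPUT stays ACCEPT because all outbound traffic is
# allowed below.  Counters are reset to [0:0] on load.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# User chain used as a "log, then drop" target (declared here; the ":" form
# replaces "-N LOGDROP" in iptables-save format).
:LOGDROP - [0:0]

# Set up logging for dropped packets.  The limit match caps log output at
# 15 entries/minute so a flood cannot fill the log; --log-level 7 = debug.
-A LOGDROP -m limit --limit 15/min -j LOG --log-prefix "iptables dropped: " --log-level 7
-A LOGDROP -j DROP

# Allow all outbound traffic
-A OUTPUT -j ACCEPT

# Accept all loopback traffic
-A INPUT -i lo -j ACCEPT

# Drop all traffic to loopback IPs arriving on any other interface
# (127.0.0.0/8 must never appear on the wire; such packets are spoofed).
-A INPUT ! -i lo -d 127.0.0.0/8 -j LOGDROP

# Drop packets the connection tracker cannot associate with any flow
# (malformed or out-of-state TCP segments) before the port-based ACCEPT
# rules below get a chance to match them.
-A INPUT -m conntrack --ctstate INVALID -j LOGDROP

# Accept incoming traffic belonging to established connections.
# "conntrack --ctstate" supersedes the deprecated "state --state" match with
# the same semantics; RELATED also covers ICMP errors tied to a tracked flow
# (e.g. fragmentation-needed for PMTU discovery), so those still pass even
# though no inbound ICMP is accepted explicitly.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Accept incoming traffic on TCP ports 22 (SSH), 80 (HTTP) and 443 (HTTPS)
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# TCP port 5432 (Postgres) is reachable from ANY source address.  Unless the
# database is intentionally public, restrict this rule to the trusted client
# network(s), e.g.
#   -A INPUT -p tcp --dport 5432 -s <TRUSTED_CLIENT_CIDR> -j ACCEPT
# (placeholder CIDR to be filled in by the operator).
-A INPUT -p tcp --dport 5432 -j ACCEPT

# Drop everything else (rate-limited log, then DROP).  These rules mirror the
# chain policies above and keep the drops visible in the log.
-A INPUT -j LOGDROP
-A FORWARD -j LOGDROP
COMMIT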