*filter

# accept established connections
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# accept local traffic
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# accept ping
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

# accept ssh with rate limiting
-N LOGREJECTSSH
-A LOGREJECTSSH -j LOG --log-prefix "iptables deny: " --log-level 7
-A LOGREJECTSSH -j REJECT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH --rsource
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name SSH --rttl --rsource -j LOGREJECTSSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# drop invalid
-A INPUT -m conntrack --ctstate INVALID -j DROP

# reject all others (linux compliant blacklist)
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-rst
-A INPUT -j REJECT --reject-with icmp-proto-unreachable

# drop forwards
-A FORWARD -j DROP

COMMIT