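# Generated by iptables-save v1.2.9 on Sun Sep 11 05:30:05 2005
# 192.168.1.101 == Desktop IP address
# 192.168.1.102 == Laptop IP address
#
# Layout note: RH-Firewall-1-INPUT ends in an unconditional REJECT, so any
# rule appended to INPUT *after* the jump into that chain is never evaluated.
# The TCP flag sanity rules therefore come first, before the jump.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [109:12928]
:RH-Firewall-1-INPUT - [0:0]

# Drop if no flags set or all flags set
# NOTE(review): these two rules only cover packets addressed to the desktop
# IP (-d 192.168.1.101); confirm this file is meant for that host.
-A INPUT -p tcp -s 0/0 -d 192.168.1.101 --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp -s 0/0 -d 192.168.1.101 --tcp-flags ALL ALL -j DROP
# Drop stealth scans (eth1 only).
# Each rule carries an explicit -j DROP: a rule with a match but no target
# only updates packet counters and lets the packet continue down the chain.
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags ACK,FIN FIN -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP

# user-defined chain to handle input and forward
# (the flag checks above apply to INPUT only, not to FORWARD)
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT

# Loopback, ICMP (type 255 is treated as "any type" by the icmp match),
# and IPsec ESP/AH are accepted unconditionally.
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
# Allow pop3 on port 110
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 110 --state NEW -j ACCEPT
# Allow smtp on port 25
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 25 --state NEW -j ACCEPT
# Allow web server on port 80
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 80 --state NEW -j ACCEPT
# Allow ssh on port 22 from laptop
-A RH-Firewall-1-INPUT -s 192.168.1.102 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
# Allow nfs on ports 111 (portmapper), 2049 (nfs), and 33333 (mountd) from laptop
# (port numbers obtained from `rpcinfo -p`)
# The ICMP type 3 rule is already covered by the --icmp-type 255 accept above;
# kept for readability.
-A RH-Firewall-1-INPUT -s 192.168.1.102 -p icmp -m icmp --icmp-type 3 -j ACCEPT
# portmapper
-A RH-Firewall-1-INPUT -s 192.168.1.102 -p udp -m udp --dport 111 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.102 -p tcp -m tcp --dport 111 -m state --state NEW -j ACCEPT
# nfs
-A RH-Firewall-1-INPUT -s 192.168.1.102 -p udp -m udp --dport 2049 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.102 -p tcp -m tcp --dport 2049 -m state --state NEW -j ACCEPT
# mountd: This assumes that mountd is running on port 33333 only.
# This can be forced by adding "MOUNTD_PORT=33333" just before the first occurrence
# of MOUNTD_PORT in /etc/init.d/nfs.
-A RH-Firewall-1-INPUT -s 192.168.1.102 -p udp -m udp --dport 33333 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.102 -p tcp -m tcp --dport 33333 -m state --state NEW -j ACCEPT
# Allow bittorrent on ports 6881-6889 from desktop
# The original rule had no -s match and so accepted these ports from any host;
# restricted to the desktop address to match the stated intent.
-A RH-Firewall-1-INPUT -s 192.168.1.101 -p tcp -m tcp --dport 6881:6889 -m state --state NEW -j ACCEPT
# Traffic belonging to an already-accepted connection, then reject the rest.
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sun Sep 11 05:30:05 2005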