!/bin/sh
#
# allow me to initiate TCP connections to anywhere
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# identd (fauxident.py) for cvs, et al.
#
iptables -t filter -I INPUT -i ppp0 -m tcp -p tcp --dport 113 -j ACCEPT

# NETBIOS (Wind0ws broadcast).
#
iptables -t filter -I INPUT -i ppp0 -m udp -p udp --dport 137 -j DROP
iptables -t filter -I INPUT -i ppp0 -m udp -p udp --dport 138 -j DROP

# -----------------------------------------------------------------------
# Network Time Protocol - for chronyd
# 
# http://linuxreviews.org/howtos/ntp/
# 
iptables -A INPUT -j ACCEPT -p tcp --dport 123

# allow no externally initiated connections.
#
iptables -A INPUT -s ! 127.0.0.1/32 -m state --state NEW -j LOG
iptables -A INPUT -s ! 127.0.0.1/32 -m state --state NEW -j DROP

# This will give the RFC-compliant "closed port" response for TCP and
# UDP, but it breaks slrn:
#
# iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
# iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

# allow established and related connections to come in
#
iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT