*raw
-A PREROUTING -j NOTRACK
-A OUTPUT -j NOTRACK
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

##  Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT

## allow incoming SSH, change port here:
-A INPUT -p tcp --dport 23942 -j ACCEPT
## only allow on one of our IPs:
#-A INPUT -p tcp -d 123.456.789.01 --dport 23942 -j ACCEPT

## allow munin from webserver
-A INPUT -p tcp --dport 4949 -s 194.150.168.61 -j ACCEPT

## DirPort, ORPort (optional: Webserver)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

## Allow several ICMP types 
## http://www.oregontechsupport.com/articles/icmp.txt
-A INPUT -p icmp -m icmp --icmp-type host-unreachable -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type port-unreachable -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP

## to log denied packets uncomment this line
#-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

## drop non-established TCP
-A INPUT -p tcp --syn -j DROP

## allows all udp in, but avoids conntrack

COMMIT