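*filter
# Host firewall for the IPv4 filter table (iptables-restore format).
# Default policies: drop unsolicited inbound, drop forwarding (this host is
# not a router), allow all outbound. Note this only covers IPv4; a matching
# ip6tables ruleset is required if the host has IPv6 connectivity.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# User chains: per-protocol service rules and SSH brute-force throttling.
:TCP - [0:0]
:UDP - [0:0]
:SSH - [0:0]

# Loopback is trusted and accepted before any rate limiting, so local pings
# and local service traffic never consume the ICMP limit bucket below.
-A INPUT -i lo -j ACCEPT

# Drop packets conntrack cannot classify (malformed, out-of-window, bad
# checksum) before they can be counted by a limit or answered by a REJECT.
-A INPUT -m conntrack --ctstate INVALID -j DROP

# Rate limit ping requests. This deliberately sits BEFORE the
# RELATED,ESTABLISHED accept: once a reply has been seen, conntrack can treat
# further echo-requests from the same ping (same ICMP id) as ESTABLISHED, and
# placing the limit afterwards would let a flood through unthrottled.
# NOTE: -m limit is one global bucket, not per-source; a single aggressive
# pinger exhausts it for everyone. Excess echo-requests are dropped silently
# rather than falling through to the icmp-proto-unreachable REJECT at the end.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP

# Fast path for packets belonging to tracked flows.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# SSH brute-force throttling. Only SYN packets opening a new flow are sent to
# the SSH chain, matching the generic TCP dispatch below; NEW-state non-SYN
# packets (conntrack may pick up mid-stream flows) fall through to the
# tcp-rst REJECT instead of being accepted here.
-A INPUT -p tcp --syn --dport ssh -m conntrack --ctstate NEW -j SSH
# Drop a source that already has 3 accepted connections in the last 10 s, or
# 20 in the last 30 min. Entries are only recorded by the --set rule on
# ACCEPT, so dropped attempts do not add hits. --rttl ties each hit to the
# TTL it was recorded with, so an attacker forging another address's source
# cannot easily get that address blocked. --hitcount cannot exceed
# xt_recent's ip_pkt_list_tot (default 20); raise that module parameter
# before raising the second count.
-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
# SSH is otherwise reachable from any source; add -s / an ipset match on the
# INPUT jump above if it is not meant to be world-reachable.
-A SSH -m recent --name sshbf --set -j ACCEPT

# Dispatch the remaining new connections to the per-protocol chains. A chain
# that does not match returns here and the packet reaches the REJECT rules.
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

# Anything not accepted above gets an RFC-compliant refusal rather than a
# silent drop, so legitimate clients fail fast instead of hanging on timeouts.
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-rst
-A INPUT -j REJECT --reject-with icmp-proto-unreachable

## TCP PORT RULES
# Add per-service ACCEPT rules here, e.g. "-A TCP -p tcp --dport 80 -j ACCEPT".
# If logging is enabled, keep an -m limit on it so a port scan cannot fill
# the log.
# -A TCP -p tcp -m limit --limit 5/min -j LOG --log-prefix "TCP-REJECT: "
## UDP PORT RULES
# -A UDP -p udp -m limit --limit 5/min -j LOG --log-prefix "UDP-REJECT: "
COMMIT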