# {{ ansible_managed }}
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

#Syn-flood protection
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP

#Force SYN packets check
-A INPUT -f -j DROP

#Force Fragments packets check
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP

#XMAS packets
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Accept packets belonging to established and related connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow pings
-A INPUT -p icmp --icmp-type any -j ACCEPT

# Set access for localhost
-A INPUT -i lo -j ACCEPT

# Allow SSH connections on tcp port 22
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

# Set default policies for INPUT, FORWARD and OUTPUT chains
-P INPUT DROP 
-P FORWARD DROP
-P OUTPUT ACCEPT

COMMIT