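*filter
# Chain policies.
# INPUT is DROP so the host fails CLOSED if the rule list is ever
# flushed, truncated or edited by hand; the original ACCEPT policy
# relied entirely on the trailing "-A INPUT -j DROP" rule below, so
# removing that one rule (or an "iptables -F") silently opened every
# port.  The trailing DROP is kept as belt-and-braces, so with the full
# ruleset loaded packet handling is unchanged.  Consequence: with a
# DROP policy an "iptables -F" locks the host out instead of opening it
# up -- recover with iptables-restore from a known-good copy of this file.
:INPUT DROP [0:0]
# FORWARD and OUTPUT are left as they were.
# NOTE(review): if net.ipv4.ip_forward is ever enabled on this host an
# ACCEPT FORWARD policy turns it into an open router between the
# internal and public interfaces; make it DROP unless forwarding is an
# intended function of this box.
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# User chain holding the management/whitelist networks.  A packet that
# matches nothing in it simply falls back into INPUT (no terminal
# RETURN is needed).
:LW_RULES - [0:0]

# Always allow loopback.
-A INPUT -i lo -j ACCEPT

# LW_RULES are evaluated right after loopback and before the state
# rule, so a whitelisted source bypasses every restriction that follows
# (including the SSH rate limit).
-A INPUT -j LW_RULES

# Globally allow these source networks: any interface, any protocol.
# NOTE(review): these rules match on source address only and are not
# bound to the internal interface, so a packet arriving on the public
# interface with a spoofed 10.x source is accepted too.  A spoofed TCP
# handshake cannot complete, but connectionless protocols (UDP, ICMP)
# are reachable that way.  Either add "-i eth0.VLAN_eth0" to these rules
# or make sure reverse-path filtering (net.ipv4.conf.all.rp_filter=1)
# is enabled on the host.
-A LW_RULES -s 10.30.2.0/24 -j ACCEPT
-A LW_RULES -s 10.30.104.0/24 -j ACCEPT
-A LW_RULES -s 10.255.251.0/24 -j ACCEPT
-A LW_RULES -s 10.255.242.0/24 -j ACCEPT

# Allow replies to connections this host initiated, and related traffic.
# NOTE(review): nothing drops --state INVALID before the per-port
# ACCEPTs below, so out-of-window TCP segments to :22/:8080 on the
# internal interface are accepted rather than dropped; consider a
# "-A INPUT -m state --state INVALID -j DROP" rule here after testing.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow ping (all ICMP types) on the internal interface only.
-A INPUT -i eth0.VLAN_eth0 -p icmp --icmp-type any -j ACCEPT

# Allow webservice access for the internal interface only.
-A INPUT -i eth0.VLAN_eth0 -p tcp --dport 8080 -j ACCEPT

# By default at least, we only allow port ranges 5000-6000 in
# /etc/prx_admin/prx_admin.conf. So allow this access here.
# Additionally, this should only be allowed for the public
# interface.  Keep this range in sync with prx_admin.conf: a range
# wider than what the service actually binds exposes whatever else
# happens to listen inside it on the public side.
-A INPUT -i eth1.VLAN_eth1 -p tcp --match multiport --dports 5000:6000 -j ACCEPT

# SSH
##########################
## Rate limit incoming SSH connections on the private interface for
## anyone not in LW_RULES to 20 new connections within 10 minutes.
## Mechanics: every NEW SYN to :22 stamps the source address in the
## "SSH" recent-list (--set).  Once 20 stamps fall within 600 seconds
## the two --update rules match: the first logs (at most once a minute
## so a flood cannot fill the log), the second drops.  Because --update
## refreshes the source's timestamp while it matches, a source that
## keeps hammering stays blocked; it is released only after it has been
## quiet long enough for its stamps to age out of the window.
## NOTE(review): on older kernels --hitcount may not exceed the
## xt_recent module parameter ip_pkt_list_tot (default 20); raise that
## parameter before raising --hitcount, or the rule will fail to load.
##########################
-A INPUT -i eth0.VLAN_eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0.VLAN_eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 20 --name SSH --rsource -m limit --limit 1/min -j LOG --log-prefix "SSH Bruteforce: " --log-level 4
-A INPUT -i eth0.VLAN_eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 20 --name SSH --rsource -j DROP
# SSH is reachable on the internal interface only; no rule accepts :22
# on the public interface.
-A INPUT -i eth0.VLAN_eth0 -p tcp --dport 22 -j ACCEPT

# Drop everything not yet allowed (the chain policy above does the same
# if this rule is ever missing).
-A INPUT -j DROP
COMMIT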