# iptables-restore fragment for the filter table: accept loopback and
# already-tracked traffic early, then hand everything else to two user chains.
# NOTE(review): no `:INPUT` policy line is set here, so INPUT keeps the default
# policy of the running ruleset (or of an enclosing file); that policy, not the
# chains below, is what finally decides an unmatched remote connection.
*filter
# user chains: no policy (only builtin chains have one), counters zeroed
:drop-non-local - [0:0]
:remote - [0:0]
# allow all on loopback (inserted at position 1 of INPUT)
-I INPUT -i lo -j ACCEPT
# quickly process packets for which we already have a connection
# (inserted at position 2, i.e. directly after the loopback rule above;
# `-m state --state` is the legacy spelling of `-m conntrack --ctstate`)
# NOTE(review): INVALID-state packets are not matched here and fall through
# to the chains below.
-I INPUT 2 -m state --state RELATED,ESTABLISHED -j ACCEPT
# two chains: one for rules that allow certain remote connections,
# and another that denies the rest
# NOTE(review): `remote` is declared above but has no rules in this file, so
# as shown every packet RETURNs from it and reaches drop-non-local - confirm
# the allow rules are appended to `remote` elsewhere.
-A INPUT -j remote
-A INPUT -j drop-non-local
# == drop-non-local chain ==
# NOTE(review): a packet is in INPUT because its destination is this host, so
# the three RETURN rules below match nearly all of them; this chain does not
# by itself deny ordinary remote connections to the host's own addresses
# (that is left to INPUT's policy or to rules outside this file). It only
# drops the unusual case of a non-local unicast destination that was still
# delivered locally (e.g. via policy routing or a transparent proxy).
# if LOCAL, RETURN
-A drop-non-local -m addrtype --dst-type LOCAL -j RETURN
# if MULTICAST, RETURN
-A drop-non-local -m addrtype --dst-type MULTICAST -j RETURN
# if BROADCAST, RETURN
-A drop-non-local -m addrtype --dst-type BROADCAST -j RETURN
# all other non-local packets are dropped
# (disabled rate-limited logging: `ufw-logging-deny` is not declared in this
# file, so re-enabling the line needs that chain to already exist - presumably
# created by ufw - or iptables-restore will reject the whole file)
##-A drop-non-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A drop-non-local -j DROP
# NOTE(review): no COMMIT is visible here; if this is the end of the filter
# section, iptables-restore needs a `COMMIT` line after the last rule.