# IPv4 ruleset in iptables-save format (loaded with iptables-restore).
# Only the IPv4 tables are defined here; IPv6 is not touched by this file
# and needs its own ip6tables ruleset.

*filter
# Built-in chains: inbound and forwarded traffic is denied unless a rule
# below accepts it; locally generated traffic is unrestricted.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# User chains, declared up front so every -j target exists before use.
:logging - [0:0]
:public - [0:0]
:sshguard - [0:0]
:uni - [0:0]

# --- INPUT --------------------------------------------------------------
# Replies to connections this host already tracks.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Everything arriving on the private LAN interface is trusted.
-A INPUT -i eth1 -j ACCEPT
# Every ICMP type is accepted, with no rate limit.
-A INPUT -p icmp -j ACCEPT
# Loopback.
-A INPUT -i lo -j ACCEPT
# University address ranges: matched on source address only, regardless
# of the interface the packet arrived on.
-A INPUT -s 141.30.0.0/16 -j uni
-A INPUT -s 141.76.0.0/16 -j uni
# Everything else (public internet). The chain holds no rules, so all
# traffic returns here and is logged and rejected below.
-A INPUT -j public
# Anything not accepted so far is logged (rate-limited) ...
-A INPUT -j logging
# ... and rejected with a protocol-appropriate error instead of a silent drop.
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable

# --- FORWARD ------------------------------------------------------------
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# New connections may be forwarded only when they come in on the LAN side.
-A FORWARD -i eth1 -j ACCEPT
# No REJECT rule here: after logging, the DROP policy discards the packet silently.
-A FORWARD -j logging

# --- uni: traffic from the university ranges ----------------------------
# SSH passes through the sshguard chain first (so anything blocked there
# never reaches the ACCEPT), then is accepted. Other ports fall back into INPUT.
-A uni -p tcp -m tcp --dport 22 -j sshguard
-A uni -p tcp -m tcp --dport 22 -j ACCEPT

# --- public: traffic from the public internet ---------------------------
# Intentionally empty: no service is exposed to the public internet.

# --- sshguard -----------------------------------------------------------
# Empty in this file; presumably filled by the sshguard daemon at runtime.
# A plain iptables-restore (without --noflush) re-creates the chain empty,
# so any blocks sshguard had installed are gone after a reload.

# --- logging ------------------------------------------------------------
# At most 2 entries per minute (default burst of 5), kernel log level 4 (warning).
-A logging -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Source NAT for every packet leaving via eth0, including traffic the
# filter table forwards from the LAN.
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT