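#!/usr/bin/env bash
# Packet-filter policy for a small gateway: the box itself (INPUT) answers
# only on a short list of TCP services, forwards LAN traffic out, and forwards
# inbound traffic only to one mail host and one print host.
#
# Environment (all optional; defaults reproduce the original rule set):
#   IPTABLES          iptables binary (set to "echo" for a dry run)
#   EXT_IF            external interface
#   LAN_NET           internal network allowed to use all services
#   MAIL_HOST         LAN host receiving forwarded pop3/smtp/http
#   PRINT_HOST        LAN host receiving forwarded LPD/JetDirect
#   PRINT_CLIENT_SRC  only external source allowed to reach LPD/JetDirect
#                     on the gateway itself (placeholder; set the real address)
set -eu

IPTABLES=${IPTABLES:-iptables}
EXT_IF=${EXT_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.0.0/255.255.0.0}
MAIL_HOST=${MAIL_HOST:-192.168.3.254/32}
PRINT_HOST=${PRINT_HOST:-192.168.3.198/32}
PRINT_CLIENT_SRC=${PRINT_CLIENT_SRC:-202.X.Y.Z/32}   # placeholder kept from the original rules
readonly IPTABLES EXT_IF LAN_NET MAIL_HOST PRINT_HOST PRINT_CLIENT_SRC

# Start from an empty filter table so re-running the script is idempotent:
# without this, every run appends a second copy of each rule and "-N allowed"
# fails because the chain already exists.
"$IPTABLES" -F
"$IPTABLES" -X

"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT ACCEPT
"$IPTABLES" -P FORWARD DROP

# "allowed": accept a new connection (SYN) or the rest of an existing one.
"$IPTABLES" -N allowed
"$IPTABLES" -A allowed -p TCP --syn -j ACCEPT
"$IPTABLES" -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT

# "tcp_packets": TCP services the gateway itself offers.
# 53:DNS 80:http 443:https 110:pop3 113:identd 515:LPD 9100:HP_TCP/IP
"$IPTABLES" -N tcp_packets
for port in 53 80 443 110 113; do
  "$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport "$port" -j allowed
done
# Printing ports are reachable from a single external address only.
for port in 515 9100; do
  "$IPTABLES" -A tcp_packets -p TCP -s "$PRINT_CLIENT_SRC" --dport "$port" -j allowed
done

# FORWARD: the LAN may go anywhere; from outside, only replies and the
# explicitly published mail/print services pass. Forwarding to those hosts
# presumably relies on NAT rules configured elsewhere -- not part of this script.
"$IPTABLES" -A FORWARD -s "$LAN_NET" -d 0/0 -j ACCEPT
"$IPTABLES" -A FORWARD -i "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
for port in 110 25 80; do
  "$IPTABLES" -A FORWARD -i "$EXT_IF" -p tcp -d "$MAIL_HOST" --dport "$port" -j ACCEPT
done
for port in 515 9100; do
  "$IPTABLES" -A FORWARD -i "$EXT_IF" -p tcp -d "$PRINT_HOST" --dport "$port" -j ACCEPT
done
"$IPTABLES" -A FORWARD -p all -j REJECT

# INPUT: allow all services from the internal network and from loopback.
"$IPTABLES" -A INPUT -s "$LAN_NET" -d 0/0 -j ACCEPT
"$IPTABLES" -A INPUT -s 0/0 -d 0/0 -i lo -j ACCEPT
# smtp: refuse new connections to the gateway's own port 25 (SYN dropped),
# but let packets of already-open connections through.
"$IPTABLES" -A INPUT -p tcp --dport 25 --syn -j DROP
"$IPTABLES" -A INPUT -p tcp --dport 25 -j ACCEPT
# DNS
"$IPTABLES" -A INPUT -p udp --dport 53 -j ACCEPT
# All other allowed tcp services
"$IPTABLES" -A INPUT -p tcp -i "$EXT_IF" -j tcp_packets
# ping. 0:echo reply 3:unreachable 5:redirect 11:time exceeded
for icmp_type in 0 3 5 11; do
  "$IPTABLES" -A INPUT -p ICMP -i "$EXT_IF" -s 0/0 --icmp-type "$icmp_type" -j ACCEPT
done
# UDP replies. 53:DNS lookup 123:NTP clock sync. The original accepted any
# datagram whose source port was 53 or 123; a remote sender picks its source
# port freely, so that admitted arbitrary UDP to every local port. Only
# replies to queries this host itself sent are accepted now.
for sport in 53 123; do
  "$IPTABLES" -A INPUT -p UDP -i "$EXT_IF" -s 0/0 --source-port "$sport" \
    -m state --state ESTABLISHED -j ACCEPT
done
# Packets not matching any rule are rejected.
"$IPTABLES" -A INPUT -p all -j REJECT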