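# iptables-restore ruleset for the "filter" table (IPv4 only).
#
# Policy summary: loopback and ESTABLISHED/RELATED traffic are accepted; SSH,
# ICMP echo, HTTPS and LDAP(S) are admitted only from the Physics subnets;
# every other inbound or forwarded packet is rejected. Outbound is unrestricted.
#
# NOTE(review): this file covers iptables (IPv4) only. Confirm that ip6tables
# carries an equivalent ruleset or that IPv6 is disabled on the host; otherwise
# none of the port restrictions below apply to IPv6 traffic.
#
# NOTE(review): admission is by source address alone. 172.20.0.0/16 is RFC 1918
# space and is spoofable on the wire unless the upstream router filters it; if
# the host has more than one interface, pin the PHYSICSONLY jumps with
# "-i <iface>" so a spoofed source on the wrong interface is not trusted.
*filter
# Built-in chain policies are set explicitly so that a flushed INPUT/FORWARD
# chain fails closed instead of falling back to the kernel default (ACCEPT).
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# PHYSICSONLY: ACCEPT when the source is a Physics subnet; otherwise the chain
# ends and control returns to INPUT, where the only remaining rule after each
# jump is the final REJECT. Non-Physics sources are therefore rejected.
:PHYSICSONLY - [0:0]
-A PHYSICSONLY -s 130.209.45.0/24 -j ACCEPT
-A PHYSICSONLY -s 130.209.202.0/24 -j ACCEPT
-A PHYSICSONLY -s 130.209.204.0/24 -j ACCEPT
-A PHYSICSONLY -s 172.20.45.0/24 -j ACCEPT
-A PHYSICSONLY -s 172.20.202.0/24 -j ACCEPT
-A PHYSICSONLY -s 172.20.204.0/24 -j ACCEPT

# Accept all loopback traffic; reject anything addressed to 127/8 that did
# not arrive on lo (spoofed packets aimed at loopback-only services).
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Packets conntrack cannot classify (bad TCP flag combinations, out-of-window
# segments, etc.) are dropped silently rather than REJECTed, so malformed
# probes do not elicit ICMP errors or RSTs from this host.
-A INPUT -m state --state INVALID -j DROP

# Replies to connections this host initiated, and RELATED traffic such as
# ICMP errors for them, are accepted without further checks.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Outbound traffic is unrestricted.
-A OUTPUT -j ACCEPT

# SSH and ICMP echo-request from the Physics subnets only.
-A INPUT -p tcp -m state --state NEW --dport 22 -j PHYSICSONLY
-A INPUT -p icmp -m icmp --icmp-type echo-request -j PHYSICSONLY

# HTTPS from the Physics subnets only. The open-to-anywhere variants are kept
# commented out for reference; enabling them exposes the service to every
# source address, not just the Physics ranges.
-A INPUT -p tcp -m state --state NEW --dport 443 -j PHYSICSONLY
#-A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
#-A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT

# LDAP and LDAPS queries from the Physics subnets only.
-A INPUT -p tcp -m state --state NEW --dport 389 -j PHYSICSONLY
-A INPUT -p tcp -m state --state NEW --dport 636 -j PHYSICSONLY

# Explicit catch-all: reject everything else inbound, and never forward.
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT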