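*filter
# Host firewall in iptables-save format (load with iptables-restore).
#
# Builtin chain policies are declared explicitly. Every packet is still decided
# by a rule below (INPUT and FORWARD end in an unconditional REJECT, OUTPUT in an
# unconditional ACCEPT), so these policies change nothing today; they are a
# safety net so that removing or reordering the terminal rules cannot silently
# turn the host into an accept-by-default box.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Create filter chain for Physics subnets only.
# A user-defined chain that matches nothing returns to the caller, so traffic
# not ACCEPTed here continues down INPUT and reaches the final REJECT.
-N PHYSICSONLY
-A PHYSICSONLY -s 130.209.45.0/24 -j ACCEPT
-A PHYSICSONLY -s 130.209.202.0/24 -j ACCEPT
-A PHYSICSONLY -s 130.209.204.0/24 -j ACCEPT
-A PHYSICSONLY -s 172.20.45.0/24 -j ACCEPT
-A PHYSICSONLY -s 172.20.202.0/24 -j ACCEPT
-A PHYSICSONLY -s 172.20.204.0/24 -j ACCEPT

# Filter chain for VPN subnet
-N VPNONLY
-A VPNONLY -s 130.209.155.0/24 -j ACCEPT

# Filter chain for Physics + VPN (union of the two chains above; each sub-chain
# returns on no match, so the second is consulted only if the first did not ACCEPT)
-N PHYSICSANDVPN
-A PHYSICSANDVPN -j PHYSICSONLY
-A PHYSICSANDVPN -j VPNONLY

# Filter chain for University subnets.
# NOTE: no rule in this file jumps to UNIONLY; it is kept for services that may
# need campus-wide access later. Review before widening any rule to it.
-N UNIONLY
-A UNIONLY -s 130.209.0.0/16 -j ACCEPT
-A UNIONLY -s 172.20.0.0/16 -j ACCEPT

# This will allow all loopback (lo0) traffic and drop all traffic to 127/8
# that does not use lo0 (anti-spoofing for the loopback range)
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# This accepts all already established connections.
# RELATED also covers ICMP errors belonging to an existing flow, which is why the
# ICMP rule further down only needs to admit echo-request.
# ('-m state' is the legacy spelling of '-m conntrack --ctstate'; kept as-is.)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# This allows all outbound traffic
-A OUTPUT -j ACCEPT

# SSH and pings: new connections only from Physics + VPN source ranges
-A INPUT -p tcp -m state --state NEW --dport 22 -j PHYSICSANDVPN
-A INPUT -p icmp -m icmp --icmp-type echo-request -j PHYSICSANDVPN

# Allow HTTP(S) (disabled)
#-A INPUT -p tcp -m state --state NEW --dport 443 -j PHYSICSANDVPN
#-A INPUT -p tcp -m state --state NEW --dport 80 -j PHYSICSANDVPN

# Allow LDAP(S) (disabled; note these are restricted to PHYSICSONLY, not VPN)
#-A INPUT -p tcp -m state --state NEW --dport 389 -j PHYSICSONLY
#-A INPUT -p tcp -m state --state NEW --dport 636 -j PHYSICSONLY

# Allow MySQL (disabled)
#-A INPUT -p tcp -m state --state NEW --dport 3306 -j PHYSICSANDVPN

# Reject all other inbound traffic; the host does not route, so FORWARD is
# rejected unconditionally as well.
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT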