#!/bin/bash

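# TCP flags
# Stateless "existing connection" filter for the ppp+ link (presumably the
# Internet-facing uplink): accept only TCP segments whose SYN/RST/ACK/FIN
# combination can belong to a connection that already exists. A bare SYN
# (new inbound connection) is deliberately not listed, so it falls through
# to the rules further down.
# This is flag-based, not connection-tracked: any segment carrying ACK is
# admitted whether or not a matching socket exists, so ACK/RST probes
# (nmap -sA and friends) still reach the stack. `-m conntrack --ctstate
# ESTABLISHED,RELATED` closes that gap where conntrack is available.
# A FIN without ACK is NOT accepted: every segment after the handshake
# carries ACK, so a bare FIN is never sent by a conforming stack (conntrack
# also treats it as INVALID) - it is the signature of a FIN scan (nmap -sF).
iptables -A INPUT  -i ppp+ -p tcp --tcp-flags SYN,RST,ACK,FIN SYN,ACK -j ACCEPT  -m comment --comment "incoming syn,ack"
iptables -A INPUT  -i ppp+ -p tcp --tcp-flags SYN,RST,ACK,FIN ACK     -j ACCEPT  -m comment --comment "incoming ack"
iptables -A INPUT  -i ppp+ -p tcp --tcp-flags SYN,RST,ACK,FIN RST     -j ACCEPT  -m comment --comment "incoming rst"
iptables -A INPUT  -i ppp+ -p tcp --tcp-flags SYN,RST,ACK,FIN ACK,RST -j ACCEPT  -m comment --comment "incoming ack,rst"
iptables -A INPUT  -i ppp+ -p tcp --tcp-flags SYN,RST,ACK,FIN FIN,ACK -j ACCEPT  -m comment --comment "incoming fin,ack"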

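# DNS
# Inbound queries for the authoritative server (tinydns) running on this host.
iptables -A INPUT  -i ppp+ -p udp --dport 53 -j ACCEPT  -m comment --comment "tinydns"
# Replies to queries sent out by the local stub resolver. Matching on
# "--sport 53" alone would admit any UDP datagram whose sender simply chose
# source port 53, to ANY destination port - a one-line bypass of the rest
# of this chain - so the datagram must also be the reply to a query that
# conntrack already saw leave this host.
iptables -A INPUT  -i ppp+ -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT  -m comment --comment "stub resolver"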

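# Log everything else
# Catch-all for whatever the rules above did not accept (on every interface,
# not just ppp+). LOG is non-terminating: a packet reaching here continues
# to the INPUT chain policy, which has to be DROP - presumably set elsewhere
# in this script, verify - for this to be a firewall rather than an audit
# trail. The rule is rate-limited because it fires for every unsolicited
# packet on an Internet-facing link, and an unlimited LOG is an easy way for
# a remote peer to fill the disk and drown real kernel messages. The
# "Conntack:" prefix is kept verbatim so existing log consumers still match.
iptables -A INPUT  -m limit --limit 5/min --limit-burst 10 -j LOG  --log-prefix "Conntack:"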

# libipq
# Hand outbound HTTP/HTTPS from non-root processes to the userspace libipq
# listener (QUEUE target). Rules are inserted at the head of OUTPUT (-I) so
# they take precedence over anything already in the chain; because each
# insert goes to position 1, port 443 ends up above port 80, as before.
# Per the iptables man page, packets queued with no userspace listener
# attached are dropped, and QUEUE is the legacy interface that newer kernels
# replace with NFQUEUE (libnetfilter_queue).
for port in 80 443; do
  iptables -I OUTPUT -p tcp --dport "$port" -m owner ! --uid-owner root -j QUEUE
done