Index: TipAndDoc/iptables/ufw/after.rules
===================================================================
--- TipAndDoc/iptables/ufw/after.rules	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
+++ TipAndDoc/iptables/ufw/after.rules	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
@@ -0,0 +1,37 @@
+#
+# rules.input-after
+#
+# Rules that should be run after the ufw command line added rules. Custom
+# rules should be added to one of these chains:
+#   ufw-after-input
+#   ufw-after-output
+#   ufw-after-forward
+#
+
+# Don't delete these required lines, otherwise there will be errors
+*filter
+:ufw-after-input - [0:0]
+:ufw-after-output - [0:0]
+:ufw-after-forward - [0:0]
+# End required lines
+
+## allow connections to the local services from WAN
+# ssh 22/tcp
+-A ufw-after-input -p tcp --syn -m state --state NEW --dport 22 -j ACCEPT
+# https 443/tcp
+-A ufw-after-input -p tcp --syn -m state --state NEW --dport 443 -j ACCEPT
+
+# don't log noisy services by default
+-A ufw-after-input -p udp --dport 137 -j RETURN
+-A ufw-after-input -p udp --dport 138 -j RETURN
+-A ufw-after-input -p tcp --dport 139 -j RETURN
+-A ufw-after-input -p tcp --dport 445 -j RETURN
+-A ufw-after-input -p udp --dport 67 -j RETURN
+-A ufw-after-input -p udp --dport 68 -j RETURN
+
+# catchall for logging
+-A ufw-after-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK INPUT]: " --log-level err
+-A ufw-after-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK FORWARD]: " --log-level err
+
+# don't delete the 'COMMIT' line or these rules won't be processed
+COMMIT
Index: TipAndDoc/iptables/ufw/before.rules
===================================================================
--- TipAndDoc/iptables/ufw/before.rules	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
+++ TipAndDoc/iptables/ufw/before.rules	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
@@ -0,0 +1,90 @@
+#
+# rules.before
+#
+# Rules that should be run before the ufw command line added rules. Custom
+# rules should be added to one of these chains:
+#   ufw-before-input
+#   ufw-before-output
+#   ufw-before-forward
+#
+
+# Don't delete these required lines, otherwise there will be errors
+*filter
+:ufw-before-input - [0:0]
+:ufw-before-output - [0:0]
+:ufw-before-forward - [0:0]
+:ufw-not-local - [0:0]
+# End required lines
+
+
+# allow all on loopback
+-A ufw-before-input -i lo -j ACCEPT
+-A ufw-before-output -i lo -j ACCEPT
+
+# connection tracking rules
+-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# drop INVALID packets
+# uncomment to log INVALID packets
+-A ufw-before-input -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW BLOCK INVALID]: " --log-level err -m limit --limit 3/min --limit-burst 10
+-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
+
+## Ingress filter (see RFC 2827) (eth0:LAN<192.168.100.0/24>)
+-A ufw-before-forward -i eth0 -s ! 192.168.100.0/24 -j LOG --log-tcp-options --log-ip-options --log-prefix "[UFW BLOCK LOG_INGRESS]: " --log-level err -m limit --limit 3/min --limit-burst 10
+-A ufw-before-forward -i eth0 -s ! 192.168.100.0/24 -j DROP
+
+## DROP CIFS(Samba) access from/to WAN(eth1)
+-A ufw-before-input   -i eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-input   -i eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-forward -i eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-forward -i eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-forward -o eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-forward -o eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-output  -o eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-output  -o eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP
+
+## Access from LAN
+-A ufw-before-input -i eth0 -j ACCEPT
+-A ufw-before-forward -i eth0 -j ACCEPT
+
+# connection tracking for outbound
+-A ufw-before-output -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+-A ufw-before-output -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+
+# ok icmp codes
+-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
+-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
+-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
+-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
+-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
+
+# allow dhcp client to work
+-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
+
+#
+# ufw-not-local
+#
+-A ufw-before-input -j ufw-not-local
+
+# if LOCAL, RETURN
+-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
+
+# if MULTICAST, RETURN
+-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
+
+# if BROADCAST, RETURN
+-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
+
+-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK NOT-TO-ME]: " --log-level err
+
+# all other non-local packets are dropped
+-A ufw-not-local -j DROP
+
+# allow MULTICAST, be sure the MULTICAST line above is uncommented
+-A ufw-before-input -s 224.0.0.0/4 -j ACCEPT
+-A ufw-before-input -d 224.0.0.0/4 -j ACCEPT
+
+
+# don't delete the 'COMMIT' line or these rules won't be processed
+COMMIT
Index: TipAndDoc/iptables/ufw/mangle.rules
===================================================================
--- TipAndDoc/iptables/ufw/mangle.rules	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
+++ TipAndDoc/iptables/ufw/mangle.rules	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
@@ -0,0 +1,12 @@
+#
+# This file is used by /etc/init.d/setfilter
+#
+# Rules that should be stored in mangle table.
+
+
+*mangle
+# to overcome criminally braindead ISPs or servers which block ICMP Fragmentation Needed packets
+# see iptables(8)
+-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+
+COMMIT
Index: TipAndDoc/iptables/ufw/nat.rules
===================================================================
--- TipAndDoc/iptables/ufw/nat.rules	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
+++ TipAndDoc/iptables/ufw/nat.rules	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
@@ -0,0 +1,18 @@
+#
+# This file is used by /etc/init.d/setfilter
+#
+# Rules that should be stored in nat table.
+# These are mainly used to IP MASQUERADE and REDIRECT.
+
+
+*nat
+
+## port REDIRECT to local services
+# 8443/tcp -> 443/tcp
+-A PREROUTING -p tcp --dport 8443 -j REDIRECT --to-port 443
+# WAN 8000/tcp -> 443/tcp
+-A PREROUTING -p tcp -i eth1 --dport 8000 -j REDIRECT --to-port 443
+# LAN 8000/tcp -> 22/tcp
+-A PREROUTING -p tcp -i eth0 --dport 8000 -j REDIRECT --to-port 22
+
+COMMIT
Index: TipAndDoc/iptables/ufw/raw.rules
===================================================================
--- TipAndDoc/iptables/ufw/raw.rules	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
+++ TipAndDoc/iptables/ufw/raw.rules	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
@@ -0,0 +1,33 @@
+#
+# This file is used by /etc/init.d/setfilter
+#
+# Rules that should be stored in raw table.
+# These are mainly used to filter evil or wrong packets.
+
+
+*raw
+:LOG_ICMP - [0:0]
+:LOG_SPOOF - [0:0]
+
+## LOG and DROP fragmented packets (not head fragments)
+-A PREROUTING --fragment -j LOG --log-prefix "[UFW BLOCK FRAGMENTED]: " --log-level err -m limit --limit 3/min --limit-burst 10
+-A PREROUTING --fragment -j DROP
+
+## LOG and DROP strange icmp packets
+-A LOG_ICMP -j LOG --log-prefix "[UFW BLOCK BAD-ICMP]: " --log-level err -m limit --limit 3/min --limit-burst 10
+-A LOG_ICMP -j DROP
+# Too large icmp requests
+-A PREROUTING -p icmp --icmp-type echo-request -m length --length 128: -j LOG_ICMP
+# Too many times of icmp requests (only 5 packets per second if over 10pkts/sec)
+-A PREROUTING -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT
+-A PREROUTING -p icmp --icmp-type echo-request -j LOG_ICMP
+
+## LOG and DROP IP spoofing (eth1:WAN)
+-A LOG_SPOOF -j LOG --log-prefix "[UFW BLOCK IP-SPOOFING]: " --log-level err -m limit --limit 3/min --limit-burst 10
+-A LOG_SPOOF -j DROP
+-A PREROUTING -i eth1 -s    127.0.0.0/8 -j LOG_SPOOF
+-A PREROUTING -i eth1 -s     10.0.0.0/8 -j LOG_SPOOF
+-A PREROUTING -i eth1 -s  172.16.0.0/12 -j LOG_SPOOF
+-A PREROUTING -i eth1 -s 192.168.0.0/16 -j LOG_SPOOF
+
+COMMIT