solutions to first iptables assignment

Part 1

A1.
    iptables -A INPUT/FORWARD -i p2p1 -s 10.2.0.0/6 -p icmp -j DROP
    iptables -A INPUT/FORWARD -i p1p1 -s 10.1.0.3 -p icmp -j DROP
    ("INPUT/FORWARD" stands for one rule for each chain!)

A2.
    iptables -A INPUT -p udp --dport 514 -j DROP

B:
    iptables -A FORWARD ! -s 10.0.0.0/8 -j REJECT
    iptables -A FORWARD ! -d 10.0.0.0/8 -j REJECT
    note: a single rule carrying both negated matches would only reject packets that match neither condition, so traffic with EITHER -s 10.0.0.0/8 OR -d 10.0.0.0/8 would still be allowed.

C:
    iptables -A INPUT -s 10.1.0.3 -p tcp --syn --dport 443 -j DROP

C2:
    iptables -A INPUT -p tcp --syn --dport 443 -m connlimit --connlimit-above 2 -j REJECT

D:
    iptables -A INPUT -p tcp --dport 79 ! -i lo -j DROP
    iptables -A FORWARD -p tcp --dport 79 -j DROP

E:
    iptables -A INPUT -s 10.1.0.8/29 -p tcp --syn --dport 22 -j DROP

F:
    iptables -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP

G:
    iptables -A FORWARD -d 10.1.0.98 -p udp --dport 53 -j ACCEPT
    iptables -A FORWARD -d 167.206.112.138 -p udp --dport 53 -j ACCEPT
    iptables -A FORWARD -p udp --dport 53 -j DROP
    # similar rules are needed for the OUTPUT chain.

H:
    iptables -I INPUT 1 -p tcp --dport 443 --syn -j LOG --log-prefix "browser:"
    (note: insert is used instead of append, so the LOG rule runs before any earlier DROP rule)

I:
    iptables -A OUTPUT -p tcp --syn ! -d 10.0.0.0/8 ! --dport 80 -j LOG --log-prefix "unusual activity"

J:
    iptables -A INPUT -s 10.1.0.3 -m mac ! --mac-source 00:e0:4c:68:76:1f -j DROP

solutions to part 2:

1.
    iptables -A FORWARD -i eth2 -o eth2 -j REJECT
    iptables -A FORWARD -i eth0 ! -s 10.5.2.0/25 -j REJECT
    iptables -A FORWARD -i eth1 ! -s 10.5.2.128/25 -j REJECT
    (the last two rules stop other routing activity on the subnets)
    My solutions here are sometimes more elaborate than what I would expect from you on an exam. The first rule by itself would suffice. Another answer I would accept, because of the way the question was phrased, is:
    iptables -A FORWARD -i eth2 ! -d 10.5.2.0/24 -j REJECT

2.
    iptables -A FORWARD -p 47 -j DROP

3.
    iptables -A FORWARD -i eth1 ! -o eth1 -p icmp -j DROP

4.
    iptables -A FORWARD -p udp --sport 53 -s 10.5.3.12 -j ACCEPT
    iptables -A FORWARD -p udp --sport 53 -s 10.5.3.13 -j ACCEPT
    iptables -A FORWARD -p udp --sport 53 -j LOG --log-prefix "prohibited!"
    iptables -A FORWARD -p udp --sport 53 -j DROP
    # and similarly for the INPUT chain

5.
    iptables -A FORWARD -p tcp --dport 143 ! -d 10.5.1.14 -j DROP
    iptables -A FORWARD -p tcp --dport 110 -j DROP

6.
    iptables -A FORWARD -p tcp --dport 80 -d 10.5.2.130 ! -s 10.5.2.0/24 -j DROP
    more clever (divert requests to the legal server):
    iptables -t nat -A PREROUTING ! -s 10.5.2.0/24 -d 10.5.2.130 -p tcp --dport 80 -j DNAT --to 10.5.3.10

7.
    iptables -A FORWARD -p tcp --dport 80 -d 10.5.3.10 -m limit --limit 1/s --limit-burst 3 -j ACCEPT
    iptables -A FORWARD -p tcp --dport 80 -d 10.5.3.10 -j DROP

8.
    iptables -A INPUT -i eth2 -p udp --dport 67 -j DROP

9.
    iptables -A INPUT -i eth2 -s 147.4.150.54 -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT ! -i lo -p tcp --dport 22 -j DROP