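###################
# Firewall rules
# Really basic egress filtering
###################
# Expects the enclosing script to have set:
#   IPT    - the iptables command (e.g. a path to the binary)
#   EXT    - name of the external (internet-facing) interface
#   EXT_IP - the address this host is expected to source traffic from on $EXT
#
# All rules are appended (-A) to the filter OUTPUT chain, so any packet
# already accepted by an earlier OUTPUT rule is not affected by them.

# RFC 1918 private ranges. Traffic to these must never leave on the
# external interface; it indicates misrouting or a leaking internal service.
# Only the RFC 1918 ranges are covered here - other non-routable
# destinations (loopback, link-local, ...) are not filtered by this block.
RFC1918_RANGES=(10.0.0.0/8 172.16.0.0/12 192.168.0.0/16)

#######################################
# Log, then drop, every OUTPUT packet leaving $EXT that matches "$@".
# Two rules are needed because LOG is a non-terminating target.
# NOTE: LOG is unthrottled here; a burst of matching traffic can flood the
# log - consider adding `-m limit` if that matters in your environment.
# Globals:   IPT, EXT (read)
# Arguments: iptables match expression, e.g. `-d 10.0.0.0/8` or `! -s ADDR`
# Returns:   status of the first failing iptables call, 0 on success
#######################################
log_and_drop_egress() {
  local target
  for target in LOG DROP; do
    # $IPT is deliberately left unquoted so a multi-word command still works.
    # shellcheck disable=SC2086
    $IPT -t filter -A OUTPUT -o "$EXT" "$@" -j "$target" || return
  done
}

#######################################
# Install the egress rules: RFC 1918 destinations, then the anti-spoofing
# check. Refuses to run (rather than emitting malformed iptables commands)
# when a required variable is missing.
# Globals:   IPT, EXT, EXT_IP, RFC1918_RANGES (read)
# Returns:   1 if a required variable is unset/empty, else the status of
#            the first failing iptables call, 0 on success
#######################################
apply_egress_rules() {
  local var missing=
  for var in IPT EXT EXT_IP; do
    [[ -n "${!var:-}" ]] || missing+=" $var"
  done
  if [[ -n "$missing" ]]; then
    printf 'egress rules: required variable(s) not set:%s\n' "$missing" >&2
    return 1
  fi

  local range
  for range in "${RFC1918_RANGES[@]}"; do
    log_and_drop_egress -d "$range" || return
  done

  # sanity check (forged packets): anything leaving $EXT that does not carry
  # our own address as source is spoofed or misconfigured - log and drop.
  # Negation goes before the option (`! -s`); the intrapositioned form
  # (`-s !`) is deprecated and rejected by current iptables releases.
  # A host that legitimately sources other addresses on $EXT (NAT, aliases)
  # needs this rule adjusted.
  log_and_drop_egress ! -s "$EXT_IP"
}

apply_egress_rules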