- $ sudo iptables -L
- Chain INPUT (policy DROP)
- target prot opt source destination
- ACCEPT udp -- anywhere anywhere udp dpt:domain
- ACCEPT tcp -- anywhere anywhere tcp dpt:domain
- ACCEPT udp -- anywhere anywhere udp dpt:bootps
- ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
- ufw-before-logging-input all -- anywhere anywhere
- ufw-before-input all -- anywhere anywhere
- ufw-after-input all -- anywhere anywhere
- ufw-after-logging-input all -- anywhere anywhere
- ufw-reject-input all -- anywhere anywhere
- ufw-track-input all -- anywhere anywhere
- Chain FORWARD (policy DROP)
- target prot opt source destination
- ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
- ACCEPT all -- 192.168.122.0/24 anywhere
- ACCEPT all -- anywhere anywhere
- REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
- REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
- ACCEPT all -- anywhere anywhere PHYSDEV match --physdev-out vif3.0 --physdev-is-bridged
- ACCEPT all -- anywhere anywhere PHYSDEV match --physdev-in vif3.0 --physdev-is-bridged
- ACCEPT all -- anywhere anywhere PHYSDEV match --physdev-out vif2.0 --physdev-is-bridged
- ACCEPT all -- anywhere anywhere PHYSDEV match --physdev-in vif2.0 --physdev-is-bridged
- ufw-before-logging-forward all -- anywhere anywhere
- ufw-before-forward all -- anywhere anywhere
- ufw-after-forward all -- anywhere anywhere
- ufw-after-logging-forward all -- anywhere anywhere
- ufw-reject-forward all -- anywhere anywhere
- ufw-track-forward all -- anywhere anywhere
- Chain OUTPUT (policy ACCEPT)
- target prot opt source destination
- ACCEPT udp -- anywhere anywhere udp dpt:bootpc
- ufw-before-logging-output all -- anywhere anywhere
- ufw-before-output all -- anywhere anywhere
- ufw-after-output all -- anywhere anywhere
- ufw-after-logging-output all -- anywhere anywhere
- ufw-reject-output all -- anywhere anywhere
- ufw-track-output all -- anywhere anywhere
- Chain ufw-after-forward (1 references)
- target prot opt source destination
- Chain ufw-after-input (1 references)
- target prot opt source destination
- ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
- ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
- ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
- ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
- ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
- ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
- ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
- Chain ufw-after-logging-forward (1 references)
- target prot opt source destination
- LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
- Chain ufw-after-logging-input (1 references)
- target prot opt source destination
- LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
- Chain ufw-after-logging-output (1 references)
- target prot opt source destination
- Chain ufw-after-output (1 references)
- target prot opt source destination
- Chain ufw-before-forward (1 references)
- target prot opt source destination
- ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
- ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
- ACCEPT icmp -- anywhere anywhere icmp source-quench
- ACCEPT icmp -- anywhere anywhere icmp time-exceeded
- ACCEPT icmp -- anywhere anywhere icmp parameter-problem
- ACCEPT icmp -- anywhere anywhere icmp echo-request
- ufw-user-forward all -- anywhere anywhere
- Chain ufw-before-input (1 references)
- target prot opt source destination
- ACCEPT all -- anywhere anywhere
- ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
- ufw-logging-deny all -- anywhere anywhere ctstate INVALID
- DROP all -- anywhere anywhere ctstate INVALID
- ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
- ACCEPT icmp -- anywhere anywhere icmp source-quench
- ACCEPT icmp -- anywhere anywhere icmp time-exceeded
- ACCEPT icmp -- anywhere anywhere icmp parameter-problem
- ACCEPT icmp -- anywhere anywhere icmp echo-request
- ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
- ufw-not-local all -- anywhere anywhere
- ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
- ACCEPT udp -- anywhere 239.255.255.250 udp dpt:1900
- ufw-user-input all -- anywhere anywhere
- Chain ufw-before-logging-forward (1 references)
- target prot opt source destination
- Chain ufw-before-logging-input (1 references)
- target prot opt source destination
- Chain ufw-before-logging-output (1 references)
- target prot opt source destination
- Chain ufw-before-output (1 references)
- target prot opt source destination
- ACCEPT all -- anywhere anywhere
- ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
- ufw-user-output all -- anywhere anywhere
- Chain ufw-logging-allow (0 references)
- target prot opt source destination
- LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
- Chain ufw-logging-deny (2 references)
- target prot opt source destination
- RETURN all -- anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
- LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
- Chain ufw-not-local (1 references)
- target prot opt source destination
- RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
- RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
- RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
- ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
- DROP all -- anywhere anywhere
- Chain ufw-reject-forward (1 references)
- target prot opt source destination
- Chain ufw-reject-input (1 references)
- target prot opt source destination
- Chain ufw-reject-output (1 references)
- target prot opt source destination
- Chain ufw-skip-to-policy-forward (0 references)
- target prot opt source destination
- DROP all -- anywhere anywhere
- Chain ufw-skip-to-policy-input (7 references)
- target prot opt source destination
- DROP all -- anywhere anywhere
- Chain ufw-skip-to-policy-output (0 references)
- target prot opt source destination
- ACCEPT all -- anywhere anywhere
- Chain ufw-track-forward (1 references)
- target prot opt source destination
- Chain ufw-track-input (1 references)
- target prot opt source destination
- Chain ufw-track-output (1 references)
- target prot opt source destination
- ACCEPT tcp -- anywhere anywhere ctstate NEW
- ACCEPT udp -- anywhere anywhere ctstate NEW
- Chain ufw-user-forward (1 references)
- target prot opt source destination
- Chain ufw-user-input (1 references)
- target prot opt source destination
- Chain ufw-user-limit (0 references)
- target prot opt source destination
- LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
- REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
- Chain ufw-user-limit-accept (0 references)
- target prot opt source destination
- ACCEPT all -- anywhere anywhere
- Chain ufw-user-logging-forward (0 references)
- target prot opt source destination
- Chain ufw-user-logging-input (0 references)
- target prot opt source destination
- Chain ufw-user-logging-output (0 references)
- target prot opt source destination
- Chain ufw-user-output (1 references)
- target prot opt source destination
- $ sudo iptables -S
- -P INPUT DROP
- -P FORWARD DROP
- -P OUTPUT ACCEPT
- -N ufw-after-forward
- -N ufw-after-input
- -N ufw-after-logging-forward
- -N ufw-after-logging-input
- -N ufw-after-logging-output
- -N ufw-after-output
- -N ufw-before-forward
- -N ufw-before-input
- -N ufw-before-logging-forward
- -N ufw-before-logging-input
- -N ufw-before-logging-output
- -N ufw-before-output
- -N ufw-logging-allow
- -N ufw-logging-deny
- -N ufw-not-local
- -N ufw-reject-forward
- -N ufw-reject-input
- -N ufw-reject-output
- -N ufw-skip-to-policy-forward
- -N ufw-skip-to-policy-input
- -N ufw-skip-to-policy-output
- -N ufw-track-forward
- -N ufw-track-input
- -N ufw-track-output
- -N ufw-user-forward
- -N ufw-user-input
- -N ufw-user-limit
- -N ufw-user-limit-accept
- -N ufw-user-logging-forward
- -N ufw-user-logging-input
- -N ufw-user-logging-output
- -N ufw-user-output
- -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
- -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
- -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
- -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
- -A INPUT -j ufw-before-logging-input
- -A INPUT -j ufw-before-input
- -A INPUT -j ufw-after-input
- -A INPUT -j ufw-after-logging-input
- -A INPUT -j ufw-reject-input
- -A INPUT -j ufw-track-input
- -A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
- -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
- -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
- -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
- -A FORWARD -m physdev --physdev-out vif3.0 --physdev-is-bridged -j ACCEPT
- -A FORWARD -m physdev --physdev-in vif3.0 --physdev-is-bridged -j ACCEPT
- -A FORWARD -m physdev --physdev-out vif2.0 --physdev-is-bridged -j ACCEPT
- -A FORWARD -m physdev --physdev-in vif2.0 --physdev-is-bridged -j ACCEPT
- -A FORWARD -j ufw-before-logging-forward
- -A FORWARD -j ufw-before-forward
- -A FORWARD -j ufw-after-forward
- -A FORWARD -j ufw-after-logging-forward
- -A FORWARD -j ufw-reject-forward
- -A FORWARD -j ufw-track-forward
- -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
- -A OUTPUT -j ufw-before-logging-output
- -A OUTPUT -j ufw-before-output
- -A OUTPUT -j ufw-after-output
- -A OUTPUT -j ufw-after-logging-output
- -A OUTPUT -j ufw-reject-output
- -A OUTPUT -j ufw-track-output
- -A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
- -A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
- -A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
- -A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
- -A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
- -A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
- -A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
- -A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
- -A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
- -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
- -A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
- -A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
- -A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
- -A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
- -A ufw-before-forward -j ufw-user-forward
- -A ufw-before-input -i lo -j ACCEPT
- -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
- -A ufw-before-input -m conntrack --ctstate INVALID -j DROP
- -A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
- -A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
- -A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
- -A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
- -A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
- -A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
- -A ufw-before-input -j ufw-not-local
- -A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
- -A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
- -A ufw-before-input -j ufw-user-input
- -A ufw-before-output -o lo -j ACCEPT
- -A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A ufw-before-output -j ufw-user-output
- -A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
- -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
- -A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
- -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
- -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
- -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
- -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
- -A ufw-not-local -j DROP
- -A ufw-skip-to-policy-forward -j DROP
- -A ufw-skip-to-policy-input -j DROP
- -A ufw-skip-to-policy-output -j ACCEPT
- -A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
- -A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
- -A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
- -A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
- -A ufw-user-limit-accept -j ACCEPT