unclemusclez

Untitled

Jul 30th, 2015
  1. $ sudo iptables -L
  2. Chain INPUT (policy DROP)
  3. target prot opt source destination
  4. ACCEPT udp -- anywhere anywhere udp dpt:domain
  5. ACCEPT tcp -- anywhere anywhere tcp dpt:domain
  6. ACCEPT udp -- anywhere anywhere udp dpt:bootps
  7. ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
  8. ufw-before-logging-input all -- anywhere anywhere
  9. ufw-before-input all -- anywhere anywhere
  10. ufw-after-input all -- anywhere anywhere
  11. ufw-after-logging-input all -- anywhere anywhere
  12. ufw-reject-input all -- anywhere anywhere
  13. ufw-track-input all -- anywhere anywhere
  14.  
  15. Chain FORWARD (policy DROP)
  16. target prot opt source destination
  17. ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
  18. ACCEPT all -- 192.168.122.0/24 anywhere
  19. ACCEPT all -- anywhere anywhere
  20. REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
  21. REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
  22. ACCEPT all -- anywhere anywhere PHYSDEV match --physdev-out vif3.0 --physdev-is-bridged
  23. ACCEPT all -- anywhere anywhere PHYSDEV match --physdev-in vif3.0 --physdev-is-bridged
  24. ACCEPT all -- anywhere anywhere PHYSDEV match --physdev-out vif2.0 --physdev-is-bridged
  25. ACCEPT all -- anywhere anywhere PHYSDEV match --physdev-in vif2.0 --physdev-is-bridged
  26. ufw-before-logging-forward all -- anywhere anywhere
  27. ufw-before-forward all -- anywhere anywhere
  28. ufw-after-forward all -- anywhere anywhere
  29. ufw-after-logging-forward all -- anywhere anywhere
  30. ufw-reject-forward all -- anywhere anywhere
  31. ufw-track-forward all -- anywhere anywhere
  32.  
  33. Chain OUTPUT (policy ACCEPT)
  34. target prot opt source destination
  35. ACCEPT udp -- anywhere anywhere udp dpt:bootpc
  36. ufw-before-logging-output all -- anywhere anywhere
  37. ufw-before-output all -- anywhere anywhere
  38. ufw-after-output all -- anywhere anywhere
  39. ufw-after-logging-output all -- anywhere anywhere
  40. ufw-reject-output all -- anywhere anywhere
  41. ufw-track-output all -- anywhere anywhere
  42.  
  43. Chain ufw-after-forward (1 references)
  44. target prot opt source destination
  45.  
  46. Chain ufw-after-input (1 references)
  47. target prot opt source destination
  48. ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
  49. ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
  50. ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
  51. ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
  52. ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
  53. ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
  54. ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
  55.  
  56. Chain ufw-after-logging-forward (1 references)
  57. target prot opt source destination
  58. LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
  59.  
  60. Chain ufw-after-logging-input (1 references)
  61. target prot opt source destination
  62. LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
  63.  
  64. Chain ufw-after-logging-output (1 references)
  65. target prot opt source destination
  66.  
  67. Chain ufw-after-output (1 references)
  68. target prot opt source destination
  69.  
  70. Chain ufw-before-forward (1 references)
  71. target prot opt source destination
  72. ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
  73. ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
  74. ACCEPT icmp -- anywhere anywhere icmp source-quench
  75. ACCEPT icmp -- anywhere anywhere icmp time-exceeded
  76. ACCEPT icmp -- anywhere anywhere icmp parameter-problem
  77. ACCEPT icmp -- anywhere anywhere icmp echo-request
  78. ufw-user-forward all -- anywhere anywhere
  79.  
  80. Chain ufw-before-input (1 references)
  81. target prot opt source destination
  82. ACCEPT all -- anywhere anywhere
  83. ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
  84. ufw-logging-deny all -- anywhere anywhere ctstate INVALID
  85. DROP all -- anywhere anywhere ctstate INVALID
  86. ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
  87. ACCEPT icmp -- anywhere anywhere icmp source-quench
  88. ACCEPT icmp -- anywhere anywhere icmp time-exceeded
  89. ACCEPT icmp -- anywhere anywhere icmp parameter-problem
  90. ACCEPT icmp -- anywhere anywhere icmp echo-request
  91. ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
  92. ufw-not-local all -- anywhere anywhere
  93. ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
  94. ACCEPT udp -- anywhere 239.255.255.250 udp dpt:1900
  95. ufw-user-input all -- anywhere anywhere
  96.  
  97. Chain ufw-before-logging-forward (1 references)
  98. target prot opt source destination
  99.  
  100. Chain ufw-before-logging-input (1 references)
  101. target prot opt source destination
  102.  
  103. Chain ufw-before-logging-output (1 references)
  104. target prot opt source destination
  105.  
  106. Chain ufw-before-output (1 references)
  107. target prot opt source destination
  108. ACCEPT all -- anywhere anywhere
  109. ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
  110. ufw-user-output all -- anywhere anywhere
  111.  
  112. Chain ufw-logging-allow (0 references)
  113. target prot opt source destination
  114. LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
  115.  
  116. Chain ufw-logging-deny (2 references)
  117. target prot opt source destination
  118. RETURN all -- anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
  119. LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
  120.  
  121. Chain ufw-not-local (1 references)
  122. target prot opt source destination
  123. RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
  124. RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
  125. RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
  126. ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
  127. DROP all -- anywhere anywhere
  128.  
  129. Chain ufw-reject-forward (1 references)
  130. target prot opt source destination
  131.  
  132. Chain ufw-reject-input (1 references)
  133. target prot opt source destination
  134.  
  135. Chain ufw-reject-output (1 references)
  136. target prot opt source destination
  137.  
  138. Chain ufw-skip-to-policy-forward (0 references)
  139. target prot opt source destination
  140. DROP all -- anywhere anywhere
  141.  
  142. Chain ufw-skip-to-policy-input (7 references)
  143. target prot opt source destination
  144. DROP all -- anywhere anywhere
  145.  
  146. Chain ufw-skip-to-policy-output (0 references)
  147. target prot opt source destination
  148. ACCEPT all -- anywhere anywhere
  149.  
  150. Chain ufw-track-forward (1 references)
  151. target prot opt source destination
  152.  
  153. Chain ufw-track-input (1 references)
  154. target prot opt source destination
  155.  
  156. Chain ufw-track-output (1 references)
  157. target prot opt source destination
  158. ACCEPT tcp -- anywhere anywhere ctstate NEW
  159. ACCEPT udp -- anywhere anywhere ctstate NEW
  160.  
  161. Chain ufw-user-forward (1 references)
  162. target prot opt source destination
  163.  
  164. Chain ufw-user-input (1 references)
  165. target prot opt source destination
  166.  
  167. Chain ufw-user-limit (0 references)
  168. target prot opt source destination
  169. LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
  170. REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
  171.  
  172. Chain ufw-user-limit-accept (0 references)
  173. target prot opt source destination
  174. ACCEPT all -- anywhere anywhere
  175.  
  176. Chain ufw-user-logging-forward (0 references)
  177. target prot opt source destination
  178.  
  179. Chain ufw-user-logging-input (0 references)
  180. target prot opt source destination
  181.  
  182. Chain ufw-user-logging-output (0 references)
  183. target prot opt source destination
  184.  
  185. Chain ufw-user-output (1 references)
  186. target prot opt source destination
  187. $ sudo iptables -S
  188. -P INPUT DROP
  189. -P FORWARD DROP
  190. -P OUTPUT ACCEPT
  191. -N ufw-after-forward
  192. -N ufw-after-input
  193. -N ufw-after-logging-forward
  194. -N ufw-after-logging-input
  195. -N ufw-after-logging-output
  196. -N ufw-after-output
  197. -N ufw-before-forward
  198. -N ufw-before-input
  199. -N ufw-before-logging-forward
  200. -N ufw-before-logging-input
  201. -N ufw-before-logging-output
  202. -N ufw-before-output
  203. -N ufw-logging-allow
  204. -N ufw-logging-deny
  205. -N ufw-not-local
  206. -N ufw-reject-forward
  207. -N ufw-reject-input
  208. -N ufw-reject-output
  209. -N ufw-skip-to-policy-forward
  210. -N ufw-skip-to-policy-input
  211. -N ufw-skip-to-policy-output
  212. -N ufw-track-forward
  213. -N ufw-track-input
  214. -N ufw-track-output
  215. -N ufw-user-forward
  216. -N ufw-user-input
  217. -N ufw-user-limit
  218. -N ufw-user-limit-accept
  219. -N ufw-user-logging-forward
  220. -N ufw-user-logging-input
  221. -N ufw-user-logging-output
  222. -N ufw-user-output
  223. -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
  224. -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
  225. -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
  226. -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
  227. -A INPUT -j ufw-before-logging-input
  228. -A INPUT -j ufw-before-input
  229. -A INPUT -j ufw-after-input
  230. -A INPUT -j ufw-after-logging-input
  231. -A INPUT -j ufw-reject-input
  232. -A INPUT -j ufw-track-input
  233. -A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  234. -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
  235. -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
  236. -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
  237. -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
  238. -A FORWARD -m physdev --physdev-out vif3.0 --physdev-is-bridged -j ACCEPT
  239. -A FORWARD -m physdev --physdev-in vif3.0 --physdev-is-bridged -j ACCEPT
  240. -A FORWARD -m physdev --physdev-out vif2.0 --physdev-is-bridged -j ACCEPT
  241. -A FORWARD -m physdev --physdev-in vif2.0 --physdev-is-bridged -j ACCEPT
  242. -A FORWARD -j ufw-before-logging-forward
  243. -A FORWARD -j ufw-before-forward
  244. -A FORWARD -j ufw-after-forward
  245. -A FORWARD -j ufw-after-logging-forward
  246. -A FORWARD -j ufw-reject-forward
  247. -A FORWARD -j ufw-track-forward
  248. -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
  249. -A OUTPUT -j ufw-before-logging-output
  250. -A OUTPUT -j ufw-before-output
  251. -A OUTPUT -j ufw-after-output
  252. -A OUTPUT -j ufw-after-logging-output
  253. -A OUTPUT -j ufw-reject-output
  254. -A OUTPUT -j ufw-track-output
  255. -A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
  256. -A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
  257. -A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
  258. -A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
  259. -A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
  260. -A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
  261. -A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
  262. -A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
  263. -A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
  264. -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  265. -A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
  266. -A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
  267. -A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
  268. -A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
  269. -A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
  270. -A ufw-before-forward -j ufw-user-forward
  271. -A ufw-before-input -i lo -j ACCEPT
  272. -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  273. -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
  274. -A ufw-before-input -m conntrack --ctstate INVALID -j DROP
  275. -A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
  276. -A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
  277. -A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
  278. -A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
  279. -A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
  280. -A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
  281. -A ufw-before-input -j ufw-not-local
  282. -A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
  283. -A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
  284. -A ufw-before-input -j ufw-user-input
  285. -A ufw-before-output -o lo -j ACCEPT
  286. -A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  287. -A ufw-before-output -j ufw-user-output
  288. -A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
  289. -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
  290. -A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
  291. -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
  292. -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
  293. -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
  294. -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
  295. -A ufw-not-local -j DROP
  296. -A ufw-skip-to-policy-forward -j DROP
  297. -A ufw-skip-to-policy-input -j DROP
  298. -A ufw-skip-to-policy-output -j ACCEPT
  299. -A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
  300. -A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
  301. -A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
  302. -A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
  303. -A ufw-user-limit-accept -j ACCEPT