iptables-save

a guest
Feb 17th, 2015
232
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 10.29 KB | None | 0 0
# Generated by iptables-save v1.4.14 on Tue Feb 17 20:55:42 2015
#
# Shorewall-generated ruleset (chain names and "Shorewall:" log prefixes follow
# Shorewall's conventions). As far as this dump shows there are three zones:
# "net" on eth0, and two LAN zones that share eth1 and are told apart only by
# source address (10.0.0.0/8 -> loc, 192.168.0.0/16 -> loc2).
# Tables are restored in the order raw, mangle, nat, filter; each block ends
# with COMMIT. Lines starting with "#" are ignored by iptables-restore.
*raw
# No raw rules: every packet goes through conntrack, nothing is marked NOTRACK
# and no conntrack helper is assigned here (relevant to the FTP rule in fw2net).
:PREROUTING ACCEPT [429:62137]
:OUTPUT ACCEPT [117:23438]
COMMIT
# Completed on Tue Feb 17 20:55:42 2015
# Generated by iptables-save v1.4.14 on Tue Feb 17 20:55:42 2015
*mangle
:PREROUTING ACCEPT [429:62137]
:INPUT ACCEPT [187:26396]
:FORWARD ACCEPT [216:33476]
:OUTPUT ACCEPT [117:23438]
:POSTROUTING ACCEPT [224:48999]
# Traffic-control hook chains: declared here but they contain no rules in this
# dump, so the jumps below are no-ops.
:tcfor - [0:0]
:tcin - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING -j tcpre
-A INPUT -j tcin
# The only effective mangle action: clear the low byte (mask 0xff) of the
# packet mark on every forwarded packet.
-A FORWARD -j MARK --set-xmark 0x0/0xff
-A FORWARD -j tcfor
-A OUTPUT -j tcout
-A POSTROUTING -j tcpost
COMMIT
# Completed on Tue Feb 17 20:55:42 2015
# Generated by iptables-save v1.4.14 on Tue Feb 17 20:55:42 2015
*nat
:PREROUTING ACCEPT [100:6869]
:INPUT ACCEPT [3:156]
:OUTPUT ACCEPT [5:291]
:POSTROUTING ACCEPT [6:343]
:eth0_masq - [0:0]
# Source NAT on the way out of eth0 only. There are no DNAT / port-forward
# rules, so nothing arriving from the net zone is mapped to an inside host.
-A POSTROUTING -o eth0 -j eth0_masq
-A eth0_masq -s 10.0.0.0/8 -j MASQUERADE
# NOTE(review): in the filter table, loc2 -> net (chain loc22net) allows no NEW
# flows, so this single-host masquerade rule looks unreachable for new
# connections -- confirm whether 192.168.10.3 was meant to get an ACCEPT there.
-A eth0_masq -s 192.168.10.3/32 -j MASQUERADE
COMMIT
# Completed on Tue Feb 17 20:55:42 2015
# Generated by iptables-save v1.4.14 on Tue Feb 17 20:55:42 2015
*filter
# Default policy is DROP on all built-in chains. In practice each built-in
# chain ends with an explicit Reject / LOG / reject tail, so the policy only
# catches packets that somehow fall off the end of those chains.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# %Invalid and Invalid are identical (drop conntrack INVALID); Shorewall emits
# both for different rule generators.
:%Invalid - [0:0]
:Broadcast - [0:0]
:Drop - [0:0]
:Invalid - [0:0]
:NotSyn - [0:0]
:Reject - [0:0]
# "dynamic" is jumped to from every ingress chain but holds no rules here
# (Shorewall's hook for runtime blacklisting).
:dynamic - [0:0]
:eth1_fwd - [0:0]
:eth1_in - [0:0]
:eth1_out - [0:0]
:fw2loc - [0:0]
:fw2loc2 - [0:0]
:fw2net - [0:0]
:loc22fw - [0:0]
:loc22loc - [0:0]
:loc22net - [0:0]
:loc2_frwd - [0:0]
:loc2fw - [0:0]
:loc2loc2 - [0:0]
:loc2net - [0:0]
:loc_frwd - [0:0]
# logdrop, logreject and shorewall are declared but never jumped to anywhere
# in this dump.
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:net2fw - [0:0]
:net2loc - [0:0]
:net2loc2 - [0:0]
:net_frwd - [0:0]
:reject - [0:0]
:shorewall - [0:0]
:smurflog - [0:0]
:smurfs - [0:0]
:tcpflags - [0:0]
# INPUT: dispatch by ingress interface; loopback is trusted unconditionally.
# Anything not accepted inside a zone chain -- including traffic from any
# interface other than eth0/eth1/lo -- is logged at level 3 and rejected.
# None of the LOG rules in this ruleset carry -m limit, so a flood of rejected
# packets produces an equal flood of kernel log lines.
-A INPUT -i eth0 -j net2fw
-A INPUT -i eth1 -j eth1_in
-A INPUT -i lo -j ACCEPT
-A INPUT -j Reject
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 3
-A INPUT -g reject
# FORWARD: same pattern, dispatch by ingress interface, reject-and-log tail.
-A FORWARD -i eth0 -j net_frwd
-A FORWARD -i eth1 -j eth1_fwd
-A FORWARD -j Reject
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 3
-A FORWARD -g reject
# OUTPUT (traffic originated by the firewall host itself): dispatch by egress
# interface, loopback trusted, reject-and-log tail.
-A OUTPUT -o eth0 -j fw2net
-A OUTPUT -o eth1 -j eth1_out
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j Reject
-A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:REJECT:" --log-level 3
-A OUTPUT -g reject
-A %Invalid -m conntrack --ctstate INVALID -j DROP
# Broadcast: silently discard anything addressed to a broadcast, multicast or
# anycast address (the 224.0.0.0/4 rule is a belt-and-braces multicast match).
-A Broadcast -m addrtype --dst-type BROADCAST -j DROP
-A Broadcast -m addrtype --dst-type MULTICAST -j DROP
-A Broadcast -m addrtype --dst-type ANYCAST -j DROP
-A Broadcast -d 224.0.0.0/4 -j DROP
# Drop: Shorewall's "silent discard" action. The bare first rule has no match
# and no target; it only counts packets and falls through. Ident (113) is
# actively rejected rather than dropped so clients do not hang on it; the
# "Needed ICMP types" (fragmentation-needed 3/4 and time-exceeded 11) are
# accepted so path-MTU discovery and traceroute keep working; SMB/UPnP noise
# and late DNS replies are dropped without logging; TCP packets that are not a
# bare SYN are dropped via NotSyn.
-A Drop
-A Drop -p tcp -m tcp --dport 113 -m comment --comment Auth -j reject
-A Drop -j Broadcast
-A Drop -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Drop -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Drop -j Invalid
-A Drop -p udp -m multiport --dports 135,445 -m comment --comment SMB -j DROP
-A Drop -p udp -m udp --dport 137:139 -m comment --comment SMB -j DROP
-A Drop -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment SMB -j DROP
-A Drop -p tcp -m multiport --dports 135,139,445 -m comment --comment SMB -j DROP
-A Drop -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP
-A Drop -p tcp -j NotSyn
-A Drop -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
-A Invalid -m conntrack --ctstate INVALID -j DROP
# NotSyn: drop any TCP packet whose FIN/SYN/RST/ACK flags are not exactly SYN,
# i.e. anything that is not the opening packet of a new connection.
-A NotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
# Reject: same structure as Drop, but the SMB ports are rejected (ICMP error /
# RST sent back) instead of silently dropped. UPnP and late DNS replies are
# still dropped rather than rejected.
-A Reject
-A Reject -p tcp -m tcp --dport 113 -m comment --comment Auth -j reject
-A Reject -j Broadcast
-A Reject -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Reject -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Reject -j Invalid
-A Reject -p udp -m multiport --dports 135,445 -m comment --comment SMB -j reject
-A Reject -p udp -m udp --dport 137:139 -m comment --comment SMB -j reject
-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment SMB -j reject
-A Reject -p tcp -m multiport --dports 135,139,445 -m comment --comment SMB -j reject
-A Reject -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP
-A Reject -p tcp -j NotSyn
-A Reject -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
# eth1_fwd: forwarded traffic entering on eth1. Sanity checks first (dynamic
# blacklist, smurf sources, bogus TCP flags), then the zone is chosen purely by
# source address. Packets from eth1 with a source in neither range have no
# terminal rule here and fall back to FORWARD's Reject/LOG/reject tail.
-A eth1_fwd -m conntrack --ctstate INVALID,NEW -j dynamic
-A eth1_fwd -m conntrack --ctstate INVALID,NEW -j smurfs
-A eth1_fwd -p tcp -j tcpflags
-A eth1_fwd -s 10.0.0.0/8 -j loc_frwd
-A eth1_fwd -s 192.168.0.0/16 -j loc2_frwd
# eth1_in: traffic for the firewall itself arriving on eth1. DHCP (67:68) is
# accepted from any source before any other check; the later "-s 0.0.0.0/32"
# DHCP rule is already covered by that unrestricted one. Zone selection is by
# source address only -- the two LAN zones share one interface, so nothing
# here prevents a host on eth1 from presenting an address in the other zone's
# range (no rpfilter / addrtype source check is present in this dump).
-A eth1_in -m conntrack --ctstate INVALID,NEW -j dynamic
-A eth1_in -m conntrack --ctstate INVALID,NEW -j smurfs
-A eth1_in -p udp -m udp --dport 67:68 -j ACCEPT
-A eth1_in -p tcp -j tcpflags
-A eth1_in -s 0.0.0.0/32 -p udp -m udp --dport 67:68 -j ACCEPT
-A eth1_in -s 10.0.0.0/8 -j loc2fw
-A eth1_in -s 192.168.0.0/16 -j loc22fw
# eth1_out: firewall-originated traffic leaving on eth1 (DHCP server replies
# allowed, then per-zone chain by destination address).
-A eth1_out -p udp -m udp --dport 67:68 -j ACCEPT
-A eth1_out -d 10.0.0.0/8 -j fw2loc
-A eth1_out -d 192.168.0.0/16 -j fw2loc2
# fw2loc / fw2loc2: the firewall may only answer existing connections and send
# ICMP into either LAN zone; everything else it originates toward the LANs is
# logged and rejected.
-A fw2loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw2loc -p icmp -j ACCEPT
-A fw2loc -j Reject
-A fw2loc -j LOG --log-prefix "Shorewall:fw2loc:REJECT:" --log-level 3
-A fw2loc -g reject
-A fw2loc2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw2loc2 -p icmp -j ACCEPT
-A fw2loc2 -j Reject
-A fw2loc2 -j LOG --log-prefix "Shorewall:fw2loc2:REJECT:" --log-level 3
-A fw2loc2 -g reject
# fw2net: the firewall host itself may reach the Internet for DNS, traceroute
# (UDP 33434:33524 plus echo request), any ICMP, HTTP, HTTPS and FTP control.
# The echo-request rule is subsumed by the unconditional ICMP accept right
# after it. NOTE(review): FTP data connections would have to arrive as RELATED
# via the FTP conntrack helper; nothing in this dump loads or assigns one --
# confirm that is handled elsewhere or that only the control channel is needed.
-A fw2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw2net -p udp -m udp --dport 53 -m comment --comment DNS -j ACCEPT
-A fw2net -p tcp -m tcp --dport 53 -m comment --comment DNS -j ACCEPT
-A fw2net -p udp -m udp --dport 33434:33524 -m comment --comment Trcrt -j ACCEPT
-A fw2net -p icmp -m icmp --icmp-type 8 -m comment --comment Trcrt -j ACCEPT
-A fw2net -p icmp -j ACCEPT
-A fw2net -p tcp -m tcp --dport 80 -j ACCEPT
-A fw2net -p tcp -m tcp --dport 443 -j ACCEPT
-A fw2net -p tcp -m tcp --dport 21 -m comment --comment FTP -j ACCEPT
-A fw2net -j Reject
-A fw2net -j LOG --log-prefix "Shorewall:fw2net:REJECT:" --log-level 3
-A fw2net -g reject
# loc22fw: loc2 (192.168.0.0/16) -> firewall: DNS, TCP/62128 and TCP/3128.
# Which services listen on 62128 and 3128 is not visible here (3128 is
# commonly a proxy, presumably the case -- confirm). Note loc2 is not allowed
# to ping the firewall, unlike loc.
-A loc22fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A loc22fw -p udp -m udp --dport 53 -m comment --comment DNS -j ACCEPT
-A loc22fw -p tcp -m tcp --dport 53 -m comment --comment DNS -j ACCEPT
-A loc22fw -p tcp -m tcp --dport 62128 -j ACCEPT
-A loc22fw -p tcp -m tcp --dport 3128 -j ACCEPT
-A loc22fw -j Reject
-A loc22fw -j LOG --log-prefix "Shorewall:loc22fw:REJECT:" --log-level 3
-A loc22fw -g reject
# loc22loc: loc2 -> loc forwarding: replies and ping only.
-A loc22loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A loc22loc -p icmp -m icmp --icmp-type 8 -m comment --comment Ping -j ACCEPT
-A loc22loc -j Reject
-A loc22loc -j LOG --log-prefix "Shorewall:loc22loc:REJECT:" --log-level 3
-A loc22loc -g reject
# loc22net: loc2 -> Internet: no NEW traffic is allowed at all; only replies,
# plus whatever the Drop chain ACCEPTs on its own (ICMP 3/4 and 11). Silently
# dropped, not logged.
-A loc22net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A loc22net -j Drop
-A loc22net -j DROP
# loc2_frwd: forwarded traffic sourced from loc2, split by egress interface /
# destination. loc2 -> loc2 (same range, out eth1) has no rule and falls back
# to FORWARD's reject tail.
-A loc2_frwd -o eth0 -j loc22net
-A loc2_frwd -d 10.0.0.0/8 -o eth1 -j loc22loc
# loc2fw: loc (10.0.0.0/8) -> firewall: DNS, ping and TCP/62128.
-A loc2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A loc2fw -p udp -m udp --dport 53 -m comment --comment DNS -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 53 -m comment --comment DNS -j ACCEPT
-A loc2fw -p icmp -m icmp --icmp-type 8 -m comment --comment Ping -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 62128 -j ACCEPT
-A loc2fw -j Reject
-A loc2fw -j LOG --log-prefix "Shorewall:loc2fw:REJECT:" --log-level 3
-A loc2fw -g reject
# loc2loc2: loc -> loc2 forwarding: replies, ping, and SMB/CIFS (135, 137-139,
# 445 plus NetBIOS replies from sport 137) to the single host 192.168.100.5.
-A loc2loc2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A loc2loc2 -p icmp -m icmp --icmp-type 8 -m comment --comment Ping -j ACCEPT
-A loc2loc2 -d 192.168.100.5/32 -p udp -m multiport --dports 135,445 -m comment --comment SMB -j ACCEPT
-A loc2loc2 -d 192.168.100.5/32 -p udp -m udp --dport 137:139 -m comment --comment SMB -j ACCEPT
-A loc2loc2 -d 192.168.100.5/32 -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment SMB -j ACCEPT
-A loc2loc2 -d 192.168.100.5/32 -p tcp -m multiport --dports 135,139,445 -m comment --comment SMB -j ACCEPT
-A loc2loc2 -j Reject
-A loc2loc2 -j LOG --log-prefix "Shorewall:loc2loc2:REJECT:" --log-level 3
-A loc2loc2 -g reject
# loc2net: loc -> Internet: everything is accepted, no port or destination
# restriction (the RELATED,ESTABLISHED rule before it is therefore redundant).
-A loc2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A loc2net -j ACCEPT
# loc_frwd: forwarded traffic sourced from loc, split by egress / destination.
-A loc_frwd -o eth0 -j loc2net
-A loc_frwd -d 192.168.0.0/16 -o eth1 -j loc2loc2
-A logdrop -j DROP
# logflags: target for bogus TCP flag combinations -- logged at level 6 with
# IP options included, then dropped.
-A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level 6 --log-ip-options
-A logflags -j DROP
-A logreject -j reject
# net2fw: Internet -> firewall host. Sanity checks, replies, then only ping and
# TCP/62128 are accepted from any source. Ident (113) is dropped silently;
# everything else goes through Drop, is logged at level 3 and dropped.
# NOTE(review): TCP/62128 is reachable from the whole Internet with no source
# restriction or rate limit; the listening service is not visible in this dump.
-A net2fw -m conntrack --ctstate INVALID,NEW -j dynamic
-A net2fw -m conntrack --ctstate INVALID,NEW -j smurfs
-A net2fw -p tcp -j tcpflags
-A net2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net2fw -j %Invalid
-A net2fw -p icmp -m icmp --icmp-type 8 -m comment --comment Ping -j ACCEPT
-A net2fw -p tcp -m tcp --dport 62128 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 113 -j DROP
-A net2fw -j Drop
-A net2fw -j LOG --log-prefix "Shorewall:net2fw:DROP:" --log-level 3
-A net2fw -j DROP
# net2loc / net2loc2: Internet -> either LAN: replies only, everything else is
# silently dropped (consistent with the absence of DNAT in the nat table).
-A net2loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net2loc -j %Invalid
-A net2loc -j Drop
-A net2loc -j DROP
-A net2loc2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net2loc2 -j %Invalid
-A net2loc2 -j Drop
-A net2loc2 -j DROP
# net_frwd: forwarded traffic entering on eth0, routed to a LAN chain by
# destination. Any other destination falls back to FORWARD's reject tail.
-A net_frwd -m conntrack --ctstate INVALID,NEW -j dynamic
-A net_frwd -m conntrack --ctstate INVALID,NEW -j smurfs
-A net_frwd -p tcp -j tcpflags
-A net_frwd -d 10.0.0.0/8 -o eth1 -j net2loc
-A net_frwd -d 192.168.0.0/16 -o eth1 -j net2loc2
# reject: protocol-appropriate rejection. Broadcast / multicast sources and
# IGMP are dropped without a response (never send ICMP errors to a broadcast
# source); TCP gets a RST, UDP an ICMP port-unreachable, ICMP a
# host-unreachable, and anything else host-prohibited.
-A reject -m addrtype --src-type BROADCAST -j DROP
-A reject -s 224.0.0.0/4 -j DROP
-A reject -p igmp -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
# smurfs: packets whose SOURCE is a broadcast or multicast address are logged
# (level 6) and dropped. 0.0.0.0/32 is exempted so DHCP discovers pass.
-A smurflog -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurflog -j DROP
-A smurfs -s 0.0.0.0/32 -j RETURN
-A smurfs -m addrtype --src-type BROADCAST -g smurflog
-A smurfs -s 224.0.0.0/4 -g smurflog
# tcpflags: classic invalid TCP flag combinations (FIN+PSH+URG, no flags,
# SYN+RST, SYN+FIN) and a SYN from source port 0 are sent to logflags
# (log + drop). Applied to every TCP packet before any accept rule.
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g logflags
-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g logflags
COMMIT
# Completed on Tue Feb 17 20:55:42 2015