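# Generated by iptables-save v1.4.21 on Wed Jul 25 22:35:07 2018
# Review notes below are whole-line '#' comments: iptables-restore skips such
# lines, whereas a trailing '#' on a rule line would be parsed as an argument
# and make the restore fail. Tables follow in save order (security, raw,
# mangle, nat, filter); the first three carry no rules and only declare
# ACCEPT policies with their packet/byte counters.
*security
:INPUT ACCEPT [1201707:89077703]
:FORWARD ACCEPT [3815797:3847225101]
:OUTPUT ACCEPT [1887436:2651647256]
COMMIT
# Completed on Wed Jul 25 22:35:07 2018
# Generated by iptables-save v1.4.21 on Wed Jul 25 22:35:07 2018
*raw
:PREROUTING ACCEPT [5057118:3941435888]
:OUTPUT ACCEPT [1888196:2651677656]
COMMIT
# Completed on Wed Jul 25 22:35:07 2018
# Generated by iptables-save v1.4.21 on Wed Jul 25 22:35:07 2018
*mangle
:PREROUTING ACCEPT [5057118:3941435888]
:INPUT ACCEPT [1228486:91729093]
:FORWARD ACCEPT [3816999:3847696974]
:OUTPUT ACCEPT [1888196:2651677656]
:POSTROUTING ACCEPT [5703520:6498939502]
COMMIT
# Completed on Wed Jul 25 22:35:07 2018
# Generated by iptables-save v1.4.21 on Wed Jul 25 22:35:07 2018
*nat
:PREROUTING ACCEPT [55576:6225421]
:INPUT ACCEPT [1742:177860]
:OUTPUT ACCEPT [11942:1212195]
:POSTROUTING ACCEPT [112:9316]
# Port-forward: tcp/1234 on the public address is rewritten to 192.168.0.32:22
# (SSH). The original dump listed this rule three times with identical match
# and target; DNAT is terminating and the first copy always matched, so the
# repeats were dead weight (most likely an append script re-run without a
# flush) and are collapsed to one rule here. There is no '-i' restriction, so
# the redirect applies to matching packets arriving on any interface; whether
# the forwarded SSH session is admitted is decided by the filter FORWARD chain.
-A PREROUTING -d 12.34.56.78/32 -p tcp -m tcp --dport 1234 -j DNAT --to-destination 192.168.0.32:22
# Source-rewrite of forwarded SSH traffic to the public address (presumably a
# hairpin/loopback-NAT aid for LAN clients — confirm). Side effect for
# defenders: 192.168.0.32 sees every SSH client as 12.34.56.78, so its auth
# logs and any per-source lockout on that host lose the real client address;
# only conntrack on this router (and any logging added here) retains it.
# Also deduplicated from three identical copies in the original dump.
-A POSTROUTING -d 192.168.0.32/32 -p tcp -m tcp --dport 22 -j SNAT --to-source 12.34.56.78
# Outbound masquerade on all three egress interfaces.
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o br0 -j MASQUERADE
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
# Completed on Wed Jul 25 22:35:07 2018
# Generated by iptables-save v1.4.21 on Wed Jul 25 22:35:07 2018
*filter
# Default-deny for inbound and forwarded traffic; outbound is allow-by-default.
:INPUT DROP [18811:1795794]
:FORWARD DROP [403:436525]
:OUTPUT ACCEPT [0:0]
# ICMP echo requests: '-m limit' is a single global bucket (not per source),
# so one echo request per second is accepted in total and the rest dropped.
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
# Country blocklist (xtables-addons geoip match; needs its GeoIP database
# present and current on the host). Blocklists only catch what they list.
-A INPUT -m geoip --source-country ZA,CO,CL,IR,MX,EC,PE,UA -j DROP
-A INPUT -m geoip --source-country CN,JP,KP,KR,PK,TW,HK,BR,IN,TR,ID,DZ,VN,DO,AE -j DROP
# Static source blocklist: address ranges and single hosts.
-A INPUT -m iprange --src-range 78.47.120.32-78.47.120.47 -j DROP
-A INPUT -m iprange --src-range 192.17.0.0-192.17.255.255 -j DROP
-A INPUT -m iprange --src-range 130.126.0.0-130.126.255.255 -j DROP
-A INPUT -m iprange --src-range 72.36.64.0-72.36.127.255 -j DROP
-A INPUT -s 213.88.49.71/32 -j DROP
-A INPUT -s 89.222.164.212/32 -j DROP
# Loopback and eth1 are trusted unconditionally, ahead of the INVALID/flag
# sanity checks and rate limits below — anything that can reach eth1 bypasses
# all of them.
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
# Conntrack and TCP-flag sanity: drop INVALID, all-flags and no-flags probes,
# NEW segments that are not a lone SYN, and answer a NEW SYN+ACK with a reset.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -p tcp -m conntrack --ctstate INVALID,NEW -m tcp --tcp-flags SYN,ACK SYN,ACK -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
# Per-source NEW-connection tracking on the service ports: the '--set' rules
# only record the source (no target), the '--update' rules drop a /32 that
# opened more than 180 NEW connections within 60 s. No '-i' here, so this
# applies on every interface except lo/eth1, which were already accepted.
-A INPUT -p tcp -m tcp -m multiport --dports 20,21,25,80,139,443,445,1194,2285,9091 -m conntrack --ctstate NEW -m recent --set --name ddos_block_conn_tcp --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp -m multiport --dports 20,21,25,80,139,443,445,1194,2285,9091 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 180 --name ddos_block_conn_tcp --mask 255.255.255.255 --rsource -j DROP
-A INPUT -p udp -m udp -m multiport --dports 123,137,138,1194 -m conntrack --ctstate NEW -m recent --set --name ddos_block_conn_udp --mask 255.255.255.255 --rsource
-A INPUT -p udp -m udp -m multiport --dports 123,137,138,1194 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 180 --name ddos_block_conn_udp --mask 255.255.255.255 --rsource -j DROP
# Per interface (eth0, br0, tun0): concurrent-connection cap (more than 16
# from one source -> DROP) and a NEW-connection hashlimit (36/min, burst 24,
# per source -> ACCEPT). NEW attempts above the hashlimit are not dropped by
# these rules; they fall through, so they are still accepted if they come from
# 192.168.0.0/16 (rules further down) and otherwise meet the INPUT DROP policy.
-A INPUT -i eth0 -p tcp -m multiport --dports 20,21,25,80,139,443,445,1194,2285,9091 -m connlimit --connlimit-above 16 --connlimit-mask 32 --connlimit-saddr -j DROP
-A INPUT -i eth0 -p tcp -m multiport --dports 20,21,25,80,139,443,445,1194,2285,9091 -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto 36/min --hashlimit-burst 24 --hashlimit-mode srcip --hashlimit-name ddos_block_tcp -j ACCEPT
-A INPUT -i eth0 -p udp -m multiport --dports 123,137,138,1194 -m connlimit --connlimit-above 16 --connlimit-mask 32 --connlimit-saddr -j DROP
-A INPUT -i eth0 -p udp -m multiport --dports 123,137,138,1194 -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto 36/min --hashlimit-burst 24 --hashlimit-mode srcip --hashlimit-name ddos_block_udp -j ACCEPT
-A INPUT -i br0 -p tcp -m multiport --dports 20,21,25,80,139,443,445,1194,2285,9091 -m connlimit --connlimit-above 16 --connlimit-mask 32 --connlimit-saddr -j DROP
-A INPUT -i br0 -p tcp -m multiport --dports 20,21,25,80,139,443,445,1194,2285,9091 -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto 36/min --hashlimit-burst 24 --hashlimit-mode srcip --hashlimit-name ddos_block_tcp -j ACCEPT
-A INPUT -i br0 -p udp -m multiport --dports 123,137,138,1194 -m connlimit --connlimit-above 16 --connlimit-mask 32 --connlimit-saddr -j DROP
-A INPUT -i br0 -p udp -m multiport --dports 123,137,138,1194 -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto 36/min --hashlimit-burst 24 --hashlimit-mode srcip --hashlimit-name ddos_block_udp -j ACCEPT
-A INPUT -i tun0 -p tcp -m multiport --dports 20,21,25,80,139,443,445,1194,2285,9091 -m connlimit --connlimit-above 16 --connlimit-mask 32 --connlimit-saddr -j DROP
-A INPUT -i tun0 -p tcp -m multiport --dports 20,21,25,80,139,443,445,1194,2285,9091 -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto 36/min --hashlimit-burst 24 --hashlimit-mode srcip --hashlimit-name ddos_block_tcp -j ACCEPT
-A INPUT -i tun0 -p udp -m multiport --dports 123,137,138,1194 -m connlimit --connlimit-above 16 --connlimit-mask 32 --connlimit-saddr -j DROP
-A INPUT -i tun0 -p udp -m multiport --dports 123,137,138,1194 -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto 36/min --hashlimit-burst 24 --hashlimit-mode srcip --hashlimit-name ddos_block_udp -j ACCEPT
# Silently drop UDP broadcasts (noise from the local segments).
-A INPUT -p udp -m pkttype --pkt-type broadcast -j DROP
# Per interface: replies to established flows, NEW connections from
# 192.168.0.0/16, and GRE. The /16 trust is keyed on the source address
# only; if any of eth0/br0/tun0 is the upstream side, spoofed RFC1918 sources
# arriving there would pass this rule — an anti-spoofing drop on that
# interface, placed above these rules, would close that.
-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/16 -i eth0 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i eth0 -p gre -j ACCEPT
-A INPUT -i br0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/16 -i br0 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i br0 -p gre -j ACCEPT
-A INPUT -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/16 -i tun0 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i tun0 -p gre -j ACCEPT
# FORWARD: INVALID dropped; replies accepted per ingress interface; NEW
# accepted per egress interface for tcp 21,22,53,80,81,139,443,445 and udp
# 53,123,137,138 plus the whole 1024:65535 range in both protocols, and all
# NEW ICMP. These rules match on '-o' only, so they admit NEW flows from any
# ingress — including the DNAT'd tcp/22 from the nat table — toward any host
# behind that egress interface.
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i eth0 -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o eth0 -p tcp -m multiport --dports 21,22,53,80,81,139,443,445,1024:65535 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i eth0 -p udp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o eth0 -p udp -m multiport --dports 53,123,137,138,1024:65535 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i eth0 -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o eth0 -p icmp -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i br0 -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br0 -p tcp -m multiport --dports 21,22,53,80,81,139,443,445,1024:65535 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i br0 -p udp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br0 -p udp -m multiport --dports 53,123,137,138,1024:65535 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i br0 -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br0 -p icmp -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i tun0 -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o tun0 -p tcp -m multiport --dports 21,22,53,80,81,139,443,445,1024:65535 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i tun0 -p udp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o tun0 -p udp -m multiport --dports 53,123,137,138,1024:65535 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i tun0 -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o tun0 -p icmp -m conntrack --ctstate NEW -j ACCEPT
# OUTPUT: lo and eth1 unrestricted; INVALID dropped; on the other interfaces,
# locally originated and reply traffic plus GRE are allowed explicitly
# (the chain policy is ACCEPT anyway, so these rules mainly serve as counters
# and as a place to tighten later).
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -o eth0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p gre -j ACCEPT
-A OUTPUT -o br0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o br0 -p gre -j ACCEPT
-A OUTPUT -o tun0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o tun0 -p gre -j ACCEPT
COMMIT
# Completed on Wed Jul 25 22:35:07 2018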