  1. # Generated by iptables-save v1.4.21 on Wed Jul 25 22:35:07 2018
  2. *security
  3. :INPUT ACCEPT [1201707:89077703]
  4. :FORWARD ACCEPT [3815797:3847225101]
  5. :OUTPUT ACCEPT [1887436:2651647256]
  6. COMMIT
  7. # Completed on Wed Jul 25 22:35:07 2018
  8. # Generated by iptables-save v1.4.21 on Wed Jul 25 22:35:07 2018
  9. *raw
  10. :PREROUTING ACCEPT [5057118:3941435888]
  11. :OUTPUT ACCEPT [1888196:2651677656]
  12. COMMIT
  13. # Completed on Wed Jul 25 22:35:07 2018
  14. # Generated by iptables-save v1.4.21 on Wed Jul 25 22:35:07 2018
  15. *mangle
  16. :PREROUTING ACCEPT [5057118:3941435888]
  17. :INPUT ACCEPT [1228486:91729093]
  18. :FORWARD ACCEPT [3816999:3847696974]
  19. :OUTPUT ACCEPT [1888196:2651677656]
  20. :POSTROUTING ACCEPT [5703520:6498939502]
  21. COMMIT
  22. # Completed on Wed Jul 25 22:35:07 2018
  23. # Generated by iptables-save v1.4.21 on Wed Jul 25 22:35:07 2018
  24. *nat
  25. :PREROUTING ACCEPT [55576:6225421]
  26. :INPUT ACCEPT [1742:177860]
  27. :OUTPUT ACCEPT [11942:1212195]
  28. :POSTROUTING ACCEPT [112:9316]
  29. -A PREROUTING -d 12.34.56.78/32 -p tcp -m tcp --dport 1234 -j DNAT --to-destination 192.168.0.32:22
  30. -A PREROUTING -d 12.34.56.78/32 -p tcp -m tcp --dport 1234 -j DNAT --to-destination 192.168.0.32:22
  31. -A PREROUTING -d 12.34.56.78/32 -p tcp -m tcp --dport 1234 -j DNAT --to-destination 192.168.0.32:22
  32. -A POSTROUTING -d 192.168.0.32/32 -p tcp -m tcp --dport 22 -j SNAT --to-source 12.34.56.78
  33. -A POSTROUTING -o eth0 -j MASQUERADE
  34. -A POSTROUTING -d 192.168.0.32/32 -p tcp -m tcp --dport 22 -j SNAT --to-source 12.34.56.78
  35. -A POSTROUTING -o br0 -j MASQUERADE
  36. -A POSTROUTING -d 192.168.0.32/32 -p tcp -m tcp --dport 22 -j SNAT --to-source 12.34.56.78
  37. -A POSTROUTING -o tun0 -j MASQUERADE
  38. COMMIT
  39. # Completed on Wed Jul 25 22:35:07 2018
  40. # Generated by iptables-save v1.4.21 on Wed Jul 25 22:35:07 2018
  41. *filter
  42. :INPUT DROP [18811:1795794]
  43. :FORWARD DROP [403:436525]
  44. :OUTPUT ACCEPT [0:0]
  45. -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
  46. -A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
  47. -A INPUT -m geoip --source-country ZA,CO,CL,IR,MX,EC,PE,UA -j DROP
  48. -A INPUT -m geoip --source-country CN,JP,KP,KR,PK,TW,HK,BR,IN,TR,ID,DZ,VN,DO,AE -j DROP
  49. -A INPUT -m iprange --src-range 78.47.120.32-78.47.120.47 -j DROP
  50. -A INPUT -m iprange --src-range 192.17.0.0-192.17.255.255 -j DROP
  51. -A INPUT -m iprange --src-range 130.126.0.0-130.126.255.255 -j DROP
  52. -A INPUT -m iprange --src-range 72.36.64.0-72.36.127.255 -j DROP
  53. -A INPUT -s 213.88.49.71/32 -j DROP
  54. -A INPUT -s 89.222.164.212/32 -j DROP
  55. -A INPUT -i lo -j ACCEPT
  56. -A INPUT -i eth1 -j ACCEPT
  57. -A INPUT -m conntrack --ctstate INVALID -j DROP
  58. -A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
  59. -A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
  60. -A INPUT -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
  61. -A INPUT -p tcp -m conntrack --ctstate INVALID,NEW -m tcp --tcp-flags SYN,ACK SYN,ACK -j REJECT --reject-with tcp-reset
  62. -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
  63. -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
  64. -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
  65. -A INPUT -p tcp -m tcp -m multiport --dports 20,21,25,80,139,443,445,1194,2285,9091 -m conntrack --ctstate NEW -m recent --set --name ddos_block_conn_tcp --mask 255.255.255.255 --rsource
  66. -A INPUT -p tcp -m tcp -m multiport --dports 20,21,25,80,139,443,445,1194,2285,9091 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 180 --name ddos_block_conn_tcp --mask 255.255.255.255 --rsource -j DROP
  67. -A INPUT -p udp -m udp -m multiport --dports 123,137,138,1194 -m conntrack --ctstate NEW -m recent --set --name ddos_block_conn_udp --mask 255.255.255.255 --rsource
  68. -A INPUT -p udp -m udp -m multiport --dports 123,137,138,1194 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 180 --name ddos_block_conn_udp --mask 255.255.255.255 --rsource -j DROP
  69. -A INPUT -i eth0 -p tcp -m multiport --dports 20,21,25,80,139,443,445,1194,2285,9091 -m connlimit --connlimit-above 16 --connlimit-mask 32 --connlimit-saddr -j DROP
  70. -A INPUT -i eth0 -p tcp -m multiport --dports 20,21,25,80,139,443,445,1194,2285,9091 -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto 36/min --hashlimit-burst 24 --hashlimit-mode srcip --hashlimit-name ddos_block_tcp -j ACCEPT
  71. -A INPUT -i eth0 -p udp -m multiport --dports 123,137,138,1194 -m connlimit --connlimit-above 16 --connlimit-mask 32 --connlimit-saddr -j DROP
  72. -A INPUT -i eth0 -p udp -m multiport --dports 123,137,138,1194 -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto 36/min --hashlimit-burst 24 --hashlimit-mode srcip --hashlimit-name ddos_block_udp -j ACCEPT
  73. -A INPUT -i br0 -p tcp -m multiport --dports 20,21,25,80,139,443,445,1194,2285,9091 -m connlimit --connlimit-above 16 --connlimit-mask 32 --connlimit-saddr -j DROP
  74. -A INPUT -i br0 -p tcp -m multiport --dports 20,21,25,80,139,443,445,1194,2285,9091 -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto 36/min --hashlimit-burst 24 --hashlimit-mode srcip --hashlimit-name ddos_block_tcp -j ACCEPT
  75. -A INPUT -i br0 -p udp -m multiport --dports 123,137,138,1194 -m connlimit --connlimit-above 16 --connlimit-mask 32 --connlimit-saddr -j DROP
  76. -A INPUT -i br0 -p udp -m multiport --dports 123,137,138,1194 -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto 36/min --hashlimit-burst 24 --hashlimit-mode srcip --hashlimit-name ddos_block_udp -j ACCEPT
  77. -A INPUT -i tun0 -p tcp -m multiport --dports 20,21,25,80,139,443,445,1194,2285,9091 -m connlimit --connlimit-above 16 --connlimit-mask 32 --connlimit-saddr -j DROP
  78. -A INPUT -i tun0 -p tcp -m multiport --dports 20,21,25,80,139,443,445,1194,2285,9091 -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto 36/min --hashlimit-burst 24 --hashlimit-mode srcip --hashlimit-name ddos_block_tcp -j ACCEPT
  79. -A INPUT -i tun0 -p udp -m multiport --dports 123,137,138,1194 -m connlimit --connlimit-above 16 --connlimit-mask 32 --connlimit-saddr -j DROP
  80. -A INPUT -i tun0 -p udp -m multiport --dports 123,137,138,1194 -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto 36/min --hashlimit-burst 24 --hashlimit-mode srcip --hashlimit-name ddos_block_udp -j ACCEPT
  81. -A INPUT -p udp -m pkttype --pkt-type broadcast -j DROP
  82. -A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  83. -A INPUT -s 192.168.0.0/16 -i eth0 -m conntrack --ctstate NEW -j ACCEPT
  84. -A INPUT -i eth0 -p gre -j ACCEPT
  85. -A INPUT -i br0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  86. -A INPUT -s 192.168.0.0/16 -i br0 -m conntrack --ctstate NEW -j ACCEPT
  87. -A INPUT -i br0 -p gre -j ACCEPT
  88. -A INPUT -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  89. -A INPUT -s 192.168.0.0/16 -i tun0 -m conntrack --ctstate NEW -j ACCEPT
  90. -A INPUT -i tun0 -p gre -j ACCEPT
  91. -A FORWARD -m conntrack --ctstate INVALID -j DROP
  92. -A FORWARD -i eth0 -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  93. -A FORWARD -o eth0 -p tcp -m multiport --dports 21,22,53,80,81,139,443,445,1024:65535 -m conntrack --ctstate NEW -j ACCEPT
  94. -A FORWARD -i eth0 -p udp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  95. -A FORWARD -o eth0 -p udp -m multiport --dports 53,123,137,138,1024:65535 -m conntrack --ctstate NEW -j ACCEPT
  96. -A FORWARD -i eth0 -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  97. -A FORWARD -o eth0 -p icmp -m conntrack --ctstate NEW -j ACCEPT
  98. -A FORWARD -i br0 -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  99. -A FORWARD -o br0 -p tcp -m multiport --dports 21,22,53,80,81,139,443,445,1024:65535 -m conntrack --ctstate NEW -j ACCEPT
  100. -A FORWARD -i br0 -p udp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  101. -A FORWARD -o br0 -p udp -m multiport --dports 53,123,137,138,1024:65535 -m conntrack --ctstate NEW -j ACCEPT
  102. -A FORWARD -i br0 -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  103. -A FORWARD -o br0 -p icmp -m conntrack --ctstate NEW -j ACCEPT
  104. -A FORWARD -i tun0 -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  105. -A FORWARD -o tun0 -p tcp -m multiport --dports 21,22,53,80,81,139,443,445,1024:65535 -m conntrack --ctstate NEW -j ACCEPT
  106. -A FORWARD -i tun0 -p udp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  107. -A FORWARD -o tun0 -p udp -m multiport --dports 53,123,137,138,1024:65535 -m conntrack --ctstate NEW -j ACCEPT
  108. -A FORWARD -i tun0 -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  109. -A FORWARD -o tun0 -p icmp -m conntrack --ctstate NEW -j ACCEPT
  110. -A OUTPUT -o lo -j ACCEPT
  111. -A OUTPUT -o eth1 -j ACCEPT
  112. -A OUTPUT -m conntrack --ctstate INVALID -j DROP
  113. -A OUTPUT -o eth0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
  114. -A OUTPUT -o eth0 -p gre -j ACCEPT
  115. -A OUTPUT -o br0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
  116. -A OUTPUT -o br0 -p gre -j ACCEPT
  117. -A OUTPUT -o tun0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
  118. -A OUTPUT -o tun0 -p gre -j ACCEPT
  119. COMMIT
  120. # Completed on Wed Jul 25 22:35:07 2018