danastasio

Untitled

Sep 5th, 2019
  # Diagnostic capture: addresses for both families (ip a), then IPv4-only routes (ip r), IPv4-only policy-routing
  # rules (ip ru) and the IPv4 netfilter ruleset (iptables-save). The IPv6 counterparts (ip -6 r, ip6tables-save) are
  # not captured even though br-lan and eth1.2 hold global IPv6 addresses below, so IPv6 policy cannot be reviewed here.
  1. ip a; ip r; ip ru; iptables-save
  2. 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
  3. link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
  4. inet 127.0.0.1/8 scope host lo
  5. valid_lft forever preferred_lft forever
  6. inet6 ::1/128 scope host
  7. valid_lft forever preferred_lft forever
  8. 2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 532
  9. link/ether 14:91:82:27:7c:b5 brd ff:ff:ff:ff:ff:ff
  10. inet6 fe80::1691:82ff:fe27:7cb5/64 scope link
  11. valid_lft forever preferred_lft forever
  12. 3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 532
  13. link/ether 16:91:82:27:7c:b5 brd ff:ff:ff:ff:ff:ff
  14. inet6 fe80::1491:82ff:fe27:7cb5/64 scope link
  15. valid_lft forever preferred_lft forever
  16. 7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
  17. link/ether 16:91:82:27:7c:b5 brd ff:ff:ff:ff:ff:ff
  18. inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
  19. valid_lft forever preferred_lft forever
  20. inet6 2601:182:4200:dfa9::1/64 scope global dynamic
  21. valid_lft 177802sec preferred_lft 177802sec
  22. inet6 fde4:faf1:87f3::1/60 scope global
  23. valid_lft forever preferred_lft forever
  24. inet6 fe80::1491:82ff:fe27:7cb5/64 scope link
  25. valid_lft forever preferred_lft forever
  26. 8: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
  27. link/ether 16:91:82:27:7c:b5 brd ff:ff:ff:ff:ff:ff
  28. 9: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
  29. link/ether 14:91:82:27:7c:b5 brd ff:ff:ff:ff:ff:ff
  30. inet 24.63.84.229/22 brd 24.63.87.255 scope global eth1.2
  31. valid_lft forever preferred_lft forever
  32. inet6 2001:558:6017:136:f4d5:dcc0:d9a1:3464/128 scope global dynamic
  33. valid_lft 177802sec preferred_lft 177802sec
  34. inet6 fe80::1691:82ff:fe27:7cb5/64 scope link
  35. valid_lft forever preferred_lft forever
  36. 10: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
  37. link/ether 16:91:82:27:7c:b6 brd ff:ff:ff:ff:ff:ff
  38. inet6 fe80::1491:82ff:fe27:7cb6/64 scope link
  39. valid_lft forever preferred_lft forever
  40. 11: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
  41. link/ether 16:91:82:27:7c:b7 brd ff:ff:ff:ff:ff:ff
  42. inet6 fe80::1491:82ff:fe27:7cb7/64 scope link
  43. valid_lft forever preferred_lft forever
  44. default via 24.63.84.1 dev eth1.2 src 24.63.84.229
  45. 24.63.84.0/22 dev eth1.2 scope link src 24.63.84.229
  46. 192.168.1.0/24 dev br-lan scope link src 192.168.1.1
  47. 0: from all lookup local
  48. 32766: from all lookup main
  49. 32767: from all lookup default
  50. # Generated by iptables-save v1.6.2 on Fri Sep 6 02:10:39 2019
  # nat table, fw3-generated. The inbound exposure is defined here: @redirect[0] forwards wan 80/tcp and 80/udp to
  # 192.168.1.152:80, and @redirect[1] forwards wan 443/tcp and 443/udp to the same host, also on port 80
  # (see the zone_wan_prerouting rules at the end of this table).
  51. *nat
  52. :PREROUTING ACCEPT [4687:628150]
  53. :INPUT ACCEPT [862:76802]
  54. :OUTPUT ACCEPT [1664:118266]
  55. :POSTROUTING ACCEPT [16:1111]
  56. :postrouting_lan_rule - [0:0]
  57. :postrouting_rule - [0:0]
  58. :postrouting_wan_rule - [0:0]
  59. :prerouting_lan_rule - [0:0]
  60. :prerouting_rule - [0:0]
  61. :prerouting_wan_rule - [0:0]
  62. :zone_lan_postrouting - [0:0]
  63. :zone_lan_prerouting - [0:0]
  64. :zone_wan_postrouting - [0:0]
  65. :zone_wan_prerouting - [0:0]
  66. -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
  67. -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
  68. -A PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
  69. -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
  70. -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
  71. -A POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
  72. -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
  # NAT reflection (hairpin) for the two redirects: LAN clients that connect to the WAN address 24.63.84.229 are DNATed
  # to 192.168.1.152 in zone_lan_prerouting, and these SNAT rules rewrite the source to the router (192.168.1.1) so the
  # reply travels back through the router instead of going straight to the client. The dport matched here is the
  # post-DNAT port, which is why both redirects match 80 and the @redirect[1] pair duplicates the @redirect[0] pair.
  73. -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.152/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: @redirect[0] (reflection)" -j SNAT --to-source 192.168.1.1
  74. -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.152/32 -p udp -m udp --dport 80 -m comment --comment "!fw3: @redirect[0] (reflection)" -j SNAT --to-source 192.168.1.1
  75. -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.152/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: @redirect[1] (reflection)" -j SNAT --to-source 192.168.1.1
  76. -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.152/32 -p udp -m udp --dport 80 -m comment --comment "!fw3: @redirect[1] (reflection)" -j SNAT --to-source 192.168.1.1
  77. -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
  78. -A zone_lan_prerouting -s 192.168.1.0/24 -d 24.63.84.229/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: @redirect[0] (reflection)" -j DNAT --to-destination 192.168.1.152:80
  79. -A zone_lan_prerouting -s 192.168.1.0/24 -d 24.63.84.229/32 -p udp -m udp --dport 80 -m comment --comment "!fw3: @redirect[0] (reflection)" -j DNAT --to-destination 192.168.1.152:80
  80. -A zone_lan_prerouting -s 192.168.1.0/24 -d 24.63.84.229/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: @redirect[1] (reflection)" -j DNAT --to-destination 192.168.1.152:80
  81. -A zone_lan_prerouting -s 192.168.1.0/24 -d 24.63.84.229/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: @redirect[1] (reflection)" -j DNAT --to-destination 192.168.1.152:80
  82. -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
  # All forwarded traffic leaving eth1.2 is masqueraded to the WAN address; there are no SNAT exceptions in this table.
  83. -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
  84. -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
  # NOTE(review): @redirect[1] maps 443 -> 192.168.1.152:80, not :443. A TLS client connecting to 443 therefore lands on
  # the same listener as plain HTTP; confirm that host terminates TLS on port 80, or that ":80" is a typo for ":443".
  # NOTE(review): the udp/80 and udp/443 entries open UDP to the same host as well. Unless a UDP service is listening
  # there (e.g. QUIC on 443), restricting each redirect to tcp removes an unneeded exposed port.
  85. -A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: @redirect[0]" -j DNAT --to-destination 192.168.1.152:80
  86. -A zone_wan_prerouting -p udp -m udp --dport 80 -m comment --comment "!fw3: @redirect[0]" -j DNAT --to-destination 192.168.1.152:80
  87. -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: @redirect[1]" -j DNAT --to-destination 192.168.1.152:80
  88. -A zone_wan_prerouting -p udp -m udp --dport 443 -m comment --comment "!fw3: @redirect[1]" -j DNAT --to-destination 192.168.1.152:80
  89. COMMIT
  90. # Completed on Fri Sep 6 02:10:39 2019
  91. # Generated by iptables-save v1.6.2 on Fri Sep 6 02:10:39 2019
  # mangle table: only the fw3 MSS clamp. TCP packets with SYN set and RST clear (SYN and SYN-ACK) leaving eth1.2 have
  # their MSS clamped to the path MTU; nothing else is altered here.
  92. *mangle
  93. :PREROUTING ACCEPT [134597:223638137]
  94. :INPUT ACCEPT [9796:570937]
  95. :FORWARD ACCEPT [122258:222599600]
  96. :OUTPUT ACCEPT [3411:311502]
  97. :POSTROUTING ACCEPT [125506:222904546]
  98. -A FORWARD -o eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
  99. COMMIT
  100. # Completed on Fri Sep 6 02:10:39 2019
  101. # Generated by iptables-save v1.6.2 on Fri Sep 6 02:10:39 2019
  # filter table (IPv4 only; the IPv6 ruleset is not part of this dump). Effective policy, reading the chains below:
  #  - router input from lan: accepted (zone_lan_input -> zone_lan_src_ACCEPT; INPUT policy is ACCEPT anyway).
  #  - router input from wan: only DHCP renew (udp/68), ICMP echo request, IGMP and DNATed redirects are accepted;
  #    everything else reaches zone_wan_src_DROP and is dropped.
  #  - lan -> wan forwarding: accepted (zone_lan_forward -> zone_wan_dest_ACCEPT), INVALID state dropped first.
  #  - wan -> lan forwarding: see the NOTE above zone_wan_forward.
  # The `reject` chain is declared but no rule jumps to it, i.e. none of the zone policies currently use REJECT.
  102. *filter
  103. :INPUT ACCEPT [0:0]
  104. :FORWARD ACCEPT [0:0]
  105. :OUTPUT ACCEPT [0:0]
  106. :forwarding_lan_rule - [0:0]
  107. :forwarding_rule - [0:0]
  108. :forwarding_wan_rule - [0:0]
  109. :input_lan_rule - [0:0]
  110. :input_rule - [0:0]
  111. :input_wan_rule - [0:0]
  112. :output_lan_rule - [0:0]
  113. :output_rule - [0:0]
  114. :output_wan_rule - [0:0]
  115. :reject - [0:0]
  116. :syn_flood - [0:0]
  117. :zone_lan_dest_ACCEPT - [0:0]
  118. :zone_lan_forward - [0:0]
  119. :zone_lan_input - [0:0]
  120. :zone_lan_output - [0:0]
  121. :zone_lan_src_ACCEPT - [0:0]
  122. :zone_wan_dest_ACCEPT - [0:0]
  123. :zone_wan_forward - [0:0]
  124. :zone_wan_input - [0:0]
  125. :zone_wan_output - [0:0]
  126. :zone_wan_src_DROP - [0:0]
  127. -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
  128. -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
  129. -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
  # New TCP connections (SYN only) from any interface pass through the syn_flood rate limiter before zone dispatch.
  130. -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
  131. -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
  132. -A INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
  133. -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
  134. -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
  135. -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
  136. -A FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
  # No trailing reject rule in FORWARD: a packet that returns from a zone chain unmatched hits the ACCEPT policy.
  137. -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
  138. -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
  139. -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
  140. -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
  141. -A OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
  142. -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
  143. -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
  # SYN rate limit: up to 25 new connections/sec with a burst of 50 return to INPUT; excess SYNs are dropped.
  144. -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
  145. -A syn_flood -m comment --comment "!fw3" -j DROP
  146. -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
  147. -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
  148. -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
  149. -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  150. -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
  151. -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
  152. -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  153. -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
  154. -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
  155. -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
  156. -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
  157. -A zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
  158. -A zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
  # NOTE(review): zone_wan_forward has no terminal reject/drop. After the ESP, ISAKMP and DNAT accepts, its last rule
  # jumps to zone_wan_dest_ACCEPT, whose rules match only -o eth1.2, so a wan-ingress packet destined for br-lan returns
  # to FORWARD and is accepted by the chain policy. wan -> lan forwarding is therefore allowed by policy; only the fact
  # that 192.168.1.0/24 is not routed from upstream prevents unsolicited inbound connections to LAN hosts. The usual
  # OpenWrt defaults (global forward and wan-zone forward set to REJECT) would instead end this chain with a jump to a
  # zone_wan_dest_REJECT chain and append a reject rule to FORWARD; confirm the ACCEPT policies are intentional.
  # NOTE(review): the ESP and udp/500 accepts (Allow-IPSec-ESP, Allow-ISAKMP) admit those protocols from wan to any LAN
  # host. They are only needed if a LAN host terminates IPsec; if so they can be scoped to that host's address.
  159. -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
  160. -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
  161. -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
  162. -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  163. -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
  164. -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
  165. -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
  166. -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
  167. -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
  168. -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  # Anything from wan not accepted above is silently dropped (DROP rather than REJECT, so no ICMP/RST is returned).
  169. -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_DROP
  170. -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
  171. -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
  172. -A zone_wan_src_DROP -i eth1.2 -m comment --comment "!fw3" -j DROP
  173. COMMIT
  174. # Completed on Fri Sep 6 02:10:39 2019