Untitled

NetSpasibo79, May 18th, 2019
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines

# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

# ok icmp codes for INPUT
# (this block appeared twice in the original paste, the second copy without its
# leading '#' on the comment line; an uncommented line is a parse error for
# iptables-restore and makes ufw refuse to load the file, so it is listed once)
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local

# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP

# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

# dns: redirect DNS queries arriving on enp2s0 for 192.168.86.100 to 10.49.71.89.
# The original paste put these two rules inside the *filter section above, which
# cannot work: PREROUTING is not a chain of the filter table and the DNAT target
# only exists in the nat table, so iptables-restore rejects the file. They belong
# in their own *nat section with its own COMMIT. If 10.49.71.89 is not an address
# of this host, the rewritten packets still traverse the FORWARD chain, so IP
# forwarding and a matching forward (ufw route) rule are needed for them to pass.
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i enp2s0 -d 192.168.86.100 -p udp --dport 53 -j DNAT --to-destination 10.49.71.89:53
-A PREROUTING -i enp2s0 -d 192.168.86.100 -p tcp --dport 53 -j DNAT --to-destination 10.49.71.89:53
COMMIT
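The two mistakes in the pasted before.rules, a comment line that lost its leading `#` and a PREROUTING/DNAT rule placed inside `*filter`, are both things a quick pre-flight check can catch before `ufw reload` fails and leaves the host in a half-loaded state. The checker below is an added example and is not code from the paste or from ufw. It walks an iptables-restore style file, tracks which table is open and which chains exist in it, and reports lines that are neither comment, table, chain nor rule, rules appended to chains that do not exist in the open table, and nat-only targets used outside `*nat`. The built-in chain list per table and the two ufw-created chain names it whitelists (ufw-logging-deny, ufw-logging-allow) are assumptions taken from netfilter's table layout and ufw's own rule files; the two excerpts it checks are constructed from the paste.

```python
"""Pre-flight checker for iptables-restore style rule files (e.g. ufw's before.rules).

Added example, not code from the paste or from ufw. Flags: non-comment lines that
are not rules, rules on chains missing from the open table, nat-only targets
outside *nat, jumps to undeclared chains, and unterminated table sections.
"""
import re

# Built-in chains of each netfilter table (assumption: standard netfilter layout).
BUILTIN_CHAINS = {
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "nat": {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
    "raw": {"PREROUTING", "OUTPUT"},
}
# Targets that are only valid inside one table.
TABLE_ONLY_TARGETS = {"DNAT": "nat", "SNAT": "nat", "MASQUERADE": "nat", "REDIRECT": "nat"}
# Standard targets that are not user chains.
STANDARD_TARGETS = {"ACCEPT", "DROP", "RETURN", "REJECT", "LOG"}
# Chains ufw creates itself before loading its rule files, so before.rules may
# jump to them without declaring them (assumption from ufw's own rule files).
UFW_RUNTIME_CHAINS = {"ufw-logging-deny", "ufw-logging-allow"}

CHAIN_DECL = re.compile(r":(\S+)\s+(\S+)\s+\[\d+:\d+\]$")
APPEND = re.compile(r"-[AI]\s+(\S+)")
JUMP = re.compile(r"\s-j\s+(\S+)")


def check_rules(text):
    """Return [(line_no, message), ...] for every problem found; [] means clean."""
    findings = []
    table = None      # table of the section currently open, None outside one
    chains = set()    # chains usable in that table so far
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            if table is not None:
                findings.append((no, f"*{table} section not closed with COMMIT"))
            table = line[1:]
            chains = set(BUILTIN_CHAINS.get(table, ()))
            continue
        if line == "COMMIT":
            if table is None:
                findings.append((no, "COMMIT outside of any *table section"))
            table = None
            continue
        if table is None:
            findings.append((no, "rule outside of any *table section"))
            continue
        if line.startswith(":"):
            m = CHAIN_DECL.match(line)
            if m:
                chains.add(m.group(1))
            else:
                findings.append((no, "malformed chain declaration"))
            continue
        if not line.startswith("-"):
            findings.append((no, "not a rule, chain or table line (missing leading '#'?)"))
            continue
        m = APPEND.match(line)
        if m and m.group(1) not in chains:
            findings.append((no, f"chain {m.group(1)} does not exist in *{table}"))
        m = JUMP.search(line)
        if m:
            target = m.group(1)
            needed = TABLE_ONLY_TARGETS.get(target)
            if needed is not None and table != needed:
                findings.append((no, f"target {target} is only valid in *{needed}"))
            elif (needed is None and target not in STANDARD_TARGETS
                  and target not in chains and target not in UFW_RUNTIME_CHAINS):
                findings.append((no, f"jump to undeclared chain {target}"))
    if table is not None:
        findings.append((0, f"*{table} section not closed with COMMIT"))
    return findings


# Constructed excerpt reproducing the paste's two errors: line 5 lacks its '#',
# line 7 appends to PREROUTING with DNAT while *filter is the open table.
BROKEN_EXCERPT = """\
*filter
:ufw-before-input - [0:0]
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
-A PREROUTING -i enp2s0 -d 192.168.86.100 -p udp --dport 53 -j DNAT --to-destination 10.49.71.89:53
COMMIT
"""

# Constructed excerpt of the corrected layout: DNAT in its own *nat section.
FIXED_EXCERPT = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i enp2s0 -d 192.168.86.100 -p udp --dport 53 -j DNAT --to-destination 10.49.71.89:53
COMMIT
*filter
:ufw-before-input - [0:0]
:ufw-not-local - [0:0]
-A ufw-before-input -j ufw-not-local
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
COMMIT
"""

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_EXCERPT), ("fixed", FIXED_EXCERPT)):
        print(name, check_rules(text) or "OK")
```

Run it against the real file with `python3 checker.py` after pointing it at `/etc/ufw/before.rules` contents; it is a syntax and table-layout check only, and the authoritative test remains whatever ufw itself reports when it loads the file, since the kernel, not this script, decides which matches and targets are available.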