# Interface inventory of the router: eth4 carries the public address
# 178.165.50.111/24, br0 the LAN side 172.16.0.1/24, and ppp0 is a
# point-to-point link to peer 10.33.33.33.
- root@localhost:~# ip a
- 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
- link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
- inet 127.0.0.1/8 scope host lo
- inet6 ::1/128 scope host
- valid_lft forever preferred_lft forever
- 2: bcm: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noop state UNKNOWN qlen 1000
- link/ether 02:10:18:01:00:01 brd ff:ff:ff:ff:ff:ff
- 3: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
- link/ether a0:1d:48:f7:0b:c6 brd ff:ff:ff:ff:ff:ff
- 4: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
- link/ether a0:1d:48:f7:0b:c7 brd ff:ff:ff:ff:ff:ff
- 5: dsl0: <NO-CARRIER,UP> mtu 0 qdisc noop state DOWN
- link/[29]
- 6: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
- link/ether a0:1d:48:f7:0b:c8 brd ff:ff:ff:ff:ff:ff
# NOTE(review): eth3, wl0 and wl1 are PROMISC. br0 (below) shares wl0's MAC
# a0:1d:48:f7:0b:c0, so these look like bridge member ports, where promiscuous
# mode is expected — confirm with 'bridge link' / 'brctl show'.
- 7: eth3: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
- link/ether a0:1d:48:f7:0b:c9 brd ff:ff:ff:ff:ff:ff
# eth4 is the WAN-facing interface (public address, default route below).
- 8: eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
- link/ether a0:1d:48:f7:0b:ca brd ff:ff:ff:ff:ff:ff
- inet 178.165.50.111/24 brd 178.165.50.255 scope global eth4
- 9: bcmport: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
- link/ether 02:10:18:01:00:01 brd ff:ff:ff:ff:ff:ff
- 10: ip6tnl0: <NOARP> mtu 1460 qdisc noop state DOWN
- link/tunnel6 :: brd ::
- 11: tunl0: <NOARP> mtu 1480 qdisc noop state DOWN
- link/ipip 0.0.0.0 brd 0.0.0.0
- 12: sit0: <NOARP> mtu 1480 qdisc noop state DOWN
- link/sit 0.0.0.0 brd 0.0.0.0
- 13: wl0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
- link/ether a0:1d:48:f7:0b:c0 brd ff:ff:ff:ff:ff:ff
- 14: wl1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
- link/ether a0:1d:48:f7:0b:c4 brd ff:ff:ff:ff:ff:ff
- 15: wl0.1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 500
- link/ether a0:1d:48:f7:0b:c1 brd ff:ff:ff:ff:ff:ff
- 16: wl0.2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 500
- link/ether a0:1d:48:f7:0b:c2 brd ff:ff:ff:ff:ff:ff
- 17: wl0.3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 500
- link/ether a0:1d:48:f7:0b:c3 brd ff:ff:ff:ff:ff:ff
- 18: wl1.1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 500
- link/ether a0:1d:48:f7:0b:c5 brd ff:ff:ff:ff:ff:ff
# br0 is the LAN bridge; 172.16.0.1 is the address the *Local* service chains
# in the filter table match on.
- 19: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
- link/ether a0:1d:48:f7:0b:c0 brd ff:ff:ff:ff:ff:ff
- inet 172.16.0.1/24 brd 172.16.0.255 scope global br0
- inet6 fe80::a21d:48ff:fef7:bc0/64 scope link
- valid_lft forever preferred_lft forever
- 26: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 3
- link/ppp
- inet 10.33.33.1 peer 10.33.33.33/32 scope global ppp0
# Routing table: a fixed set of public prefixes is pinned to ppp0 (scope link,
# no gateway); everything else takes the default route via 178.165.50.1 on eth4.
# NOTE(review): the nat table on this page only masquerades on eth4 (NATeth4)
# and ForwardDeny's state-based DROP names only eth4, so forwarded traffic that
# enters or leaves via ppp0 is neither NATed nor stateful-filtered by these
# rules — confirm that is intended for this link.
- root@localhost:~# ip r
- 10.33.33.33 dev ppp0 proto kernel scope link src 10.33.33.1
- 95.142.206.0/24 dev ppp0 scope link
- 213.180.204.0/24 dev ppp0 scope link
- 5.255.255.0/24 dev ppp0 scope link
- 172.16.0.0/24 dev br0 proto kernel scope link src 172.16.0.1
- 93.158.134.0/24 dev ppp0 scope link
- 213.180.193.0/24 dev ppp0 scope link
- 178.165.50.0/24 dev eth4 proto kernel scope link src 178.165.50.111
- 77.88.55.0/24 dev ppp0 scope link
- 185.32.248.0/22 dev ppp0 scope link
- 93.186.224.0/21 dev ppp0 scope link
- 95.142.192.0/21 dev ppp0 scope link
- 93.186.232.0/21 dev ppp0 scope link
- 95.213.0.0/18 dev ppp0 scope link
- 87.240.128.0/18 dev ppp0 scope link
- 87.250.0.0/16 dev ppp0 scope link
- 178.248.0.0/16 dev ppp0 scope link
- 178.154.0.0/16 dev ppp0 scope link
- default via 178.165.50.1 dev eth4
# filter table. All three built-in policies are ACCEPT, so any packet that no
# chain below explicitly ACCEPTs or DROPs is accepted.
- root@localhost:~# iptables -S
- -P INPUT ACCEPT
- -P FORWARD ACCEPT
- -P OUTPUT ACCEPT
- -N CMWSIn
- -N CWMP2In
- -N CWMP2Out
- -N CWMPIn
- -N CWMPOut
- -N DHCPServices
- -N DNSIn
- -N FTPLocalIn
- -N FTPRemoteIn
- -N Firewall
- -N Firewall.LHigh
- -N Firewall.LLow
- -N FirewallIn
- -N FirewallIn.LHigh
- -N FirewallIn.LLow
- -N FirewallOut
- -N ForwardAllow
- -N ForwardAllow_DMZ
- -N ForwardAllow_IPsec
- -N ForwardAllow_MC
- -N ForwardAllow_PortMapping
- -N ForwardAllow_Rtsp
- -N ForwardAllow_Tunnel
- -N ForwardDeny
- -N ForwardDeny.br0
- -N GUILocalIn
- -N GUILocalIn_
- -N GUILocalOut
- -N GUIRemoteIn
- -N GUIRemoteIn_
- -N HTTPLocalIn
- -N HTTPRemoteIn
- -N IGMPProxyIn
- -N IPsecIn
- -N InputDeny
- -N InputDeny.br0
- -N NATPM.4
- -N NATPM.5
- -N NATPM.6
- -N OutputAllow
- -N OutputAllow_LocalServices
- -N RtspIn
- -N RtspOut
- -N SNMPIn
- -N SSHLocalIn
- -N SSHLocalIn_
- -N SSHLocalOut
- -N SSHRemoteIn
- -N SSHRemoteIn_
- -N SSHRemoteOut
- -N SambaIn
- -N SambaOut
- -N ServicesIn
- -N ServicesOut
- -N TelnetLocalIn
- -N TelnetLocalIn_
- -N TelnetRemoteIn
- -N TelnetRemoteIn_
- -N TunnelIn
# INPUT walk: SambaIn, InputDeny.br0 and FirewallIn carry no rules in this
# dump, so for traffic arriving on eth4 the only DROP is DNS (DNSIn); anything
# that is not one of the listed services falls through to the ACCEPT policy.
# NOTE(review): the stateful default (RELATED,ESTABLISHED accept, then DROP)
# exists in Firewall.LHigh, and FirewallIn.LHigh/.LLow drop WAN traffic to
# 172.16.0.1, but no chain jumps to them — consistent with the firewall level
# being switched off; confirm in the router's firewall settings. Wiring
# `-A FirewallIn -i eth4 -m state --state RELATED,ESTABLISHED -j ACCEPT` and
# `-A FirewallIn -i eth4 -j DROP` (or enabling the built-in level) closes the
# fall-through for the router's own services.
- -A INPUT -j SambaIn
- -A INPUT -i lo -j ACCEPT
- -A INPUT -j InputDeny
- -A INPUT -j ServicesIn
- -A INPUT -j FirewallIn
# FORWARD walk: ForwardAllow accepts multicast and the NATPM.* port mappings,
# then ForwardDeny drops INVALID/NEW/UNTRACKED entering on eth4, so only mapped
# and established flows are forwarded from the WAN. Firewall is empty and the
# remainder falls through to policy ACCEPT.
- -A FORWARD -j ForwardAllow
- -A FORWARD -j ForwardDeny
- -A FORWARD -j Firewall
- -A OUTPUT -j SambaOut
- -A OUTPUT -o lo -j ACCEPT
- -A OUTPUT -j OutputAllow
- -A OUTPUT -j RtspOut
- -A OUTPUT -j FirewallOut
- -A DHCPServices -i br0 -p udp -m multiport --dports 67:68 -j ACCEPT
# DNS on the WAN side is the only service explicitly closed.
- -A DNSIn -i eth4 -p udp -m udp --dport 53 -j DROP
- -A DNSIn -i eth4 -p tcp -m tcp --dport 53 -j DROP
# Firewall.LHigh / Firewall.LLow / FirewallIn.LHigh / FirewallIn.LLow are
# defined and populated but not referenced from any chain in this dump.
- -A Firewall.LHigh -o eth4 -p tcp -m multiport --dports 20,21,22,23,25,53,80,110,143,443 -j ACCEPT
- -A Firewall.LHigh -o eth4 -p udp -m udp --dport 53 -j ACCEPT
- -A Firewall.LHigh -m state --state RELATED,ESTABLISHED -j ACCEPT
- -A Firewall.LHigh -j DROP
- -A Firewall.LLow -i eth4 -m state --state INVALID,NEW,UNTRACKED -j DROP
- -A FirewallIn.LHigh -d 172.16.0.1/32 -i eth4 -j DROP
- -A FirewallIn.LLow -d 172.16.0.1/32 -i eth4 -j DROP
- -A ForwardAllow -j ForwardAllow_MC
- -A ForwardAllow -j ForwardAllow_DMZ
- -A ForwardAllow -j ForwardAllow_Rtsp
- -A ForwardAllow -j ForwardAllow_PortMapping
- -A ForwardAllow -j ForwardAllow_IPsec
- -A ForwardAllow -j ForwardAllow_Tunnel
- -A ForwardAllow_MC -m pkttype --pkt-type multicast -j ACCEPT
- -A ForwardAllow_PortMapping -j NATPM.4
- -A ForwardAllow_PortMapping -j NATPM.5
- -A ForwardAllow_PortMapping -j NATPM.6
- -A ForwardDeny -j ForwardDeny.br0
# State-based drop is bound to eth4 only; ppp0 (which carries public prefixes
# per the routing table) gets no equivalent rule.
- -A ForwardDeny -i eth4 -m state --state INVALID,NEW,UNTRACKED -j DROP
- -A ForwardDeny -o eth4 -m state --state INVALID -j DROP
# GUILocalIn and TelnetLocalIn match only on destination 172.16.0.1, with no
# -i; SSHLocalIn (below) additionally requires -i br0. Adding the same
# `-i br0` here keeps the LAN-only services bound to the LAN bridge.
- -A GUILocalIn ! -p tcp -j RETURN
- -A GUILocalIn -p tcp -m multiport ! --dports 80,4433 -j RETURN
- -A GUILocalIn -d 172.16.0.1/32 -j GUILocalIn_
# The *_ chains pair an unconditional ACCEPT with a DROP; only the first rule
# can ever match, so the second line is dead. Presumably the rule generator
# reorders the pair to toggle a service — here every pair is ACCEPT-first.
- -A GUILocalIn_ -j ACCEPT
- -A GUILocalIn_ -j DROP
# Remote GUI (tcp 8080,443) and remote SSH (tcp 2222, below) are accepted
# towards the public address; NATSkip_GUIRemote / NATSkip_SSHRemote in the nat
# table exempt the same ports on eth4 from DNAT. If WAN-side management is not
# required, these are the chains to close; otherwise add a source restriction.
- -A GUIRemoteIn ! -p tcp -j RETURN
- -A GUIRemoteIn -p tcp -m multiport ! --dports 8080,443 -j RETURN
- -A GUIRemoteIn -d 178.165.50.111/32 -j GUIRemoteIn_
- -A GUIRemoteIn_ -j ACCEPT
- -A GUIRemoteIn_ -j DROP
- -A IGMPProxyIn -i wl0 -p igmp -j ACCEPT
- -A IGMPProxyIn -i eth0 -p igmp -j ACCEPT
- -A IGMPProxyIn -i eth1 -p igmp -j ACCEPT
- -A IGMPProxyIn -i eth2 -p igmp -j ACCEPT
- -A IGMPProxyIn -i eth3 -p igmp -j ACCEPT
- -A InputDeny -j InputDeny.br0
# NATPM.*: forward-accept for the port mappings to 172.16.0.111 — from the
# bridge directly, or from anywhere once conntrack has DNATed the flow.
- -A NATPM.4 -d 172.16.0.111/32 -i br+ -p tcp -j ACCEPT
- -A NATPM.4 -d 172.16.0.111/32 -p tcp -m conntrack --ctstate DNAT -j ACCEPT
- -A NATPM.5 -d 172.16.0.111/32 -i br+ -p tcp -j ACCEPT
- -A NATPM.5 -d 172.16.0.111/32 -p tcp -m conntrack --ctstate DNAT -j ACCEPT
- -A NATPM.6 -d 172.16.0.111/32 -i br+ -p udp -j ACCEPT
- -A NATPM.6 -d 172.16.0.111/32 -p udp -m conntrack --ctstate DNAT -j ACCEPT
- -A OutputAllow_LocalServices -j CWMPOut
- -A OutputAllow_LocalServices -j CWMP2Out
- -A OutputAllow_LocalServices -j GUILocalOut
- -A OutputAllow_LocalServices -j SSHLocalOut
- -A SSHLocalIn ! -p tcp -j RETURN
- -A SSHLocalIn -p tcp -m multiport ! --dports 22 -j RETURN
- -A SSHLocalIn -d 172.16.0.1/32 -i br0 -j SSHLocalIn_
- -A SSHLocalIn_ -j ACCEPT
- -A SSHLocalIn_ -j DROP
- -A SSHRemoteIn ! -p tcp -j RETURN
- -A SSHRemoteIn -p tcp -m multiport ! --dports 2222 -j RETURN
- -A SSHRemoteIn -d 178.165.50.111/32 -i eth4 -j SSHRemoteIn_
- -A SSHRemoteIn_ -j ACCEPT
- -A SSHRemoteIn_ -j DROP
# ServicesIn dispatch order. Chains with no -A lines in this dump (CWMPIn,
# CWMP2In, HTTPRemoteIn, HTTPLocalIn, RtspIn, SNMPIn, CMWSIn, TelnetRemoteIn,
# FTPRemoteIn, FTPLocalIn, IPsecIn, TunnelIn) simply RETURN.
- -A ServicesIn -j DNSIn
- -A ServicesIn -j CWMPIn
- -A ServicesIn -j CWMP2In
- -A ServicesIn -j SSHRemoteIn
- -A ServicesIn -j SSHLocalIn
- -A ServicesIn -j GUIRemoteIn
- -A ServicesIn -j GUILocalIn
- -A ServicesIn -j HTTPRemoteIn
- -A ServicesIn -j HTTPLocalIn
- -A ServicesIn -j DHCPServices
- -A ServicesIn -j RtspIn
- -A ServicesIn -j SNMPIn
- -A ServicesIn -j CMWSIn
- -A ServicesIn -j TelnetRemoteIn
- -A ServicesIn -j TelnetLocalIn
- -A ServicesIn -j FTPRemoteIn
- -A ServicesIn -j FTPLocalIn
- -A ServicesIn -j IGMPProxyIn
- -A ServicesIn -j IPsecIn
- -A ServicesIn -j TunnelIn
- -A TelnetLocalIn ! -p tcp -j RETURN
- -A TelnetLocalIn -p tcp -m multiport ! --dports 23 -j RETURN
- -A TelnetLocalIn -d 172.16.0.1/32 -j TelnetLocalIn_
- -A TelnetLocalIn_ -j ACCEPT
- -A TelnetLocalIn_ -j DROP
# TelnetRemoteIn has no rules, so TelnetRemoteIn_ is unreachable (remote
# telnet is closed).
- -A TelnetRemoteIn_ -j ACCEPT
- -A TelnetRemoteIn_ -j DROP
# nat table: eth4 egress is masqueraded (NATeth4); port mappings 4242/tcp,
# 33123/tcp and 33123/udp are DNATed to 172.16.0.111, with the *_SNAT and
# SNAT_NATPM.* chains covering the hairpin (LAN to public address) case.
- root@localhost:~# iptables -S -t nat
- -P PREROUTING ACCEPT
- -P POSTROUTING ACCEPT
- -P OUTPUT ACCEPT
- -N CP
- -N CbpcRedirect
- -N DMZ
- -N DMZ_SNAT
- -N IP_PHONE_br0
- -N NATIpPhone
- -N NATPM.4
- -N NATPM.4_SNAT
- -N NATPM.5
- -N NATPM.5_SNAT
- -N NATPM.6
- -N NATPM.6_SNAT
- -N NATSkip_ACS
- -N NATSkip_CMWS
- -N NATSkip_CWMP2
- -N NATSkip_GUILocal
- -N NATSkip_GUIRemote
- -N NATSkip_HTTPLocal
- -N NATSkip_HTTPRemote
- -N NATSkip_IPsec
- -N NATSkip_SSHLocal
- -N NATSkip_SSHRemote
- -N NATSkip_TelnetLocal
- -N NATSkip_TelnetRemote
- -N NATSkip_VoIP_FaxT38
- -N NATSkip_VoIP_RTP
- -N NATSkip_VoIP_SIP
- -N NATSkip_VoIP_SIP2
- -N NATeth4
- -N PortMapping
- -N RtspRedirect
- -N Rtsp_dnat
- -N Rtsp_snat
- -N SNATSkip_IPsec
- -N SNAT_DMZ
- -N SNAT_NATPM.4
- -N SNAT_NATPM.5
- -N SNAT_NATPM.6
- -N SnatMapping
# PREROUTING: NATSkip_* ACCEPTs run first so management traffic to the
# router's own addresses is never DNATed; PortMapping / DMZ follow. Most of
# the NATSkip_*, DMZ, Rtsp*, CP and CbpcRedirect chains have no rules here.
- -A PREROUTING -j RtspRedirect
- -A PREROUTING -j NATSkip_GUIRemote
- -A PREROUTING -j NATSkip_GUILocal
- -A PREROUTING -j NATSkip_HTTPRemote
- -A PREROUTING -j NATSkip_HTTPLocal
- -A PREROUTING -j NATSkip_CMWS
- -A PREROUTING -j NATSkip_ACS
- -A PREROUTING -j NATSkip_CWMP2
- -A PREROUTING -j NATSkip_SSHRemote
- -A PREROUTING -j NATSkip_SSHLocal
- -A PREROUTING -j NATSkip_TelnetRemote
- -A PREROUTING -j NATSkip_TelnetLocal
- -A PREROUTING -j NATSkip_VoIP_FaxT38
- -A PREROUTING -j NATSkip_VoIP_RTP
- -A PREROUTING -j NATSkip_VoIP_SIP
- -A PREROUTING -j NATSkip_VoIP_SIP2
- -A PREROUTING -j PortMapping
- -A PREROUTING -j Rtsp_dnat
- -A PREROUTING -j DMZ
- -A PREROUTING -j DMZ_SNAT
- -A PREROUTING -j NATSkip_IPsec
- -A PREROUTING ! -i pr+ -j CP
- -A PREROUTING -j CbpcRedirect
# POSTROUTING: only eth4 egress reaches a MASQUERADE rule (NATeth4); there is
# no source NAT for ppp0 in this dump.
- -A POSTROUTING -j SnatMapping
- -A POSTROUTING -j Rtsp_snat
- -A POSTROUTING -j SNAT_DMZ
- -A POSTROUTING -j SNATSkip_IPsec
- -A POSTROUTING -j NATIpPhone
- -A POSTROUTING -o eth4 -j NATeth4
# SIP (udp 5060) leaving the LAN is masqueraded onto the 49152-65535 range.
- -A IP_PHONE_br0 -s 172.16.0.0/24 ! -d 172.16.0.0/24 -p udp -m udp --sport 5060 -j MASQUERADE --to-ports 49152-65535
- -A IP_PHONE_br0 -s 172.16.0.0/24 ! -d 172.16.0.0/24 -p udp -m udp --dport 5060 -m multiport ! --sports 5060 -j MASQUERADE --to-ports 49152-65535
- -A NATIpPhone -j IP_PHONE_br0
# Port mappings: NATPM.N DNATs from any interface, NATPM.N_SNAT the same
# mapping when the request comes in from the bridge (hairpin).
- -A NATPM.4 -d 178.165.50.111/32 -p tcp -m tcp --dport 4242 -j DNAT --to-destination 172.16.0.111
- -A NATPM.4_SNAT -d 178.165.50.111/32 -i br+ -p tcp -m tcp --dport 4242 -j DNAT --to-destination 172.16.0.111
- -A NATPM.5 -d 178.165.50.111/32 -p tcp -m tcp --dport 33123 -j DNAT --to-destination 172.16.0.111
- -A NATPM.5_SNAT -d 178.165.50.111/32 -i br+ -p tcp -m tcp --dport 33123 -j DNAT --to-destination 172.16.0.111
- -A NATPM.6 -d 178.165.50.111/32 -p udp -m udp --dport 33123 -j DNAT --to-destination 172.16.0.111
- -A NATPM.6_SNAT -d 178.165.50.111/32 -i br+ -p udp -m udp --dport 33123 -j DNAT --to-destination 172.16.0.111
# The *Remote entries (eth4, tcp 2222 and tcp 8080,443) confirm WAN-side SSH
# and GUI are enabled; the *Local entries are bound to br0, unlike the
# corresponding filter-table GUILocalIn / TelnetLocalIn chains.
- -A NATSkip_GUILocal -d 172.16.0.1/32 -i br0 -p tcp -m multiport --dports 80,4433 -j ACCEPT
- -A NATSkip_GUIRemote -d 178.165.50.111/32 -i eth4 -p tcp -m multiport --dports 8080,443 -j ACCEPT
- -A NATSkip_SSHLocal -d 172.16.0.1/32 -i br0 -p tcp -m tcp --dport 22 -j ACCEPT
- -A NATSkip_SSHRemote -d 178.165.50.111/32 -i eth4 -p tcp -m tcp --dport 2222 -j ACCEPT
- -A NATSkip_TelnetLocal -d 172.16.0.1/32 -i br0 -p tcp -m tcp --dport 23 -j ACCEPT
- -A NATeth4 -o eth4 -j MASQUERADE
- -A PortMapping -j NATPM.6
- -A PortMapping -j NATPM.6_SNAT
- -A PortMapping -j NATPM.5
- -A PortMapping -j NATPM.5_SNAT
- -A PortMapping -j NATPM.4
- -A PortMapping -j NATPM.4_SNAT
# Hairpin source NAT for DNATed flows to 172.16.0.111. `-m emark` is not a
# stock iptables match — presumably a vendor extension; verify on the target
# firmware before reusing these lines elsewhere.
- -A SNAT_NATPM.4 -d 172.16.0.111/32 -p tcp -m tcp --dport 4242 -m emark --mark 0x1/0x1 -m conntrack --ctstate DNAT -j MASQUERADE
- -A SNAT_NATPM.5 -d 172.16.0.111/32 -p tcp -m tcp --dport 33123 -m emark --mark 0x1/0x1 -m conntrack --ctstate DNAT -j MASQUERADE
- -A SNAT_NATPM.6 -d 172.16.0.111/32 -p udp -m udp --dport 33123 -m emark --mark 0x1/0x1 -m conntrack --ctstate DNAT -j MASQUERADE
- -A SnatMapping -j SNAT_NATPM.6
- -A SnatMapping -j SNAT_NATPM.5
- -A SnatMapping -j SNAT_NATPM.4