Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- admin@RT-AX86U-79A8:/# more /tmp/filter_rules
- *filter
- :INPUT ACCEPT [0:0]
- :FORWARD ACCEPT [0:0]
- :OUTPUT ACCEPT [0:0]
- :INPUT_PING - [0:0]
- :INPUT_ICMP - [0:0]
- :FUPNP - [0:0]
- :SECURITY - [0:0]
- :ACCESS_RESTRICTION - [0:0]
- :IControls - [0:0]
- :DNSFILTER_DOT - [0:0]
- :WGNPControls - [0:0]
- :PControls - [0:0]
- :default_block - [0:0]
- :IPSEC_DROP_SUBNET_ICMP - [0:0]
- :IPSEC_STRONGSWAN - [0:0]
- :WGSI - [0:0]
- :WGSF - [0:0]
- :WGCI - [0:0]
- :WGCF - [0:0]
- :OVPNSI - [0:0]
- :OVPNSF - [0:0]
- :OVPNCI - [0:0]
- :OVPNCF - [0:0]
- :VPNCF - [0:0]
- :VPNCI - [0:0]
- :logaccept - [0:0]
- :logdrop - [0:0]
- :PTCSRVWAN - [0:0]
- :PTCSRVLAN - [0:0]
- -A FORWARD -j IPSEC_DROP_SUBNET_ICMP
- -A FORWARD -j IPSEC_STRONGSWAN
- -A INPUT -p icmp --icmp-type 8 -j INPUT_PING
- -A INPUT_PING -p icmp -m policy --dir in --pol ipsec -j RETURN
- -A INPUT_PING -i vlan10 -p icmp -j DROP
- -A INPUT -p udp -m multiport --dport 500,4500 -j ACCEPT
- -A INPUT -p esp -j ACCEPT
- -A INPUT -p ah -j ACCEPT
- -A INPUT -m state --state RELATED,ESTABLISHED -j logaccept
- -A INPUT -m state --state INVALID -j DROP
- -A INPUT ! -i br0 -j PTCSRVWAN
- -A INPUT -i br0 -j PTCSRVLAN
- -A INPUT ! -i lo -p tcp --dport 5152 -j DROP
- -A INPUT -i br0 -m state --state NEW -j ACCEPT
- -A INPUT -m policy --dir in --pol ipsec -m state --state NEW -j ACCEPT
- -A INPUT -i lo -m state --state NEW -j ACCEPT
- -A INPUT -p udp --sport 67 --dport 68 -j logaccept
- -A INPUT -p icmp -j INPUT_ICMP
- -A INPUT_ICMP -p icmp --icmp-type 8 -j RETURN
- -A INPUT_ICMP -p icmp --icmp-type 13 -j RETURN
- -A INPUT_ICMP -p icmp -j logaccept
- -A INPUT -j WGSI
- -A INPUT -j WGCI
- -A INPUT -j OVPNSI
- -A INPUT -j OVPNCI
- -A INPUT -j DROP
- -A FORWARD -m state --state ESTABLISHED,RELATED -j logaccept
- -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
- -A FORWARD -j WGSF
- -A FORWARD -j OVPNSF
- -A FORWARD -o vlan10 ! -i br0 -j DROP
- -A FORWARD -i br0 -o br0 -j logaccept
- -A FORWARD -m state --state INVALID -j DROP
- -A FORWARD -i vlan10 -j SECURITY
- -A FORWARD -m conntrack --ctstate DNAT -j logaccept
- -A SECURITY -p tcp --syn -m limit --limit 1/s -j RETURN
- -A SECURITY -p tcp --syn -j DROP
- -A SECURITY -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
- -A SECURITY -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP
- -A SECURITY -p icmp --icmp-type 8 -m limit --limit 1/s -j RETURN
- -A SECURITY -p icmp --icmp-type 8 -j DROP
- -A SECURITY -j RETURN
- -A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
- -A logaccept -j ACCEPT
- -A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
- -A logdrop -j DROP
- -A FORWARD -j WGCF
- -A FORWARD -j OVPNCF
- -A FORWARD -j VPNCF
- -A FORWARD -i br0 -j ACCEPT
- -A FORWARD -j DROP
- :logdrop_dns - [0:0]
- -A logdrop_dns -j LOG --log-prefix "DROP_DNS " --log-tcp-sequence --log-tcp-options --log-ip-options
- -A logdrop_dns -j DROP
- :OUTPUT_DNS - [0:0]
- :logdrop_ip - [0:0]
- -A logdrop_ip -j LOG --log-prefix "DROP_IP " --log-tcp-sequence --log-tcp-options --log-ip-options
- -A logdrop_ip -j DROP
- :OUTPUT_IP - [0:0]
- -A OUTPUT -p udp --dport 53 -m u32 --u32 0>>22&0x3c@8>>15&1=0 -j OUTPUT_DNS
- -A OUTPUT -p tcp --dport 53 -m u32 --u32 0>>22&0x3c@12>>26&0x3c@8>>15&1=0 -j OUTPUT_DNS
- -A OUTPUT_DNS -m string --icase --hex-string "|10|poiuytyuiopkjfnf|03|com|00|" --algo bm -j logdrop_dns
- -A OUTPUT_DNS -m string --icase --hex-string "|0D|rfjejnfjnefje|03|com|00|" --algo bm -j logdrop_dns
- -A OUTPUT_DNS -m string --icase --hex-string "|11|10afdmasaxsssaqrk|03|com|00|" --algo bm -j logdrop_dns
- -A OUTPUT_DNS -m string --icase --hex-string "|0F|7mfsdfasdmkgmrk|03|com|00|" --algo bm -j logdrop_dns
- -A OUTPUT_DNS -m string --icase --hex-string "|0D|8masaxsssaqrk|03|com|00|" --algo bm -j logdrop_dns
- -A OUTPUT_DNS -m string --icase --hex-string "|0F|9fdmasaxsssaqrk|03|com|00|" --algo bm -j logdrop_dns
- -A OUTPUT_DNS -m string --icase --hex-string "|12|efbthmoiuykmkjkjgt|03|com|00|" --algo bm -j logdrop_dns
- -A OUTPUT_DNS -m string --icase --hex-string "|08|hackucdt|03|com|00|" --algo bm -j logdrop_dns
- -A OUTPUT_DNS -m string --icase --hex-string "|07|linwudi|05|f3322|03|net|00|" --algo bm -j logdrop_dns
- -A OUTPUT_DNS -m string --icase --hex-string "|0F|lkjhgfdsatryuio|03|com|00|" --algo bm -j logdrop_dns
- -A OUTPUT_DNS -m string --icase --hex-string "|0B|mnbvcxzzz12|03|com|00|" --algo bm -j logdrop_dns
- -A OUTPUT_DNS -m string --icase --hex-string "|07|q111333|03|top|00|" --algo bm -j logdrop_dns
- -A OUTPUT_DNS -m string --icase --hex-string "|05|sq520|05|f3322|03|net|00|" --algo bm -j logdrop_dns
- -A OUTPUT_DNS -m string --icase --hex-string "|07|uctkone|03|com|00|" --algo bm -j logdrop_dns
- -A OUTPUT_DNS -m string --icase --hex-string "|0E|zxcvbmnnfjjfwq|03|com|00|" --algo bm -j logdrop_dns
- -A OUTPUT_DNS -m string --icase --hex-string "|0A|eummagvnbp|03|com|00|" --algo bm -j logdrop_dns
- -A OUTPUT -j OUTPUT_IP
- -A OUTPUT_IP -d 193.201.224.0/24 -j logdrop_ip
- -A OUTPUT_IP -d 51.15.120.245 -j logdrop_ip
- -A OUTPUT_IP -d 45.33.73.134 -j logdrop_ip
- -A OUTPUT_IP -d 190.115.18.28 -j logdrop_ip
- -A OUTPUT_IP -d 51.159.52.250 -j logdrop_ip
- -A OUTPUT_IP -d 190.115.18.86 -j logdrop_ip
- COMMIT
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
