Emulatorman

iptables

Jul 30th, 2011
  1. #!/bin/bash
  2.  
  3. ## Export Interfaces Variables ##
  4. export LO=lo
  5. export LAN=eth1
  6. export WAN=eth0
  7. #export WAN=ppp0
  8.  
  9. ## Export IPv4 Address Variables ##
  10. #export IP_LO_GROUP=127.0.0.0/8
  11. #export IP_LO=127.0.0.1/32
  12. #export IP_LAN_GROUP=192.168.0.0/24
  13. #export IP_LAN1=192.168.0.1/32
  14. #export IP_LAN2=192.168.0.2/32
  15. #export IP_LAN3=192.168.0.3/32
  16. #export IP_LAN4=192.168.0.4/32
  17. #export IP_LAN5=192.168.0.5/32
  18. #export IP_LAN6=192.168.0.6/32
  19. #export IP_LAN7=192.168.0.7/32
  20. #export IP_LAN8=192.168.0.8/32
  21. #export IP_LAN5=192.168.0.9/32
  22. #export IP_LAN6=192.168.0.10/32
  23. #export IP_LAN7=192.168.0.11/32
  24. #export IP_LAN8=192.168.0.12/32
  25. #export IP_WAN_GROUP=192.168.1.0/24
  26. #export IP_WAN1=192.168.1.1/32
  27. #export IP_WAN2=192.168.1.2/32
  28.  
  29. ## Export IPv6 Variables ##
  30. #export IP6_LO=::1/128
  31. #export IP6_GROUP=fe80::/64
  32. #export IP6_LAN1=fe80::208:54ff:fe2c:cf01/64
  33. #export IP6_LAN2=fe80::219:66ff:feed:fa5f/64
  34. #export IP6_LAN3=fe80::225:22ff:fe3d:96e0/64
  35. #export IP6_WAN2=fe80::219:21ff:fe54:ea2f/64
  36.  
  37. ## Clear All NAT Tables ##
  38. iptables -t nat -F
  39. iptables -t nat -X
  40. iptables -t nat -Z
  41.  
  42. ## Setup NAT Build-in Policy Tables ##
  43. #iptables -t nat -P PREROUTING ACCEPT
  44. #iptables -t nat -P INPUT ACCEPT
  45. #iptables -t nat -P OUTPUT ACCEPT
  46. iptables -t nat -P POSTROUTING ACCEPT
  47.  
  48. ## PREROUTING TO THE ASTERISK, APACHE, POSTFIX AND RFACTOR SERVER
  49.  
  50. # SMTP/TLS
  51. iptables -t nat -A PREROUTING -i ${WAN} -m tcp -p tcp --dport 25 -j DNAT --to-destination 192.168.0.253
  52.  
  53. # Web server
  54. iptables -t nat -A PREROUTING -i ${WAN} -m tcp -p tcp --dport 80 -j DNAT --to-destination 192.168.0.253
  55.  
  56. # POP3
  57. iptables -t nat -A PREROUTING -i ${WAN} -m tcp -p tcp --dport 110 -j DNAT --to-destination 192.168.0.253
  58.  
  59. # IMAP
  60. iptables -t nat -A PREROUTING -i ${WAN} -m tcp -p tcp --dport 143 -j DNAT --to-destination 192.168.0.253
  61.  
  62. # SMTP/SSL
  63. #iptables -t nat -A PREROUTING -i ${WAN} -m tcp -p tcp --dport 465 -j DNAT --to-destination 192.168.0.253
  64.  
  65. #IMAPS
  66. #iptables -t nat -A PREROUTING -i ${WAN} -m tcp -p tcp --dport 993 -j DNAT --to-destination 192.168.0.253
  67.  
  68. #POP3S
  69. #iptables -t nat -A PREROUTING -i ${WAN} -m tcp -p tcp --dport 995 -j DNAT --to-destination 192.168.0.253
  70.  
  71. # IAX Asterisk
  72. #iptables -t nat -A PREROUTING -i ${WAN} -m udp -p udp --dport 4569 -j DNAT --to-destination 192.168.0.254
  73.  
  74. # SIP Asterisk
  75. #iptables -t nat -A PREROUTING -i ${WAN} -m udp -p udp --dport 5060 -j DNAT --to-destination 192.168.0.254
  76.  
  77. # RTP Asterisk
  78. #iptables -t nat -A PREROUTING -i ${WAN} -m udp -p udp --dport 10000:20000 -j DNAT --to-destination 192.168.0.254
  79.  
  80. # RFACTOR SERVER (WEBSITE RESULTS)
  81. iptables -t nat -A PREROUTING -i ${WAN} -m tcp -p tcp --dport 27012 -j DNAT --to-destination 192.168.0.252
  82. iptables -t nat -A PREROUTING -i ${WAN} -m udp -p udp --dport 27012 -j DNAT --to-destination 192.168.0.252
  83.  
  84. # RFACTOR SERVER (GAME PORT TCP AND UDP)
  85. iptables -t nat -A PREROUTING -i ${WAN} -m tcp -p tcp --dport 34000:35000 -j DNAT --to-destination 192.168.0.252
  86. iptables -t nat -A PREROUTING -i ${WAN} -m udp -p udp --dport 34000:35000 -j DNAT --to-destination 192.168.0.252
  87.  
  88. # RFACTOR SERVER (MATCHMAKER PORT)
  89. iptables -t nat -A PREROUTING -i ${WAN} -m tcp -p tcp --dport 39001 -j DNAT --to-destination 192.168.0.252
  90. iptables -t nat -A PREROUTING -i ${WAN} -m udp -p udp --dport 39002 -j DNAT --to-destination 192.168.0.252
  91.  
  92.  
  93. ## Configuring NAT POSTROUTING Build-in Chain Table ##
  94. iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
  95.  
  96. ## Clear All IPv4 Filter Tables ##
  97. iptables -F
  98. iptables -X
  99. iptables -Z
  100.  
  101. ## Setup IPv4 Filter Build-in Policy Tables ##
  102. iptables -P INPUT DROP
  103. iptables -P FORWARD DROP
  104. iptables -P OUTPUT DROP
  105.  
  106. ## FORWARDS to Asterisk, Apache, Postfix and rFactor Server
  107.  
  108. # SMTP/TLS
  109. iptables -A FORWARD -i ${WAN} -o ${LAN} -m tcp -p tcp --dport 25 -d 192.168.0.253 -j ACCEPT
  110.  
  111. # Web server
  112. iptables -A FORWARD -i ${WAN} -o ${LAN} -m tcp -p tcp --dport 80 -d 192.168.0.253 -j ACCEPT
  113.  
  114. # POP3
  115. iptables -A FORWARD -i ${WAN} -o ${LAN} -m tcp -p tcp --dport 110 -d 192.168.0.253 -j ACCEPT
  116.  
  117. # IMAP
  118. iptables -A FORWARD -i ${WAN} -o ${LAN} -m tcp -p tcp --dport 143 -d 192.168.0.253 -j ACCEPT
  119.  
  120. # SMTP/SSL
  121. #iptables -A FORWARD -i ${WAN} -o ${LAN} -m tcp -p tcp --dport 465 -d 192.168.0.253 -j ACCEPT
  122.  
  123. # IMAPS
  124. #iptables -A FORWARD -i ${WAN} -o ${LAN} -m tcp -p tcp --dport 993 -d 192.168.0.253 -j ACCEPT
  125.  
  126. # POP3S
  127. #iptables -A FORWARD -i ${WAN} -o ${LAN} -m tcp -p tcp --dport 995 -d 192.168.0.253 -j ACCEPT
  128.  
  129. # IAX
  130. #iptables -A FORWARD -i ${WAN} -o ${LAN} -m udp -p udp --dport 4569 -d 192.168.0.254 -j ACCEPT
  131.  
  132. # SIP
  133. #iptables -A FORWARD -i ${WAN} -o ${LAN} -m udp -p udp --dport 5060 -d 192.168.0.254 -j ACCEPT
  134.  
  135. # RTP
  136. #iptables -A FORWARD -i ${WAN} -o ${LAN} -m udp -p udp --dport 10000:20000 -d 192.168.0.254 -j ACCEPT
  137.  
  138. # Rfactor Server (WEBSITE RESULTS)
  139. iptables -A FORWARD -i ${WAN} -o ${LAN} -m tcp -p tcp --dport 27012 -d 192.168.0.252 -j ACCEPT
  140. iptables -A FORWARD -i ${WAN} -o ${LAN} -m udp -p udp --dport 27012 -d 192.168.0.252 -j ACCEPT
  141.  
  142. # Rfactor Server (GAME PORT)
  143. iptables -A FORWARD -i ${WAN} -o ${LAN} -m tcp -p tcp --dport 34000:35000 -d 192.168.0.252 -j ACCEPT
  144. iptables -A FORWARD -i ${WAN} -o ${LAN} -m udp -p udp --dport 34000:35000 -d 192.168.0.252 -j ACCEPT
  145.  
  146. # Rfactor Server (MATCHMAKER PORT)
  147. iptables -A FORWARD -i ${WAN} -o ${LAN} -m tcp -p tcp --dport 39001 -d 192.168.0.252 -j ACCEPT
  148. iptables -A FORWARD -i ${WAN} -o ${LAN} -m udp -p udp --dport 39002 -d 192.168.0.252 -j ACCEPT
  149.  
  150. ## Create New IPv4 Filter Chains Tables ##
  151. iptables -N icmp_allowed
  152. iptables -N check-flags
  153. iptables -N allow-local-traffic-in
  154. iptables -N allow-ftp-traffic-in
  155. iptables -N allow-ftp-traffic-out
  156. iptables -N allow-ssh-traffic-in
  157. iptables -N allow-ssh-traffic-out
  158. iptables -N allow-smtp-traffic-in
  159. iptables -N allow-smtp-traffic-out
  160. iptables -N allow-dns-traffic-in
  161. iptables -N allow-dns-traffic-out
  162. iptables -N allow-http-traffic-in
  163. iptables -N allow-http-traffic-out
  164. iptables -N allow-pop3-traffic-in
  165. iptables -N allow-pop3-traffic-out
  166. iptables -N allow-ntp-traffic-in
  167. iptables -N allow-ntp-traffic-out
  168. iptables -N allow-imap-traffic-in
  169. iptables -N allow-imap-traffic-out
  170. iptables -N allow-https-traffic-in
  171. iptables -N allow-https-traffic-out
  172. iptables -N allow-smtps-traffic-in
  173. iptables -N allow-smtps-traffic-out
  174. iptables -N allow-rsync-traffic-in
  175. iptables -N allow-rsync-traffic-out
  176. iptables -N allow-imaps-traffic-in
  177. iptables -N allow-imaps-traffic-out
  178. iptables -N allow-pop3s-traffic-in
  179. iptables -N allow-pop3s-traffic-out
  180. iptables -N allow-fb-traffic-in
  181. iptables -N allow-fb-traffic-out
  182. iptables -N allow-amsn-traffic-out
  183. iptables -N allow-streaming-traffic-in
  184. iptables -N allow-streaming-traffic-out
  185. iptables -N allow-svn-traffic-in
  186. iptables -N allow-svn-traffic-out
  187. iptables -N allow-irc-traffic-in
  188. iptables -N allow-irc-traffic-out
  189. iptables -N allow-noip-traffic-out
  190. iptables -N allow-git-traffic-in
  191. iptables -N allow-git-traffic-out
  192. iptables -N allow-teamspeak-traffic-in
  193. iptables -N allow-teamspeak-traffic-out
  194. iptables -N allow-quake-traffic-out
  195. iptables -N allow-quake3-traffic-out
  196. iptables -N allow-rfactor-traffic-in
  197. iptables -N allow-rfactor-traffic-out
  198. iptables -N allow-hw-traffic-in
  199. iptables -N allow-hw-traffic-out
  200. iptables -N allowed-connection
  201.  
  202. ## Configuring IPv4 Filter INPUT Build-in Chain Table ##
  203. iptables -A INPUT -m state --state INVALID -j DROP
  204. iptables -A INPUT -p icmp -j icmp_allowed
  205. iptables -A INPUT -j check-flags
  206. #iptables -A INPUT -i ${WAN} -j ACCEPT
  207. #iptables -A INPUT -i ${WAN} -j allow-ftp-traffic-in
  208. #iptables -A INPUT -i ${WAN} -j allow-ssh-traffic-in
  209. #iptables -A INPUT -i ${WAN} -j allow-smtp-traffic-in
  210. iptables -A INPUT -i ${WAN} -j allow-dns-traffic-in
  211. #iptables -A INPUT -i ${WAN} -j allow-http-traffic-in
  212. #iptables -A INPUT -i ${WAN} -j allow-pop3-traffic-in
  213. #iptables -A INPUT -i ${WAN} -j allow-ntp-traffic-in
  214. #iptables -A INPUT -i ${WAN} -j allow-imap-traffic-in
  215. #iptables -A INPUT -i ${WAN} -j allow-https-traffic-in
  216. #iptables -A INPUT -i ${WAN} -j allow-smtps-traffic-in
  217. #iptables -A INPUT -i ${WAN} -j allow-rsync-traffic-in
  218. #iptables -A INPUT -i ${WAN} -j allow-imaps-traffic-in
  219. #iptables -A INPUT -i ${WAN} -j allow-pop3s-traffic-in
  220. #iptables -A INPUT -i ${WAN} -j allow-streaming-traffic-in
  221. #iptables -A INPUT -i ${WAN} -j allow-irc-traffic-in
  222. #iptables -A INPUT -i ${WAN} -j allow-http-traffic-in
  223. #iptables -A INPUT -i ${WAN} -j DROP
  224. iptables -A INPUT -i ${LO} -j ACCEPT
  225. iptables -A INPUT -i ${LAN} -j ACCEPT
  226. iptables -A INPUT -j allowed-connection
  227.  
  228. ## Configuring IPv4 Filter FORWARD Build-in Chain Table ##
  229. iptables -A FORWARD -m state --state INVALID -j DROP
  230. iptables -A FORWARD -p icmp -j icmp_allowed
  231. iptables -A FORWARD -j check-flags
  232. #iptables -A FORWARD -i ${WAN} -j ACCEPT
  233. #iptables -A FORWARD -o ${WAN} -j ACCEPT
  234. #iptables -A FORWARD -i ${WAN} -j allow-ftp-traffic-in
  235. iptables -A FORWARD -o ${WAN} -j allow-ftp-traffic-out
  236. #iptables -A FORWARD -i ${WAN} -j allow-ssh-traffic-in
  237. iptables -A FORWARD -o ${WAN} -j allow-ssh-traffic-out
  238. #iptables -A FORWARD -i ${WAN} -j allow-smtp-traffic-in
  239. iptables -A FORWARD -o ${WAN} -j allow-smtp-traffic-out
  240. #iptables -A FORWARD -i ${WAN} -j allow-dns-traffic-in
  241. iptables -A FORWARD -o ${WAN} -j allow-dns-traffic-out
  242. #iptables -A FORWARD -i ${WAN} -j allow-http-traffic-in
  243. iptables -A FORWARD -o ${WAN} -j allow-http-traffic-out
  244. #iptables -A FORWARD -i ${WAN} -j allow-pop3-traffic-in
  245. iptables -A FORWARD -o ${WAN} -j allow-pop3-traffic-out
  246. #iptables -A FORWARD -i ${WAN} -j allow-ntp-traffic-in
  247. iptables -A FORWARD -o ${WAN} -j allow-ntp-traffic-out
  248. #iptables -A FORWARD -i ${WAN} -j allow-imap-traffic-in
  249. iptables -A FORWARD -o ${WAN} -j allow-imap-traffic-out
  250. #iptables -A FORWARD -i ${WAN} -j allow-https-traffic-in
  251. iptables -A FORWARD -o ${WAN} -j allow-https-traffic-out
  252. #iptables -A FORWARD -i ${WAN} -j allow-smtps-traffic-in
  253. iptables -A FORWARD -o ${WAN} -j allow-smtps-traffic-out
  254. #iptables -A FORWARD -i ${WAN} -j allow-rsync-traffic-in
  255. iptables -A FORWARD -o ${WAN} -j allow-rsync-traffic-out
  256. #iptables -A FORWARD -i ${WAN} -j allow-imaps-traffic-in
  257. iptables -A FORWARD -o ${WAN} -j allow-imaps-traffic-out
  258. #iptables -A FORWARD -i ${WAN} -j allow-pop3s-traffic-in
  259. iptables -A FORWARD -o ${WAN} -j allow-pop3s-traffic-out
  260. #iptables -A FORWARD -i ${WAN} -j allow-fb-traffic-in
  261. iptables -A FORWARD -o ${WAN} -j allow-fb-traffic-out
  262. iptables -A FORWARD -o ${WAN} -j allow-amsn-traffic-out
  263. #iptables -A FORWARD -i ${WAN} -j allow-streaming-traffic-in
  264. iptables -A FORWARD -o ${WAN} -j allow-streaming-traffic-out
  265. #iptables -A FORWARD -i ${WAN} -j allow-svn-traffic-in
  266. iptables -A FORWARD -o ${WAN} -j allow-svn-traffic-out
  267. #iptables -A FORWARD -i ${WAN} -j allow-irc-traffic-in
  268. iptables -A FORWARD -o ${WAN} -j allow-irc-traffic-out
  269. #iptables -A FORWARD -i ${WAN} -j allow-git-traffic-in
  270. iptables -A FORWARD -o ${WAN} -j allow-git-traffic-out
  271. #iptables -A FORWARD -i ${WAN} -j allow-teamspeak-traffic-in
  272. iptables -A FORWARD -o ${WAN} -j allow-teamspeak-traffic-out
  273. iptables -A FORWARD -o ${WAN} -j allow-quake-traffic-out
  274. iptables -A FORWARD -o ${WAN} -j allow-quake3-traffic-out
  275. #iptables -A FORWARD -i ${WAN} -j allow-rfactor-traffic-in
  276. iptables -A FORWARD -o ${WAN} -j allow-rfactor-traffic-out
  277. #iptables -A FORWARD -i ${WAN} -j allow-hw-traffic-in
  278. iptables -A FORWARD -o ${WAN} -j allow-hw-traffic-out
  279. #iptables -A FORWARD -i ${WAN} -j DROP
  280. #iptables -A FORWARD -o ${WAN} -j DROP
  281. #iptables -A FORWARD -i ${LO} -j ACCEPT
  282. #iptables -A FORWARD -o ${LO} -j ACCEPT
  283. iptables -A FORWARD -j allowed-connection
  284.  
  285. ## Configuring IPv4 Filter OUTPUT Build-in Chain Table ##
  286. iptables -A OUTPUT -m state --state INVALID -j DROP
  287. iptables -A OUTPUT -p icmp -j icmp_allowed
  288. iptables -A OUTPUT -j check-flags
  289. #iptables -A OUTPUT -o ${WAN} -j ACCEPT
  290. iptables -A OUTPUT -o ${WAN} -j allow-ftp-traffic-out
  291. #iptables -A OUTPUT -o ${WAN} -j allow-ssh-traffic-out
  292. #iptables -A OUTPUT -o ${WAN} -j allow-smtp-traffic-out
  293. iptables -A OUTPUT -o ${WAN} -j allow-dns-traffic-out
  294. iptables -A OUTPUT -o ${WAN} -j allow-http-traffic-out
  295. #iptables -A OUTPUT -o ${WAN} -j allow-pop3-traffic-out
  296. iptables -A OUTPUT -o ${WAN} -j allow-ntp-traffic-out
  297. #iptables -A OUTPUT -o ${WAN} -j allow-imap-traffic-out
  298. iptables -A OUTPUT -o ${WAN} -j allow-https-traffic-out
  299. #iptables -A OUTPUT -o ${WAN} -j allow-smtps-traffic-out
  300. iptables -A OUTPUT -o ${WAN} -j allow-rsync-traffic-out
  301. #iptables -A OUTPUT -o ${WAN} -j allow-imaps-traffic-out
  302. #iptables -A OUTPUT -o ${WAN} -j allow-pop3s-traffic-out
  303. #iptables -A OUTPUT -o ${WAN} -j allow-svn-traffic-out
  304. #iptables -A OUTPUT -o ${WAN} -j allow-irc-traffic-out
  305. iptables -A OUTPUT -o ${WAN} -j allow-noip-traffic-out
  306. #iptables -A OUTPUT -o ${WAN} -j allow-git-traffic-out
  307. #iptables -A OUTPUT -o ${WAN} -j DROP
  308. iptables -A OUTPUT -o ${LO} -j ACCEPT
  309. iptables -A OUTPUT -o ${LAN} -j ACCEPT
  310. iptables -A OUTPUT -j allowed-connection
  311.  
  312. ## Configuring IPv4 Filter "icmp_allowed" Chain Table ##
  313. iptables -A icmp_allowed -p icmp -m state --state NEW -m icmp --icmp-type 11 -j ACCEPT
  314. iptables -A icmp_allowed -p icmp -m state --state NEW -m icmp --icmp-type 3 -j ACCEPT
  315. iptables -A icmp_allowed -p icmp -j LOG --log-prefix "Bad ICMP traffic:"
  316. iptables -A icmp_allowed -p icmp -j DROP
  317.  
  318. ## Configuring IPv4 Filter "check-flags" Chain Table ##
  319. iptables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 5/min -j LOG --log-prefix "NMAP-XMAS:" --log-level 1
  320. iptables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
  321. iptables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 5/min -j LOG --log-prefix "XMAS:" --log-level 1
  322. iptables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
  323. iptables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 5/min -j LOG --log-prefix "XMAS-PSH:" --log-level 1
  324. iptables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
  325. iptables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min -j LOG --log-prefix "NULL_SCAN:" --log-level 1
  326. iptables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
  327. iptables -A check-flags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min -j LOG --log-prefix "SYN/RST:" --log-level 5
  328. iptables -A check-flags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
  329. iptables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min -j LOG --log-prefix "SYN/FIN:" --log-level 5
  330. iptables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
  331.  
  332. ## Configuring IPv4 Filter "allow-local-traffic-in" Chain Table ##
  333. iptables -A allow-local-traffic-in -p tcp -m limit --limit 1/sec -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT
  334. iptables -A allow-local-traffic-in -p tcp -m limit --limit 1/sec -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT
  335. iptables -A allow-local-traffic-in -p tcp -m limit --limit 1/sec -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT
  336. iptables -A allow-local-traffic-in -m state --state RELATED,ESTABLISHED -j ACCEPT
  337.  
  338. ## Configuring IPv4 Filter "allow-ftp-traffic-in" Chain Table ##
  339. #iptables -A allow-ftp-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 21 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT
  340. #iptables -A allow-ftp-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 21 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT
  341. #iptables -A allow-ftp-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 21 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT
  342. #iptables -A allow-ftp-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 21 -j ACCEPT
  343.  
  344. ## Configuring IPv4 Filter "allow-ftp-traffic-out" Chain Table ##
  345. iptables -A allow-ftp-traffic-out -p tcp -m tcp --dport 21 -j ACCEPT
  346.  
  347. ## Configuring IPv4 Filter "allow-ssh-traffic-in" Chain Table ##
  348. iptables -A allow-ssh-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 22 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT
  349. iptables -A allow-ssh-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 22 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT
  350. iptables -A allow-ssh-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 22 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT
  351. iptables -A allow-ssh-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 22 -j ACCEPT
  352.  
  353. ## Configuring IPv4 Filter "allow-ssh-traffic-out" Chain Table ##
  354. iptables -A allow-ssh-traffic-out -p tcp -m tcp --dport 22 -j ACCEPT
  355.  
  356. ## Configuring IPv4 Filter "allow-smtp-traffic-out" Chain Table ##
  357. iptables -A allow-smtp-traffic-out -p tcp -m tcp --dport 25 -j ACCEPT
  358.  
  359. ## Configuring IPv4 Filter "allow-dns-traffic-in" Chain Table ##
  360. iptables -A allow-dns-traffic-in -p udp -m limit --limit 1/sec -m udp --dport 53 -j ACCEPT
  361. iptables -A allow-dns-traffic-in -p udp -m state --state RELATED,ESTABLISHED -m udp --dport 53 -j ACCEPT
  362. iptables -A allow-dns-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 53 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT
  363. iptables -A allow-dns-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 53 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT
  364. iptables -A allow-dns-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 53 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT
  365. iptables -A allow-dns-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 53 -j ACCEPT
  366.  
  367. ## Configuring IPv4 Filter "allow-dns-traffic-out" Chain Table ##
  368. iptables -A allow-dns-traffic-out -p udp -m udp --dport 53 -j ACCEPT
  369. iptables -A allow-dns-traffic-out -p tcp -m tcp --dport 53 -j ACCEPT
  370.  
  371. ## Configuring IPv4 Filter "allow-http-traffic-in" Chain Table ##
  372. #iptables -A allow-http-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 80 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT
  373. #iptables -A allow-http-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 80 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT
  374. #iptables -A allow-http-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 80 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT
  375. #iptables -A allow-http-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 80 -j ACCEPT
  376.  
  377. ## Configuring IPv4 Filter "allow-http-traffic-out" Chain Table ##
  378. iptables -A allow-http-traffic-out -p tcp -m tcp --dport 80 -j ACCEPT
  379.  
  380. ## Configuring IPv4 Filter "allow-pop3-traffic-out" Chain Table ##
  381. iptables -A allow-pop3-traffic-out -p udp -m udp --dport 110 -j ACCEPT
  382.  
  383. ## Configuring IPv4 Filter "allow-ntp-traffic-in" Chain Table ##
  384. #iptables -A allow-ntp-traffic-in -p udp -m limit --limit 1/sec -m udp --dport 123 -j ACCEPT
  385. #iptables -A allow-ntp-traffic-in -p udp -m state --state RELATED,ESTABLISHED -m udp --dport 123 -j ACCEPT
  386.  
  387. ## Configuring IPv4 Filter "allow-ntp-traffic-out" Chain Table ##
  388. iptables -A allow-ntp-traffic-out -p udp -m udp --dport 123 -j ACCEPT
  389.  
  390. ## Configuring IPv4 Filter "allow-imap-traffic-out" Chain Table ##
  391. iptables -A allow-imap-traffic-out -p udp -m udp --dport 143 -j ACCEPT
  392.  
  393. ## Configuring IPv4 Filter "allow-https-traffic-in" Chain Table ##
  394. #iptables -A allow-https-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 443 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT
  395. #iptables -A allow-https-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 443 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT
  396. #iptables -A allow-https-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 443 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT
  397. #iptables -A allow-https-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 443 -j ACCEPT
  398.  
  399. ## Configuring IPv4 Filter "allow-https-traffic-out" Chain Table ##
  400. iptables -A allow-https-traffic-out -p tcp -m tcp --dport 443 -j ACCEPT
  401.  
  402. ## Configuring IPv4 Filter "allow-smtps-traffic-out" Chain Table ##
  403. iptables -A allow-smtp-traffic-out -p tcp -m tcp --dport 465 -j ACCEPT
  404. iptables -A allow-smtp-traffic-out -p tcp -m tcp --dport 587 -j ACCEPT
  405.  
  406. ## Configuring IPv4 Filter "allow-rsync-traffic-in" Chain Table ##
  407. #iptables -A allow-rsync-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 873 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT
  408. #iptables -A allow-rsync-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 873 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT
  409. #iptables -A allow-rsync-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 873 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT
  410. #iptables -A allow-rsync-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 873 -j ACCEPT
  411.  
  412. ## Configuring IPv4 Filter "allow-rsync-traffic-out" Chain Table ##
  413. iptables -A allow-rsync-traffic-out -p tcp -m tcp --dport 873 -j ACCEPT
  414.  
  415. ## Configuring IPv4 Filter "allow-imaps-traffic-out" Chain Table ##
  416. iptables -A allow-imap-traffic-out -p tcp -m tcp --dport 993 -j ACCEPT
  417.  
  418. ## Configuring IPv4 Filter "allow-pop3s-traffic-out" Chain Table ##
  419. iptables -A allow-pop3-traffic-out -p tcp -m tcp --dport 995 -j ACCEPT
  420.  
  421. ## Configuring IPv4 Filter "allow-fb-traffic-out" Chain Table ##
  422. iptables -A allow-fb-traffic-out -p tcp -m tcp --dport 1511 -j ACCEPT
  423. iptables -A allow-fb-traffic-out -p tcp -m tcp --dport 1512 -j ACCEPT
  424. iptables -A allow-fb-traffic-out -p tcp -m tcp --dport 1514 -j ACCEPT
  425. iptables -A allow-fb-traffic-out -p tcp -m tcp --dport 1515 -j ACCEPT
  426.  
  427. ## Configuring IPv4 Filter "allow-amsn-traffic-out" Chain Table ##
  428. iptables -A allow-amsn-traffic-out -p tcp -m tcp --dport 1863 -j ACCEPT
  429.  
  430. ## Configuring IPv4 Filter "allow-streaming-traffic-out" Chain Table ##
  431. iptables -A allow-streaming-traffic-out -p tcp -m tcp --dport 1935 -j ACCEPT
  432.  
  433. ## Configuring IPv4 Filter "allow-svn-traffic-out" Chain Table ##
  434. iptables -A allow-svn-traffic-out -p tcp -m tcp --dport 3690 -j ACCEPT
  435.  
  436. ## Configuring IPv4 Filter "allow-irc-traffic-out" Chain Table ##
  437. #iptables -A allow-irc-traffic-out -p tcp -m tcp --dport 194 -j ACCEPT
  438. #iptables -A allow-irc-traffic-out -p tcp -m tcp --dport 529 -j ACCEPT
  439. #iptables -A allow-irc-traffic-out -p tcp -m tcp --dport 994 -j ACCEPT
  440. iptables -A allow-irc-traffic-out -p tcp -m tcp --dport 6667 -j ACCEPT
  441.  
  442. ## Configuring IPv4 Filter "allow-http-traffic-in" Chain Table ##
  443. #iptables -A allow-http-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 8080 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT
  444. #iptables -A allow-http-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 8080 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT
  445. #iptables -A allow-http-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 8080 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT
  446. #iptables -A allow-http-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 8080 -j ACCEPT
  447.  
  448. ## Configuring IPv4 Filter "allow-noip-traffic-out" Chain Table ##
  449. iptables -A allow-noip-traffic-out -p tcp -m tcp --dport 8245 -j ACCEPT
  450.  
  451. ## Configuring IPv4 Filter "allow-git-traffic-out" Chain Table ##
  452. iptables -A allow-git-traffic-out -p tcp -m tcp --dport 9418 -j ACCEPT
  453.  
  454. ## Opening IPv4 Filter "allow-teamspeak-traffic-out" Chain Table ##
  455. iptables -A allow-teamspeak-traffic-out -p udp -m udp --dport 9987 -j ACCEPT
  456.  
  457. ## Configuring IPv4 Filter "allow-rfactor-traffic-in" Chain Table ##
  458. #iptables -A allow-rfactor-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 34000:35000 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT
  459. #iptables -A allow-rfactor-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 34000:35000 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT
  460. #iptables -A allow-rfactor-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 34000:35000 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT
  461. #iptables -A allow-rfactor-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 34000:35000 -j ACCEPT
  462. #iptables -A allow-rfactor-traffic-in -p tcp -m tcp --dport 34000:35000 -j ACCEPT
  463. #iptables -A allow-rfactor-traffic-in -p udp -m udp --dport 34000:35000 -j ACCEPT
  464. #iptables -A allow-rfactor-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 39001 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT
  465. #iptables -A allow-rfactor-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 39001 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT
  466. #iptables -A allow-rfactor-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 39001 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT
  467. #iptables -A allow-rfactor-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 39001 -j ACCEPT
  468. #iptables -A allow-rfactor-traffic-in -p tcp -m tcp --dport 39001 -j ACCEPT
  469. #iptables -A allow-rfactor-traffic-in -p udp -m udp --dport 39002 -j ACCEPT
  470.  
  471. ## Configuring IPv4 Filter "allow-rfactor-traffic-out" Chain Table (UNDER OBSERVATION) ##
  472. ## iptables -A allow-rfactor-traffic-out -p udp -m udp --dport 1900 -j ACCEPT
  473. ## iptables -A allow-rfactor-traffic-out -p tcp -m tcp --dport 3484 -j ACCEPT
  474. ## iptables -A allow-rfactor-traffic-out -p udp -m udp --dport 3544 -j ACCEPT
  475. ## iptables -A allow-rfactor-traffic-out -p tcp -m tcp --dport 31000:31002 -j ACCEPT
  476. ## iptables -A allow-rfactor-traffic-out -p tcp -m tcp --dport 32000:32002 -j ACCEPT
  477. ## iptables -A allow-rfactor-traffic-out -p tcp -m tcp --dport 34384 -j ACCEPT
  478.  
  479. ## Configuring IPv4 Filter "allow-rfactor-traffic-out" Chain Table (IF RFACTOR HAVE PROBLEMS TO CONNECT) ##
  480. ## iptables -A allow-rfactor-traffic-out -p tcp -m tcp --dport 34000:35000 -j ACCEPT
  481.  
  482. ## Configuring IPv4 Filter "allow-quake-traffic-out" rFactor Hotlaps Chain Table ##
  483. iptables -A allow-quake-traffic-out -p udp -m udp --dport 26000 -j ACCEPT
  484.  
  485. ## Configuring IPv4 Filter "allow-rfactor-traffic-out" rFactor Hotlaps Chain Table ##
  486. iptables -A allow-rfactor-traffic-out -p tcp -m tcp --dport 27011:27015 -j ACCEPT
  487.  
  488. ## Configuring IPv4 Filter "allow-quake-traffic-out" rFactor Hotlaps Chain Table ##
  489. iptables -A allow-quake3-traffic-out -p udp -m udp --dport 27950 -j ACCEPT
  490.  
  491. ## Configuring IPv4 Filter "allow-rfactor-traffic-out" Chain Table (CHECK OK) ##
  492. ## Opening F1SR 1993 mod ports ##
  493. iptables -A allow-rfactor-traffic-out -p udp -m udp --dport 34297 -j ACCEPT
  494. iptables -A allow-rfactor-traffic-out -p udp -m udp --dport 34397 -j ACCEPT
  495. iptables -A allow-rfactor-traffic-out -p tcp -m tcp --dport 34447:34450 -j ACCEPT
  496.  
  497. ## Opening FSONE 2009 mod ports ##
  498. iptables -A allow-rfactor-traffic-out -p udp -m udp --dport 34298 -j ACCEPT
  499. iptables -A allow-rfactor-traffic-out -p udp -m udp --dport 34398 -j ACCEPT
  500. iptables -A allow-rfactor-traffic-out -p udp -m udp --dport 34299 -j ACCEPT
  501. iptables -A allow-rfactor-traffic-out -p udp -m udp --dport 34399:34400 -j ACCEPT
  502.  
  503. ## Opening Matchmaker ports ##
  504. iptables -A allow-rfactor-traffic-out -p tcp -m tcp --dport 39001 -j ACCEPT
  505. iptables -A allow-rfactor-traffic-out -p udp -m udp --dport 39002 -j ACCEPT
  506.  
  507. ## Opening IPv4 Filter "allow-hw-traffic-out" Chain Table ##
  508. iptables -A allow-hw-traffic-out -p tcp -m tcp --dport 46631 -j ACCEPT
  509.  
  510. ## Configuring IPv4 Filter "allowed-wan-connection" Chain Table ##
  511. iptables -A allowed-connection -m state --state RELATED,ESTABLISHED -j ACCEPT
  512. iptables -A allowed-connection -i ${WAN} -m limit --limit 3/hour -j LOG --log-prefix "Bad packet from eth1:"
  513. iptables -A allowed-connection -j DROP
  514.  
  515. ## Clear All IPv6 Filter Tables ##
  516. ip6tables -F
  517. ip6tables -X
  518. ip6tables -Z
  519.  
  520. ## Setup IPv6 Filter Build-in Policy Tables ##
  521. ip6tables -P INPUT DROP
  522. ip6tables -P FORWARD DROP
  523. ip6tables -P OUTPUT DROP
  524.  
  525. ## Create New IPv6 Filter Chains Tables ##
  526. ip6tables -N allow-dns-traffic-out
  527. ip6tables -N allow-ftp-traffic-out
  528. ip6tables -N allow-ntp-traffic-out
  529. ip6tables -N allow-ssh-traffic-in
  530. ip6tables -N allow-ssh-traffic-out
  531. ip6tables -N allow-www-traffic-out
  532. ip6tables -N allowed-connection
  533. ip6tables -N check-flags
  534. ip6tables -N icmpv6_allowed
  535.  
  536. ## Configuring IPv6 Filter INPUT Build-in Chain Table ##
  537. ip6tables -A INPUT -m state --state INVALID -j DROP
  538. ip6tables -A INPUT -p icmpv6 -j icmpv6_allowed
  539. ip6tables -A INPUT -j check-flags
  540. #ip6tables -A INPUT -i ${WAN} -j allow-ssh-traffic-in
  541. ip6tables -A INPUT -i ${WAN} -j DROP
  542. ip6tables -A INPUT -i ${LO} -j ACCEPT
  543. ip6tables -A INPUT -i ${LAN} -j ACCEPT
  544. ip6tables -A INPUT -j allowed-connection
  545.  
  546. ## Configuring IPv6 Filter FORWARD Build-in Chain Table ##
  547. ip6tables -A FORWARD -m state --state INVALID -j DROP
  548. ip6tables -A FORWARD -p icmpv6 -j icmpv6_allowed
  549. ip6tables -A FORWARD -j check-flags
  550. #ip6tables -A FORWARD -i ${WAN} -j ACCEPT
  551. #ip6tables -A FORWARD -o ${WAN} -j ACCEPT
  552. #ip6tables -A FORWARD -i ${WAN} -j allow-ssh-traffic-in
  553. #ip6tables -A FORWARD -o ${WAN} -j allow-ssh-traffic-out
  554. #ip6tables -A FORWARD -o ${WAN} -j allow-dns-traffic-out
  555. #ip6tables -A FORWARD -o ${WAN} -j allow-ftp-traffic-out
  556. #ip6tables -A FORWARD -o ${WAN} -j allow-ntp-traffic-out
  557. #ip6tables -A FORWARD -o ${WAN} -j allow-www-traffic-out
  558. ip6tables -A FORWARD -i ${WAN} -j DROP
  559. ip6tables -A FORWARD -o ${WAN} -j DROP
  560. #ip6tables -A FORWARD -i ${LO} -j ACCEPT
  561. #ip6tables -A FORWARD -o ${LO} -j ACCEPT
  562. ip6tables -A FORWARD -j allowed-connection
  563.  
  564. ## Configuring IPv6 Filter OUTPUT Build-in Chain Table ##
  565. ip6tables -A OUTPUT -m state --state INVALID -j DROP
  566. ip6tables -A OUTPUT -p icmpv6 -j icmpv6_allowed
  567. ip6tables -A OUTPUT -j check-flags
  568. #ip6tables -A OUTPUT -o ${WAN} -j ACCEPT
  569. #ip6tables -A OUTPUT -o ${WAN} -j allow-ssh-traffic-out
  570. #ip6tables -A OUTPUT -o ${WAN} -j allow-dns-traffic-out
  571. #ip6tables -A OUTPUT -o ${WAN} -j allow-ftp-traffic-out
  572. #ip6tables -A OUTPUT -o ${WAN} -j allow-ntp-traffic-out
  573. #ip6tables -A OUTPUT -o ${WAN} -j allow-www-traffic-out
  574. ip6tables -A OUTPUT -o ${WAN} -j DROP
  575. ip6tables -A OUTPUT -o ${LO} -j ACCEPT
  576. ip6tables -A OUTPUT -o ${LAN} -j ACCEPT
  577. ip6tables -A OUTPUT -j allowed-connection
  578.  
## Configuring IPv6 Filter "allow-dns-traffic-out" Chain Table ##
# Every rule below is commented out, so this chain is empty and a jump to it
# simply returns to the caller. Before enabling them, set DNS1_V6..DNS4_V6 to
# the resolvers' IPv6 addresses (they are not defined in this section).
  580. #ip6tables -A allow-dns-traffic-out -d ${DNS1_V6} -p udp -m udp --dport 53 -j ACCEPT
  581. #ip6tables -A allow-dns-traffic-out -d ${DNS2_V6} -p udp -m udp --dport 53 -j ACCEPT
  582. #ip6tables -A allow-dns-traffic-out -d ${DNS3_V6} -p udp -m udp --dport 53 -j ACCEPT
  583. #ip6tables -A allow-dns-traffic-out -d ${DNS4_V6} -p udp -m udp --dport 53 -j ACCEPT
  584.  
  585. ## Configuring IPv6 Filter "allow-ftp-traffic-out" Chain Table ##
  586. ip6tables -A allow-ftp-traffic-out -p tcp -m tcp --dport 21 -j ACCEPT
  587.  
  588. ## Configuring IPv6 Filter "allow-ntp-traffic-out" Chain Table ##
  589. ip6tables -A allow-ntp-traffic-out -p udp -m udp --dport 123 -j ACCEPT
  590.  
  591. ## Configuring IPv6 Filter "allow-ssh-traffic-in" Chain Table ##
  592. ip6tables -A allow-ssh-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 22 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT
  593. ip6tables -A allow-ssh-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 22 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT
  594. ip6tables -A allow-ssh-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 22 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT
  595. ip6tables -A allow-ssh-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 22 -j ACCEPT
  596.  
  597. ## Configuring IPv6 Filter "allow-ssh-traffic-out" Chain Table ##
  598. ip6tables -A allow-ssh-traffic-out -p tcp -m tcp --dport 22 -j ACCEPT
  599.  
  600. ## Configuring IPv6 Filter "allow-www-traffic-out" Chain Table ##
  601. ip6tables -A allow-www-traffic-out -p tcp -m tcp --dport 80 -j ACCEPT
  602. ip6tables -A allow-www-traffic-out -p tcp -m tcp --dport 443 -j ACCEPT
  603.  
  604. ## Configuring IPv6 Filter "allowed-connection" Chain Table ##
  605. ip6tables -A allowed-connection -m state --state RELATED,ESTABLISHED -j ACCEPT
  606. ip6tables -A allowed-connection -i ${WAN} -m limit --limit 3/hour -j LOG --log-prefix "Bad packet from eth1:"
  607. ip6tables -A allowed-connection -j DROP
  608.  
  609. ## Configuring IPv6 Filter "check-flags" Chain Table ##
  610. ip6tables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 5/min -j LOG --log-prefix "NMAP-XMAS:" --log-level 1
  611. ip6tables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
  612. ip6tables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 5/min -j LOG --log-prefix "XMAS:" --log-level 1
  613. ip6tables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
  614. ip6tables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 5/min -j LOG --log-prefix "XMAS-PSH:" --log-level 1
  615. ip6tables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
  616. ip6tables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min -j LOG --log-prefix "NULL_SCAN:" --log-level 1
  617. ip6tables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
  618. ip6tables -A check-flags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min -j LOG --log-prefix "SYN/RST:" --log-level 5
  619. ip6tables -A check-flags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
  620. ip6tables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min -j LOG --log-prefix "SYN/FIN:" --log-level 5
  621. ip6tables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
  622.  
  623. ## Configuring IPv6 Filter "icmp_allowed" Chain Table ##
  624. ip6tables -A icmpv6_allowed -p icmpv6 -m state --state NEW -m icmpv6 --icmpv6-type 3 -j ACCEPT
  625. ip6tables -A icmpv6_allowed -p icmpv6 -m state --state NEW -m icmpv6 --icmpv6-type 1 -j ACCEPT
  626. ip6tables -A icmpv6_allowed -p icmpv6 -j LOG --log-prefix "Bad ICMPv6 traffic:"
  627. ip6tables -A icmpv6_allowed -p icmpv6 -j DROP
  628.  
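## Setting IPv4 Forward and RP Filter Linux Kernel ##
# Forwarding is left off here. Without it the kernel routes nothing between
# interfaces, whatever the FORWARD/NAT rules say; uncomment only if this host
# is meant to route.
#echo 1 > /proc/sys/net/ipv4/ip_forward
# Strict reverse-path filtering on every IPv4 interface (the glob also hits
# the "all" and "default" entries): a packet whose source address would not
# be routed back out the interface it arrived on is discarded, which defeats
# simple source spoofing. NOTE(review): strict mode breaks asymmetric
# routing; use 2 (loose) there. The path is quoted and a non-match skipped so
# an empty glob cannot turn into a write to a literal "*" path.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  [ -e "$f" ] || continue
  printf '1\n' > "$f"
done
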
  633. ## Save And Restart IPv4 Tables ##
  634. /etc/init.d/iptables save
  635. /etc/init.d/iptables restart
  636.  
  637. ## Save And Restart IPv6 Tables ##
  638. /etc/init.d/ip6tables save
  639. /etc/init.d/ip6tables restart
  640.  
  641. ## List IPv4 Tables ##
  642. #iptables -t nat -L -v
  643. #iptables -L -v
  644.  
  645. ## List IPv6 Tables ##
#ip6tables -L -v