August712

Output of trendy's command

Apr 4th, 2022 (edited)
  # OpenWrt forum diagnostic one-liner: prints board/firmware info (ubus), the
  # network, dhcp and firewall UCI config, the custom /etc/firewall.user script,
  # the live iptables rules with packet counters (-c), and the IPv4 addresses,
  # routes (all tables) and policy rules.
  # NOTE(review): the output is pasted verbatim, so redact the WAN address, MACs
  # and the IPv6 ULA prefix before sharing -- uci export does not do that for you
  # (the ula_prefix in the network export below is still in the clear).
  1. root@router:~# ubus call system board; \
  2. > uci export network; \
  3. > uci export dhcp; uci export firewall; \
  4. > head -n -0 /etc/firewall.user; \
  5. > iptables-save -c; \
  6. > ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
  7. {
  8. "kernel": "5.4.154",
  9. "hostname": "cerberus",
  10. "system": "ARMv7 Processor rev 1 (v7l)",
  11. "model": "Linksys WRT1200AC",
  12. "board_name": "linksys,wrt1200ac",
  13. "release": {
  14. "distribution": "OpenWrt",
  15. "version": "21.02.1",
  16. "revision": "r16325-88151b8303",
  17. "target": "mvebu/cortexa9",
  18. "description": "OpenWrt 21.02.1 r16325-88151b8303"
  19. }
  20. }
  21. package network
  22.  
  23. config interface 'loopback'
  24. option device 'lo'
  25. option proto 'static'
  26. option ipaddr '127.0.0.1'
  27. option netmask '255.0.0.0'
  28.  
  29. config globals 'globals'
  30. option ula_prefix 'fdad:caa7:f4af::/48'
  31.  
  32. config device
  33. option name 'br-lan'
  34. option type 'bridge'
  35. list ports 'lan1'
  36. list ports 'lan2'
  37. list ports 'lan3'
  38. list ports 'lan4'
  39.  
  40. config interface 'lan'
  41. option proto 'static'
  42. option netmask '255.255.255.0'
  43. option ip6assign '60'
  44. list dns_search '[Redacted Domain]'
  45. list dns '10.1.1.3'
  46. list dns '1.1.1.1'
  47. list dns '1.0.0.1'
  48. option device 'br-lan.100'
  49. option ipaddr '10.0.0.1'
  50.  
  51. config device
  52. option name 'wan'
  53. option macaddr '[Redacted MAC]'
  54.  
  55. config interface 'wan'
  56. option device 'wan'
  57. option proto 'static'
  58. option ipaddr '[Redacted WAN IP]'
  59. option netmask '[Redacted]'
  60. option gateway '[Redacted]'
  61. list dns '[ISP DNS Server #1]'
  62. list dns '[ISP DNS Server #2]'
  63.  
  64. config interface 'wan6'
  65. option device 'wan'
  66. option proto 'dhcpv6'
  67.  
  68. config bridge-vlan
  69. option device 'br-lan'
  70. option vlan '3'
  71. list ports 'lan1:t'
  72.  
  73. config bridge-vlan
  74. option device 'br-lan'
  75. option vlan '4'
  76. list ports 'lan1:t'
  77.  
  78. config bridge-vlan
  79. option device 'br-lan'
  80. option vlan '100'
  81. list ports 'lan1:t'
  82. list ports 'lan2:u*'
  83. list ports 'lan3:u*'
  84.  
  85. config bridge-vlan
  86. option device 'br-lan'
  87. option vlan '200'
  88. list ports 'lan1:t'
  89. list ports 'lan4:u*'
  90.  
  91. config interface 'SERVER'
  92. option proto 'static'
  93. option device 'br-lan.200'
  94. option netmask '255.255.255.0'
  95. option ipaddr '10.1.1.1'
  96. list dns_search '[Redacted Domain]'
  97. list dns '10.1.1.3'
  98. list dns '1.1.1.1'
  99. list dns '1.0.0.1'
  100.  
  101. config interface 'GUEST'
  102. option proto 'static'
  103. option device 'br-lan.3'
  104. option ipaddr '10.0.1.1'
  105. option netmask '255.255.255.0'
  106. list dns '10.1.1.3'
  107. list dns '1.1.1.1'
  108. list dns '1.0.0.1'
  109. list dns_search '[Redacted Domain]'
  110.  
  111. config interface 'IOT'
  112. option proto 'static'
  113. option device 'br-lan.4'
  114. option ipaddr '10.0.2.0'
  115. option netmask '255.255.255.0'
  116. list dns '10.1.1.3'
  117. list dns '1.1.1.1'
  118. list dns '1.0.0.1'
  119. list dns_search '[Redacted Domain]'
  120.  
  121. package dhcp
  122.  
  123. config dnsmasq
  124. option domainneeded '1'
  125. option localise_queries '1'
  126. option rebind_protection '1'
  127. option rebind_localhost '1'
  128. option local '/lan/'
  129. option expandhosts '1'
  130. option authoritative '1'
  131. option readethers '1'
  132. option leasefile '/tmp/dhcp.leases'
  133. option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
  134. option localservice '1'
  135. option ednspacket_max '1232'
  136. option domain '[Redacted]'
  137. list server '10.1.1.3'
  138. list server '1.1.1.1'
  139. list server '1.0.0.1'
  140.  
  141. config dhcp 'lan'
  142. option interface 'lan'
  143. option start '100'
  144. option limit '150'
  145. option leasetime '12h'
  146. option dhcpv4 'server'
  147. option dhcpv6 'server'
  148. option ra 'server'
  149. list ra_flags 'managed-config'
  150. list ra_flags 'other-config'
  151. list dhcp_option '6,10.1.1.3,1.1.1.1,1.0.0.1'
  152.  
  153. config dhcp 'wan'
  154. option interface 'wan'
  155. option ignore '1'
  156. option start '100'
  157. option limit '150'
  158. option leasetime '12h'
  159. list ra_flags 'none'
  160.  
  161. config odhcpd 'odhcpd'
  162. option maindhcp '0'
  163. option leasefile '/tmp/hosts/odhcpd'
  164. option leasetrigger '/usr/sbin/odhcpd-update'
  165. option loglevel '4'
  166.  
  167. # EDITOR'S NOTE: 13 `config host` sections followed this line; I have redacted
  168. # them because they were static DHCP assignments containing many MAC addresses,
  169. # which did not seem essential. All of them pinned MACs on my SERVER network to
  170. # fixed 10.1.1.X addresses. Also worth noting: 10.1.1.3 hosts my DNS (it is the
  171. # first `list server` entry above and the first resolver in the `dhcp_option '6,...'` lines).
  172.  
  173. config dhcp 'SERVER'
  174. option interface 'SERVER'
  175. option leasetime '12h'
  176. option start '200'
  177. option limit '50'
  178. list dhcp_option '6,10.1.1.3,1.1.1.1,1.0.0.1'
  179. list ra_flags 'none'
  180.  
  181. config dhcp 'GUEST'
  182. option interface 'GUEST'
  183. option start '100'
  184. option limit '150'
  185. option leasetime '12h'
  186. list ra_flags 'none'
  187.  
  188. config dhcp 'IOT'
  189. option interface 'IOT'
  190. option start '100'
  191. option limit '150'
  192. option leasetime '12h'
  193. list ra_flags 'none'
  194.  
  195. package firewall
  196.  
  197. config defaults
  198. option input 'ACCEPT'
  199. option output 'ACCEPT'
  200. option synflood_protect '1'
  201. option forward 'REJECT'
  202.  
  203. config zone
  204. list network 'lan'
  205. option input 'ACCEPT'
  206. option output 'ACCEPT'
  207. option forward 'ACCEPT'
  208. option name 'lan'
  209.  
  210. config zone
  211. list network 'wan'
  212. list network 'wan6'
  213. option input 'REJECT'
  214. option output 'ACCEPT'
  215. option masq '1'
  216. option mtu_fix '1'
  217. option name 'wan'
  218. option forward 'REJECT'
  219.  
  220. config forwarding
  221. option src 'lan'
  222. option dest 'wan'
  223.  
  224. config rule
  225. option name 'Allow-DHCP-Renew'
  226. option proto 'udp'
  227. option dest_port '68'
  228. option target 'ACCEPT'
  229. option family 'ipv4'
  230. option src 'wan'
  231.  
  232. config rule
  233. option name 'Allow-Ping'
  234. option proto 'icmp'
  235. option icmp_type 'echo-request'
  236. option family 'ipv4'
  237. option target 'ACCEPT'
  238. option src 'wan'
  239.  
  240. config rule
  241. option name 'Allow-IGMP'
  242. option proto 'igmp'
  243. option family 'ipv4'
  244. option target 'ACCEPT'
  245. option src 'wan'
  246.  
  247. config rule
  248. option name 'Allow-DHCPv6'
  249. option proto 'udp'
  250. option src_ip 'fc00::/6'
  251. option dest_ip 'fc00::/6'
  252. option dest_port '546'
  253. option family 'ipv6'
  254. option target 'ACCEPT'
  255. option src 'wan'
  256.  
  257. config rule
  258. option name 'Allow-MLD'
  259. option proto 'icmp'
  260. option src_ip 'fe80::/10'
  261. list icmp_type '130/0'
  262. list icmp_type '131/0'
  263. list icmp_type '132/0'
  264. list icmp_type '143/0'
  265. option family 'ipv6'
  266. option target 'ACCEPT'
  267. option src 'wan'
  268.  
  269. config rule
  270. option name 'Allow-ICMPv6-Input'
  271. option proto 'icmp'
  272. list icmp_type 'echo-request'
  273. list icmp_type 'echo-reply'
  274. list icmp_type 'destination-unreachable'
  275. list icmp_type 'packet-too-big'
  276. list icmp_type 'time-exceeded'
  277. list icmp_type 'bad-header'
  278. list icmp_type 'unknown-header-type'
  279. list icmp_type 'router-solicitation'
  280. list icmp_type 'neighbour-solicitation'
  281. list icmp_type 'router-advertisement'
  282. list icmp_type 'neighbour-advertisement'
  283. option limit '1000/sec'
  284. option family 'ipv6'
  285. option target 'ACCEPT'
  286. option src 'wan'
  287.  
  288. config rule
  289. option name 'Allow-ICMPv6-Forward'
  290. option dest '*'
  291. option proto 'icmp'
  292. list icmp_type 'echo-request'
  293. list icmp_type 'echo-reply'
  294. list icmp_type 'destination-unreachable'
  295. list icmp_type 'packet-too-big'
  296. list icmp_type 'time-exceeded'
  297. list icmp_type 'bad-header'
  298. list icmp_type 'unknown-header-type'
  299. option limit '1000/sec'
  300. option family 'ipv6'
  301. option target 'ACCEPT'
  302. option src 'wan'
  303.  
  304. config rule
  305. option name 'Allow-IPSec-ESP'
  306. option proto 'esp'
  307. option target 'ACCEPT'
  308. option dest 'lan'
  309. option src 'wan'
  310.  
  311. config rule
  312. option name 'Allow-ISAKMP'
  313. option dest_port '500'
  314. option proto 'udp'
  315. option target 'ACCEPT'
  316. option dest 'lan'
  317. option src 'wan'
  318.  
  319. config rule
  320. option name 'Support-UDP-Traceroute'
  321. option dest_port '33434:33689'
  322. option proto 'udp'
  323. option family 'ipv4'
  324. option target 'REJECT'
  325. option enabled '0'
  326. option src 'wan'
  327.  
  328. config include
  329. option path '/etc/firewall.user'
  330.  
  331. config rule # EDITOR'S NOTE: not sure why this rule exists; it is disabled (enabled '0') so it has no effect, and lan-to-lan traffic is already allowed by the lan zone's forward 'ACCEPT'
  332. option name 'Allow SSH'
  333. option src_port '22'
  334. option dest_port '22'
  335. option target 'ACCEPT'
  336. option src 'lan'
  337. option dest 'lan'
  338. option enabled '0'
  339.  
  340. config zone
  341. option output 'ACCEPT'
  342. option name 'servers'
  343. option log '1'
  344. option forward 'ACCEPT'
  345. option input 'REJECT'
  346. list network 'SERVER'
  347.  
  348. config zone
  349. option output 'ACCEPT'
  350. option name 'guest'
  351. option input 'REJECT'
  352. list network 'GUEST'
  353. option forward 'ACCEPT'
  354.  
  355. config zone
  356. option input 'ACCEPT'
  357. option output 'ACCEPT'
  358. option forward 'REJECT'
  359. option name 'iot'
  360. list network 'IOT'
  361.  
  362. config forwarding
  363. option src 'lan'
  364. option dest 'iot'
  365.  
  366. config forwarding
  367. option src 'lan'
  368. option dest 'servers'
  369.  
  370. config forwarding
  371. option src 'guest'
  372. option dest 'wan'
  373.  
  374. config forwarding
  375. option src 'servers'
  376. option dest 'wan'
  377.  
  378. config rule
  379. option name 'Guest Allow DHCP and DNS'
  380. option src 'guest'
  381. option dest_port '53 67 68'
  382. option target 'ACCEPT'
  383.  
  384. config rule
  385. option name 'Servers Allow DHCP'
  386. list proto 'udp'
  387. option src 'servers'
  388. option target 'ACCEPT'
  389. option dest_port '67 68'
  390.  
  391. config redirect
  392. option target 'DNAT'
  393. option name 'Test'
  394. option src 'wan'
  395. option src_dport '8000'
  396. option dest_ip '10.1.1.5'
  397. option dest_port '8000'
  398. option dest 'servers' # EDITOR'S NOTE: the forward only works when this line is set to 'lan'. 10.1.1.5 is on the SERVER network (br-lan.200, 10.1.1.0/24), so 'servers' is the zone that should match it. In the iptables-save below, the "Test" DNAT rules in zone_wan_prerouting and the ctstate-DNAT accept in zone_wan_forward all show [0:0] counters, so no inbound port-8000 packet matched during this capture; as far as the generated rules show, the dest zone mainly decides where the reflection (hairpin) rules land.
  399.  
  400. # This file is interpreted as shell script.
  401. # Put your custom iptables rules here, they will
  402. # be executed with each firewall (re-)start.
  403.  
  404. # Internal uci firewall chains are flushed and recreated on reload, so
  405. # put custom rules into the root chains e.g. INPUT or FORWARD or into the
  406. # special user chains, e.g. input_wan_rule or postrouting_lan_rule.
  407. # Generated by iptables-save v1.8.7 on Mon Apr 4 13:37:48 2022
  408. *nat
  409. :PREROUTING ACCEPT [8835:1383157]
  410. :INPUT ACCEPT [480:64768]
  411. :OUTPUT ACCEPT [1959:139160]
  412. :POSTROUTING ACCEPT [1888:118614]
  413. :postrouting_guest_rule - [0:0]
  414. :postrouting_iot_rule - [0:0]
  415. :postrouting_lan_rule - [0:0]
  416. :postrouting_rule - [0:0]
  417. :postrouting_servers_rule - [0:0]
  418. :postrouting_wan_rule - [0:0]
  419. :prerouting_guest_rule - [0:0]
  420. :prerouting_iot_rule - [0:0]
  421. :prerouting_lan_rule - [0:0]
  422. :prerouting_rule - [0:0]
  423. :prerouting_servers_rule - [0:0]
  424. :prerouting_wan_rule - [0:0]
  425. :zone_guest_postrouting - [0:0]
  426. :zone_guest_prerouting - [0:0]
  427. :zone_iot_postrouting - [0:0]
  428. :zone_iot_prerouting - [0:0]
  429. :zone_lan_postrouting - [0:0]
  430. :zone_lan_prerouting - [0:0]
  431. :zone_servers_postrouting - [0:0]
  432. :zone_servers_prerouting - [0:0]
  433. :zone_wan_postrouting - [0:0]
  434. :zone_wan_prerouting - [0:0]
  435. [8835:1383157] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
  436. [7294:1268406] -A PREROUTING -i br-lan.100 -m comment --comment "!fw3" -j zone_lan_prerouting
  437. [620:31841] -A PREROUTING -i wan -m comment --comment "!fw3" -j zone_wan_prerouting
  438. [921:82910] -A PREROUTING -i br-lan.200 -m comment --comment "!fw3" -j zone_servers_prerouting
  439. [0:0] -A PREROUTING -i br-lan.3 -m comment --comment "!fw3" -j zone_guest_prerouting
  440. [0:0] -A PREROUTING -i br-lan.4 -m comment --comment "!fw3" -j zone_iot_prerouting
  441. [6893:793114] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
  442. [2:757] -A POSTROUTING -o br-lan.100 -m comment --comment "!fw3" -j zone_lan_postrouting
  443. [5005:674500] -A POSTROUTING -o wan -m comment --comment "!fw3" -j zone_wan_postrouting
  444. [1883:117657] -A POSTROUTING -o br-lan.200 -m comment --comment "!fw3" -j zone_servers_postrouting
  445. [0:0] -A POSTROUTING -o br-lan.3 -m comment --comment "!fw3" -j zone_guest_postrouting
  446. [0:0] -A POSTROUTING -o br-lan.4 -m comment --comment "!fw3" -j zone_iot_postrouting
  447. [0:0] -A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
  448. [0:0] -A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
  449. [0:0] -A zone_iot_postrouting -m comment --comment "!fw3: Custom iot postrouting rule chain" -j postrouting_iot_rule
  450. [0:0] -A zone_iot_prerouting -m comment --comment "!fw3: Custom iot prerouting rule chain" -j prerouting_iot_rule
  451. [2:757] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
  452. [7294:1268406] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
  453. [1883:117657] -A zone_servers_postrouting -m comment --comment "!fw3: Custom servers postrouting rule chain" -j postrouting_servers_rule
  454. [0:0] -A zone_servers_postrouting -s 10.1.1.0/24 -d 10.1.1.5/32 -p tcp -m tcp --dport 8000 -m comment --comment "!fw3: Test (reflection)" -j SNAT --to-source 10.1.1.1
  455. [0:0] -A zone_servers_postrouting -s 10.1.1.0/24 -d 10.1.1.5/32 -p udp -m udp --dport 8000 -m comment --comment "!fw3: Test (reflection)" -j SNAT --to-source 10.1.1.1
  456. [921:82910] -A zone_servers_prerouting -m comment --comment "!fw3: Custom servers prerouting rule chain" -j prerouting_servers_rule
  457. [0:0] -A zone_servers_prerouting -s 10.1.1.0/24 -d [Redacted WAN IP]/32 -p tcp -m tcp --dport 8000 -m comment --comment "!fw3: Test (reflection)" -j DNAT --to-destination 10.1.1.5:8000
  458. [0:0] -A zone_servers_prerouting -s 10.1.1.0/24 -d [Redacted WAN IP]/32 -p udp -m udp --dport 8000 -m comment --comment "!fw3: Test (reflection)" -j DNAT --to-destination 10.1.1.5:8000
  459. [5005:674500] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
  460. [5005:674500] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
  461. [620:31841] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
  462. [0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 8000 -m comment --comment "!fw3: Test" -j DNAT --to-destination 10.1.1.5:8000
  463. [0:0] -A zone_wan_prerouting -p udp -m udp --dport 8000 -m comment --comment "!fw3: Test" -j DNAT --to-destination 10.1.1.5:8000
  464. COMMIT
  465. # Completed on Mon Apr 4 13:37:48 2022
  466. # Generated by iptables-save v1.8.7 on Mon Apr 4 13:37:48 2022
  467. *raw
  468. :PREROUTING ACCEPT [1786326:1882064727]
  469. :OUTPUT ACCEPT [5462:609475]
  470. :zone_guest_helper - [0:0]
  471. :zone_iot_helper - [0:0]
  472. :zone_lan_helper - [0:0]
  473. :zone_servers_helper - [0:0]
  474. [400373:49636235] -A PREROUTING -i br-lan.100 -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
  475. [7976:995534] -A PREROUTING -i br-lan.200 -m comment --comment "!fw3: servers CT helper assignment" -j zone_servers_helper
  476. [0:0] -A PREROUTING -i br-lan.3 -m comment --comment "!fw3: guest CT helper assignment" -j zone_guest_helper
  477. [0:0] -A PREROUTING -i br-lan.4 -m comment --comment "!fw3: iot CT helper assignment" -j zone_iot_helper
  478. COMMIT
  479. # Completed on Mon Apr 4 13:37:48 2022
  480. # Generated by iptables-save v1.8.7 on Mon Apr 4 13:37:48 2022
  481. *mangle
  482. :PREROUTING ACCEPT [1786328:1882064819]
  483. :INPUT ACCEPT [4984:658861]
  484. :FORWARD ACCEPT [1778171:1880777067]
  485. :OUTPUT ACCEPT [5471:611035]
  486. :POSTROUTING ACCEPT [1783500:1881364282]
  487. [1521:85916] -A FORWARD -o wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
  488. [1458:81148] -A FORWARD -i wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
  489. COMMIT
  490. # Completed on Mon Apr 4 13:37:48 2022
  491. # Generated by iptables-save v1.8.7 on Mon Apr 4 13:37:48 2022
  492. *filter
  493. :INPUT ACCEPT [0:0]
  494. :FORWARD DROP [0:0]
  495. :OUTPUT ACCEPT [0:0]
  496. :banIP - [0:0]
  497. :forwarding_guest_rule - [0:0]
  498. :forwarding_iot_rule - [0:0]
  499. :forwarding_lan_rule - [0:0]
  500. :forwarding_rule - [0:0]
  501. :forwarding_servers_rule - [0:0]
  502. :forwarding_wan_rule - [0:0]
  503. :input_guest_rule - [0:0]
  504. :input_iot_rule - [0:0]
  505. :input_lan_rule - [0:0]
  506. :input_rule - [0:0]
  507. :input_servers_rule - [0:0]
  508. :input_wan_rule - [0:0]
  509. :output_guest_rule - [0:0]
  510. :output_iot_rule - [0:0]
  511. :output_lan_rule - [0:0]
  512. :output_rule - [0:0]
  513. :output_servers_rule - [0:0]
  514. :output_wan_rule - [0:0]
  515. :reject - [0:0]
  516. :syn_flood - [0:0]
  517. :zone_guest_dest_ACCEPT - [0:0]
  518. :zone_guest_forward - [0:0]
  519. :zone_guest_input - [0:0]
  520. :zone_guest_output - [0:0]
  521. :zone_guest_src_REJECT - [0:0]
  522. :zone_iot_dest_ACCEPT - [0:0]
  523. :zone_iot_dest_REJECT - [0:0]
  524. :zone_iot_forward - [0:0]
  525. :zone_iot_input - [0:0]
  526. :zone_iot_output - [0:0]
  527. :zone_iot_src_ACCEPT - [0:0]
  528. :zone_lan_dest_ACCEPT - [0:0]
  529. :zone_lan_forward - [0:0]
  530. :zone_lan_input - [0:0]
  531. :zone_lan_output - [0:0]
  532. :zone_lan_src_ACCEPT - [0:0]
  533. :zone_servers_dest_ACCEPT - [0:0]
  534. :zone_servers_forward - [0:0]
  535. :zone_servers_input - [0:0]
  536. :zone_servers_output - [0:0]
  537. :zone_servers_src_REJECT - [0:0]
  538. :zone_wan_dest_ACCEPT - [0:0]
  539. :zone_wan_dest_REJECT - [0:0]
  540. :zone_wan_forward - [0:0]
  541. :zone_wan_input - [0:0]
  542. :zone_wan_output - [0:0]
  543. :zone_wan_src_REJECT - [0:0]
  544. [58:4850] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
  545. [4928:654115] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
  546. [3178:508198] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
  547. [472:19228] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
  548. [680:91947] -A INPUT -i br-lan.100 -m comment --comment "!fw3" -j zone_lan_input
  549. [1013:47681] -A INPUT -i wan -m comment --comment "!fw3" -j zone_wan_input
  550. [57:6289] -A INPUT -i br-lan.200 -m comment --comment "!fw3" -j zone_servers_input
  551. [0:0] -A INPUT -i br-lan.3 -m comment --comment "!fw3" -j zone_guest_input
  552. [0:0] -A INPUT -i br-lan.4 -m comment --comment "!fw3" -j zone_iot_input
  553. [1778171:1880777067] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
  554. [1772402:1879907394] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
  555. [4535:753102] -A FORWARD -i br-lan.100 -m comment --comment "!fw3" -j zone_lan_forward
  556. [0:0] -A FORWARD -i wan -m comment --comment "!fw3" -j zone_wan_forward
  557. [1234:116571] -A FORWARD -i br-lan.200 -m comment --comment "!fw3" -j zone_servers_forward
  558. [0:0] -A FORWARD -i br-lan.3 -m comment --comment "!fw3" -j zone_guest_forward
  559. [0:0] -A FORWARD -i br-lan.4 -m comment --comment "!fw3" -j zone_iot_forward
  560. [0:0] -A FORWARD -m comment --comment "!fw3" -j reject
  561. [58:4850] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
  562. [5422:607585] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
  563. [2363:390840] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
  564. [3:1138] -A OUTPUT -o br-lan.100 -m comment --comment "!fw3" -j zone_lan_output
  565. [1718:121799] -A OUTPUT -o wan -m comment --comment "!fw3" -j zone_wan_output
  566. [1338:93808] -A OUTPUT -o br-lan.200 -m comment --comment "!fw3" -j zone_servers_output
  567. [0:0] -A OUTPUT -o br-lan.3 -m comment --comment "!fw3" -j zone_guest_output
  568. [0:0] -A OUTPUT -o br-lan.4 -m comment --comment "!fw3" -j zone_iot_output
  569. [41:13826] -A banIP -p udp -m udp --sport 67:68 --dport 67:68 -j RETURN
  570. [5821:247233] -A banIP -m conntrack ! --ctstate NEW -j RETURN
  571. [0:0] -A banIP -i wan -m set --match-set whitelist_4 src -j RETURN
  572. [0:0] -A banIP -o wan -m set --match-set whitelist_4 dst -j RETURN
  573. [17:792] -A banIP -i wan -m set --match-set darklist_4 src -j DROP
  574. [0:0] -A banIP -o wan -m set --match-set darklist_4 dst -j REJECT --reject-with icmp-port-unreachable
  575. [0:0] -A banIP -i wan -m set --match-set edrop_4 src -j DROP
  576. [0:0] -A banIP -o wan -m set --match-set edrop_4 dst -j REJECT --reject-with icmp-port-unreachable
  577. [563:23538] -A banIP -i wan -m set --match-set dshield_4 src -j DROP
  578. [0:0] -A banIP -o wan -m set --match-set dshield_4 dst -j REJECT --reject-with icmp-port-unreachable
  579. [8:325] -A banIP -i wan -m set --match-set drop_4 src -j DROP
  580. [0:0] -A banIP -o wan -m set --match-set drop_4 dst -j REJECT --reject-with icmp-port-unreachable
  581. [49:2200] -A banIP -i wan -m set --match-set debl_4 src -j DROP
  582. [0:0] -A banIP -o wan -m set --match-set debl_4 dst -j REJECT --reject-with icmp-port-unreachable
  583. [0:0] -A banIP -i wan -m set --match-set feodo_4 src -j DROP
  584. [0:0] -A banIP -o wan -m set --match-set feodo_4 dst -j REJECT --reject-with icmp-port-unreachable
  585. [0:0] -A banIP -i wan -m set --match-set firehol1_4 src -j DROP
  586. [0:0] -A banIP -o wan -m set --match-set firehol1_4 dst -j REJECT --reject-with icmp-port-unreachable
  587. [2:96] -A banIP -i wan -m set --match-set iblockspy_4 src -j DROP
  588. [2:128] -A banIP -o wan -m set --match-set iblockspy_4 dst -j REJECT --reject-with icmp-port-unreachable
  589. [22:886] -A banIP -i wan -m set --match-set greensnow_4 src -j DROP
  590. [0:0] -A banIP -o wan -m set --match-set greensnow_4 dst -j REJECT --reject-with icmp-port-unreachable
  591. [0:0] -A banIP -i wan -m set --match-set sslbl_4 src -j DROP
  592. [0:0] -A banIP -o wan -m set --match-set sslbl_4 dst -j REJECT --reject-with icmp-port-unreachable
  593. [36:1785] -A banIP -i wan -m set --match-set threat_4 src -j DROP
  594. [0:0] -A banIP -o wan -m set --match-set threat_4 dst -j REJECT --reject-with icmp-port-unreachable
  595. [1:52] -A banIP -i wan -m set --match-set talos_4 src -j DROP
  596. [0:0] -A banIP -o wan -m set --match-set talos_4 dst -j REJECT --reject-with icmp-port-unreachable
  597. [0:0] -A banIP -i wan -m set --match-set tor_4 src -j DROP
  598. [0:0] -A banIP -o wan -m set --match-set tor_4 dst -j REJECT --reject-with icmp-port-unreachable
  599. [0:0] -A banIP -i wan -m set --match-set yoyo_4 src -j DROP
  600. [1333:305013] -A banIP -o wan -m set --match-set yoyo_4 dst -j REJECT --reject-with icmp-port-unreachable
  601. [85:12325] -A banIP -i wan -m set --match-set voip_4 src -j DROP
  602. [0:0] -A banIP -o wan -m set --match-set voip_4 dst -j REJECT --reject-with icmp-port-unreachable
  603. [110:4571] -A banIP -i wan -m set --match-set uceprotect1_4 src -j DROP
  604. [0:0] -A banIP -o wan -m set --match-set uceprotect1_4 dst -j REJECT --reject-with icmp-port-unreachable
  605. [38439:7087227] -A forwarding_lan_rule -j banIP
  606. [0:0] -A forwarding_wan_rule -j banIP
  607. [5116:755551] -A input_lan_rule -j banIP
  608. [12430:595172] -A input_wan_rule -j banIP
  609. [810:35128] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
  610. [80:7913] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
  611. [472:19228] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
  612. [0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
  613. [0:0] -A zone_guest_dest_ACCEPT -o br-lan.3 -m comment --comment "!fw3" -j ACCEPT
  614. [0:0] -A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
  615. [0:0] -A zone_guest_forward -m comment --comment "!fw3: Zone guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
  616. [0:0] -A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  617. [0:0] -A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
  618. [0:0] -A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
  619. [0:0] -A zone_guest_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Guest Allow DHCP and DNS" -j ACCEPT
  620. [0:0] -A zone_guest_input -p tcp -m tcp --dport 67 -m comment --comment "!fw3: Guest Allow DHCP and DNS" -j ACCEPT
  621. [0:0] -A zone_guest_input -p tcp -m tcp --dport 68 -m comment --comment "!fw3: Guest Allow DHCP and DNS" -j ACCEPT
  622. [0:0] -A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Guest Allow DHCP and DNS" -j ACCEPT
  623. [0:0] -A zone_guest_input -p udp -m udp --dport 67 -m comment --comment "!fw3: Guest Allow DHCP and DNS" -j ACCEPT
  624. [0:0] -A zone_guest_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Guest Allow DHCP and DNS" -j ACCEPT
  625. [0:0] -A zone_guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  626. [0:0] -A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_REJECT
  627. [0:0] -A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
  628. [0:0] -A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
  629. [0:0] -A zone_guest_src_REJECT -i br-lan.3 -m comment --comment "!fw3" -j reject
  630. [0:0] -A zone_iot_dest_ACCEPT -o br-lan.4 -m comment --comment "!fw3" -j ACCEPT
  631. [0:0] -A zone_iot_dest_REJECT -o br-lan.4 -m comment --comment "!fw3" -j reject
  632. [0:0] -A zone_iot_forward -m comment --comment "!fw3: Custom iot forwarding rule chain" -j forwarding_iot_rule
  633. [0:0] -A zone_iot_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  634. [0:0] -A zone_iot_forward -m comment --comment "!fw3" -j zone_iot_dest_REJECT
  635. [0:0] -A zone_iot_input -m comment --comment "!fw3: Custom iot input rule chain" -j input_iot_rule
  636. [0:0] -A zone_iot_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  637. [0:0] -A zone_iot_input -m comment --comment "!fw3" -j zone_iot_src_ACCEPT
  638. [0:0] -A zone_iot_output -m comment --comment "!fw3: Custom iot output rule chain" -j output_iot_rule
  639. [0:0] -A zone_iot_output -m comment --comment "!fw3" -j zone_iot_dest_ACCEPT
  640. [0:0] -A zone_iot_src_ACCEPT -i br-lan.4 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
  641. [3:1138] -A zone_lan_dest_ACCEPT -o br-lan.100 -m comment --comment "!fw3" -j ACCEPT
  642. [4535:753102] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
  643. [4449:732074] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
  644. [970:53173] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to iot forwarding policy" -j zone_iot_dest_ACCEPT
  645. [970:53173] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to servers forwarding policy" -j zone_servers_dest_ACCEPT
  646. [0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  647. [0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
  648. [680:91947] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
  649. [0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  650. [680:91947] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
  651. [3:1138] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
  652. [3:1138] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
  653. [680:91947] -A zone_lan_src_ACCEPT -i br-lan.100 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
  654. [2308:146981] -A zone_servers_dest_ACCEPT -o br-lan.200 -m comment --comment "!fw3" -j ACCEPT
  655. [1234:116571] -A zone_servers_forward -m comment --comment "!fw3: Custom servers forwarding rule chain" -j forwarding_servers_rule
  656. [1234:116571] -A zone_servers_forward -m comment --comment "!fw3: Zone servers to wan forwarding policy" -j zone_wan_dest_ACCEPT
  657. [0:0] -A zone_servers_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  658. [0:0] -A zone_servers_forward -m comment --comment "!fw3" -j zone_servers_dest_ACCEPT
  659. [57:6289] -A zone_servers_input -m comment --comment "!fw3: Custom servers input rule chain" -j input_servers_rule
  660. [0:0] -A zone_servers_input -p udp -m udp --dport 67 -m comment --comment "!fw3: Servers Allow DHCP" -j ACCEPT
  661. [0:0] -A zone_servers_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Servers Allow DHCP" -j ACCEPT
  662. [0:0] -A zone_servers_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  663. [57:6289] -A zone_servers_input -m comment --comment "!fw3" -j zone_servers_src_REJECT
  664. [1338:93808] -A zone_servers_output -m comment --comment "!fw3: Custom servers output rule chain" -j output_servers_rule
  665. [1338:93808] -A zone_servers_output -m comment --comment "!fw3" -j zone_servers_dest_ACCEPT
  666. [57:6289] -A zone_servers_src_REJECT -i br-lan.200 -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT servers in: "
  667. [57:6289] -A zone_servers_src_REJECT -i br-lan.200 -m comment --comment "!fw3" -j reject
  668. [56:2792] -A zone_wan_dest_ACCEPT -o wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
  669. [6375:914479] -A zone_wan_dest_ACCEPT -o wan -m comment --comment "!fw3" -j ACCEPT
  670. [0:0] -A zone_wan_dest_REJECT -o wan -m comment --comment "!fw3" -j reject
  671. [0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
  672. [0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
  673. [0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
  674. [0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  675. [0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
  676. [1013:47681] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
  677. [0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
  678. [98:6934] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
  679. [0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
  680. [0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  681. [833:36752] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
  682. [1718:121799] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
  683. [1718:121799] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
  684. [833:36752] -A zone_wan_src_REJECT -i wan -m comment --comment "!fw3" -j reject
  685. COMMIT
  686. # Completed on Mon Apr 4 13:37:48 2022
  687. 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
  688. inet 127.0.0.1/8 scope host lo
  689. valid_lft forever preferred_lft forever
  690. 7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
  691. inet [Redacted WAN IP]/26 brd [Redacted] scope global wan
  692. valid_lft forever preferred_lft forever
  693. 16: br-lan.100@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
  694. inet 10.0.0.1/24 brd 10.0.0.255 scope global br-lan.100
  695. valid_lft forever preferred_lft forever
  696. 17: br-lan.200@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
  697. inet 10.1.1.1/24 brd 10.1.1.255 scope global br-lan.200
  698. valid_lft forever preferred_lft forever
  699. 18: br-lan.3@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
  700. inet 10.0.1.1/24 brd 10.0.1.255 scope global br-lan.3
  701. valid_lft forever preferred_lft forever
  702. 19: br-lan.4@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
  703. inet 10.0.2.0/24 brd 10.0.2.255 scope global br-lan.4
  704. valid_lft forever preferred_lft forever
  705. default via [Redacted Gateway] dev wan proto static
  706. 10.0.0.0/24 dev br-lan.100 proto kernel scope link src 10.0.0.1
  707. 10.0.1.0/24 dev br-lan.3 proto kernel scope link src 10.0.1.1
  708. 10.0.2.0/24 dev br-lan.4 proto kernel scope link src 10.0.2.0
  709. 10.1.1.0/24 dev br-lan.200 proto kernel scope link src 10.1.1.1
  710. [Redacted CIDR] dev wan proto kernel scope link src [Redacted WAN IP]
  711. broadcast 10.0.0.0 dev br-lan.100 table local proto kernel scope link src 10.0.0.1
  712. local 10.0.0.1 dev br-lan.100 table local proto kernel scope host src 10.0.0.1
  713. broadcast 10.0.0.255 dev br-lan.100 table local proto kernel scope link src 10.0.0.1
  714. broadcast 10.0.1.0 dev br-lan.3 table local proto kernel scope link src 10.0.1.1
  715. local 10.0.1.1 dev br-lan.3 table local proto kernel scope host src 10.0.1.1
  716. broadcast 10.0.1.255 dev br-lan.3 table local proto kernel scope link src 10.0.1.1
  717. local 10.0.2.0 dev br-lan.4 table local proto kernel scope host src 10.0.2.0
  718. broadcast 10.0.2.0 dev br-lan.4 table local proto kernel scope link src 10.0.2.0
  719. broadcast 10.0.2.255 dev br-lan.4 table local proto kernel scope link src 10.0.2.0
  720. broadcast 10.1.1.0 dev br-lan.200 table local proto kernel scope link src 10.1.1.1
  721. local 10.1.1.1 dev br-lan.200 table local proto kernel scope host src 10.1.1.1
  722. broadcast 10.1.1.255 dev br-lan.200 table local proto kernel scope link src 10.1.1.1
  723. broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
  724. local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
  725. local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
  726. broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
  727. broadcast [Redacted] dev wan table local proto kernel scope link src [Redacted WAN IP]
  728. local [Redacted WAN IP] dev wan table local proto kernel scope host src [Redacted WAN IP]
  729. broadcast [Redacted] dev wan table local proto kernel scope link src [Redacted WAN IP]
  730. 0: from all lookup local
  731. 32766: from all lookup main
  732. 32767: from all lookup default
  733.  