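# iptables-restore ruleset for a SIP/PBX host.  Load with: iptables-restore < this-file
# Packet/byte counters are written as [0:0]; iptables-restore ignores them unless run
# with -c, so stale counters from an old iptables-save dump add nothing.
# Layout: mangle (no rules), filter (all host policy lives in INPUT), nat (no rules).
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
# Default-deny for inbound and forwarded traffic; the host itself may originate anything.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Legacy Red Hat chain name. Nothing in this file jumps to it; it is kept empty only so
# tooling that expects the chain to exist keeps working.
:RH-Firewall-1-INPUT - [0:0]
# Loopback is unrestricted.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened, or that an ACCEPT below already admitted, on
# any interface. (Binding this to eth0 would reject return traffic on every other NIC.)
# -m conntrack is used throughout; the old -m state match is just an alias for it.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Discard packets conntrack cannot classify, and malformed TCP handshakes: a NEW
# connection must open with a bare SYN, and all-flags-clear ("NULL" scan) packets go.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
# SSH (change --dport if sshd listens elsewhere).  This is a per-source rate limit on
# NEW connections, not a failed-login counter: the 3rd SYN from one address within 60 s
# is logged and dropped, and every further attempt refreshes the timer (--update), so a
# persistent scanner stays blocked until it is quiet for 60 s.  --rttl only counts hits
# whose TTL matches the first one, so a spoofed SYN cannot lock out a legitimate client.
# Logging is rate-limited so a scan cannot fill the log.
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "SSH break in attempt "
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# SIP signalling from trunk providers (replace/add addresses as needed).  A comma-separated
# -s list is expanded by iptables into one rule per address; older releases reject it.
-A INPUT -i eth0 -p udp -m udp --dport 5060 -s 64.136.173.31,64.136.174.30,209.166.154.70 -j ACCEPT
# TFTP provisioning, SIP and the RTP media range, from known phone/client addresses only.
# NOTE: trunk media servers are only admitted to 10000:20000 if their addresses appear
# here or the SIP conntrack helper marks the RTP as RELATED — the provider rule above
# opens 5060 alone.  Widen this list deliberately, not by default.
-A INPUT -i eth0 -p udp -m multiport --dports 69,5060,10000:20000 -m conntrack --ctstate NEW -s 104.192.65.0/21,68.169.169.0/24,108.174.105.177,173.247.19.21,173.166.244.106,74.221.189.40,68.42.4.138,75.130.71.66,24.107.250.225,96.4.234.152 -j ACCEPT
# Everyone else is silently dropped on these ports (no ICMP unreachable back to scanners).
-A INPUT -i eth0 -p udp -m multiport --dports 69,5060,10000:20000 -j DROP
# HTTP admin interface restricted to a whitelist; others are dropped rather than rejected
# so the port is not advertised.  Add a matching pair for 443 if the UI is served over
# TLS — as written, 443 falls through to the final REJECT.
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -s 104.192.66.244 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j DROP
# Flash Operator Panel (disabled).  Uncomment and replace the address with the operator
# station(s) that may reach it; keep the trailing DROP so the port stays closed to others.
#-A INPUT -i eth0 -p udp -m udp --dport 4445 -s 96.4.234.151 -j ACCEPT
#-A INPUT -i eth0 -p udp -m udp --dport 4445 -j DROP
# Do not answer ping.  ICMP that belongs to an existing flow (e.g. fragmentation-needed)
# was already accepted above as RELATED; any other unsolicited ICMP hits the REJECT below.
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j DROP
# Everything unmatched is actively refused with port-unreachable instead of falling to the
# silent DROP policy.  Use --reject-with tcp-reset on a TCP-only variant if RST is preferred.
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT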