iptables 2

# Mangle table: no rules are defined; every built-in chain keeps its ACCEPT
# policy. The [packets:bytes] values are saved counters and are only applied
# when iptables-restore is run with -c/--counters; otherwise they are ignored.
*mangle
:PREROUTING ACCEPT [83145:120824770]
:INPUT ACCEPT [83145:120824770]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [46823:2584014]
:POSTROUTING ACCEPT [46823:2584014]
COMMIT
  8.  
  9. *filter
  10. :INPUT DROP [0:0]
  11. :FORWARD DROP [0:0]
  12. :OUTPUT ACCEPT [1:60]
  13. :RH-Firewall-1-INPUT - [0:0]
  14.  
  15. #Accepts all traffic from loopback
  16. -A INPUT -i lo -j ACCEPT
  17.  
  18. #Allows existing connections
  19. -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
  20.  
  21. #Drops packets w/ unneccessary flags
  22. -A INPUT -m conntrack --ctstate INVALID -j DROP
  23. -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
  24. -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
  25.  
  26.  
  27. #SSH rules. Allows SSH. Drops after 4 failed attempts within 60 seconds (Change dport as necessary)
  28. -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
  29. -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j LOG --log-prefix "SSH break in attempt "
  30. -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP
  31. -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
  32.  
  33. #Allow TFTP, SIP, and Voice stream from SIP client IPs (change or add IP(s) as necessary); only SIP for trunks
  34. -A INPUT -i eth0 -p udp -m udp --dport 5060 -s 64.136.173.31,64.136.174.30,209.166.154.70 -j ACCEPT
  35. -A INPUT -i eth0 -p udp -m multiport --dports 69,5060,10000:20000 -m state --state NEW -s 104.192.65.0/21,68.169.169.0/24,108.174.105.177,173.247.19.21,173.166.244.106,74.221.189.40,68.42.4.138,75.130.71.66,24.107.250.225,96.4.234.152 -j ACCEPT
  36. -A INPUT -i eth0 -p udp -m multiport --dports 69,5060,10000:20000 -j DROP
  37.  
  38. #HTTP Whitelist. Add IPs and Networks as necessary
  39. -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -s 104.192.66.244 -j ACCEPT
  40. -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j DROP
  41.  
  42.  
  43. #Allow Access to FOP (Replace IP with whitelisted IP(s). Add as necessary)
  44. #-A INPUT -i eth0 -p udp -m udp --dport 4445 -s 96.4.234.151 -j ACCEPT
  45. #-A INPUT -i eth0 -p udp -m udp --dport 4445 -j DROP
  46.  
  47. #Drop Ping echo requests
  48. -A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j DROP
  49. -A INPUT -j REJECT --reject-with icmp-port-unreachable
  50.  
  51. COMMIT
  52.  
# NAT table: no rules are defined; the listed chains keep their ACCEPT policy.
# The [packets:bytes] values are saved counters and are only applied when
# iptables-restore is run with -c/--counters.
*nat
:PREROUTING ACCEPT [164:6544]
:POSTROUTING ACCEPT [148:8939]
:OUTPUT ACCEPT [148:8939]
COMMIT