  # Filter-table rule dump in iptables-save syntax (no *filter/COMMIT wrapper is
  # visible, so this is the rule body only). The "AIF:" log prefixes and chain
  # names match the layout used by arno-iptables-firewall-style rulesets.
  # Interface roles are inferred from usage below and should be confirmed:
  # erouter0 looks like the external (WAN) interface, rndbr1 the internal bridge;
  # the roles of wan0, mta0 and ip6tnl1 are not visible here.
  #
  # Default policy is DROP for all three built-in chains; every ACCEPT below is
  # therefore an explicit exception.
  1. -P INPUT DROP
  2. -P FORWARD DROP
  3. -P OUTPUT DROP
  # User chains. Several are declared but carry no rules in this dump
  # (DMZ_*, EXT_OUTPUT_CHAIN, FORWARD_CHAIN, HOST_BLOCK_SRC/DST, INPUT_CHAIN,
  # INT_FORWARD_*, INT_OUTPUT_CHAIN, OUTPUT_CHAIN, PARCON, POST_INPUT_CHAIN,
  # POST_OUTPUT_CHAIN, RESERVED_NET_CHK, VPN_CHAIN); a jump into an empty chain
  # simply returns to the caller.
  4. -N BASE_FORWARD_CHAIN
  5. -N BASE_INPUT_CHAIN
  6. -N BASE_OUTPUT_CHAIN
  7. -N BRIDGED_TRAFFIC_CHAIN
  8. -N DMZ_FORWARD_IN_CHAIN
  9. -N DMZ_FORWARD_OUT_CHAIN
  10. -N DMZ_INET_FORWARD_CHAIN
  11. -N DMZ_INPUT_CHAIN
  12. -N DMZ_LAN_FORWARD_CHAIN
  13. -N DMZ_OUTPUT_CHAIN
  14. -N EXT_BROADCAST_CHAIN
  15. -N EXT_FORWARD_IN_CHAIN
  16. -N EXT_FORWARD_OUT_CHAIN
  17. -N EXT_ICMP_FLOOD_CHAIN
  18. -N EXT_INPUT_CHAIN
  19. -N EXT_MULTICAST_CHAIN
  20. -N EXT_OUTPUT_CHAIN
  21. -N FORWARD_CHAIN
  22. -N HOST_BLOCK_DROP
  23. -N HOST_BLOCK_DST
  24. -N HOST_BLOCK_SRC
  25. -N INET_DMZ_FORWARD_CHAIN
  26. -N INPUT_CHAIN
  27. -N INT_FORWARD_IN_CHAIN
  28. -N INT_FORWARD_OUT_CHAIN
  29. -N INT_INPUT_CHAIN
  30. -N INT_OUTPUT_CHAIN
  31. -N LAN_INET_FORWARD_CHAIN
  32. -N LOGGING
  33. -N OUTPUT_CHAIN
  34. -N PARCON
  35. -N POST_FORWARD_CHAIN
  36. -N POST_INPUT_CHAIN
  37. -N POST_INPUT_DROP_CHAIN
  38. -N POST_OUTPUT_CHAIN
  39. -N RESERVED_NET_CHK
  40. -N SPOOF_CHK
  41. -N VALID_CHK
  42. -N VPN_CHAIN
  # ---- INPUT: traffic addressed to this host ----------------------------------
  # Drop anything for 10.4.96.30 arriving on the internal bridge; the purpose is
  # not visible in this dump.
  43. -A INPUT -d 10.4.96.30/32 -i rndbr1 -j DROP
  # NOTE(review): this accepts ALL ICMP from erouter0 unconditionally and before
  # any state or rate check. ACCEPT is terminating, so the rate-limited ICMP
  # rules at 52/53 (EXT_INPUT_CHAIN, EXT_ICMP_FLOOD_CHAIN) and the 20/sec ping
  # limit inside EXT_INPUT_CHAIN can never see ICMP from erouter0 — the ICMP
  # flood protection configured further down is dead code for the external
  # interface. Removing this rule, or moving it after rule 53, restores it.
  44. -A INPUT -i erouter0 -p icmp -j ACCEPT
  # Stateful fast path (ESTABLISHED, RELATED to high ports, loopback).
  45. -A INPUT -j BASE_INPUT_CHAIN
  # INPUT_CHAIN and HOST_BLOCK_SRC are empty in this dump.
  46. -A INPUT -j INPUT_CHAIN
  47. -A INPUT -j HOST_BLOCK_SRC
  # Source-address sanity check (LAN prefix only, see SPOOF_CHK below).
  48. -A INPUT -j SPOOF_CHK
  # TCP-flag / INVALID-state / fragment checks run for erouter0 only.
  49. -A INPUT -i erouter0 -j VALID_CHK
  50. -A INPUT -d 224.0.0.0/4 -i erouter0 -j EXT_MULTICAST_CHAIN
  # New non-ICMP connections from outside go to the service whitelist.
  51. -A INPUT -i erouter0 ! -p icmp -m state --state NEW -j EXT_INPUT_CHAIN
  # New ICMP from outside: first 60/sec (burst 100) to EXT_INPUT_CHAIN, the
  # excess to the flood logger/dropper. Both are unreachable while rule 44
  # stands (see note above).
  52. -A INPUT -i erouter0 -p icmp -m state --state NEW -m limit --limit 60/sec --limit-burst 100 -j EXT_INPUT_CHAIN
  53. -A INPUT -i erouter0 -p icmp -m state --state NEW -j EXT_ICMP_FLOOD_CHAIN
  54. -A INPUT -i rndbr1 -j INT_INPUT_CHAIN
  # NOTE(review): everything arriving on wan0, mta0 and ip6tnl1 is accepted with
  # no port, protocol or state filtering and without VALID_CHK (only SPOOF_CHK at
  # rule 48 ran, and that only catches a forged 192.168.0.0/24 source). If any of
  # these interfaces is reachable from an untrusted network, every listening
  # service on this host is exposed through it — confirm the role of each.
  55. -A INPUT -i wan0 -j ACCEPT
  56. -A INPUT -i mta0 -j ACCEPT
  57. -A INPUT -i ip6tnl1 -j ACCEPT
  # POST_INPUT_CHAIN is empty; anything left is logged (1/sec) and dropped.
  58. -A INPUT -j POST_INPUT_CHAIN
  59. -A INPUT -m limit --limit 1/sec -j LOG --log-prefix "AIF:Dropped INPUT packet: " --log-level 6
  60. -A INPUT -j DROP
  # ---- FORWARD: traffic routed through this host -----------------------------
  # Layer-2 bridged frames bypass the whole FORWARD policy (see chain below).
  61. -A FORWARD -j BRIDGED_TRAFFIC_CHAIN
  # VPN_CHAIN is empty in this dump.
  62. -A FORWARD -o erouter0 -j VPN_CHAIN
  63. -A FORWARD -j BASE_FORWARD_CHAIN
  # MSS clamping for outbound SYNs so PMTU issues on the external link do not
  # stall TCP sessions.
  64. -A FORWARD -o erouter0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  # FORWARD_CHAIN and both HOST_BLOCK chains are empty in this dump.
  65. -A FORWARD -j FORWARD_CHAIN
  66. -A FORWARD -j HOST_BLOCK_SRC
  67. -A FORWARD -j HOST_BLOCK_DST
  # NOTE(review): same concern as INPUT rules 55-57 — forwarding in or out of
  # wan0, mta0 and ip6tnl1 is accepted unconditionally and ahead of the
  # interface-specific chains, VALID_CHK and SPOOF_CHK below. A host behind
  # rndbr1 is reachable from these interfaces without any of the filtering that
  # applies to erouter0.
  68. -A FORWARD -i wan0 -j ACCEPT
  69. -A FORWARD -o wan0 -j ACCEPT
  70. -A FORWARD -i mta0 -j ACCEPT
  71. -A FORWARD -o mta0 -j ACCEPT
  72. -A FORWARD -i ip6tnl1 -j ACCEPT
  73. -A FORWARD -o ip6tnl1 -j ACCEPT
  # Per-interface forwarding policy; only EXT_FORWARD_IN_CHAIN has rules here.
  74. -A FORWARD -i erouter0 -j EXT_FORWARD_IN_CHAIN
  75. -A FORWARD -o erouter0 -j EXT_FORWARD_OUT_CHAIN
  76. -A FORWARD -i rndbr1 -j INT_FORWARD_IN_CHAIN
  77. -A FORWARD -o rndbr1 -j INT_FORWARD_OUT_CHAIN
  78. -A FORWARD -j SPOOF_CHK
  # Internal-to-internal and internal-to-external forwarding.
  79. -A FORWARD -i rndbr1 -o rndbr1 -j ACCEPT
  80. -A FORWARD -i rndbr1 -o erouter0 -j LAN_INET_FORWARD_CHAIN
  # Port-forward destinations (see POST_FORWARD_CHAIN), then log and drop.
  81. -A FORWARD -j POST_FORWARD_CHAIN
  82. -A FORWARD -m limit --limit 1/min --limit-burst 3 -j LOG --log-prefix "AIF:Dropped FORWARD packet: " --log-level 6
  83. -A FORWARD -j DROP
  # ---- OUTPUT: traffic originating on this host ------------------------------
  84. -A OUTPUT -j BASE_OUTPUT_CHAIN
  85. -A OUTPUT -o erouter0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  86. -A OUTPUT -j OUTPUT_CHAIN
  87. -A OUTPUT -j HOST_BLOCK_DST
  # Locally generated fragments are logged (3/min) and dropped.
  88. -A OUTPUT -f -m limit --limit 3/min -j LOG --log-prefix "AIF:Fragment packet: " --log-level 6
  89. -A OUTPUT -f -j DROP
  90. -A OUTPUT -o erouter0 -j EXT_OUTPUT_CHAIN
  91. -A OUTPUT -o rndbr1 -j INT_OUTPUT_CHAIN
  92. -A OUTPUT -j POST_OUTPUT_CHAIN
  # Outbound is effectively allow-all: the DROP policy on OUTPUT never applies.
  93. -A OUTPUT -j ACCEPT
  # ---- BASE_*: stateful fast paths -------------------------------------------
  # ESTABLISHED is accepted outright; RELATED only when the new flow targets an
  # unprivileged port (or is ICMP/GRE), which narrows what a conntrack helper
  # can open.
  94. -A BASE_FORWARD_CHAIN -m state --state ESTABLISHED -j ACCEPT
  95. -A BASE_FORWARD_CHAIN -p tcp -m state --state RELATED -m tcp --dport 1024:65535 -j ACCEPT
  96. -A BASE_FORWARD_CHAIN -p udp -m state --state RELATED -m udp --dport 1024:65535 -j ACCEPT
  97. -A BASE_FORWARD_CHAIN -p icmp -m state --state RELATED -j ACCEPT
  98. -A BASE_FORWARD_CHAIN -p gre -m state --state RELATED -j ACCEPT
  99. -A BASE_FORWARD_CHAIN -i lo -j ACCEPT
  100. -A BASE_INPUT_CHAIN -m state --state ESTABLISHED -j ACCEPT
  101. -A BASE_INPUT_CHAIN -p tcp -m state --state RELATED -m tcp --dport 1024:65535 -j ACCEPT
  102. -A BASE_INPUT_CHAIN -p udp -m state --state RELATED -m udp --dport 1024:65535 -j ACCEPT
  103. -A BASE_INPUT_CHAIN -p icmp -m state --state RELATED -j ACCEPT
  104. -A BASE_INPUT_CHAIN -i lo -j ACCEPT
  105. -A BASE_OUTPUT_CHAIN -m state --state ESTABLISHED -j ACCEPT
  106. -A BASE_OUTPUT_CHAIN -o lo -j ACCEPT
  # ---- BRIDGED_TRAFFIC_CHAIN ------------------------------------------------
  # Frames switched between bridge ports skip every FORWARD rule. Rule 108 is an
  # exact duplicate of 107 (harmless, never matched).
  107. -A BRIDGED_TRAFFIC_CHAIN -m physdev --physdev-is-bridged -j ACCEPT
  108. -A BRIDGED_TRAFFIC_CHAIN -m physdev --physdev-is-bridged -j ACCEPT
  # ---- EXT_BROADCAST_CHAIN: limited-broadcast from outside, log then drop -----
  # NOTE(review): rule 112 uses `--dport 1024` (port 1024 only) while its TCP
  # counterpart 111 uses 1024:65535; UDP broadcasts to 1025-65535 are still
  # dropped by rule 113 but never logged. Probably meant `--dport 1024:65535`.
  109. -A EXT_BROADCAST_CHAIN -p tcp -m tcp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV TCP broadcast: " --log-level 6
  110. -A EXT_BROADCAST_CHAIN -p udp -m udp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV UDP broadcast: " --log-level 6
  111. -A EXT_BROADCAST_CHAIN -p tcp -m tcp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV TCP broadcast: " --log-level 6
  112. -A EXT_BROADCAST_CHAIN -p udp -m udp --dport 1024 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV UDP broadcast: " --log-level 6
  113. -A EXT_BROADCAST_CHAIN -j DROP
  # ---- EXT_FORWARD_IN_CHAIN: inbound from erouter0 being forwarded ------------
  114. -A EXT_FORWARD_IN_CHAIN -d 224.0.0.0/4 -i erouter0 -j ACCEPT
  # NOTE(review): 192.168.0.24 receives every TCP and UDP packet from erouter0
  # with no port restriction (DMZ-style exposure), and because these ACCEPTs
  # precede rule 117 the VALID_CHK flag/INVALID/fragment checks never apply to
  # that host. Placing the VALID_CHK jump first would keep the sanity checks.
  115. -A EXT_FORWARD_IN_CHAIN -d 192.168.0.24/32 -i erouter0 ! -o erouter0 -p tcp -j ACCEPT
  116. -A EXT_FORWARD_IN_CHAIN -d 192.168.0.24/32 -i erouter0 ! -o erouter0 -p udp -j ACCEPT
  117. -A EXT_FORWARD_IN_CHAIN -j VALID_CHK
  # ---- EXT_ICMP_FLOOD_CHAIN: per-type logging (12/hour) then drop -------------
  # Only reached from INPUT rule 53, which is currently shadowed by rule 44.
  118. -A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 3 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-unreachable flood: " --log-level 6
  119. -A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 3 -j POST_INPUT_DROP_CHAIN
  120. -A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 11 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-time-exceeded fld: " --log-level 6
  121. -A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 11 -j POST_INPUT_DROP_CHAIN
  122. -A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 12 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-param-problem fld: " --log-level 6
  123. -A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 12 -j POST_INPUT_DROP_CHAIN
  124. -A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-request(ping) fld: " --log-level 6
  125. -A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 8 -j POST_INPUT_DROP_CHAIN
  126. -A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 0 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-reply(pong) flood: " --log-level 6
  127. -A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 0 -j POST_INPUT_DROP_CHAIN
  128. -A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 4 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-source-quench fld: " --log-level 6
  129. -A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 4 -j POST_INPUT_DROP_CHAIN
  130. -A EXT_ICMP_FLOOD_CHAIN -p icmp -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP(other) flood: " --log-level 6
  131. -A EXT_ICMP_FLOOD_CHAIN -p icmp -j POST_INPUT_DROP_CHAIN
  # ---- EXT_INPUT_CHAIN: new connections from erouter0 to this host ------------
  # Port 0 in either direction is logged sparsely and dropped.
  132. -A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "AIF:Port 0 OS fingerprint: " --log-level 6
  133. -A EXT_INPUT_CHAIN -p udp -m udp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "AIF:Port 0 OS fingerprint: " --log-level 6
  134. -A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0 -j POST_INPUT_DROP_CHAIN
  135. -A EXT_INPUT_CHAIN -p udp -m udp --dport 0 -j POST_INPUT_DROP_CHAIN
  136. -A EXT_INPUT_CHAIN -p tcp -m tcp --sport 0 -m limit --limit 6/hour -j LOG --log-prefix "AIF:TCP source port 0: " --log-level 6
  137. -A EXT_INPUT_CHAIN -p udp -m udp --sport 0 -m limit --limit 6/hour -j LOG --log-prefix "AIF:UDP source port 0: " --log-level 6
  138. -A EXT_INPUT_CHAIN -p tcp -m tcp --sport 0 -j POST_INPUT_DROP_CHAIN
  139. -A EXT_INPUT_CHAIN -p udp -m udp --sport 0 -j POST_INPUT_DROP_CHAIN
  # DHCP client replies (server 67 -> client 68).
  140. -A EXT_INPUT_CHAIN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
  # NOTE(review): services opened to ANY source on erouter0: 22/tcp (SSH),
  # 80/tcp (HTTP), 8080/8081/8082/8084/8096 tcp, 161/udp (SNMP), 8088/udp,
  # 16000/udp. If erouter0 is the internet-facing interface, management
  # services (SSH, HTTP, SNMP) are reachable from anywhere; restricting these
  # rules with `-s <trusted-range>` or reaching them over the VPN instead would
  # shrink the exposed surface. The purpose of the 8xxx/16000 ports is not
  # visible here — confirm each is still needed.
  141. -A EXT_INPUT_CHAIN -p tcp -m tcp --dport 22 -j ACCEPT
  142. -A EXT_INPUT_CHAIN -p tcp -m tcp --dport 80 -j ACCEPT
  143. -A EXT_INPUT_CHAIN -p tcp -m tcp --dport 8080 -j ACCEPT
  144. -A EXT_INPUT_CHAIN -p tcp -m tcp --dport 8081 -j ACCEPT
  145. -A EXT_INPUT_CHAIN -p tcp -m tcp --dport 8082 -j ACCEPT
  146. -A EXT_INPUT_CHAIN -p tcp -m tcp --dport 8084 -j ACCEPT
  147. -A EXT_INPUT_CHAIN -p tcp -m tcp --dport 8096 -j ACCEPT
  148. -A EXT_INPUT_CHAIN -p udp -m udp --dport 161 -j ACCEPT
  149. -A EXT_INPUT_CHAIN -p udp -m udp --dport 8088 -j ACCEPT
  150. -A EXT_INPUT_CHAIN -p udp -m udp --dport 16000 -j ACCEPT
  # Rate-limited echo requests (currently unreachable because of INPUT rule 44).
  151. -A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 20/sec --limit-burst 100 -j ACCEPT
  # A NEW TCP packet that is not a bare SYN is dropped silently.
  152. -A EXT_INPUT_CHAIN -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j POST_INPUT_DROP_CHAIN
  153. -A EXT_INPUT_CHAIN -d 255.255.255.255/32 -j EXT_BROADCAST_CHAIN
  # Everything not whitelisted above: classify, log (rate limited), then drop.
  154. -A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV TCP packet: " --log-level 6
  155. -A EXT_INPUT_CHAIN -p udp -m udp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV UDP packet: " --log-level 6
  156. -A EXT_INPUT_CHAIN -p tcp -m tcp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV TCP packet: " --log-level 6
  157. -A EXT_INPUT_CHAIN -p udp -m udp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV UDP packet: " --log-level 6
  158. -A EXT_INPUT_CHAIN -p igmp -m limit --limit 1/min -j LOG --log-prefix "AIF:IGMP packet: " --log-level 6
  # POST_INPUT_CHAIN is empty in this dump.
  159. -A EXT_INPUT_CHAIN -j POST_INPUT_CHAIN
  160. -A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-request: " --log-level 6
  161. -A EXT_INPUT_CHAIN -p icmp -m icmp ! --icmp-type 8 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-other: " --log-level 6
  162. -A EXT_INPUT_CHAIN -p tcp -j POST_INPUT_DROP_CHAIN
  163. -A EXT_INPUT_CHAIN -p udp -j POST_INPUT_DROP_CHAIN
  164. -A EXT_INPUT_CHAIN -p igmp -j POST_INPUT_DROP_CHAIN
  165. -A EXT_INPUT_CHAIN -p icmp -j POST_INPUT_DROP_CHAIN
  166. -A EXT_INPUT_CHAIN -m limit --limit 1/min -j LOG --log-prefix "AIF:Other connect: " --log-level 6
  167. -A EXT_INPUT_CHAIN -j POST_INPUT_DROP_CHAIN
  # ---- EXT_MULTICAST_CHAIN: multicast from erouter0 ---------------------------
  # Link-local multicast (224.0.0.0/24) is accepted; all other groups are logged
  # and dropped. Rule 172 has the same `--dport 1024` single-port match as
  # rule 112 (UDP above 1024 is dropped but not logged).
  168. -A EXT_MULTICAST_CHAIN -d 224.0.0.0/24 -i erouter0 -j ACCEPT
  169. -A EXT_MULTICAST_CHAIN -p tcp -m tcp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV TCP multicast: " --log-level 6
  170. -A EXT_MULTICAST_CHAIN -p udp -m udp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV UDP multicast: " --log-level 6
  171. -A EXT_MULTICAST_CHAIN -p tcp -m tcp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV TCP multicast: " --log-level 6
  172. -A EXT_MULTICAST_CHAIN -p udp -m udp --dport 1024 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV UDP multicast: " --log-level 6
  173. -A EXT_MULTICAST_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-multicast-request: " --log-level 6
  174. -A EXT_MULTICAST_CHAIN -p icmp -m icmp ! --icmp-type 8 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-multicast-other: " --log-level 6
  175. -A EXT_MULTICAST_CHAIN -j DROP
  # ---- HOST_BLOCK_DROP: log-and-drop target for blocked hosts -----------------
  # Nothing jumps here in this dump (HOST_BLOCK_SRC/DST are empty).
  176. -A HOST_BLOCK_DROP -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "AIF:Blocked host(s): " --log-level 6
  177. -A HOST_BLOCK_DROP -j DROP
  # ---- INT_INPUT_CHAIN: from the internal bridge to this host -----------------
  # Pings are capped at 20/sec (burst 100); everything else from the LAN is
  # accepted, so the LAN is fully trusted for host access.
  178. -A INT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 20/sec --limit-burst 100 -j ACCEPT
  179. -A INT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-request: " --log-level 6
  180. -A INT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -j DROP
  181. -A INT_INPUT_CHAIN -j ACCEPT
  # ---- LAN_INET_FORWARD_CHAIN: internal bridge -> erouter0 --------------------
  # Same ping cap, then unrestricted outbound (rules 185/186 are subsumed by 187).
  182. -A LAN_INET_FORWARD_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 20/sec --limit-burst 100 -j ACCEPT
  183. -A LAN_INET_FORWARD_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-request: " --log-level 6
  184. -A LAN_INET_FORWARD_CHAIN -p icmp -m icmp --icmp-type 8 -j DROP
  185. -A LAN_INET_FORWARD_CHAIN -p tcp -j ACCEPT
  186. -A LAN_INET_FORWARD_CHAIN -p udp -j ACCEPT
  187. -A LAN_INET_FORWARD_CHAIN -j ACCEPT
  # LOGGING is defined but nothing jumps to it in this dump.
  188. -A LOGGING -j DROP
  # ---- POST_FORWARD_CHAIN: forwarded destinations (port-forward targets) ------
  # These ACCEPTs carry no -i/-o match, so they apply to forwarded traffic from
  # any ingress interface that reached FORWARD rule 81.
  189. -A POST_FORWARD_CHAIN -d 192.168.0.24/32 -p tcp -m tcp --dport 80 -j ACCEPT
  # NOTE(review): `--dport 0` is never a legitimate destination port, and
  # EXT_INPUT_CHAIN rules 132/134 treat port 0 as a fingerprinting probe. This
  # looks like a port-forward entry whose port value was left unset — confirm
  # the intended port or remove the rule.
  190. -A POST_FORWARD_CHAIN -d 192.168.0.8/32 -p tcp -m tcp --dport 0 -j ACCEPT
  # 1701/tcp, 500/udp and 4500/udp are conventionally L2TP / IKE / IPsec NAT-T,
  # consistent with a VPN endpoint at .24 — inferred from port numbers only.
  191. -A POST_FORWARD_CHAIN -d 192.168.0.24/32 -p tcp -m tcp --dport 1701 -j ACCEPT
  192. -A POST_FORWARD_CHAIN -d 192.168.0.24/32 -p udp -m udp --dport 4500 -j ACCEPT
  193. -A POST_FORWARD_CHAIN -d 192.168.0.24/32 -p udp -m udp --dport 500 -j ACCEPT
  194. -A POST_FORWARD_CHAIN -d 192.168.0.8/32 -p udp -m udp --dport 5353 -j ACCEPT
  195. -A POST_FORWARD_CHAIN -d 192.168.0.8/32 -p udp -m udp --dport 4500 -j ACCEPT
  196. -A POST_FORWARD_CHAIN -d 192.168.0.5/32 -p udp -m udp --dport 23639 -j ACCEPT
  197. -A POST_FORWARD_CHAIN -d 192.168.0.5/32 -p tcp -m tcp --dport 23639 -j ACCEPT
  198. -A POST_FORWARD_CHAIN -d 192.168.0.5/32 -p udp -m udp --dport 16402 -j ACCEPT
  199. -A POST_FORWARD_CHAIN -d 192.168.0.8/32 -p udp -m udp --dport 1383 -j ACCEPT
  200. -A POST_FORWARD_CHAIN -d 192.168.0.8/32 -p tcp -m tcp --dport 1383 -j ACCEPT
  201. -A POST_FORWARD_CHAIN -d 192.168.0.10/32 -p tcp -m tcp --dport 62734 -j ACCEPT
  202. -A POST_FORWARD_CHAIN -d 192.168.0.10/32 -p udp -m udp --dport 62734 -j ACCEPT
  # Silent drop target used by the EXT_* and VALID_CHK chains.
  203. -A POST_INPUT_DROP_CHAIN -j DROP
  # ---- SPOOF_CHK ----------------------------------------------------------------
  # A 192.168.0.0/24 source is legitimate only on rndbr1; on any other interface
  # it is logged (3/min) and dropped. The check keys solely on the LAN prefix —
  # a forged source outside that range passes (RESERVED_NET_CHK is declared but
  # has no rules in this dump), so rp_filter or a populated RESERVED_NET_CHK
  # would be the usual complement.
  204. -A SPOOF_CHK -s 192.168.0.0/24 -i rndbr1 -j RETURN
  205. -A SPOOF_CHK -s 192.168.0.0/24 -m limit --limit 3/min -j LOG --log-prefix "AIF:Spoofed packet: " --log-level 6
  206. -A SPOOF_CHK -s 192.168.0.0/24 -j POST_INPUT_DROP_CHAIN
  207. -A SPOOF_CHK -j RETURN
  # ---- VALID_CHK: TCP-flag sanity, INVALID state, fragments -------------------
  # Each illegal flag combination is logged (3/min) in 208-214 and then dropped
  # by the matching rule in 215-221. The "XMAS-PSH" label (209) actually matches
  # the combination without PSH; the naming follows the AIF convention.
  208. -A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth XMAS scan: " --log-level 6
  209. -A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth XMAS-PSH scan: " --log-level 6
  210. -A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth XMAS-ALL scan: " --log-level 6
  211. -A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth FIN scan: " --log-level 6
  212. -A VALID_CHK -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth SYN/RST scan: " --log-level 6
  213. -A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth SYN/FIN scan?: " --log-level 6
  214. -A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth Null scan: " --log-level 6
  215. -A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j POST_INPUT_DROP_CHAIN
  216. -A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j POST_INPUT_DROP_CHAIN
  217. -A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j POST_INPUT_DROP_CHAIN
  218. -A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j POST_INPUT_DROP_CHAIN
  219. -A VALID_CHK -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j POST_INPUT_DROP_CHAIN
  220. -A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j POST_INPUT_DROP_CHAIN
  221. -A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j POST_INPUT_DROP_CHAIN
  # Packets carrying the reserved TCP option kinds 64 and 128 are logged and
  # dropped (the log prefixes say "flag", but `--tcp-option` matches options).
  222. -A VALID_CHK -p tcp -m tcp --tcp-option 64 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:Bad TCP flag(64): " --log-level 6
  223. -A VALID_CHK -p tcp -m tcp --tcp-option 128 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:Bad TCP flag(128): " --log-level 6
  224. -A VALID_CHK -p tcp -m tcp --tcp-option 64 -j POST_INPUT_DROP_CHAIN
  225. -A VALID_CHK -p tcp -m tcp --tcp-option 128 -j POST_INPUT_DROP_CHAIN
  # conntrack-INVALID packets are dropped silently; inbound fragments are
  # dropped without a log line (OUTPUT logs its own fragments at rule 88).
  226. -A VALID_CHK -m state --state INVALID -j POST_INPUT_DROP_CHAIN
  227. -A VALID_CHK -f -j DROP