
Untitled

NetSpasibo79 Jun 23rd, 2019 6 Never
  1.  
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#
# Format: iptables-restore.  Each "*table" section is loaded as a unit and
# becomes active at the "COMMIT" that closes it.  Within a chain the first
# matching rule wins, so the order of the -A lines below is significant --
# do not reorder them casually.
#
# ufw-logging-deny is jumped to but not declared in this file; it is one of
# the chains ufw creates itself, so this file is meant to be loaded through
# ufw rather than fed to iptables-restore on its own.
#

# NAT table rules
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# -F flushes the entire nat table on every reload, including any rules that
# other software may have put there; everything the host needs in the nat
# table therefore has to be (re)declared in this section.
-F

# Port-forward DNS (53/udp and 53/tcp) and 4711/tcp that arrive on enp2s0 to
# 10.96.103.252 (the destination port is kept; only the address is rewritten).
#
# NOTE(review): DNAT alone only rewrites the destination.  The rewritten packet
# still has to be accepted on the FORWARD path (ufw-before-forward below or
# ufw's route rules), and nothing in this file does that -- presumably handled
# elsewhere; confirm before relying on these entries.
# NOTE(review): if enp2s0 faces an untrusted network, these three lines expose
# the service at 10.96.103.252 to every host on it.  A recursive resolver
# reachable like this can be abused as an open resolver for reflection /
# amplification; either limit the rules with a source match
# (-s <trusted-cidr, placeholder>) or make sure the resolver only answers the
# clients it is meant for.  Also record what listens on 4711/tcp, since the
# port number alone does not say.
-A PREROUTING -i enp2s0 -p udp --dport 53 -j DNAT --to-destination 10.96.103.252
-A PREROUTING -i enp2s0 -p tcp --dport 53 -j DNAT --to-destination 10.96.103.252
-A PREROUTING -i enp2s0 -p tcp --dport 4711 -j DNAT --to-destination 10.96.103.252

COMMIT

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines


# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# quickly process packets for which we already have a connection
# (RELATED covers e.g. ICMP errors and helper-tracked data channels that
# belong to a tracked connection)
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
# Only the input path drops INVALID here; the forward path has no such rule
# in this file.
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

# ok icmp codes for INPUT
# These are the ICMP types needed for path MTU discovery / error reporting,
# plus echo-request so the host answers ping.
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

# allow dhcp client to work (server port 67 -> client port 68)
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

#
# ufw-not-local
#
# Every remaining input packet is sent through ufw-not-local, which lets
# packets addressed to this host (or to multicast/broadcast) continue and
# drops anything else that reached INPUT.
-A ufw-before-input -j ufw-not-local

# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

# all other non-local packets are dropped
# (logging is rate-limited to 3/min with a burst of 10 so a flood of such
# packets cannot fill the log)
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP

# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT