- chain INPUT {
# Host-input filter chain: filter hook, default policy drop, so anything not
# accepted by a rule below is discarded. Rules are evaluated top to bottom and
# the first accept/drop/reject terminates evaluation, so ordering matters.
# Interfaces seen here: eno1 (treated as the Internet side by the rules below),
# eno2 / bondlan / ens2f0 (treated as local segments). The sets @dropPorts and
# @allowedPorts are defined outside this listing; their contents are not visible.
- type filter hook input priority filter; policy drop;
# Replies to connections this host initiated, and related flows (e.g. ICMP errors).
- ct state established,related counter packets 0 bytes 0 accept comment "ALLOW ESTABLISHED TRAFFIC FROM INTERNET"
# Two hosts on eno2 are accepted unconditionally. Both addresses fall inside
# 192.168.16.0/20, which is accepted further down for eno2 anyway; this rule
# mainly gives them a separate counter and lets them bypass the drops in between.
- iifname "eno2" ip saddr { 192.168.31.9, 192.168.31.17 } counter packets 19 bytes 1156 accept comment "VIP Access"
- iif "eno2" tcp dport 23 counter packets 0 bytes 0 drop comment "DROP TELNET"
# NOTE(review): this rule has no interface or source match and no counter, and it
# sits ABOVE the "BLOCK ALL NEW TRAFFIC FROM INTERNET" rule, so new TCP/8080
# connections arriving on eno1 are accepted here. If 8080 is meant to be
# internal-only, add an `iif`/`ip saddr` match or move it below the eno1 drop.
- tcp dport 8080 accept
- ip saddr 192.168.160.0/27 iif "eno2" counter packets 0 bytes 0 drop comment "Custom Rules for Guests on 160 network"
# The single-host rule below is a subset of the /24 drop that follows it (which
# matches on any interface); it only adds a dedicated counter.
- ip saddr 192.168.150.2 iif "eno2" counter packets 0 bytes 0 drop comment "Custom Rule For DG Only"
- ip saddr 192.168.150.0/24 counter packets 0 bytes 0 drop comment "Custom Rule BLock all traffic from DG block"
# NOTE(review): despite the comment, this rule has no `iif` or `ip saddr`
# restriction and precedes the eno1 new-traffic drop, so SSH is reachable from
# every interface including eno1. Restricting it to a source set or to the
# internal interfaces would make the rule match its stated intent.
- tcp dport 22 ct state new counter packets 0 bytes 0 accept comment "ALLOW SSH FOR AUTHORIZED SYSTEMS"
# Everything below this line is unreachable for NEW connections arriving on eno1;
# only established/related (already accepted above), invalid and untracked
# packets from eno1 get past this point.
- iif "eno1" ct state new counter packets 0 bytes 0 drop comment "BLOCK ALL NEW TRAFFIC FROM INTERNET"
# Accepts all traffic from the /20 on the internal interfaces. Because it comes
# before the ICMP drops below, the bondlan "DROP INPUT PINGS" rules only affect
# sources outside 192.168.16.0/20.
- iif { "eno2", "bondlan" } ip saddr 192.168.16.0/20 counter packets 0 bytes 0 accept comment "ACCEPT LOCAL TRAFFIC FROM INHOUSE IPs"
- tcp dport @dropPorts counter packets 0 bytes 0 drop comment "DROP NMAP SCANS AND VARIOUS PORTS"
# Drops TCP segments with only FIN set (mask fin,syn,rst,psh,ack,urg, value fin).
- tcp flags fin / fin,syn,rst,psh,ack,urg counter packets 0 bytes 0 drop comment "DROP TCP ATTACKS"
# ICMP handling per interface: echo-request drop, and a drop for ICMP packets
# of 1492 bytes or more. The echo-request rule is listed twice for each of
# bondlan, ens2f0 and eno1 — the second copy of each pair can never match
# and can be removed.
- iif "bondlan" icmp type echo-request counter packets 0 bytes 0 drop comment "DROP INPUT PINGS"
- iif "bondlan" ip protocol icmp meta length 1492-65535 counter packets 0 bytes 0 drop comment "DROP INPUT PINGS"
- iif "bondlan" icmp type echo-request counter packets 0 bytes 0 drop comment "DROP INPUT PINGS"
- iif "ens2f0" icmp type echo-request counter packets 0 bytes 0 drop comment "DROP INPUT PINGS"
- iif "ens2f0" ip protocol icmp meta length 1492-65535 counter packets 0 bytes 0 drop comment "DROP INPUT PINGS"
- iif "ens2f0" icmp type echo-request counter packets 0 bytes 0 drop comment "DROP INPUT PINGS"
- iif "eno1" icmp type echo-request counter packets 0 bytes 0 drop comment "DROP INPUT PINGS"
- iif "eno1" ip protocol icmp meta length 1492-65535 counter packets 0 bytes 0 drop comment "DROP INPUT PINGS"
- iif "eno1" icmp type echo-request counter packets 0 bytes 0 drop comment "DROP INPUT PINGS"
# Accepts SYNs to the allowed-port set on any interface. On eno1 new SYNs were
# already dropped above, so this can only match eno1 SYNs that are untracked
# (e.g. if a prerouting notrack rule feeds the synproxy rule below) — in that
# case they are accepted here BEFORE reaching synproxy; confirm that is intended.
- tcp flags syn tcp dport @allowedPorts counter packets 0 bytes 0 accept comment "ACCEPT ALLOWED PORTS"
# NOTE(review): the three "DDOS RULE" lines below use a bare `ct count` and a
# bare `limit rate`, which apply to all matching traffic combined, not per
# source IP as the comments say; a per-source limit needs a dynamic set or
# meter keyed on `ip saddr`. The two `ct state new` rules are also unreachable,
# since new traffic from eno1 is already dropped higher up in this chain.
- meta l4proto tcp iifname "eno1" ct count over 111 counter packets 0 bytes 0 reject with tcp reset comment "DDOS RULE: Limit connections per source IP"
- iifname "eno1" ip protocol tcp ct state new limit rate 60/second burst 20 packets counter packets 0 bytes 0 accept comment "DDOS RULE Limit new TCP connections per second per source IP"
- iifname "eno1" ip protocol tcp ct state new counter packets 0 bytes 0 drop comment "DDOS RULE Limit new TCP connections per second per source IP"
# SYN proxy for invalid/untracked packets; this relies on a notrack rule in a
# prerouting chain that is not part of this listing — verify it exists.
# Whatever synproxy does not consume and is still invalid is dropped next.
- ct state invalid,untracked counter packets 0 bytes 0 synproxy mss 1460 wscale 7 timestamp sack-perm comment "DDOS RULE:SYNPROXY RULES FOR SYN FLOODS"
- ct state invalid counter packets 0 bytes 0 drop comment "DDOS RULE:SYNPROXY RULES FOR SYN FLOODS"
- }