iptables rules

Jun 30th, 2013
  1. ###****FIREWALL PRESETUP****###
  2.  
  3. *nat
  4.  
  5. # Wireless devices wlan0
  6. -A POSTROUTING -o eth0 -s 10.0.0.2/24 -j MASQUERADE
  7.  
  8. # Personal VPN tun0 to this network from my devices
  9. -A POSTROUTING -o eth0 -s 10.0.2.0/24 -j MASQUERADE
  10.  
  11. # Iodine (IP-over-DNS) dns0 and dns1
  12. -A POSTROUTING -o eth0 -s 172.16.0.1/27 -j MASQUERADE
  13. -A POSTROUTING -o eth0 -s 172.16.2.1/27 -j MASQUERADE
  14.  
  15. COMMIT
  16.  
  17. ###****BEGIN GLOBAL FIREWALL****###
  18.  
  19. *filter
  20.  
  21. # Block unwanted traffic
  22. :FORWARD DROP
  23. :INPUT DROP
  24.  
  25. # Allow wanted traffic to/from all interfaces
  26. :OUTPUT ACCEPT
  27. -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  28.  
  29. # Make sure wanted traffic to/from wlan0 (LAN) is allowed
  30. -A FORWARD -i wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
  31.  
  32. # Make sure wanted traffic to/from tun0 (VPN) is allowed
  33. -A FORWARD -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
  34. -A FORWARD -i tun0 -o eth0 -s 10.0.2.0/25 -m state --state ESTABLISHED,RELATED -j ACCEPT
  35.  
  36. # Also allow traffic to/from tun0 (VPN) to wlan0 (LAN)
  37. -A FORWARD -i tun0 -o wlan0 -s 10.0.2.0/25 -d 10.0.0.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
  38.  
  39. # Also allow traffic to/from tun0 (VPN) to eth0 (WAN)
  40. -A FORWARD -i tun0 -o eth0 -s 10.0.2.0/25 -d 192.168.2.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
  41.  
  42. # Make sure wanted traffic to/from dns0 and dns1, Iodine (IP-over-DNS), is allowed
  43. -A FORWARD -i dns0 -m state --state RELATED,ESTABLISHED -j ACCEPT
  44. -A FORWARD -i dns1 -m state --state RELATED,ESTABLISHED -j ACCEPT
  45.  
  46. # Also allow traffic to/from dns0 and dns1, Iodine (IP-over-DNS), to wlan0 (LAN)
  47. -A FORWARD -i dns0 -o wlan0 -s 172.16.0.1/27 -d 10.0.0.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
  48. -A FORWARD -i dns1 -o wlan0 -s 172.16.2.1/27 -d 10.0.0.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
  49.  
  50. # Also allow traffic to/from dns0 and dns1, Iodine (IP-over-DNS), to eth0 (WAN)
  51. -A FORWARD -i dns0 -o wlan0 -s 172.16.0.1/27 -d 192.168.2.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
  52. -A FORWARD -i dns1 -o wlan0 -s 172.16.2.1/27 -d 192.168.2.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
  53.  
  54. # Allow wanted traffic into the router itself
  55. -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  56.  
  57. ###****BEGIN WIFI FIREWALL ****###
  58.  
  59. #Logging
  60. #-A FORWARD -i wlan0 -o eth0 -p tcp --syn -j LOG --log-prefix "syn packet:"
  61. #-I FORWARD 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
  62.  
  63. # dns
  64. -A FORWARD -i wlan0 -o eth0 -p udp --dport 53 -j ACCEPT
  65.  
  66. # http, https
  67. -A FORWARD -i wlan0 -o eth0 -p tcp --dport 80 -j ACCEPT
  68. -A FORWARD -i wlan0 -o eth0 -p tcp --dport 443 -j ACCEPT
  69.  
  70. # Los Rios College eServices (and others)
  71. -A FORWARD -i wlan0 -o eth0 -p tcp --dport 8080 -j ACCEPT
  72.  
  73. # Skype (Outgoing)
  74. -A FORWARD -i wlan0 -o eth0 -p udp --dport 29304 -j ACCEPT
  75. -A FORWARD -i wlan0 -o eth0 -p tcp --dport 29304 -j ACCEPT
  76.  
  77. # Skype (Incoming)
  78. -A FORWARD -i eth0 -o wlan0 -p udp --dport 29304 -j ACCEPT
  79. -A FORWARD -i eth0 -o wlan0 -p tcp --dport 29304 -j ACCEPT
  80.  
  81. # Splashtop streamer
  82. -A FORWARD -i wlan0 -o eth0 -m multiport -p tcp --dport 6783:6785 -j ACCEPT
  83. -A FORWARD -i wlan0 -o eth0 -m multiport -p udp --dport 6783:6785 -j ACCEPT
  84.  
  85. # CallCentric VOIP
  86. -A FORWARD -i wlan0 -o eth0 -m multiport -p udp --dport 5060:5080 -j ACCEPT
  87. -A FORWARD -i wlan0 -o eth0 -p udp --dport 65535 -j ACCEPT
  88.  
  89. # Google hangout, voip, and other google services
  90. -A FORWARD -i wlan0 -o eth0 -m multiport -p udp --dport 19305:19309 -j ACCEPT
  91. -A FORWARD -i wlan0 -o eth0 -m multiport -p tcp --dport 19305:19309 -j ACCEPT
  92. -A FORWARD -i wlan0 -o eth0 -p udp --dport 5228 -j ACCEPT
  93. -A FORWARD -i wlan0 -o eth0 -p tcp --dport 5228 -j ACCEPT
  94. -A FORWARD -i wlan0 -o eth0 -p udp --dport 14259 -j ACCEPT
  95. -A FORWARD -i wlan0 -o eth0 -p tcp --dport 14259 -j ACCEPT
  96.  
  97. # Torrent
  98. -A FORWARD -i wlan0 -o eth0 -p udp --dport 80 -j ACCEPT
  99. -A FORWARD -i wlan0 -o eth0 -p udp --dport 6969 -j ACCEPT
  100. -A FORWARD -i wlan0 -o eth0 -p udp --dport 1337 -j ACCEPT
  101.  
  102. # Email
  103. -A FORWARD -i wlan0 -o eth0 -p tcp --dport 25 -j ACCEPT
  104.  
  105. # iCloud Email
  106. -A FORWARD -i wlan0 -o eth0 -p tcp --dport 587 -j ACCEPT
  107.  
  108. # Gmail SMTP SSL
  109. -A FORWARD -i wlan0 -o eth0 -p udp --dport 465 -j ACCEPT
  110. -A FORWARD -i wlan0 -o eth0 -p tcp --dport 465 -j ACCEPT
  111.  
  112. # Gmail SMTP StartTLS
  113. -A FORWARD -i wlan0 -o eth0 -p udp --dport 587 -j ACCEPT
  114. -A FORWARD -i wlan0 -o eth0 -p tcp --dport 587 -j ACCEPT
  115.  
  116. # Gmail IMAP SSL
  117. -A FORWARD -i wlan0 -o eth0 -m multiport -p udp --dport 993:995 -j ACCEPT
  118. -A FORWARD -i wlan0 -o eth0 -m multiport -p tcp --dport 993:995 -j ACCEPT
  119.  
  120. # irc
  121. -A FORWARD -i wlan0 -o eth0 -p tcp --dport 7070 -j ACCEPT
  122. -A FORWARD -i wlan0 -o eth0 -p tcp --dport 1338 -j ACCEPT
  123. -A FORWARD -i wlan0 -o eth0 -p tcp --dport 6667 -j ACCEPT
  124. -A FORWARD -i wlan0 -o eth0 -p tcp --dport 6697 -j ACCEPT
  125.  
  126. # MUD
  127. -A FORWARD -i wlan0 -o eth0 -p tcp --dport 2000 -j ACCEPT
  128. -A FORWARD -i wlan0 -o eth0 -p tcp --dport 1843 -j ACCEPT
  129. -A FORWARD -i wlan0 -o eth0 -p tcp --dport 843 -j ACCEPT
  130.  
  131. # ssh
  132. -A FORWARD -i wlan0 -o eth0 -p tcp --dport 22 -j ACCEPT
  133.  
  134. # vpn
  135. -A FORWARD -i wlan0 -o eth0 -p udp --dport 1194 -j ACCEPT
  136.  
  137. # iOS iMessages, Facetime
  138. -A FORWARD -i wlan0 -o eth0 -m multiport -p udp --dport 3478:3487 -j ACCEPT
  139. -A FORWARD -i wlan0 -o eth0 -p tcp --dport 5223 -j ACCEPT
  140. -A FORWARD -i wlan0 -o eth0 -m multiport -p udp --dport 16384:16387 -j ACCEPT
  141. -A FORWARD -i wlan0 -o eth0 -m multiport -p udp --dport 16393:16402 -j ACCEPT
  142.  
  143. # Allow PING from remote hosts.
  144. -A FORWARD -i wlan0 -o eth0 -p icmp --icmp-type echo-request -j ACCEPT
  145.  
  146. ###****BEGIN IODINE (IP-over-DNS, dns0 and dns1) FIREWALL ****###
  147.  
  148. #Logging
  149. #-A FORWARD -i dns0 -o eth0 -p tcp --syn -j LOG --log-prefix "syn packet:"
  150.  
  151. # dns
  152. -A FORWARD -i dns0 -o eth0 -p udp --dport 53 -j ACCEPT
  153. -A FORWARD -i dns1 -o eth0 -p udp --dport 53 -j ACCEPT
  154.  
  155. # http, https
  156. -A FORWARD -i dns0 -o eth0 -p tcp --dport 80 -j ACCEPT
  157. -A FORWARD -i dns0 -o eth0 -p tcp --dport 443 -j ACCEPT
  158. -A FORWARD -i dns1 -o eth0 -p tcp --dport 80 -j ACCEPT
  159. -A FORWARD -i dns1 -o eth0 -p tcp --dport 443 -j ACCEPT
  160.  
  161. # Los Rios College eServices (and others)
  162. -A FORWARD -i dns0 -o eth0 -p tcp --dport 8080 -j ACCEPT
  163. -A FORWARD -i dns1 -o eth0 -p tcp --dport 8080 -j ACCEPT
  164.  
  165. # Skype (Outgoing)
  166. -A FORWARD -i dns0 -o eth0 -p udp --dport 29304 -j ACCEPT
  167. -A FORWARD -i dns0 -o eth0 -p tcp --dport 29304 -j ACCEPT
  168. -A FORWARD -i dns1 -o eth0 -p udp --dport 29304 -j ACCEPT
  169. -A FORWARD -i dns1 -o eth0 -p tcp --dport 29304 -j ACCEPT
  170.  
  171. # Skype (Incoming)
  172. -A FORWARD -i eth0 -o dns0 -p udp --dport 29304 -j ACCEPT
  173. -A FORWARD -i eth0 -o dns0 -p tcp --dport 29304 -j ACCEPT
  174. -A FORWARD -i eth0 -o dns1 -p udp --dport 29304 -j ACCEPT
  175. -A FORWARD -i eth0 -o dns1 -p tcp --dport 29304 -j ACCEPT
  176.  
  177. # Splashtop streamer
  178. -A FORWARD -i dns0 -o eth0 -m multiport -p tcp --dport 6783:6785 -j ACCEPT
  179. -A FORWARD -i dns0 -o eth0 -m multiport -p udp --dport 6783:6785 -j ACCEPT
  180. -A FORWARD -i dns1 -o eth0 -m multiport -p tcp --dport 6783:6785 -j ACCEPT
  181. -A FORWARD -i dns1 -o eth0 -m multiport -p udp --dport 6783:6785 -j ACCEPT
  182.  
  183. # CallCentric VOIP
  184. -A FORWARD -i dns0 -o eth0 -m multiport -p udp --dport 5060:5080 -j ACCEPT
  185. -A FORWARD -i dns0 -o eth0 -p udp --dport 65535 -j ACCEPT
  186. -A FORWARD -i dns1 -o eth0 -m multiport -p udp --dport 5060:5080 -j ACCEPT
  187. -A FORWARD -i dns1 -o eth0 -p udp --dport 65535 -j ACCEPT
  188.  
  189. # Google hangout, voip, and other google services
  190. -A FORWARD -i dns0 -o eth0 -m multiport -p udp --dport 19305:19309 -j ACCEPT
  191. -A FORWARD -i dns0 -o eth0 -m multiport -p tcp --dport 19305:19309 -j ACCEPT
  192. -A FORWARD -i dns0 -o eth0 -p udp --dport 5228 -j ACCEPT
  193. -A FORWARD -i dns0 -o eth0 -p tcp --dport 5228 -j ACCEPT
  194. -A FORWARD -i dns0 -o eth0 -p udp --dport 14259 -j ACCEPT
  195. -A FORWARD -i dns0 -o eth0 -p tcp --dport 14259 -j ACCEPT
  196. -A FORWARD -i dns1 -o eth0 -m multiport -p udp --dport 19305:19309 -j ACCEPT
  197. -A FORWARD -i dns1 -o eth0 -m multiport -p tcp --dport 19305:19309 -j ACCEPT
  198. -A FORWARD -i dns1 -o eth0 -p udp --dport 5228 -j ACCEPT
  199. -A FORWARD -i dns1 -o eth0 -p tcp --dport 5228 -j ACCEPT
  200. -A FORWARD -i dns1 -o eth0 -p udp --dport 14259 -j ACCEPT
  201. -A FORWARD -i dns1 -o eth0 -p tcp --dport 14259 -j ACCEPT
  202.  
  203. # Torrent
  204. -A FORWARD -i dns0 -o eth0 -p udp --dport 80 -j ACCEPT
  205. -A FORWARD -i dns0 -o eth0 -p udp --dport 6969 -j ACCEPT
  206. -A FORWARD -i dns0 -o eth0 -p udp --dport 1337 -j ACCEPT
  207. -A FORWARD -i dns1 -o eth0 -p udp --dport 80 -j ACCEPT
  208. -A FORWARD -i dns1 -o eth0 -p udp --dport 6969 -j ACCEPT
  209. -A FORWARD -i dns1 -o eth0 -p udp --dport 1337 -j ACCEPT
  210.  
  211. # Email
  212. -A FORWARD -i dns0 -o eth0 -p tcp --dport 25 -j ACCEPT
  213. -A FORWARD -i dns1 -o eth0 -p tcp --dport 25 -j ACCEPT
  214.  
  215. # iCloud Email
  216. -A FORWARD -i dns0 -o eth0 -p tcp --dport 587 -j ACCEPT
  217. -A FORWARD -i dns1 -o eth -p tcp --dport 587 -j ACCEPT
  218.  
  219. # Gmail SMTP SSL
  220. -A FORWARD -i dns0 -o eth0 -p udp --dport 465 -j ACCEPT
  221. -A FORWARD -i dns0 -o eth0 -p tcp --dport 465 -j ACCEPT
  222. -A FORWARD -i dns1 -o eth0 -p udp --dport 465 -j ACCEPT
  223. -A FORWARD -i dns1 -o eth0 -p tcp --dport 465 -j ACCEPT
  224.  
  225. # Gmail SMTP StartTLS
  226. -A FORWARD -i dns0 -o eth0 -p udp --dport 587 -j ACCEPT
  227. -A FORWARD -i dns0 -o eth0 -p tcp --dport 587 -j ACCEPT
  228. -A FORWARD -i dns1 -o eth0 -p udp --dport 587 -j ACCEPT
  229. -A FORWARD -i dns1 -o eth0 -p tcp --dport 587 -j ACCEPT
  230.  
  231. # Gmail IMAP SSL
  232. -A FORWARD -i dns0 -o eth0 -m multiport -p udp --dport 993:995 -j ACCEPT
  233. -A FORWARD -i dns0 -o eth0 -m multiport -p tcp --dport 993:995 -j ACCEPT
  234. -A FORWARD -i dns1 -o eth0 -m multiport -p udp --dport 993:995 -j ACCEPT
  235. -A FORWARD -i dns1 -o eth0 -m multiport -p tcp --dport 993:995 -j ACCEPT
  236.  
  237. # irc
  238. -A FORWARD -i dns0 -o eth0 -p tcp --dport 7070 -j ACCEPT
  239. -A FORWARD -i dns0 -o eth0 -p tcp --dport 1338 -j ACCEPT
  240. -A FORWARD -i dns0 -o eth0 -p tcp --dport 6667 -j ACCEPT
  241. -A FORWARD -i dns0 -o eth0 -p tcp --dport 6697 -j ACCEPT
  242. -A FORWARD -i dns1 -o eth0 -p tcp --dport 7070 -j ACCEPT
  243. -A FORWARD -i dns1 -o eth0 -p tcp --dport 1338 -j ACCEPT
  244. -A FORWARD -i dns1 -o eth0 -p tcp --dport 6667 -j ACCEPT
  245. -A FORWARD -i dns1 -o eth0 -p tcp --dport 6697 -j ACCEPT
  246.  
  247. # MUD
  248. -A FORWARD -i dns0 -o eth0 -p tcp --dport 2000 -j ACCEPT
  249. -A FORWARD -i dns0 -o eth0 -p tcp --dport 1843 -j ACCEPT
  250. -A FORWARD -i dns0 -o eth0 -p tcp --dport 843 -j ACCEPT
  251. -A FORWARD -i dns1 -o eth0 -p tcp --dport 2000 -j ACCEPT
  252. -A FORWARD -i dns1 -o eth0 -p tcp --dport 1843 -j ACCEPT
  253. -A FORWARD -i dns1 -o eth0 -p tcp --dport 843 -j ACCEPT
  254.  
  255. # ssh
  256. -A FORWARD -i dns0 -o eth0 -p tcp --dport 22 -j ACCEPT
  257. -A FORWARD -i dns1 -o eth0 -p tcp --dport 22 -j ACCEPT
  258.  
  259. # vpn
  260. -A FORWARD -i dns0 -o eth0 -p udp --dport 1194 -j ACCEPT
  261. -A FORWARD -i dns1 -o eth0 -p udp --dport 1194 -j ACCEPT
  262.  
  263. # iOS iMessages, Facetime
  264. -A FORWARD -i dns0 -o eth0 -m multiport -p udp --dport 3478:3487 -j ACCEPT
  265. -A FORWARD -i dns0 -o eth0 -p tcp --dport 5223 -j ACCEPT
  266. -A FORWARD -i dns0 -o eth0 -m multiport -p udp --dport 16384:16387 -j ACCEPT
  267. -A FORWARD -i dns0 -o eth0 -m multiport -p udp --dport 16393:16402 -j ACCEPT
  268. -A FORWARD -i dns1 -o eth0 -m multiport -p udp --dport 3478:3487 -j ACCEPT
  269. -A FORWARD -i dns1 -o eth0 -p tcp --dport 5223 -j ACCEPT
  270. -A FORWARD -i dns1 -o eth0 -m multiport -p udp --dport 16384:16387 -j ACCEPT
  271. -A FORWARD -i dns1 -o eth0 -m multiport -p udp --dport 16393:16402 -j ACCEPT
  272.  
  273. # Allow PING from remote hosts.
  274. -A FORWARD -i dns0 -o eth0 -p icmp --icmp-type echo-request -j ACCEPT
  275. -A FORWARD -i dns1 -o eth0 -p icmp --icmp-type echo-request -j ACCEPT
  276.  
  277. ###****BEGIN VPN FIREWALL****###
  278.  
  279. #Logging
  280. #-A FORWARD -i tun0 -o eth0 -p tcp --syn -j LOG --log-prefix "syn packet:"
  281.  
  282. # dns
  283. -A FORWARD -i tun0 -o eth0 -p udp --dport 53 -j ACCEPT
  284.  
  285. # http, https
  286. -A FORWARD -i tun0 -o eth0 -p tcp --dport 80 -j ACCEPT
  287. -A FORWARD -i tun0 -o eth0 -p tcp --dport 443 -j ACCEPT
  288.  
  289. # Los Rios College eServices (and others)
  290. -A FORWARD -i tun0 -o eth0 -p tcp --dport 8080 -j ACCEPT
  291.  
  292. # Skype (Outgoing)
  293. -A FORWARD -i tun0 -o eth0 -p udp --dport 29304 -j ACCEPT
  294. -A FORWARD -i tun0 -o eth0 -p tcp --dport 29304 -j ACCEPT
  295.  
  296. # Skype (Incoming)
  297. -A FORWARD -i eth0 -o tun0 -p udp --dport 29304 -j ACCEPT
  298. -A FORWARD -i eth0 -o tun0 -p tcp --dport 29304 -j ACCEPT
  299.  
  300. # Splashtop streamer
  301. -A FORWARD -i tun0 -o eth0 -m multiport -p tcp --dport 6783:6785 -j ACCEPT
  302. -A FORWARD -i tun0 -o eth0 -m multiport -p udp --dport 6783:6785 -j ACCEPT
  303.  
  304. # CallCentric VOIP
  305. -A FORWARD -i tun0 -o eth0 -m multiport -p udp --dport 5060:5080 -j ACCEPT
  306. -A FORWARD -i tun0 -o eth0 -p udp --dport 65535 -j ACCEPT
  307.  
  308. # Google hangout, voip, and other google services
  309. -A FORWARD -i tun0 -o eth0 -m multiport -p udp --dport 19305:19309 -j ACCEPT
  310. -A FORWARD -i tun0 -o eth0 -m multiport -p tcp --dport 19305:19309 -j ACCEPT
  311. -A FORWARD -i tun0 -o eth0 -p udp --dport 5228 -j ACCEPT
  312. -A FORWARD -i tun0 -o eth0 -p tcp --dport 5228 -j ACCEPT
  313. -A FORWARD -i tun0 -o eth0 -p udp --dport 14259 -j ACCEPT
  314. -A FORWARD -i tun0 -o eth0 -p tcp --dport 14259 -j ACCEPT
  315.  
  316. # Torrent
  317. -A FORWARD -i tun0 -o eth0 -p udp --dport 80 -j ACCEPT
  318. -A FORWARD -i tun0 -o eth0 -p udp --dport 6969 -j ACCEPT
  319. -A FORWARD -i tun0 -o eth0 -p udp --dport 1337 -j ACCEPT
  320.  
  321. # Email
  322. -A FORWARD -i tun0 -o eth0 -p tcp --dport 25 -j ACCEPT
  323.  
  324. # iCloud Email
  325. -A FORWARD -i tun0 -o eth0 -p tcp --dport 587 -j ACCEPT
  326.  
  327. # Gmail SMTP SSL
  328. -A FORWARD -i tun0 -o eth0 -p udp --dport 465 -j ACCEPT
  329. -A FORWARD -i tun0 -o eth0 -p tcp --dport 465 -j ACCEPT
  330.  
  331. # Gmail SMTP StartTLS
  332. -A FORWARD -i tun0 -o eth0 -p udp --dport 587 -j ACCEPT
  333. -A FORWARD -i tun0 -o eth0 -p tcp --dport 587 -j ACCEPT
  334.  
  335. # Gmail IMAP SSL
  336. -A FORWARD -i tun0 -o eth0 -m multiport -p udp --dport 993:995 -j ACCEPT
  337. -A FORWARD -i tun0 -o eth0 -m multiport -p tcp --dport 993:995 -j ACCEPT
  338.  
  339. # irc
  340. -A FORWARD -i tun0 -o eth0 -p tcp --dport 7070 -j ACCEPT
  341. -A FORWARD -i tun0 -o eth0 -p tcp --dport 1338 -j ACCEPT
  342. -A FORWARD -i tun0 -o eth0 -p tcp --dport 6667 -j ACCEPT
  343. -A FORWARD -i tun0 -o eth0 -p tcp --dport 6697 -j ACCEPT
  344.  
  345. # MUD
  346. -A FORWARD -i tun0 -o eth0 -p tcp --dport 2000 -j ACCEPT
  347. -A FORWARD -i tun0 -o eth0 -p tcp --dport 1843 -j ACCEPT
  348. -A FORWARD -i tun0 -o eth0 -p tcp --dport 843 -j ACCEPT
  349.  
  350. # ssh
  351. -A FORWARD -i tun0 -o eth0 -p tcp --dport 22 -j ACCEPT
  352.  
  353. # vpn
  354. -A FORWARD -i tun0 -o eth0 -p udp --dport 1194 -j ACCEPT
  355.  
  356. # iOS iMessages, Facetime
  357. -A FORWARD -i tun0 -o eth0 -m multiport -p udp --dport 3478:3487 -j ACCEPT
  358. -A FORWARD -i tun0 -o eth0 -p tcp --dport 5223 -j ACCEPT
  359. -A FORWARD -i tun0 -o eth0 -m multiport -p udp --dport 16384:16387 -j ACCEPT
  360. -A FORWARD -i tun0 -o eth0 -m multiport -p udp --dport 16393:16402 -j ACCEPT
  361.  
  362. # Allow PING from remote hosts.
  363. -A FORWARD -i tun0 -o eth0 -p icmp --icmp-type echo-request -j ACCEPT
  364.  
###****BEGIN SERVER FIREWALL****###
# Services offered by the router/server itself (INPUT chain). None of the
# rules below carries an -i match, so every listed port is reachable on ALL
# interfaces -- eth0 (WAN) included -- i.e. from the Internet. Add
# -i wlan0 / -i tun0 to any service that is only meant for the LAN or VPN.
# Anything not listed is dropped by the INPUT DROP policy at the top of the
# table.

#Logging (example for this chain; put it right before COMMIT so it logs
#only what is about to be dropped)
#-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT denied: " --log-level 7

# Loopback: local processes talking to local services.
-A INPUT -i lo -j ACCEPT

# http, https
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# smtp, submission
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT

# pop3, pop3s
# NOTE(review): 110 (and 143 below) are cleartext protocols; unless the mail
# server enforces STARTTLS, credentials cross the WAN unencrypted. Prefer
# exposing only 995/993, or limit 110/143 with -i wlan0 / -i tun0.
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT

# imap, imaps
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT

# ssh (reachable from the WAN; consider key-only auth and a -m limit or
# -m recent rate limit on new connections)
-A INPUT -p tcp --dport 22 -j ACCEPT

# vpn (udp/1194, OpenVPN's default port; presumably the server whose
# clients appear on tun0 -- confirm against the VPN config)
-A INPUT -p udp --dport 1194 -j ACCEPT

# Allow PING from remote hosts.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

COMMIT