utm:/var/mdw/etc/iptables # cat iptable.filter
# Generated by iptables-save v1.4.4 on Mon Feb 1 14:24:48 2010
#
# filter table of the host "utm".  All three built-in chains default to
# DROP, so any packet that is not explicitly accepted in its chain ends
# in that chain's final logmark/LOGDROP rule.  Several matches and
# targets used below (confirmed, logmark, condition, CONFIRMED) are not
# part of upstream iptables 1.4.4; the vendor's xtables extensions must
# be present for iptables-restore to load this file.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# User-defined chains.  Only some of them carry rules in this dump:
# GEOIP_OUT, the AUTO_*, USR_* and HA_* chains, LOCKOUT, PSD_ACTION,
# PSD_MATCH, SANITY_CHECKS, STRICT_TCP_STATE and MULTIPATH_DROP are
# declared but empty here -- presumably populated at runtime by the
# middleware that owns this directory; confirm against the live ruleset.
:GEOIP_REJECT - [0:0]
:GEOIP_OUT - [0:0]
:AUTO_FORWARD - [0:0]
:AUTO_INPUT - [0:0]
:AUTO_OUTPUT - [0:0]
:HA_IN - [0:0]
:HA_OUT - [0:0]
:LOCKOUT - [0:0]
:INVALID_PKT - [0:0]
:LOCAL_RESTAPI - [0:0]
:LOGACCEPT - [0:0]
:LOGDROP - [0:0]
:LOGREJECT - [0:0]
:PSD_ACTION - [0:0]
:PSD_MATCH - [0:0]
:RELATED_FWD - [0:0]
:SANITY_CHECKS - [0:0]
:STRICT_TCP_DROP - [0:0]
:STRICT_TCP_STATE - [0:0]
:MULTIPATH_DROP - [0:0]
:USR_FORWARD - [0:0]
:USR_INPUT - [0:0]
:USR_OUTPUT - [0:0]
# INPUT.  The connlimit rule is the first rule in the chain, ahead of the
# loopback accept, so it also applies to loopback clients.  It has no
# --syn qualifier, so it matches every TCP packet to the port once a
# source holds more than 10 tracked connections, which resets that
# source's existing sessions as well -- presumably intended, confirm.
# "webadmin" is a service name resolved from the system's services file.
#slow http attack prevention [NUTM-9287]
-A INPUT -p tcp --dport webadmin -m connlimit --connlimit-above 10 -j REJECT --reject-with tcp-reset
-A INPUT -i lo -j ACCEPT
# Packets of an already confirmed connection are accepted unless they
# are addressed to multicast; RELATED packets are handed to the vendor
# CONFIRMED target instead.  FORWARD and OUTPUT use the same pair.
-A INPUT -m confirmed ! -d 224.0.0.0/4 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED -j CONFIRMED
# Everything else walks the HA, lockout, port-scan, sanity, auto-generated
# and user chains in this order; whatever returns from all of them is
# logged (logmark 60001, meaning not visible here) and dropped.
-A INPUT -j HA_IN
-A INPUT -j LOCKOUT
-A INPUT -j PSD_MATCH
-A INPUT -j SANITY_CHECKS
-A INPUT -j AUTO_INPUT
-A INPUT -j USR_INPUT
-A INPUT -m logmark --logmark 60001 -j LOGDROP
# FORWARD: same structure as INPUT minus the HA/lockout/sanity steps;
# RELATED forwarded traffic goes through RELATED_FWD (which only jumps to
# CONFIRMED).
-A FORWARD -m confirmed ! -d 224.0.0.0/4 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED -j RELATED_FWD
-A FORWARD -j PSD_MATCH
-A FORWARD -j AUTO_FORWARD
-A FORWARD -j USR_FORWARD
-A FORWARD -m logmark --logmark 60002 -j LOGDROP
# OUTPUT (locally generated traffic).  Processes running as uid 100 are
# logged and dropped when connecting to local TCP port 4472 (what runs
# as uid 100 is not visible in this dump).  The two loopback REST API
# ports are restricted by process owner in LOCAL_RESTAPI; all other
# loopback traffic is accepted.
-A OUTPUT -p tcp -d 127.0.0.1 --dport 4472 -m owner --uid-owner 100 -j LOGDROP
-A OUTPUT -o lo -p tcp --dport 3002 -j LOCAL_RESTAPI
-A OUTPUT -o lo -p tcp --dport 3498 -j LOCAL_RESTAPI
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m confirmed ! -d 224.0.0.0/4 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED -j CONFIRMED
# allow root to temporarily override output rules
# NOTE(review): the override is gated on the OUTPUT_ACCEPT_ALL condition
# variable (xt_condition-style match, toggled from userspace) and on both
# uid and gid root.  While the condition is set, every following OUTPUT
# check is skipped for root-owned sockets, so changes to that variable
# are worth logging/alerting on.
-A OUTPUT -m condition --condition "OUTPUT_ACCEPT_ALL" -m owner --uid-owner root --gid-owner root -j CONFIRMED
# NUTM-10626: The dehydrated output rules are unconditional because Middleware would try to connect outbound before creating the rules
# I.e. any socket owned by user and group "dehydrated" may reach TCP/443
# on any destination regardless of the chains below (--sport 1:65535 is
# effectively any source port).
-A OUTPUT -p tcp -m tcp --sport 1:65535 --dport 443 -m owner --uid-owner dehydrated --gid-owner dehydrated -j CONFIRMED
-A OUTPUT -j HA_OUT
-A OUTPUT -j SANITY_CHECKS
-A OUTPUT -j AUTO_OUTPUT
-A OUTPUT -j USR_OUTPUT
# Silently drop locally generated TCP segments with FIN+ACK (SYN clear)
# or RST (SYN clear) on every interface except eth2 -- presumably to
# suppress teardown/reset packets the stack emits for sessions the
# firewall has not confirmed; why eth2 is exempt is not explained here,
# confirm with the interface layout.
-A OUTPUT ! -o eth2 -p tcp --tcp-flags SYN,ACK,FIN ACK,FIN -j DROP
-A OUTPUT ! -o eth2 -p tcp --tcp-flags SYN,RST RST -j DROP
-A OUTPUT -m logmark --logmark 60003 -j LOGDROP
# Verdict helpers.  Each NFLOG rule copies the packet to userspace with
# the given prefix (default nflog group, none is specified) and the next
# rule applies the verdict.  INVALID_PKT, STRICT_TCP_DROP, LOGACCEPT,
# LOGREJECT and GEOIP_REJECT have no caller in this dump; presumably the
# runtime-populated chains jump to them.
-A INVALID_PKT -m logmark --logmark 60007 -j NFLOG --nflog-prefix "INVALID_PKT: "
-A INVALID_PKT -j DROP
-A STRICT_TCP_DROP -j DROP
-A LOGACCEPT -j NFLOG --nflog-prefix "ACCEPT: "
-A LOGACCEPT -j CONFIRMED
-A LOGDROP -j NFLOG --nflog-prefix "DROP: "
-A LOGDROP -j DROP
-A LOGREJECT -j NFLOG --nflog-prefix "REJECT: "
-A LOGREJECT -j REJECT --reject-with icmp-port-unreachable
# GEOIP_REJECT answers TCP with a reset and everything else with ICMP
# port-unreachable; nothing is logged here.
-A GEOIP_REJECT -p tcp -j REJECT --reject-with tcp-reset
-A GEOIP_REJECT -j REJECT --reject-with icmp-port-unreachable
-A RELATED_FWD -j CONFIRMED
# Loopback REST API (TCP 3002/3498 on lo): only sockets owned by root or
# loginuser may connect; anything else is dropped without logging.
-A LOCAL_RESTAPI -m owner --uid-owner root -j ACCEPT
-A LOCAL_RESTAPI -m owner --uid-owner loginuser -j ACCEPT
-A LOCAL_RESTAPI -j DROP
COMMIT
# Completed on Mon Feb 1 14:24:48 2010
