- root@media:/home/dost# iptables -vL
- Chain INPUT (policy DROP 114 packets, 7947 bytes)
- pkts bytes target prot opt in out source destination
- 4747 1194K ufw-before-logging-input all -- any any anywhere anywhere
- 4747 1194K ufw-before-input all -- any any anywhere anywhere
- 4057 1125K ufw-after-input all -- any any anywhere anywhere
- 114 7947 ufw-after-logging-input all -- any any anywhere anywhere
- 114 7947 ufw-reject-input all -- any any anywhere anywhere
- 114 7947 ufw-track-input all -- any any anywhere anywhere
- Chain FORWARD (policy DROP 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- 71211 37M ufw-before-logging-forward all -- any any anywhere anywhere
- 71211 37M ufw-before-forward all -- any any anywhere anywhere
- 5074 294K ufw-after-forward all -- any any anywhere anywhere
- 5074 294K ufw-after-logging-forward all -- any any anywhere anywhere
- 5074 294K ufw-reject-forward all -- any any anywhere anywhere
- 5074 294K ufw-track-forward all -- any any anywhere anywhere
- 5074 294K ACCEPT all -- wlp2s0 ppp0 192.168.0.0/24 anywhere ctstate NEW
- 0 0 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
- Chain OUTPUT (policy ACCEPT 4 packets, 160 bytes)
- pkts bytes target prot opt in out source destination
- 689 78679 ufw-before-logging-output all -- any any anywhere anywhere
- 689 78679 ufw-before-output all -- any any anywhere anywhere
- 228 18265 ufw-after-output all -- any any anywhere anywhere
- 228 18265 ufw-after-logging-output all -- any any anywhere anywhere
- 228 18265 ufw-reject-output all -- any any anywhere anywhere
- 228 18265 ufw-track-output all -- any any anywhere anywhere
- Chain ufw-after-forward (1 references)
- pkts bytes target prot opt in out source destination
- Chain ufw-after-input (1 references)
- pkts bytes target prot opt in out source destination
- 132 10728 ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:netbios-ns
- 0 0 ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:netbios-dgm
- 2 84 ufw-skip-to-policy-input tcp -- any any anywhere anywhere tcp dpt:netbios-ssn
- 8 388 ufw-skip-to-policy-input tcp -- any any anywhere anywhere tcp dpt:microsoft-ds
- 0 0 ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:bootps
- 0 0 ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:bootpc
- 3801 1106K ufw-skip-to-policy-input all -- any any anywhere anywhere ADDRTYPE match dst-type BROADCAST
- Chain ufw-after-logging-forward (1 references)
- pkts bytes target prot opt in out source destination
- 200 11172 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
- Chain ufw-after-logging-input (1 references)
- pkts bytes target prot opt in out source destination
- 98 6313 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
- Chain ufw-after-logging-output (1 references)
- pkts bytes target prot opt in out source destination
- Chain ufw-after-output (1 references)
- pkts bytes target prot opt in out source destination
- Chain ufw-before-forward (1 references)
- pkts bytes target prot opt in out source destination
- 66137 37M ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
- 0 0 ACCEPT tcp -- ppp0 wlp2s0 anywhere anywhere tcp dpt:ssh
- 0 0 ACCEPT tcp -- ppp0 wlp2s0 anywhere anywhere tcp dpt:http
- 0 0 ACCEPT tcp -- ppp0 wlp2s0 anywhere anywhere tcp dpt:https
- 0 0 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable
- 0 0 ACCEPT icmp -- any any anywhere anywhere icmp source-quench
- 0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
- 0 0 ACCEPT icmp -- any any anywhere anywhere icmp parameter-problem
- 0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
- 5074 294K ufw-user-forward all -- any any anywhere anywhere
- Chain ufw-before-input (1 references)
- pkts bytes target prot opt in out source destination
- 160 12960 ACCEPT all -- lo any anywhere anywhere
- 279 31674 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
- 11 440 ufw-logging-deny all -- any any anywhere anywhere ctstate INVALID
- 11 440 DROP all -- any any anywhere anywhere ctstate INVALID
- 0 0 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable
- 0 0 ACCEPT icmp -- any any anywhere anywhere icmp source-quench
- 0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
- 0 0 ACCEPT icmp -- any any anywhere anywhere icmp parameter-problem
- 0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
- 1 369 ACCEPT udp -- any any anywhere anywhere udp spt:bootps dpt:bootpc
- 4296 1148K ufw-not-local all -- any any anywhere anywhere
- 52 8782 ACCEPT udp -- any any anywhere 224.0.0.251 udp dpt:mdns
- 0 0 ACCEPT udp -- any any anywhere 239.255.255.250 udp dpt:1900
- 4244 1139K ufw-user-input all -- any any anywhere anywhere
- Chain ufw-before-logging-forward (1 references)
- pkts bytes target prot opt in out source destination
- Chain ufw-before-logging-input (1 references)
- pkts bytes target prot opt in out source destination
- Chain ufw-before-logging-output (1 references)
- pkts bytes target prot opt in out source destination
- Chain ufw-before-output (1 references)
- pkts bytes target prot opt in out source destination
- 160 12960 ACCEPT all -- any lo anywhere anywhere
- 301 47454 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
- 228 18265 ufw-user-output all -- any any anywhere anywhere
- Chain ufw-logging-allow (0 references)
- pkts bytes target prot opt in out source destination
- 0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
- Chain ufw-logging-deny (2 references)
- pkts bytes target prot opt in out source destination
- 11 440 RETURN all -- any any anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
- 0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
- Chain ufw-not-local (1 references)
- pkts bytes target prot opt in out source destination
- 305 20552 RETURN all -- any any anywhere anywhere ADDRTYPE match dst-type LOCAL
- 52 8782 RETURN all -- any any anywhere anywhere ADDRTYPE match dst-type MULTICAST
- 3939 1119K RETURN all -- any any anywhere anywhere ADDRTYPE match dst-type BROADCAST
- 0 0 ufw-logging-deny all -- any any anywhere anywhere limit: avg 3/min burst 10
- 0 0 DROP all -- any any anywhere anywhere
- Chain ufw-reject-forward (1 references)
- pkts bytes target prot opt in out source destination
- Chain ufw-reject-input (1 references)
- pkts bytes target prot opt in out source destination
- Chain ufw-reject-output (1 references)
- pkts bytes target prot opt in out source destination
- Chain ufw-skip-to-policy-forward (0 references)
- pkts bytes target prot opt in out source destination
- 0 0 DROP all -- any any anywhere anywhere
- Chain ufw-skip-to-policy-input (7 references)
- pkts bytes target prot opt in out source destination
- 3943 1117K DROP all -- any any anywhere anywhere
- Chain ufw-skip-to-policy-output (0 references)
- pkts bytes target prot opt in out source destination
- 0 0 ACCEPT all -- any any anywhere anywhere
- Chain ufw-track-forward (1 references)
- pkts bytes target prot opt in out source destination
- Chain ufw-track-input (1 references)
- pkts bytes target prot opt in out source destination
- Chain ufw-track-output (1 references)
- pkts bytes target prot opt in out source destination
- 0 0 ACCEPT tcp -- any any anywhere anywhere ctstate NEW
- 224 18105 ACCEPT udp -- any any anywhere anywhere ctstate NEW
- Chain ufw-user-forward (1 references)
- pkts bytes target prot opt in out source destination
- Chain ufw-user-input (1 references)
- pkts bytes target prot opt in out source destination
- 6 2004 ACCEPT udp -- wlp2s0 any anywhere anywhere udp spt:bootpc dpt:bootps
- 0 0 ACCEPT tcp -- wlp2s0 any 192.168.0.0/24 anywhere tcp dpt:domain
- 176 11885 ACCEPT udp -- wlp2s0 any 192.168.0.0/24 anywhere udp dpt:domain
- 0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:1111
- 1 52 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
- 4 196 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
- 0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
- Chain ufw-user-limit (0 references)
- pkts bytes target prot opt in out source destination
- 0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
- 0 0 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
- Chain ufw-user-limit-accept (0 references)
- pkts bytes target prot opt in out source destination
- 0 0 ACCEPT all -- any any anywhere anywhere
- Chain ufw-user-logging-forward (0 references)
- pkts bytes target prot opt in out source destination
- Chain ufw-user-logging-input (0 references)
- pkts bytes target prot opt in out source destination
- Chain ufw-user-logging-output (0 references)
- pkts bytes target prot opt in out source destination
- Chain ufw-user-output (1 references)
- pkts bytes target prot opt in out source destination
- root@media:/home/dost# cat /etc/ufw/before.rules
- #
- # rules.before
- #
- # Rules that should be run before the ufw command line added rules. Custom
- # rules should be added to one of these chains:
- # ufw-before-input
- # ufw-before-output
- # ufw-before-forward
- #
- # This host is a NAT gateway: wlp2s0 is the LAN side (192.168.0.0/24) and
- # ppp0 is the upstream side. INPUT and FORWARD policies are DROP (see the
- # `iptables -vL` capture), so anything not accepted here or by the ufw user
- # rules is dropped.
- #
- # NOTE(review): the ufw user rules (`ufw status`) allow 1111/tcp, 22/tcp,
- # 80/tcp and 443/tcp from Anywhere with no interface match, i.e. on ppp0 as
- # well as wlp2s0, for IPv4 and IPv6. If SSH on the gateway is only meant for
- # the LAN, prefer `ufw allow in on wlp2s0 to any port 22 proto tcp` and delete
- # the plain `allow 22/tcp`, or at least switch it to `ufw limit 22/tcp`.
- # Those rules live in user.rules, not in this file.
- #
- # Don't delete these required lines, otherwise there will be errors
- *filter
- :ufw-before-input - [0:0]
- :ufw-before-output - [0:0]
- :ufw-before-forward - [0:0]
- :ufw-not-local - [0:0]
- # End required lines
- # allow all on loopback
- -A ufw-before-input -i lo -j ACCEPT
- -A ufw-before-output -o lo -j ACCEPT
- # quickly process packets for which we already have a connection
- -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- # Port-forwards from the upstream side (ppp0) into the LAN (wlp2s0). They only
- # carry traffic once the matching DNAT rules -- commented out in the *nat
- # section at the bottom of this file and again in after.rules -- are enabled;
- # their counters were 0 when this was captured.
- # NOTE(review): none of the three restricts the destination (no -d), so any LAN
- # host listening on 22/80/443 is reachable from ppp0 if a packet for it gets
- # routed here. Pin each rule to the DNAT target (e.g. add `-d 192.168.0.34`,
- # or whichever host the DNAT finally points at) before enabling DNAT.
- -A ufw-before-forward -i ppp0 -o wlp2s0 -p tcp --dport 22 -j ACCEPT
- -A ufw-before-forward -i ppp0 -o wlp2s0 -p tcp --dport 80 -j ACCEPT
- -A ufw-before-forward -i ppp0 -o wlp2s0 -p tcp --dport 443 -j ACCEPT
- # drop INVALID packets (logs these in loglevel medium and higher)
- -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
- -A ufw-before-input -m conntrack --ctstate INVALID -j DROP
- # ok icmp codes for INPUT (no -i match: echo-request is also answered on
- # ppp0; add `-i wlp2s0` to the echo-request rule if the gateway should not
- # respond to ping from upstream)
- -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
- -A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
- -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
- -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
- -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
- # ok icmp code for FORWARD
- -A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
- -A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
- -A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
- -A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
- -A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
- # allow dhcp client to work (server->client replies, any interface)
- -A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
- #
- # ufw-not-local
- #
- -A ufw-before-input -j ufw-not-local
- # if LOCAL, RETURN
- -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
- # if MULTICAST, RETURN
- -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
- # if BROADCAST, RETURN
- -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
- # all other non-local packets are dropped (rate-limited log first)
- -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
- -A ufw-not-local -j DROP
- # allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
- # is uncommented). No -i match; add `-i wlp2s0` if these should be LAN-only.
- -A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
- # allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
- # is uncommented)
- -A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
- # don't delete the 'COMMIT' line or these rules won't be processed
- COMMIT
- # Optional DNAT port-forwards (disabled).
- # NOTE(review): after.rules carries a second commented copy of these that
- # points 80/443 at 192.168.0.34 instead of 192.168.0.3 -- keep exactly one
- # copy with one set of targets. A DNAT'd packet is filtered in FORWARD (the
- # ppp0->wlp2s0 rules above), not INPUT, so the `1111/tcp ALLOW Anywhere`
- # user rule is not what admits it; that rule only opens 1111/tcp on the
- # gateway itself and can be removed if nothing listens there.
- #*nat
- #:PREROUTING ACCEPT [0:0]
- #
- #-A PREROUTING -p tcp --dport 1111 -j DNAT --to-destination 192.168.0.34:22
- #-A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.3:80
- #-A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.0.3:443
- #
- #COMMIT
- root@media:/home/dost# cat /etc/ufw/after.rules
- #
- # rules.input-after
- #
- # Rules that should be run after the ufw command line added rules. Custom
- # rules should be added to one of these chains:
- # ufw-after-input
- # ufw-after-output
- # ufw-after-forward
- #
- # Don't delete these required lines, otherwise there will be errors
- *filter
- :ufw-after-input - [0:0]
- :ufw-after-output - [0:0]
- :ufw-after-forward - [0:0]
- # End required lines
- # don't log noisy services by default: NetBIOS/SMB and DHCP probes jump
- # straight to the INPUT policy (DROP on this host) without passing through
- # the [UFW BLOCK] logging chain
- -A ufw-after-input -p udp --dport 137 -j ufw-skip-to-policy-input
- -A ufw-after-input -p udp --dport 138 -j ufw-skip-to-policy-input
- -A ufw-after-input -p tcp --dport 139 -j ufw-skip-to-policy-input
- -A ufw-after-input -p tcp --dport 445 -j ufw-skip-to-policy-input
- -A ufw-after-input -p udp --dport 67 -j ufw-skip-to-policy-input
- -A ufw-after-input -p udp --dport 68 -j ufw-skip-to-policy-input
- # don't log noisy broadcast
- -A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
- # NAT gateway: let LAN hosts (wlp2s0, source 192.168.0.0/24) open new
- # connections out via ppp0. This is appended to the built-in FORWARD chain, so
- # it is evaluated after every ufw-* jump; anything it does not match falls
- # through to the FORWARD policy (DROP). The destination is deliberately
- # unrestricted, as expected for a default gateway.
- # Forwarding also needs net/ipv4/ip_forward=1 (normally /etc/ufw/sysctl.conf)
- # -- not visible in this capture, verify on the host.
- -A FORWARD -o ppp0 -i wlp2s0 -s 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
- # Reply traffic is already accepted by the RELATED,ESTABLISHED rule in
- # ufw-before-forward, which runs first, so this rule is effectively a no-op
- # (0 packets in the captured counters). Harmless, but it can be dropped.
- -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
- # don't delete the 'COMMIT' line or these rules won't be processed
- COMMIT
- # Enable NAT
- *nat
- :POSTROUTING ACCEPT [0:0]
- # Optional DNAT port-forwards (disabled).
- # NOTE(review): before.rules has another commented copy of these that points
- # 80/443 at 192.168.0.3, not 192.168.0.34 -- keep exactly one copy. If these
- # are enabled, the DNAT'd packets are admitted by the ppp0->wlp2s0 ACCEPT
- # rules in ufw-before-forward, which currently match any LAN destination;
- # pin those rules to 192.168.0.34 (`-d 192.168.0.34`) at the same time.
- #:PREROUTING ACCEPT [0:0]
- #-A PREROUTING -p tcp --dport 1111 -j DNAT --to-destination 192.168.0.34:22
- #-A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.34:80
- #-A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.0.34:443
- # Masquerade LAN traffic leaving on ppp0, the upstream interface used on this
- # host (the stock comment referred to eth0). Change -o if the uplink changes.
- -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
- COMMIT
- root@media:/home/dost# ufw status
- Status: active
- To Action From
- -- ------ ----
- 67/udp on wlp2s0 ALLOW 68/udp
- 53 on wlp2s0 ALLOW 192.168.0.0/24
- 1111/tcp ALLOW Anywhere
- 22/tcp ALLOW Anywhere
- 80/tcp ALLOW Anywhere
- 443/tcp ALLOW Anywhere
- 67/udp (v6) on wlp2s0 ALLOW 68/udp (v6)
- 1111/tcp (v6) ALLOW Anywhere (v6)
- 22/tcp (v6) ALLOW Anywhere (v6)
- 80/tcp (v6) ALLOW Anywhere (v6)
- 443/tcp (v6) ALLOW Anywhere (v6)