  1. root@media:/home/dost# iptables -vL
  2. Chain INPUT (policy DROP 114 packets, 7947 bytes)
  3. pkts bytes target prot opt in out source destination
  4. 4747 1194K ufw-before-logging-input all -- any any anywhere anywhere
  5. 4747 1194K ufw-before-input all -- any any anywhere anywhere
  6. 4057 1125K ufw-after-input all -- any any anywhere anywhere
  7. 114 7947 ufw-after-logging-input all -- any any anywhere anywhere
  8. 114 7947 ufw-reject-input all -- any any anywhere anywhere
  9. 114 7947 ufw-track-input all -- any any anywhere anywhere
  10.  
  11. Chain FORWARD (policy DROP 0 packets, 0 bytes)
  12. pkts bytes target prot opt in out source destination
  13. 71211 37M ufw-before-logging-forward all -- any any anywhere anywhere
  14. 71211 37M ufw-before-forward all -- any any anywhere anywhere
  15. 5074 294K ufw-after-forward all -- any any anywhere anywhere
  16. 5074 294K ufw-after-logging-forward all -- any any anywhere anywhere
  17. 5074 294K ufw-reject-forward all -- any any anywhere anywhere
  18. 5074 294K ufw-track-forward all -- any any anywhere anywhere
  19. 5074 294K ACCEPT all -- wlp2s0 ppp0 192.168.0.0/24 anywhere ctstate NEW
  20. 0 0 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
  21.  
  22. Chain OUTPUT (policy ACCEPT 4 packets, 160 bytes)
  23. pkts bytes target prot opt in out source destination
  24. 689 78679 ufw-before-logging-output all -- any any anywhere anywhere
  25. 689 78679 ufw-before-output all -- any any anywhere anywhere
  26. 228 18265 ufw-after-output all -- any any anywhere anywhere
  27. 228 18265 ufw-after-logging-output all -- any any anywhere anywhere
  28. 228 18265 ufw-reject-output all -- any any anywhere anywhere
  29. 228 18265 ufw-track-output all -- any any anywhere anywhere
  30.  
  31. Chain ufw-after-forward (1 references)
  32. pkts bytes target prot opt in out source destination
  33.  
  34. Chain ufw-after-input (1 references)
  35. pkts bytes target prot opt in out source destination
  36. 132 10728 ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:netbios-ns
  37. 0 0 ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:netbios-dgm
  38. 2 84 ufw-skip-to-policy-input tcp -- any any anywhere anywhere tcp dpt:netbios-ssn
  39. 8 388 ufw-skip-to-policy-input tcp -- any any anywhere anywhere tcp dpt:microsoft-ds
  40. 0 0 ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:bootps
  41. 0 0 ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:bootpc
  42. 3801 1106K ufw-skip-to-policy-input all -- any any anywhere anywhere ADDRTYPE match dst-type BROADCAST
  43.  
  44. Chain ufw-after-logging-forward (1 references)
  45. pkts bytes target prot opt in out source destination
  46. 200 11172 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
  47.  
  48. Chain ufw-after-logging-input (1 references)
  49. pkts bytes target prot opt in out source destination
  50. 98 6313 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
  51.  
  52. Chain ufw-after-logging-output (1 references)
  53. pkts bytes target prot opt in out source destination
  54.  
  55. Chain ufw-after-output (1 references)
  56. pkts bytes target prot opt in out source destination
  57.  
  58. Chain ufw-before-forward (1 references)
  59. pkts bytes target prot opt in out source destination
  60. 66137 37M ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
  61. 0 0 ACCEPT tcp -- ppp0 wlp2s0 anywhere anywhere tcp dpt:ssh
  62. 0 0 ACCEPT tcp -- ppp0 wlp2s0 anywhere anywhere tcp dpt:http
  63. 0 0 ACCEPT tcp -- ppp0 wlp2s0 anywhere anywhere tcp dpt:https
  64. 0 0 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable
  65. 0 0 ACCEPT icmp -- any any anywhere anywhere icmp source-quench
  66. 0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
  67. 0 0 ACCEPT icmp -- any any anywhere anywhere icmp parameter-problem
  68. 0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
  69. 5074 294K ufw-user-forward all -- any any anywhere anywhere
  70.  
  71. Chain ufw-before-input (1 references)
  72. pkts bytes target prot opt in out source destination
  73. 160 12960 ACCEPT all -- lo any anywhere anywhere
  74. 279 31674 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
  75. 11 440 ufw-logging-deny all -- any any anywhere anywhere ctstate INVALID
  76. 11 440 DROP all -- any any anywhere anywhere ctstate INVALID
  77. 0 0 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable
  78. 0 0 ACCEPT icmp -- any any anywhere anywhere icmp source-quench
  79. 0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
  80. 0 0 ACCEPT icmp -- any any anywhere anywhere icmp parameter-problem
  81. 0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
  82. 1 369 ACCEPT udp -- any any anywhere anywhere udp spt:bootps dpt:bootpc
  83. 4296 1148K ufw-not-local all -- any any anywhere anywhere
  84. 52 8782 ACCEPT udp -- any any anywhere 224.0.0.251 udp dpt:mdns
  85. 0 0 ACCEPT udp -- any any anywhere 239.255.255.250 udp dpt:1900
  86. 4244 1139K ufw-user-input all -- any any anywhere anywhere
  87.  
  88. Chain ufw-before-logging-forward (1 references)
  89. pkts bytes target prot opt in out source destination
  90.  
  91. Chain ufw-before-logging-input (1 references)
  92. pkts bytes target prot opt in out source destination
  93.  
  94. Chain ufw-before-logging-output (1 references)
  95. pkts bytes target prot opt in out source destination
  96.  
  97. Chain ufw-before-output (1 references)
  98. pkts bytes target prot opt in out source destination
  99. 160 12960 ACCEPT all -- any lo anywhere anywhere
  100. 301 47454 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
  101. 228 18265 ufw-user-output all -- any any anywhere anywhere
  102.  
  103. Chain ufw-logging-allow (0 references)
  104. pkts bytes target prot opt in out source destination
  105. 0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
  106.  
  107. Chain ufw-logging-deny (2 references)
  108. pkts bytes target prot opt in out source destination
  109. 11 440 RETURN all -- any any anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
  110. 0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
  111.  
  112. Chain ufw-not-local (1 references)
  113. pkts bytes target prot opt in out source destination
  114. 305 20552 RETURN all -- any any anywhere anywhere ADDRTYPE match dst-type LOCAL
  115. 52 8782 RETURN all -- any any anywhere anywhere ADDRTYPE match dst-type MULTICAST
  116. 3939 1119K RETURN all -- any any anywhere anywhere ADDRTYPE match dst-type BROADCAST
  117. 0 0 ufw-logging-deny all -- any any anywhere anywhere limit: avg 3/min burst 10
  118. 0 0 DROP all -- any any anywhere anywhere
  119.  
  120. Chain ufw-reject-forward (1 references)
  121. pkts bytes target prot opt in out source destination
  122.  
  123. Chain ufw-reject-input (1 references)
  124. pkts bytes target prot opt in out source destination
  125.  
  126. Chain ufw-reject-output (1 references)
  127. pkts bytes target prot opt in out source destination
  128.  
  129. Chain ufw-skip-to-policy-forward (0 references)
  130. pkts bytes target prot opt in out source destination
  131. 0 0 DROP all -- any any anywhere anywhere
  132.  
  133. Chain ufw-skip-to-policy-input (7 references)
  134. pkts bytes target prot opt in out source destination
  135. 3943 1117K DROP all -- any any anywhere anywhere
  136.  
  137. Chain ufw-skip-to-policy-output (0 references)
  138. pkts bytes target prot opt in out source destination
  139. 0 0 ACCEPT all -- any any anywhere anywhere
  140.  
  141. Chain ufw-track-forward (1 references)
  142. pkts bytes target prot opt in out source destination
  143.  
  144. Chain ufw-track-input (1 references)
  145. pkts bytes target prot opt in out source destination
  146.  
  147. Chain ufw-track-output (1 references)
  148. pkts bytes target prot opt in out source destination
  149. 0 0 ACCEPT tcp -- any any anywhere anywhere ctstate NEW
  150. 224 18105 ACCEPT udp -- any any anywhere anywhere ctstate NEW
  151.  
  152. Chain ufw-user-forward (1 references)
  153. pkts bytes target prot opt in out source destination
  154.  
  155. Chain ufw-user-input (1 references)
  156. pkts bytes target prot opt in out source destination
  157. 6 2004 ACCEPT udp -- wlp2s0 any anywhere anywhere udp spt:bootpc dpt:bootps
  158. 0 0 ACCEPT tcp -- wlp2s0 any 192.168.0.0/24 anywhere tcp dpt:domain
  159. 176 11885 ACCEPT udp -- wlp2s0 any 192.168.0.0/24 anywhere udp dpt:domain
  160. 0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:1111
  161. 1 52 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
  162. 4 196 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
  163. 0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
  164.  
  165. Chain ufw-user-limit (0 references)
  166. pkts bytes target prot opt in out source destination
  167. 0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
  168. 0 0 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
  169.  
  170. Chain ufw-user-limit-accept (0 references)
  171. pkts bytes target prot opt in out source destination
  172. 0 0 ACCEPT all -- any any anywhere anywhere
  173.  
  174. Chain ufw-user-logging-forward (0 references)
  175. pkts bytes target prot opt in out source destination
  176.  
  177. Chain ufw-user-logging-input (0 references)
  178. pkts bytes target prot opt in out source destination
  179.  
  180. Chain ufw-user-logging-output (0 references)
  181. pkts bytes target prot opt in out source destination
  182.  
  183. Chain ufw-user-output (1 references)
  184. pkts bytes target prot opt in out source destination
  185.  
  186. root@media:/home/dost# cat /etc/ufw/before.rules
  187. #
  188. # rules.before
  189. #
  190. # Rules that should be run before the ufw command line added rules. Custom
  191. # rules should be added to one of these chains:
  192. # ufw-before-input
  193. # ufw-before-output
  194. # ufw-before-forward
  195. #
       # NOTE(review): this box is a router (wlp2s0 = LAN 192.168.0.0/24, ppp0 = WAN,
       # see the MASQUERADE rule in after.rules). `ufw status` shows 22/tcp, 80/tcp,
       # 443/tcp and 1111/tcp allowed in "from Anywhere" on every interface, IPv4 and
       # IPv6, so the router's own SSH is reachable from the WAN side. Consider
       # restricting it to the LAN (`ufw allow in on wlp2s0 to any port 22 proto tcp`)
       # or at least `ufw limit 22/tcp`; the ufw-user-limit chain has 0 references,
       # so no rate limiting is in effect today. The 1111/tcp INPUT allow matches
       # nothing (0 pkts) and looks like it was meant to pair with the commented-out
       # DNAT 1111 -> 192.168.0.34:22 below; with that DNAT active the packet is
       # forwarded, never delivered locally, so the INPUT allow is most likely a
       # leftover that opens a port on the router itself -- confirm and remove.
  196.  
  197. # Don't delete these required lines, otherwise there will be errors
  198. *filter
  199. :ufw-before-input - [0:0]
  200. :ufw-before-output - [0:0]
  201. :ufw-before-forward - [0:0]
  202. :ufw-not-local - [0:0]
  203. # End required lines
  204.  
  205.  
  206. # allow all on loopback
  207. -A ufw-before-input -i lo -j ACCEPT
  208. -A ufw-before-output -o lo -j ACCEPT
  209.  
  210. # quickly process packets for which we already have a connection
  211. -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  212. -A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  213. -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  214.  
       # Inbound port-forwards from the WAN (ppp0) into the LAN (wlp2s0).
       # These carry no -d restriction, so they accept new connections to
       # 22/80/443 on *any* LAN host: once a PREROUTING DNAT is enabled, to
       # whatever it points at, and even without DNAT, to any 192.168.0.x
       # address a packet arriving on ppp0 happens to carry (no martian
       # filtering is visible in this paste). Pin them to the intended target
       # (e.g. add `-d 192.168.0.34`) and `-m conntrack --ctstate NEW` so a
       # later DNAT change cannot silently widen the exposure.
       # They currently match nothing (0 pkts in `iptables -vL`) because every
       # PREROUTING DNAT is commented out, both below and in after.rules.
  215. -A ufw-before-forward -i ppp0 -o wlp2s0 -p tcp --dport 22 -j ACCEPT
  216. -A ufw-before-forward -i ppp0 -o wlp2s0 -p tcp --dport 80 -j ACCEPT
  217. -A ufw-before-forward -i ppp0 -o wlp2s0 -p tcp --dport 443 -j ACCEPT
  218.  
  219. # drop INVALID packets (logs these in loglevel medium and higher)
  220. -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
  221. -A ufw-before-input -m conntrack --ctstate INVALID -j DROP
  222.  
  223. # ok icmp codes for INPUT
  224. -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
  225. -A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
  226. -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
  227. -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
  228. -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
  229.  
  230. # ok icmp code for FORWARD
  231. -A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
  232. -A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
  233. -A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
  234. -A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
  235. -A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
  236.  
  237. # allow dhcp client to work
  238. -A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
  239.  
  240. #
  241. # ufw-not-local
  242. #
  243. -A ufw-before-input -j ufw-not-local
  244.  
  245. # if LOCAL, RETURN
  246. -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
  247.  
  248. # if MULTICAST, RETURN
  249. -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
  250.  
  251. # if BROADCAST, RETURN
  252. -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
  253.  
  254. # all other non-local packets are dropped
  255. -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
  256. -A ufw-not-local -j DROP
  257.  
  258. # allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
  259. # is uncommented)
  260. -A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
  261.  
  262. # allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
  263. # is uncommented)
  264. -A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
  265.  
  266. # don't delete the 'COMMIT' line or these rules won't be processed
  267. COMMIT
  268.  
       # NOTE(review): this disabled *nat block is a second copy of the one in
       # after.rules, with a different target for 80/443 (192.168.0.3 here vs
       # 192.168.0.34 there). after.rules already owns the live *nat table;
       # keep a single copy so the two can never be enabled with conflicting
       # targets, and delete this one.
  269. #*nat
  270. #:PREROUTING ACCEPT [0:0]
  271. #
  272. #-A PREROUTING -p tcp --dport 1111 -j DNAT --to-destination 192.168.0.34:22
  273. #-A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.3:80
  274. #-A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.0.3:443
  275. #
  276. #COMMIT
  277.  
  278. root@media:/home/dost# cat /etc/ufw/after.rules
  279. #
  280. # rules.input-after
  281. #
  282. # Rules that should be run after the ufw command line added rules. Custom
  283. # rules should be added to one of these chains:
  284. # ufw-after-input
  285. # ufw-after-output
  286. # ufw-after-forward
  287. #
  288.  
  289. # Don't delete these required lines, otherwise there will be errors
  290. *filter
  291. :ufw-after-input - [0:0]
  292. :ufw-after-output - [0:0]
  293. :ufw-after-forward - [0:0]
  294. # End required lines
  295.  
  296. # don't log noisy services by default
  297. -A ufw-after-input -p udp --dport 137 -j ufw-skip-to-policy-input
  298. -A ufw-after-input -p udp --dport 138 -j ufw-skip-to-policy-input
  299. -A ufw-after-input -p tcp --dport 139 -j ufw-skip-to-policy-input
  300. -A ufw-after-input -p tcp --dport 445 -j ufw-skip-to-policy-input
  301. -A ufw-after-input -p udp --dport 67 -j ufw-skip-to-policy-input
  302. -A ufw-after-input -p udp --dport 68 -j ufw-skip-to-policy-input
  303.  
  304. # don't log noisy broadcast
  305. -A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
  306.  
       # LAN -> WAN routing policy. These are appended to the built-in FORWARD
       # chain instead of one of the ufw-* chains listed in the header, so they
       # land *after* every ufw chain (the last two FORWARD entries in
       # `iptables -vL`). That only works because nothing in the ufw chains
       # terminates these packets first; the ufw-managed home for them is
       # ufw-before-forward (or `ufw route allow ...` where the installed ufw
       # supports it). FORWARD's policy is DROP, so anything not listed here or
       # in before.rules is not routed.
       # Any new connection from the LAN subnet out through the WAN:
  307. -A FORWARD -o ppp0 -i wlp2s0 -s 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
       # Return traffic is already accepted by the RELATED,ESTABLISHED rule in
       # ufw-before-forward (66137 pkts there, 0 here); redundant but harmless.
  308. -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  309.  
  310. # don't delete the 'COMMIT' line or these rules won't be processed
  311. COMMIT
  312.  
  313. # Enable NAT
  314. *nat
  315. :POSTROUTING ACCEPT [0:0]
  316. #:PREROUTING ACCEPT [0:0]
  317.  
       # Disabled inbound port-forwards (WAN 1111 -> LAN SSH, WAN 80/443 -> LAN
       # web host). If these are enabled, uncomment the PREROUTING declaration
       # above as well, and tighten the matching ufw-before-forward ACCEPT rules
       # in before.rules (they have no -d and would admit traffic to any LAN
       # host). before.rules also carries a second, conflicting copy of these
       # (192.168.0.3 for 80/443) -- keep only one.
  318. #-A PREROUTING -p tcp --dport 1111 -j DNAT --to-destination 192.168.0.34:22
  319. #-A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.34:80
  320. #-A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.0.34:443
  321.  
  322. # Masquerade LAN traffic leaving through the WAN interface (ppp0; the stock
       # comment referred to eth0 -- the rule below was already changed). Routing
       # also needs net/ipv4/ip_forward=1 (normally set in /etc/ufw/sysctl.conf);
       # that file is not in this paste, but the non-zero FORWARD counters show
       # forwarding is on.
  323. -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
  324.  
  325. COMMIT
  326.  
  327. root@media:/home/dost# ufw status
  328. Status: active
  329.  
  330. To Action From
  331. -- ------ ----
  332. 67/udp on wlp2s0 ALLOW 68/udp
  333. 53 on wlp2s0 ALLOW 192.168.0.0/24
  334. 1111/tcp ALLOW Anywhere
  335. 22/tcp ALLOW Anywhere
  336. 80/tcp ALLOW Anywhere
  337. 443/tcp ALLOW Anywhere
  338. 67/udp (v6) on wlp2s0 ALLOW 68/udp (v6)
  339. 1111/tcp (v6) ALLOW Anywhere (v6)
  340. 22/tcp (v6) ALLOW Anywhere (v6)
  341. 80/tcp (v6) ALLOW Anywhere (v6)
  342. 443/tcp (v6) ALLOW Anywhere (v6)