iomari

Untitled

Jul 12th, 2022
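  # IPv4 "mangle" table: early sanity filtering for packets arriving on the
  # WAN interface eno1.  These chains hook at priority mangle (-150), which is
  # AFTER the conntrack lookup (-200) and BEFORE dstnat (-100): `ct state` is
  # already known here, but anything that has to run before conntrack
  # (notrack) does not belong in this table.
  table ip mangle {
      chain PREROUTING {
          type filter hook prerouting priority mangle; policy accept;
          # Non-zero fragment offset => a non-first fragment; dropped outright.
          iifname "eno1" ip frag-off & 8191 != 0 counter packets 0 bytes 0 drop comment "DDOS RULE: Drop fragments in all chains"
          # "This network", RFC1918, loopback, link-local, TEST-NET-1 and
          # multicast/reserved sources must never enter via the WAN side.
          iifname "eno1" ip saddr { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, 224.0.0.0-255.255.255.255 } counter packets 0 bytes 0 drop comment "DDOS RULE: Block spoofed packets"
          # Illegal TCP flag combinations.  `flags a / b` means "of the bits in b,
          # exactly a is set"; `flags ! a,b,...` reads as "none of these bits set".
          iifname "eno1" tcp flags ! fin,syn,rst,psh,ack,urg counter packets 0 bytes 0 drop comment "DDOS RULE: Block packets with bogus TCP flags"
          iifname "eno1" tcp flags psh / psh,ack counter packets 0 bytes 0 drop comment "DDOS RULE: Block packets with bogus TCP flags"
          # FIX: this rule appeared twice in a row; the duplicate was removed.
          iifname "eno1" tcp flags fin / fin,ack counter packets 0 bytes 0 drop comment "DDOS RULE: Block packets with bogus TCP flags"
          iifname "eno1" tcp flags fin,rst / fin,rst counter packets 0 bytes 0 drop comment "DDOS RULE: Block packets with bogus TCP flags"
          iifname "eno1" tcp flags syn,rst / syn,rst counter packets 0 bytes 0 drop comment "DDOS RULE: Block packets with bogus TCP flags"
          iifname "eno1" tcp flags fin,syn / fin,syn counter packets 0 bytes 0 drop comment "DDOS RULE: Block packets with bogus TCP flags"
          # The MSS option is only carried by SYN segments, so this is implicitly a
          # SYN-only check; 536 is the classic minimum IPv4 MSS.
          iifname "eno1" ct state new tcp option maxseg size != 536-65535 counter packets 0 bytes 0 drop comment "DDOS RULE: Drop SYN packets with suspicious MSS value"
          # FIX: the original rule was `iifname "eno1" ct state new ... drop` with no
          # protocol or flag match, so it dropped EVERY new flow entering eno1 (any
          # protocol, SYN included -- also the dstnat port-forwards in table ip nat),
          # contradicting its own comment.  It now drops only TCP packets that open a
          # new conntrack entry without being a pure SYN (the iptables `! --syn` case).
          # With this fixed, new TCP from eno1 is gated by table ip filter / chain
          # INPUT; review the unrestricted `tcp dport 22` and `tcp dport 8080` accepts
          # there, which precede that chain's eno1 new-connection drop.
          iifname "eno1" tcp flags & (fin|syn|rst|ack) != syn ct state new counter packets 0 bytes 0 drop comment "DDOS RULE: Drop TCP packets that are new and are not SYN"
          iifname "eno1" ct state invalid counter packets 0 bytes 0 drop comment "DDOS RULE: Drop invalid packets"
          # NOTE(review): `notrack` only has an effect when it runs BEFORE the
          # conntrack lookup, i.e. in a prerouting chain with `priority raw` (-300).
          # At mangle priority the packet already has a conntrack entry, so this
          # statement is a no-op and the synproxy rules in table ip filter / chain
          # INPUT never receive untracked SYNs.  Left unchanged here because moving it
          # changes how every inbound SYN traverses the filter INPUT chain; rework it
          # together with that chain.
          tcp flags syn / fin,syn,rst,ack counter packets 0 bytes 0 notrack comment "DDOS RULE:SYNPROXY RULES FOR SYN FLOODS"
      }

      # The remaining base chains are empty hook points (policy accept).
      chain INPUT {
          type filter hook input priority mangle; policy accept;
      }

      chain FORWARD {
          type filter hook forward priority mangle; policy accept;
      }

      # Locally generated packets.  `type route` re-evaluates the routing
      # decision if the chain changed the packet (classic mangle OUTPUT semantics).
      chain OUTPUT {
          type route hook output priority mangle; policy accept;
      }

      chain POSTROUTING {
          type filter hook postrouting priority mangle; policy accept;
      }

      # Regular (non-base) chain: empty and not referenced by any jump/goto in
      # this ruleset, so it never runs.
      chain droppedManglePre {
      }
  }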
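  # IPv4 NAT table.  Destination NAT (port-forwards and the Squid redirect) in
  # PREROUTING; source NAT per telco uplink on ens2f0, plus the WAN catch-all on
  # eno1, in POSTROUTING.
  table ip nat {
      # Internal source groups; each group is SNATed to a dedicated address when
      # leaving via ens2f0 (see POSTROUTING).  `size` only matters for dynamic
      # sets and is harmless on these static ones.
      set tel01 {
          type ipv4_addr
          size 65536
          elements = { 172.24.11.115, 172.24.11.116,
                       172.24.11.118, 172.24.11.119,
                       172.24.11.120, 172.24.11.121,
                       172.24.11.124, 172.24.11.195,
                       172.24.11.196, 172.24.11.197 }
      }

      set tel02 {
          type ipv4_addr
          size 65536
          elements = { 10.1.34.201, 10.1.34.202,
                       10.1.34.203, 10.1.34.204,
                       10.1.34.205, 10.1.178.52,
                       10.1.178.53, 10.1.178.54,
                       10.1.178.72, 10.1.178.73 }
      }

      set tel03 {
          type ipv4_addr
          size 65536
          elements = { 10.152.194.18, 10.152.194.19,
                       10.152.194.20 }
      }

      set tel04 {
          type ipv4_addr
          size 65536
          elements = { 10.161.10.181, 10.161.10.187,
                       10.161.10.188 }
      }

      set tel05 {
          type ipv4_addr
          size 65536
          elements = { 192.168.100.1, 192.168.100.2,
                       192.168.100.3, 192.168.100.4,
                       192.168.100.5, 192.168.100.6 }
      }

      # FIX: the empty `chain RAW { type nat hook prerouting priority dstnat; }`
      # was removed.  It registered a second, empty nat prerouting hook at the same
      # priority as PREROUTING, and its name suggested a raw (-300) chain, which it
      # was not.  A pre-conntrack chain (e.g. for notrack) has to be a `type filter`
      # chain with `hook prerouting priority raw`.

      chain PREROUTING {
          type nat hook prerouting priority dstnat; policy accept;
          # NOTE(review): this intercepts port-80 connections ARRIVING on eno1 --
          # the WAN side, judging by the masquerade/snat on eno1 below -- and sends
          # them to the local Squid port.  Transparent proxying is normally applied
          # to LAN-facing interfaces; confirm the interface is the intended one.
          iifname "eno1" tcp dport 80 counter packets 0 bytes 0 redirect to :3128 comment "Send To Squid Proxy for Port 80 Traffic"
          # Port-forwards.  None has a source match, so each forwarded service
          # (three of them SSH) is reachable from any address that reaches eno1;
          # table ip filter / chain FORWARD accepts them without a source match too.
          # Style: these use `iif` (interface index, resolved at load time) while the
          # rule above uses `iifname`; `iif` fails to load if the interface does not
          # exist yet and silently stops matching if it is re-created.
          iif "eno1" tcp dport 31796 counter packets 0 bytes 0 dnat to 192.168.11.106:31796 comment "PULSAR"
          iif "eno1" tcp dport 32620 counter packets 0 bytes 0 dnat to 192.168.11.103:32620 comment "DASK"
          # NOTE(review): external 19350 -> internal 19530.  The only forward whose
          # external and internal ports differ by a digit transposition; the other
          # remapped forwards (29443->9443, 29000->9090) are clearly deliberate.
          # Confirm this is not a typo.
          iif "eno1" tcp dport 19350 counter packets 0 bytes 0 dnat to 192.168.10.10:19530 comment "FACE-VECTOR-ENGINE-MILVUS"
          iif "eno1" tcp dport 29443 counter packets 0 bytes 0 dnat to 192.168.11.105:9443 comment "SPECIAL ACCESS FOR STORAGE"
          iif "eno1" tcp dport 29000 counter packets 0 bytes 0 dnat to 192.168.10.10:9090 comment "SPECIAL ACCESS FOR STORAGE"
          iif "eno1" tcp dport 14022 counter packets 0 bytes 0 dnat to 192.168.134.140:22 comment "Custom Rule: SPECIAL ACCESS FROM OUTSIDE"
          iif "eno1" tcp dport 12022 counter packets 0 bytes 0 dnat to 192.168.134.120:22 comment "Custom Rule: SPECIAL ACCESS FROM OUTSIDE"
          iif "eno1" tcp dport 13410 counter packets 0 bytes 0 dnat to 192.168.134.10:22 comment "Custom Rule: SPECIAL ACCESS FROM OUTSIDE"
      }

      # Empty hook point; numeric priority 100 is the `srcnat` value.
      chain INPUT {
          type nat hook input priority 100; policy accept;
      }

      chain POSTROUTING {
          type nat hook postrouting priority srcnat; policy accept;
          # NOTE(review): the comment on this rule is a copy-paste from the Squid
          # redirect; what the rule does is masquerade ALL traffic leaving eno1.
          # Because masquerade is a terminating NAT statement, the `snat to ...`
          # catch-all at the end of this chain can never be reached.  Decide which
          # of the two is wanted (a fixed `snat to` is preferable when the WAN
          # address is static).
          oifname "eno1" counter packets 0 bytes 0 masquerade comment "Send To Squid Proxy for Port 80 Traffic"
          # Per-group source NAT towards the telco uplinks on ens2f0.
          oif "ens2f0" ip saddr @tel01 counter packets 0 bytes 0 snat to 10.152.194.30 comment "ROUTE INTERNAL IPs TO TEL01 SERVERS"
          oif "ens2f0" ip saddr @tel02 counter packets 0 bytes 0 snat to 10.10.96.186 comment "ROUTE INTERNAL IPs TO TEL02 SERVERS"
          oif "ens2f0" ip saddr @tel03 counter packets 0 bytes 0 snat to 172.19.183.170 comment "ROUTE INTERNAL IPs TO TEL03 SERVERS"
          oif "ens2f0" ip saddr @tel04 counter packets 0 bytes 0 snat to 172.31.63.162 comment "ROUTE INTERNAL IPs TO TEL04 SERVERS"
          oif "ens2f0" ip saddr @tel05 counter packets 0 bytes 0 snat to 192.168.100.4 comment "ROUTE INTERNAL IPs TO TEL05 SERVERS"
          # Unreachable as long as the masquerade rule above is present (see note).
          # `xxx.xxx.xxx.xxx` is a redacted address; the file will not load as-is.
          oif "eno1" counter packets 0 bytes 0 snat to xxx.xxx.xxx.xxx comment "PASS ALL PACKETS WITHOUT A ROUTE TO DEFAULT ROUTE"
      }

      # Empty hook point; numeric priority -100 is the `dstnat` value.
      chain OUTPUT {
          type nat hook output priority -100; policy accept;
      }
  }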
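  # IPv4 filter table.  INPUT is default-drop; FORWARD and OUTPUT are
  # default-accept.
  table ip filter {
      # Telco-side addresses that must not initiate into the LAN (used in FORWARD).
      set telcos {
          type ipv4_addr
          size 65536
          elements = { 10.10.96.185, 172.19.183.169,
                       172.31.63.161, 192.168.100.1 }
      }

      # Ports dropped outright in INPUT and (from ens2f0) in FORWARD.
      # NOTE(review): 80, 443 and 3306 are also members of @allowedPorts.  In INPUT
      # the @dropPorts drop precedes the @allowedPorts accept, so those three ports
      # are only ever accepted for sources matched by an earlier accept rule.
      set dropPorts {
          type inet_service
          elements = { 21, 22, 23, 80, 443,
                       873, 992, 2022, 3306, 7000,
                       7001, 7002, 7004, 7016, 10000 }
      }

      # Dynamic set with a 5-minute element timeout.  No rule in this ruleset
      # adds to it or matches on it, so it is currently unused.
      set denylist {
          type ipv4_addr
          flags dynamic,timeout
          timeout 5m
      }

      set allowedPorts {
          type inet_service
          elements = { 53 comment "dns", 54 comment "testing", 80 comment "http", 123 comment "ntp", 161 comment "snmp",
                       443 comment "https", 953 comment "rndc", 3306 comment "mysql", 4242 comment "postgresql", 41184 comment "joplin" }
      }

      # Not referenced by any rule in this ruleset.
      set nimc {
          type ipv4_addr
          size 65536
          elements = { 192.168.100.1, 192.168.100.2,
                       192.168.100.3, 192.168.100.4,
                       192.168.100.5, 192.168.100.6 }
      }

      # Not referenced by any rule in this ruleset.
      set maclist {
          type ether_addr
          size 65536
          elements = { 30:3a:64:f3:5b:29,
                       38:63:bb:b9:8a:07 }
      }

      chain INPUT {
          type filter hook input priority filter; policy drop;
          # FIX: the comment string on this rule was missing its closing quote,
          # which makes the whole file fail to load with `nft -f`.
          ct state established,related counter packets 0 bytes 0 accept comment "ALLOW ESTABLISHED TRAFFIC FROM INTERNET"
          iifname "eno2" ip saddr { 192.168.31.9, 192.168.31.17 } counter packets 19 bytes 1156 accept comment "VIP Access"
          iif "eno2" tcp dport 23 counter packets 0 bytes 0 drop comment "DROP TELNET"
          # NOTE(review): unrestricted accept -- no interface or source match, no
          # counter, no comment -- placed before the eno1 new-connection drop below,
          # so TCP/8080 is reachable from every interface including the WAN side.
          tcp dport 8080 accept
          ip saddr 192.168.160.0/27 iif "eno2" counter packets 0 bytes 0 drop comment "Custom Rules for Guests on 160 network"
          # This single-host drop is subsumed by the /24 drop on the next line.
          ip saddr 192.168.150.2 iif "eno2" counter packets 0 bytes 0 drop comment "Custom Rule For DG Only"
          ip saddr 192.168.150.0/24 counter packets 0 bytes 0 drop comment "Custom Rule BLock all traffic from DG block"
          # NOTE(review): despite the comment there is no source or interface match,
          # and the rule precedes the `iif "eno1" ct state new drop` below, so new
          # SSH connections are accepted from every interface, eno1 included.
          # Restrict it (in-house range or a named set) if that is not intended.
          tcp dport 22 ct state new counter packets 0 bytes 0 accept comment "ALLOW SSH FOR AUTHORIZED SYSTEMS"
          # WAN gate: from here on, only non-eno1 traffic can be in state new.
          iif "eno1" ct state new counter packets 0 bytes 0 drop comment "BLOCK ALL NEW TRAFFIC FROM INTERNET"
          iif { "eno2", "bondlan" } ip saddr 192.168.16.0/20 counter packets 0 bytes 0 accept comment "ACCEPT LOCAL TRAFFIC FROM INHOUSE IPs"
          tcp dport @dropPorts counter packets 0 bytes 0 drop comment "DROP NMAP SCANS AND VARIOUS PORTS"
          # FIN-only segments (no SYN/RST/PSH/ACK/URG set).
          tcp flags fin / fin,syn,rst,psh,ack,urg counter packets 0 bytes 0 drop comment "DROP TCP ATTACKS"
          # Per-interface ICMP: drop echo-requests and IP packets of 1492+ bytes
          # carrying ICMP.
          # FIX: the `icmp type echo-request` rule was present twice for each of
          # bondlan, ens2f0 and eno1; the duplicates were removed.
          iif "bondlan" icmp type echo-request counter packets 0 bytes 0 drop comment "DROP INPUT PINGS"
          iif "bondlan" ip protocol icmp meta length 1492-65535 counter packets 0 bytes 0 drop comment "DROP INPUT PINGS"
          iif "ens2f0" icmp type echo-request counter packets 0 bytes 0 drop comment "DROP INPUT PINGS"
          iif "ens2f0" ip protocol icmp meta length 1492-65535 counter packets 0 bytes 0 drop comment "DROP INPUT PINGS"
          iif "eno1" icmp type echo-request counter packets 0 bytes 0 drop comment "DROP INPUT PINGS"
          iif "eno1" ip protocol icmp meta length 1492-65535 counter packets 0 bytes 0 drop comment "DROP INPUT PINGS"
          tcp flags syn tcp dport @allowedPorts counter packets 0 bytes 0 accept comment "ACCEPT ALLOWED PORTS"
          # NOTE(review): the eno1 DDOS rules below only see eno1 traffic that
          # survived the `iif "eno1" ct state new drop` above, i.e. practically no
          # new connections.  The `limit rate` is also a single global token bucket,
          # not per source IP as its comment says (a per-IP limit needs a meter /
          # dynamic set keyed on `ip saddr`).
          meta l4proto tcp iifname "eno1" ct count over 111 counter packets 0 bytes 0 reject with tcp reset comment "DDOS RULE: Limit connections per source IP"
          iifname "eno1" ip protocol tcp ct state new limit rate 60/second burst 20 packets counter packets 0 bytes 0 accept comment "DDOS RULE Limit new TCP connections per second per source IP"
          iifname "eno1" ip protocol tcp ct state new counter packets 0 bytes 0 drop comment "DDOS RULE Limit new TCP connections per second per source IP"
          # NOTE(review): synproxy only acts on untracked SYNs, but the matching
          # `notrack` sits in table ip mangle at mangle priority, where it runs after
          # the conntrack lookup and has no effect (it needs `priority raw`).  SYNs to
          # @allowedPorts are also already accepted above.  As ordered, these two
          # rules never engage.
          ct state invalid,untracked counter packets 0 bytes 0 synproxy mss 1460 wscale 7 timestamp sack-perm comment "DDOS RULE:SYNPROXY RULES FOR SYN FLOODS"
          ct state invalid counter packets 0 bytes 0 drop comment "DDOS RULE:SYNPROXY RULES FOR SYN FLOODS"
      }

      # NOTE(review): policy accept -- anything not matched below is forwarded,
      # including traffic between the internal interfaces and LAN -> eno1.
      chain FORWARD {
          type filter hook forward priority filter; policy accept;
          # Accepts for the dstnat port-forwards in table ip nat.  They match the
          # post-DNAT destination only; with no source or `iif` match, the forwarded
          # services (three of them SSH) are open to any source that reaches eno1.
          ip daddr 192.168.11.106 tcp dport 31796 counter packets 0 bytes 0 accept comment "PULSAR"
          ip daddr 192.168.11.103 tcp dport 32620 counter packets 0 bytes 0 accept comment "DASK"
          ip daddr 192.168.10.10 tcp dport 19530 counter packets 0 bytes 0 accept comment "FACE-VECTOR-ENGINE-MILVUS"
          ip daddr 192.168.11.105 tcp dport 9443 counter packets 0 bytes 0 accept comment "SPECIAL ACCESS FOR STORAGE"
          ip daddr 192.168.10.10 tcp dport 9090 counter packets 0 bytes 0 accept comment "SPECIAL ACCESS FOR STORAGE"
          ip daddr 192.168.134.140 tcp dport 22 counter packets 0 bytes 0 accept comment "Custom Rule: SPECIAL ACCESS FROM OUTSIDE"
          ip daddr 192.168.134.120 tcp dport 22 counter packets 0 bytes 0 accept comment "Custom Rule: SPECIAL ACCESS FROM OUTSIDE"
          ip daddr 192.168.134.10 tcp dport 22 counter packets 0 bytes 0 accept comment "Custom Rule: SPECIAL ACCESS FROM OUTSIDE"
          # The guest /27 and the single DG host may egress via eno1; the rest of
          # the DG /24 is dropped.  Order matters: the .2 accept precedes the /24 drop.
          ip saddr 192.168.160.0/27 oif "eno1" counter packets 0 bytes 0 accept comment "Custom Rules for Guests on 160 network"
          ip saddr 192.168.150.2 oif "eno1" counter packets 0 bytes 0 accept comment "Custom Rule For DG Only"
          ip saddr 192.168.150.0/24 counter packets 0 bytes 0 drop comment "Custom Rule BLock all traffic from DG block"
          ct state established,related counter packets 32 bytes 2853 accept comment "ALLOW ESTABLISHED TRAFFIC FROM INTERNET"
          # Same unrestricted SSH accept as in INPUT (no source or interface match),
          # again placed before the eno1 new-connection drop.
          tcp dport 22 ct state new counter packets 0 bytes 0 accept comment "ALLOW SSH FOR AUTHORIZED SYSTEMS"
          iif "eno1" ct state new counter packets 0 bytes 0 drop comment "BLOCK ALL NEW TRAFFIC FROM INTERNET"
          iif { "eno2", "bondlan" } ip saddr 192.168.16.0/20 counter packets 0 bytes 0 accept comment "ACCEPT LOCAL TRAFFIC FROM INHOUSE IPs"
          iif "ens2f0" tcp dport @dropPorts counter packets 0 bytes 0 drop comment "DROP THESE PORTS"
          iif "ens2f0" ip saddr @telcos counter packets 0 bytes 0 drop comment "DROP TELCOS FROM ENTERING OUR NETWORK"
          tcp dport @allowedPorts counter packets 0 bytes 0 accept comment "ACCEPT ALLOWED PORTS"
      }

      chain OUTPUT {
          type filter hook output priority filter; policy accept;
      }

      # Regular chain; no jump/goto in this ruleset references it, so it never
      # runs.  It also appears incomplete: a rate-limited `return` only makes
      # sense if the chain ends with a drop for the packets that exceed the limit,
      # and no such rule is present.
      # FIX: the rule was duplicated; one copy removed.
      chain port_scanning {
          iifname "eno1" tcp flags rst / fin,syn,rst,ack limit rate 1/second burst 2 packets counter packets 0 bytes 0 return comment "DDOS RULE: Protection against port scanning"
      }
  }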