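table ip mangle {
	# WAN-side (eno1) packet hygiene, hooked at prerouting with mangle priority
	# (-150). This runs before nat dstnat (-100) and before the filter table's
	# INPUT/FORWARD chains, so a drop here is final for the DNAT/redirect rules too.
	chain PREROUTING {
		type filter hook prerouting priority mangle; policy accept;
		iifname "eno1" ip frag-off & 8191 != 0 counter packets 0 bytes 0 drop comment "DDOS RULE: Drop fragments in all chains"
		# Bogon / private source ranges must never arrive from the WAN. The list
		# includes 192.168.0.0/16, so any LAN range that legitimately shows up on
		# eno1 would need an exception placed above this rule.
		iifname "eno1" ip saddr { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, 224.0.0.0-255.255.255.255 } counter packets 0 bytes 0 drop comment "DDOS RULE: Block spoofed packets"
		# Bogus TCP flag combinations (the duplicate "fin / fin,ack" rule was removed).
		iifname "eno1" tcp flags ! fin,syn,rst,psh,ack,urg counter packets 0 bytes 0 drop comment "DDOS RULE: Block packets with bogus TCP flags"
		iifname "eno1" tcp flags psh / psh,ack counter packets 0 bytes 0 drop comment "DDOS RULE: Block packets with bogus TCP flags"
		iifname "eno1" tcp flags fin / fin,ack counter packets 0 bytes 0 drop comment "DDOS RULE: Block packets with bogus TCP flags"
		iifname "eno1" tcp flags fin,rst / fin,rst counter packets 0 bytes 0 drop comment "DDOS RULE: Block packets with bogus TCP flags"
		iifname "eno1" tcp flags syn,rst / syn,rst counter packets 0 bytes 0 drop comment "DDOS RULE: Block packets with bogus TCP flags"
		iifname "eno1" tcp flags fin,syn / fin,syn counter packets 0 bytes 0 drop comment "DDOS RULE: Block packets with bogus TCP flags"
		iifname "eno1" ct state new tcp option maxseg size != 536-65535 counter packets 0 bytes 0 drop comment "DDOS RULE: Drop SYN packets with suspicious MSS value"
		# FIX: the original rule was `iifname "eno1" ct state new ... drop` with no
		# protocol or flag match, so it dropped every new flow entering on eno1 (any
		# protocol, SYN included) and silently defeated the nat-table port forwards
		# and the port-80 redirect. The comment describes "new and not SYN", which
		# needs the flag test below.
		iifname "eno1" ct state new tcp flags & syn != syn counter packets 0 bytes 0 drop comment "DDOS RULE: Drop TCP packets that are new and are not SYN"
		# NOTE(review): with SYNPROXY in filter INPUT, the client's cookie ACK passes
		# through this chain first; depending on nf_conntrack_tcp_loose it is seen as
		# "new" (caught by the rule above) or "invalid" (caught by the rule below).
		# If synproxy is relied on, these two drops belong after the synproxy rule in
		# filter INPUT rather than here — confirm by testing a WAN connection.
		iifname "eno1" ct state invalid counter packets 0 bytes 0 drop comment "DDOS RULE: Drop invalid packets"
		# FIX: scoped to eno1. The original had no interface match, so every SYN on
		# every interface was marked untracked; NAT only applies to tracked packets,
		# so LAN-originated TCP would have left eno1 without the masquerade/SNAT from
		# the nat table. Untracked WAN SYNs likewise bypass the nat-table DNAT rules;
		# verify the port forwards still work with synproxy in place.
		iifname "eno1" tcp flags syn / fin,syn,rst,ack counter packets 0 bytes 0 notrack comment "DDOS RULE:SYNPROXY RULES FOR SYN FLOODS"
	}
	# The remaining base chains carry no rules; with policy accept they are no-ops.
	chain INPUT {
		type filter hook input priority mangle; policy accept;
	}
	chain FORWARD {
		type filter hook forward priority mangle; policy accept;
	}
	chain OUTPUT {
		type route hook output priority mangle; policy accept;
	}
	chain POSTROUTING {
		type filter hook postrouting priority mangle; policy accept;
	}
	# Regular (non-base) chain; nothing in this listing jumps to it.
	chain droppedManglePre {
	}
}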
table ip nat {
	# tel01..tel05: internal source groups that are SNAT'd to a per-carrier
	# address when leaving via ens2f0 (see POSTROUTING below).
	set tel01 {
		type ipv4_addr
		size 65536
		elements = { 172.24.11.115, 172.24.11.116,
		172.24.11.118, 172.24.11.119,
		172.24.11.120, 172.24.11.121,
		172.24.11.124, 172.24.11.195,
		172.24.11.196, 172.24.11.197 }
	}
	set tel02 {
		type ipv4_addr
		size 65536
		elements = { 10.1.34.201, 10.1.34.202,
		10.1.34.203, 10.1.34.204,
		10.1.34.205, 10.1.178.52,
		10.1.178.53, 10.1.178.54,
		10.1.178.72, 10.1.178.73 }
	}
	set tel03 {
		type ipv4_addr
		size 65536
		elements = { 10.152.194.18, 10.152.194.19,
		10.152.194.20 }
	}
	set tel04 {
		type ipv4_addr
		size 65536
		elements = { 10.161.10.181, 10.161.10.187,
		10.161.10.188 }
	}
	set tel05 {
		type ipv4_addr
		size 65536
		elements = { 192.168.100.1, 192.168.100.2,
		192.168.100.3, 192.168.100.4,
		192.168.100.5, 192.168.100.6 }
	}
	# Empty chain registered on the same hook/priority as PREROUTING. Harmless,
	# but the name is misleading: "raw" is a different hook priority (-300).
	chain RAW {
		type nat hook prerouting priority dstnat; policy accept;
	}
	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		# NOTE(review): this redirects port-80 connections *arriving from the WAN*
		# to the local proxy. If the intent is transparent proxying of LAN clients,
		# the interface should be the LAN side; as written, only the filter INPUT
		# chain stands between the internet and the proxy on 3128.
		iifname "eno1" tcp dport 80 counter packets 0 bytes 0 redirect to :3128 comment "Send To Squid Proxy for Port 80 Traffic"
		# Port forwards. `iif` (rule above uses `iifname`) binds to the interface
		# index at load time, so the interface must exist when the ruleset loads.
		iif "eno1" tcp dport 31796 counter packets 0 bytes 0 dnat to 192.168.11.106:31796 comment "PULSAR"
		iif "eno1" tcp dport 32620 counter packets 0 bytes 0 dnat to 192.168.11.103:32620 comment "DASK"
		# External 19350 -> internal 19530; the digit transposition looks deliberate
		# (filter FORWARD accepts 19530) but is worth confirming.
		iif "eno1" tcp dport 19350 counter packets 0 bytes 0 dnat to 192.168.10.10:19530 comment "FACE-VECTOR-ENGINE-MILVUS"
		iif "eno1" tcp dport 29443 counter packets 0 bytes 0 dnat to 192.168.11.105:9443 comment "SPECIAL ACCESS FOR STORAGE"
		iif "eno1" tcp dport 29000 counter packets 0 bytes 0 dnat to 192.168.10.10:9090 comment "SPECIAL ACCESS FOR STORAGE"
		# SSH exposed to the WAN on three internal hosts; no source restriction here
		# (and none in filter FORWARD), so access control rests on the hosts' sshd.
		iif "eno1" tcp dport 14022 counter packets 0 bytes 0 dnat to 192.168.134.140:22 comment "Custom Rule: SPECIAL ACCESS FROM OUTSIDE"
		iif "eno1" tcp dport 12022 counter packets 0 bytes 0 dnat to 192.168.134.120:22 comment "Custom Rule: SPECIAL ACCESS FROM OUTSIDE"
		iif "eno1" tcp dport 13410 counter packets 0 bytes 0 dnat to 192.168.134.10:22 comment "Custom Rule: SPECIAL ACCESS FROM OUTSIDE"
	}
	chain INPUT {
		type nat hook input priority 100; policy accept;
	}
	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		# Masquerade for everything leaving the WAN interface (the comment was
		# copied from the redirect rule and does not describe this rule).
		oifname "eno1" counter packets 0 bytes 0 masquerade comment "Send To Squid Proxy for Port 80 Traffic"
		# Per-carrier SNAT on ens2f0, keyed by source set.
		oif "ens2f0" ip saddr @tel01 counter packets 0 bytes 0 snat to 10.152.194.30 comment "ROUTE INTERNAL IPs TO TEL01 SERVERS"
		oif "ens2f0" ip saddr @tel02 counter packets 0 bytes 0 snat to 10.10.96.186 comment "ROUTE INTERNAL IPs TO TEL02 SERVERS"
		oif "ens2f0" ip saddr @tel03 counter packets 0 bytes 0 snat to 172.19.183.170 comment "ROUTE INTERNAL IPs TO TEL03 SERVERS"
		oif "ens2f0" ip saddr @tel04 counter packets 0 bytes 0 snat to 172.31.63.162 comment "ROUTE INTERNAL IPs TO TEL04 SERVERS"
		oif "ens2f0" ip saddr @tel05 counter packets 0 bytes 0 snat to 192.168.100.4 comment "ROUTE INTERNAL IPs TO TEL05 SERVERS"
		# `xxx.xxx.xxx.xxx` is a redacted placeholder; nft will not load it as-is.
		# The rule is also expected to be unreachable: masquerade above is a
		# terminal NAT statement for the same oif.
		oif "eno1" counter packets 0 bytes 0 snat to xxx.xxx.xxx.xxx comment "PASS ALL PACKETS WITHOUT A ROUTE TO DEFAULT ROUTE"
	}
	chain OUTPUT {
		type nat hook output priority -100; policy accept;
	}
}
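table ip filter {
	# NOTE(review): only `ip` (IPv4) family tables appear in this listing; if IPv6
	# is enabled on any interface, that traffic is not filtered by these rules.
	set telcos {
		type ipv4_addr
		size 65536
		elements = { 10.10.96.185, 172.19.183.169,
		172.31.63.161, 192.168.100.1 }
	}
	# Dropped on INPUT (all interfaces) and on FORWARD from ens2f0. Overlaps with
	# allowedPorts on 22, 80, 443 and 3306; in INPUT the dropPorts rule runs
	# first, so those allowedPorts entries are unreachable there.
	set dropPorts {
		type inet_service
		elements = { 21, 22, 23, 80, 443,
		873, 992, 2022, 3306, 7000,
		7001, 7002, 7004, 7016, 10000 }
	}
	# Dynamic set with 5-minute expiry; no rule in this listing adds to it or
	# matches on it, so it is currently unused.
	set denylist {
		type ipv4_addr
		flags dynamic,timeout
		timeout 5m
	}
	set allowedPorts {
		type inet_service
		elements = { 53 comment "dns", 54 comment "testing", 80 comment "http", 123 comment "ntp", 161 comment "snmp",
		443 comment "https", 953 comment "rndc", 3306 comment "mysql", 4242 comment "postgresql", 41184 comment "joplin" }
	}
	# Same members as the nat table's tel05; not referenced by any rule here.
	set nimc {
		type ipv4_addr
		size 65536
		elements = { 192.168.100.1, 192.168.100.2,
		192.168.100.3, 192.168.100.4,
		192.168.100.5, 192.168.100.6 }
	}
	# Not referenced by any rule in this listing.
	set maclist {
		type ether_addr
		size 65536
		elements = { 30:3a:64:f3:5b:29,
		38:63:bb:b9:8a:07 }
	}
	chain INPUT {
		type filter hook input priority filter; policy drop;
		# FIX: the comment string was missing its closing quote, a parse error that
		# stops the whole ruleset from loading.
		ct state established,related counter packets 0 bytes 0 accept comment "ALLOW ESTABLISHED TRAFFIC FROM INTERNET"
		iifname "eno2" ip saddr { 192.168.31.9, 192.168.31.17 } counter packets 19 bytes 1156 accept comment "VIP Access"
		iif "eno2" tcp dport 23 counter packets 0 bytes 0 drop comment "DROP TELNET"
		# NOTE(review): no interface, source or state match, and it precedes the
		# "BLOCK ALL NEW TRAFFIC FROM INTERNET" rule, so 8080 is open from eno1 as
		# far as this chain is concerned. Qualify it (iifname/ip saddr) or document why not.
		tcp dport 8080 accept
		ip saddr 192.168.160.0/27 iif "eno2" counter packets 0 bytes 0 drop comment "Custom Rules for Guests on 160 network"
		ip saddr 192.168.150.2 iif "eno2" counter packets 0 bytes 0 drop comment "Custom Rule For DG Only"
		ip saddr 192.168.150.0/24 counter packets 0 bytes 0 drop comment "Custom Rule BLock all traffic from DG block"
		# NOTE(review): despite the comment there is no source restriction, and the
		# rule precedes the eno1 new-state drop below. Whether a WAN SYN actually
		# reaches it also depends on the notrack rule in mangle PREROUTING, so do not
		# rely on that accident — add `ip saddr { ... }` for the authorized systems.
		tcp dport 22 ct state new counter packets 0 bytes 0 accept comment "ALLOW SSH FOR AUTHORIZED SYSTEMS"
		iif "eno1" ct state new counter packets 0 bytes 0 drop comment "BLOCK ALL NEW TRAFFIC FROM INTERNET"
		iif { "eno2", "bondlan" } ip saddr 192.168.16.0/20 counter packets 0 bytes 0 accept comment "ACCEPT LOCAL TRAFFIC FROM INHOUSE IPs"
		# Drops 80/443/3306 before the allowedPorts accept below can see them.
		tcp dport @dropPorts counter packets 0 bytes 0 drop comment "DROP NMAP SCANS AND VARIOUS PORTS"
		tcp flags fin / fin,syn,rst,psh,ack,urg counter packets 0 bytes 0 drop comment "DROP TCP ATTACKS"
		# ICMP echo-request and oversized ICMP dropped per interface (the duplicated
		# echo-request rule for each interface was removed).
		iif "bondlan" icmp type echo-request counter packets 0 bytes 0 drop comment "DROP INPUT PINGS"
		iif "bondlan" ip protocol icmp meta length 1492-65535 counter packets 0 bytes 0 drop comment "DROP INPUT PINGS"
		iif "ens2f0" icmp type echo-request counter packets 0 bytes 0 drop comment "DROP INPUT PINGS"
		iif "ens2f0" ip protocol icmp meta length 1492-65535 counter packets 0 bytes 0 drop comment "DROP INPUT PINGS"
		iif "eno1" icmp type echo-request counter packets 0 bytes 0 drop comment "DROP INPUT PINGS"
		iif "eno1" ip protocol icmp meta length 1492-65535 counter packets 0 bytes 0 drop comment "DROP INPUT PINGS"
		tcp flags syn tcp dport @allowedPorts counter packets 0 bytes 0 accept comment "ACCEPT ALLOWED PORTS"
		# NOTE(review): the two `limit rate` rules use a plain limit, i.e. one global
		# token bucket for all of eno1, not a per-source limit as their comments say;
		# per-source limiting needs a dynamic set / meter keyed on ip saddr. They are
		# also unreachable for `ct state new` from eno1, which the "BLOCK ALL NEW"
		# rule above already dropped.
		meta l4proto tcp iifname "eno1" ct count over 111 counter packets 0 bytes 0 reject with tcp reset comment "DDOS RULE: Limit connections per source IP"
		iifname "eno1" ip protocol tcp ct state new limit rate 60/second burst 20 packets counter packets 0 bytes 0 accept comment "DDOS RULE Limit new TCP connections per second per source IP"
		iifname "eno1" ip protocol tcp ct state new counter packets 0 bytes 0 drop comment "DDOS RULE Limit new TCP connections per second per source IP"
		# SYNPROXY completes the handshake for untracked SYNs; the `invalid` drop
		# must stay after it. Note that mangle PREROUTING already drops invalid
		# packets from eno1 before this chain runs, which can keep synproxy from
		# ever completing — test a WAN connection end to end.
		ct state invalid,untracked counter packets 0 bytes 0 synproxy mss 1460 wscale 7 timestamp sack-perm comment "DDOS RULE:SYNPROXY RULES FOR SYN FLOODS"
		ct state invalid counter packets 0 bytes 0 drop comment "DDOS RULE:SYNPROXY RULES FOR SYN FLOODS"
	}
	# NOTE(review): policy accept — anything not explicitly dropped below is
	# forwarded, e.g. traffic arriving on ens2f0 from addresses outside @telcos.
	chain FORWARD {
		type filter hook forward priority filter; policy accept;
		# Accepts matching the DNAT port forwards in the nat table.
		ip daddr 192.168.11.106 tcp dport 31796 counter packets 0 bytes 0 accept comment "PULSAR"
		ip daddr 192.168.11.103 tcp dport 32620 counter packets 0 bytes 0 accept comment "DASK"
		ip daddr 192.168.10.10 tcp dport 19530 counter packets 0 bytes 0 accept comment "FACE-VECTOR-ENGINE-MILVUS"
		ip daddr 192.168.11.105 tcp dport 9443 counter packets 0 bytes 0 accept comment "SPECIAL ACCESS FOR STORAGE"
		ip daddr 192.168.10.10 tcp dport 9090 counter packets 0 bytes 0 accept comment "SPECIAL ACCESS FOR STORAGE"
		ip daddr 192.168.134.140 tcp dport 22 counter packets 0 bytes 0 accept comment "Custom Rule: SPECIAL ACCESS FROM OUTSIDE"
		ip daddr 192.168.134.120 tcp dport 22 counter packets 0 bytes 0 accept comment "Custom Rule: SPECIAL ACCESS FROM OUTSIDE"
		ip daddr 192.168.134.10 tcp dport 22 counter packets 0 bytes 0 accept comment "Custom Rule: SPECIAL ACCESS FROM OUTSIDE"
		ip saddr 192.168.160.0/27 oif "eno1" counter packets 0 bytes 0 accept comment "Custom Rules for Guests on 160 network"
		ip saddr 192.168.150.2 oif "eno1" counter packets 0 bytes 0 accept comment "Custom Rule For DG Only"
		ip saddr 192.168.150.0/24 counter packets 0 bytes 0 drop comment "Custom Rule BLock all traffic from DG block"
		ct state established,related counter packets 32 bytes 2853 accept comment "ALLOW ESTABLISHED TRAFFIC FROM INTERNET"
		# NOTE(review): as in INPUT, no source restriction on forwarded SSH and it
		# precedes the eno1 new-state drop.
		tcp dport 22 ct state new counter packets 0 bytes 0 accept comment "ALLOW SSH FOR AUTHORIZED SYSTEMS"
		iif "eno1" ct state new counter packets 0 bytes 0 drop comment "BLOCK ALL NEW TRAFFIC FROM INTERNET"
		iif { "eno2", "bondlan" } ip saddr 192.168.16.0/20 counter packets 0 bytes 0 accept comment "ACCEPT LOCAL TRAFFIC FROM INHOUSE IPs"
		iif "ens2f0" tcp dport @dropPorts counter packets 0 bytes 0 drop comment "DROP THESE PORTS"
		iif "ens2f0" ip saddr @telcos counter packets 0 bytes 0 drop comment "DROP TELCOS FROM ENTERING OUR NETWORK"
		tcp dport @allowedPorts counter packets 0 bytes 0 accept comment "ACCEPT ALLOWED PORTS"
	}
	chain OUTPUT {
		type filter hook output priority filter; policy accept;
	}
	# Regular chain with no base hook and no jump/goto to it anywhere in this
	# listing, so it never runs. Even if it were reached, a rate-limited `return`
	# with nothing after it drops no excess; the usual shape is the rate-limited
	# return followed by an unconditional drop. Duplicate rule removed.
	chain port_scanning {
		iifname "eno1" tcp flags rst / fin,syn,rst,ack limit rate 1/second burst 2 packets counter packets 0 bytes 0 return comment "DDOS RULE: Protection against port scanning"
	}
}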