- # Generated by iptables-save v1.4.14 on Tue Feb 17 20:55:42 2015
- # raw table: no rules, only default ACCEPT policies. There is no NOTRACK/CT
- # rule here, so every packet enters connection tracking and the
- # "-m conntrack --ctstate" matches in the filter table see all traffic.
- *raw
- :PREROUTING ACCEPT [429:62137]
- :OUTPUT ACCEPT [117:23438]
- COMMIT
- # Completed on Tue Feb 17 20:55:42 2015
- # Generated by iptables-save v1.4.14 on Tue Feb 17 20:55:42 2015
- # mangle table: traffic-control hook chains (tcpre/tcin/tcfor/tcout/tcpost).
- # All five are empty in this dump, so the only effective rule is the MARK on
- # FORWARD, which clears the low byte of the packet mark (mask 0xff, value 0)
- # before forwarded traffic reaches tcfor. The chain names and the
- # "Shorewall:" log prefixes used in the filter table suggest this ruleset is
- # Shorewall-generated; edit the Shorewall config rather than this dump.
- *mangle
- :PREROUTING ACCEPT [429:62137]
- :INPUT ACCEPT [187:26396]
- :FORWARD ACCEPT [216:33476]
- :OUTPUT ACCEPT [117:23438]
- :POSTROUTING ACCEPT [224:48999]
- :tcfor - [0:0]
- :tcin - [0:0]
- :tcout - [0:0]
- :tcpost - [0:0]
- :tcpre - [0:0]
- -A PREROUTING -j tcpre
- -A INPUT -j tcin
- # Reset mark bits 0-7 on every forwarded packet (mark = (mark & ~0xff) ^ 0x0).
- -A FORWARD -j MARK --set-xmark 0x0/0xff
- -A FORWARD -j tcfor
- -A OUTPUT -j tcout
- -A POSTROUTING -j tcpost
- COMMIT
- # Completed on Tue Feb 17 20:55:42 2015
- # Generated by iptables-save v1.4.14 on Tue Feb 17 20:55:42 2015
- # nat table: source NAT only. There is no DNAT/REDIRECT rule anywhere, so no
- # inbound service is forwarded to the LAN; everything leaving eth0 from the
- # listed sources is masqueraded to eth0's address.
- *nat
- :PREROUTING ACCEPT [100:6869]
- :INPUT ACCEPT [3:156]
- :OUTPUT ACCEPT [5:291]
- :POSTROUTING ACCEPT [6:343]
- :eth0_masq - [0:0]
- -A POSTROUTING -o eth0 -j eth0_masq
- # Masquerade the whole 10.0.0.0/8 zone, but only one host out of 192.168.0.0/16.
- # NOTE(review): in the filter table, new forwarded connections from
- # 192.168.0.0/16 to eth0 are dropped (loc22net), so the 192.168.10.3 rule is
- # currently unreachable for forwarded traffic -- it looks stale; confirm.
- # Conversely, if loc22net is ever opened up, the rest of 192.168.0.0/16 would
- # leave eth0 with unmasqueraded RFC1918 source addresses. Keep NAT and
- # policy in step.
- -A eth0_masq -s 10.0.0.0/8 -j MASQUERADE
- -A eth0_masq -s 192.168.10.3/32 -j MASQUERADE
- COMMIT
- # Completed on Tue Feb 17 20:55:42 2015
- # Generated by iptables-save v1.4.14 on Tue Feb 17 20:55:42 2015
- # filter table. Default-deny on INPUT, FORWARD and OUTPUT; all traffic must be
- # explicitly allowed by a zone-to-zone chain. Going by the chain names the
- # zones are:
- #   net  = eth0 (internet side)
- #   loc  = eth1, source 10.0.0.0/8
- #   loc2 = eth1, source 192.168.0.0/16
- #   fw   = the firewall host itself
- # Chains named "a2b" hold the a->b policy; "Drop"/"Reject" are the shared
- # default-action chains (silently discard noisy protocols before the final
- # DROP/LOG+reject); "reject" (lowercase) is the low-level REJECT helper.
- #
- # NOTE(review): loc and loc2 share eth1 and are told apart only by source
- # address. Nothing here prevents a host on eth1 from using a 10.x/8 source
- # (a secondary IP is enough): it would then be classified as loc, get
- # loc2net's unconditional ACCEPT and be masqueraded in the nat table, even
- # though loc22net drops new outbound connections from 192.168.0.0/16. If the
- # two zones are meant to be isolated from each other, they need separate
- # interfaces/VLANs; filtering alone cannot enforce it on a shared segment,
- # and hosts on the same L2 segment can talk to each other without ever
- # traversing these FORWARD rules.
- *filter
- :INPUT DROP [0:0]
- :FORWARD DROP [0:0]
- :OUTPUT DROP [0:0]
- :%Invalid - [0:0]
- :Broadcast - [0:0]
- :Drop - [0:0]
- :Invalid - [0:0]
- :NotSyn - [0:0]
- :Reject - [0:0]
- # dynamic, logdrop and logreject are declared but hold no rules / are not
- # referenced in this dump (dynamic is jumped to but empty) -- presumably the
- # dynamic-blacklist hook and unused log actions; harmless as-is.
- :dynamic - [0:0]
- :eth1_fwd - [0:0]
- :eth1_in - [0:0]
- :eth1_out - [0:0]
- :fw2loc - [0:0]
- :fw2loc2 - [0:0]
- :fw2net - [0:0]
- :loc22fw - [0:0]
- :loc22loc - [0:0]
- :loc22net - [0:0]
- :loc2_frwd - [0:0]
- :loc2fw - [0:0]
- :loc2loc2 - [0:0]
- :loc2net - [0:0]
- :loc_frwd - [0:0]
- :logdrop - [0:0]
- :logflags - [0:0]
- :logreject - [0:0]
- :net2fw - [0:0]
- :net2loc - [0:0]
- :net2loc2 - [0:0]
- :net_frwd - [0:0]
- :reject - [0:0]
- :shorewall - [0:0]
- :smurflog - [0:0]
- :smurfs - [0:0]
- :tcpflags - [0:0]
- # Built-in chains: dispatch by interface, then fall through to the Reject
- # action, log, and reject. The trailing rules are only reached by packets on
- # an interface other than eth0/eth1/lo.
- -A INPUT -i eth0 -j net2fw
- -A INPUT -i eth1 -j eth1_in
- -A INPUT -i lo -j ACCEPT
- -A INPUT -j Reject
- -A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 3
- -A INPUT -g reject
- -A FORWARD -i eth0 -j net_frwd
- -A FORWARD -i eth1 -j eth1_fwd
- -A FORWARD -j Reject
- -A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 3
- -A FORWARD -g reject
- -A OUTPUT -o eth0 -j fw2net
- -A OUTPUT -o eth1 -j eth1_out
- -A OUTPUT -o lo -j ACCEPT
- -A OUTPUT -j Reject
- -A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:REJECT:" --log-level 3
- -A OUTPUT -g reject
- # %Invalid and Invalid do the same thing: drop packets conntrack cannot
- # associate with a known flow (out-of-window TCP, stray ACKs, etc.).
- -A %Invalid -m conntrack --ctstate INVALID -j DROP
- # Broadcast: silently discard broadcast/multicast/anycast so the firewall
- # never answers them with REJECT replies (avoids amplification/noise).
- -A Broadcast -m addrtype --dst-type BROADCAST -j DROP
- -A Broadcast -m addrtype --dst-type MULTICAST -j DROP
- -A Broadcast -m addrtype --dst-type ANYCAST -j DROP
- -A Broadcast -d 224.0.0.0/4 -j DROP
- # Drop action: the first rule has no match and no target -- it only counts
- # packets entering the chain. Auth/ident (113) is actively rejected so that
- # remote mail/IRC servers do not wait for a timeout; ICMP 3/4 (fragmentation
- # needed) and 11 (time exceeded) are accepted to keep PMTU discovery and
- # traceroute working; SMB/NetBIOS, UPnP, non-SYN TCP and late DNS replies are
- # discarded silently so they do not flood the log.
- -A Drop
- -A Drop -p tcp -m tcp --dport 113 -m comment --comment Auth -j reject
- -A Drop -j Broadcast
- -A Drop -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
- -A Drop -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
- -A Drop -j Invalid
- -A Drop -p udp -m multiport --dports 135,445 -m comment --comment SMB -j DROP
- -A Drop -p udp -m udp --dport 137:139 -m comment --comment SMB -j DROP
- -A Drop -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment SMB -j DROP
- -A Drop -p tcp -m multiport --dports 135,139,445 -m comment --comment SMB -j DROP
- -A Drop -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP
- -A Drop -p tcp -j NotSyn
- -A Drop -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
- -A Invalid -m conntrack --ctstate INVALID -j DROP
- # NotSyn: any TCP packet that is not a bare SYN (FIN/SYN/RST/ACK == SYN) and
- # reached this point is not part of a tracked connection -> drop quietly.
- -A NotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
- # Reject action: same shape as Drop, but the SMB/NetBIOS ports get an active
- # reject instead of a silent drop (UPnP and late DNS replies stay silent).
- -A Reject
- -A Reject -p tcp -m tcp --dport 113 -m comment --comment Auth -j reject
- -A Reject -j Broadcast
- -A Reject -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
- -A Reject -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
- -A Reject -j Invalid
- -A Reject -p udp -m multiport --dports 135,445 -m comment --comment SMB -j reject
- -A Reject -p udp -m udp --dport 137:139 -m comment --comment SMB -j reject
- -A Reject -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment SMB -j reject
- -A Reject -p tcp -m multiport --dports 135,139,445 -m comment --comment SMB -j reject
- -A Reject -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP
- -A Reject -p tcp -j NotSyn
- -A Reject -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
- # eth1 ingress (forwarded): run the blacklist hook, smurf and TCP-flag checks
- # on new/invalid packets, then pick the zone chain by source subnet.
- -A eth1_fwd -m conntrack --ctstate INVALID,NEW -j dynamic
- -A eth1_fwd -m conntrack --ctstate INVALID,NEW -j smurfs
- -A eth1_fwd -p tcp -j tcpflags
- -A eth1_fwd -s 10.0.0.0/8 -j loc_frwd
- -A eth1_fwd -s 192.168.0.0/16 -j loc2_frwd
- # eth1 ingress (to the firewall): DHCP (67:68) is accepted from any source
- # before the zone split so clients without an address can still get one.
- # The later "-s 0.0.0.0/32" DHCP rule is already covered by the unrestricted
- # one above it and is never reached; presumably a generator artifact.
- -A eth1_in -m conntrack --ctstate INVALID,NEW -j dynamic
- -A eth1_in -m conntrack --ctstate INVALID,NEW -j smurfs
- -A eth1_in -p udp -m udp --dport 67:68 -j ACCEPT
- -A eth1_in -p tcp -j tcpflags
- -A eth1_in -s 0.0.0.0/32 -p udp -m udp --dport 67:68 -j ACCEPT
- -A eth1_in -s 10.0.0.0/8 -j loc2fw
- -A eth1_in -s 192.168.0.0/16 -j loc22fw
- # eth1 egress from the firewall: DHCP out, then zone chain by destination.
- -A eth1_out -p udp -m udp --dport 67:68 -j ACCEPT
- -A eth1_out -d 10.0.0.0/8 -j fw2loc
- -A eth1_out -d 192.168.0.0/16 -j fw2loc2
- # fw -> loc / loc2: the firewall may only answer existing flows and send
- # ICMP; it cannot initiate TCP/UDP connections into either LAN zone.
- -A fw2loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A fw2loc -p icmp -j ACCEPT
- -A fw2loc -j Reject
- -A fw2loc -j LOG --log-prefix "Shorewall:fw2loc:REJECT:" --log-level 3
- -A fw2loc -g reject
- -A fw2loc2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A fw2loc2 -p icmp -j ACCEPT
- -A fw2loc2 -j Reject
- -A fw2loc2 -j LOG --log-prefix "Shorewall:fw2loc2:REJECT:" --log-level 3
- -A fw2loc2 -g reject
- # fw -> net: DNS, traceroute (UDP probe range + echo request), all ICMP,
- # HTTP, HTTPS and the FTP control channel.
- # NOTE(review): only port 21 is opened; FTP data connections rely on the ftp
- # conntrack helper marking them RELATED, which this dump cannot show -- if
- # the helper is not loaded, passive-mode transfers from the firewall will be
- # rejected and logged here.
- -A fw2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A fw2net -p udp -m udp --dport 53 -m comment --comment DNS -j ACCEPT
- -A fw2net -p tcp -m tcp --dport 53 -m comment --comment DNS -j ACCEPT
- -A fw2net -p udp -m udp --dport 33434:33524 -m comment --comment Trcrt -j ACCEPT
- -A fw2net -p icmp -m icmp --icmp-type 8 -m comment --comment Trcrt -j ACCEPT
- -A fw2net -p icmp -j ACCEPT
- -A fw2net -p tcp -m tcp --dport 80 -j ACCEPT
- -A fw2net -p tcp -m tcp --dport 443 -j ACCEPT
- -A fw2net -p tcp -m tcp --dport 21 -m comment --comment FTP -j ACCEPT
- -A fw2net -j Reject
- -A fw2net -j LOG --log-prefix "Shorewall:fw2net:REJECT:" --log-level 3
- -A fw2net -g reject
- # loc2 -> fw: DNS, tcp/62128 and tcp/3128. The services behind 62128 and
- # 3128 are not identified in this dump (3128 is conventionally a web proxy;
- # 62128 is also opened from net and loc, so presumably remote admin access
- # on a non-standard port -- verify what listens there). Note: no ping from
- # loc2 to the firewall, unlike loc2fw below.
- -A loc22fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A loc22fw -p udp -m udp --dport 53 -m comment --comment DNS -j ACCEPT
- -A loc22fw -p tcp -m tcp --dport 53 -m comment --comment DNS -j ACCEPT
- -A loc22fw -p tcp -m tcp --dport 62128 -j ACCEPT
- -A loc22fw -p tcp -m tcp --dport 3128 -j ACCEPT
- -A loc22fw -j Reject
- -A loc22fw -j LOG --log-prefix "Shorewall:loc22fw:REJECT:" --log-level 3
- -A loc22fw -g reject
- # loc2 -> loc: ping only; everything else is rejected and logged.
- -A loc22loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A loc22loc -p icmp -m icmp --icmp-type 8 -m comment --comment Ping -j ACCEPT
- -A loc22loc -j Reject
- -A loc22loc -j LOG --log-prefix "Shorewall:loc22loc:REJECT:" --log-level 3
- -A loc22loc -g reject
- # loc2 -> net: no new outbound connections at all. Unlike the other policies
- # this one drops silently (no LOG rule), so blocked loc2 hosts leave no trace.
- -A loc22net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A loc22net -j Drop
- -A loc22net -j DROP
- # loc2 forwarding: by egress interface/destination. Traffic from loc2 to
- # another 192.168/16 host via eth1 matches neither rule and falls through to
- # FORWARD's catch-all Reject/LOG/reject.
- -A loc2_frwd -o eth0 -j loc22net
- -A loc2_frwd -d 10.0.0.0/8 -o eth1 -j loc22loc
- # loc -> fw: DNS, ping and tcp/62128.
- -A loc2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A loc2fw -p udp -m udp --dport 53 -m comment --comment DNS -j ACCEPT
- -A loc2fw -p tcp -m tcp --dport 53 -m comment --comment DNS -j ACCEPT
- -A loc2fw -p icmp -m icmp --icmp-type 8 -m comment --comment Ping -j ACCEPT
- -A loc2fw -p tcp -m tcp --dport 62128 -j ACCEPT
- -A loc2fw -j Reject
- -A loc2fw -j LOG --log-prefix "Shorewall:loc2fw:REJECT:" --log-level 3
- -A loc2fw -g reject
- # loc -> loc2: ping, plus SMB/NetBIOS to the single host 192.168.100.5.
- # The four SMB rules mirror the port set the Drop/Reject actions discard, so
- # they must stay ahead of the Reject jump to take effect.
- -A loc2loc2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A loc2loc2 -p icmp -m icmp --icmp-type 8 -m comment --comment Ping -j ACCEPT
- -A loc2loc2 -d 192.168.100.5/32 -p udp -m multiport --dports 135,445 -m comment --comment SMB -j ACCEPT
- -A loc2loc2 -d 192.168.100.5/32 -p udp -m udp --dport 137:139 -m comment --comment SMB -j ACCEPT
- -A loc2loc2 -d 192.168.100.5/32 -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment SMB -j ACCEPT
- -A loc2loc2 -d 192.168.100.5/32 -p tcp -m multiport --dports 135,139,445 -m comment --comment SMB -j ACCEPT
- -A loc2loc2 -j Reject
- -A loc2loc2 -j LOG --log-prefix "Shorewall:loc2loc2:REJECT:" --log-level 3
- -A loc2loc2 -g reject
- # loc -> net: unrestricted outbound (the RELATED,ESTABLISHED rule is
- # redundant given the unconditional ACCEPT that follows it).
- -A loc2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A loc2net -j ACCEPT
- # loc forwarding: to eth0 -> loc2net; to 192.168/16 via eth1 -> loc2loc2;
- # loc-to-loc forwarding via eth1 falls through to FORWARD's catch-all.
- -A loc_frwd -o eth0 -j loc2net
- -A loc_frwd -d 192.168.0.0/16 -o eth1 -j loc2loc2
- -A logdrop -j DROP
- # logflags: log (incl. IP options) and drop packets with bogus TCP flag sets.
- -A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level 6 --log-ip-options
- -A logflags -j DROP
- -A logreject -j reject
- # net -> fw: after the sanity chains, accept replies, ping and tcp/62128 from
- # any internet source; ident (113) is dropped without logging; everything
- # else goes through the Drop action and is then logged and dropped.
- # NOTE(review): the LOG rule has no "-m limit", so every unsolicited packet
- # from the internet that survives the Drop action produces a level-3 syslog
- # line; a port scan or flood can fill the log. If this is Shorewall output,
- # set LOGLIMIT in shorewall.conf rather than editing this dump.
- # NOTE(review): tcp/62128 is reachable from anywhere with no source
- # restriction or rate limit; confirm the service is meant to be exposed.
- -A net2fw -m conntrack --ctstate INVALID,NEW -j dynamic
- -A net2fw -m conntrack --ctstate INVALID,NEW -j smurfs
- -A net2fw -p tcp -j tcpflags
- -A net2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A net2fw -j %Invalid
- -A net2fw -p icmp -m icmp --icmp-type 8 -m comment --comment Ping -j ACCEPT
- -A net2fw -p tcp -m tcp --dport 62128 -j ACCEPT
- -A net2fw -p tcp -m tcp --dport 113 -j DROP
- -A net2fw -j Drop
- -A net2fw -j LOG --log-prefix "Shorewall:net2fw:DROP:" --log-level 3
- -A net2fw -j DROP
- # net -> loc / loc2: replies only; no inbound service reaches either LAN
- # zone (consistent with the nat table having no DNAT). Dropped silently.
- -A net2loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A net2loc -j %Invalid
- -A net2loc -j Drop
- -A net2loc -j DROP
- -A net2loc2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A net2loc2 -j %Invalid
- -A net2loc2 -j Drop
- -A net2loc2 -j DROP
- # net forwarding: sanity chains, then zone chain by destination subnet.
- -A net_frwd -m conntrack --ctstate INVALID,NEW -j dynamic
- -A net_frwd -m conntrack --ctstate INVALID,NEW -j smurfs
- -A net_frwd -p tcp -j tcpflags
- -A net_frwd -d 10.0.0.0/8 -o eth1 -j net2loc
- -A net_frwd -d 192.168.0.0/16 -o eth1 -j net2loc2
- # reject helper: never send REJECT replies to broadcast/multicast sources or
- # IGMP (no reflection); TCP gets a RST, UDP port-unreachable, ICMP
- # host-unreachable, anything else host-prohibited.
- -A reject -m addrtype --src-type BROADCAST -j DROP
- -A reject -s 224.0.0.0/4 -j DROP
- -A reject -p igmp -j DROP
- -A reject -p tcp -j REJECT --reject-with tcp-reset
- -A reject -p udp -j REJECT --reject-with icmp-port-unreachable
- -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
- -A reject -j REJECT --reject-with icmp-host-prohibited
- -A smurflog -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
- -A smurflog -j DROP
- # smurfs: packets with a broadcast or multicast *source* address are logged
- # (level 6) and dropped; 0.0.0.0 is exempted so DHCP discovers still pass.
- -A smurfs -s 0.0.0.0/32 -j RETURN
- -A smurfs -m addrtype --src-type BROADCAST -g smurflog
- -A smurfs -s 224.0.0.0/4 -g smurflog
- # tcpflags: log+drop impossible flag combinations used by scanners --
- # FIN+PSH+URG without SYN/ACK (xmas-style), no flags at all (null scan),
- # SYN+RST, SYN+FIN, and a SYN from source port 0.
- -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g logflags
- -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g logflags
- -A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g logflags
- -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g logflags
- -A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g logflags
- COMMIT
- # Completed on Tue Feb 17 20:55:42 2015