  1. # Generated by iptables-save v1.6.0 on Wed Mar 29 23:26:05 2017
  2. *nat
  3. :PREROUTING ACCEPT [0:0]
  4. :INPUT ACCEPT [0:0]
  5. :OUTPUT ACCEPT [1367:85931]
  6. :POSTROUTING ACCEPT [1367:85931]
  7. :NAT_POSTROUTING_CHAIN - [0:0]
  8. :NAT_PREROUTING_CHAIN - [0:0]
  9. :POST_NAT_POSTROUTING_CHAIN - [0:0]
  10. :POST_NAT_PREROUTING_CHAIN - [0:0]
  11. -A PREROUTING -j NAT_PREROUTING_CHAIN
  12. -A PREROUTING -j POST_NAT_PREROUTING_CHAIN
  13. -A POSTROUTING -j NAT_POSTROUTING_CHAIN
  14. -A POSTROUTING -j POST_NAT_POSTROUTING_CHAIN
  15. COMMIT
  16. # Completed on Wed Mar 29 23:26:05 2017
  17. # Generated by iptables-save v1.6.0 on Wed Mar 29 23:26:05 2017
  18. *mangle
  19. :PREROUTING ACCEPT [21071:11629411]
  20. :INPUT ACCEPT [21071:11629411]
  21. :FORWARD ACCEPT [0:0]
  22. :OUTPUT ACCEPT [17905:1765093]
  23. :POSTROUTING ACCEPT [17956:1770141]
  24. COMMIT
  25. # Completed on Wed Mar 29 23:26:05 2017
  26. # Generated by iptables-save v1.6.0 on Wed Mar 29 23:26:05 2017
  27. *filter
  28. :INPUT DROP [0:0]
  29. :FORWARD DROP [0:0]
  30. :OUTPUT DROP [0:0]
  31. :BASE_FORWARD_CHAIN - [0:0]
  32. :BASE_INPUT_CHAIN - [0:0]
  33. :BASE_OUTPUT_CHAIN - [0:0]
  34. :DMZ_FORWARD_IN_CHAIN - [0:0]
  35. :DMZ_FORWARD_OUT_CHAIN - [0:0]
  36. :DMZ_INET_FORWARD_CHAIN - [0:0]
  37. :DMZ_INPUT_CHAIN - [0:0]
  38. :DMZ_LAN_FORWARD_CHAIN - [0:0]
  39. :DMZ_OUTPUT_CHAIN - [0:0]
  40. :EXT_BROADCAST_CHAIN - [0:0]
  41. :EXT_FORWARD_IN_CHAIN - [0:0]
  42. :EXT_FORWARD_OUT_CHAIN - [0:0]
  43. :EXT_ICMP_FLOOD_CHAIN - [0:0]
  44. :EXT_INPUT_CHAIN - [0:0]
  45. :EXT_MULTICAST_CHAIN - [0:0]
  46. :EXT_OUTPUT_CHAIN - [0:0]
  47. :FORWARD_CHAIN - [0:0]
  48. :HOST_BLOCK_DROP - [0:0]
  49. :HOST_BLOCK_DST - [0:0]
  50. :HOST_BLOCK_SRC - [0:0]
  51. :INET_DMZ_FORWARD_CHAIN - [0:0]
  52. :INPUT_CHAIN - [0:0]
  53. :INT_INPUT_CHAIN - [0:0]
  54. :INT_OUTPUT_CHAIN - [0:0]
  55. :LAN_INET_FORWARD_CHAIN - [0:0]
  56. :LAN_LAN_FORWARD_CHAIN - [0:0]
  57. :OUTPUT_CHAIN - [0:0]
  58. :POST_FORWARD_CHAIN - [0:0]
  59. :POST_INPUT_CHAIN - [0:0]
  60. :POST_INPUT_DROP_CHAIN - [0:0]
  61. :POST_OUTPUT_CHAIN - [0:0]
  62. :RESERVED_NET_CHK - [0:0]
  63. :SPOOF_CHK - [0:0]
  64. :VALID_CHK - [0:0]
  65. -A INPUT -j BASE_INPUT_CHAIN
  66. -A INPUT -j INPUT_CHAIN
  67. -A INPUT -j HOST_BLOCK_SRC
  68. -A INPUT -j SPOOF_CHK
  69. -A INPUT -i enp3s0 -j VALID_CHK
  70. -A INPUT -i enp3s0 ! -p icmp -m state --state NEW -j EXT_INPUT_CHAIN
  71. -A INPUT -i enp3s0 -p icmp -m state --state NEW -m limit --limit 60/sec --limit-burst 100 -j EXT_INPUT_CHAIN
  72. -A INPUT -i enp3s0 -p icmp -m state --state NEW -j EXT_ICMP_FLOOD_CHAIN
  73. -A INPUT -i wlp2s0 -j VALID_CHK
  74. -A INPUT -i wlp2s0 ! -p icmp -m state --state NEW -j EXT_INPUT_CHAIN
  75. -A INPUT -i wlp2s0 -p icmp -m state --state NEW -m limit --limit 60/sec --limit-burst 100 -j EXT_INPUT_CHAIN
  76. -A INPUT -i wlp2s0 -p icmp -m state --state NEW -j EXT_ICMP_FLOOD_CHAIN
  77. -A INPUT -j POST_INPUT_CHAIN
  78. -A INPUT -m limit --limit 1/sec -j LOG --log-prefix "AIF:Dropped INPUT packet: " --log-level 6
  79. -A INPUT -j DROP
  80. -A FORWARD -j BASE_FORWARD_CHAIN
  81. -A FORWARD -o enp3s0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  82. -A FORWARD -o wlp2s0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  83. -A FORWARD -j FORWARD_CHAIN
  84. -A FORWARD -j HOST_BLOCK_SRC
  85. -A FORWARD -j HOST_BLOCK_DST
  86. -A FORWARD -i enp3s0 -j EXT_FORWARD_IN_CHAIN
  87. -A FORWARD -o enp3s0 -j EXT_FORWARD_OUT_CHAIN
  88. -A FORWARD -i wlp2s0 -j EXT_FORWARD_IN_CHAIN
  89. -A FORWARD -o wlp2s0 -j EXT_FORWARD_OUT_CHAIN
  90. -A FORWARD -j SPOOF_CHK
  91. -A FORWARD -j POST_FORWARD_CHAIN
  92. -A FORWARD -m limit --limit 1/min --limit-burst 3 -j LOG --log-prefix "AIF:Dropped FORWARD packet: " --log-level 6
  93. -A FORWARD -j DROP
  94. -A OUTPUT -j BASE_OUTPUT_CHAIN
  95. -A OUTPUT -o enp3s0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  96. -A OUTPUT -o wlp2s0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  97. -A OUTPUT -j OUTPUT_CHAIN
  98. -A OUTPUT -j HOST_BLOCK_DST
  99. -A OUTPUT -f -m limit --limit 3/min -j LOG --log-prefix "AIF:Fragment packet: " --log-level 6
  100. -A OUTPUT -f -j DROP
  101. -A OUTPUT -o enp3s0 -j EXT_OUTPUT_CHAIN
  102. -A OUTPUT -o wlp2s0 -j EXT_OUTPUT_CHAIN
  103. -A OUTPUT -j POST_OUTPUT_CHAIN
  104. -A OUTPUT -j ACCEPT
  105. -A BASE_FORWARD_CHAIN -m state --state ESTABLISHED -j ACCEPT
  106. -A BASE_FORWARD_CHAIN -p tcp -m state --state RELATED -m tcp --dport 1024:65535 -j ACCEPT
  107. -A BASE_FORWARD_CHAIN -p udp -m state --state RELATED -m udp --dport 1024:65535 -j ACCEPT
  108. -A BASE_FORWARD_CHAIN -p icmp -m state --state RELATED -j ACCEPT
  109. -A BASE_FORWARD_CHAIN -i lo -j ACCEPT
  110. -A BASE_INPUT_CHAIN -m state --state ESTABLISHED -j ACCEPT
  111. -A BASE_INPUT_CHAIN -p tcp -m state --state RELATED -m tcp --dport 1024:65535 -j ACCEPT
  112. -A BASE_INPUT_CHAIN -p udp -m state --state RELATED -m udp --dport 1024:65535 -j ACCEPT
  113. -A BASE_INPUT_CHAIN -p icmp -m state --state RELATED -j ACCEPT
  114. -A BASE_INPUT_CHAIN -i lo -j ACCEPT
  115. -A BASE_OUTPUT_CHAIN -m state --state ESTABLISHED -j ACCEPT
  116. -A BASE_OUTPUT_CHAIN -o lo -j ACCEPT
  117. -A EXT_BROADCAST_CHAIN -p tcp -m tcp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV TCP broadcast: " --log-level 6
  118. -A EXT_BROADCAST_CHAIN -p udp -m udp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV UDP broadcast: " --log-level 6
  119. -A EXT_BROADCAST_CHAIN -p tcp -m tcp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV TCP broadcast: " --log-level 6
  120. -A EXT_BROADCAST_CHAIN -p udp -m udp --dport 1024 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV UDP broadcast: " --log-level 6
  121. -A EXT_BROADCAST_CHAIN -j DROP
  122. -A EXT_FORWARD_IN_CHAIN -j VALID_CHK
  123. -A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 3 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-unreachable flood: " --log-level 6
  124. -A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 3 -j POST_INPUT_DROP_CHAIN
  125. -A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 11 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-time-exceeded fld: " --log-level 6
  126. -A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 11 -j POST_INPUT_DROP_CHAIN
  127. -A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 12 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-param-problem fld: " --log-level 6
  128. -A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 12 -j POST_INPUT_DROP_CHAIN
  129. -A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-request(ping) fld: " --log-level 6
  130. -A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 8 -j POST_INPUT_DROP_CHAIN
  131. -A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 0 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-reply(pong) flood: " --log-level 6
  132. -A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 0 -j POST_INPUT_DROP_CHAIN
  133. -A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 4 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-source-quench fld: " --log-level 6
  134. -A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 4 -j POST_INPUT_DROP_CHAIN
  135. -A EXT_ICMP_FLOOD_CHAIN -p icmp -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP(other) flood: " --log-level 6
  136. -A EXT_ICMP_FLOOD_CHAIN -p icmp -j POST_INPUT_DROP_CHAIN
  137. -A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "AIF:Port 0 OS fingerprint: " --log-level 6
  138. -A EXT_INPUT_CHAIN -p udp -m udp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "AIF:Port 0 OS fingerprint: " --log-level 6
  139. -A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0 -j POST_INPUT_DROP_CHAIN
  140. -A EXT_INPUT_CHAIN -p udp -m udp --dport 0 -j POST_INPUT_DROP_CHAIN
  141. -A EXT_INPUT_CHAIN -p tcp -m tcp --sport 0 -m limit --limit 6/hour -j LOG --log-prefix "AIF:TCP source port 0: " --log-level 6
  142. -A EXT_INPUT_CHAIN -p udp -m udp --sport 0 -m limit --limit 6/hour -j LOG --log-prefix "AIF:UDP source port 0: " --log-level 6
  143. -A EXT_INPUT_CHAIN -p tcp -m tcp --sport 0 -j POST_INPUT_DROP_CHAIN
  144. -A EXT_INPUT_CHAIN -p udp -m udp --sport 0 -j POST_INPUT_DROP_CHAIN
  145. -A EXT_INPUT_CHAIN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
  146. -A EXT_INPUT_CHAIN -p tcp -m tcp --dport 1024:65535 ! --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth scan? (UNPRIV): " --log-level 6
  147. -A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0:1023 ! --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth scan? (PRIV): " --log-level 6
  148. -A EXT_INPUT_CHAIN -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j POST_INPUT_DROP_CHAIN
  149. -A EXT_INPUT_CHAIN -d 255.255.255.255/32 -j EXT_BROADCAST_CHAIN
  150. -A EXT_INPUT_CHAIN -d 192.168.100.255/32 -j EXT_BROADCAST_CHAIN
  151. -A EXT_INPUT_CHAIN -d 224.0.0.0/4 -j EXT_MULTICAST_CHAIN
  152. -A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV TCP packet: " --log-level 6
  153. -A EXT_INPUT_CHAIN -p udp -m udp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV UDP packet: " --log-level 6
  154. -A EXT_INPUT_CHAIN -p tcp -m tcp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV TCP packet: " --log-level 6
  155. -A EXT_INPUT_CHAIN -p udp -m udp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV UDP packet: " --log-level 6
  156. -A EXT_INPUT_CHAIN -p igmp -m limit --limit 1/min -j LOG --log-prefix "AIF:IGMP packet: " --log-level 6
  157. -A EXT_INPUT_CHAIN -j POST_INPUT_CHAIN
  158. -A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-request: " --log-level 6
  159. -A EXT_INPUT_CHAIN -p icmp -m icmp ! --icmp-type 8 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-other: " --log-level 6
  160. -A EXT_INPUT_CHAIN -p tcp -j POST_INPUT_DROP_CHAIN
  161. -A EXT_INPUT_CHAIN -p udp -j POST_INPUT_DROP_CHAIN
  162. -A EXT_INPUT_CHAIN -p igmp -j POST_INPUT_DROP_CHAIN
  163. -A EXT_INPUT_CHAIN -p icmp -j POST_INPUT_DROP_CHAIN
  164. -A EXT_INPUT_CHAIN -m limit --limit 1/min -j LOG --log-prefix "AIF:Other connect: " --log-level 6
  165. -A EXT_INPUT_CHAIN -j POST_INPUT_DROP_CHAIN
  166. -A EXT_MULTICAST_CHAIN -p tcp -m tcp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV TCP multicast: " --log-level 6
  167. -A EXT_MULTICAST_CHAIN -p udp -m udp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV UDP multicast: " --log-level 6
  168. -A EXT_MULTICAST_CHAIN -p tcp -m tcp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV TCP multicast: " --log-level 6
  169. -A EXT_MULTICAST_CHAIN -p udp -m udp --dport 1024 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV UDP multicast: " --log-level 6
  170. -A EXT_MULTICAST_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-multicast-request: " --log-level 6
  171. -A EXT_MULTICAST_CHAIN -p icmp -m icmp ! --icmp-type 8 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-multicast-other: " --log-level 6
  172. -A EXT_MULTICAST_CHAIN -j DROP
  173. -A HOST_BLOCK_DROP -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "AIF:Blocked host(s): " --log-level 6
  174. -A HOST_BLOCK_DROP -j DROP
  175. -A POST_INPUT_DROP_CHAIN -j DROP
  176. -A SPOOF_CHK -j RETURN
  177. -A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth XMAS scan: " --log-level 6
  178. -A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth XMAS-PSH scan: " --log-level 6
  179. -A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth XMAS-ALL scan: " --log-level 6
  180. -A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth FIN scan: " --log-level 6
  181. -A VALID_CHK -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth SYN/RST scan: " --log-level 6
  182. -A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth SYN/FIN scan?: " --log-level 6
  183. -A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth Null scan: " --log-level 6
  184. -A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j POST_INPUT_DROP_CHAIN
  185. -A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j POST_INPUT_DROP_CHAIN
  186. -A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j POST_INPUT_DROP_CHAIN
  187. -A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j POST_INPUT_DROP_CHAIN
  188. -A VALID_CHK -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j POST_INPUT_DROP_CHAIN
  189. -A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j POST_INPUT_DROP_CHAIN
  190. -A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j POST_INPUT_DROP_CHAIN
  191. -A VALID_CHK -p tcp -m tcp --tcp-option 64 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:Bad TCP flag(64): " --log-level 6
  192. -A VALID_CHK -p tcp -m tcp --tcp-option 128 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:Bad TCP flag(128): " --log-level 6
  193. -A VALID_CHK -p tcp -m tcp --tcp-option 64 -j POST_INPUT_DROP_CHAIN
  194. -A VALID_CHK -p tcp -m tcp --tcp-option 128 -j POST_INPUT_DROP_CHAIN
  195. -A VALID_CHK -m state --state INVALID -j POST_INPUT_DROP_CHAIN
  196. -A VALID_CHK -f -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:Fragment packet: "
  197. -A VALID_CHK -f -j DROP
  198. COMMIT
  199. # Completed on Wed Mar 29 23:26:05 2017