about summary refs log tree commit diff stats
path: root/core/conf/iptables/br-lan.v4
blob: 61da499ddb46e4e13c5469acb2e97ff0845845fd (plain) (blame) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136

# Generated by iptables-save v1.6.2 on Tue Apr  3 02:25:27 2018
*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Tue Apr  3 02:25:27 2018
# Generated by iptables-save v1.6.2 on Tue Apr  3 02:25:27 2018
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Tue Apr  3 02:25:27 2018
# Generated by iptables-save v1.6.2 on Tue Apr  3 02:25:27 2018
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Tue Apr  3 02:25:27 2018
# Generated by iptables-save v1.6.2 on Tue Apr  3 02:25:27 2018
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Tue Apr  3 02:25:27 2018
# Generated by iptables-save v1.6.2 on Tue Apr  3 02:25:27 2018
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:blocker - [0:0]
:client_in - [0:0]
:client_out - [0:0]
:netconf_in - [0:0]
:netconf_out - [0:0]
:server_in - [0:0]
:server_out - [0:0]
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
-A INPUT -s 10.0.0.254/32 -d 10.0.0.254/32 -i lo -j ACCEPT
-A INPUT -j blocker
-A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j server_in
-A INPUT -d 10.0.0.0/8 -i br0 -j client_in
-A INPUT -i br0 -j netconf_in
-A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7
-A FORWARD -j blocker
-A FORWARD -d 10.0.0.0/8 -i br0 -o br0 -j netconf_in
-A FORWARD -d 10.0.0.0/8 -i br0 -o br0 -j netconf_out
-A FORWARD -d 10.0.0.0/8 -i br0 -o br0 -j client_in
-A FORWARD -s 10.0.0.0/8 -i br0 -o br0 -j client_out
-A FORWARD -s 10.0.0.0/8 -i br0 -o br0 -j server_out
-A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7
-A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT
-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.254/32 -o lo -j ACCEPT
-A OUTPUT -j blocker
-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j server_out
-A OUTPUT -s 10.0.0.0/8 -o br0 -j client_out
-A OUTPUT -o br0 -j netconf_out
-A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7
-A blocker -s 8.8.0.0/24 -j LOG --log-prefix "iptables: blocker google: " --log-level 7
-A blocker -s 8.8.0.0/24 -j DROP
-A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7
-A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A blocker -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: "
-A blocker -f -j DROP
-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop null: "
-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop syn rst syn rs"
-A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop xmas: "
-A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop fin scan: "
-A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A blocker -j RETURN
-A client_in -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A client_in -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A client_in -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A client_in -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A client_in -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A client_in -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A client_in -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A client_in -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A client_in -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A client_in -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A client_in -p tcp -m tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A client_in -j RETURN
-A client_out -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
-A client_out -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A client_out -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT
-A client_out -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
-A client_out -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
-A client_out -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A client_out -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A client_out -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A client_out -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A client_out -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT
-A client_out -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A client_out -p tcp -m tcp --sport 1024:65535 --dport 11371 -m state --state NEW,ESTABLISHED -j ACCEPT
-A client_out -j RETURN
-A netconf_in -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A netconf_in -s 10.0.0.0/8 -d 10.0.0.0/8 -p udp -m udp --sport 520 --dport 520 -j ACCEPT
-A netconf_in -p icmp -j LOG --log-prefix "iptables: netconf_in ICMP: " --log-level 7
-A netconf_in -p icmp -j ACCEPT
-A netconf_in -j RETURN
-A netconf_out -s 10.0.0.0/8 -d 10.0.0.0/8 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A netconf_out -s 10.0.0.0/8 -d 10.0.0.0/8 -p udp -m udp --sport 520 --dport 520 -j ACCEPT
-A netconf_out -p icmp -j LOG --log-prefix "iptables: netconf_out ICMP: " --log-level 7
-A netconf_out -p icmp -j ACCEPT
-A netconf_out -j RETURN
-A server_in -p tcp -m tcp --sport 1024:65535 --dport 5900 -m state --state NEW,ESTABLISHED -j ACCEPT
-A server_in -p tcp -m tcp --sport 1024:65535 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
-A server_in -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT
-A server_in -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A server_in -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A server_in -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A server_in -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A server_in -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT
-A server_in -j RETURN
-A server_out -p udp -m udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A server_out -p tcp -m tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A server_out -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A server_out -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A server_out -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A server_out -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A server_out -p tcp -m tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A server_out -p tcp -m tcp --sport 5900 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A server_out -j RETURN
COMMIT
# Completed on Tue Apr  3 02:25:27 2018
generated by cgit-pink 1.4.1-2-gfad0 (git 2.36.2.497.gbbea4dcf42) at 2024-07-05 20:20:45 +0000