# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017
*security
# Empty table: all three chains keep their ACCEPT policy, so nothing is filtered here.
# The [pkts:bytes] counters are only reinstated by iptables-restore --counters.
:INPUT ACCEPT [4559:2307887]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4459:962215]
COMMIT
# Completed on Sat Feb 25 18:34:17 2017
# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017
*raw
# Empty table: nothing is exempted from connection tracking (no NOTRACK/CT rules).
:PREROUTING ACCEPT [18446:3412851]
:OUTPUT ACCEPT [4467:962535]
COMMIT
# Completed on Sat Feb 25 18:34:17 2017
# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017
*nat
# Empty table: no NAT / masquerading is configured on this host.
:PREROUTING ACCEPT [13936:1107904]
:INPUT ACCEPT [49:2940]
:OUTPUT ACCEPT [504:40037]
:POSTROUTING ACCEPT [504:40037]
COMMIT
# Completed on Sat Feb 25 18:34:17 2017
# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017
*mangle
# Empty table: no mangle rules (no marking, TTL or TOS rewriting).
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sat Feb 25 18:34:17 2017
# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017
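*filter
# Default-deny on every built-in chain.  Each chain also ends in an explicit
# catch-all DROPLOG/REJECTLOG rule so that rejected traffic is logged (rate
# limited) before the policy would apply.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Helper chains: the *LOG chains log (rate limited) and then take the named
# action; RELATED_ICMP whitelists ICMP error types; SYN_FLOOD throttles inbound
# SYNs.  ACCEPTLOG is defined but no rule in this file jumps to it.
:ACCEPTLOG - [0:0]
:DROPLOG - [0:0]
:REJECTLOG - [0:0]
:RELATED_ICMP - [0:0]
:SYN_FLOOD - [0:0]
# ---- INPUT -----------------------------------------------------------------
-A INPUT -i lo -j ACCEPT
# ICMP: fragments are never accepted; replies to our own pings arrive as
# ESTABLISHED, errors about our own connections as RELATED (filtered by type in
# RELATED_ICMP), inbound echo-request is rate limited, everything else is logged
# and dropped.  A blanket "any ICMP type at 1/s -> ACCEPT, otherwise DROP" trio
# used to sit in front of these rules; it shadowed all of them (RELATED_ICMP was
# unreachable from INPUT), let unsolicited types such as redirect and timestamp
# request through, and its 1/s budget could starve fragmentation-needed messages
# that PMTU discovery relies on.  It has been removed.
-A INPUT -p icmp -f -j DROPLOG
-A INPUT -p icmp -m state --state ESTABLISHED -m limit --limit 3/sec --limit-burst 8 -j ACCEPT
-A INPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT
-A INPUT -p icmp -j DROPLOG
# Return traffic for connections this host initiated.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Silently (unlogged) drop NEW connections to the usual worm/scanner targets
# (MS-RPC, NetBIOS, SMB, MSSQL) so they do not consume the DROPLOG rate budget.
-A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
-A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
-A INPUT -m state --state INVALID -j DROP
# Malformed TCP flag combinations (XMAS, NULL, SYN+RST, SYN+FIN, FIN without
# ACK).  Each of these previously had a silent DROP twin earlier in the chain,
# so the logging versions below never fired; the duplicates are gone and every
# match now goes through DROPLOG (which is rate limited, so this cannot flood
# the log).
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROPLOG
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROPLOG
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROPLOG
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROPLOG
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROPLOG
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROPLOG
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROPLOG
# Inbound SYNs pass through the SYN_FLOOD throttle; NEW packets that are not
# plain SYNs are logged and dropped.
# NOTE(review): no INPUT rule ACCEPTs a NEW connection on any port, so a SYN
# that survives SYN_FLOOD is still dropped by the catch-all at the end of this
# chain -- nothing on this host is reachable from the network.  If a listening
# service (the OUTPUT template below hints at sshd on 2222) is meant to be
# reachable, an explicit ACCEPT for it must be added after the SYN_FLOOD rule.
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYN_FLOOD
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROPLOG
# Non-first fragments.  With conntrack loaded (the state matches above pull it
# in) IPv4 is reassembled before the filter table, so this rarely matches.
-A INPUT -f -j DROPLOG
-A INPUT -j DROPLOG
# ---- FORWARD ---------------------------------------------------------------
# Nothing is forwarded: ICMP is logged and dropped, everything else is logged
# and actively rejected (TCP RST / ICMP port-unreachable).
-A FORWARD -p icmp -f -j DROPLOG
-A FORWARD -p icmp -j DROPLOG
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -j REJECTLOG
# ---- OUTPUT ----------------------------------------------------------------
-A OUTPUT -o lo -j ACCEPT
# All outbound ICMP is allowed.
-A OUTPUT -p icmp -j ACCEPT
# Egress is effectively open: every tracked packet is accepted here, so only
# INVALID and untracked packets reach the rules after it.
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
# NOTE(review): the per-port egress whitelist below was unreachable behind the
# blanket ACCEPT above (dead rules), as was a set of per-type, rate-limited
# outbound ICMP rules behind the ICMP ACCEPT (those have been removed).  The
# whitelist is kept commented out as a template only.  To actually enforce
# egress filtering: delete the blanket NEW,RELATED,ESTABLISHED ACCEPT, uncomment
# these lines, and add every other destination the host needs (22/tcp, for
# example, is not on the list).
#-A OUTPUT -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
#-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 5222 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
#-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
#-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -j DROPLOG
# ---- helper chains ---------------------------------------------------------
# Log at most 3 lines/s (burst 8), then take the action.
# NOTE(review): --log-level 7 is kern.debug, which many syslog/journald setups
# discard -- verify the lines actually land somewhere, or raise to --log-level 4.
# --log-tcp-sequence writes TCP sequence numbers into the kernel log; iptables(8)
# calls this a security risk if the log is readable by users, so keep the
# kernel log restricted (kernel.dmesg_restrict=1, root-only log files).
-A ACCEPTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: ACCEPT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options
-A ACCEPTLOG -j ACCEPT
-A DROPLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: DROP " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options
-A DROPLOG -j DROP
-A REJECTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: REJECT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options
-A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
-A REJECTLOG -j REJECT --reject-with icmp-port-unreachable
# ICMP error types accepted as RELATED: destination unreachable (3, including
# the fragmentation-needed code that PMTU discovery depends on), time exceeded
# (11) and parameter problem (12).  Source quench (4) and redirect (5) are not
# listed and fall through to DROPLOG.
-A RELATED_ICMP -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A RELATED_ICMP -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A RELATED_ICMP -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A RELATED_ICMP -j DROPLOG
# NOTE(review): this is an aggregate limit (2 SYN/s, burst 6) shared by all
# sources, so a single remote host sending a handful of SYNs starves every
# other client; excess SYNs are dropped silently, not via DROPLOG.  If an
# inbound service is ever opened, prefer a per-source limit
# (-m hashlimit --hashlimit-mode srcip) and/or the kernel's tcp_syncookies.
-A SYN_FLOOD -m limit --limit 2/sec --limit-burst 6 -j RETURN
-A SYN_FLOOD -j DROP
COMMIT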
# Completed on Sat Feb 25 18:34:17 2017