stdin
# Generated by iptables-save v1.4.21 on Fri Jul 10 14:57:08 2015
# raw table: only the built-in chains with ACCEPT policy and no rules,
# so nothing is exempted from connection tracking (no NOTRACK/CT targets).
*raw
:PREROUTING ACCEPT [1737030:681629393]
:OUTPUT ACCEPT [1359551:1355484041]
COMMIT
# Completed on Fri Jul 10 14:57:08 2015
# Generated by iptables-save v1.4.21 on Fri Jul 10 14:57:08 2015
# nat table: inbound port forwarding on wan0 and outbound masquerading
# for the 192.168.0.0/24 LAN.
*nat
:PREROUTING ACCEPT [1218:190786]
:INPUT ACCEPT [133:24257]
:OUTPUT ACCEPT [6303:540173]
:POSTROUTING ACCEPT [6303:540173]
# MINIUPNPD, MINIUPNPD-PCP-PEER and UPnP hold no rules in this dump;
# presumably populated at runtime by a UPnP daemon — confirm before relying on them.
:MINIUPNPD - [0:0]
:MINIUPNPD-PCP-PEER - [0:0]
:UPnP - [0:0]
:inet_dnat - [0:0]
:wan0_masq - [0:0]
# Inbound on wan0 is tried against the UPnP chains and the static DNAT chain in this order.
-A PREROUTING -i wan0 -j UPnP
-A PREROUTING -i wan0 -j inet_dnat
-A PREROUTING -i wan0 -j MINIUPNPD
-A POSTROUTING -o wan0 -j wan0_masq
-A POSTROUTING -o wan0 -j MINIUPNPD-PCP-PEER
# Static port forward: TCP/31337 from the Internet is rewritten to the LAN host's SSH port.
# The matching filter-side allow is the inet-local rule keyed on --ctorigdstport 31337.
# The non-standard external port is not an access control; any source address can reach
# this SSH service, so host-based restrictions on 192.168.0.8 (or routing access through
# the OpenVPN service the filter table already permits) are the real safeguard.
-A inet_dnat -p tcp -m tcp --dport 31337 -j DNAT --to-destination 192.168.0.8:22
# Source NAT for the LAN prefix leaving via wan0.
-A wan0_masq -s 192.168.0.0/24 -j MASQUERADE
COMMIT
# Completed on Fri Jul 10 14:57:08 2015
# Generated by iptables-save v1.4.21 on Fri Jul 10 14:57:08 2015
# mangle table: traffic-control hook chains (tcpre/tcin/tcfor/tcout/tcpost)
# are all declared but empty in this dump, so no marking is done apart from
# the FORWARD mark reset below.
*mangle
:PREROUTING ACCEPT [44425:5018395]
:INPUT ACCEPT [43060:4609992]
:FORWARD ACCEPT [553:268811]
:OUTPUT ACCEPT [63222:88740432]
:POSTROUTING ACCEPT [63947:89032218]
# MINIUPNPD is empty here as well; jumped to from PREROUTING for wan0 traffic only.
:MINIUPNPD - [0:0]
:tcfor - [0:0]
:tcin - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING -j tcpre
-A PREROUTING -i wan0 -j MINIUPNPD
-A INPUT -j tcin
# Clears the low 8 bits of the packet mark on every forwarded packet before tcfor runs.
-A FORWARD -j MARK --set-xmark 0x0/0xff
-A FORWARD -j tcfor
-A OUTPUT -j tcout
-A POSTROUTING -j tcpost
COMMIT
# Completed on Fri Jul 10 14:57:08 2015
# Generated by iptables-save v1.4.21 on Fri Jul 10 14:57:08 2015
# filter table. Log prefixes ("Shorewall:...") indicate this ruleset was generated by
# Shorewall. Zones: "inet" = wan0, "local" = br0, "fw" = the firewall host itself.
# All three built-in policies are DROP; each chain ends in an explicit log+drop or
# log+reject, so the policy counters are expected to stay at zero.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Broadcast - [0:0]
:Drop - [0:0]
:MINIUPNPD - [0:0]
:Reject - [0:0]
:allowinUPnP - [0:0]
:dynamic - [0:0]
:forwardUPnP - [0:0]
:fw-inet - [0:0]
:fw-local - [0:0]
:inet-fw - [0:0]
:inet-local - [0:0]
:inet_frwd - [0:0]
:local-fw - [0:0]
:local-inet - [0:0]
:local_frwd - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:reject - [0:0]
:sfilter - [0:0]
# Not referenced by any rule in this dump; presumably Shorewall's internal bookkeeping chains.
:sha-lh-190856d345853875c518 - [0:0]
:sha-rh-17b20e68bf4325b23fec - [0:0]
:shorewall - [0:0]
:tcpflags - [0:0]
# INPUT: dispatch by ingress interface; anything not accepted in the zone chains
# falls through to the Reject chain, is logged, and is rejected.
-A INPUT -i wan0 -j inet-fw
-A INPUT -i br0 -j local-fw
-A INPUT -i lo -j ACCEPT
-A INPUT -j Reject
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6
-A INPUT -g reject
# FORWARD: clamp MSS on SYNs (PMTU) before zone dispatch.
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i wan0 -j inet_frwd
-A FORWARD -i br0 -j local_frwd
-A FORWARD -j Reject
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
-A FORWARD -g reject
# NOTE(review): this rule is unreachable. The preceding "-g reject" hands every remaining
# packet to the reject chain, whose last rule is an unconditional REJECT, so control never
# returns here. Any forwards a UPnP daemon inserts into the filter MINIUPNPD chain would
# therefore be rejected by FORWARD (the nat-side DNAT would still happen).
-A FORWARD -i wan0 ! -o wan0 -j MINIUPNPD
# OUTPUT: zone chains both end in ACCEPT and the final rule accepts everything,
# so the DROP policy on OUTPUT is never reached — outbound traffic is unrestricted.
-A OUTPUT -o wan0 -j fw-inet
-A OUTPUT -o br0 -j fw-local
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
# Broadcast: silently drop directed/limited broadcast and multicast destinations.
-A Broadcast -d 127.255.255.255/32 -j DROP
-A Broadcast -d 172.20.188.63/32 -j DROP
-A Broadcast -d 192.168.0.255/32 -j DROP
-A Broadcast -d 255.255.255.255/32 -j DROP
-A Broadcast -d 224.0.0.0/4 -j DROP
# Drop: Shorewall's "Drop" action — a match-all rule with no target (counter only),
# then broadcast filtering, required ICMP, invalid state, SMB/UPnP noise, non-SYN
# new TCP and late DNS replies are all dropped without logging.
-A Drop
-A Drop -j Broadcast
-A Drop -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Drop -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Drop -m conntrack --ctstate INVALID -j DROP
-A Drop -p udp -m multiport --dports 135,445 -m comment --comment SMB -j DROP
-A Drop -p udp -m udp --dport 137:139 -m comment --comment SMB -j DROP
-A Drop -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment SMB -j DROP
-A Drop -p tcp -m multiport --dports 135,139,445 -m comment --comment SMB -j DROP
-A Drop -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP
-A Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A Drop -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
# Reject: same structure as Drop, but SMB probes get an active reject instead of a drop.
-A Reject
-A Reject -j Broadcast
-A Reject -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Reject -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Reject -m conntrack --ctstate INVALID -j DROP
-A Reject -p udp -m multiport --dports 135,445 -m comment --comment SMB -j reject
-A Reject -p udp -m udp --dport 137:139 -m comment --comment SMB -j reject
-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment SMB -j reject
-A Reject -p tcp -m multiport --dports 135,139,445 -m comment --comment SMB -j reject
-A Reject -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP
-A Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A Reject -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
# allowinUPnP: SSDP discovery and the UPnP control port, reachable from the LAN only
# (called from local-fw).
-A allowinUPnP -p udp -m udp --dport 1900 -j ACCEPT
-A allowinUPnP -p tcp -m tcp --dport 49152 -j ACCEPT
# dynamic: runtime blacklist, consulted for INVALID/NEW/UNTRACKED packets; one host listed.
-A dynamic -s 188.235.223.253/32 -j DROP
# fw-inet / fw-local: firewall-originated traffic; both end in an unconditional ACCEPT,
# so the specific rules above it only serve as counters. The NTP rule appears twice in
# each chain — a harmless duplicate.
-A fw-inet -p udp -m udp --dport 67:68 -j ACCEPT
-A fw-inet -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw-inet -p udp -m udp --dport 33434:33524 -m comment --comment Trcrt -j ACCEPT
-A fw-inet -p icmp -m icmp --icmp-type 8 -m comment --comment Trcrt -j ACCEPT
-A fw-inet -p udp -m udp --dport 123 -m comment --comment NTPbi -j ACCEPT
-A fw-inet -p udp -m udp --dport 123 -m comment --comment NTPbi -j ACCEPT
-A fw-inet -j ACCEPT
-A fw-local -p udp -m udp --dport 67:68 -j ACCEPT
-A fw-local -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw-local -p udp -m udp --dport 33434:33524 -m comment --comment Trcrt -j ACCEPT
-A fw-local -p icmp -m icmp --icmp-type 8 -m comment --comment Trcrt -j ACCEPT
-A fw-local -p udp -m udp --dport 123 -m comment --comment NTPbi -j ACCEPT
-A fw-local -p udp -m udp --dport 123 -m comment --comment NTPbi -j ACCEPT
-A fw-local -j ACCEPT
# inet-fw: Internet -> firewall host. Blacklist and TCP-flag sanity checks run first,
# then the established/related fast path, then the exposed services.
-A inet-fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A inet-fw -p udp -m udp --dport 67:68 -j ACCEPT
-A inet-fw -p tcp -j tcpflags
-A inet-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A inet-fw -p udp -m udp --dport 33434:33524 -m comment --comment Trcrt -j ACCEPT
-A inet-fw -p icmp -m icmp --icmp-type 8 -m comment --comment Trcrt -j ACCEPT
-A inet-fw -p udp -m udp --dport 123 -m comment --comment NTPbi -j ACCEPT
-A inet-fw -p udp -m udp --dport 123 -m comment --comment NTPbi -j ACCEPT
# ident is silently dropped rather than rejected; remote mail/IRC servers that probe
# ident will wait for a timeout instead of getting an immediate refusal.
-A inet-fw -p tcp -m tcp --dport 113 -m comment --comment Auth -j DROP
# Services exposed to any Internet source. SSH, HTTP/HTTPS, BitTorrent and OpenVPN are
# typical for a home gateway; MySQL (3306) open to the whole Internet is the exposure most
# worth revisiting — database ports are normally bound to localhost or limited to known
# source addresses, as is already done for port 8123 below.
-A inet-fw -p tcp -m tcp --dport 22 -m comment --comment SSH -j ACCEPT
-A inet-fw -p tcp -m tcp --dport 80 -m comment --comment Web -j ACCEPT
-A inet-fw -p tcp -m tcp --dport 443 -m comment --comment Web -j ACCEPT
-A inet-fw -p icmp -m icmp --icmp-type 8 -m comment --comment Ping -j ACCEPT
-A inet-fw -p tcp -m tcp --dport 6881:6999 -m comment --comment BitTorrent32 -j ACCEPT
-A inet-fw -p udp -m udp --dport 6881 -m comment --comment BitTorrent32 -j ACCEPT
-A inet-fw -p udp -m udp --dport 1194 -m comment --comment OpenVPN -j ACCEPT
-A inet-fw -p tcp -m tcp --dport 3306 -m comment --comment MySQL -j ACCEPT
# Port 8123 is source-restricted to two hosts.
-A inet-fw -s 95.170.181.208/32 -p tcp -m tcp --dport 8123 -j ACCEPT
-A inet-fw -s 109.195.66.242/32 -p tcp -m tcp --dport 8123 -j ACCEPT
# Multicast returns to INPUT (and so ends up in INPUT's Reject/LOG/reject tail);
# everything else is filtered by Drop, then logged and dropped.
# None of the LOG rules in this dump carry a rate limit (no "-m limit"), so a flood
# of unsolicited packets translates directly into log volume.
-A inet-fw -d 224.0.0.0/4 -j RETURN
-A inet-fw -j Drop
-A inet-fw -j LOG --log-prefix "Shorewall:inet-fw:DROP:" --log-level 6
-A inet-fw -j DROP
# inet-local: Internet -> LAN (forwarded). forwardUPnP is empty in this dump.
# The only static allow is the DNAT'd SSH forward: original destination port 31337
# (rewritten in nat to 192.168.0.8:22) is matched here via --ctorigdstport.
-A inet-local -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A inet-local -j forwardUPnP
-A inet-local -p udp -m udp --dport 33434:33524 -m comment --comment Trcrt -j ACCEPT
-A inet-local -p icmp -m icmp --icmp-type 8 -m comment --comment Trcrt -j ACCEPT
-A inet-local -p udp -m udp --dport 123 -m comment --comment NTPbi -j ACCEPT
-A inet-local -p udp -m udp --dport 123 -m comment --comment NTPbi -j ACCEPT
-A inet-local -d 192.168.0.8/32 -p tcp -m tcp --dport 22 -m conntrack --ctorigdstport 31337 -j ACCEPT
-A inet-local -d 224.0.0.0/4 -j RETURN
-A inet-local -j Drop
-A inet-local -j LOG --log-prefix "Shorewall:inet-local:DROP:" --log-level 6
-A inet-local -j DROP
# inet_frwd: packets entering on wan0. Anything that would leave on wan0 again is
# logged and dropped by sfilter (no hairpin/reflection through the WAN side);
# traffic to br0 goes to inet-local; any other egress falls back to FORWARD's reject tail.
-A inet_frwd -o wan0 -g sfilter
-A inet_frwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A inet_frwd -p tcp -j tcpflags
-A inet_frwd -o br0 -j inet-local
# local-fw: LAN -> firewall host. Ends in an unconditional ACCEPT, so the LAN zone is
# fully trusted towards the firewall; the service rules above it act as counters only.
-A local-fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A local-fw -p udp -m udp --dport 67:68 -j ACCEPT
-A local-fw -p tcp -j tcpflags
-A local-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A local-fw -j allowinUPnP
-A local-fw -p udp -m udp --dport 33434:33524 -m comment --comment Trcrt -j ACCEPT
-A local-fw -p icmp -m icmp --icmp-type 8 -m comment --comment Trcrt -j ACCEPT
-A local-fw -p udp -m udp --dport 123 -m comment --comment NTPbi -j ACCEPT
-A local-fw -p udp -m udp --dport 123 -m comment --comment NTPbi -j ACCEPT
-A local-fw -p tcp -m tcp --dport 22 -m comment --comment SSH -j ACCEPT
-A local-fw -p tcp -m tcp --dport 80 -m comment --comment Web -j ACCEPT
-A local-fw -p tcp -m tcp --dport 443 -m comment --comment Web -j ACCEPT
-A local-fw -p icmp -m icmp --icmp-type 8 -m comment --comment Ping -j ACCEPT
-A local-fw -p tcp -m tcp --dport 6881:6999 -m comment --comment BitTorrent32 -j ACCEPT
-A local-fw -p udp -m udp --dport 6881 -m comment --comment BitTorrent32 -j ACCEPT
-A local-fw -p udp -m udp --dport 1194 -m comment --comment OpenVPN -j ACCEPT
-A local-fw -p tcp -m tcp --dport 3306 -m comment --comment MySQL -j ACCEPT
-A local-fw -j ACCEPT
# local-inet: LAN -> Internet, unrestricted (final ACCEPT).
-A local-inet -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A local-inet -p udp -m udp --dport 33434:33524 -m comment --comment Trcrt -j ACCEPT
-A local-inet -p icmp -m icmp --icmp-type 8 -m comment --comment Trcrt -j ACCEPT
-A local-inet -p udp -m udp --dport 123 -m comment --comment NTPbi -j ACCEPT
-A local-inet -p udp -m udp --dport 123 -m comment --comment NTPbi -j ACCEPT
-A local-inet -j ACCEPT
# local_frwd: packets entering on br0. Egress via wan0 goes to local-inet;
# br0 -> br0 (bridged/intra-LAN forwarding) is accepted outright.
-A local_frwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A local_frwd -o br0 -p udp -m udp --dport 67:68 -j ACCEPT
-A local_frwd -p tcp -j tcpflags
-A local_frwd -o wan0 -j local-inet
-A local_frwd -o br0 -j ACCEPT
# Terminal helper chains. logdrop and logreject are declared but not referenced by
# any rule in this dump.
-A logdrop -j DROP
-A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level 6 --log-ip-options
-A logflags -j DROP
-A logreject -j reject
# reject: drop broadcast/multicast/IGMP silently (rejecting those would generate noise),
# then protocol-appropriate REJECT responses.
-A reject -d 127.255.255.255/32 -j DROP
-A reject -d 172.20.188.63/32 -j DROP
-A reject -d 192.168.0.255/32 -j DROP
-A reject -d 255.255.255.255/32 -j DROP
-A reject -s 224.0.0.0/4 -j DROP
-A reject -p igmp -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
# sfilter: log and drop (used for wan0 -> wan0 forwarding above).
-A sfilter -j LOG --log-prefix "Shorewall:sfilter:DROP:" --log-level 6
-A sfilter -j DROP
# tcpflags: invalid TCP flag combinations and SYNs from source port 0 are logged and dropped.
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g logflags
-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g logflags
COMMIT
# Completed on Fri Jul 10 14:57:08 2015