iptables-save output of the firewall created on gc-gw0 with the new concept.
# Generated by iptables-save v1.4.14 on Sun Jun 7 23:36:31 2015
# nat table: the only rule source-NATs everything leaving via tun-anonvpn.
# There is no -s restriction, so whatever the filter table allows to be
# forwarded out of tun-anonvpn is masqueraded behind the tunnel address.
# No DNAT / PREROUTING rules are present in this dump.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun-anonvpn -j MASQUERADE
COMMIT
# Completed on Sun Jun 7 23:36:31 2015
# Generated by iptables-save v1.4.14 on Sun Jun 7 23:36:31 2015
# mangle table: no rules, all built-in chains keep their ACCEPT policy.
# Nothing is marked here; any policy-routing marks that steer mesh traffic
# into tun-anonvpn would have to live outside this dump (ip rule / ip route).
*mangle
:PREROUTING ACCEPT [438:19148]
:INPUT ACCEPT [438:19148]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [411:32144]
:POSTROUTING ACCEPT [411:32144]
COMMIT
# Completed on Sun Jun 7 23:36:31 2015
# Generated by iptables-save v1.4.14 on Sun Jun 7 23:36:31 2015
# filter table. INPUT and FORWARD carry an ACCEPT policy, but each chain ends
# in an unconditional "-j DROP", so the effective stance is default-deny.
# OUTPUT has no rules at all: locally generated traffic is unrestricted.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [86:7568]
# DROP-log: logs (with IP/TCP options and owning uid) and then drops.
# No rule in this dump jumps to DROP-log, so nothing is currently logged --
# every terminal drop below uses a plain DROP.
:DROP-log - [0:0]
# Per-zone chains. Naming is zone-relative: "<zone>-input" handles packets
# for this host arriving from the zone; "<zone>-fwd-<iface>-out" handles
# packets leaving the zone via <iface> (matched on -i); "<zone>-fwd-in"
# handles packets entering the zone (matched on -o).
# Several chains (bat-input, icvpn-fwd-in, icvpn-fwd-out, mesh-fwd-in,
# mesh-fwd-out, peering-*, uplink-fwd-in, uplink-fwd-out) are declared but
# never jumped to anywhere in this dump -- presumably emitted for every zone
# by the generator; confirm they are intentionally unused.
:bat-input - [0:0]
:fwd-in - [0:0]
:icvpn-fwd-icvpn-out - [0:0]
:icvpn-fwd-in - [0:0]
:icvpn-fwd-out - [0:0]
:icvpn-input - [0:0]
:input - [0:0]
:mesh-fwd-br-ffgc-out - [0:0]
:mesh-fwd-in - [0:0]
:mesh-fwd-out - [0:0]
:mesh-input - [0:0]
:peering-fwd-in - [0:0]
:peering-fwd-out - [0:0]
:peering-input - [0:0]
:uplink-fwd-in - [0:0]
:uplink-fwd-out - [0:0]
:uplink-fwd-tun-anonvpn-out - [0:0]
:uplink-input - [0:0]
:wan-input - [0:0]
# INPUT: loopback and every ICMP type are accepted unconditionally (no ICMP
# rate limit). Conntrack admits replies and drops INVALID; only NEW UDP and
# NEW pure-SYN TCP (flags masked to FIN,SYN,RST,ACK) reach the zone dispatch
# chain "input". Everything else -- other protocols, non-SYN NEW TCP -- is
# rejected or dropped right here.
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j input
# UDP that "input" did not accept is answered with port-unreachable; the
# "-j DROP" at the end of "input" makes this rule reachable only for
# non-NEW UDP that conntrack did not classify above.
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j input
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j DROP
# FORWARD: the first rule sends every packet arriving on br-ffgc to fwd-in
# BEFORE the conntrack checks, and fwd-in accepts all br-ffgc traffic (via
# mesh-fwd-br-ffgc-out -> ACCEPT). Consequences: INVALID-state packets from
# the mesh are forwarded, and the output interface is never inspected for
# mesh-originated traffic. Whether such traffic can leave via eth0/eth1
# instead of tun-anonvpn depends on routing, which this dump does not show
# -- confirm that is intended. Traffic from other interfaces goes through
# the conntrack/protocol filter first, mirroring INPUT.
-A FORWARD -i br-ffgc -j fwd-in
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -p udp -m conntrack --ctstate NEW -j fwd-in
-A FORWARD -p udp -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j fwd-in
-A FORWARD -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -j DROP
# DROP-log: non-TCP and TCP get separate LOG rules so TCP sequence/options
# can be logged; both fall through to DROP. Unreferenced in this dump.
-A DROP-log ! -p tcp -j LOG --log-ip-options --log-uid
-A DROP-log -p tcp -j LOG --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid
-A DROP-log -j DROP
# bat-input: only alfred (udp/16962). Unreferenced in this dump.
-A bat-input -p udp -m udp --dport 16962 -m comment --comment alfred -j ACCEPT
-A bat-input -j DROP
# fwd-in: zone dispatch keyed on the INPUT interface only. Each target chain
# ends in an unconditional ACCEPT, so any forwarded packet from br-ffgc,
# icvpn or tun-anonvpn is accepted regardless of where it is going; the
# per-destination "*-fwd-in" chains are not consulted. Note that NEW
# connections arriving from tun-anonvpn (the uplink) are accepted inward as
# well -- whether they can actually reach mesh hosts behind the MASQUERADE
# depends on routing, not shown here; confirm this is intended.
-A fwd-in -i br-ffgc -j mesh-fwd-br-ffgc-out
-A fwd-in -i icvpn -j icvpn-fwd-icvpn-out
-A fwd-in -i tun-anonvpn -j uplink-fwd-tun-anonvpn-out
-A fwd-in -j DROP
# Everything leaving the icvpn zone is accepted.
-A icvpn-fwd-icvpn-out -j ACCEPT
# icvpn-fwd-in: unreferenced. The two rules below are verbatim duplicates;
# the second can never match because the first already ends in ACCEPT.
-A icvpn-fwd-in -o br-ffgc -j mesh-fwd-br-ffgc-out
-A icvpn-fwd-in -o br-ffgc -j mesh-fwd-br-ffgc-out
-A icvpn-fwd-in -j DROP
-A icvpn-fwd-out -j DROP
# input: dispatch to the zone chain by ingress interface. eth0 and eth1 are
# both treated as WAN. Unknown interfaces are dropped.
-A input -i br-ffgc -j mesh-input
-A input -i eth0 -j wan-input
-A input -i eth1 -j wan-input
-A input -i icvpn -j icvpn-input
-A input -i tun-anonvpn -j uplink-input
-A input -j DROP
# Everything leaving the mesh zone via br-ffgc is accepted.
-A mesh-fwd-br-ffgc-out -j ACCEPT
# mesh-fwd-in: unreferenced. Each (-o, target) pair appears twice verbatim;
# the duplicate copies can never match because the first already accepts.
-A mesh-fwd-in -o br-ffgc -j mesh-fwd-br-ffgc-out
-A mesh-fwd-in -o br-ffgc -j mesh-fwd-br-ffgc-out
-A mesh-fwd-in -o icvpn -j icvpn-fwd-icvpn-out
-A mesh-fwd-in -o icvpn -j icvpn-fwd-icvpn-out
-A mesh-fwd-in -o tun-anonvpn -j uplink-fwd-tun-anonvpn-out
-A mesh-fwd-in -j DROP
-A mesh-fwd-out -j DROP
# mesh-input: services offered to the mesh -- alfred (udp/16962), bird
# (tcp/179), dhcpd (udp/67,68), named (udp+tcp/53), ntpd (udp/123) and sshd
# (tcp/22). The -m recent pairs work per source address (--rsource): the
# --update rule drops once the hit count is reached inside the rolling
# window, the --set rule (no -j, so it falls through) records the hit, then
# the packet is accepted.
#   ntpd: >10 requests per source in a rolling 3600 s are dropped. Clients
#   polling more often than roughly every 6 minutes would be throttled --
#   confirm this matches the expected NTP poll interval.
#   sshd: >3 SYNs per source in 60 s are dropped. The list name "sshd" is
#   shared with wan-input, so SYNs arriving on either side count together.
-A mesh-input -p udp -m udp --dport 16962 -m comment --comment alfred -j ACCEPT
-A mesh-input -p tcp -m tcp --dport 179 -m comment --comment bird -j ACCEPT
-A mesh-input -p udp -m udp --dport 67 -m comment --comment dhcpd -j ACCEPT
-A mesh-input -p udp -m udp --dport 68 -m comment --comment dhcpd -j ACCEPT
-A mesh-input -p udp -m udp --dport 53 -m comment --comment named -j ACCEPT
-A mesh-input -p tcp -m tcp --dport 53 -m comment --comment named -j ACCEPT
-A mesh-input -p udp -m recent --update --seconds 3600 --hitcount 10 --name ntpd --rsource -m udp --dport 123 -j DROP
-A mesh-input -p udp -m recent --set --name ntpd --rsource -m udp --dport 123
-A mesh-input -p udp -m udp --dport 123 -m comment --comment ntpd -j ACCEPT
-A mesh-input -p tcp -m recent --update --seconds 60 --hitcount 3 --name sshd --rsource -m tcp --dport 22 -j DROP
-A mesh-input -p tcp -m recent --set --name sshd --rsource -m tcp --dport 22
-A mesh-input -p tcp -m tcp --dport 22 -j ACCEPT
-A mesh-input -j DROP
# peering / uplink forward chains: drop-only placeholders, unreferenced.
-A peering-fwd-in -j DROP
-A peering-fwd-out -j DROP
-A uplink-fwd-in -j DROP
-A uplink-fwd-out -j DROP
# Everything leaving the uplink zone via tun-anonvpn is accepted.
-A uplink-fwd-tun-anonvpn-out -j ACCEPT
# wan-input: drop packets claiming a loopback, this-network, reserved,
# documentation (TEST-NET-1/2/3), RFC 1918 or link-local source, then allow
# fastd (udp/10035), rate-limited SSH and tinc (tcp/655).
# This is a source-address check only; any reverse-path check (rp_filter)
# is outside this dump. The list does not include 100.64.0.0/10 or
# 224.0.0.0/4 -- confirm that is intended.
# Only TCP 655 is opened; tinc's UDP channel on the same port is not
# accepted here -- confirm whether TCP-only tinc operation is intended.
-A wan-input -s 127.0.0.0/8 -j DROP
-A wan-input -s 0.0.0.0/8 -j DROP
-A wan-input -s 240.0.0.0/4 -j DROP
-A wan-input -s 192.0.2.0/24 -j DROP
-A wan-input -s 198.51.100.0/24 -j DROP
-A wan-input -s 203.0.113.0/24 -j DROP
-A wan-input -s 192.168.0.0/16 -j DROP
-A wan-input -s 10.0.0.0/8 -j DROP
-A wan-input -s 172.16.0.0/12 -j DROP
-A wan-input -s 169.254.0.0/16 -j DROP
-A wan-input -p udp -m udp --dport 10035 -m comment --comment fastd-ffgc -j ACCEPT
# Same "sshd" recent-list as in mesh-input: 3 SYNs / 60 s per source.
-A wan-input -p tcp -m recent --update --seconds 60 --hitcount 3 --name sshd --rsource -m tcp --dport 22 -j DROP
-A wan-input -p tcp -m recent --set --name sshd --rsource -m tcp --dport 22
-A wan-input -p tcp -m tcp --dport 22 -j ACCEPT
-A wan-input -p tcp -m tcp --dport 655 -m comment --comment tincd -j ACCEPT
-A wan-input -j DROP
COMMIT
# Completed on Sun Jun 7 23:36:31 2015