Created
May 5, 2021 13:52
root@app1:~# iptables -L
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:67
ACCEPT udp -- anywhere anywhere udp dpt:bootps
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@app1:~# iptables-legacy -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- unifi.oops.co.at anywhere tcp dpt:ssh
hashlimit-filter_icmp_flood icmp -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
hashlimit-filter_syn_flood tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
LOG all -- anywhere anywhere recent: UPDATE seconds: 7200 name: badguys side: source mask: 255.255.255.255 limit: avg 2/min burst 5 LOG level warning ip-options prefix "ipt-recent-badguys: "
REJECT all -- anywhere anywhere recent: UPDATE seconds: 7200 name: badguys side: source mask: 255.255.255.255 reject-with icmp-admin-prohibited
all -- anywhere anywhere recent: REMOVE name: badguys side: source mask: 255.255.255.255
filter-ssh tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:dhcpv6-server
ACCEPT tcp -- anywhere anywhere multiport dports http,https
debops-legacy-input-rules all -- anywhere anywhere
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
Chain debops-legacy-input-rules (1 references)
target prot opt source destination
Chain filter-ssh (1 references)
target prot opt source destination
LOG tcp -- anywhere anywhere tcp dpt:ssh state NEW recent: UPDATE seconds: 300 hit_count: 8 name: ssh-new side: source mask: 255.255.255.255 limit: avg 2/min burst 5 LOG level warning ip-options prefix "ipt-recent-ssh-new: "
REJECT tcp -- anywhere anywhere tcp dpt:ssh state NEW recent: UPDATE seconds: 300 hit_count: 8 name: ssh-new side: source mask: 255.255.255.255 reject-with icmp-admin-prohibited
tcp -- anywhere anywhere tcp dpt:ssh state NEW recent: SET name: ssh-new side: source mask: 255.255.255.255
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
Chain hashlimit-filter_icmp_flood (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere limit: up to 10/sec burst 10 mode srcip htable-expire 3600000
LOG all -- anywhere anywhere limit: avg 2/min burst 5 LOG level warning ip-options prefix "ipt-hashlimit-filter_icmp_flo"
DROP all -- anywhere anywhere
Chain hashlimit-filter_syn_flood (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere limit: up to 40/sec burst 40 mode srcip htable-expire 3600000
LOG all -- anywhere anywhere limit: avg 2/min burst 5 LOG level warning ip-options prefix "ipt-hashlimit-filter_syn_floo"
DROP all -- anywhere anywhere