
@stefangweichinger
Created May 5, 2021 13:52
root@app1:~# iptables -L
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:67
ACCEPT udp -- anywhere anywhere udp dpt:bootps
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@app1:~# iptables-legacy -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- unifi.oops.co.at anywhere tcp dpt:ssh
hashlimit-filter_icmp_flood icmp -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
hashlimit-filter_syn_flood tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
LOG all -- anywhere anywhere recent: UPDATE seconds: 7200 name: badguys side: source mask: 255.255.255.255 limit: avg 2/min burst 5 LOG level warning ip-options prefix "ipt-recent-badguys: "
REJECT all -- anywhere anywhere recent: UPDATE seconds: 7200 name: badguys side: source mask: 255.255.255.255 reject-with icmp-admin-prohibited
all -- anywhere anywhere recent: REMOVE name: badguys side: source mask: 255.255.255.255
filter-ssh tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:dhcpv6-server
ACCEPT tcp -- anywhere anywhere multiport dports http,https
debops-legacy-input-rules all -- anywhere anywhere
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
Chain debops-legacy-input-rules (1 references)
target prot opt source destination
Chain filter-ssh (1 references)
target prot opt source destination
LOG tcp -- anywhere anywhere tcp dpt:ssh state NEW recent: UPDATE seconds: 300 hit_count: 8 name: ssh-new side: source mask: 255.255.255.255 limit: avg 2/min burst 5 LOG level warning ip-options prefix "ipt-recent-ssh-new: "
REJECT tcp -- anywhere anywhere tcp dpt:ssh state NEW recent: UPDATE seconds: 300 hit_count: 8 name: ssh-new side: source mask: 255.255.255.255 reject-with icmp-admin-prohibited
tcp -- anywhere anywhere tcp dpt:ssh state NEW recent: SET name: ssh-new side: source mask: 255.255.255.255
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
Chain hashlimit-filter_icmp_flood (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere limit: up to 10/sec burst 10 mode srcip htable-expire 3600000
LOG all -- anywhere anywhere limit: avg 2/min burst 5 LOG level warning ip-options prefix "ipt-hashlimit-filter_icmp_flo"
DROP all -- anywhere anywhere
Chain hashlimit-filter_syn_flood (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere limit: up to 40/sec burst 40 mode srcip htable-expire 3600000
LOG all -- anywhere anywhere limit: avg 2/min burst 5 LOG level warning ip-options prefix "ipt-hashlimit-filter_syn_floo"
DROP all -- anywhere anywhere