Created
March 17, 2013 03:25
-
-
Save sunuslee/5179422 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Generated by iptables-save v1.4.6 on Tue May 8 19:22:59 2012 | |
| *nat | |
| :PREROUTING ACCEPT [860:71419] | |
| :POSTROUTING ACCEPT [167:12400] | |
| :OUTPUT ACCEPT [357:25377] | |
| :nat_reflection_in - [0:0] | |
| :nat_reflection_out - [0:0] | |
| :postrouting_rule - [0:0] | |
| :prerouting_lan - [0:0] | |
| :prerouting_rule - [0:0] | |
| :prerouting_wan - [0:0] | |
| :zone_lan_nat - [0:0] | |
| :zone_lan_prerouting - [0:0] | |
| :zone_wan_nat - [0:0] | |
| :zone_wan_prerouting - [0:0] | |
| -A PREROUTING -j prerouting_rule | |
| -A PREROUTING -i br-lan -j zone_lan_prerouting | |
| -A PREROUTING -i eth0.2 -j zone_wan_prerouting | |
| -A POSTROUTING -j postrouting_rule | |
| -A POSTROUTING -o br-lan -j zone_lan_nat | |
| -A POSTROUTING -o eth0.2 -j zone_wan_nat | |
| # packets goes to this step, it already being routed with out=ppp0 with VPN-ROUTE-GATEWAY | |
| # SNAT Do the magic here. | |
| # -A POSTROUTING -o ppp0 -j LOG --log-prefix "| sunus-d |" --log-level 7 | |
| -A POSTROUTING -o ppp0 -j SNAT --to-source PPP0-IP | |
| -A postrouting_rule -j nat_reflection_out | |
| -A prerouting_rule -j nat_reflection_in | |
| -A zone_lan_prerouting -j prerouting_lan | |
| # packets goes on | |
| # -A zone_lan_prerouting -j LOG --log-prefix "| sunus-b |" --log-level 7 | |
| -A zone_wan_nat -j MASQUERADE | |
| COMMIT | |
| # Completed on Tue May 8 19:22:59 2012 | |
| # Generated by iptables-save v1.4.6 on Tue May 8 19:22:59 2012 | |
| *raw | |
| :PREROUTING ACCEPT [42217:9866883] | |
| :OUTPUT ACCEPT [27952:11457451] | |
| :zone_lan_notrack - [0:0] | |
| :zone_wan_notrack - [0:0] | |
| -A PREROUTING -i br-lan -j zone_lan_notrack | |
| -A PREROUTING -i eth0.2 -j zone_wan_notrack | |
| COMMIT | |
| # Completed on Tue May 8 19:22:59 2012 | |
| # Generated by iptables-save v1.4.6 on Tue May 8 19:22:59 2012 | |
| *mangle | |
| :PREROUTING ACCEPT [42217:9866883] | |
| :INPUT ACCEPT [25058:4284357] | |
| :FORWARD ACCEPT [16223:5454059] | |
| :OUTPUT ACCEPT [27952:11457451] | |
| :POSTROUTING ACCEPT [43936:16896100] | |
| :ASSIGNOUT - [0:0] | |
| :Default - [0:0] | |
| :Default_ct - [0:0] | |
| :Default_ct_dn - [0:0] | |
| :Default_dn - [0:0] | |
| :NWANOUT - [0:0] | |
| :NWANPOS - [0:0] | |
| :NWANPRE - [0:0] | |
| -A PREROUTING -j ASSIGNOUT | |
| -A PREROUTING -j NWANPRE | |
| -A OUTPUT -j NWANOUT | |
| -A POSTROUTING -j NWANPOS | |
| -A ASSIGNOUT -m state --state RELATED,ESTABLISHED -j RETURN | |
| -A Default -m connmark --mark 0x0 -m recent --update --seconds 600 --name p2p_up --rsource --rport -j CONNMARK --set-xmark 0x4/0xffffffff | |
| -A Default -m connmark --mark 0x0 -m recent --update --seconds 600 --name funshion --rsource --rport -j CONNMARK --set-xmark 0x9/0xffffffff | |
| -A Default -m connmark --mark 0x3 -m opendpi --thunder -j CONNMARK --set-xmark 0x4/0xffffffff | |
| -A Default -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff | |
| -A Default -m mark --mark 0x0 -j Default_ct | |
| -A Default -m mark --mark 0x1 -m length --length 400:65535 -j MARK --set-xmark 0x0/0xffffffff | |
| -A Default -m mark --mark 0x2 -m length --length 800:65535 -j MARK --set-xmark 0x0/0xffffffff | |
| -A Default -p icmp -j MARK --set-xmark 0x1/0xffffffff | |
| -A Default -p tcp -m length --length 0:128 -m mark --mark 0x3 -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j MARK --set-xmark 0x2/0xffffffff | |
| -A Default -p tcp -m length --length 0:128 -m mark --mark 0x3 -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG ACK -j MARK --set-xmark 0x2/0xffffffff | |
| -A Default -p tcp -m length --length 0:128 -m mark --mark 0x0 -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j MARK --set-xmark 0x3/0xffffffff | |
| -A Default -p tcp -m length --length 0:128 -m mark --mark 0x0 -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG ACK -j MARK --set-xmark 0x3/0xffffffff | |
| -A Default -p udp -m mark --mark 0x0 -m length --length 0:65535 -j MARK --set-xmark 0x4/0xffffffff | |
| -A Default -p tcp -m mark --mark 0x0 -m length --length 0:65535 -j MARK --set-xmark 0x4/0xffffffff | |
| -A Default -p udp -m mark --mark 0x4 -m length --length 300:65535 -j MARK --set-xmark 0x5/0xffffffff | |
| -A Default -p tcp -m mark --mark 0x4 -m length --length 300:65535 -j MARK --set-xmark 0x5/0xffffffff | |
| -A Default -p udp -m mark --mark 0x9 -m length --length 300:65535 -j MARK --set-xmark 0x5/0xffffffff | |
| -A Default -p tcp -m mark --mark 0x9 -m length --length 300:65535 -j MARK --set-xmark 0x5/0xffffffff | |
| -A Default_ct -p tcp -m mark --mark 0x0 -m tcp -m multiport --ports 22,53 -j MARK --set-xmark 0x2/0xffffffff | |
| -A Default_ct -p udp -m mark --mark 0x0 -m udp -m multiport --ports 22,53 -j MARK --set-xmark 0x2/0xffffffff | |
| -A Default_ct -p tcp -m mark --mark 0x0 -m tcp -m multiport --ports 80,3389,3390,5900,1080,1194 -j MARK --set-xmark 0x3/0xffffffff | |
| -A Default_ct -m mark --mark 0x0 -m opendpi --hf -j MARK --set-xmark 0x1/0xffffffff | |
| -A Default_ct -m mark --mark 0x0 -m opendpi --pt11 -j MARK --set-xmark 0x1/0xffffffff | |
| -A Default_ct -m mark --mark 0x0 -m opendpi --warcraft3 -j MARK --set-xmark 0x1/0xffffffff | |
| -A Default_ct -m mark --mark 0x0 -m opendpi --counterstrike -j MARK --set-xmark 0x1/0xffffffff | |
| -A Default_ct -m mark --mark 0x0 -m opendpi --crossfire -j MARK --set-xmark 0x1/0xffffffff | |
| -A Default_ct -m mark --mark 0x0 -m opendpi --qq -j MARK --set-xmark 0x2/0xffffffff | |
| -A Default_ct -m mark --mark 0x0 -m opendpi --irc -j MARK --set-xmark 0x2/0xffffffff | |
| -A Default_ct -m mark --mark 0x0 -m opendpi --aliwangwang -j MARK --set-xmark 0x2/0xffffffff | |
| -A Default_ct -m mark --mark 0x0 -m opendpi --msn -j MARK --set-xmark 0x2/0xffffffff | |
| -A Default_ct -m mark --mark 0x0 -m opendpi --jabber -j MARK --set-xmark 0x2/0xffffffff | |
| -A Default_ct -m mark --mark 0x0 -m opendpi --worldofwarcraft -j MARK --set-xmark 0x2/0xffffffff | |
| -A Default_ct -m mark --mark 0x0 -m opendpi --rdp -j MARK --set-xmark 0x2/0xffffffff | |
| -A Default_ct -m mark --mark 0x0 -m opendpi --httpactivesync -j MARK --set-xmark 0x3/0xffffffff | |
| -A Default_ct -m mark --mark 0x0 -m opendpi --http -j MARK --set-xmark 0x3/0xffffffff | |
| -A Default_ct -m mark --mark 0x0 -m opendpi --telnet -j MARK --set-xmark 0x3/0xffffffff | |
| -A Default_ct -m mark --mark 0x0 -m opendpi --flash -j MARK --set-xmark 0x3/0xffffffff | |
| -A Default_ct -m mark --mark 0x0 -m opendpi --ntp -j MARK --set-xmark 0x3/0xffffffff | |
| -A Default_ct -m mark --mark 0x0 -m opendpi --mdns -j MARK --set-xmark 0x3/0xffffffff | |
| -A Default_ct -m mark --mark 0x0 -m opendpi --ppstream -j MARK --set-xmark 0x4/0xffffffff | |
| -A Default_ct -m mark --mark 0x0 -m opendpi --qqlive -j MARK --set-xmark 0x4/0xffffffff | |
| -A Default_ct -m mark --mark 0x0 -m opendpi --bittorrent -j MARK --set-xmark 0x4/0xffffffff | |
| -A Default_ct -m mark --mark 0x0 -m opendpi --ftp -j MARK --set-xmark 0x4/0xffffffff | |
| -A Default_ct -m mark --mark 0x0 -m opendpi --feidian -j MARK --set-xmark 0x4/0xffffffff | |
| -A Default_ct -m mark --mark 0x0 -m opendpi --ddl -j MARK --set-xmark 0x4/0xffffffff | |
| -A Default_ct -m mark --mark 0x0 -m opendpi --fasttrack -j MARK --set-xmark 0x5/0xffffffff | |
| -A Default_ct -m mark --mark 0x0 -m opendpi --funshion -j MARK --set-xmark 0x9/0xffffffff | |
| -A Default_ct -m mark --mark 0x9 -m recent --set --name funshion --rsource --rport | |
| -A Default_ct -m mark --mark 0x0 -m opendpi --pptv -j MARK --set-xmark 0x8/0xffffffff | |
| -A Default_ct -m mark --mark 0x0 -m opendpi --thunder -j MARK --set-xmark 0x8/0xffffffff | |
| -A Default_ct -m mark --mark 0x8 -m recent --set --name p2p_up --rsource --rport -j MARK --set-xmark 0x4/0xffffffff | |
| -A Default_ct -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff | |
| -A Default_dn -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff | |
| -A Default_dn -m mark --mark 0x0 -j Default_ct_dn | |
| -A NWANOUT -m conntrack --ctstate RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff | |
| -A NWANPOS -o eth0.2 -m state --state NEW -j CONNMARK --set-xmark 0xa/0xffffffff | |
| -A NWANPRE -i eth0.2 -m state --state NEW -j CONNMARK --set-xmark 0xa/0xffffffff | |
| -A NWANPRE -i br-lan -m conntrack --ctstate RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff | |
| # The Start of a forwarding packets from sunus to the route.(forwarding to ppp0) | |
| # -A NWANPRE -s 192.168.1.169/32 -j LOG --log-prefix "| sunus-a |" --log-level 7 | |
| COMMIT | |
| # Completed on Tue May 8 19:22:59 2012 | |
| # Generated by iptables-save v1.4.6 on Tue May 8 19:22:59 2012 | |
| *filter | |
| :INPUT ACCEPT [65:4166] | |
| :FORWARD DROP [0:0] | |
| :OUTPUT ACCEPT [0:0] | |
| :forward - [0:0] | |
| :forwarding_lan - [0:0] | |
| :forwarding_rule - [0:0] | |
| :forwarding_wan - [0:0] | |
| :input - [0:0] | |
| :input_lan - [0:0] | |
| :input_rule - [0:0] | |
| :input_wan - [0:0] | |
| :nat_reflection_fwd - [0:0] | |
| :output - [0:0] | |
| :output_rule - [0:0] | |
| :reject - [0:0] | |
| :syn_flood - [0:0] | |
| :zone_lan - [0:0] | |
| :zone_lan_ACCEPT - [0:0] | |
| :zone_lan_DROP - [0:0] | |
| :zone_lan_REJECT - [0:0] | |
| :zone_lan_forward - [0:0] | |
| :zone_wan - [0:0] | |
| :zone_wan_ACCEPT - [0:0] | |
| :zone_wan_DROP - [0:0] | |
| :zone_wan_REJECT - [0:0] | |
| :zone_wan_forward - [0:0] | |
| -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| -A INPUT -i lo -j ACCEPT | |
| -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood | |
| -A INPUT -j input_rule | |
| -A INPUT -j input | |
| -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| -A FORWARD -j forwarding_rule | |
| -A FORWARD -j forward | |
| -A FORWARD -j reject | |
| -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| -A OUTPUT -o lo -j ACCEPT | |
| -A OUTPUT -j output_rule | |
| -A OUTPUT -j output | |
| -A forward -i br-lan -j zone_lan_forward | |
| -A forward -i eth0.2 -j zone_wan_forward | |
| -A forwarding_rule -j nat_reflection_fwd | |
| -A input -i br-lan -j zone_lan | |
| -A input -i eth0.2 -j zone_wan | |
| -A output -j zone_lan_ACCEPT | |
| -A output -j zone_wan_ACCEPT | |
| -A reject -p tcp -j REJECT --reject-with tcp-reset | |
| -A reject -j REJECT --reject-with icmp-port-unreachable | |
| -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN | |
| -A syn_flood -j DROP | |
| -A zone_lan -j input_lan | |
| -A zone_lan -j zone_lan_ACCEPT | |
| -A zone_lan_ACCEPT -o br-lan -j ACCEPT | |
| -A zone_lan_ACCEPT -i br-lan -j ACCEPT | |
| -A zone_lan_DROP -o br-lan -j DROP | |
| -A zone_lan_DROP -i br-lan -j DROP | |
| -A zone_lan_REJECT -o br-lan -j reject | |
| -A zone_lan_REJECT -i br-lan -j reject | |
| -A zone_lan_forward -j zone_wan_ACCEPT | |
| -A zone_lan_forward -j forwarding_lan | |
| -A zone_lan_forward -j zone_lan_REJECT | |
| -A zone_wan -p udp -m udp --dport 68 -j ACCEPT | |
| -A zone_wan -p icmp -m icmp --icmp-type 8 -j ACCEPT | |
| -A zone_wan -j input_wan | |
| -A zone_wan -j zone_wan_REJECT | |
| -A zone_wan_ACCEPT -o eth0.2 -j ACCEPT | |
| -A zone_wan_ACCEPT -i eth0.2 -j ACCEPT | |
| # packets goes on | |
| # -A zone_wan_ACCEPT -o ppp0 -j LOG --log-prefix "| sunus-c |" --log-level 7 | |
| # packets goes on, need to open ppp0 to accept this packet | |
| -A zone_wan_ACCEPT -o ppp0 -j ACCEPT | |
| -A zone_wan_DROP -o eth0.2 -j DROP | |
| -A zone_wan_DROP -i eth0.2 -j DROP | |
| -A zone_wan_REJECT -o eth0.2 -j reject | |
| -A zone_wan_REJECT -i eth0.2 -j reject | |
| -A zone_wan_forward -j forwarding_wan | |
| -A zone_wan_forward -j zone_wan_REJECT | |
| COMMIT | |
| # Completed on Tue May 8 19:22:59 2012 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment