Created
March 29, 2017 17:58
-
-
Save xavier83/31b70b044ad9028b4c8083a020544958 to your computer and use it in GitHub Desktop.
iptables-save generated file
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Generated by iptables-save v1.6.0 on Wed Mar 29 23:26:05 2017 | |
*nat | |
:PREROUTING ACCEPT [0:0] | |
:INPUT ACCEPT [0:0] | |
:OUTPUT ACCEPT [1367:85931] | |
:POSTROUTING ACCEPT [1367:85931] | |
:NAT_POSTROUTING_CHAIN - [0:0] | |
:NAT_PREROUTING_CHAIN - [0:0] | |
:POST_NAT_POSTROUTING_CHAIN - [0:0] | |
:POST_NAT_PREROUTING_CHAIN - [0:0] | |
-A PREROUTING -j NAT_PREROUTING_CHAIN | |
-A PREROUTING -j POST_NAT_PREROUTING_CHAIN | |
-A POSTROUTING -j NAT_POSTROUTING_CHAIN | |
-A POSTROUTING -j POST_NAT_POSTROUTING_CHAIN | |
COMMIT | |
# Completed on Wed Mar 29 23:26:05 2017 | |
# Generated by iptables-save v1.6.0 on Wed Mar 29 23:26:05 2017 | |
*mangle | |
:PREROUTING ACCEPT [21071:11629411] | |
:INPUT ACCEPT [21071:11629411] | |
:FORWARD ACCEPT [0:0] | |
:OUTPUT ACCEPT [17905:1765093] | |
:POSTROUTING ACCEPT [17956:1770141] | |
COMMIT | |
# Completed on Wed Mar 29 23:26:05 2017 | |
# Generated by iptables-save v1.6.0 on Wed Mar 29 23:26:05 2017 | |
*filter | |
:INPUT DROP [0:0] | |
:FORWARD DROP [0:0] | |
:OUTPUT DROP [0:0] | |
:BASE_FORWARD_CHAIN - [0:0] | |
:BASE_INPUT_CHAIN - [0:0] | |
:BASE_OUTPUT_CHAIN - [0:0] | |
:DMZ_FORWARD_IN_CHAIN - [0:0] | |
:DMZ_FORWARD_OUT_CHAIN - [0:0] | |
:DMZ_INET_FORWARD_CHAIN - [0:0] | |
:DMZ_INPUT_CHAIN - [0:0] | |
:DMZ_LAN_FORWARD_CHAIN - [0:0] | |
:DMZ_OUTPUT_CHAIN - [0:0] | |
:EXT_BROADCAST_CHAIN - [0:0] | |
:EXT_FORWARD_IN_CHAIN - [0:0] | |
:EXT_FORWARD_OUT_CHAIN - [0:0] | |
:EXT_ICMP_FLOOD_CHAIN - [0:0] | |
:EXT_INPUT_CHAIN - [0:0] | |
:EXT_MULTICAST_CHAIN - [0:0] | |
:EXT_OUTPUT_CHAIN - [0:0] | |
:FORWARD_CHAIN - [0:0] | |
:HOST_BLOCK_DROP - [0:0] | |
:HOST_BLOCK_DST - [0:0] | |
:HOST_BLOCK_SRC - [0:0] | |
:INET_DMZ_FORWARD_CHAIN - [0:0] | |
:INPUT_CHAIN - [0:0] | |
:INT_INPUT_CHAIN - [0:0] | |
:INT_OUTPUT_CHAIN - [0:0] | |
:LAN_INET_FORWARD_CHAIN - [0:0] | |
:LAN_LAN_FORWARD_CHAIN - [0:0] | |
:OUTPUT_CHAIN - [0:0] | |
:POST_FORWARD_CHAIN - [0:0] | |
:POST_INPUT_CHAIN - [0:0] | |
:POST_INPUT_DROP_CHAIN - [0:0] | |
:POST_OUTPUT_CHAIN - [0:0] | |
:RESERVED_NET_CHK - [0:0] | |
:SPOOF_CHK - [0:0] | |
:VALID_CHK - [0:0] | |
-A INPUT -j BASE_INPUT_CHAIN | |
-A INPUT -j INPUT_CHAIN | |
-A INPUT -j HOST_BLOCK_SRC | |
-A INPUT -j SPOOF_CHK | |
-A INPUT -i enp3s0 -j VALID_CHK | |
-A INPUT -i enp3s0 ! -p icmp -m state --state NEW -j EXT_INPUT_CHAIN | |
-A INPUT -i enp3s0 -p icmp -m state --state NEW -m limit --limit 60/sec --limit-burst 100 -j EXT_INPUT_CHAIN | |
-A INPUT -i enp3s0 -p icmp -m state --state NEW -j EXT_ICMP_FLOOD_CHAIN | |
-A INPUT -i wlp2s0 -j VALID_CHK | |
-A INPUT -i wlp2s0 ! -p icmp -m state --state NEW -j EXT_INPUT_CHAIN | |
-A INPUT -i wlp2s0 -p icmp -m state --state NEW -m limit --limit 60/sec --limit-burst 100 -j EXT_INPUT_CHAIN | |
-A INPUT -i wlp2s0 -p icmp -m state --state NEW -j EXT_ICMP_FLOOD_CHAIN | |
-A INPUT -j POST_INPUT_CHAIN | |
-A INPUT -m limit --limit 1/sec -j LOG --log-prefix "AIF:Dropped INPUT packet: " --log-level 6 | |
-A INPUT -j DROP | |
-A FORWARD -j BASE_FORWARD_CHAIN | |
-A FORWARD -o enp3s0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu | |
-A FORWARD -o wlp2s0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu | |
-A FORWARD -j FORWARD_CHAIN | |
-A FORWARD -j HOST_BLOCK_SRC | |
-A FORWARD -j HOST_BLOCK_DST | |
-A FORWARD -i enp3s0 -j EXT_FORWARD_IN_CHAIN | |
-A FORWARD -o enp3s0 -j EXT_FORWARD_OUT_CHAIN | |
-A FORWARD -i wlp2s0 -j EXT_FORWARD_IN_CHAIN | |
-A FORWARD -o wlp2s0 -j EXT_FORWARD_OUT_CHAIN | |
-A FORWARD -j SPOOF_CHK | |
-A FORWARD -j POST_FORWARD_CHAIN | |
-A FORWARD -m limit --limit 1/min --limit-burst 3 -j LOG --log-prefix "AIF:Dropped FORWARD packet: " --log-level 6 | |
-A FORWARD -j DROP | |
-A OUTPUT -j BASE_OUTPUT_CHAIN | |
-A OUTPUT -o enp3s0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu | |
-A OUTPUT -o wlp2s0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu | |
-A OUTPUT -j OUTPUT_CHAIN | |
-A OUTPUT -j HOST_BLOCK_DST | |
-A OUTPUT -f -m limit --limit 3/min -j LOG --log-prefix "AIF:Fragment packet: " --log-level 6 | |
-A OUTPUT -f -j DROP | |
-A OUTPUT -o enp3s0 -j EXT_OUTPUT_CHAIN | |
-A OUTPUT -o wlp2s0 -j EXT_OUTPUT_CHAIN | |
-A OUTPUT -j POST_OUTPUT_CHAIN | |
-A OUTPUT -j ACCEPT | |
-A BASE_FORWARD_CHAIN -m state --state ESTABLISHED -j ACCEPT | |
-A BASE_FORWARD_CHAIN -p tcp -m state --state RELATED -m tcp --dport 1024:65535 -j ACCEPT | |
-A BASE_FORWARD_CHAIN -p udp -m state --state RELATED -m udp --dport 1024:65535 -j ACCEPT | |
-A BASE_FORWARD_CHAIN -p icmp -m state --state RELATED -j ACCEPT | |
-A BASE_FORWARD_CHAIN -i lo -j ACCEPT | |
-A BASE_INPUT_CHAIN -m state --state ESTABLISHED -j ACCEPT | |
-A BASE_INPUT_CHAIN -p tcp -m state --state RELATED -m tcp --dport 1024:65535 -j ACCEPT | |
-A BASE_INPUT_CHAIN -p udp -m state --state RELATED -m udp --dport 1024:65535 -j ACCEPT | |
-A BASE_INPUT_CHAIN -p icmp -m state --state RELATED -j ACCEPT | |
-A BASE_INPUT_CHAIN -i lo -j ACCEPT | |
-A BASE_OUTPUT_CHAIN -m state --state ESTABLISHED -j ACCEPT | |
-A BASE_OUTPUT_CHAIN -o lo -j ACCEPT | |
-A EXT_BROADCAST_CHAIN -p tcp -m tcp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV TCP broadcast: " --log-level 6 | |
-A EXT_BROADCAST_CHAIN -p udp -m udp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV UDP broadcast: " --log-level 6 | |
-A EXT_BROADCAST_CHAIN -p tcp -m tcp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV TCP broadcast: " --log-level 6 | |
-A EXT_BROADCAST_CHAIN -p udp -m udp --dport 1024 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV UDP broadcast: " --log-level 6 | |
-A EXT_BROADCAST_CHAIN -j DROP | |
-A EXT_FORWARD_IN_CHAIN -j VALID_CHK | |
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 3 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-unreachable flood: " --log-level 6 | |
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 3 -j POST_INPUT_DROP_CHAIN | |
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 11 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-time-exceeded fld: " --log-level 6 | |
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 11 -j POST_INPUT_DROP_CHAIN | |
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 12 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-param-problem fld: " --log-level 6 | |
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 12 -j POST_INPUT_DROP_CHAIN | |
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-request(ping) fld: " --log-level 6 | |
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 8 -j POST_INPUT_DROP_CHAIN | |
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 0 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-reply(pong) flood: " --log-level 6 | |
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 0 -j POST_INPUT_DROP_CHAIN | |
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 4 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-source-quench fld: " --log-level 6 | |
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 4 -j POST_INPUT_DROP_CHAIN | |
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP(other) flood: " --log-level 6 | |
-A EXT_ICMP_FLOOD_CHAIN -p icmp -j POST_INPUT_DROP_CHAIN | |
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "AIF:Port 0 OS fingerprint: " --log-level 6 | |
-A EXT_INPUT_CHAIN -p udp -m udp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "AIF:Port 0 OS fingerprint: " --log-level 6 | |
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0 -j POST_INPUT_DROP_CHAIN | |
-A EXT_INPUT_CHAIN -p udp -m udp --dport 0 -j POST_INPUT_DROP_CHAIN | |
-A EXT_INPUT_CHAIN -p tcp -m tcp --sport 0 -m limit --limit 6/hour -j LOG --log-prefix "AIF:TCP source port 0: " --log-level 6 | |
-A EXT_INPUT_CHAIN -p udp -m udp --sport 0 -m limit --limit 6/hour -j LOG --log-prefix "AIF:UDP source port 0: " --log-level 6 | |
-A EXT_INPUT_CHAIN -p tcp -m tcp --sport 0 -j POST_INPUT_DROP_CHAIN | |
-A EXT_INPUT_CHAIN -p udp -m udp --sport 0 -j POST_INPUT_DROP_CHAIN | |
-A EXT_INPUT_CHAIN -p udp -m udp --sport 67 --dport 68 -j ACCEPT | |
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 1024:65535 ! --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth scan? (UNPRIV): " --log-level 6 | |
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0:1023 ! --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth scan? (PRIV): " --log-level 6 | |
-A EXT_INPUT_CHAIN -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j POST_INPUT_DROP_CHAIN | |
-A EXT_INPUT_CHAIN -d 255.255.255.255/32 -j EXT_BROADCAST_CHAIN | |
-A EXT_INPUT_CHAIN -d 192.168.100.255/32 -j EXT_BROADCAST_CHAIN | |
-A EXT_INPUT_CHAIN -d 224.0.0.0/4 -j EXT_MULTICAST_CHAIN | |
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV TCP packet: " --log-level 6 | |
-A EXT_INPUT_CHAIN -p udp -m udp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV UDP packet: " --log-level 6 | |
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV TCP packet: " --log-level 6 | |
-A EXT_INPUT_CHAIN -p udp -m udp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV UDP packet: " --log-level 6 | |
-A EXT_INPUT_CHAIN -p igmp -m limit --limit 1/min -j LOG --log-prefix "AIF:IGMP packet: " --log-level 6 | |
-A EXT_INPUT_CHAIN -j POST_INPUT_CHAIN | |
-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-request: " --log-level 6 | |
-A EXT_INPUT_CHAIN -p icmp -m icmp ! --icmp-type 8 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-other: " --log-level 6 | |
-A EXT_INPUT_CHAIN -p tcp -j POST_INPUT_DROP_CHAIN | |
-A EXT_INPUT_CHAIN -p udp -j POST_INPUT_DROP_CHAIN | |
-A EXT_INPUT_CHAIN -p igmp -j POST_INPUT_DROP_CHAIN | |
-A EXT_INPUT_CHAIN -p icmp -j POST_INPUT_DROP_CHAIN | |
-A EXT_INPUT_CHAIN -m limit --limit 1/min -j LOG --log-prefix "AIF:Other connect: " --log-level 6 | |
-A EXT_INPUT_CHAIN -j POST_INPUT_DROP_CHAIN | |
-A EXT_MULTICAST_CHAIN -p tcp -m tcp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV TCP multicast: " --log-level 6 | |
-A EXT_MULTICAST_CHAIN -p udp -m udp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV UDP multicast: " --log-level 6 | |
-A EXT_MULTICAST_CHAIN -p tcp -m tcp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV TCP multicast: " --log-level 6 | |
-A EXT_MULTICAST_CHAIN -p udp -m udp --dport 1024 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV UDP multicast: " --log-level 6 | |
-A EXT_MULTICAST_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-multicast-request: " --log-level 6 | |
-A EXT_MULTICAST_CHAIN -p icmp -m icmp ! --icmp-type 8 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-multicast-other: " --log-level 6 | |
-A EXT_MULTICAST_CHAIN -j DROP | |
-A HOST_BLOCK_DROP -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "AIF:Blocked host(s): " --log-level 6 | |
-A HOST_BLOCK_DROP -j DROP | |
-A POST_INPUT_DROP_CHAIN -j DROP | |
-A SPOOF_CHK -j RETURN | |
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth XMAS scan: " --log-level 6 | |
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth XMAS-PSH scan: " --log-level 6 | |
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth XMAS-ALL scan: " --log-level 6 | |
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth FIN scan: " --log-level 6 | |
-A VALID_CHK -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth SYN/RST scan: " --log-level 6 | |
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth SYN/FIN scan?: " --log-level 6 | |
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth Null scan: " --log-level 6 | |
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j POST_INPUT_DROP_CHAIN | |
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j POST_INPUT_DROP_CHAIN | |
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j POST_INPUT_DROP_CHAIN | |
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j POST_INPUT_DROP_CHAIN | |
-A VALID_CHK -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j POST_INPUT_DROP_CHAIN | |
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j POST_INPUT_DROP_CHAIN | |
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j POST_INPUT_DROP_CHAIN | |
-A VALID_CHK -p tcp -m tcp --tcp-option 64 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:Bad TCP flag(64): " --log-level 6 | |
-A VALID_CHK -p tcp -m tcp --tcp-option 128 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:Bad TCP flag(128): " --log-level 6 | |
-A VALID_CHK -p tcp -m tcp --tcp-option 64 -j POST_INPUT_DROP_CHAIN | |
-A VALID_CHK -p tcp -m tcp --tcp-option 128 -j POST_INPUT_DROP_CHAIN | |
-A VALID_CHK -m state --state INVALID -j POST_INPUT_DROP_CHAIN | |
-A VALID_CHK -f -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:Fragment packet: " | |
-A VALID_CHK -f -j DROP | |
COMMIT | |
# Completed on Wed Mar 29 23:26:05 2017 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment