mirror of
https://github.com/firehol/firehol.git
synced 2024-06-28 18:02:33 +00:00
Reinstate possibly undesired change to FORWARD behaviour, and bring tests into line
Changes based on test review: Apply FORWARD rules early, as before, since these could otherwise be missing entirely depending on policy Reinstate the ordering of accepting related ICMP after dropping invalid Use chain name in log invalid calls, which is more similar to the previous output format Update expected test outputs to reflect the intended move of invalid connection handling to after user rules
This commit is contained in:
Dominic Benson
parent
44095b64dd
commit
8f8ef1b8be
37
sbin/firehol
37
sbin/firehol
@ -6469,8 +6469,24 @@ close_master() {
|
||||
iptables_both -t mangle -A POSTROUTING -j CONNMARK --save-mark --mask ${MARKS_SAVERESTORE_STATELESS_MASK}
|
||||
fi
|
||||
|
||||
set_work_function "Apply polices to drop orphan or invalid packets on INPUT/OUTPUT"
|
||||
|
||||
# Insert session cleanup rules here, after user rules are processed
|
||||
# NB that the forward chain is updated along with firewall_filtering_policy_common
|
||||
# since they may not be applied in the policy chain
|
||||
if [ ${ENABLE_IPV4} -eq 1 ]
|
||||
then
|
||||
firewall_filtering_policy_common_late iptables INPUT
|
||||
firewall_filtering_policy_common_late iptables OUTPUT
|
||||
fi
|
||||
if [ ${ENABLE_IPV6} -eq 1 ]
|
||||
then
|
||||
firewall_filtering_policy_common_late ip6tables INPUT
|
||||
firewall_filtering_policy_common_late ip6tables OUTPUT
|
||||
fi
|
||||
|
||||
set_work_function "Matching all ICMP related packets to the ESTABLISHED connections"
|
||||
|
||||
|
||||
if [ ${ENABLE_IPV4} -eq 1 ]
|
||||
then
|
||||
iptables -A INPUT -m conntrack --ctstate RELATED -p icmp -j ACCEPT
|
||||
@ -6484,21 +6500,6 @@ close_master() {
|
||||
ip6tables -A FORWARD -m conntrack --ctstate RELATED -p icmpv6 -j ACCEPT
|
||||
fi
|
||||
|
||||
|
||||
# Insert session cleanup rules here, after user rules are processed
|
||||
if [ ${ENABLE_IPV4} -eq 1 ]
|
||||
then
|
||||
firewall_filtering_policy_common_late iptables INPUT
|
||||
firewall_filtering_policy_common_late iptables OUTPUT
|
||||
firewall_filtering_policy_common_late iptables FORWARD
|
||||
fi
|
||||
if [ ${ENABLE_IPV6} -eq 1 ]
|
||||
then
|
||||
firewall_filtering_policy_common_late ip6tables INPUT
|
||||
firewall_filtering_policy_common_late ip6tables OUTPUT
|
||||
firewall_filtering_policy_common_late ip6tables FORWARD
|
||||
fi
|
||||
|
||||
set_work_function "Accepting TCP-RESET at the end of the firewall."
|
||||
rule chain "OUTPUT" state RELATED proto tcp custom '--tcp-flags ALL ACK,RST' action ACCEPT || return 1
|
||||
rule chain "FORWARD" state RELATED proto tcp custom '--tcp-flags ALL ACK,RST' action ACCEPT || return 1
|
||||
@ -12050,7 +12051,7 @@ firewall_filtering_policy_common_late() {
|
||||
|
||||
if [ ${FIREHOL_LOG_DROP_INVALID} -eq 1 ]
|
||||
then
|
||||
rule table filter chain ${iptables_chain} state INVALID action DROP loglimit "BLOCKED INVALID"
|
||||
rule table filter chain ${iptables_chain} state INVALID action DROP loglimit "BLOCKED INVALID ${iptables_chain}"
|
||||
else
|
||||
${iptables_cmd} -t filter -A ${iptables_chain} -m conntrack --ctstate INVALID -j DROP
|
||||
fi
|
||||
@ -12066,12 +12067,14 @@ firewall_filtering_policy() {
|
||||
then
|
||||
FIREHOL_NS_CURR="ipv4"
|
||||
firewall_filtering_policy_common iptables
|
||||
firewall_filtering_policy_common_late iptables FORWARD
|
||||
fi
|
||||
|
||||
if [ ${ENABLE_IPV6} -eq 1 ]
|
||||
then
|
||||
FIREHOL_NS_CURR="ipv6"
|
||||
firewall_filtering_policy_common ip6tables
|
||||
firewall_filtering_policy_common_late ip6tables FORWARD
|
||||
fi
|
||||
|
||||
FIREHOL_NS_CURR="${oldns}"
|
||||
|
||||
@ -14,13 +14,6 @@
|
||||
:out_myeth3 - [0:0]
|
||||
:out_myeth4 - [0:0]
|
||||
-A INPUT -i lo -j ACCEPT
|
||||
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID IN:"
|
||||
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A INPUT -i eth0 -j in_myeth0
|
||||
-A INPUT -s 10.0.0.0/8 -i eth1 -j in_myeth1
|
||||
-A INPUT ! -s 10.0.0.0/8 -i eth2 -j in_myeth2
|
||||
@ -31,6 +24,13 @@
|
||||
-A INPUT -s 192.88.99.0/24 -i eth3 -j in_myeth3
|
||||
-A INPUT -s 192.168.0.0/16 -i eth3 -j in_myeth3
|
||||
-A INPUT -i eth4 -j in_myeth4
|
||||
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID INPUT:"
|
||||
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A INPUT -m limit --limit 1/sec -j LOG --log-prefix "IN-unknown:"
|
||||
-A INPUT -j DROP
|
||||
@ -39,20 +39,13 @@
|
||||
-A FORWARD -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A FORWARD -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A FORWARD -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A FORWARD -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID PASS:"
|
||||
-A FORWARD -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID FORWARD:"
|
||||
-A FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A FORWARD -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
-A FORWARD -m limit --limit 1/sec -j LOG --log-prefix "PASS-unknown:"
|
||||
-A FORWARD -j DROP
|
||||
-A OUTPUT -o lo -j ACCEPT
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID OUT:"
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A OUTPUT -o eth0 -j out_myeth0
|
||||
-A OUTPUT -d 10.0.0.0/8 -o eth1 -j out_myeth1
|
||||
-A OUTPUT ! -d 10.0.0.0/8 -o eth2 -j out_myeth2
|
||||
@ -63,20 +56,55 @@
|
||||
-A OUTPUT -d 192.88.99.0/24 -o eth3 -j out_myeth3
|
||||
-A OUTPUT -d 192.168.0.0/16 -o eth3 -j out_myeth3
|
||||
-A OUTPUT -o eth4 -j out_myeth4
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID OUTPUT:"
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A OUTPUT -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
-A OUTPUT -m limit --limit 1/sec -j LOG --log-prefix "OUT-unknown:"
|
||||
-A OUTPUT -j DROP
|
||||
-A in_myeth0 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A in_myeth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth0 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth0 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth0 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth0 -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth0 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID in_myeth0:"
|
||||
-A in_myeth0 -m conntrack --ctstate INVALID -j DROP
|
||||
-A in_myeth0 -m limit --limit 1/sec -j LOG --log-prefix "IN-myeth0:"
|
||||
-A in_myeth0 -j DROP
|
||||
-A in_myeth1 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A in_myeth1 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth1 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth1 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth1 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth1 -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth1 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID in_myeth1:"
|
||||
-A in_myeth1 -m conntrack --ctstate INVALID -j DROP
|
||||
-A in_myeth1 -m limit --limit 1/sec -j LOG --log-prefix "IN-myeth1:"
|
||||
-A in_myeth1 -j DROP
|
||||
-A in_myeth2 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A in_myeth2 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth2 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth2 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth2 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth2 -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth2 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID in_myeth2:"
|
||||
-A in_myeth2 -m conntrack --ctstate INVALID -j DROP
|
||||
-A in_myeth2 -m limit --limit 1/sec -j LOG --log-prefix "IN-myeth2:"
|
||||
-A in_myeth2 -j DROP
|
||||
-A in_myeth3 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A in_myeth3 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth3 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth3 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth3 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth3 -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth3 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID in_myeth3:"
|
||||
-A in_myeth3 -m conntrack --ctstate INVALID -j DROP
|
||||
-A in_myeth3 -m limit --limit 1/sec -j LOG --log-prefix "IN-myeth3:"
|
||||
-A in_myeth3 -j DROP
|
||||
-A in_myeth4 -s 10.0.0.0/8 -j RETURN
|
||||
@ -86,22 +114,57 @@
|
||||
-A in_myeth4 -s 192.88.99.0/24 -j RETURN
|
||||
-A in_myeth4 -s 192.168.0.0/16 -j RETURN
|
||||
-A in_myeth4 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A in_myeth4 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth4 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth4 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth4 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth4 -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth4 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID in_myeth4:"
|
||||
-A in_myeth4 -m conntrack --ctstate INVALID -j DROP
|
||||
-A in_myeth4 -m limit --limit 1/sec -j LOG --log-prefix "IN-myeth4:"
|
||||
-A in_myeth4 -j DROP
|
||||
-A out_myeth0 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A out_myeth0 -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
-A out_myeth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth0 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth0 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth0 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth0 -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth0 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID out_myeth0:"
|
||||
-A out_myeth0 -m conntrack --ctstate INVALID -j DROP
|
||||
-A out_myeth0 -m limit --limit 1/sec -j LOG --log-prefix "OUT-myeth0:"
|
||||
-A out_myeth0 -j DROP
|
||||
-A out_myeth1 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A out_myeth1 -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
-A out_myeth1 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth1 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth1 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth1 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth1 -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth1 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID out_myeth1:"
|
||||
-A out_myeth1 -m conntrack --ctstate INVALID -j DROP
|
||||
-A out_myeth1 -m limit --limit 1/sec -j LOG --log-prefix "OUT-myeth1:"
|
||||
-A out_myeth1 -j DROP
|
||||
-A out_myeth2 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A out_myeth2 -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
-A out_myeth2 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth2 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth2 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth2 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth2 -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth2 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID out_myeth2:"
|
||||
-A out_myeth2 -m conntrack --ctstate INVALID -j DROP
|
||||
-A out_myeth2 -m limit --limit 1/sec -j LOG --log-prefix "OUT-myeth2:"
|
||||
-A out_myeth2 -j DROP
|
||||
-A out_myeth3 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A out_myeth3 -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
-A out_myeth3 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth3 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth3 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth3 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth3 -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth3 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID out_myeth3:"
|
||||
-A out_myeth3 -m conntrack --ctstate INVALID -j DROP
|
||||
-A out_myeth3 -m limit --limit 1/sec -j LOG --log-prefix "OUT-myeth3:"
|
||||
-A out_myeth3 -j DROP
|
||||
-A out_myeth4 -d 10.0.0.0/8 -j RETURN
|
||||
@ -112,6 +175,13 @@
|
||||
-A out_myeth4 -d 192.168.0.0/16 -j RETURN
|
||||
-A out_myeth4 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A out_myeth4 -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
-A out_myeth4 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth4 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth4 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth4 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth4 -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth4 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID out_myeth4:"
|
||||
-A out_myeth4 -m conntrack --ctstate INVALID -j DROP
|
||||
-A out_myeth4 -m limit --limit 1/sec -j LOG --log-prefix "OUT-myeth4:"
|
||||
-A out_myeth4 -j DROP
|
||||
COMMIT
|
||||
|
||||
@ -14,18 +14,18 @@
|
||||
:out_myeth3 - [0:0]
|
||||
:out_myeth4 - [0:0]
|
||||
-A INPUT -i lo -j ACCEPT
|
||||
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID IN:"
|
||||
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A INPUT -i eth0 -j in_myeth0
|
||||
-A INPUT -s ::/8 -i eth1 -j in_myeth1
|
||||
-A INPUT ! -s ::/8 -i eth2 -j in_myeth2
|
||||
-A INPUT -s fc00::/7 -i eth3 -j in_myeth3
|
||||
-A INPUT -s fe80::/10 -i eth3 -j in_myeth3
|
||||
-A INPUT -i eth4 -j in_myeth4
|
||||
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID INPUT:"
|
||||
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A INPUT -m limit --limit 1/sec -j LOG --log-prefix "IN-unknown:"
|
||||
-A INPUT -j DROP
|
||||
@ -33,66 +33,126 @@
|
||||
-A FORWARD -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A FORWARD -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A FORWARD -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A FORWARD -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID PASS:"
|
||||
-A FORWARD -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID FORWARD:"
|
||||
-A FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A FORWARD -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
-A FORWARD -m limit --limit 1/sec -j LOG --log-prefix "PASS-unknown:"
|
||||
-A FORWARD -j DROP
|
||||
-A OUTPUT -o lo -j ACCEPT
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID OUT:"
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A OUTPUT -o eth0 -j out_myeth0
|
||||
-A OUTPUT -d ::/8 -o eth1 -j out_myeth1
|
||||
-A OUTPUT ! -d ::/8 -o eth2 -j out_myeth2
|
||||
-A OUTPUT -d fc00::/7 -o eth3 -j out_myeth3
|
||||
-A OUTPUT -d fe80::/10 -o eth3 -j out_myeth3
|
||||
-A OUTPUT -o eth4 -j out_myeth4
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID OUTPUT:"
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A OUTPUT -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
-A OUTPUT -m limit --limit 1/sec -j LOG --log-prefix "OUT-unknown:"
|
||||
-A OUTPUT -j DROP
|
||||
-A in_myeth0 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A in_myeth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth0 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth0 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth0 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth0 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID in_myeth0:"
|
||||
-A in_myeth0 -m conntrack --ctstate INVALID -j DROP
|
||||
-A in_myeth0 -m limit --limit 1/sec -j LOG --log-prefix "IN-myeth0:"
|
||||
-A in_myeth0 -j DROP
|
||||
-A in_myeth1 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A in_myeth1 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth1 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth1 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth1 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth1 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID in_myeth1:"
|
||||
-A in_myeth1 -m conntrack --ctstate INVALID -j DROP
|
||||
-A in_myeth1 -m limit --limit 1/sec -j LOG --log-prefix "IN-myeth1:"
|
||||
-A in_myeth1 -j DROP
|
||||
-A in_myeth2 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A in_myeth2 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth2 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth2 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth2 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth2 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID in_myeth2:"
|
||||
-A in_myeth2 -m conntrack --ctstate INVALID -j DROP
|
||||
-A in_myeth2 -m limit --limit 1/sec -j LOG --log-prefix "IN-myeth2:"
|
||||
-A in_myeth2 -j DROP
|
||||
-A in_myeth3 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A in_myeth3 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth3 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth3 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth3 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth3 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID in_myeth3:"
|
||||
-A in_myeth3 -m conntrack --ctstate INVALID -j DROP
|
||||
-A in_myeth3 -m limit --limit 1/sec -j LOG --log-prefix "IN-myeth3:"
|
||||
-A in_myeth3 -j DROP
|
||||
-A in_myeth4 -s fc00::/7 -j RETURN
|
||||
-A in_myeth4 -s fe80::/10 -j RETURN
|
||||
-A in_myeth4 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A in_myeth4 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth4 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth4 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth4 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth4 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID in_myeth4:"
|
||||
-A in_myeth4 -m conntrack --ctstate INVALID -j DROP
|
||||
-A in_myeth4 -m limit --limit 1/sec -j LOG --log-prefix "IN-myeth4:"
|
||||
-A in_myeth4 -j DROP
|
||||
-A out_myeth0 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A out_myeth0 -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
-A out_myeth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth0 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth0 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth0 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth0 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID out_myeth0:"
|
||||
-A out_myeth0 -m conntrack --ctstate INVALID -j DROP
|
||||
-A out_myeth0 -m limit --limit 1/sec -j LOG --log-prefix "OUT-myeth0:"
|
||||
-A out_myeth0 -j DROP
|
||||
-A out_myeth1 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A out_myeth1 -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
-A out_myeth1 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth1 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth1 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth1 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth1 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID out_myeth1:"
|
||||
-A out_myeth1 -m conntrack --ctstate INVALID -j DROP
|
||||
-A out_myeth1 -m limit --limit 1/sec -j LOG --log-prefix "OUT-myeth1:"
|
||||
-A out_myeth1 -j DROP
|
||||
-A out_myeth2 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A out_myeth2 -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
-A out_myeth2 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth2 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth2 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth2 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth2 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID out_myeth2:"
|
||||
-A out_myeth2 -m conntrack --ctstate INVALID -j DROP
|
||||
-A out_myeth2 -m limit --limit 1/sec -j LOG --log-prefix "OUT-myeth2:"
|
||||
-A out_myeth2 -j DROP
|
||||
-A out_myeth3 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A out_myeth3 -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
-A out_myeth3 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth3 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth3 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth3 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth3 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID out_myeth3:"
|
||||
-A out_myeth3 -m conntrack --ctstate INVALID -j DROP
|
||||
-A out_myeth3 -m limit --limit 1/sec -j LOG --log-prefix "OUT-myeth3:"
|
||||
-A out_myeth3 -j DROP
|
||||
-A out_myeth4 -d fc00::/7 -j RETURN
|
||||
-A out_myeth4 -d fe80::/10 -j RETURN
|
||||
-A out_myeth4 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A out_myeth4 -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
-A out_myeth4 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth4 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth4 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth4 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth4 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID out_myeth4:"
|
||||
-A out_myeth4 -m conntrack --ctstate INVALID -j DROP
|
||||
-A out_myeth4 -m limit --limit 1/sec -j LOG --log-prefix "OUT-myeth4:"
|
||||
-A out_myeth4 -j DROP
|
||||
COMMIT
|
||||
|
||||
@ -10,16 +10,16 @@
|
||||
:out_myeth1 - [0:0]
|
||||
:out_myeth2 - [0:0]
|
||||
-A INPUT -i lo -j ACCEPT
|
||||
-A INPUT -i eth0 -j in_myeth0
|
||||
-A INPUT -s 10.0.0.0/8 -i eth1 -j in_myeth1
|
||||
-A INPUT ! -s 10.0.0.0/8 -i eth2 -j in_myeth2
|
||||
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID IN:"
|
||||
-A INPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID INPUT:"
|
||||
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A INPUT -i eth0 -j in_myeth0
|
||||
-A INPUT -s 10.0.0.0/8 -i eth1 -j in_myeth1
|
||||
-A INPUT ! -s 10.0.0.0/8 -i eth2 -j in_myeth2
|
||||
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A INPUT -m limit --limit 1/sec -j LOG --log-prefix "IN-unknown:"
|
||||
-A INPUT -j DROP
|
||||
@ -28,46 +28,88 @@
|
||||
-A FORWARD -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A FORWARD -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A FORWARD -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A FORWARD -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID PASS:"
|
||||
-A FORWARD -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID FORWARD:"
|
||||
-A FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A FORWARD -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
-A FORWARD -m limit --limit 1/sec -j LOG --log-prefix "PASS-unknown:"
|
||||
-A FORWARD -j DROP
|
||||
-A OUTPUT -o lo -j ACCEPT
|
||||
-A OUTPUT -o eth0 -j out_myeth0
|
||||
-A OUTPUT -d 10.0.0.0/8 -o eth1 -j out_myeth1
|
||||
-A OUTPUT ! -d 10.0.0.0/8 -o eth2 -j out_myeth2
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID OUT:"
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID OUTPUT:"
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A OUTPUT -o eth0 -j out_myeth0
|
||||
-A OUTPUT -d 10.0.0.0/8 -o eth1 -j out_myeth1
|
||||
-A OUTPUT ! -d 10.0.0.0/8 -o eth2 -j out_myeth2
|
||||
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A OUTPUT -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
-A OUTPUT -m limit --limit 1/sec -j LOG --log-prefix "OUT-unknown:"
|
||||
-A OUTPUT -j DROP
|
||||
-A in_myeth0 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A in_myeth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth0 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth0 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth0 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth0 -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth0 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID in_myeth0:"
|
||||
-A in_myeth0 -m conntrack --ctstate INVALID -j DROP
|
||||
-A in_myeth0 -m limit --limit 1/sec -j LOG --log-prefix "IN-myeth0:"
|
||||
-A in_myeth0 -j DROP
|
||||
-A in_myeth1 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A in_myeth1 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth1 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth1 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth1 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth1 -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth1 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID in_myeth1:"
|
||||
-A in_myeth1 -m conntrack --ctstate INVALID -j DROP
|
||||
-A in_myeth1 -m limit --limit 1/sec -j LOG --log-prefix "IN-myeth1:"
|
||||
-A in_myeth1 -j DROP
|
||||
-A in_myeth2 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A in_myeth2 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth2 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth2 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth2 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth2 -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth2 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID in_myeth2:"
|
||||
-A in_myeth2 -m conntrack --ctstate INVALID -j DROP
|
||||
-A in_myeth2 -m limit --limit 1/sec -j LOG --log-prefix "IN-myeth2:"
|
||||
-A in_myeth2 -j DROP
|
||||
-A out_myeth0 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A out_myeth0 -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
-A out_myeth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth0 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth0 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth0 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth0 -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth0 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID out_myeth0:"
|
||||
-A out_myeth0 -m conntrack --ctstate INVALID -j DROP
|
||||
-A out_myeth0 -m limit --limit 1/sec -j LOG --log-prefix "OUT-myeth0:"
|
||||
-A out_myeth0 -j DROP
|
||||
-A out_myeth1 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A out_myeth1 -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
-A out_myeth1 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth1 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth1 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth1 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth1 -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth1 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID out_myeth1:"
|
||||
-A out_myeth1 -m conntrack --ctstate INVALID -j DROP
|
||||
-A out_myeth1 -m limit --limit 1/sec -j LOG --log-prefix "OUT-myeth1:"
|
||||
-A out_myeth1 -j DROP
|
||||
-A out_myeth2 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A out_myeth2 -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
-A out_myeth2 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth2 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth2 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth2 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth2 -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth2 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID out_myeth2:"
|
||||
-A out_myeth2 -m conntrack --ctstate INVALID -j DROP
|
||||
-A out_myeth2 -m limit --limit 1/sec -j LOG --log-prefix "OUT-myeth2:"
|
||||
-A out_myeth2 -j DROP
|
||||
COMMIT
|
||||
|
||||
@ -10,15 +10,15 @@
|
||||
:out_myeth1 - [0:0]
|
||||
:out_myeth2 - [0:0]
|
||||
-A INPUT -i lo -j ACCEPT
|
||||
-A INPUT -i eth1 -j in_myeth0
|
||||
-A INPUT -s fe80::/64 -i eth1 -j in_myeth1
|
||||
-A INPUT ! -s fe80::/64 -i eth2 -j in_myeth2
|
||||
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID IN:"
|
||||
-A INPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID INPUT:"
|
||||
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A INPUT -i eth1 -j in_myeth0
|
||||
-A INPUT -s fe80::/64 -i eth1 -j in_myeth1
|
||||
-A INPUT ! -s fe80::/64 -i eth2 -j in_myeth2
|
||||
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A INPUT -m limit --limit 1/sec -j LOG --log-prefix "IN-unknown:"
|
||||
-A INPUT -j DROP
|
||||
@ -26,45 +26,81 @@
|
||||
-A FORWARD -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A FORWARD -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A FORWARD -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A FORWARD -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID PASS:"
|
||||
-A FORWARD -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID FORWARD:"
|
||||
-A FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A FORWARD -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
-A FORWARD -m limit --limit 1/sec -j LOG --log-prefix "PASS-unknown:"
|
||||
-A FORWARD -j DROP
|
||||
-A OUTPUT -o lo -j ACCEPT
|
||||
-A OUTPUT -o eth1 -j out_myeth0
|
||||
-A OUTPUT -d fe80::/64 -o eth1 -j out_myeth1
|
||||
-A OUTPUT ! -d fe80::/64 -o eth2 -j out_myeth2
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID OUT:"
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID OUTPUT:"
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A OUTPUT -o eth1 -j out_myeth0
|
||||
-A OUTPUT -d fe80::/64 -o eth1 -j out_myeth1
|
||||
-A OUTPUT ! -d fe80::/64 -o eth2 -j out_myeth2
|
||||
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A OUTPUT -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
-A OUTPUT -m limit --limit 1/sec -j LOG --log-prefix "OUT-unknown:"
|
||||
-A OUTPUT -j DROP
|
||||
-A in_myeth0 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A in_myeth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth0 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth0 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth0 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth0 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID in_myeth0:"
|
||||
-A in_myeth0 -m conntrack --ctstate INVALID -j DROP
|
||||
-A in_myeth0 -m limit --limit 1/sec -j LOG --log-prefix "IN-myeth0:"
|
||||
-A in_myeth0 -j DROP
|
||||
-A in_myeth1 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A in_myeth1 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth1 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth1 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth1 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth1 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID in_myeth1:"
|
||||
-A in_myeth1 -m conntrack --ctstate INVALID -j DROP
|
||||
-A in_myeth1 -m limit --limit 1/sec -j LOG --log-prefix "IN-myeth1:"
|
||||
-A in_myeth1 -j DROP
|
||||
-A in_myeth2 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A in_myeth2 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth2 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth2 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth2 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth2 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID in_myeth2:"
|
||||
-A in_myeth2 -m conntrack --ctstate INVALID -j DROP
|
||||
-A in_myeth2 -m limit --limit 1/sec -j LOG --log-prefix "IN-myeth2:"
|
||||
-A in_myeth2 -j DROP
|
||||
-A out_myeth0 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A out_myeth0 -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
-A out_myeth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth0 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth0 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth0 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth0 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID out_myeth0:"
|
||||
-A out_myeth0 -m conntrack --ctstate INVALID -j DROP
|
||||
-A out_myeth0 -m limit --limit 1/sec -j LOG --log-prefix "OUT-myeth0:"
|
||||
-A out_myeth0 -j DROP
|
||||
-A out_myeth1 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A out_myeth1 -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
-A out_myeth1 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth1 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth1 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth1 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth1 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID out_myeth1:"
|
||||
-A out_myeth1 -m conntrack --ctstate INVALID -j DROP
|
||||
-A out_myeth1 -m limit --limit 1/sec -j LOG --log-prefix "OUT-myeth1:"
|
||||
-A out_myeth1 -j DROP
|
||||
-A out_myeth2 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A out_myeth2 -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
-A out_myeth2 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth2 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth2 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth2 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth2 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID out_myeth2:"
|
||||
-A out_myeth2 -m conntrack --ctstate INVALID -j DROP
|
||||
-A out_myeth2 -m limit --limit 1/sec -j LOG --log-prefix "OUT-myeth2:"
|
||||
-A out_myeth2 -j DROP
|
||||
COMMIT
|
||||
|
||||
@ -13,7 +13,7 @@
|
||||
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID IN:"
|
||||
-A INPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID INPUT:"
|
||||
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A INPUT -m limit --limit 1/sec -j LOG --log-prefix "IN-unknown:"
|
||||
@ -23,7 +23,7 @@
|
||||
-A FORWARD -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A FORWARD -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A FORWARD -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A FORWARD -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID PASS:"
|
||||
-A FORWARD -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID FORWARD:"
|
||||
-A FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||
-A FORWARD -s 0.0.0.0/8 -j in_routera
|
||||
-A FORWARD -s 127.0.0.0/8 -j in_routera
|
||||
@ -55,7 +55,7 @@
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID OUT:"
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID OUTPUT:"
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A OUTPUT -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
|
||||
@ -12,7 +12,7 @@
|
||||
-A INPUT -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID IN:"
|
||||
-A INPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID INPUT:"
|
||||
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A INPUT -m limit --limit 1/sec -j LOG --log-prefix "IN-unknown:"
|
||||
@ -21,7 +21,7 @@
|
||||
-A FORWARD -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A FORWARD -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A FORWARD -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A FORWARD -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID PASS:"
|
||||
-A FORWARD -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID FORWARD:"
|
||||
-A FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||
-A FORWARD -s ::/8 -j in_routera
|
||||
-A FORWARD -s 100::/8 -j in_routera
|
||||
@ -70,7 +70,7 @@
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID OUT:"
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID OUTPUT:"
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A OUTPUT -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
|
||||
@ -11,7 +11,7 @@
|
||||
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID IN:"
|
||||
-A INPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID INPUT:"
|
||||
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A INPUT -m limit --limit 1/sec -j LOG --log-prefix "IN-unknown:"
|
||||
@ -21,7 +21,7 @@
|
||||
-A FORWARD -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A FORWARD -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A FORWARD -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A FORWARD -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID PASS:"
|
||||
-A FORWARD -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID FORWARD:"
|
||||
-A FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||
-A FORWARD -s 10.0.0.0/8 ! -d 12.0.0.0/8 -j in_myrouter
|
||||
-A FORWARD ! -s 12.0.0.0/8 -d 10.0.0.0/8 -j out_myrouter
|
||||
@ -35,7 +35,7 @@
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID OUT:"
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID OUTPUT:"
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A OUTPUT -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
|
||||
@ -10,7 +10,7 @@
|
||||
-A INPUT -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID IN:"
|
||||
-A INPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID INPUT:"
|
||||
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A INPUT -m limit --limit 1/sec -j LOG --log-prefix "IN-unknown:"
|
||||
@ -19,7 +19,7 @@
|
||||
-A FORWARD -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A FORWARD -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A FORWARD -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A FORWARD -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID PASS:"
|
||||
-A FORWARD -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID FORWARD:"
|
||||
-A FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||
-A FORWARD -s fe80::/64 ! -d fe80:bbbb::/64 -j in_myrouter
|
||||
-A FORWARD ! -s fe80:bbbb::/64 -d fe80::/64 -j out_myrouter
|
||||
@ -32,7 +32,7 @@
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID OUT:"
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID OUTPUT:"
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A OUTPUT -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
|
||||
@ -6,13 +6,13 @@
|
||||
:in_myeth0 - [0:0]
|
||||
:out_myeth0 - [0:0]
|
||||
-A INPUT -i lo -j ACCEPT
|
||||
-A INPUT -i eth0 -j in_myeth0
|
||||
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID IN:"
|
||||
-A INPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID INPUT:"
|
||||
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A INPUT -i eth0 -j in_myeth0
|
||||
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A INPUT -m limit --limit 1/sec -j LOG --log-prefix "IN-unknown:"
|
||||
-A INPUT -j DROP
|
||||
@ -20,29 +20,41 @@
|
||||
-A FORWARD -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A FORWARD -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A FORWARD -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A FORWARD -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID PASS:"
|
||||
-A FORWARD -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID FORWARD:"
|
||||
-A FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A FORWARD -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
-A FORWARD -m limit --limit 1/sec -j LOG --log-prefix "PASS-unknown:"
|
||||
-A FORWARD -j DROP
|
||||
-A OUTPUT -o lo -j ACCEPT
|
||||
-A OUTPUT -o eth0 -j out_myeth0
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID OUT:"
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID OUTPUT:"
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A OUTPUT -o eth0 -j out_myeth0
|
||||
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A OUTPUT -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
-A OUTPUT -m limit --limit 1/sec -j LOG --log-prefix "OUT-unknown:"
|
||||
-A OUTPUT -j DROP
|
||||
-A in_myeth0 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A in_myeth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth0 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth0 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth0 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth0 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID in_myeth0:"
|
||||
-A in_myeth0 -m conntrack --ctstate INVALID -j DROP
|
||||
-A in_myeth0 -m limit --limit 1/sec -j LOG --log-prefix "IN-myeth0:"
|
||||
-A in_myeth0 -j DROP
|
||||
-A out_myeth0 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A out_myeth0 -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
-A out_myeth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth0 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth0 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth0 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth0 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID out_myeth0:"
|
||||
-A out_myeth0 -m conntrack --ctstate INVALID -j DROP
|
||||
-A out_myeth0 -m limit --limit 1/sec -j LOG --log-prefix "OUT-myeth0:"
|
||||
-A out_myeth0 -j DROP
|
||||
COMMIT
|
||||
|
||||
@ -6,13 +6,13 @@
|
||||
:in_myeth0 - [0:0]
|
||||
:out_myeth0 - [0:0]
|
||||
-A INPUT -i lo -j ACCEPT
|
||||
-A INPUT -i eth0 -j in_myeth0
|
||||
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID IN:"
|
||||
-A INPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID INPUT:"
|
||||
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A INPUT -i eth0 -j in_myeth0
|
||||
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A INPUT -m limit --limit 1/sec -j LOG --log-prefix "IN-unknown:"
|
||||
-A INPUT -j DROP
|
||||
@ -20,29 +20,41 @@
|
||||
-A FORWARD -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A FORWARD -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A FORWARD -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A FORWARD -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID PASS:"
|
||||
-A FORWARD -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID FORWARD:"
|
||||
-A FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A FORWARD -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
-A FORWARD -m limit --limit 1/sec -j LOG --log-prefix "PASS-unknown:"
|
||||
-A FORWARD -j DROP
|
||||
-A OUTPUT -o lo -j ACCEPT
|
||||
-A OUTPUT -o eth0 -j out_myeth0
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID OUT:"
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID OUTPUT:"
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A OUTPUT -o eth0 -j out_myeth0
|
||||
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A OUTPUT -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
-A OUTPUT -m limit --limit 1/sec -j LOG --log-prefix "OUT-unknown:"
|
||||
-A OUTPUT -j DROP
|
||||
-A in_myeth0 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A in_myeth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth0 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth0 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth0 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth0 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID in_myeth0:"
|
||||
-A in_myeth0 -m conntrack --ctstate INVALID -j DROP
|
||||
-A in_myeth0 -m limit --limit 1/sec -j LOG --log-prefix "IN-myeth0:"
|
||||
-A in_myeth0 -j DROP
|
||||
-A out_myeth0 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A out_myeth0 -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
-A out_myeth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth0 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth0 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth0 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth0 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID out_myeth0:"
|
||||
-A out_myeth0 -m conntrack --ctstate INVALID -j DROP
|
||||
-A out_myeth0 -m limit --limit 1/sec -j LOG --log-prefix "OUT-myeth0:"
|
||||
-A out_myeth0 -j DROP
|
||||
COMMIT
|
||||
|
||||
@ -6,14 +6,14 @@
|
||||
:in_myeth0 - [0:0]
|
||||
:out_myeth0 - [0:0]
|
||||
-A INPUT -i lo -j ACCEPT
|
||||
-A INPUT -i eth0 -j in_myeth0
|
||||
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID IN:"
|
||||
-A INPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID INPUT:"
|
||||
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A INPUT -i eth0 -j in_myeth0
|
||||
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A INPUT -m limit --limit 1/sec -j LOG --log-prefix "IN-unknown:"
|
||||
-A INPUT -j DROP
|
||||
@ -22,30 +22,44 @@
|
||||
-A FORWARD -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A FORWARD -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A FORWARD -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A FORWARD -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID PASS:"
|
||||
-A FORWARD -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID FORWARD:"
|
||||
-A FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A FORWARD -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
-A FORWARD -m limit --limit 1/sec -j LOG --log-prefix "PASS-unknown:"
|
||||
-A FORWARD -j DROP
|
||||
-A OUTPUT -o lo -j ACCEPT
|
||||
-A OUTPUT -o eth0 -j out_myeth0
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID OUT:"
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID OUTPUT:"
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A OUTPUT -o eth0 -j out_myeth0
|
||||
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A OUTPUT -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
-A OUTPUT -m limit --limit 1/sec -j LOG --log-prefix "OUT-unknown:"
|
||||
-A OUTPUT -j DROP
|
||||
-A in_myeth0 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A in_myeth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth0 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth0 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth0 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth0 -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth0 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID in_myeth0:"
|
||||
-A in_myeth0 -m conntrack --ctstate INVALID -j DROP
|
||||
-A in_myeth0 -m limit --limit 1/sec -j LOG --log-prefix "IN-myeth0:"
|
||||
-A in_myeth0 -j DROP
|
||||
-A out_myeth0 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A out_myeth0 -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
-A out_myeth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth0 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth0 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth0 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth0 -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth0 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID out_myeth0:"
|
||||
-A out_myeth0 -m conntrack --ctstate INVALID -j DROP
|
||||
-A out_myeth0 -m limit --limit 1/sec -j LOG --log-prefix "OUT-myeth0:"
|
||||
-A out_myeth0 -j DROP
|
||||
COMMIT
|
||||
|
||||
@ -6,14 +6,14 @@
|
||||
:in_myeth0 - [0:0]
|
||||
:out_myeth0 - [0:0]
|
||||
-A INPUT -i lo -j ACCEPT
|
||||
-A INPUT -i eth0 -j in_myeth0
|
||||
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A INPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID IN:"
|
||||
-A INPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID INPUT:"
|
||||
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A INPUT -i eth0 -j in_myeth0
|
||||
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A INPUT -m limit --limit 1/sec -j LOG --log-prefix "IN-unknown:"
|
||||
-A INPUT -j DROP
|
||||
@ -22,30 +22,44 @@
|
||||
-A FORWARD -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A FORWARD -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A FORWARD -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A FORWARD -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID PASS:"
|
||||
-A FORWARD -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID FORWARD:"
|
||||
-A FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A FORWARD -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
-A FORWARD -m limit --limit 1/sec -j LOG --log-prefix "PASS-unknown:"
|
||||
-A FORWARD -j DROP
|
||||
-A OUTPUT -o lo -j ACCEPT
|
||||
-A OUTPUT -o eth0 -j out_myeth0
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID OUT:"
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID OUTPUT:"
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A OUTPUT -o eth0 -j out_myeth0
|
||||
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A OUTPUT -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
-A OUTPUT -m limit --limit 1/sec -j LOG --log-prefix "OUT-unknown:"
|
||||
-A OUTPUT -j DROP
|
||||
-A in_myeth0 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A in_myeth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth0 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth0 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth0 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth0 -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A in_myeth0 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID in_myeth0:"
|
||||
-A in_myeth0 -m conntrack --ctstate INVALID -j DROP
|
||||
-A in_myeth0 -m limit --limit 1/sec -j LOG --log-prefix "IN-myeth0:"
|
||||
-A in_myeth0 -j DROP
|
||||
-A out_myeth0 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
-A out_myeth0 -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
|
||||
-A out_myeth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth0 -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth0 -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth0 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth0 -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
|
||||
-A out_myeth0 -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID out_myeth0:"
|
||||
-A out_myeth0 -m conntrack --ctstate INVALID -j DROP
|
||||
-A out_myeth0 -m limit --limit 1/sec -j LOG --log-prefix "OUT-myeth0:"
|
||||
-A out_myeth0 -j DROP
|
||||
COMMIT
|
||||
|
||||
Loading…
Reference in New Issue
Block a user