Logos01

Untitled

Nov 26th, 2013
  1. # Generated by iptables-save v1.4.12 on Tue Nov 26 19:57:04 2013
  # Review notes (comments only; iptables-restore ignores '#' lines). The leading
  # "N." on each line is the paste's gutter, not part of the ruleset. Ports shown as
  # XXXX were redacted by the author. The "rule NNN" numbers inside the ULOG prefixes
  # do not correspond to positions in this file — presumably ids from whatever tool
  # generated the rules; verify before relying on them for log correlation.
  2. *filter
  # Policies: INPUT is default-deny, FORWARD and OUTPUT are default-accept. Because
  # of that, every rule in FORWARD and OUTPUT below that ends in ACCEPT or RETURN
  # changes nothing — see the notes on those chains.
  3. :INPUT DROP [624:55836]
  4. :FORWARD ACCEPT [0:0]
  5. :OUTPUT ACCEPT [0:0]
  # User-defined chains: FILETRANSFER / OPENVPN / SSH-ALL gate single services,
  # SPAMMERS and SSH-BLOCKED log and feed the 'blackhole' ipset, TRUST* consult the
  # trust* ipsets. None of the ipsets (trustin, trustout, trustforward, blackhole,
  # spammers, filenet, fileport, proxies) is defined here; their type and whether
  # 'blackhole' has a timeout must be checked in the ipset save.
  6. :FILETRANSFER - [0:0]
  7. :OPENVPN - [0:0]
  8. :SPAMMERS - [0:0]
  9. :SSH-ALL - [0:0]
  10. :SSH-BLOCKED - [0:0]
  11. :TRUSTFORWARDS - [0:0]
  12. :TRUSTIN-OUTPUT - [0:0]
  13. :TRUSTIN-UDP - [0:0]
  # Stateful baseline: INVALID dropped, replies to existing flows accepted. Every
  # INPUT rule after 15 therefore only ever sees NEW (or untracked) packets.
  14. -A INPUT -m state --state INVALID -j DROP
  15. -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  16. -A INPUT -i lo -j ACCEPT
  # br1 and tap0 are trusted unconditionally (tap0 looks like the OpenVPN tunnel,
  # given the tap0 MASQUERADE in the nat table — confirm). Anything that reaches
  # those interfaces gets every local port, ahead of the blackhole check on 20.
  17. -A INPUT -i br1 -j ACCEPT
  18. -A INPUT -i tap0 -j ACCEPT
  # 'trustin' is consulted before 'blackhole', so a trusted source is never blocked
  # here even after SSH-BLOCKED/SPAMMERS add it to blackhole; trusted sources are
  # also exempt from the SSH rate limit on 29. Line 21 repeats 17 verbatim and can
  # never match.
  19. -A INPUT -m set --match-set trustin src -j ACCEPT
  20. -A INPUT -m set --match-set blackhole src -j DROP
  21. -A INPUT -i br1 -j ACCEPT
  22. -A INPUT -m set --match-set spammers src -j SPAMMERS
  # All ICMP types, no rate limit; narrowing to --icmp-type echo-request,
  # destination-unreachable and time-exceeded (plus -m limit) is the usual hardening.
  23. -A INPUT -p icmp -j ACCEPT
  # IPsec: IKE on UDP/500, then ESP and AH are logged to ULOG and accepted. UDP/4500
  # (NAT-T) is not opened, so peers behind NAT will not complete negotiation.
  24. -A INPUT -p udp -m udp --dport 500 -j ACCEPT
  25. -A INPUT -p esp -j ULOG --ulog-prefix "IPSec connection event: "
  26. -A INPUT -p ah -j ULOG --ulog-prefix "IPSec connection event: "
  27. -A INPUT -p esp -j ACCEPT
  28. -A INPUT -p ah -j ACCEPT
  # SSH and OpenVPN-over-TCP are handled in their own chains (rate limit / logging).
  29. -A INPUT -p tcp -m tcp --dport 22 -j SSH-ALL
  30. -A INPUT -p tcp -m tcp --dport 1194 -j OPENVPN
  # Public TCP services: DNS, HTTP, HTTPS, TCP/67 and two redacted ports. DHCP runs
  # over UDP (see 42-44); TCP/67 is unusual — verify it is intentional.
  31. -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
  32. -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
  33. -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
  34. -A INPUT -p tcp -m tcp --dport 67 -j ACCEPT
  35. -A INPUT -p tcp -m tcp --dport XXXX -j ACCEPT
  36. -A INPUT -p tcp -m tcp --dport XXXX -j ACCEPT
  # TCP from 'filenet' sources is restricted to the 'fileport' destinations in the
  # FILETRANSFER chain; on RETURN the packet continues down INPUT and can still be
  # accepted by 38-45.
  37. -A INPUT -p tcp -m set --match-set filenet src -j FILETRANSFER
  # Source-port ACCEPTs (38, 39, 41, 42): these match NEW packets whose *remote*
  # port is 389/636 (TCP) or 53/67 (UDP). The remote end chooses its source port,
  # so any host sending from one of those ports reaches every local port and the
  # INPUT DROP policy is bypassed. Replies to this host's own LDAP/DNS/DHCP queries
  # are already accepted as ESTABLISHED on 15, so these four rules add nothing
  # legitimate and should be removed.
  38. -A INPUT -p tcp -m tcp --sport 389 -j ACCEPT
  39. -A INPUT -p tcp -m tcp --sport 636 -j ACCEPT
  # Members of 'proxies' get every local TCP port.
  40. -A INPUT -p tcp -m set --match-set proxies src -j ACCEPT
  41. -A INPUT -p udp -m udp --sport 53 -j ACCEPT
  42. -A INPUT -p udp -m udp --sport 67 -j ACCEPT
  # DNS and DHCP server ports.
  43. -A INPUT -p udp -m udp --dport 53 -j ACCEPT
  44. -A INPUT -p udp -m udp --dport 67 -j ACCEPT
  # UDP addressed to a 'trustout' member is accepted in TRUSTIN-UDP when its source
  # port is in 'fileport' (assuming fileport is a port set — confirm). Same
  # source-port caveat as 38-42.
  45. -A INPUT -p udp -m set --match-set trustout dst -j TRUSTIN-UDP
  # FORWARD: policy ACCEPT. Line 54 RETURNs every TCP packet not matched above to
  # that policy, and protocols other than TCP/UDP fall through to it as well, so
  # everything that is not INVALID is forwarded; the set- and port-based ACCEPTs on
  # 48-53 and 55-58 are no-ops. If this host routes between eth0 and the LANs behind
  # it (the nat table suggests 192.168.1.0/24 and 192.168.121.0/24), this is an
  # any-to-any forwarding policy. Set ':FORWARD DROP' (or end the chain with
  # '-j DROP') to make these rules an allow-list.
  46. -A FORWARD -m state --state INVALID -j DROP
  47. -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  48. -A FORWARD -m set --match-set trustin src -j ACCEPT
  49. -A FORWARD -m set --match-set trustout dst -j ACCEPT
  50. -A FORWARD -m set --match-set trustout src -j ACCEPT
  51. -A FORWARD -m set --match-set trustforward src -j TRUSTFORWARDS
  52. -A FORWARD -p tcp -m set --match-set proxies src -j ACCEPT
  53. -A FORWARD -p tcp -m set --match-set proxies dst -j ACCEPT
  54. -A FORWARD -p tcp -j RETURN
  55. -A FORWARD -p udp -m udp --sport 53 -j ACCEPT
  56. -A FORWARD -p udp -m udp --sport 67 -j ACCEPT
  57. -A FORWARD -p udp -m udp --dport 53 -j ACCEPT
  58. -A FORWARD -p udp -m udp --dport 67 -j ACCEPT
  # OUTPUT: policy ACCEPT, so none of 59-73 restricts anything. Either change the
  # policy to DROP (these lines then become an egress allow-list: SSH, SMTP, HTTP,
  # HTTPS, LDAP/LDAPS, DNS, DHCP, plus 'trustout'/'trustin' sets) or delete them so
  # the ruleset does not suggest egress filtering that is not happening.
  59. -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  60. -A OUTPUT -m set --match-set trustout src -j ACCEPT
  61. -A OUTPUT -m set --match-set trustin src -j TRUSTIN-OUTPUT
  62. -A OUTPUT -m set --match-set trustout dst -j ACCEPT
  63. -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
  64. -A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
  65. -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
  66. -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
  67. -A OUTPUT -p tcp -m tcp --dport 389 -j ACCEPT
  68. -A OUTPUT -p tcp -m tcp --dport 636 -j ACCEPT
  69. -A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
  70. -A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
  71. -A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
  72. -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
  73. -A OUTPUT -p udp -m udp --dport 67 -j ACCEPT
  # FILETRANSFER: accept only 'fileport' destinations, otherwise hand back to INPUT.
  74. -A FILETRANSFER -p tcp -m set --match-set fileport dst -j ACCEPT
  75. -A FILETRANSFER -p tcp -j RETURN
  # OPENVPN: one ULOG line per new TCP connection to 1194 (only NEW packets get here,
  # see 15), then accept.
  76. -A OPENVPN -p tcp -j ULOG --ulog-prefix "OpenVPN Event per rule 138: "
  77. -A OPENVPN -p tcp -j ACCEPT
  # SPAMMERS: log, add the source to 'blackhole', drop. From the next packet on the
  # source is dropped at 20 instead. Entries are permanent unless 'blackhole' was
  # created with an ipset timeout — check the set definition.
  78. -A SPAMMERS -j ULOG --ulog-prefix "Blocked-IP per rule 109: "
  79. -A SPAMMERS -j SET --add-set blackhole src
  80. -A SPAMMERS -j DROP
  # SSH-ALL: every new SSH connection records its source in the 'recent' list SSH;
  # the 8th new connection from one source within 180 s goes to SSH-BLOCKED, which
  # logs, adds the source to 'blackhole' and drops. Later packets never reach this
  # chain again (dropped at 20), so the ban is as permanent as the blackhole set —
  # a legitimate user with a flapping client can lock itself out for good. A
  # timeout on the ipset, or a --state NEW qualifier here for clarity, would be the
  # usual refinements.
  81. -A SSH-ALL -p tcp -m recent --set --name SSH --rsource
  82. -A SSH-ALL -p tcp -m recent --update --seconds 180 --hitcount 8 --name SSH --rsource -j SSH-BLOCKED
  83. -A SSH-ALL -p tcp -j ACCEPT
  84. -A SSH-BLOCKED -p tcp -j ULOG --ulog-prefix "Blocked-ssh per rule 130: "
  85. -A SSH-BLOCKED -p tcp -j SET --add-set blackhole src
  86. -A SSH-BLOCKED -p tcp -j DROP
  # TRUST* helper chains: accept when the destination is in the named set, else
  # RETURN to the calling chain (whose policy is ACCEPT anyway for FORWARD/OUTPUT).
  87. -A TRUSTFORWARDS -m set --match-set trustforward dst -j ACCEPT
  88. -A TRUSTFORWARDS -j RETURN
  89. -A TRUSTIN-OUTPUT -m set --match-set trustout dst -j ACCEPT
  90. -A TRUSTIN-OUTPUT -j RETURN
  91. -A TRUSTIN-UDP -p udp -m set --match-set fileport src -j ACCEPT
  92. -A TRUSTIN-UDP -p udp -j RETURN
  93. COMMIT
  94. # Completed on Tue Nov 26 19:57:04 2013
  95. # Generated by iptables-save v1.4.12 on Tue Nov 26 19:57:04 2013
  96. *nat
  97. :PREROUTING ACCEPT [1408:137513]
  98. :INPUT ACCEPT [195:12332]
  99. :OUTPUT ACCEPT [134:8355]
  100. :POSTROUTING ACCEPT [133:9134]
  # Port forwards arriving on eth0: two redacted ports are mapped to SSH on
  # 192.168.1.3 and 192.168.1.4, and 80/443 to 192.168.121.7. After DNAT these
  # packets are filtered by FORWARD, whose policy in the filter table is ACCEPT, so
  # nothing beyond the port match limits who may reach the internal SSH daemons.
  101. -A PREROUTING -i eth0 -p tcp -m tcp --dport XXXX -j DNAT --to-destination 192.168.1.3:22
  102. -A PREROUTING -i eth0 -p tcp -m tcp --dport XXXX -j DNAT --to-destination 192.168.1.4:22
  103. -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.121.7:443
  104. -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.121.7:80
  # 105-107 masquerade every TCP flow to port 22/80/443 on any output interface from
  # any source, which includes the DNATed flows above. The internal servers
  # therefore see this host as the client address: their sshd/web logs lose the
  # real source IP and any per-IP controls on those servers see one address for
  # all internet clients. Presumably intended for hairpin (LAN-to-public-IP)
  # access; if so, scope the three rules with '-s <lan-net> -o <lan-if>'
  # (placeholders) so externally sourced connections keep their source address.
  105. -A POSTROUTING -p tcp -m tcp --dport 22 -j MASQUERADE
  106. -A POSTROUTING -p tcp -m tcp --dport 80 -j MASQUERADE
  107. -A POSTROUTING -p tcp -m tcp --dport 443 -j MASQUERADE
  # Ordinary outbound NAT for 192.168.1.0/24 towards non-local destinations; TCP and
  # UDP get an explicit ephemeral source-port range, everything else plain MASQUERADE.
  108. -A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
  109. -A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
  110. -A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE
  # Everything leaving via the tap0 tunnel is masqueraded as well, so the far end of
  # the tunnel cannot distinguish LAN hosts from this router.
  111. -A POSTROUTING -o tap0 -j MASQUERADE
  112. COMMIT
  113. # Completed on Tue Nov 26 19:57:04 2013
  114. # Generated by iptables-save v1.4.12 on Tue Nov 26 19:57:04 2013
  115. *mangle
  # The mangle table holds no rules; only the built-in chains with their packet and
  # byte counters are listed. Nothing here affects filtering or NAT.
  116. :PREROUTING ACCEPT [21652:26968794]
  117. :INPUT ACCEPT [17965:26091140]
  118. :FORWARD ACCEPT [3815:890854]
  119. :OUTPUT ACCEPT [10579:767130]
  120. :POSTROUTING ACCEPT [14388:1657412]
  121. COMMIT
  122. # Completed on Tue Nov 26 19:57:04 2013