Telenet modem firewall ruleset: an iptables-save dump of the raw, nat, mangle and filter tables, captured on the modem on 2020-01-19.
# Generated by iptables-save v1.4.21 on Sun Jan 19 08:14:54 2020 | |
# raw table: only the two built-in chains with default ACCEPT and no rules.
# Nothing is marked NOTRACK here, so every packet is conntrack-tracked; the
# ESTABLISHED/RELATED rules in the filter table rely on that.
# The [packets:bytes] counters are a snapshot; iptables-restore ignores them
# unless run with -c.
*raw | |
:PREROUTING ACCEPT [17478:786616] | |
:OUTPUT ACCEPT [15285:6842393] | |
COMMIT | |
# Completed on Sun Jan 19 08:14:54 2020 | |
# Generated by iptables-save v1.4.21 on Sun Jan 19 08:14:54 2020 | |
# nat table. In this snapshot every user-defined PREROUTING chain below is
# empty (no -A lines), so no DNAT is performed at all: no port forwards, port
# triggers, DMZ host, parental-control redirect or remote-access redirect were
# configured when the dump was taken. UPnP is declared but never jumped to.
*nat | |
:PREROUTING ACCEPT [412:43501] | |
:INPUT ACCEPT [54:3686] | |
:OUTPUT ACCEPT [105:9758] | |
:POSTROUTING ACCEPT [90:9194] | |
:CBN_NAT_PARENTAL_CONTROL - [0:0] | |
:CBN_NAT_PORT_FORWARD - [0:0] | |
:CBN_NAT_PORT_FORWARD_LAN - [0:0] | |
:CBN_NAT_PORT_TRIGGER - [0:0] | |
:CBN_NAT_REMOTE_ACCESS - [0:0] | |
:NAT_POSTROUTING_CHAIN - [0:0] | |
:NAT_PREROUTING_CHAIN - [0:0] | |
:POST_NAT_POSTROUTING_CHAIN - [0:0] | |
:POST_NAT_PREROUTING_CHAIN - [0:0] | |
:UPnP - [0:0] | |
:WiFiDog_l2sd0.2_Outgoing - [0:0] | |
:ZONE_CBN_NAT_PREROUTING_DMZ - [0:0] | |
# PREROUTING dispatch: the order here is the order in which DNAT features would
# take precedence (captive portal, parental control, port trigger, remote
# access, then port forward / DMZ) once those chains get rules. With all of
# them empty each jump simply RETURNs.
-A PREROUTING -i l2sd0.2 -j WiFiDog_l2sd0.2_Outgoing | |
-A PREROUTING -j CBN_NAT_PARENTAL_CONTROL | |
-A PREROUTING -j NAT_PREROUTING_CHAIN | |
-A PREROUTING -j CBN_NAT_PORT_TRIGGER | |
-A PREROUTING -j CBN_NAT_REMOTE_ACCESS | |
-A PREROUTING -i erouter0 -j CBN_NAT_PORT_FORWARD | |
-A PREROUTING -i l2sd0.2 -j CBN_NAT_PORT_FORWARD_LAN | |
-A PREROUTING -i erouter0 -j ZONE_CBN_NAT_PREROUTING_DMZ | |
-A PREROUTING -j POST_NAT_PREROUTING_CHAIN | |
# Two single-host masquerades. The same two addresses (192.168.100.251 and
# .254) are accepted unconditionally on l2sd0.3000 in the filter table; they
# look like internal/management hosts of the modem itself -- not confirmed by
# anything in this dump. .251 is NATed towards erouter0, .254 towards wan0.
-A POSTROUTING -s 192.168.100.251/32 -o erouter0 -j MASQUERADE | |
-A POSTROUTING -s 192.168.100.254/32 -o wan0 -j MASQUERADE | |
# Clamp the MSS of outbound SYNs on erouter0 to the path MTU. nat POSTROUTING
# only sees the first packet of a connection, which for TCP is the SYN, so
# this still takes effect.
-A POSTROUTING -o erouter0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu | |
-A POSTROUTING -j NAT_POSTROUTING_CHAIN | |
# LAN (192.168.0.0/24) -> Internet masquerade, excluding LAN-to-LAN traffic.
-A POSTROUTING -s 192.168.0.0/24 ! -d 192.168.0.0/24 -o erouter0 -j MASQUERADE | |
# LAN -> LAN masquerade on the LAN interface (NAT-loopback / hairpin pattern):
# any LAN-to-LAN flow that is routed rather than bridged through the modem
# gets its source rewritten to the modem's own LAN address. Forensics caveat:
# the destination host's logs then show the modem, not the real client, as
# the source of such connections.
-A POSTROUTING -s 192.168.0.0/24 -o l2sd0.2 -j MASQUERADE | |
-A POSTROUTING -j POST_NAT_POSTROUTING_CHAIN | |
COMMIT | |
# Completed on Sun Jan 19 08:14:54 2020 | |
# Generated by iptables-save v1.4.21 on Sun Jan 19 08:14:54 2020 | |
# mangle table: bridge pass-through, a vendor multicast marker and MSS fixing.
*mangle | |
:PREROUTING ACCEPT [15570:645724] | |
:INPUT ACCEPT [14574:552056] | |
:FORWARD ACCEPT [808:58384] | |
:OUTPUT ACCEPT [14133:6719081] | |
:POSTROUTING ACCEPT [14940:6776455] | |
:CBN_GRE_TCPMSS - [0:0] | |
# Bridged frames skip the rest of mangle PREROUTING (ACCEPT here only ends
# traversal of this table; the filter table has its own physdev ACCEPT).
-A PREROUTING -m physdev --physdev-is-bridged -j ACCEPT | |
# Non-IGMP multicast from the LAN is tagged with the vendor GWMETA target.
# GWMETA / --gwmeta-gwmask are a CBN firmware extension; what mask 0x10 means
# is not visible in this dump.
-A PREROUTING -i l2sd0.2 ! -p igmp -m iprange --dst-range 224.0.0.0-238.255.255.255 -j GWMETA --gwmeta-gwmask 0x10 | |
# CBN_GRE_TCPMSS has no rules in this snapshot, so the jump is a no-op.
-A FORWARD -j CBN_GRE_TCPMSS | |
# Force MSS 1420 on every forwarded SYN regardless of interface. The filter
# table additionally clamps to PMTU on erouter0, which can only lower it.
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1420 | |
COMMIT | |
# Completed on Sun Jan 19 08:14:54 2020 | |
# Generated by iptables-save v1.4.21 on Sun Jan 19 08:14:54 2020 | |
# filter table. Default policy: DROP on INPUT and FORWARD, ACCEPT on OUTPUT.
#
# Interface roles, as far as the rules themselves show them:
#   erouter0   Internet-facing side (nat MASQUERADE target, port-forward/DMZ
#              input side, LAN_INET_FORWARD_CHAIN output side).
#   l2sd0.2    primary LAN, 192.168.0.0/24 (SPOOF_CHK).
#   wan0, mta0, lan0, l2sd0.4093
#              trusted: CBN_TRUST_INPUT_* ends in ACCEPT (wan0/mta0 drop
#              DNS first and rate-limit ICMP).
#   ip6tnl1    accepted unconditionally in INPUT and FORWARD.
#
# Review notes (each grounded in the rules below):
#  1. The INPUT rule "-i erouter0 -j CBN_INPUT_ACCEPT" accepts every packet
#     arriving on erouter0 that survived SPOOF_CHK and EXT_MULTICAST_CHAIN,
#     because CBN_INPUT_ACCEPT is a single unconditional ACCEPT. Every later
#     erouter0 rule in INPUT -- the TCP/8443 REJECT in CBN_INPUT_REMOTEACCESS,
#     all of EXT_INPUT_CHAIN / EXT_ICMP_FLOOD_CHAIN, and the final LOG+DROP --
#     is unreachable for erouter0 traffic. Whether any service actually
#     listens on the erouter0 address is not visible in this dump.
#  2. Even without (1), EXT_INPUT_CHAIN accepts TCP 22, TCP 80 and UDP 161
#     from erouter0, i.e. SSH, HTTP and SNMP would be reachable from the
#     Internet side.
#  3. The IDS chains (CBN_IDS_IPFRAG, CBN_IDS_PSCAN, CBN_IDS_PSCAN_UDP,
#     CBN_IDS_IPFLOOD, CBN_IDS_IPFLOOD_LAN), CBN_DSLITE_INPUT_CHAIN, the
#     port-forward/trigger/DMZ/MAC-filter/VPN chains, HOST_BLOCK_SRC/DST,
#     VALID_CHK, RESERVED_NET_CHK, the *_CHAIN hook chains and the
#     CBN_INPUT_PRIMARY/SECONDARY_NETWORK chains contain no rules in this
#     snapshot, so each jump to them RETURNs with no effect. HOST_BLOCK_DROP
#     has rules but nothing jumps to it.
#  4. CBN_IDS_ICMPFLOOD only has rules for wan0 and mta0; the INPUT jump for
#     erouter0 ICMP is therefore a no-op.
#  5. Internet -> LAN forwarding is only ESTABLISHED/RELATED plus multicast;
#     RELATED is accepted for every protocol in BASE_FORWARD_CHAIN, so any
#     conntrack helper loaded on the modem widens that. LAN -> Internet is
#     unrestricted apart from a ping rate limit.
#  6. Drops are logged at most once per minute per chain (LOG --limit 1/min),
#     so the log undercounts heavily during a scan.
*filter | |
:INPUT DROP [0:0] | |
:FORWARD DROP [0:0] | |
:OUTPUT ACCEPT [0:0] | |
:BASE_FORWARD_CHAIN - [0:0] | |
:BASE_INPUT_CHAIN - [0:0] | |
:BASE_OUTPUT_CHAIN - [0:0] | |
:BRIDGED_TRAFFIC_CHAIN - [0:0] | |
:CBN_DROP_LAN_TO_CBN_INT - [0:0] | |
:CBN_DROP_LAN_TO_HOST_EROUTER - [0:0] | |
:CBN_DROP_LAN_TO_HOST_HFC - [0:0] | |
:CBN_DROP_LAN_TO_HOST_LAN - [0:0] | |
:CBN_DROP_LAN_TO_HOST_RPC - [0:0] | |
:CBN_DSLITE_INPUT_CHAIN - [0:0] | |
:CBN_FILTER_IN_CHAIN - [0:0] | |
:CBN_FILTER_MAC_FILTER - [0:0] | |
:CBN_FILTER_OUT_CHAIN - [0:0] | |
:CBN_FILTER_PORT_FORWARD - [0:0] | |
:CBN_FILTER_PORT_FORWARD_LAN - [0:0] | |
:CBN_FILTER_PORT_TRIGGER - [0:0] | |
:CBN_IDS_ICMPFLOOD - [0:0] | |
:CBN_IDS_IPFLOOD - [0:0] | |
:CBN_IDS_IPFLOOD_LAN - [0:0] | |
:CBN_IDS_IPFRAG - [0:0] | |
:CBN_IDS_PSCAN - [0:0] | |
:CBN_IDS_PSCAN_UDP - [0:0] | |
:CBN_INPUT_ACCEPT - [0:0] | |
:CBN_INPUT_PRIMARY_NETWORK - [0:0] | |
:CBN_INPUT_REMOTEACCESS - [0:0] | |
:CBN_INPUT_SECONDARY_NETWORK - [0:0] | |
:CBN_MAC_FORWARD_IN_CHAIN - [0:0] | |
:CBN_TRUST_INPUT_L2SD0.4093 - [0:0] | |
:CBN_TRUST_INPUT_LAN0 - [0:0] | |
:CBN_TRUST_INPUT_MTA0 - [0:0] | |
:CBN_TRUST_INPUT_WAN0 - [0:0] | |
:DMZ_FORWARD_IN_CHAIN - [0:0] | |
:DMZ_FORWARD_OUT_CHAIN - [0:0] | |
:DMZ_INET_FORWARD_CHAIN - [0:0] | |
:DMZ_INPUT_CHAIN - [0:0] | |
:DMZ_LAN_FORWARD_CHAIN - [0:0] | |
:DMZ_OUTPUT_CHAIN - [0:0] | |
:EXT_BROADCAST_CHAIN - [0:0] | |
:EXT_FORWARD_IN_CHAIN - [0:0] | |
:EXT_FORWARD_OUT_CHAIN - [0:0] | |
:EXT_ICMP_FLOOD_CHAIN - [0:0] | |
:EXT_INPUT_CHAIN - [0:0] | |
:EXT_MULTICAST_CHAIN - [0:0] | |
:EXT_OUTPUT_CHAIN - [0:0] | |
:FORWARD_CHAIN - [0:0] | |
:HOST_BLOCK_DROP - [0:0] | |
:HOST_BLOCK_DST - [0:0] | |
:HOST_BLOCK_SRC - [0:0] | |
:INET_DMZ_FORWARD_CHAIN - [0:0] | |
:INPUT_CHAIN - [0:0] | |
:INT_FORWARD_IN_CHAIN - [0:0] | |
:INT_FORWARD_OUT_CHAIN - [0:0] | |
:INT_INPUT_CHAIN - [0:0] | |
:INT_OUTPUT_CHAIN - [0:0] | |
:LAN_INET_FORWARD_CHAIN - [0:0] | |
:OUTPUT_CHAIN - [0:0] | |
:POST_FORWARD_CHAIN - [0:0] | |
:POST_INPUT_CHAIN - [0:0] | |
:POST_INPUT_DROP_CHAIN - [0:0] | |
:POST_OUTPUT_CHAIN - [0:0] | |
:RESERVED_NET_CHK - [0:0] | |
:SPOOF_CHK - [0:0] | |
:VALID_CHK - [0:0] | |
:VPN_CHAIN - [0:0] | |
:ZONE_CBN_FILTER_FORWARD_DMZ - [0:0] | |
# ---- INPUT: traffic addressed to the modem itself ----
# One internal host on l2sd0.3000 is trusted outright (source-IP match only;
# nothing here verifies it beyond the interface it arrives on).
-A INPUT -s 192.168.100.251/32 -i l2sd0.3000 -j ACCEPT | |
# Per-interface trust chains; all four end in ACCEPT (see chains below).
-A INPUT -i l2sd0.4093 -j CBN_TRUST_INPUT_L2SD0.4093 | |
-A INPUT -i mta0 -j CBN_TRUST_INPUT_MTA0 | |
-A INPUT -i wan0 -j CBN_TRUST_INPUT_WAN0 | |
-A INPUT -i lan0 -j CBN_TRUST_INPUT_LAN0 | |
# IDS hooks. All five target chains are empty in this snapshot (review note 3),
# so none of the fragment / port-scan / SYN-flood protection is active here.
-A INPUT ! -p igmp -j CBN_IDS_IPFRAG | |
-A INPUT -p tcp -j CBN_IDS_PSCAN | |
-A INPUT -i erouter0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CBN_IDS_IPFLOOD | |
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CBN_IDS_IPFLOOD_LAN | |
-A INPUT -p udp -j CBN_IDS_PSCAN_UDP | |
# No-op for erouter0: CBN_IDS_ICMPFLOOD only matches -i wan0 / -i mta0.
-A INPUT -i erouter0 -p icmp -j CBN_IDS_ICMPFLOOD | |
# DS-Lite (IPv4-in-IPv6 decapsulation) hook; chain is empty here.
-A INPUT -i erouter0 -p ipencap -j CBN_DSLITE_INPUT_CHAIN | |
# Stateful accept of ESTABLISHED and (restricted) RELATED traffic.
-A INPUT -j BASE_INPUT_CHAIN | |
-A INPUT -j INPUT_CHAIN | |
-A INPUT -j HOST_BLOCK_SRC | |
# Drop LAN-sourced (192.168.0.0/24) packets that did not arrive on the LAN.
-A INPUT -j SPOOF_CHK | |
-A INPUT -i erouter0 -j VALID_CHK | |
# Multicast from the Internet side: link-local scope accepted, rest logged+dropped.
-A INPUT -d 224.0.0.0/4 -i erouter0 -j EXT_MULTICAST_CHAIN | |
# Review note 1: CBN_INPUT_ACCEPT is an unconditional ACCEPT. Every packet on
# erouter0 that reaches this line is accepted by the host, and none of the
# erouter0 rules that follow can ever match.
-A INPUT -i erouter0 -j CBN_INPUT_ACCEPT | |
# Unreachable for erouter0 (see above): would REJECT TCP/8443.
-A INPUT -i erouter0 -j CBN_INPUT_REMOTEACCESS | |
# Primary/secondary LAN hooks; both chains are empty in this snapshot.
-A INPUT -i l2sd0.2 -j CBN_INPUT_PRIMARY_NETWORK | |
-A INPUT -i lsdbr2 -j CBN_INPUT_SECONDARY_NETWORK | |
# Unreachable for erouter0 (see above). Intended design: new non-ICMP
# connections go through EXT_INPUT_CHAIN; ICMP is admitted to it at up to
# 60/s (burst 100) and anything beyond that is logged and dropped.
-A INPUT -i erouter0 ! -p icmp -m state --state NEW -j EXT_INPUT_CHAIN | |
-A INPUT -i erouter0 -p icmp -m state --state NEW -m limit --limit 60/sec --limit-burst 100 -j EXT_INPUT_CHAIN | |
-A INPUT -i erouter0 -p icmp -m state --state NEW -j EXT_ICMP_FLOOD_CHAIN | |
# LAN -> modem: per-destination restrictions, then ACCEPT (see INT_INPUT_CHAIN).
-A INPUT -i l2sd0.2 -j INT_INPUT_CHAIN | |
# IPv6 tunnel interface is fully trusted for host traffic.
-A INPUT -i ip6tnl1 -j ACCEPT | |
-A INPUT -j POST_INPUT_CHAIN | |
# Final log (1/min, default burst 5) and drop before the DROP policy.
-A INPUT -m limit --limit 1/min -j LOG --log-prefix "AIF:Dropped INPUT packet: " --log-level 6 | |
-A INPUT -j DROP | |
# ---- FORWARD: traffic routed through the modem ----
# Same two internal hosts as in the nat table, accepted by source IP only.
-A FORWARD -s 192.168.100.251/32 -i l2sd0.3000 -j ACCEPT | |
-A FORWARD -s 192.168.100.254/32 -i l2sd0.3000 -j ACCEPT | |
# Bridged frames bypass all forwarding rules.
-A FORWARD -j BRIDGED_TRAFFIC_CHAIN | |
# MAC filter, VPN and IDS hooks: all empty in this snapshot (review note 3).
-A FORWARD -i l2sd0.2 -j CBN_FILTER_MAC_FILTER | |
-A FORWARD -o erouter0 -j VPN_CHAIN | |
-A FORWARD ! -p igmp -j CBN_IDS_IPFRAG | |
-A FORWARD -p tcp -j CBN_IDS_PSCAN | |
-A FORWARD -i erouter0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CBN_IDS_IPFLOOD | |
-A FORWARD -p udp -j CBN_IDS_PSCAN_UDP | |
# Stateful accept; RELATED is accepted for every protocol here (review note 5).
-A FORWARD -j BASE_FORWARD_CHAIN | |
# MSS clamp to PMTU for outbound SYNs (after mangle already forced 1420).
-A FORWARD -o erouter0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu | |
-A FORWARD -j FORWARD_CHAIN | |
-A FORWARD -j HOST_BLOCK_SRC | |
-A FORWARD -j HOST_BLOCK_DST | |
# IPv6 tunnel interface is fully trusted in both directions.
-A FORWARD -i ip6tnl1 -j ACCEPT | |
-A FORWARD -o ip6tnl1 -j ACCEPT | |
-A FORWARD -j CBN_FILTER_IN_CHAIN | |
-A FORWARD -j CBN_FILTER_OUT_CHAIN | |
# Internet -> inside: only multicast is accepted; port-forward/trigger/DMZ
# chains are empty, so everything else falls through to the final DROP
# unless BASE_FORWARD_CHAIN already accepted it as ESTABLISHED/RELATED.
-A FORWARD -i erouter0 -j EXT_FORWARD_IN_CHAIN | |
-A FORWARD -o erouter0 -j EXT_FORWARD_OUT_CHAIN | |
-A FORWARD -i l2sd0.2 -j INT_FORWARD_IN_CHAIN | |
-A FORWARD -o l2sd0.2 -j INT_FORWARD_OUT_CHAIN | |
-A FORWARD -j SPOOF_CHK | |
# Routed LAN -> LAN traffic is accepted without restriction.
-A FORWARD -i l2sd0.2 -o l2sd0.2 -j ACCEPT | |
# LAN -> Internet: ping rate-limited, everything else accepted.
-A FORWARD -i l2sd0.2 -o erouter0 -j LAN_INET_FORWARD_CHAIN | |
-A FORWARD -j POST_FORWARD_CHAIN | |
-A FORWARD -m limit --limit 1/min --limit-burst 3 -j LOG --log-prefix "AIF:Dropped FORWARD packet: " --log-level 6 | |
-A FORWARD -j DROP | |
# ---- OUTPUT: traffic originated by the modem ----
# Policy is ACCEPT and every hook chain except BASE_OUTPUT_CHAIN is empty, so
# the modem's own outbound traffic is effectively unfiltered.
-A OUTPUT -j BASE_OUTPUT_CHAIN | |
-A OUTPUT -o erouter0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu | |
-A OUTPUT -j OUTPUT_CHAIN | |
-A OUTPUT -j HOST_BLOCK_DST | |
-A OUTPUT -o erouter0 -j EXT_OUTPUT_CHAIN | |
-A OUTPUT -o l2sd0.2 -j INT_OUTPUT_CHAIN | |
-A OUTPUT -j POST_OUTPUT_CHAIN | |
-A OUTPUT -j ACCEPT | |
# ---- BASE_* chains: stateful accept ----
# First rule in each: a bare SYN on a connection conntrack already considers
# ESTABLISHED is dropped (stale/replayed SYN). Then ESTABLISHED is accepted.
# FORWARD accepts RELATED for tcp/udp unprivileged ports, icmp, gre and
# finally for any protocol (the last rule subsumes the four before it);
# INPUT limits RELATED to tcp/udp unprivileged ports and icmp.
-A BASE_FORWARD_CHAIN -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate ESTABLISHED -j DROP | |
-A BASE_FORWARD_CHAIN -m state --state ESTABLISHED -j ACCEPT | |
-A BASE_FORWARD_CHAIN -p tcp -m state --state RELATED -m tcp --dport 1024:65535 -j ACCEPT | |
-A BASE_FORWARD_CHAIN -p udp -m state --state RELATED -m udp --dport 1024:65535 -j ACCEPT | |
-A BASE_FORWARD_CHAIN -p icmp -m state --state RELATED -j ACCEPT | |
-A BASE_FORWARD_CHAIN -p gre -m state --state RELATED -j ACCEPT | |
-A BASE_FORWARD_CHAIN -m state --state RELATED -j ACCEPT | |
-A BASE_FORWARD_CHAIN -i lo -j ACCEPT | |
-A BASE_INPUT_CHAIN -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate ESTABLISHED -j DROP | |
-A BASE_INPUT_CHAIN -m state --state ESTABLISHED -j ACCEPT | |
-A BASE_INPUT_CHAIN -p tcp -m state --state RELATED -m tcp --dport 1024:65535 -j ACCEPT | |
-A BASE_INPUT_CHAIN -p udp -m state --state RELATED -m udp --dport 1024:65535 -j ACCEPT | |
-A BASE_INPUT_CHAIN -p icmp -m state --state RELATED -j ACCEPT | |
-A BASE_INPUT_CHAIN -i lo -j ACCEPT | |
-A BASE_OUTPUT_CHAIN -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate ESTABLISHED -j DROP | |
-A BASE_OUTPUT_CHAIN -m state --state ESTABLISHED -j ACCEPT | |
-A BASE_OUTPUT_CHAIN -o lo -j ACCEPT | |
-A BRIDGED_TRAFFIC_CHAIN -m physdev --physdev-is-bridged -j ACCEPT | |
# ---- LAN -> modem-internal host restrictions (used from INT_INPUT_CHAIN) ----
-A CBN_DROP_LAN_TO_CBN_INT -d 192.168.100.250/32 -j DROP | |
-A CBN_DROP_LAN_TO_HOST_EROUTER -d 172.22.222.11/32 -j DROP | |
# 0.3.87.92 is not a valid unicast address as written -- possibly a
# placeholder or a garbled value in the firmware; verify on a live device.
-A CBN_DROP_LAN_TO_HOST_HFC -d 0.3.87.92/32 -j DROP | |
-A CBN_DROP_LAN_TO_HOST_HFC -d 10.52.131.83/32 -j DROP | |
# Host 192.168.100.1 (the jump is restricted to that destination) answers the
# LAN only on ICMP, SSH 22, Telnet 23, HTTP 80 and SNMP 161. Telnet and SNMP
# are cleartext management protocols; nothing here limits which LAN hosts may
# use them.
-A CBN_DROP_LAN_TO_HOST_LAN -p icmp -j ACCEPT | |
-A CBN_DROP_LAN_TO_HOST_LAN -p tcp -m tcp --dport 22 -j ACCEPT | |
-A CBN_DROP_LAN_TO_HOST_LAN -p tcp -m tcp --dport 23 -j ACCEPT | |
-A CBN_DROP_LAN_TO_HOST_LAN -p tcp -m tcp --dport 80 -j ACCEPT | |
-A CBN_DROP_LAN_TO_HOST_LAN -p udp -m udp --dport 161 -j ACCEPT | |
-A CBN_DROP_LAN_TO_HOST_LAN -j DROP | |
# The RPC host (192.168.254.253, per the jump) is reachable only from
# 192.168.254.254 -- a source-IP check only, no further authentication here.
-A CBN_DROP_LAN_TO_HOST_RPC ! -s 192.168.254.254/32 -j DROP | |
# ---- ICMP flood limiter for the DOCSIS-side interfaces ----
# 15/s (burst 15) is returned to the caller; excess is logged 5/min and dropped.
# There are no rules for erouter0 in this chain.
-A CBN_IDS_ICMPFLOOD -i wan0 -m limit --limit 15/sec --limit-burst 15 -j RETURN | |
-A CBN_IDS_ICMPFLOOD -i wan0 -m limit --limit 5/min -j LOG --log-prefix "ICMP Flood: " --log-level 5 | |
-A CBN_IDS_ICMPFLOOD -i wan0 -j DROP | |
-A CBN_IDS_ICMPFLOOD -i mta0 -m limit --limit 15/sec --limit-burst 15 -j RETURN | |
-A CBN_IDS_ICMPFLOOD -i mta0 -m limit --limit 5/min -j LOG --log-prefix "ICMP Flood: " --log-level 5 | |
-A CBN_IDS_ICMPFLOOD -i mta0 -j DROP | |
# Unconditional ACCEPT -- this is what makes every later erouter0 INPUT rule
# unreachable (review note 1).
-A CBN_INPUT_ACCEPT -j ACCEPT | |
# Dead for erouter0 because of CBN_INPUT_ACCEPT above.
-A CBN_INPUT_REMOTEACCESS -p tcp -m tcp --dport 8443 -j REJECT --reject-with icmp-host-unreachable | |
# ---- Trusted-interface chains ----
# l2sd0.4093 and lan0: everything accepted. wan0 and mta0: ICMP rate-limited,
# DNS (53/udp, 53/tcp) refused so the modem does not act as a resolver on
# those interfaces, everything else accepted.
-A CBN_TRUST_INPUT_L2SD0.4093 -j ACCEPT | |
-A CBN_TRUST_INPUT_LAN0 -j ACCEPT | |
-A CBN_TRUST_INPUT_MTA0 -p icmp -j CBN_IDS_ICMPFLOOD | |
-A CBN_TRUST_INPUT_MTA0 -p udp -m udp --dport 53 -j DROP | |
-A CBN_TRUST_INPUT_MTA0 -p tcp -m tcp --dport 53 -j DROP | |
-A CBN_TRUST_INPUT_MTA0 -j ACCEPT | |
-A CBN_TRUST_INPUT_WAN0 -p icmp -j CBN_IDS_ICMPFLOOD | |
-A CBN_TRUST_INPUT_WAN0 -p udp -m udp --dport 53 -j DROP | |
-A CBN_TRUST_INPUT_WAN0 -p tcp -m tcp --dport 53 -j DROP | |
-A CBN_TRUST_INPUT_WAN0 -j ACCEPT | |
# ---- EXT_* chains (Internet-side host filtering; AIF-style) ----
# Reminder: for erouter0 none of EXT_BROADCAST_CHAIN, EXT_INPUT_CHAIN or
# EXT_ICMP_FLOOD_CHAIN is reachable in this snapshot (review note 1).
# Broadcasts to the host: logged by port class, then dropped. Note the
# UDP "UNPRIV" rule matches port 1024 only, not 1024:65535 like its TCP twin.
-A EXT_BROADCAST_CHAIN -p tcp -m tcp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV TCP broadcast: " --log-level 6 | |
-A EXT_BROADCAST_CHAIN -p udp -m udp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV UDP broadcast: " --log-level 6 | |
-A EXT_BROADCAST_CHAIN -p tcp -m tcp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV TCP broadcast: " --log-level 6 | |
-A EXT_BROADCAST_CHAIN -p udp -m udp --dport 1024 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV UDP broadcast: " --log-level 6 | |
-A EXT_BROADCAST_CHAIN -j DROP | |
# Internet -> inside forwarding: multicast accepted; VALID_CHK, port-forward,
# port-trigger and DMZ chains are all empty, so nothing else is accepted here.
-A EXT_FORWARD_IN_CHAIN -d 224.0.0.0/4 -i erouter0 -j ACCEPT | |
-A EXT_FORWARD_IN_CHAIN -j VALID_CHK | |
-A EXT_FORWARD_IN_CHAIN -i erouter0 -j CBN_FILTER_PORT_FORWARD | |
-A EXT_FORWARD_IN_CHAIN -i erouter0 -j CBN_FILTER_PORT_TRIGGER | |
-A EXT_FORWARD_IN_CHAIN -i erouter0 -j ZONE_CBN_FILTER_FORWARD_DMZ | |
# ICMP that exceeded the 60/s budget in INPUT: logged per type (12/hour), dropped.
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 3 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-unreachable flood: " --log-level 6 | |
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 3 -j POST_INPUT_DROP_CHAIN | |
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 11 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-time-exceeded fld: " --log-level 6 | |
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 11 -j POST_INPUT_DROP_CHAIN | |
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 12 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-param-problem fld: " --log-level 6 | |
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 12 -j POST_INPUT_DROP_CHAIN | |
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-request(ping) fld: " --log-level 6 | |
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 8 -j POST_INPUT_DROP_CHAIN | |
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 0 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-reply(pong) flood: " --log-level 6 | |
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 0 -j POST_INPUT_DROP_CHAIN | |
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 4 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-source-quench fld: " --log-level 6 | |
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 4 -j POST_INPUT_DROP_CHAIN | |
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP(other) flood: " --log-level 6 | |
-A EXT_ICMP_FLOOD_CHAIN -p icmp -j POST_INPUT_DROP_CHAIN | |
# New connections from the Internet side to the modem itself.
# Port-0 probes (both directions) are logged and dropped first.
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "AIF:Port 0 OS fingerprint: " --log-level 6 | |
-A EXT_INPUT_CHAIN -p udp -m udp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "AIF:Port 0 OS fingerprint: " --log-level 6 | |
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0 -j POST_INPUT_DROP_CHAIN | |
-A EXT_INPUT_CHAIN -p udp -m udp --dport 0 -j POST_INPUT_DROP_CHAIN | |
-A EXT_INPUT_CHAIN -p tcp -m tcp --sport 0 -m limit --limit 6/hour -j LOG --log-prefix "AIF:TCP source port 0: " --log-level 6 | |
-A EXT_INPUT_CHAIN -p udp -m udp --sport 0 -m limit --limit 6/hour -j LOG --log-prefix "AIF:UDP source port 0: " --log-level 6 | |
-A EXT_INPUT_CHAIN -p tcp -m tcp --sport 0 -j POST_INPUT_DROP_CHAIN | |
-A EXT_INPUT_CHAIN -p udp -m udp --sport 0 -j POST_INPUT_DROP_CHAIN | |
# DHCP client replies (server 67 -> client 68) are needed for the WAN lease.
-A EXT_INPUT_CHAIN -p udp -m udp --sport 67 --dport 68 -j ACCEPT | |
# Review note 2: SSH, HTTP and SNMP accepted from the Internet side, from any
# source address, with no rate limit. SNMP/HTTP are unauthenticated or
# cleartext at the transport level; whether these daemons listen on erouter0
# is not visible here.
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 22 -j ACCEPT | |
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 80 -j ACCEPT | |
-A EXT_INPUT_CHAIN -p udp -m udp --dport 161 -j ACCEPT | |
# Echo requests accepted at 20/s (burst 100); excess falls through to the
# per-type logging/drop below.
-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 20/sec --limit-burst 100 -j ACCEPT | |
# NEW TCP that is not a bare SYN (e.g. stray ACK/FIN scans) is dropped silently.
-A EXT_INPUT_CHAIN -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j POST_INPUT_DROP_CHAIN | |
-A EXT_INPUT_CHAIN -d 255.255.255.255/32 -j EXT_BROADCAST_CHAIN | |
# Everything else: rate-limited LOG by port class, then drop by protocol.
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV TCP packet: " --log-level 6 | |
-A EXT_INPUT_CHAIN -p udp -m udp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV UDP packet: " --log-level 6 | |
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV TCP packet: " --log-level 6 | |
-A EXT_INPUT_CHAIN -p udp -m udp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV UDP packet: " --log-level 6 | |
-A EXT_INPUT_CHAIN -p igmp -m limit --limit 1/min -j LOG --log-prefix "AIF:IGMP packet: " --log-level 6 | |
-A EXT_INPUT_CHAIN -j POST_INPUT_CHAIN | |
-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-request: " --log-level 6 | |
-A EXT_INPUT_CHAIN -p icmp -m icmp ! --icmp-type 8 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-other: " --log-level 6 | |
-A EXT_INPUT_CHAIN -p tcp -j POST_INPUT_DROP_CHAIN | |
-A EXT_INPUT_CHAIN -p udp -j POST_INPUT_DROP_CHAIN | |
-A EXT_INPUT_CHAIN -p igmp -j POST_INPUT_DROP_CHAIN | |
-A EXT_INPUT_CHAIN -p icmp -j POST_INPUT_DROP_CHAIN | |
-A EXT_INPUT_CHAIN -m limit --limit 1/min -j LOG --log-prefix "AIF:Other connect: " --log-level 6 | |
-A EXT_INPUT_CHAIN -j POST_INPUT_DROP_CHAIN | |
# Multicast to the host from erouter0: link-local 224.0.0.0/24 accepted,
# everything else logged (same port-1024-only quirk for UDP) and dropped.
-A EXT_MULTICAST_CHAIN -d 224.0.0.0/24 -i erouter0 -j ACCEPT | |
-A EXT_MULTICAST_CHAIN -p tcp -m tcp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV TCP multicast: " --log-level 6 | |
-A EXT_MULTICAST_CHAIN -p udp -m udp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV UDP multicast: " --log-level 6 | |
-A EXT_MULTICAST_CHAIN -p tcp -m tcp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV TCP multicast: " --log-level 6 | |
-A EXT_MULTICAST_CHAIN -p udp -m udp --dport 1024 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV UDP multicast: " --log-level 6 | |
-A EXT_MULTICAST_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-multicast-request: " --log-level 6 | |
-A EXT_MULTICAST_CHAIN -p icmp -m icmp ! --icmp-type 8 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-multicast-other: " --log-level 6 | |
-A EXT_MULTICAST_CHAIN -j DROP | |
# Host block-list drop; never reached because HOST_BLOCK_SRC/DST are empty.
-A HOST_BLOCK_DROP -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "AIF:Blocked host(s): " --log-level 6 | |
-A HOST_BLOCK_DROP -j DROP | |
-A INT_FORWARD_IN_CHAIN -i l2sd0.2 -j CBN_FILTER_PORT_FORWARD_LAN | |
# ---- INT_INPUT_CHAIN: LAN -> modem ----
# Specific internal destinations are blocked or port-restricted, ping is
# rate-limited (20/s, burst 100), and everything else from the LAN is
# ACCEPTED on every port -- LAN hosts get full access to the modem's other
# addresses.
-A INT_INPUT_CHAIN -j CBN_DROP_LAN_TO_HOST_HFC | |
-A INT_INPUT_CHAIN -j CBN_DROP_LAN_TO_HOST_EROUTER | |
-A INT_INPUT_CHAIN -d 192.168.100.1/32 -j CBN_DROP_LAN_TO_HOST_LAN | |
-A INT_INPUT_CHAIN -d 192.168.254.253/32 -j CBN_DROP_LAN_TO_HOST_RPC | |
-A INT_INPUT_CHAIN -d 192.168.100.250/32 -j CBN_DROP_LAN_TO_CBN_INT | |
-A INT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 20/sec --limit-burst 100 -j ACCEPT | |
-A INT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-request: " --log-level 6 | |
-A INT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -j DROP | |
-A INT_INPUT_CHAIN -j ACCEPT | |
# ---- LAN_INET_FORWARD_CHAIN: LAN -> Internet ----
# Ping rate-limited, then every protocol accepted (the tcp/udp rules are
# redundant with the final ACCEPT). No egress filtering at all.
-A LAN_INET_FORWARD_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 20/sec --limit-burst 100 -j ACCEPT | |
-A LAN_INET_FORWARD_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-request: " --log-level 6 | |
-A LAN_INET_FORWARD_CHAIN -p icmp -m icmp --icmp-type 8 -j DROP | |
-A LAN_INET_FORWARD_CHAIN -p tcp -j ACCEPT | |
-A LAN_INET_FORWARD_CHAIN -p udp -j ACCEPT | |
-A LAN_INET_FORWARD_CHAIN -j ACCEPT | |
-A POST_INPUT_DROP_CHAIN -j DROP | |
# ---- SPOOF_CHK ----
# Packets claiming a LAN source (192.168.0.0/24) are fine on l2sd0.2; on any
# other interface they are logged (3/min) and dropped. Only the LAN prefix is
# checked -- no other RFC1918/bogon source filtering on erouter0 exists here
# (RESERVED_NET_CHK is empty).
-A SPOOF_CHK -s 192.168.0.0/24 -i l2sd0.2 -j RETURN | |
-A SPOOF_CHK -s 192.168.0.0/24 -m limit --limit 3/min -j LOG --log-prefix "AIF:Spoofed packet: " --log-level 6 | |
-A SPOOF_CHK -s 192.168.0.0/24 -j POST_INPUT_DROP_CHAIN | |
-A SPOOF_CHK -j RETURN | |
COMMIT |