Re: iptables notes

iptables-save output from a firewall

*filter
:INPUT DROP [3229:322102]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-in - [0:0]
:icmp-out - [0:0]
:log-and-drop - [0:0]
:valid-source-address - [0:0]
:valid-source-address-udp - [0:0]
:valid-tcp-flags - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -j valid-tcp-flags
-A INPUT -p ! udp -j valid-source-address
-A INPUT -p udp -j valid-source-address-udp
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j valid-source-address
-A INPUT -p icmp -j icmp-in
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -j valid-tcp-flags
-A OUTPUT -p icmp -j icmp-out
-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 53 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-A icmp-in -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A icmp-in -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp-in -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A icmp-in -j DROP
-A icmp-out -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp-out -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A icmp-out -j DROP
-A log-and-drop -j LOG --log-level 7 --log-tcp-options --log-ip-options
-A log-and-drop -j DROP
-A valid-source-address -s 127.0.0.1 -j DROP
-A valid-source-address -s 0.0.0.0/255.0.0.0 -j DROP
-A valid-source-address -d 255.255.255.255 -j DROP
-A valid-source-address-udp -s 127.0.0.1 -j DROP
-A valid-source-address-udp -s 0.0.0.0/255.0.0.0 -j DROP
-A valid-tcp-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j log-and-drop
-A valid-tcp-flags -p tcp -m tcp --tcp-flags FIN,ACK FIN -j log-and-drop
-A valid-tcp-flags -p tcp -m tcp --tcp-flags PSH,ACK PSH -j log-and-drop
-A valid-tcp-flags -p tcp -m tcp --tcp-flags ACK,URG URG -j log-and-drop
-A valid-tcp-flags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j log-and-drop
-A valid-tcp-flags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j log-and-drop
-A valid-tcp-flags -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j log-and-drop
COMMIT
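As an added example (not part of the original notes), this Python snippet parses the valid-tcp-flags chain from the ruleset above and applies the --tcp-flags MASK COMP semantics (only the MASK bits are examined, and they must equal COMP) to constructed flag combinations, showing which segments the chain sends to log-and-drop and which it RETURNs to INPUT or OUTPUT.

```python
import re

# Constructed copy of the valid-tcp-flags chain from the ruleset above.
RULESET = """
-A valid-tcp-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j log-and-drop
-A valid-tcp-flags -p tcp -m tcp --tcp-flags FIN,ACK FIN -j log-and-drop
-A valid-tcp-flags -p tcp -m tcp --tcp-flags PSH,ACK PSH -j log-and-drop
-A valid-tcp-flags -p tcp -m tcp --tcp-flags ACK,URG URG -j log-and-drop
-A valid-tcp-flags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j log-and-drop
-A valid-tcp-flags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j log-and-drop
-A valid-tcp-flags -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j log-and-drop
"""

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
RULE_RE = re.compile(r"^-A (\S+) .*--tcp-flags (\S+) (\S+) -j (\S+)$")

def flag_bits(spec):
    """'FIN,SYN' -> bitmask; ALL and NONE are the --tcp-flags keywords."""
    if spec == "NONE":
        return 0
    if spec == "ALL":
        return sum(TCP_FLAGS.values())
    return sum(TCP_FLAGS[f] for f in spec.split(","))

def parse_chain(text, chain):
    """Return [(mask, comp, target)] for the --tcp-flags rules appended to chain."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line)
        if m and m.group(1) == chain:
            rules.append((flag_bits(m.group(2)), flag_bits(m.group(3)), m.group(4)))
    return rules

def tcp_flags_match(flags, mask, comp):
    """--tcp-flags MASK COMP: only the MASK bits are examined and must equal COMP."""
    return flags & mask == comp

def verdict(flags, rules):
    """First matching rule wins; with no match the user chain RETURNs to its caller."""
    for mask, comp, target in rules:
        if tcp_flags_match(flags, mask, comp):
            return target
    return "RETURN"

def classify(flag_names, text=RULESET):
    """Verdict for a segment carrying exactly the named flags, e.g. ['SYN']."""
    return verdict(flag_bits(",".join(flag_names) or "NONE"),
                   parse_chain(text, "valid-tcp-flags"))
```

A plain SYN, an ACK, a PSH,ACK or a FIN,ACK pass through (RETURN) and go on to the state and port rules; a flagless segment, a lone FIN, SYN,RST or the FIN,SYN,PSH,URG combination hit log-and-drop.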
