Difference between revisions of "Iptables"
(→KVM IPtables :) |
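--- a/Iptables
+++ b/Iptables
@@ -75,3 +75,58 @@
 -A portdrop -i eth0 -p tcp -m tcp -j REJECT --reject-with tcp-reset
 -A portdrop -i eth0 -j DROP
+COMMIT
+
+== NAT IPtables : ==
+
+# Generated by HyperSecure Solutions v1.3 on June 26, 2015
+*nat
+:PREROUTING ACCEPT [1:84]
+:INPUT ACCEPT [1:84]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.18:22
+-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.23:80
+-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.23:443
+-A PREROUTING -i eth0 -p tcp -m tcp --dport 3000 -j DNAT --to-destination 192.168.1.16:3000
+-A PREROUTING -i eth0 -p tcp -m tcp --dport 5222 -j DNAT --to-destination 192.168.1.16:5222
+-A PREROUTING -i eth0 -p tcp -m tcp --dport 5223 -j DNAT --to-destination 192.168.1.16:5223
+-A PREROUTING -i eth0 -p tcp -m tcp --dport 5269 -j DNAT --to-destination 192.168.1.16:5269
+-A PREROUTING -i eth0 -p tcp -m tcp --dport 5298 -j DNAT --to-destination 192.168.1.16:5298
+-A PREROUTING -i eth0 -p tcp -m tcp --dport 7070 -j DNAT --to-destination 192.168.1.16:7070
+-A PREROUTING -i eth0 -p tcp -m tcp --dport 7443 -j DNAT --to-destination 192.168.1.16:7443
+-A PREROUTING -i eth0 -p tcp -m tcp --dport 7777 -j DNAT --to-destination 192.168.1.16:7777
+-A PREROUTING -i eth0 -p tcp -m tcp --dport 9090 -j DNAT --to-destination 192.168.1.16:9090
+-A PREROUTING -d 96.49.64.135/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.23
+-A PREROUTING -d 96.49.64.135/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.23
+-A POSTROUTING -o eth0 -j MASQUERADE
+-A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.23/32 -j SNAT --to-source 192.168.1.1
+COMMIT
+
+*mangle
+:PREROUTING ACCEPT [1036:112278]
+:INPUT ACCEPT [445:39126]
+:FORWARD ACCEPT [591:73152]
+:OUTPUT ACCEPT [307:38143]
+:POSTROUTING ACCEPT [890:110615]
+COMMIT
+
+*filter
+:INPUT ACCEPT [55:8337]
+:FORWARD ACCEPT [24:2456]
+:OUTPUT ACCEPT [299:37463]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth0 -m state --state NEW -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth1 -o eth0 -j ACCEPT
+-A FORWARD -d 192.168.1.18/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
+-A FORWARD -d 192.168.1.18/32 -i eth0 -p tcp -m tcp --dport 3000 -j ACCEPT
+-A FORWARD -d 192.168.1.18/32 -i eth0 -p tcp -m tcp --dport 5222 -j ACCEPT
+-A FORWARD -d 192.168.1.18/32 -i eth0 -p tcp -m tcp --dport 5223 -j ACCEPT
+-A FORWARD -d 192.168.1.18/32 -i eth0 -p tcp -m tcp --dport 5269 -j ACCEPT
+-A FORWARD -d 192.168.1.18/32 -i eth0 -p tcp -m tcp --dport 5298 -j ACCEPT
+-A FORWARD -d 192.168.1.18/32 -i eth0 -p tcp -m tcp --dport 7070 -j ACCEPT
+-A FORWARD -d 192.168.1.18/32 -i eth0 -p tcp -m tcp --dport 7443 -j ACCEPT
+-A FORWARD -d 192.168.1.18/32 -i eth0 -p tcp -m tcp --dport 7777 -j ACCEPT
+-A FORWARD -d 192.168.1.18/32 -i eth0 -p tcp -m tcp --dport 9090 -j ACCEPT
 COMMIT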
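Review bot: The filter table added at the end of the hunk sets ACCEPT as the policy on INPUT, FORWARD and OUTPUT, and its third INPUT rule `-A INPUT -i eth0 -m state --state NEW -j ACCEPT` admits every new connection arriving on eth0, so unlike the OpenVZ and KVM rulesets above this host is not default-deny and none of the per-port FORWARD rules below it ever decides anything. The nine FORWARD rules also name 192.168.1.18 while the nat PREROUTING rules send ports 3000-9090 to 192.168.1.16, so only the port 22 rule can match forwarded traffic; the mismatch is invisible under the ACCEPT policy but would cut those forwards the moment the policy is tightened. I would change the two policy lines to `:INPUT DROP [0:0]` and `:FORWARD DROP [0:0]`, replace the blanket NEW-on-eth0 rule with the specific ports the gateway itself must serve, and point the 3000-9090 FORWARD rules at 192.168.1.16 so they agree with their DNAT targets. Separately, the PREROUTING DNAT of TCP/22 on eth0 to 192.168.1.18:22 means the gateway's own SSH is no longer reachable from eth0, which the section should state so nobody loses access on load.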
Revision as of 17:32, 26 June 2015
OpenVZ IPtables:
# Generated by HyperSecure Solutions v1.2 on August 8, 2013
# OpenVZ guest ruleset (iptables-save format, filter table only).
# INPUT and FORWARD are default-deny, OUTPUT default-allow. No rule carries an
# interface match, so every rule applies on every interface. The user chain
# "portdrop" answers TCP with a RST and silently drops everything else.
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [187:19244]
:portdrop - [0:0]
# Block bad tcp flags
# Flag combinations that never occur in a normal handshake are sent to portdrop
# before any ACCEPT rule below can see them. The first --tcp-flags operand is
# the mask examined, the second lists which of those flags must be set.
# Of all six flags only FIN, PSH and URG set (no SYN/ACK): the "Xmas" pattern.
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j portdrop
# All six flags set at once.
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j portdrop
# Every flag except PSH set.
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j portdrop
# None of the six flags set: the "null" pattern.
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j portdrop
# SYN and RST set together.
[0:0] -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j portdrop
# SYN and FIN set together.
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j portdrop
#ICMP Drops
# Discovery and route-altering ICMP types are dropped outright. Any ICMP type
# not listed here and not matched by a later rule falls to the INPUT DROP policy.
# type 18: address mask reply
-A INPUT -p icmp -m icmp --icmp-type 18 -j DROP
# type 17: address mask request
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
# type 10: router solicitation
-A INPUT -p icmp -m icmp --icmp-type 10 -j DROP
# type 9: router advertisement
-A INPUT -p icmp -m icmp --icmp-type 9 -j DROP
# type 5: redirect (could change this host's routing if honoured)
-A INPUT -p icmp -m icmp --icmp-type 5 -j DROP
# Loopback and packets belonging to an existing connection are always allowed.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Already covered by the generic RELATED,ESTABLISHED rule above; kept as written.
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
# type 8 (echo request): the only unsolicited ICMP accepted, rate-limited to
# one per second; no --limit-burst is given, so the limit module's default applies.
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
#Server Ports
# Only SSH (22) and HTTP (80) accept new connections.
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Explicit catch-all drops for TCP and UDP. Redundant with the INPUT DROP
# policy, but presumably kept so each protocol gets its own packet counter.
-A INPUT -p tcp -m tcp -j DROP
-A INPUT -p udp -m udp -j DROP
-A OUTPUT -o lo -j ACCEPT
# Redundant with the OUTPUT ACCEPT policy; kept as written.
-A OUTPUT -p icmp -m state --state NEW -j ACCEPT
# portdrop: TCP is answered with a RST so the peer gives up immediately;
# anything else is dropped without a reply.
-A portdrop -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A portdrop -j DROP
COMMIT
KVM IPtables :
# Generated by HyperSecure Solutions v1.3 on June 26, 2015
# KVM guest ruleset (iptables-save format, filter table only).
# Same shape as the OpenVZ ruleset above: INPUT and FORWARD default-deny,
# OUTPUT default-allow, "portdrop" user chain for hostile TCP. The difference
# is that the service, catch-all and portdrop rules are restricted to eth0;
# the bad-flags and ICMP rules still apply on every interface.
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [187:19244]
:portdrop - [0:0]
# Block bad tcp flags
# Flag combinations that never occur in a normal handshake are sent to portdrop
# before any ACCEPT rule below can see them. The first --tcp-flags operand is
# the mask examined, the second lists which of those flags must be set.
# Of all six flags only FIN, PSH and URG set (no SYN/ACK): the "Xmas" pattern.
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j portdrop
# All six flags set at once.
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j portdrop
# Every flag except PSH set.
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j portdrop
# None of the six flags set: the "null" pattern.
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j portdrop
# SYN and RST set together.
[0:0] -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j portdrop
# SYN and FIN set together.
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j portdrop
#ICMP Drops
# Discovery and route-altering ICMP types are dropped outright. Any ICMP type
# not listed here and not matched by a later rule falls to the INPUT DROP policy.
# type 18: address mask reply
-A INPUT -p icmp -m icmp --icmp-type 18 -j DROP
# type 17: address mask request
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
# type 10: router solicitation
-A INPUT -p icmp -m icmp --icmp-type 10 -j DROP
# type 9: router advertisement
-A INPUT -p icmp -m icmp --icmp-type 9 -j DROP
# type 5: redirect (could change this host's routing if honoured)
-A INPUT -p icmp -m icmp --icmp-type 5 -j DROP
# Loopback and packets belonging to an existing connection are always allowed.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Already covered by the generic RELATED,ESTABLISHED rule above; kept as written.
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
# type 8 (echo request): the only unsolicited ICMP accepted, rate-limited to
# one per second; no --limit-burst is given, so the limit module's default applies.
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
#Server Ports
# Only SSH (22) and HTTP (80) on eth0 accept new connections. New connections
# on any other interface match nothing below and hit the INPUT DROP policy.
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
# Explicit catch-all drops for TCP and UDP on eth0. Redundant with the INPUT
# DROP policy, but presumably kept so each protocol gets its own packet counter.
-A INPUT -i eth0 -p tcp -m tcp -j DROP
-A INPUT -i eth0 -p udp -m udp -j DROP
-A OUTPUT -o lo -j ACCEPT
# Redundant with the OUTPUT ACCEPT policy; kept as written.
-A OUTPUT -p icmp -m state --state NEW -j ACCEPT
# portdrop: TCP on eth0 is answered with a RST, anything else on eth0 is
# dropped without a reply.
# NOTE(review): both portdrop rules are limited to eth0, but the bad-flags
# rules that jump here are not. A packet that reaches portdrop from another
# interface matches neither rule, returns to INPUT and continues down that
# chain (ending at the DROP policy unless a later rule accepts it). Dropping
# the -i eth0 on these two lines would make portdrop terminal on every interface.
-A portdrop -i eth0 -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A portdrop -i eth0 -j DROP
COMMIT
NAT IPtables :
# Generated by HyperSecure Solutions v1.3 on June 26, 2015
# NAT gateway ruleset (iptables-save format): nat, mangle and filter tables.
# eth0 is treated as the outside interface and eth1 / 192.168.1.0/24 as the
# inside network (see the FORWARD rules and the MASQUERADE on eth0).
*nat
:PREROUTING ACCEPT [1:84]
:INPUT ACCEPT [1:84]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Port forwards for connections arriving on eth0. DNAT in PREROUTING runs
# before the filter table's INPUT chain, so while these rules are loaded the
# gateway's own TCP/22, TCP/80 and TCP/443 are not reachable via eth0.
# SSH -> 192.168.1.18
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.18:22
# HTTP/HTTPS -> 192.168.1.23
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.23:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.23:443
# Application ports -> 192.168.1.16, destination port unchanged.
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3000 -j DNAT --to-destination 192.168.1.16:3000
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5222 -j DNAT --to-destination 192.168.1.16:5222
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5223 -j DNAT --to-destination 192.168.1.16:5223
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5269 -j DNAT --to-destination 192.168.1.16:5269
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5298 -j DNAT --to-destination 192.168.1.16:5298
-A PREROUTING -i eth0 -p tcp -m tcp --dport 7070 -j DNAT --to-destination 192.168.1.16:7070
-A PREROUTING -i eth0 -p tcp -m tcp --dport 7443 -j DNAT --to-destination 192.168.1.16:7443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 7777 -j DNAT --to-destination 192.168.1.16:7777
-A PREROUTING -i eth0 -p tcp -m tcp --dport 9090 -j DNAT --to-destination 192.168.1.16:9090
# The same web forwards keyed on the public address instead of the interface
# (no port in --to-destination, so the original port is kept). Traffic on eth0
# was already rewritten by the -i eth0 rules above, so these can only match
# packets for 96.49.64.135 arriving on other interfaces, presumably inside
# clients using the public address; the SNAT below completes that path.
# TODO confirm 96.49.64.135 is the address bound to eth0.
-A PREROUTING -d 96.49.64.135/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.23
-A PREROUTING -d 96.49.64.135/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.23
# Everything leaving via eth0 is source-NATed to eth0's address.
-A POSTROUTING -o eth0 -j MASQUERADE
# Inside clients reaching the web server through the DNAT above are rewritten
# to come from 192.168.1.1 so the server's replies return via this gateway
# (hairpin NAT). 192.168.1.1 is presumably the gateway's inside address; verify.
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.23/32 -j SNAT --to-source 192.168.1.1
COMMIT
# mangle table: default policies only, no rules.
*mangle
:PREROUTING ACCEPT [1036:112278]
:INPUT ACCEPT [445:39126]
:FORWARD ACCEPT [591:73152]
:OUTPUT ACCEPT [307:38143]
:POSTROUTING ACCEPT [890:110615]
COMMIT
# NOTE(review): every policy in this filter table is ACCEPT, so no rule below
# ever denies anything; the table only adds packet counters. This is the
# opposite of the default-deny OpenVZ and KVM rulesets above. If this file is
# loaded on the same host as the KVM ruleset it replaces that filter table.
*filter
:INPUT ACCEPT [55:8337]
:FORWARD ACCEPT [24:2456]
:OUTPUT ACCEPT [299:37463]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accepts every new inbound connection on eth0, the outside interface.
-A INPUT -i eth0 -m state --state NEW -j ACCEPT
# Replies from outside back to inside; inside -> outside is unrestricted.
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
# Per-port forwards to 192.168.1.18.
# NOTE(review): the nat rules above send ports 3000-9090 to 192.168.1.16, not
# 192.168.1.18, so only the port 22 rule here can match forwarded traffic. The
# mismatch has no effect while FORWARD's policy is ACCEPT, but would block
# those forwards as soon as the policy is changed to DROP.
-A FORWARD -d 192.168.1.18/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.168.1.18/32 -i eth0 -p tcp -m tcp --dport 3000 -j ACCEPT
-A FORWARD -d 192.168.1.18/32 -i eth0 -p tcp -m tcp --dport 5222 -j ACCEPT
-A FORWARD -d 192.168.1.18/32 -i eth0 -p tcp -m tcp --dport 5223 -j ACCEPT
-A FORWARD -d 192.168.1.18/32 -i eth0 -p tcp -m tcp --dport 5269 -j ACCEPT
-A FORWARD -d 192.168.1.18/32 -i eth0 -p tcp -m tcp --dport 5298 -j ACCEPT
-A FORWARD -d 192.168.1.18/32 -i eth0 -p tcp -m tcp --dport 7070 -j ACCEPT
-A FORWARD -d 192.168.1.18/32 -i eth0 -p tcp -m tcp --dport 7443 -j ACCEPT
-A FORWARD -d 192.168.1.18/32 -i eth0 -p tcp -m tcp --dport 7777 -j ACCEPT
-A FORWARD -d 192.168.1.18/32 -i eth0 -p tcp -m tcp --dport 9090 -j ACCEPT
COMMIT