
Difference between revisions of "/root/scripts/iptables-restore"

m (1 revision)
 
(Completed)
 
Line 83: Line 83:
 
-A POSTROUTING -m conntrack --ctstate INVALID -j DROP
 
-A POSTROUTING -m conntrack --ctstate INVALID -j DROP
 
-A POSTROUTING -j ACCOUNT --addr 0/0 --tname wan
 
-A POSTROUTING -j ACCOUNT --addr 0/0 --tname wan
 +
-A FORWARD -j ACCOUNT --addr 192.168.26.0/24 --tname computerisms
 +
-A FORWARD -j ACCOUNT --addr 192.168.27.0/24 --tname pubaccess
 
-A PREROUTING -d 192.168.25.15/32 -i eth0 -p tcp -m tcp --dport 25 -j MARK --set-xmark 0x1/0xffffffff  
 
-A PREROUTING -d 192.168.25.15/32 -i eth0 -p tcp -m tcp --dport 25 -j MARK --set-xmark 0x1/0xffffffff  
 
-A PREROUTING -d 192.168.25.15/32 -i eth0 -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x1/0xffffffff  
 
-A PREROUTING -d 192.168.25.15/32 -i eth0 -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x1/0xffffffff  
Line 119: Line 121:
 
-A INPUT -j LOG --log-prefix INPUT
 
-A INPUT -j LOG --log-prefix INPUT
 
-A INPUT -j DROP
 
-A INPUT -j DROP
-A FORWARD -j ACCOUNT --addr 192.168.26.0/24 --tname computerisms
 
-A FORWARD -j ACCOUNT --addr 192.168.27.0/24 --tname pubaccess
 
 
-A FORWARD -m mark --mark 0x1 -j ACCEPT  
 
-A FORWARD -m mark --mark 0x1 -j ACCEPT  
 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
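Review bot: The two `-j ACCOUNT` rules added to the mangle FORWARD chain in the first hunk introduce a dependency the page does not record: ACCOUNT is the xtables-addons target (xt_ACCOUNT), not part of stock iptables, and if that module is absent iptables-restore fails at the mangle table and the tables after it, including the filter table with its default-DROP policies, are not loaded. A comment line above the first ACCOUNT rule would make that visible to whoever restores this file, e.g. `# ACCOUNT needs xtables-addons (xt_ACCOUNT); if it is missing, restore aborts here and later tables are not loaded`. The new per-LAN counters also overlap the existing `--addr 0/0 --tname wan` rule in POSTROUTING, which already counts every packet, so the wan table is a superset of the two LAN tables rather than a separate figure. In the second hunk the same two ACCOUNT lines appear again after `-A INPUT -j DROP` with no +/− marker; if they were moved out of the filter table in this revision that is fine, but if both copies survive the same flows are counted twice.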

Latest revision as of 16:58, 30 August 2014

Basic

# Basic ruleset (iptables-save format; iptables-restore skips lines beginning with '#').
# One LAN, 192.168.26.0/24 on eth1, is source-NATed behind 192.168.25.15 on eth0.
# Rule order matters: each chain is walked top to bottom until a terminating target hits.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rewrite the source of LAN traffic leaving eth0 to the host's eth0 address.
-A POSTROUTING -s 192.168.26.0/24 -o eth0 -j SNAT --to-source 192.168.25.15
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Discard packets conntrack cannot associate with a known flow before they leave.
-A POSTROUTING -m conntrack --ctstate INVALID -j DROP
COMMIT
# raw table is declared but carries no rules.
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
# Default-deny on all three chains; anything not accepted below is logged, then dropped.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback: allow lo; a 127/8 source arriving on any other interface is logged and dropped (spoof check).
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 ! -i lo -j LOG --log-prefix INPUTlo
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
# Limited broadcast from anywhere; non-TCP multicast on the LAN interface only.
-A INPUT -d 255.255.255.255/32 -j ACCEPT
-A INPUT -d 224.0.0.0/4 -i eth1 ! -p tcp -j ACCEPT
# NOTE(review): everything addressed to the host's eth0 address is accepted with no port,
# protocol or conntrack-state qualifier, so every service the host listens on is reachable
# from eth0. INPUT has no RELATED,ESTABLISHED rule, so this is also the rule that admits
# replies to host-originated connections; a stateful rule plus per-port accepts would narrow
# it -- confirm what eth0 faces before tightening.
-A INPUT -d 192.168.25.15/32 -i eth0 -j ACCEPT
-A INPUT -d 192.168.25.255/32 -i eth0 -j ACCEPT
# LAN sources are accepted on eth1 only; the same source on any other interface is logged and dropped.
-A INPUT -s 192.168.26.0/24 -i eth1 -j ACCEPT
-A INPUT -s 192.168.26.0/24 ! -i eth1 -j LOG --log-prefix INPUT1
-A INPUT -s 192.168.26.0/24 ! -i eth1 -j DROP
# Catch-all: log, then drop. No LOG rule in this file carries `-m limit`, so a burst of
# rejected packets produces one log line per packet -- TODO consider rate limiting.
-A INPUT -j LOG --log-prefix INPUT
-A INPUT -j DROP
# Forwarding: replies to existing flows first, then new LAN->eth0 connections. Nothing in this
# revision lets a connection be opened from eth0 toward the LAN.
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.26.0/24 -i eth1 -o eth0 -j ACCEPT
-A FORWARD -j LOG --log-prefix FORWARD
-A FORWARD -j DROP
# OUTPUT mirrors INPUT: lo, loopback-spoof check, broadcast/multicast, the host's own eth0
# addresses, LAN reachable via eth1 only, then log+drop. Note eth2 multicast appears here but
# INPUT has no eth2 rule yet in this revision.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 127.0.0.0/8 ! -o lo -j LOG --log-prefix OUTPUTlo
-A OUTPUT -d 127.0.0.0/8 ! -o lo -j DROP
-A OUTPUT -d 255.255.255.255/32 -j ACCEPT
-A OUTPUT -d 224.0.0.0/4 -o eth1 ! -p tcp -j ACCEPT
-A OUTPUT -d 224.0.0.0/4 -o eth2 ! -p tcp -j ACCEPT
-A OUTPUT -s 192.168.25.15/32 -o eth0 -j ACCEPT
-A OUTPUT -s 192.168.25.255/32 -o eth0 -j ACCEPT
-A OUTPUT -d 192.168.26.0/24 -o eth1 -j ACCEPT
-A OUTPUT -d 192.168.26.0/24 ! -o eth1 -j LOG --log-prefix OUTPUT1
-A OUTPUT -d 192.168.26.0/24 ! -o eth1 -j DROP
-A OUTPUT -j LOG --log-prefix OUTPUT
-A OUTPUT -j DROP
COMMIT

Completed

# Completed ruleset: two LANs behind 192.168.25.15 on eth0 -- 192.168.26.0/24 on eth1
# (accounted as "computerisms") and 192.168.27.0/24 on eth2 ("pubaccess") -- plus
# port-forwards for six TCP services to 192.168.26.10. Each table below carries its own
# iptables-save header. The [pkts:bytes] counters on the chain lines are from the live
# save; iptables-restore zeroes them unless run with -c.
# Generated by iptables-save v1.4.20 on Thu Aug 29 20:35:34 2013
*nat
:PREROUTING ACCEPT [16208:2924135]
:INPUT ACCEPT [12634:2681037]
:OUTPUT ACCEPT [5147:372035]
:POSTROUTING ACCEPT [5147:372035]
# Port-forward (DNAT) TCP 25, 80, 443, 587, 993 and 995 arriving on eth0 for the host's own
# address to 192.168.26.10. The same six matches are MARKed 0x1 in the mangle table and
# accepted in filter FORWARD by that mark; changing one list without the others leaves a
# forward half-configured.
-A PREROUTING -d 192.168.25.15/32 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.26.10:25 
-A PREROUTING -d 192.168.25.15/32 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.26.10:80 
-A PREROUTING -d 192.168.25.15/32 -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.26.10:443
-A PREROUTING -d 192.168.25.15/32 -i eth0 -p tcp -m tcp --dport 587 -j DNAT --to-destination 192.168.26.10:587
-A PREROUTING -d 192.168.25.15/32 -i eth0 -p tcp -m tcp --dport 993 -j DNAT --to-destination 192.168.26.10:993 
-A PREROUTING -d 192.168.25.15/32 -i eth0 -p tcp -m tcp --dport 995 -j DNAT --to-destination 192.168.26.10:995
# Source-NAT both LANs behind the eth0 address. 192.168.26.0/24 -> 10.25.0.0/24 is exempt
# from SNAT (it is routed untranslated; filter FORWARD has a matching ACCEPT pair).
-A POSTROUTING ! -d 10.25.0.0/24 -s 192.168.26.0/24 -o eth0 -j SNAT --to-source 192.168.25.15
-A POSTROUTING -s 192.168.27.0/24 -o eth0 -j SNAT --to-source 192.168.25.15
COMMIT
# Completed on Thu Aug 29 20:35:34 2013
# Generated by iptables-save v1.4.20 on Thu Aug 29 20:35:34 2013
*mangle
:PREROUTING ACCEPT [154883:126645061]
:INPUT ACCEPT [133756:117641671]
:FORWARD ACCEPT [20465:8966111]
:OUTPUT ACCEPT [86452:6816891]
:POSTROUTING ACCEPT [106905:15782402]
# Drop conntrack-INVALID packets before they leave, then traffic accounting. ACCOUNT is the
# xtables-addons target (xt_ACCOUNT), not part of stock iptables: if the module is absent,
# iptables-restore fails at this table and the tables after it (including filter) are not
# loaded. The "wan" table counts every packet reaching POSTROUTING (0/0), so it overlaps
# the two per-LAN FORWARD tables rather than giving a separate figure.
-A POSTROUTING -m conntrack --ctstate INVALID -j DROP
-A POSTROUTING -j ACCOUNT --addr 0/0 --tname wan
-A FORWARD -j ACCOUNT --addr 192.168.26.0/24 --tname computerisms
-A FORWARD -j ACCOUNT --addr 192.168.27.0/24 --tname pubaccess
# Mark the port-forward flows 0x1. mangle PREROUTING runs before nat PREROUTING, so the match
# is against the original destination (the host's eth0 address), before DNAT rewrites it.
-A PREROUTING -d 192.168.25.15/32 -i eth0 -p tcp -m tcp --dport 25 -j MARK --set-xmark 0x1/0xffffffff 
-A PREROUTING -d 192.168.25.15/32 -i eth0 -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x1/0xffffffff 
-A PREROUTING -d 192.168.25.15/32 -i eth0 -p tcp -m tcp --dport 443 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -d 192.168.25.15/32 -i eth0 -p tcp -m tcp --dport 587 -j MARK --set-xmark 0x1/0xffffffff 
-A PREROUTING -d 192.168.25.15/32 -i eth0 -p tcp -m tcp --dport 993 -j MARK --set-xmark 0x1/0xffffffff 
-A PREROUTING -d 192.168.25.15/32 -i eth0 -p tcp -m tcp --dport 995 -j MARK --set-xmark 0x1/0xffffffff 
COMMIT
# Completed on Thu Aug 29 20:35:34 2013
# Generated by iptables-save v1.4.20 on Thu Aug 29 20:35:34 2013
# raw table is declared but carries no rules.
*raw
:PREROUTING ACCEPT [154883:126645061]
:OUTPUT ACCEPT [86452:6816891]
COMMIT
# Completed on Thu Aug 29 20:35:34 2013
# Generated by iptables-save v1.4.20 on Thu Aug 29 20:35:34 2013
*filter
# Default-deny on all three chains; anything not accepted below is logged, then dropped.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# NOTE(review): accepts packets marked 0x1 (the port-forward matches). Those packets are
# DNATed to 192.168.26.10 in nat PREROUTING and therefore go through FORWARD rather than
# being delivered locally, so this INPUT rule looks like it never matches them -- check its
# counter before relying on it or removing it.
-A INPUT -m mark --mark 0x1 -j ACCEPT 
# Loopback, loopback-spoof check, limited broadcast, non-TCP multicast on both LAN interfaces.
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 ! -i lo -j LOG --log-prefix INPUTlo
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
-A INPUT -d 255.255.255.255/32 -j ACCEPT
-A INPUT -d 224.0.0.0/4 -i eth1 ! -p tcp -j ACCEPT
-A INPUT -d 224.0.0.0/4 -i eth2 ! -p tcp -j ACCEPT
# NOTE(review): all traffic to the host's eth0 address is accepted with no port, protocol or
# conntrack-state qualifier, so every service the host listens on is reachable from eth0.
# INPUT has no RELATED,ESTABLISHED rule, so this is also how replies to host-originated eth0
# connections get in; a stateful rule plus per-port accepts would narrow it.
-A INPUT -d 192.168.25.15/32 -i eth0 -j ACCEPT
-A INPUT -d 192.168.25.255/32 -i eth0 -j ACCEPT
# Each LAN is accepted only on its own interface; the same source anywhere else is logged and dropped.
# NOTE(review): the pubaccess network on eth2 gets the same unrestricted access to host
# services as the eth1 LAN; if it is meant to be less trusted, limit it to the services it needs.
-A INPUT -s 192.168.26.0/24 -i eth1 -j ACCEPT
-A INPUT -s 192.168.26.0/24 ! -i eth1 -j LOG --log-prefix INPUT1
-A INPUT -s 192.168.26.0/24 ! -i eth1 -j DROP
-A INPUT -s 192.168.27.0/24 -i eth2 -j ACCEPT
-A INPUT -s 192.168.27.0/24 ! -i eth2 -j LOG --log-prefix INPUT2
-A INPUT -s 192.168.27.0/24 ! -i eth2 -j DROP
# Catch-all: log, then drop. No LOG rule in this file carries `-m limit`, so a burst of
# rejected packets produces one log line per packet -- TODO consider rate limiting.
-A INPUT -j LOG --log-prefix INPUT
-A INPUT -j DROP
# FORWARD: port-forward flows by mark, then replies to existing flows, then the two LANs are
# kept apart in both directions (logged as FORWARD1/FORWARD2). The isolation pair sits before
# the per-LAN accepts, so neither LAN can open a connection to the other.
-A FORWARD -m mark --mark 0x1 -j ACCEPT 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.26.0/24 -d 192.168.27.0/24 -j LOG --log-prefix FORWARD1
-A FORWARD -s 192.168.26.0/24 -d 192.168.27.0/24 -j DROP
-A FORWARD -s 192.168.27.0/24 -d 192.168.26.0/24 -j LOG --log-prefix FORWARD2
-A FORWARD -s 192.168.27.0/24 -d 192.168.26.0/24 -j DROP
# 192.168.26.0/24 <-> 10.25.0.0/24 is forwarded both ways with no interface match.
# NOTE(review): nothing binds 10.25.0.0/24 to an interface the way the LAN rules do, so a
# packet with that source on any interface is accepted toward the LAN -- confirm which
# interface carries it and add -i / -o.
-A FORWARD -s 192.168.26.0/24 -d 10.25.0.0/24 -j ACCEPT
-A FORWARD -d 192.168.26.0/24 -s 10.25.0.0/24 -j ACCEPT
# New connections from each LAN out to eth0; everything else is logged and dropped.
-A FORWARD -s 192.168.26.0/24 -i eth1 -o eth0 -j ACCEPT
-A FORWARD -s 192.168.27.0/24 -i eth2 -o eth0 -j ACCEPT
-A FORWARD -j LOG --log-prefix FORWARD
-A FORWARD -j DROP
# OUTPUT mirrors INPUT per interface: lo, loopback-spoof check, broadcast/multicast, the
# host's own eth0 addresses, each LAN reachable only via its own interface, then log+drop.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 127.0.0.0/8 ! -o lo -j LOG --log-prefix OUTPUTlo
-A OUTPUT -d 127.0.0.0/8 ! -o lo -j DROP
-A OUTPUT -d 255.255.255.255/32 -j ACCEPT
-A OUTPUT -d 224.0.0.0/4 -o eth1 ! -p tcp -j ACCEPT
-A OUTPUT -d 224.0.0.0/4 -o eth2 ! -p tcp -j ACCEPT
-A OUTPUT -s 192.168.25.15/32 -o eth0 -j ACCEPT
-A OUTPUT -s 192.168.25.255/32 -o eth0 -j ACCEPT
-A OUTPUT -d 192.168.26.0/24 -o eth1 -j ACCEPT
-A OUTPUT -d 192.168.26.0/24 ! -o eth1 -j LOG --log-prefix OUTPUT1
-A OUTPUT -d 192.168.26.0/24 ! -o eth1 -j DROP
-A OUTPUT -d 192.168.27.0/24 -o eth2 -j ACCEPT
-A OUTPUT -d 192.168.27.0/24 ! -o eth2 -j LOG --log-prefix OUTPUT2
-A OUTPUT -d 192.168.27.0/24 ! -o eth2 -j DROP
-A OUTPUT -j LOG --log-prefix OUTPUT
-A OUTPUT -j DROP
COMMIT
# Completed on Thu Aug 29 20:35:34 2013