# Generated by xtables-save v1.8.2 on Thu Mar 30 23:00:39 2023
#
# nat table: source NAT for the LAN prefix 192.168.0.0/24 towards both
# upstream interfaces. There are no DNAT / port-forwarding rules, so no
# inbound connection from either uplink is mapped onto a LAN host.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade LAN traffic leaving via wan0 and via wwan0 (presumably the
# cellular fallback uplink - name only, verify). MASQUERADE uses whatever
# address the outgoing interface currently holds, so it tolerates uplinks
# whose address changes.
-A POSTROUTING -s 192.168.0.0/24 -o wan0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o wwan0 -j MASQUERADE
COMMIT
# Completed on Thu Mar 30 23:00:39 2023
# Generated by xtables-save v1.8.2 on Thu Mar 30 23:00:39 2023
#
# filter table: default-deny for traffic addressed to the CPE (INPUT) and
# for traffic routed through it (FORWARD); locally generated traffic
# (OUTPUT) is unrestricted. The only services reachable at all are bound
# to the LAN bridge br0; nothing below accepts new connections arriving on
# wan0 or wwan0, so those fall through to the DROP policy. Rule order is
# significant - do not reorder.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# User-defined chain that throttles new SSH connections per source host.
:SSH - [0:0]
# Loopback is always allowed.
-A INPUT -i lo -j ACCEPT
# Return traffic of connections the CPE itself opened, then discard
# packets conntrack cannot associate with any connection.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP echo request (type 8, code 0) is answered on every interface,
# including the uplinks. NOTE(review): there is no "-m limit" here, so
# inbound pings are not throttled.
-A INPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
# UDP traceroute probes (destination ports 33434-33534) get an explicit
# port-unreachable instead of being silently dropped, so a traceroute
# ending at this host completes.
-A INPUT -p udp -m udp --dport 33434:33534 -m comment --comment "traceroute in UDP mode" -j REJECT --reject-with icmp-port-unreachable
# IGMP to the multicast range on wan0.4, the interface the IPTV FORWARD
# rules below use.
-A INPUT -d 224.0.0.0/4 -i wan0.4 -p igmp -j ACCEPT
# SSH is accepted only from the LAN bridge and only after the SSH chain's
# per-source rate check; port 22 on any other interface hits the DROP policy.
-A INPUT -i br0 -p tcp -m tcp --dport 22 -j SSH
# DHCP (client port 68 -> server port 67) and DNS over UDP/TCP, LAN side only.
-A INPUT -i br0 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i br0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 53 -j ACCEPT
# IGMP addressed to the all-routers group on the LAN bridge.
-A INPUT -d 224.0.0.2/32 -i br0 -p igmp -j ACCEPT
# Routing: the LAN may open new connections towards each uplink; from an
# uplink towards the LAN only reply traffic is passed. There is no rule
# between wan0 and wwan0, so traffic is never forwarded uplink-to-uplink.
-A FORWARD -i br0 -o wan0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wan0 -o br0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o wwan0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wwan0 -o br0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# IPTV: unicast is treated like any other uplink (LAN-initiated only);
# multicast from wan0.4 into the LAN is accepted without a conntrack match.
-A FORWARD -i br0 -o wan0.4 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m comment --comment "IPTV - unicast" -j ACCEPT
-A FORWARD -i wan0.4 -o br0 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "IPTV - unicast" -j ACCEPT
-A FORWARD -d 224.0.0.0/4 -i wan0.4 -o br0 -m comment --comment "IPTV - multicast" -j ACCEPT
# SSH chain: record the source address, then - if that source already has
# 10 or more hits within the last 30 seconds - log the packet with the
# "SSH bruteforce: " prefix and drop it; otherwise accept. The 0.0.0.0/32
# mask means tracking is per individual host. NOTE(review): the LOG rule
# has no "-m limit", so every packet above the threshold is logged.
-A SSH -m recent --set --name SSH --mask 255.255.255.255 --rsource
-A SSH -m recent --update --seconds 30 --hitcount 10 --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "SSH bruteforce: "
-A SSH -m recent --update --seconds 30 --hitcount 10 --name SSH --mask 255.255.255.255 --rsource -j DROP
-A SSH -j ACCEPT
COMMIT
# Completed on Thu Mar 30 23:00:39 2023
# Generated by xtables-save v1.8.2 on Thu Mar 30 23:00:39 2023
#
# raw table: no rules, policies ACCEPT. Listing the table with no rules
# means a restore of this file flushes anything left in it.
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Thu Mar 30 23:00:39 2023
# Generated by xtables-save v1.8.2 on Thu Mar 30 23:00:39 2023
#
# mangle table: no rules, policies ACCEPT. Listing the table with no rules
# means a restore of this file flushes anything left in it.
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Thu Mar 30 23:00:39 2023
# Generated by xtables-save v1.8.2 on Thu Mar 30 23:00:39 2023
#
# security table: no rules, policies ACCEPT. Listing the table with no rules
# means a restore of this file flushes anything left in it.
*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Thu Mar 30 23:00:39 2023