
iptables

SkyHi @ Tuesday, August 18, 2009

[root@home ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-VSFTPD tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 192.168.0.49 69.147.86.169 tcp dpt:80
ACCEPT tcp -- 192.168.0.49 213.171.218.144 tcp dpt:80
ACCEPT tcp -- 192.168.0.49 140.90.128.70 tcp dpt:80
ACCEPT tcp -- 192.168.0.49 192.168.0.96 tcp dpt:80
ACCEPT tcp -- 192.168.0.49 64.4.241.33 tcp dpt:80
ACCEPT tcp -- 192.168.0.49 64.4.241.33 tcp dpt:443
ACCEPT tcp -- 192.168.0.49 64.4.241.49 tcp dpt:443

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
REJECT tcp -- 212.84.0.0/16 0.0.0.0/0 tcp reject-with icmp-port-unreachable
REJECT tcp -- 193.252.22.0/24 0.0.0.0/0 tcp reject-with icmp-port-unreachable
REJECT tcp -- 201.67.0.0/16 0.0.0.0/0 tcp reject-with icmp-port-unreachable
REJECT tcp -- 195.113.190.0/24 0.0.0.0/0 tcp reject-with icmp-port-unreachable
DROP all -- 127.0.0.0/8 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 length 85:65535 reject-with icmp-host-prohibited
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 2/sec burst 5
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 flags:0x16/0x02
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 flags:0x16/0x02
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:60000:60040
ACCEPT all -- 0.0.0.0/0 192.168.0.59
ACCEPT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:25 flags:0x16/0x02
ACCEPT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:22 flags:0x16/0x02
ACCEPT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:139 flags:0x16/0x02
ACCEPT udp -- 192.168.0.0/24 0.0.0.0/0 udp dpt:137
ACCEPT udp -- 192.168.0.0/24 0.0.0.0/0 udp dpt:138
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-VSFTPD (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
[root@home ~]#








[root@home cronjobs]# cat 2009-07-09.firewall
# Generated by iptables-save v1.3.5 on Thu Jul 9 16:42:10 2009
# Review notes: lines beginning with '#' are ignored by iptables-restore, so
# the annotations below do not change what this file loads.
# This is a v1.3.5-era dump: source ranges are written with dotted netmasks
# and the interface negation as '-i ! lo'; newer iptables prints the same
# rules as CIDR and '! -i lo'. The semantics are identical.
*mangle
# No mangle rules at all -- only the packet/byte counters of the built-in chains.
:PREROUTING ACCEPT [3414216:507318126]
:INPUT ACCEPT [3035775:476364271]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2766419:780215082]
:POSTROUTING ACCEPT [2878832:795076384]
COMMIT
# Completed on Thu Jul 9 16:42:10 2009
# Generated by iptables-save v1.3.5 on Thu Jul 9 16:42:10 2009
*filter
# All built-in policies are ACCEPT: nothing is blocked by default. Inbound and
# forwarded traffic is closed off only by the final REJECT at the bottom of
# RH-Firewall-1-INPUT, so a flush of that chain (or a restore that fails
# part-way) leaves the host open. The INPUT/FORWARD policy counters read
# [0:0] because the unconditional jumps below mean no packet ever reaches
# the policy.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2766419:780215082]
# User-defined chains: the main ruleset plus the two chains fail2ban manages.
:RH-Firewall-1-INPUT - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-VSFTPD - [0:0]
# FTP (21) and SSH (22) traffic is handed to fail2ban's chains first. Both
# chains consist of a bare RETURN (see bottom), so they are no-ops until
# fail2ban inserts ban rules ahead of that RETURN.
-A INPUT -p tcp -m tcp --dport 21 -j fail2ban-VSFTPD
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
# Everything else on INPUT, and all of FORWARD, is decided by one shared chain.
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
# OUTPUT: the policy is ACCEPT and there is no terminating DROP/REJECT in this
# chain, so these seven rules do not restrict egress -- they only count
# HTTP/HTTPS traffic from 192.168.0.49 to the listed hosts. Anything else
# leaves the host unhindered. If an egress allowlist was the intent, the
# chain needs a final DROP/REJECT or a DROP policy.
-A OUTPUT -s 192.168.0.49 -d 69.147.86.169 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -s 192.168.0.49 -d 213.171.218.144 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -s 192.168.0.49 -d 140.90.128.70 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -s 192.168.0.49 -d 192.168.0.96 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -s 192.168.0.49 -d 64.4.241.33 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -s 192.168.0.49 -d 64.4.241.33 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -s 192.168.0.49 -d 64.4.241.49 -p tcp -m tcp --dport 443 -j ACCEPT
# Blocklisted source ranges. Note the '-p tcp' qualifier: only TCP from these
# ranges is rejected; UDP and ICMP from them continue down the chain.
-A RH-Firewall-1-INPUT -s 212.84.0.0/255.255.0.0 -p tcp -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 193.252.22.0/255.255.255.0 -p tcp -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 201.67.0.0/255.255.0.0 -p tcp -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 195.113.190.0/255.255.255.0 -p tcp -m tcp -j REJECT --reject-with icmp-port-unreachable
# Anti-spoofing: a loopback source address arriving on a non-loopback
# interface is dropped. 'iptables -L -n' (without -v) hides the interface
# match, so this rule lists as a plain 'DROP all -- 127.0.0.0/8'.
-A RH-Firewall-1-INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j DROP
# Packets the connection tracker cannot classify.
-A RH-Firewall-1-INPUT -m state --state INVALID -j DROP
# Illegal TCP flag combinations, in order: FIN+PSH+URG only; all six flags;
# all flags except PSH; no flags at all; SYN+RST together; SYN+FIN together.
# 'iptables -L -n' shows these as hex mask/value pairs (e.g. 0x3F/0x29).
-A RH-Firewall-1-INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A RH-Firewall-1-INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A RH-Firewall-1-INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A RH-Firewall-1-INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A RH-Firewall-1-INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A RH-Firewall-1-INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
# A NEW connection must begin with a plain SYN (no FIN/RST/ACK set).
-A RH-Firewall-1-INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
# Echo requests of 85 bytes or more (packet length) are rejected outright;
# shorter ones are accepted below at 2/sec (default burst 5, as the listing
# shows). Requests over that limit match nothing else and reach the final
# REJECT. NOTE(review): whether later requests of an ongoing ping (same ICMP
# id) are instead matched as ESTABLISHED by the state rule below depends on
# conntrack's ICMP handling -- confirm before relying on the limit.
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 8 -m length --length 85:65535 -j REJECT --reject-with icmp-host-prohibited
# Loopback traffic. Under 'iptables -L -n' this lists as
# 'ACCEPT all -- 0.0.0.0/0 0.0.0.0/0', which reads like an accept-all;
# 'iptables -L -n -v' shows the '-i lo' that restricts it.
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 2/sec -j ACCEPT
# Stateful accept for replies and related flows, placed after the flag sanity
# checks so malformed segments never ride an established connection.
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Public services: new HTTP/HTTPS connections (SYN only), FTP control and
# data, and 60000-60040 -- presumably vsftpd's passive-mode range; confirm
# against vsftpd.conf. The FTP rules lack the SYN-only qualifier the web
# rules carry; the 'NEW but not SYN' DROP above already covers that case.
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 60000:60040 -j ACCEPT
# Widest rule in the chain: any protocol, any port, from any source, to
# 192.168.0.59 -- and because FORWARD jumps here too, forwarded traffic to
# that address as well. Nothing in this file shows whether 192.168.0.59 is an
# address of this host (the OUTPUT rules use 192.168.0.49); review what this
# is meant to allow and narrow it to the needed protocol/ports.
-A RH-Firewall-1-INPUT -d 192.168.0.59 -j ACCEPT
# LAN-only services from 192.168.0.0/24: SMTP, SSH, and SMB/NetBIOS. SSH from
# outside the LAN therefore falls to the final REJECT, even though the
# fail2ban-SSH chain inspects all port-22 traffic first.
-A RH-Firewall-1-INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 139 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/255.255.255.0 -p udp -m udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/255.255.255.0 -p udp -m udp --dport 138 -j ACCEPT
# Catch-all for both INPUT and FORWARD: everything not accepted above is
# rejected with ICMP host-prohibited. Any rule appended to this chain later
# lands after it and never matches -- insert new rules above this line.
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
# fail2ban's chains hold only RETURN: no addresses were banned when this dump
# was taken. fail2ban inserts its per-address ban rules ahead of the RETURN.
-A fail2ban-SSH -j RETURN
-A fail2ban-VSFTPD -j RETURN
COMMIT
# Completed on Thu Jul 9 16:42:10 2009
[root@home cronjobs]#