
Alcance Libre Forums

Iptables blocking internet access

Anonymous: sinmarca
04/01/16 04:53 (Read 2,510 times)
Good morning,

We have detected a problem in the iptables configuration of a server we have. Apparently someone has put in invalid configuration and this is causing our internet access to be blocked, that is, if we run a sustained ping to google.com, sometimes it returns 5 packets received and then 5 lost, which makes it impossible to browse. We already checked with the internet provider and they replaced the router. Many thanks if you can help me.

Attached is the iptables output:

# Generated by iptables-save v1.3.5 on Wed Dec  2 16:15:34 2015
-A INPUT -m conntrack --ctstate INVALID,NEW -j dynamic
-A INPUT -i eth0 -j eth0_in
-A INPUT -i ppp+ -j loc2fw
-A INPUT -i eth1 -j net2fw
-A INPUT -i tun0 -j rem2fw
-A INPUT -i lo -j ACCEPT
-A INPUT -j Drop
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:DROP:" --log-level 6
-A INPUT -j DROP
-A INPUT -s 31.216.145.53 -j DROP
-A FORWARD -i eth0 -j eth0_fwd
-A FORWARD -i ppp+ -j ppp+_fwd
-A FORWARD -i eth1 -j net_frwd
-A FORWARD -i tun0 -j rem_frwd
-A FORWARD -j Drop
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:DROP:" --log-level 6
-A FORWARD -j DROP
-A OUTPUT -o eth0 -j fw2loc
-A OUTPUT -o ppp+ -j fw2loc
-A OUTPUT -o eth1 -j fw2net
-A OUTPUT -o tun0 -j fw2rem
-A OUTPUT -o lo -j fw2fw
-A OUTPUT -j Drop
-A OUTPUT -j DROP
-A OUTPUT -d 31.0.0.0/255.0.0.0 -p tcp -j DROP
-A OUTPUT -d 31.13.73.36 -p tcp -j DROP
-A OUTPUT -d 69.171.230.68 -p tcp -j DROP
-A OUTPUT -d 69.171.230.68 -p tcp -j DROP
-A OUTPUT -d 74.125.196.93 -p tcp -j DROP
-A OUTPUT -d 74.125.196.136 -p tcp -j DROP
-A OUTPUT -d 74.125.196.190 -p tcp -j DROP
-A OUTPUT -d 74.125.196.91 -p tcp -j DROP
-A OUTPUT -d 74.125.196.93 -p tcp -j DROP
-A OUTPUT -d 74.125.196.190 -p tcp -j DROP
-A OUTPUT -d 74.125.196.136 -p tcp -j DROP
-A OUTPUT -d 74.125.196.91 -p tcp -j DROP
-A OUTPUT -d 74.125.0.0/255.255.0.0 -p tcp -j DROP
-A Broadcast -m addrtype --dst-type BROADCAST -j DROP
-A Broadcast -m addrtype --dst-type MULTICAST -j DROP
-A Broadcast -m addrtype --dst-type ANYCAST -j DROP
-A Broadcast -d 224.0.0.0/240.0.0.0 -j DROP
-A Drop
-A Drop -p tcp -m tcp --dport 113 -m comment --comment "Auth" -j reject
-A Drop -j Broadcast
-A Drop -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Drop -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Drop -j Invalid
-A Drop -p udp -m multiport --dports 135,445 -m comment --comment "SMB" -j DROP
-A Drop -p udp -m udp --dport 137:139 -m comment --comment "SMB" -j DROP
-A Drop -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment "SMB" -j DROP
-A Drop -p tcp -m multiport --dports 135,139,445 -m comment --comment "SMB" -j DROP
-A Drop -p udp -m udp --dport 1900 -m comment --comment "UPnP" -j DROP
-A Drop -p tcp -j NotSyn
-A Drop -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
-A Invalid -m conntrack --ctstate INVALID -j DROP
-A NotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A Reject
-A Reject -p tcp -m tcp --dport 113 -m comment --comment "Auth" -j reject
-A Reject -j Broadcast
-A Reject -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Reject -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Reject -j Invalid
-A Reject -p udp -m multiport --dports 135,445 -m comment --comment "SMB" -j reject
-A Reject -p udp -m udp --dport 137:139 -m comment --comment "SMB" -j reject
-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment "SMB" -j reject
-A Reject -p tcp -m multiport --dports 135,139,445 -m comment --comment "SMB" -j reject
-A Reject -p udp -m udp --dport 1900 -m comment --comment "UPnP" -j DROP
-A Reject -p tcp -j NotSyn
-A Reject -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
-A SSHKnock -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 60 --name SSHconsul --rsource -j ACCEPT
-A SSHKnock -p tcp -m tcp --dport 2007 -m recent --remove --name SSHconsul --rsource -j DROP
-A SSHKnock -p tcp -m tcp --dport 2008 -m recent --set --name SSHconsul --rsource -j DROP
-A SSHKnock -p tcp -m tcp --dport 2009 -m recent --remove --name SSHconsul --rsource -j DROP
-A eth0_fwd -m conntrack --ctstate INVALID,NEW -j dynamic
-A eth0_fwd -m conntrack --ctstate INVALID,NEW -j smurfs
-A eth0_fwd -p tcp -j tcpflags
-A eth0_fwd -j loc_frwd
-A eth0_in -m conntrack --ctstate INVALID,NEW -j dynamic
-A eth0_in -m conntrack --ctstate INVALID,NEW -j smurfs
-A eth0_in -p udp -m udp --dport 67:68 -j ACCEPT
-A eth0_in -p tcp -j tcpflags
-A eth0_in -j loc2fw
-A fw2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw2fw -m iprange --dst-range 69.171.224.0-69.171.255.255 -g ~log0
-A fw2fw -m iprange --dst-range 66.220.144.0-66.220.159.255 -g ~log0
-A fw2fw -m iprange --src-range 69.171.224.0-69.171.255.255 -g ~log0
-A fw2fw -m iprange --src-range 66.220.144.0-66.220.159.255 -g ~log0
-A fw2fw -j ACCEPT
-A fw2loc -p udp -m udp --dport 67:68 -j ACCEPT
-A fw2loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw2loc -m iprange --dst-range 69.171.224.0-69.171.255.255 -g ~log1
-A fw2loc -m iprange --dst-range 66.220.144.0-66.220.159.255 -g ~log1
-A fw2loc -m iprange --src-range 69.171.224.0-69.171.255.255 -g ~log1
-A fw2loc -m iprange --src-range 66.220.144.0-66.220.159.255 -g ~log1
-A fw2loc -p tcp -m tcp --dport 80 -m comment --comment "HTTP" -j ACCEPT
-A fw2loc -p udp -m udp --dport 67 -j ACCEPT
-A fw2loc -j ACCEPT
-A fw2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw2net -p gre -j ACCEPT
-A fw2net -m iprange --dst-range 69.171.224.0-69.171.255.255 -g ~log2
-A fw2net -m iprange --dst-range 66.220.144.0-66.220.159.255 -g ~log2
-A fw2net -m iprange --src-range 69.171.224.0-69.171.255.255 -g ~log2
-A fw2net -m iprange --src-range 66.220.144.0-66.220.159.255 -g ~log2
-A fw2net -p udp -m udp --dport 53 -m comment --comment "DNS" -j ACCEPT
-A fw2net -p tcp -m tcp --dport 53 -m comment --comment "DNS" -j ACCEPT
-A fw2net -p udp -m udp --dport 123 -m comment --comment "NTP" -j ACCEPT
-A fw2net -p tcp -m tcp --dport 21 -m comment --comment "FTP" -j ACCEPT
-A fw2net -p tcp -j ACCEPT
-A fw2net -p tcp -m tcp --dport 80 -m comment --comment "HTTP" -j ACCEPT
-A fw2net -m iprange --dst-range 31.13.64.0-31.13.127.255 -j reject
-A fw2net -m iprange --dst-range 66.220.144.0-66.220.159.255 -j reject
-A fw2net -m iprange --dst-range 69.63.176.0-69.63.191.255 -j reject
-A fw2net -m iprange --dst-range 69.171.224.0-69.171.255.255 -j reject
-A fw2net -m iprange --dst-range 74.119.76.0-74.119.79.255 -j reject
-A fw2net -m iprange --dst-range 173.252.64.0-173.252.127.255 -j reject
-A fw2net -m iprange --dst-range 204.15.20.0-204.15.23.255 -j reject
-A fw2net -j ACCEPT
-A fw2rem -p udp -m udp --dport 67:68 -j ACCEPT
-A fw2rem -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw2rem -p udp -m udp --sport 1194 -j ACCEPT
-A fw2rem -m iprange --dst-range 69.171.224.0-69.171.255.255 -g ~log3
-A fw2rem -m iprange --dst-range 66.220.144.0-66.220.159.255 -g ~log3
-A fw2rem -m iprange --src-range 69.171.224.0-69.171.255.255 -g ~log3
-A fw2rem -m iprange --src-range 66.220.144.0-66.220.159.255 -g ~log3
-A fw2rem -p tcp -m tcp --dport 22 -m comment --comment "SSH" -j ACCEPT
-A fw2rem -p icmp -m icmp --icmp-type 8 -m comment --comment "Ping" -j ACCEPT
-A fw2rem -p udp -m udp --dport 33434:33524 -m comment --comment "Trcrt" -j ACCEPT
-A fw2rem -p icmp -m icmp --icmp-type 8 -m comment --comment "Trcrt" -j ACCEPT
-A fw2rem -j Drop
-A fw2rem -j DROP
-A loc2fw -m conntrack --ctstate INVALID,NEW -j dynamic
-A loc2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A loc2fw -m iprange --dst-range 69.171.224.0-69.171.255.255 -g ~log4
-A loc2fw -m iprange --dst-range 66.220.144.0-66.220.159.255 -g ~log4
-A loc2fw -m iprange --src-range 69.171.224.0-69.171.255.255 -g ~log4
-A loc2fw -m iprange --src-range 66.220.144.0-66.220.159.255 -g ~log4
-A loc2fw -p udp -m udp --dport 53 -m comment --comment "DNS" -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 53 -m comment --comment "DNS" -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 21 -m comment --comment "FTP" -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 22 -m comment --comment "SSH" -j ACCEPT
-A loc2fw -p icmp -m icmp --icmp-type 8 -m comment --comment "Ping" -j ACCEPT
-A loc2fw -p udp -m multiport --dports 135,445 -m comment --comment "SMB" -j ACCEPT
-A loc2fw -p udp -m udp --dport 137:139 -m comment --comment "SMB" -j ACCEPT
-A loc2fw -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment "SMB" -j ACCEPT
-A loc2fw -p tcp -m multiport --dports 135,139,445 -m comment --comment "SMB" -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 10000 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 80 -m comment --comment "Web" -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 443 -m comment --comment "Web" -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 3128 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 3128 -m comment --comment "HTTP" -j ACCEPT
-A loc2fw -p udp -m udp --dport 68 -j ACCEPT
-A loc2fw -j ACCEPT
-A loc2loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A loc2loc -m iprange --dst-range 69.171.224.0-69.171.255.255 -g ~log5
-A loc2loc -m iprange --dst-range 66.220.144.0-66.220.159.255 -g ~log5
-A loc2loc -m iprange --src-range 69.171.224.0-69.171.255.255 -g ~log5
-A loc2loc -m iprange --src-range 66.220.144.0-66.220.159.255 -g ~log5
-A loc2loc -j ACCEPT
-A loc2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A loc2net -m iprange --dst-range 69.171.224.0-69.171.255.255 -g ~log6
-A loc2net -m iprange --dst-range 66.220.144.0-66.220.159.255 -g ~log6
-A loc2net -m iprange --src-range 69.171.224.0-69.171.255.255 -g ~log6
-A loc2net -m iprange --src-range 66.220.144.0-66.220.159.255 -g ~log6
-A loc2net -p tcp -m tcp --dport 8080 -j ACCEPT
-A loc2net -p tcp -m tcp --dport 4550 -j ACCEPT
-A loc2net -p tcp -m tcp --dport 5550 -j ACCEPT
-A loc2net -p tcp -m tcp --dport 6550 -j ACCEPT
-A loc2net -p tcp -m tcp --dport 5552 -j ACCEPT
-A loc2net -p tcp -m tcp --dport 7424 -j ACCEPT
-A loc2net -p tcp -m tcp --dport 7425 -j ACCEPT
-A loc2net -p udp -m udp --dport 53 -m comment --comment "DNS" -j ACCEPT
-A loc2net -p tcp -m tcp --dport 53 -m comment --comment "DNS" -j ACCEPT
-A loc2net -p udp -m udp --dport 123 -m comment --comment "NTP" -j ACCEPT
-A loc2net -p tcp -m tcp --dport 21 -m comment --comment "FTP" -j ACCEPT
-A loc2net -p icmp -m icmp --icmp-type 8 -m comment --comment "Ping" -j ACCEPT
-A loc2net -p icmp -m icmp --icmp-type 8 -m comment --comment "Ping" -j ACCEPT
-A loc2net -p udp -m udp --dport 33434:33524 -m comment --comment "Trcrt" -j ACCEPT
-A loc2net -p icmp -m icmp --icmp-type 8 -m comment --comment "Trcrt" -j ACCEPT
-A loc2net -p tcp -m tcp --dport 443 -m comment --comment "HTTPS" -j ACCEPT
-A loc2net -p tcp -m tcp --dport 25 -m comment --comment "SMTP" -j ACCEPT
-A loc2net -p tcp -m tcp --dport 465 -m comment --comment "SMTPS" -j ACCEPT
-A loc2net -p tcp -m tcp --dport 110 -m comment --comment "POP3" -j ACCEPT
-A loc2net -p tcp -m tcp --dport 995 -m comment --comment "POP3S" -j ACCEPT
-A loc2net -p tcp -m tcp --dport 143 -m comment --comment "IMAP" -j ACCEPT
-A loc2net -p tcp -m tcp --dport 993 -m comment --comment "IMAPS" -j ACCEPT
-A loc2net -p tcp -m tcp --dport 443 -j ACCEPT
-A loc2net -m iprange --dst-range 31.13.64.0-31.13.127.255 -j reject
-A loc2net -m iprange --dst-range 66.220.144.0-66.220.159.255 -j reject
-A loc2net -m iprange --dst-range 69.63.176.0-69.63.191.255 -j reject
-A loc2net -m iprange --dst-range 69.171.224.0-69.171.255.255 -j reject
-A loc2net -m iprange --dst-range 74.119.76.0-74.119.79.255 -j reject
-A loc2net -m iprange --dst-range 173.252.64.0-173.252.127.255 -j reject
-A loc2net -m iprange --dst-range 204.15.20.0-204.15.23.255 -j reject
-A loc2net -p tcp -m tcp --dport 22 -m comment --comment "SSH" -j ACCEPT
-A loc2net -p tcp -m tcp --dport 444 -j ACCEPT
-A loc2net -p tcp -m tcp --dport 3389 -j ACCEPT
-A loc2net -d 190.144.XX.XX -j ACCEPT
-A loc2net -d 190.144.XX.XX -j ACCEPT
-A loc2net -d 190.144.XX.XX -j ACCEPT
-A loc2net -d 190.144.XX.XX -j ACCEPT
-A loc2net -d 142.4.203.69 -j ACCEPT
-A loc2net -d 190.156.228.132 -j ACCEPT
-A loc2net -j ACCEPT
-A loc2net -d 69.171.228.13 -p tcp -m tcp --sport 443 --dport 443 -j reject
-A loc2net -d 69.63.176.13 -p tcp -m tcp --sport 443 --dport 443 -j reject
-A loc2net -d 69.63.181.15 -p tcp -m tcp --sport 443 --dport 443 -j reject
-A loc2net -d 69.63.184.142 -p tcp -m tcp --sport 443 --dport 443 -j reject
-A loc2net -d 69.63.187.17 -p tcp -m tcp --sport 443 --dport 443 -j reject
-A loc2net -d 69.63.187.18 -p tcp -m tcp --sport 443 --dport 443 -j reject
-A loc2net -d 69.63.187.19 -p tcp -m tcp --sport 443 --dport 443 -j reject
-A loc2net -d 74.125.227.41 -p tcp -m tcp --sport 443 --dport 443 -j reject
-A loc2net -j Drop
-A loc2net -j DROP
-A loc2rem -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A loc2rem -m iprange --dst-range 69.171.224.0-69.171.255.255 -g ~log7
-A loc2rem -m iprange --dst-range 66.220.144.0-66.220.159.255 -g ~log7
-A loc2rem -m iprange --src-range 69.171.224.0-69.171.255.255 -g ~log7
-A loc2rem -m iprange --src-range 66.220.144.0-66.220.159.255 -g ~log7
-A loc2rem -p tcp -m tcp --dport 8080 -j ACCEPT
-A loc2rem -p tcp -m tcp --dport 4550 -j ACCEPT
-A loc2rem -p tcp -m tcp --dport 5550 -j ACCEPT
-A loc2rem -p tcp -m tcp --dport 6550 -j ACCEPT
-A loc2rem -p tcp -m tcp --dport 5552 -j ACCEPT
-A loc2rem -p tcp -m tcp --dport 7424 -j ACCEPT
-A loc2rem -p tcp -m tcp --dport 7425 -j ACCEPT
-A loc2rem -p icmp -m icmp --icmp-type 8 -m comment --comment "Ping" -j ACCEPT
-A loc2rem -p udp -m udp --dport 33434:33524 -m comment --comment "Trcrt" -j ACCEPT
-A loc2rem -p icmp -m icmp --icmp-type 8 -m comment --comment "Trcrt" -j ACCEPT
-A loc2rem -j Drop
-A loc2rem -j DROP
-A loc_frwd -o eth0 -j loc2loc
-A loc_frwd -o ppp+ -j loc2loc
-A loc_frwd -o eth1 -j loc2net
-A loc_frwd -o tun0 -j loc2rem
-A logdrop -j DROP
-A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level 6 --log-ip-options
-A logflags -j DROP
-A logreject -j reject
-A net2fw -m conntrack --ctstate INVALID,NEW -j dynamic
-A net2fw -m conntrack --ctstate INVALID,NEW -j smurfs
-A net2fw -p tcp -j tcpflags
-A net2fw -m conntrack --ctstate INVALID,NEW -j net2fw~
-A net2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net2fw -p gre -j ACCEPT
-A net2fw -p tcp -m tcp --dport 1723 -j ACCEPT
-A net2fw -m iprange --dst-range 69.171.224.0-69.171.255.255 -g ~log8
-A net2fw -m iprange --dst-range 66.220.144.0-66.220.159.255 -g ~log8
-A net2fw -m iprange --src-range 69.171.224.0-69.171.255.255 -g ~log8
-A net2fw -m iprange --src-range 66.220.144.0-66.220.159.255 -g ~log8
-A net2fw -p tcp -m tcp --dport 22 -m comment --comment "SSH" -j ACCEPT
-A net2fw -p tcp -m multiport --dports 22,2007,2008,2009 -j SSHKnock
-A net2fw -p tcp -m tcp --dport 10000 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 80 -m comment --comment "Web" -j ACCEPT
-A net2fw -p tcp -m tcp --dport 443 -m comment --comment "Web" -j ACCEPT
-A net2fw -p udp -m udp --dport 1194 -j ACCEPT
-A net2fw -j Drop
-A net2fw -j DROP
-A net2fw~ -s 31.0.0.0/255.0.0.0 -j DROP
-A net2loc -m conntrack --ctstate INVALID,NEW -j net2loc~
-A net2loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net2loc -m iprange --dst-range 69.171.224.0-69.171.255.255 -g ~log9
-A net2loc -m iprange --dst-range 66.220.144.0-66.220.159.255 -g ~log9
-A net2loc -m iprange --src-range 69.171.224.0-69.171.255.255 -g ~log9
-A net2loc -m iprange --src-range 66.220.144.0-66.220.159.255 -g ~log9
-A net2loc -d 192.168.0.69 -p tcp -m tcp --dport 3389 -j ACCEPT
-A net2loc -d 192.168.0.70 -p tcp -m tcp --dport 3390 -j ACCEPT
-A net2loc -d 192.168.0.71 -p tcp -m tcp --dport 3391 -j ACCEPT
-A net2loc -d 192.168.0.145 -p tcp -m tcp --dport 3392 -j ACCEPT
-A net2loc -d 192.168.0.143 -p tcp -m tcp --dport 3393 -j ACCEPT
-A net2loc -j Drop
-A net2loc -j DROP
-A net2loc~ -s 31.0.0.0/255.0.0.0 -j DROP
-A net2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net2net -m iprange --dst-range 69.171.224.0-69.171.255.255 -g ~log10
-A net2net -m iprange --dst-range 66.220.144.0-66.220.159.255 -g ~log10
-A net2net -m iprange --src-range 69.171.224.0-69.171.255.255 -g ~log10
-A net2net -m iprange --src-range 66.220.144.0-66.220.159.255 -g ~log10
-A net2net -j ACCEPT
-A net2rem -m conntrack --ctstate INVALID,NEW -j net2rem~
-A net2rem -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net2rem -m iprange --dst-range 69.171.224.0-69.171.255.255 -g ~log11
-A net2rem -m iprange --dst-range 66.220.144.0-66.220.159.255 -g ~log11
-A net2rem -m iprange --src-range 69.171.224.0-69.171.255.255 -g ~log11
-A net2rem -m iprange --src-range 66.220.144.0-66.220.159.255 -g ~log11
-A net2rem -j Drop
-A net2rem -j DROP
-A net2rem~ -s 31.0.0.0/255.0.0.0 -j DROP
-A net_frwd -m conntrack --ctstate INVALID,NEW -j dynamic
-A net_frwd -m conntrack --ctstate INVALID,NEW -j smurfs
-A net_frwd -p tcp -j tcpflags
-A net_frwd -o eth0 -j net2loc
-A net_frwd -o ppp+ -j net2loc
-A net_frwd -o eth1 -j net2net
-A net_frwd -o tun0 -j net2rem
-A ppp+_fwd -m conntrack --ctstate INVALID,NEW -j dynamic
-A ppp+_fwd -j loc_frwd
-A reject -m addrtype --src-type BROADCAST -j DROP
-A reject -s 224.0.0.0/240.0.0.0 -j DROP
-A reject -p igmp -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A rem2fw -m conntrack --ctstate INVALID,NEW -j dynamic
-A rem2fw -p udp -m udp --dport 67:68 -j ACCEPT
-A rem2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A rem2fw -p udp -m udp --dport 1194 -j ACCEPT
-A rem2fw -m iprange --dst-range 69.171.224.0-69.171.255.255 -g ~log12
-A rem2fw -m iprange --dst-range 66.220.144.0-66.220.159.255 -g ~log12
-A rem2fw -m iprange --src-range 69.171.224.0-69.171.255.255 -g ~log12
-A rem2fw -m iprange --src-range 66.220.144.0-66.220.159.255 -g ~log12
-A rem2fw -j Drop
-A rem2fw -j LOG --log-prefix "Shorewall:rem2fw:DROP:" --log-level 6
-A rem2fw -j DROP
-A rem2loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A rem2loc -m iprange --dst-range 69.171.224.0-69.171.255.255 -g ~log13
-A rem2loc -m iprange --dst-range 66.220.144.0-66.220.159.255 -g ~log13
-A rem2loc -m iprange --src-range 69.171.224.0-69.171.255.255 -g ~log13
-A rem2loc -m iprange --src-range 66.220.144.0-66.220.159.255 -g ~log13
-A rem2loc -j Drop
-A rem2loc -j LOG --log-prefix "Shorewall:rem2loc:DROP:" --log-level 6
-A rem2loc -j DROP
-A rem2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A rem2net -m iprange --dst-range 69.171.224.0-69.171.255.255 -g ~log14
-A rem2net -m iprange --dst-range 66.220.144.0-66.220.159.255 -g ~log14
-A rem2net -m iprange --src-range 69.171.224.0-69.171.255.255 -g ~log14
-A rem2net -m iprange --src-range 66.220.144.0-66.220.159.255 -g ~log14
-A rem2net -m iprange --dst-range 31.13.64.0-31.13.127.255 -j reject
-A rem2net -m iprange --dst-range 66.220.144.0-66.220.159.255 -j reject
-A rem2net -m iprange --dst-range 69.63.176.0-69.63.191.255 -j reject
-A rem2net -m iprange --dst-range 69.171.224.0-69.171.255.255 -j reject
-A rem2net -m iprange --dst-range 74.119.76.0-74.119.79.255 -j reject
-A rem2net -m iprange --dst-range 173.252.64.0-173.252.127.255 -j reject
-A rem2net -m iprange --dst-range 204.15.20.0-204.15.23.255 -j reject
-A rem2net -j Drop
-A rem2net -j LOG --log-prefix "Shorewall:rem2net:DROP:" --log-level 6
-A rem2net -j DROP
-A rem2rem -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A rem2rem -m iprange --dst-range 69.171.224.0-69.171.255.255 -g ~log15
-A rem2rem -m iprange --dst-range 66.220.144.0-66.220.159.255 -g ~log15
-A rem2rem -m iprange --src-range 69.171.224.0-69.171.255.255 -g ~log15
-A rem2rem -m iprange --src-range 66.220.144.0-66.220.159.255 -g ~log15
-A rem2rem -j ACCEPT
-A rem_frwd -m conntrack --ctstate INVALID,NEW -j dynamic
-A rem_frwd -o eth0 -j rem2loc
-A rem_frwd -o ppp+ -j rem2loc
-A rem_frwd -o eth1 -j rem2net
-A smurflog -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurflog -j DROP
-A smurfs -s 0.0.0.0 -j RETURN
-A smurfs -m addrtype --src-type BROADCAST -g smurflog
-A smurfs -s 224.0.0.0/240.0.0.0 -g smurflog
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g logflags
-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g logflags
-A ~log0 -j LOG --log-prefix "Shorewall:fw2fw:REJECT:" --log-level 6
-A ~log0 -j reject
-A ~log1 -j LOG --log-prefix "Shorewall:fw2loc:REJECT:" --log-level 6
-A ~log1 -j reject
-A ~log10 -j LOG --log-prefix "Shorewall:net2net:REJECT:" --log-level 6
-A ~log10 -j reject
-A ~log11 -j LOG --log-prefix "Shorewall:net2rem:REJECT:" --log-level 6
-A ~log11 -j reject
-A ~log12 -j LOG --log-prefix "Shorewall:rem2fw:REJECT:" --log-level 6
-A ~log12 -j reject
-A ~log13 -j LOG --log-prefix "Shorewall:rem2loc:REJECT:" --log-level 6
-A ~log13 -j reject
-A ~log14 -j LOG --log-prefix "Shorewall:rem2net:REJECT:" --log-level 6
-A ~log14 -j reject
-A ~log15 -j LOG --log-prefix "Shorewall:rem2rem:REJECT:" --log-level 6
-A ~log15 -j reject
-A ~log2 -j LOG --log-prefix "Shorewall:fw2net:REJECT:" --log-level 6
-A ~log2 -j reject
-A ~log3 -j LOG --log-prefix "Shorewall:fw2rem:REJECT:" --log-level 6
-A ~log3 -j reject
-A ~log4 -j LOG --log-prefix "Shorewall:loc2fw:REJECT:" --log-level 6
-A ~log4 -j reject
-A ~log5 -j LOG --log-prefix "Shorewall:loc2loc:REJECT:" --log-level 6
-A ~log5 -j reject
-A ~log6 -j LOG --log-prefix "Shorewall:loc2net:REJECT:" --log-level 6
-A ~log6 -j reject
-A ~log7 -j LOG --log-prefix "Shorewall:loc2rem:REJECT:" --log-level 6
-A ~log7 -j reject
-A ~log8 -j LOG --log-prefix "Shorewall:net2fw:REJECT:" --log-level 6
-A ~log8 -j reject
-A ~log9 -j LOG --log-prefix "Shorewall:net2loc:REJECT:" --log-level 6
-A ~log9 -j reject
COMMIT
# Completed on Wed Dec  2 16:15:34 2015
# Generated by iptables-save v1.3.5 on Wed Dec  2 16:15:34 2015
*mangle
:PREROUTING ACCEPT [465789:253825304]
:INPUT ACCEPT [98145:77652380]
:FORWARD ACCEPT [367324:176156144]
:OUTPUT ACCEPT [121244:78269841]
:POSTROUTING ACCEPT [488563:254428376]
:tcfor - [0:0]
:tcin - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING -j tcpre
-A INPUT -j tcin
-A FORWARD -j MARK --set-mark 0x0
-A FORWARD -j tcfor
-A OUTPUT -j tcout
-A POSTROUTING -j tcpost
COMMIT
# Completed on Wed Dec  2 16:15:34 2015
# Generated by iptables-save v1.3.5 on Wed Dec  2 16:15:34 2015
*nat
:PREROUTING ACCEPT [1786:203768]
:POSTROUTING ACCEPT [533:39005]
:OUTPUT ACCEPT [515:38285]
:dnat - [0:0]
:eth1_masq - [0:0]
:loc_dnat - [0:0]
:net_dnat - [0:0]
-A PREROUTING -j dnat
-A POSTROUTING -o eth1 -j eth1_masq
-A dnat -i eth0 -j loc_dnat
-A dnat -i ppp+ -j loc_dnat
-A dnat -i eth1 -j net_dnat
-A eth1_masq -s 192.168.0.0/255.255.255.0 -j MASQUERADE
-A loc_dnat -p tcp -m tcp --dport 80 -m comment --comment "HTTP" -j REDIRECT --to-ports 3128
-A loc_dnat -j ACCEPT
-A net_dnat -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.69:3389
-A net_dnat -p tcp -m tcp --dport 3390 -j DNAT --to-destination 192.168.0.70:3390
-A net_dnat -p tcp -m tcp --dport 3391 -j DNAT --to-destination 192.168.0.71:3391
-A net_dnat -p tcp -m tcp --dport 3392 -j DNAT --to-destination 192.168.0.145:3392
-A net_dnat -p tcp -m tcp --dport 3393 -j DNAT --to-destination 192.168.0.143:3393
COMMIT
# Completed on Wed Dec  2 16:15:34 2015
# Generated by iptables-save v1.3.5 on Wed Dec  2 16:15:34 2015
*raw
:PREROUTING ACCEPT [465844:253831742]
:OUTPUT ACCEPT [121246:78270040]
COMMIT
# Completed on Wed Dec  2 16:15:34 2015
# Generated by webmin
*filter
:INPUT DROP [0:0]
:rem_frwd - [0:0]
:loc2fw - [0:0]
:SSHKnock - [0:0]
:loc2loc - [0:0]
:rem2rem - [0:0]
:eth0_fwd - [0:0]
:logdrop - [0:0]
:rem2fw - [0:0]
:FORWARD DROP [0:0]
:net2net - [0:0]
:fw2loc - [0:0]
:rem2net - [0:0]
:net2rem - [0:0]
:eth0_in - [0:0]
:Invalid - [0:0]
:dynamic - [0:0]
:loc2rem - [0:0]
:tcpflags - [0:0]
:NotSyn - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:loc2net - [0:0]
:Reject - [0:0]
:Broadcast - [0:0]
:fw2net - [0:0]
:shorewall - [0:0]
:smurflog - [0:0]
:ppp+_fwd - [0:0]
:rem2loc - [0:0]
:OUTPUT DROP [0:0]
:smurfs - [0:0]
:fw2rem - [0:0]
:loc_frwd - [0:0]
:net2loc - [0:0]
:net2fw - [0:0]
:fw2fw - [0:0]
:Drop - [0:0]
:reject - [0:0]
:net_frwd - [0:0]
-A INPUT -m conntrack -j dynamic  --ctstate INVALID,NEW
-A INPUT -i eth0 -j eth0_in
-A INPUT -i ppp+ -j loc2fw
-A INPUT -i eth1 -j net2fw
-A INPUT -i lo -j ACCEPT
-A INPUT -j Drop
-A INPUT -j LOG  --log-prefix "Shorewall:INPUT:DROP:" --log-level 6
-A INPUT -j DROP
-A FORWARD -i eth0 -j eth0_fwd
-A FORWARD -i ppp+ -j ppp+_fwd
-A FORWARD -i eth1 -j net_frwd
-A FORWARD -j Drop
-A FORWARD -j LOG  --log-prefix "Shorewall:FORWARD:DROP:" --log-level 6
-A FORWARD -j DROP
-A OUTPUT -o eth0 -j fw2loc
-A OUTPUT -o ppp+ -j fw2loc
-A OUTPUT -o eth1 -j fw2net
-A OUTPUT -o lo -j fw2fw
-A OUTPUT -j Drop
-A OUTPUT -j DROP
-A Broadcast -m addrtype -j DROP  --dst-type BROADCAST
-A Broadcast -m addrtype -j DROP  --dst-type MULTICAST
-A Broadcast -m addrtype -j DROP  --dst-type ANYCAST
-A Broadcast -d 224.0.0.0/240.0.0.0 -j DROP
-A Drop
-A Drop -p tcp -m tcp -m comment --dport 113 -j reject --comment Auth
-A Drop -j Broadcast
-A Drop -p icmp -m icmp -m comment --icmp-type 3/4 -j ACCEPT --comment "Needed ICMP types"
-A Drop -p icmp -m icmp -m comment --icmp-type 11 -j ACCEPT --comment "Needed ICMP types"
-A Drop -j Invalid
-A Drop -p udp -m multiport -m comment -j DROP --dports 135,445 --comment SMB
-A Drop -p udp -m udp -m comment --dport 137:139 -j DROP --comment SMB
-A Drop -p udp -m udp -m comment --dport 1024:65535 --sport 137 -j DROP --comment SMB
-A Drop -p tcp -m multiport -m comment -j DROP --dports 135,139,445 --comment SMB
-A Drop -p udp -m udp -m comment --dport 1900 -j DROP --comment UPnP
-A Drop -p tcp -j NotSyn
-A Drop -p udp -m udp -m comment --sport 53 -j DROP --comment "Late DNS Replies"
-A Invalid -m conntrack -j DROP  --ctstate INVALID
-A NotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A Reject
-A Reject -p tcp -m tcp -m comment --dport 113 -j reject --comment Auth
-A Reject -j Broadcast
-A Reject -p icmp -m icmp -m comment --icmp-type 3/4 -j ACCEPT --comment "Needed ICMP types"
-A Reject -p icmp -m icmp -m comment --icmp-type 11 -j ACCEPT --comment "Needed ICMP types"
-A Reject -j Invalid
-A Reject -p udp -m multiport -m comment -j reject --dports 135,445 --comment SMB
-A Reject -p udp -m udp -m comment --dport 137:139 -j reject --comment SMB
-A Reject -p udp -m udp -m comment --dport 1024:65535 --sport 137 -j reject --comment SMB
-A Reject -p tcp -m multiport -m comment -j reject --dports 135,139,445 --comment SMB
-A Reject -p udp -m udp -m comment --dport 1900 -j DROP --comment UPnP
-A Reject -p tcp -j NotSyn
-A Reject -p udp -m udp -m comment --sport 53 -j DROP --comment "Late DNS Replies"
-A SSHKnock -p tcp -m tcp -m recent --dport 22 -j ACCEPT  --rcheck --seconds 60 --name SSHconsul --rsource
-A SSHKnock -p tcp -m tcp -m recent --dport 2007 -j DROP  --remove --name SSHconsul --rsource
-A SSHKnock -p tcp -m tcp -m recent --dport 2008 -j DROP  --set --name SSHconsul --rsource
-A SSHKnock -p tcp -m tcp -m recent --dport 2009 -j DROP  --remove --name SSHconsul --rsource
-A eth0_fwd -m conntrack -j dynamic  --ctstate INVALID,NEW
-A eth0_fwd -m conntrack -j smurfs  --ctstate INVALID,NEW
-A eth0_fwd -p tcp -j tcpflags
-A eth0_fwd -j loc_frwd
-A eth0_in -m conntrack -j dynamic  --ctstate INVALID,NEW
-A eth0_in -m conntrack -j smurfs  --ctstate INVALID,NEW
-A eth0_in -p udp -m udp --dport 67:68 -j ACCEPT
-A eth0_in -p tcp -j tcpflags
-A eth0_in -j loc2fw
-A fw2fw -m conntrack -j ACCEPT  --ctstate RELATED,ESTABLISHED
-A fw2fw -m iprange  --dst-range 69.171.224.0-69.171.255.255 -g ~log0
-A fw2fw -m iprange  --dst-range 66.220.144.0-66.220.159.255 -g ~log0
-A fw2fw -m iprange  --src-range 69.171.224.0-69.171.255.255 -g ~log0
-A fw2fw -m iprange  --src-range 66.220.144.0-66.220.159.255 -g ~log0
-A fw2fw -j ACCEPT
-A fw2loc -p udp -m udp --dport 67:68 -j ACCEPT
-A fw2loc -m conntrack -j ACCEPT  --ctstate RELATED,ESTABLISHED
-A fw2loc -m iprange  --dst-range 69.171.224.0-69.171.255.255 -g ~log1
-A fw2loc -m iprange  --dst-range 66.220.144.0-66.220.159.255 -g ~log1
-A fw2loc -m iprange  --src-range 69.171.224.0-69.171.255.255 -g ~log1
-A fw2loc -m iprange  --src-range 66.220.144.0-66.220.159.255 -g ~log1
-A fw2loc -p tcp -m tcp -m comment --dport 80 -j ACCEPT --comment HTTP
-A fw2loc -p udp -m udp --dport 67 -j ACCEPT
-A fw2loc -j ACCEPT
-A fw2net -m conntrack -j ACCEPT  --ctstate RELATED,ESTABLISHED
-A fw2net -p gre -j ACCEPT
-A fw2net -m iprange  --dst-range 69.171.224.0-69.171.255.255 -g ~log2
-A fw2net -m iprange  --dst-range 66.220.144.0-66.220.159.255 -g ~log2
-A fw2net -m iprange  --src-range 69.171.224.0-69.171.255.255 -g ~log2
-A fw2net -m iprange  --src-range 66.220.144.0-66.220.159.255 -g ~log2
-A fw2net -p udp -m udp -m comment --dport 53 -j ACCEPT --comment DNS
-A fw2net -p tcp -m tcp -m comment --dport 53 -j ACCEPT --comment DNS
-A fw2net -p udp -m udp -m comment --dport 123 -j ACCEPT --comment NTP
-A fw2net -p tcp -m tcp -m comment --dport 21 -j ACCEPT --comment FTP
-A fw2net -p tcp -j ACCEPT
-A fw2net -p tcp -m tcp -m comment --dport 80 -j ACCEPT --comment HTTP
-A fw2net -m iprange -j reject  --dst-range 31.13.64.0-31.13.127.255
-A fw2net -m iprange -j reject  --dst-range 66.220.144.0-66.220.159.255
-A fw2net -m iprange -j reject  --dst-range 69.63.176.0-69.63.191.255
-A fw2net -m iprange -j reject  --dst-range 69.171.224.0-69.171.255.255
-A fw2net -m iprange -j reject  --dst-range 74.119.76.0-74.119.79.255
-A fw2net -m iprange -j reject  --dst-range 173.252.64.0-173.252.127.255
-A fw2net -m iprange -j reject  --dst-range 204.15.20.0-204.15.23.255
-A fw2net -j ACCEPT
-A fw2rem -p udp -m udp --dport 67:68 -j ACCEPT
-A fw2rem -m conntrack -j ACCEPT  --ctstate RELATED,ESTABLISHED
-A fw2rem -p udp -m udp --sport 1194 -j ACCEPT
-A fw2rem -m iprange  --dst-range 69.171.224.0-69.171.255.255 -g ~log3
-A fw2rem -m iprange  --dst-range 66.220.144.0-66.220.159.255 -g ~log3
-A fw2rem -m iprange  --src-range 69.171.224.0-69.171.255.255 -g ~log3
-A fw2rem -m iprange  --src-range 66.220.144.0-66.220.159.255 -g ~log3
-A fw2rem -p tcp -m tcp -m comment --dport 22 -j ACCEPT --comment SSH
-A fw2rem -p icmp -m icmp -m comment --icmp-type 8 -j ACCEPT --comment Ping
-A fw2rem -p udp -m udp -m comment --dport 33434:33524 -j ACCEPT --comment Trcrt
-A fw2rem -p icmp -m icmp -m comment --icmp-type 8 -j ACCEPT --comment Trcrt
-A fw2rem -j Drop
-A fw2rem -j DROP
-A loc2fw -m conntrack -j dynamic  --ctstate INVALID,NEW
-A loc2fw -m conntrack -j ACCEPT  --ctstate RELATED,ESTABLISHED
-A loc2fw -m iprange  --dst-range 69.171.224.0-69.171.255.255 -g ~log4
-A loc2fw -m iprange  --dst-range 66.220.144.0-66.220.159.255 -g ~log4
-A loc2fw -m iprange  --src-range 69.171.224.0-69.171.255.255 -g ~log4
-A loc2fw -m iprange  --src-range 66.220.144.0-66.220.159.255 -g ~log4
-A loc2fw -p udp -m udp -m comment --dport 53 -j ACCEPT --comment DNS
-A loc2fw -p tcp -m tcp -m comment --dport 53 -j ACCEPT --comment DNS
-A loc2fw -p tcp -m tcp -m comment --dport 21 -j ACCEPT --comment FTP
-A loc2fw -p tcp -m tcp -m comment --dport 22 -j ACCEPT --comment SSH
-A loc2fw -p icmp -m icmp -m comment --icmp-type 8 -j ACCEPT --comment Ping
-A loc2fw -p udp -m multiport -m comment -j ACCEPT --dports 135,445 --comment SMB
-A loc2fw -p udp -m udp -m comment --dport 137:139 -j ACCEPT --comment SMB
-A loc2fw -p udp -m udp -m comment --dport 1024:65535 --sport 137 -j ACCEPT --comment SMB
-A loc2fw -p tcp -m multiport -m comment -j ACCEPT --dports 135,139,445 --comment SMB
-A loc2fw -p tcp -m tcp --dport 10000 -j ACCEPT
-A loc2fw -p tcp -m tcp -m comment --dport 80 -j ACCEPT --comment Web
-A loc2fw -p tcp -m tcp -m comment --dport 443 -j ACCEPT --comment Web
-A loc2fw -p tcp -m tcp --dport 3128 -j ACCEPT
-A loc2fw -p tcp -m tcp -m comment --dport 3128 -j ACCEPT --comment HTTP
-A loc2fw -p udp -m udp --dport 68 -j ACCEPT
-A loc2fw -j ACCEPT
-A loc2loc -m conntrack -j ACCEPT  --ctstate RELATED,ESTABLISHED
-A loc2loc -m iprange  --dst-range 69.171.224.0-69.171.255.255 -g ~log5
-A loc2loc -m iprange  --dst-range 66.220.144.0-66.220.159.255 -g ~log5
-A loc2loc -m iprange  --src-range 69.171.224.0-69.171.255.255 -g ~log5
-A loc2loc -m iprange  --src-range 66.220.144.0-66.220.159.255 -g ~log5
-A loc2loc -j ACCEPT
-A loc2net -m conntrack -j ACCEPT  --ctstate RELATED,ESTABLISHED
-A loc2net -m iprange  --dst-range 69.171.224.0-69.171.255.255 -g ~log6
-A loc2net -m iprange  --dst-range 66.220.144.0-66.220.159.255 -g ~log6
-A loc2net -m iprange  --src-range 69.171.224.0-69.171.255.255 -g ~log6
-A loc2net -m iprange  --src-range 66.220.144.0-66.220.159.255 -g ~log6
-A loc2net -p tcp -m tcp --dport 8080 -j ACCEPT
-A loc2net -p tcp -m tcp --dport 4550 -j ACCEPT
-A loc2net -p tcp -m tcp --dport 5550 -j ACCEPT
-A loc2net -p tcp -m tcp --dport 6550 -j ACCEPT
-A loc2net -p tcp -m tcp --dport 5552 -j ACCEPT
-A loc2net -p tcp -m tcp --dport 7424 -j ACCEPT
-A loc2net -p tcp -m tcp --dport 7425 -j ACCEPT
-A loc2net -p udp -m udp -m comment --dport 53 -j ACCEPT --comment DNS
-A loc2net -p tcp -m tcp -m comment --dport 53 -j ACCEPT --comment DNS
-A loc2net -p udp -m udp -m comment --dport 123 -j ACCEPT --comment NTP
-A loc2net -p tcp -m tcp -m comment --dport 21 -j ACCEPT --comment FTP
-A loc2net -p icmp -m icmp -m comment --icmp-type 8 -j ACCEPT --comment Ping
-A loc2net -p icmp -m icmp -m comment --icmp-type 8 -j ACCEPT --comment Ping
-A loc2net -p udp -m udp -m comment --dport 33434:33524 -j ACCEPT --comment Trcrt
-A loc2net -p icmp -m icmp -m comment --icmp-type 8 -j ACCEPT --comment Trcrt
-A loc2net -p tcp -m tcp -m comment --dport 443 -j ACCEPT --comment HTTPS
-A loc2net -p tcp -m tcp -m comment --dport 25 -j ACCEPT --comment SMTP
-A loc2net -p tcp -m tcp -m comment --dport 465 -j ACCEPT --comment SMTPS
-A loc2net -p tcp -m tcp -m comment --dport 110 -j ACCEPT --comment POP3
-A loc2net -p tcp -m tcp -m comment --dport 995 -j ACCEPT --comment POP3S
-A loc2net -p tcp -m tcp -m comment --dport 143 -j ACCEPT --comment IMAP
-A loc2net -p tcp -m tcp -m comment --dport 993 -j ACCEPT --comment IMAPS
-A loc2net -p tcp -m tcp --dport 443 -j ACCEPT
-A loc2net -m iprange -j reject  --dst-range 31.13.64.0-31.13.127.255
-A loc2net -m iprange -j reject  --dst-range 66.220.144.0-66.220.159.255
-A loc2net -m iprange -j reject  --dst-range 69.63.176.0-69.63.191.255
-A loc2net -m iprange -j reject  --dst-range 69.171.224.0-69.171.255.255
-A loc2net -m iprange -j reject  --dst-range 74.119.76.0-74.119.79.255
-A loc2net -m iprange -j reject  --dst-range 173.252.64.0-173.252.127.255
-A loc2net -m iprange -j reject  --dst-range 204.15.20.0-204.15.23.255
-A loc2net -p tcp -m tcp -m comment --dport 22 -j ACCEPT --comment SSH
-A loc2net -p tcp -m tcp --dport 444 -j ACCEPT
-A loc2net -p tcp -m tcp --dport 3389 -j ACCEPT
-A loc2net -d 190.144.XX.XX -j ACCEPT
-A loc2net -d 190.144.XX.XX -j ACCEPT
-A loc2net -d 190.144.XX.XX -j ACCEPT
-A loc2net -d 190.144.XX.XX -j ACCEPT
-A loc2net -d 142.4.203.69 -j ACCEPT
-A loc2net -d 190.156.228.132 -j ACCEPT
-A loc2net -j ACCEPT
-A loc2net -p tcp -m tcp -d 69.171.228.13 --dport 443 --sport 443 -j reject
-A loc2net -p tcp -m tcp -d 69.63.176.13 --dport 443 --sport 443 -j reject
-A loc2net -p tcp -m tcp -d 69.63.181.15 --dport 443 --sport 443 -j reject
-A loc2net -p tcp -m tcp -d 69.63.184.142 --dport 443 --sport 443 -j reject
-A loc2net -p tcp -m tcp -d 69.63.187.17 --dport 443 --sport 443 -j reject
-A loc2net -p tcp -m tcp -d 69.63.187.18 --dport 443 --sport 443 -j reject
-A loc2net -p tcp -m tcp -d 69.63.187.19 --dport 443 --sport 443 -j reject
-A loc2net -p tcp -m tcp -d 74.125.227.41 --dport 443 --sport 443 -j reject
-A loc2net -j Drop
-A loc2net -j DROP
-A loc2rem -m conntrack -j ACCEPT  --ctstate RELATED,ESTABLISHED
-A loc2rem -m iprange  --dst-range 69.171.224.0-69.171.255.255 -g ~log7
-A loc2rem -m iprange  --dst-range 66.220.144.0-66.220.159.255 -g ~log7
-A loc2rem -m iprange  --src-range 69.171.224.0-69.171.255.255 -g ~log7
-A loc2rem -m iprange  --src-range 66.220.144.0-66.220.159.255 -g ~log7
-A loc2rem -p tcp -m tcp --dport 8080 -j ACCEPT
-A loc2rem -p tcp -m tcp --dport 4550 -j ACCEPT
-A loc2rem -p tcp -m tcp --dport 5550 -j ACCEPT
-A loc2rem -p tcp -m tcp --dport 6550 -j ACCEPT
-A loc2rem -p tcp -m tcp --dport 5552 -j ACCEPT
-A loc2rem -p tcp -m tcp --dport 7424 -j ACCEPT
-A loc2rem -p tcp -m tcp --dport 7425 -j ACCEPT
-A loc2rem -p icmp -m icmp -m comment --icmp-type 8 -j ACCEPT --comment Ping
-A loc2rem -p udp -m udp -m comment --dport 33434:33524 -j ACCEPT --comment Trcrt
-A loc2rem -p icmp -m icmp -m comment --icmp-type 8 -j ACCEPT --comment Trcrt
-A loc2rem -j Drop
-A loc2rem -j DROP
-A loc_frwd -o eth0 -j loc2loc
-A loc_frwd -o ppp+ -j loc2loc
-A loc_frwd -o eth1 -j loc2net
-A logdrop -j DROP
-A logflags -j LOG  --log-prefix "Shorewall:logflags:DROP:" --log-level 6 --log-ip-options
-A logflags -j DROP
-A logreject -j reject
-A net2fw -m conntrack -j dynamic  --ctstate INVALID,NEW
-A net2fw -m conntrack -j smurfs  --ctstate INVALID,NEW
-A net2fw -p tcp -j tcpflags
-A net2fw -m conntrack -j ACCEPT  --ctstate RELATED,ESTABLISHED
-A net2fw -p gre -j ACCEPT
-A net2fw -p tcp -m tcp --dport 1723 -j ACCEPT
-A net2fw -m iprange  --dst-range 69.171.224.0-69.171.255.255 -g ~log8
-A net2fw -m iprange  --dst-range 66.220.144.0-66.220.159.255 -g ~log8
-A net2fw -m iprange  --src-range 69.171.224.0-69.171.255.255 -g ~log8
-A net2fw -m iprange  --src-range 66.220.144.0-66.220.159.255 -g ~log8
-A net2fw -p tcp -m tcp -m comment --dport 22 -j ACCEPT --comment SSH
-A net2fw -p tcp -m multiport -j SSHKnock --dports 22,2007,2008,2009
-A net2fw -p tcp -m tcp --dport 10000 -j ACCEPT
-A net2fw -p tcp -m tcp -m comment --dport 80 -j ACCEPT --comment Web
-A net2fw -p tcp -m tcp -m comment --dport 443 -j ACCEPT --comment Web
-A net2fw -p udp -m udp --dport 1194 -j ACCEPT
-A net2fw -j Drop
-A net2fw -j DROP
-A net2loc -m conntrack -j ACCEPT  --ctstate RELATED,ESTABLISHED
-A net2loc -m iprange  --dst-range 69.171.224.0-69.171.255.255 -g ~log9
-A net2loc -m iprange  --dst-range 66.220.144.0-66.220.159.255 -g ~log9
-A net2loc -m iprange  --src-range 69.171.224.0-69.171.255.255 -g ~log9
-A net2loc -m iprange  --src-range 66.220.144.0-66.220.159.255 -g ~log9
-A net2loc -p tcp -m tcp -d 192.168.0.69 --dport 3389 -j ACCEPT
-A net2loc -p tcp -m tcp -d 192.168.0.70 --dport 3390 -j ACCEPT
-A net2loc -p tcp -m tcp -d 192.168.0.71 --dport 3391 -j ACCEPT
-A net2loc -p tcp -m tcp -d 192.168.0.145 --dport 3392 -j ACCEPT
-A net2loc -p tcp -m tcp -d 192.168.0.143 --dport 3393 -j ACCEPT
-A net2loc -j Drop
-A net2loc -j DROP
-A net2net -m conntrack -j ACCEPT  --ctstate RELATED,ESTABLISHED
-A net2net -m iprange  --dst-range 69.171.224.0-69.171.255.255 -g ~log10
-A net2net -m iprange  --dst-range 66.220.144.0-66.220.159.255 -g ~log10
-A net2net -m iprange  --src-range 69.171.224.0-69.171.255.255 -g ~log10
-A net2net -m iprange  --src-range 66.220.144.0-66.220.159.255 -g ~log10
-A net2net -j ACCEPT
-A net2rem -m conntrack -j ACCEPT  --ctstate RELATED,ESTABLISHED
-A net2rem -m iprange  --dst-range 69.171.224.0-69.171.255.255 -g ~log11
-A net2rem -m iprange  --dst-range 66.220.144.0-66.220.159.255 -g ~log11
-A net2rem -m iprange  --src-range 69.171.224.0-69.171.255.255 -g ~log11
-A net2rem -m iprange  --src-range 66.220.144.0-66.220.159.255 -g ~log11
-A net2rem -j Drop
-A net2rem -j DROP
-A net_frwd -m conntrack -j dynamic  --ctstate INVALID,NEW
-A net_frwd -m conntrack -j smurfs  --ctstate INVALID,NEW
-A net_frwd -p tcp -j tcpflags
-A net_frwd -o eth0 -j net2loc
-A net_frwd -o ppp+ -j net2loc
-A net_frwd -o eth1 -j net2net
-A ppp+_fwd -m conntrack -j dynamic  --ctstate INVALID,NEW
-A ppp+_fwd -j loc_frwd
-A reject -m addrtype -j DROP  --src-type BROADCAST
-A reject -s 224.0.0.0/240.0.0.0 -j DROP
-A reject -p igmp -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A rem2fw -m conntrack -j dynamic  --ctstate INVALID,NEW
-A rem2fw -p udp -m udp --dport 67:68 -j ACCEPT
-A rem2fw -m conntrack -j ACCEPT  --ctstate RELATED,ESTABLISHED
-A rem2fw -p udp -m udp --dport 1194 -j ACCEPT
-A rem2fw -m iprange  --dst-range 69.171.224.0-69.171.255.255 -g ~log12
-A rem2fw -m iprange  --dst-range 66.220.144.0-66.220.159.255 -g ~log12
-A rem2fw -m iprange  --src-range 69.171.224.0-69.171.255.255 -g ~log12
-A rem2fw -m iprange  --src-range 66.220.144.0-66.220.159.255 -g ~log12
-A rem2fw -j Drop
-A rem2fw -j LOG  --log-prefix "Shorewall:rem2fw:DROP:" --log-level 6
-A rem2fw -j DROP
-A rem2loc -m conntrack -j ACCEPT  --ctstate RELATED,ESTABLISHED
-A rem2loc -m iprange  --dst-range 69.171.224.0-69.171.255.255 -g ~log13
-A rem2loc -m iprange  --dst-range 66.220.144.0-66.220.159.255 -g ~log13
-A rem2loc -m iprange  --src-range 69.171.224.0-69.171.255.255 -g ~log13
-A rem2loc -m iprange  --src-range 66.220.144.0-66.220.159.255 -g ~log13
-A rem2loc -j Drop
-A rem2loc -j LOG  --log-prefix "Shorewall:rem2loc:DROP:" --log-level 6
-A rem2loc -j DROP
-A rem2net -m conntrack -j ACCEPT  --ctstate RELATED,ESTABLISHED
-A rem2net -m iprange  --dst-range 69.171.224.0-69.171.255.255 -g ~log14
-A rem2net -m iprange  --dst-range 66.220.144.0-66.220.159.255 -g ~log14
-A rem2net -m iprange  --src-range 69.171.224.0-69.171.255.255 -g ~log14
-A rem2net -m iprange  --src-range 66.220.144.0-66.220.159.255 -g ~log14
-A rem2net -m iprange -j reject  --dst-range 31.13.64.0-31.13.127.255
-A rem2net -m iprange -j reject  --dst-range 66.220.144.0-66.220.159.255
-A rem2net -m iprange -j reject  --dst-range 69.63.176.0-69.63.191.255
-A rem2net -m iprange -j reject  --dst-range 69.171.224.0-69.171.255.255
-A rem2net -m iprange -j reject  --dst-range 74.119.76.0-74.119.79.255
-A rem2net -m iprange -j reject  --dst-range 173.252.64.0-173.252.127.255
-A rem2net -m iprange -j reject  --dst-range 204.15.20.0-204.15.23.255
-A rem2net -j Drop
-A rem2net -j LOG  --log-prefix "Shorewall:rem2net:DROP:" --log-level 6
-A rem2net -j DROP
-A rem2rem -m conntrack -j ACCEPT  --ctstate RELATED,ESTABLISHED
-A rem2rem -m iprange  --dst-range 69.171.224.0-69.171.255.255 -g ~log15
-A rem2rem -m iprange  --dst-range 66.220.144.0-66.220.159.255 -g ~log15
-A rem2rem -m iprange  --src-range 69.171.224.0-69.171.255.255 -g ~log15
-A rem2rem -m iprange  --src-range 66.220.144.0-66.220.159.255 -g ~log15
-A rem2rem -j ACCEPT
-A rem_frwd -m conntrack -j dynamic  --ctstate INVALID,NEW
-A rem_frwd -o eth0 -j rem2loc
-A rem_frwd -o ppp+ -j rem2loc
-A rem_frwd -o eth1 -j rem2net
-A smurflog -j LOG  --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurflog -j DROP
-A smurfs -s 0.0.0.0 -j RETURN
-A smurfs -m addrtype  --src-type BROADCAST -g smurflog
-A smurfs -s 224.0.0.0/240.0.0.0  -g smurflog
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG  -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE  -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST  -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN  -g logflags
-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN  -g logflags
COMMIT
# Completed

P.S.: I have replaced the public IP addresses for security; on this forum they appear masked as XX.XX.
Joel Barrios Dueñas (Site Admin)
04/01/16 11:16
I'm afraid not. I gather you have just taken over the administration of that server, which was previously administered by someone else. The server you describe uses Shorewall as its firewall. Therefore the changes and configuration need to be made in the files under /etc/shorewall.

Please read and review http://www.alcancelibre.org/staticpages/index.php/configuracion-basica-shorewall

Shorewall is much easier to administer and understand than iptables.
Anonymous: sinmarca
05/01/16 08:59
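As an added illustration of why rules appended with the iptables command on a Shorewall box are a problem (this is example code written for this thread, not code from the original post or from Shorewall): in the dump above, the loc2net chain reaches an unconditional `-j ACCEPT` and is then followed by eight `-j reject` entries and a `-j Drop`/`-j DROP` pair that no packet can ever reach; net2fw and the other chains show the same pattern of duplicated entries. The script below reads an iptables-save dump and reports rules shadowed by an earlier catch-all terminating rule in the same chain, plus exact duplicates. The embedded sample dump is a constructed excerpt modelled on the loc2net and net2fw chains above; the line numbers it prints refer to that sample, or to stdin when you pipe `iptables-save` into it.

```python
"""Static check for an iptables-save dump: report rules that can never match
because an earlier rule in the same chain matches everything and terminates,
and report exact duplicates. Added example for this thread; not code from
Shorewall or from the original post."""
import shlex

# Targets that end traversal for a matching packet. Shorewall's own chains
# (Drop, reject, dynamic, ...) are ordinary user chains that may RETURN, so a
# jump to them is deliberately not treated as terminating.
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

# Constructed excerpt modelled on the loc2net and net2fw chains in the post.
SAMPLE_DUMP = """\
# constructed excerpt, modelled on the loc2net and net2fw chains in the post
*filter
-A loc2net -p icmp -m icmp -m comment --icmp-type 8 -j ACCEPT --comment Ping
-A loc2net -p icmp -m icmp -m comment --icmp-type 8 -j ACCEPT --comment Ping
-A loc2net -p tcp -m tcp -m comment --dport 443 -j ACCEPT --comment HTTPS
-A loc2net -p tcp -m tcp --dport 443 -j ACCEPT
-A loc2net -d 142.4.203.69 -j ACCEPT
-A loc2net -j ACCEPT
-A loc2net -p tcp -m tcp -d 69.171.228.13 --dport 443 --sport 443 -j reject
-A loc2net -j Drop
-A loc2net -j DROP
-A net2fw -m conntrack -j ACCEPT  --ctstate RELATED,ESTABLISHED
-A net2fw -j Drop
-A net2fw -j DROP
COMMIT
"""


def parse_rules(dump):
    """Yield (chain, tokens, line_no) for every '-A' line in the dump.
    Comments, '*table', ':CHAIN policy' and COMMIT lines are skipped."""
    for n, line in enumerate(dump.splitlines(), 1):
        line = line.strip()
        if not line.startswith("-A "):
            continue
        tokens = shlex.split(line)  # honours quoted --log-prefix values
        yield tokens[1], tokens, n


def is_catch_all(tokens):
    """True for '-A CHAIN -j TARGET' with no match options at all."""
    return len(tokens) == 4 and tokens[2] == "-j" and tokens[3] in TERMINATING


def find_unreachable(dump):
    """Return [(line_no, rule_text)] for rules that follow a catch-all
    terminating rule in the same chain and therefore never match."""
    catch_all_at = {}  # chain -> line number of its catch-all rule
    unreachable = []
    for chain, tokens, n in parse_rules(dump):
        if chain in catch_all_at:
            unreachable.append((n, " ".join(tokens)))
        elif is_catch_all(tokens):
            catch_all_at[chain] = n
    return unreachable


def find_duplicates(dump):
    """Return [(first_line, dup_line, rule_text)] for token-identical rules in
    one chain. Harmless for traffic, but a sign of rules appended by hand."""
    seen = {}
    dups = []
    for chain, tokens, n in parse_rules(dump):
        key = (chain, tuple(tokens))
        if key in seen:
            dups.append((seen[key], n, " ".join(tokens)))
        else:
            seen[key] = n
    return dups


if __name__ == "__main__":
    import sys
    dump = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    for n, rule in find_unreachable(dump):
        print(f"line {n}: unreachable: {rule}")
    for first, n, rule in find_duplicates(dump):
        print(f"line {n}: duplicate of line {first}: {rule}")
```

Run it against the live ruleset with `iptables-save | python3 check_rules.py` (the file name is my choice). Whatever it flags should be expressed in /etc/shorewall rather than patched with iptables directly, because `shorewall restart` regenerates the whole ruleset and discards anything added outside it; `shorewall check` compiles the configuration and reports errors without loading it, which is the safe way to validate edits before a restart.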
Quoting Joel Barrios Dueñas:

I'm afraid not. I gather you have just taken over the administration of that server, which was previously administered by someone else. The server you describe uses Shorewall as its firewall. Therefore the changes and configuration need to be made in the files under /etc/shorewall.

Please read and review http://www.alcancelibre.org/staticpages/index.php/configuracion-basica-shorewall

Shorewall is much easier to administer and understand than iptables.


OK, do you recommend that I back up the old files and then modify the Shorewall configuration following that guide?

Anonymous: sinmarca
05/01/16 09:01
OK, I'll follow your advice and modify the Shorewall configuration instead, following the guide you sent me. Thanks a lot; tomorrow I'll let you know how it went.