Skip to content

Instantly share code, notes, and snippets.

@SemanticBeeng

SemanticBeeng/chains

Last active July 16, 2020 08:49
Show Gist options
  • Save SemanticBeeng/46edcfa25ea81af1bbc31f088c14b87c to your computer and use it in GitHub Desktop.
Save SemanticBeeng/46edcfa25ea81af1bbc31f088c14b87c to your computer and use it in GitHub Desktop.
Download ZIP
Raw
chains
iptables -L -nv --line-numbers
```
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 12 792 ICMP-flood icmp -- * * 0.0.0.0/0 0.0.0.0/0
2 10 400 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
3 953 519K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
4 204 9472 AUTO_WHITELIST tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
5 13 1322 AUTO_WHITELIST udp -- * * 0.0.0.0/0 0.0.0.0/0
6 0 0 AUTO_WHITELIST icmp -- * * 0.0.0.0/0 0.0.0.0/0
7 204 9472 SYN-flood tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
8 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 7200 name: badguys side: source mask: 255.255.255.255 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix "iptables-recent-badguys: "
9 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 7200 name: badguys side: source mask: 255.255.255.255 reject-with icmp-admin-prohibited
10 10 710 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
11 0 0 REJECT all -- !lo * 127.0.0.0/8 0.0.0.0/0 reject-with icmp-port-unreachable
12 37 1932 ACCEPT tcp -- eno2 * 0.0.0.0/0 95.216.37.89 tcp dpt:22 state NEW,ESTABLISHED
13 0 0 ACCEPT tcp -- eno2 * 0.0.0.0/0 95.216.37.89 tcp spt:53 state ESTABLISHED
14 0 0 ACCEPT udp -- eno2 * 0.0.0.0/0 95.216.37.89 udp spt:53 state ESTABLISHED
15 0 0 ACCEPT icmp -- eno2 * 0.0.0.0/0 95.216.37.89 icmptype 8
16 1 114 ACCEPT udp -- eno2 * 0.0.0.0/0 95.216.37.89 udp dpt:1194 state NEW,ESTABLISHED
17 0 0 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0
18 0 0 ACCEPT tcp -- eno2 * 0.0.0.0/0 95.216.37.89 tcp spt:80 state NEW,ESTABLISHED
19 0 0 ACCEPT tcp -- eno2 * 0.0.0.0/0 95.216.37.89 tcp spt:443 state NEW,ESTABLISHED
20 2 498 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
21 166 7500 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
22 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable
23 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "iptables_INPUT_denied: "
24 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
2 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
3 0 0 ACCEPT all -- tun0 eno2 10.8.0.0/24 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
4 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "iptables_FORWARD_denied: "
5 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
2 1058 177K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
3 10 710 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT tcp -- * eno2 95.216.37.89 0.0.0.0/0 tcp spt:22 state ESTABLISHED
5 0 0 ACCEPT tcp -- * eno2 95.216.37.89 0.0.0.0/0 tcp dpt:53 state NEW,ESTABLISHED
6 10 710 ACCEPT udp -- * eno2 95.216.37.89 0.0.0.0/0 udp dpt:53 state NEW,ESTABLISHED
7 0 0 ACCEPT icmp -- * eno2 95.216.37.89 0.0.0.0/0 icmptype 8
8 0 0 ACCEPT udp -- * eno2 95.216.37.89 0.0.0.0/0 udp spt:1194 state ESTABLISHED
9 0 0 ACCEPT all -- * tun0 0.0.0.0/0 0.0.0.0/0
10 0 0 ACCEPT tcp -- * eno2 95.216.37.89 0.0.0.0/0 tcp dpt:80 state NEW,ESTABLISHED
11 0 0 ACCEPT tcp -- * eno2 95.216.37.89 0.0.0.0/0 tcp dpt:443 state NEW,ESTABLISHED
12 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "iptables_OUTPUT_denied: "
13 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain AUTO_WHITELIST (3 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * * 10.8.0.1 0.0.0.0/0
2 0 0 ACCEPT all -- * * 172.17.0.1 0.0.0.0/0
3 0 0 ACCEPT all -- * * 95.216.37.89 0.0.0.0/0
4 0 0 ACCEPT all -- * * 10.8.0.1 0.0.0.0/0
5 0 0 ACCEPT all -- * * 172.17.0.1 0.0.0.0/0
6 0 0 ACCEPT all -- * * 95.216.37.89 0.0.0.0/0
7 0 0 ACCEPT all -- * * 10.8.0.1 0.0.0.0/0
8 0 0 ACCEPT all -- * * 172.17.0.1 0.0.0.0/0
9 0 0 ACCEPT all -- * * 95.216.37.89 0.0.0.0/0
Chain ICMP-flood (1 references)
num pkts bytes target prot opt in out source destination
1 12 792 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 limit: up to 10/sec burst 10 mode srcip htable-expire 3600000
2 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/hour burst 2 LOG flags 0 level 4 prefix "iptables-ICMP-flood: "
3 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-admin-prohibited
Chain SYN-flood (1 references)
num pkts bytes target prot opt in out source destination
1 203 9432 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 limit: up to 40/sec burst 20 mode srcip htable-expire 3600000
2 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix "iptables-SYN-flood: "
3 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-admin-prohibited
```
> iptables -S
```
iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N AUTO_WHITELIST
-N ICMP-flood
-N SYN-flood
-A INPUT -p icmp -j ICMP-flood
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j AUTO_WHITELIST
-A INPUT -p udp -j AUTO_WHITELIST
-A INPUT -p icmp -j AUTO_WHITELIST
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYN-flood
-A INPUT -m recent --update --seconds 7200 --name badguys --mask 255.255.255.255 --rsource -m limit --limit 3/hour -j LOG --log-prefix "iptables-recent-badguys: "
-A INPUT -m recent --update --seconds 7200 --name badguys --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-admin-prohibited
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -d 95.216.37.89/32 -i eno2 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -d 95.216.37.89/32 -i eno2 -p tcp -m tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -d 95.216.37.89/32 -i eno2 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -d 95.216.37.89/32 -i eno2 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -d 95.216.37.89/32 -i eno2 -p udp -m udp --dport 1194 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -d 95.216.37.89/32 -i eno2 -p tcp -m tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -d 95.216.37.89/32 -i eno2 -p tcp -m tcp --sport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_INPUT_denied: "
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -i tun0 -o eno2 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "iptables_FORWARD_denied: "
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 95.216.37.89/32 -o eno2 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -s 95.216.37.89/32 -o eno2 -p tcp -m tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -s 95.216.37.89/32 -o eno2 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -s 95.216.37.89/32 -o eno2 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -s 95.216.37.89/32 -o eno2 -p udp -m udp --sport 1194 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -s 95.216.37.89/32 -o eno2 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -s 95.216.37.89/32 -o eno2 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_OUTPUT_denied: "
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-A AUTO_WHITELIST -s 10.8.0.1/32 -j ACCEPT
-A AUTO_WHITELIST -s 172.17.0.1/32 -j ACCEPT
-A AUTO_WHITELIST -s 95.216.37.89/32 -j ACCEPT
-A AUTO_WHITELIST -s 10.8.0.1/32 -j ACCEPT
-A AUTO_WHITELIST -s 172.17.0.1/32 -j ACCEPT
-A AUTO_WHITELIST -s 95.216.37.89/32 -j ACCEPT
-A AUTO_WHITELIST -s 10.8.0.1/32 -j ACCEPT
-A AUTO_WHITELIST -s 172.17.0.1/32 -j ACCEPT
-A AUTO_WHITELIST -s 95.216.37.89/32 -j ACCEPT
-A ICMP-flood -m hashlimit --hashlimit-upto 10/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name ICMP-flood --hashlimit-htable-expire 3600000 -j ACCEPT
-A ICMP-flood -m limit --limit 3/hour --limit-burst 2 -j LOG --log-prefix "iptables-ICMP-flood: "
-A ICMP-flood -j REJECT --reject-with icmp-admin-prohibited
-A SYN-flood -m hashlimit --hashlimit-upto 40/sec --hashlimit-burst 20 --hashlimit-mode srcip --hashlimit-name SYN-flood --hashlimit-htable-expire 3600000 -j RETURN
-A SYN-flood -m limit --limit 3/hour -j LOG --log-prefix "iptables-SYN-flood: "
-A SYN-flood -j REJECT --reject-with icmp-admin-prohibited
```
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment