# Host firewall ruleset (nftables). Three tables: a combined IPv4/IPv6
# "filter" table that applies a default-drop policy on input, forward and
# output, and two NAT tables ("ip nat", "ip6 nat") whose chains contain only
# counters and no NAT rules. Every rule carries a counter so hit counts can be
# read back with `nft list ruleset` when debugging what is being dropped.
table inet filter {
# Inbound traffic to this host. Default policy is drop; only the explicit
# accepts below let a new connection in.
chain input {
type filter hook input priority 0; policy drop;
ct state invalid counter drop comment "drop invalid packets"
ct state established,related counter accept comment "accept related connections"
# Loopback is fully trusted.
iif lo counter accept
# Anti-spoofing: a packet addressed to a loopback destination must never
# arrive on a non-loopback interface.
iif != lo ip daddr 127.0.0.1/8 counter drop
iif != lo ip6 daddr ::1/128 counter drop
# All ICMP / ICMPv6 types are accepted.
ip protocol icmp counter accept
# NOTE(review): `ip6 nexthdr` matches only the next-header field of the base
# IPv6 header, so ICMPv6 carried behind an extension header (e.g. MLD with a
# hop-by-hop option) would not match here and would fall through to the drop
# policy; `meta l4proto ipv6-icmp` is the form that follows extension headers
# — confirm whether that matters on this host.
ip6 nexthdr ipv6-icmp counter accept
# NOTE(review): 172.0.0.1/8 is the whole 172.0.0.0/8 block (public address
# space), not the RFC 1918 range 172.16.0.0/12 and not loopback. The two rules
# that follow restrict to 127.0.0.1/8, so this may be a typo; verify whether
# loopback (127.0.0.1/8) or the private range (172.16.0.0/12) was intended.
udp dport domain ip saddr 172.0.0.1/8 counter accept
# Local-only services: TCP 8000 and http-alt (8080) reachable from loopback
# addresses only.
tcp dport 8000 ip saddr 127.0.0.1/8 counter accept
tcp dport http-alt ip saddr 127.0.0.1/8 counter accept
# SSH is accepted from any source with no rate limit; a source restriction or
# a `limit rate` clause would reduce brute-force exposure if the host is
# reachable from untrusted networks.
tcp dport ssh counter accept
# Trailing counter with no verdict: counts everything that is about to hit the
# chain's drop policy.
counter
}
# This host is not a router: forwarded traffic is dropped unless it belongs to
# an already-established flow.
chain forward {
type filter hook forward priority 0; policy drop;
ct state established,related counter accept
counter
}
# Outbound traffic from this host. Default policy is drop, so every outbound
# service the host needs must be listed here. Only new connections need an
# entry; replies are covered by the conntrack rule.
chain output {
type filter hook output priority 0; policy drop;
ct state established,related counter accept
icmp type echo-request counter accept
icmp type echo-reply counter accept
# DNS over UDP only: no rule accepts tcp dport domain, so a resolver retry
# over TCP (truncated/large answers) is dropped by the chain policy.
udp dport domain counter accept
tcp dport http counter accept
tcp dport https counter accept
tcp dport ssh counter accept
# DHCP client traffic.
tcp dport bootps counter accept
udp dport bootps counter accept
# NTP is UDP-based; the TCP 123 rule is probably never hit.
tcp dport ntp counter accept
udp dport ntp counter accept
tcp dport nntps counter accept
udp dport nntps counter accept
# Mail submission and IMAPS.
tcp dport submission counter accept
tcp dport imaps counter accept
tcp dport 2222 counter accept
# OpenPGP keyserver (hkp).
tcp dport hkp counter accept
udp dport hkp counter accept
# Raw printer port.
tcp dport 9100 counter accept
tcp dport git counter accept
udp dport git counter accept
tcp dport rsync counter accept
udp dport rsync counter accept
tcp dport 8000 counter accept
tcp dport http-alt counter accept
udp dport openvpn counter accept
# Trailing counter with no verdict: counts what the drop policy will discard.
counter
}
}
# NAT tables. Neither chain carries a NAT rule; they only count packets
# traversing the hooks. No policy is given, so the chains default to accept.
# NOTE(review): prerouting priority 0 is unusual for a nat chain — the
# conventional values are dstnat (-100) for prerouting and srcnat (100) for
# postrouting; harmless while the chains are empty.
table ip nat {
chain prerouting {
type nat hook prerouting priority 0;
counter
}
chain postrouting {
type nat hook postrouting priority 100;
counter
}
}
table ip6 nat {
chain prerouting {
type nat hook prerouting priority 0;
counter
}
chain postrouting {
type nat hook postrouting priority 100;
counter
}
}