
iptables for transparent TCP proxy

Добавлено: 09 дек 2023, 09:47
ya
https://superuser.com/questions/269980/iptables-for-transparent-tcp-proxy#417895

https://stackoverflow.com/questions/10595575/iptables-configuration-for-transparent-proxy

https://habr.com/ru/articles/460469/

Осталось перенаправить все tcp запросы на порт 888 и сохранить правило в iptables

root@debian9:~# iptables -t nat -A PREROUTING -s 192.168.201.0/24 -p tcp -j REDIRECT --to-ports 888

root@debian9:~# iptables-save > /etc/iptables/rules.v4


https://launchpad.net/~artyom.h31/+archive/ubuntu/3proxy

cat /etc/iptables

Добавлено: 16 дек 2023, 10:25
ya
cat /etc/iptables


# Generated by iptables-save v1.6.0 on Mon Jul 11 15:14:44 2022
#
# nat table: inbound port-forwards (DNAT) from the WAN address 212.119.243.135
# and from 192.168.107.1 to hosts in 192.168.100.0/24, plus source NAT for the
# LAN when it leaves via ppp+.  Chain policies are all ACCEPT; the bracketed
# values are packet:byte counters captured at save time and are ignored on restore.
*nat
:PREROUTING ACCEPT [19907:1759564]
:INPUT ACCEPT [19087:1700701]
:OUTPUT ACCEPT [1060:83671]
:POSTROUTING ACCEPT [1060:83671]
# PREROUTING DNAT: rewrite the destination of incoming connections.
# 34567 -> 192.168.100.20 (the filter table's fo-video chain suggests a video/DVR
# service — confirm).  3389 / 4899 / 5900 are conventionally RDP, Radmin and VNC;
# exposing them via DNAT means the internal host is reachable from whatever
# network 192.168.107.1 faces, so the filter-table FORWARD rules decide who may connect.
-A PREROUTING -d 212.119.243.135/32 -p tcp -m tcp --dport 34567 -j DNAT --to-destination 192.168.100.20:34567
-A PREROUTING -d 192.168.107.1/32 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.100.2:3389
-A PREROUTING -d 192.168.107.1/32 -p tcp -m tcp --dport 4899 -j DNAT --to-destination 192.168.100.2:4899
-A PREROUTING -d 192.168.107.1/32 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 192.168.100.2:5900
-A PREROUTING -d 192.168.107.1/32 -p tcp -m tcp --dport 5959 -j DNAT --to-destination 192.168.100.12:5959
-A PREROUTING -d 192.168.107.1/32 -p tcp -m tcp --dport 34567 -j DNAT --to-destination 192.168.100.20:34567
# OUTPUT DNAT: the same mappings for connections originated on this box itself
# (the nat OUTPUT chain only sees locally generated packets).  No port is given
# in --to-destination, so the original destination port is kept.
-A OUTPUT -d 212.119.243.135/32 -p tcp -m tcp --dport 34567 -j DNAT --to-destination 192.168.100.20
-A OUTPUT -d 192.168.107.1/32 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.100.2
-A OUTPUT -d 192.168.107.1/32 -p tcp -m tcp --dport 4899 -j DNAT --to-destination 192.168.100.2
-A OUTPUT -d 192.168.107.1/32 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 192.168.100.2
-A OUTPUT -d 192.168.107.1/32 -p tcp -m tcp --dport 5959 -j DNAT --to-destination 192.168.100.12
-A OUTPUT -d 192.168.107.1/32 -p tcp -m tcp --dport 34567 -j DNAT --to-destination 192.168.100.20
# POSTROUTING SNAT: LAN traffic leaving on ppp+ gets the fixed public source
# address, except traffic staying inside 192.168.0.0/16.
-A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.0.0/16 -o ppp+ -j SNAT --to-source 212.119.243.135
# Forwarded connections to the DNAT targets are re-sourced as 192.168.100.9 —
# presumably this box's LAN address, so replies come back through it even when
# the client sits on the same LAN (hairpin NAT); confirm against the interface config.
# Side effect: the internal hosts' logs show 192.168.100.9, not the real client.
-A POSTROUTING -d 192.168.100.20/32 -p tcp -m tcp --dport 34567 -j SNAT --to-source 192.168.100.9
-A POSTROUTING -d 192.168.100.2/32 -p tcp -m tcp --dport 3389 -j SNAT --to-source 192.168.100.9
-A POSTROUTING -d 192.168.100.2/32 -p tcp -m tcp --dport 4899 -j SNAT --to-source 192.168.100.9
-A POSTROUTING -d 192.168.100.2/32 -p tcp -m tcp --dport 5900 -j SNAT --to-source 192.168.100.9
-A POSTROUTING -d 192.168.100.12/32 -p tcp -m tcp --dport 5959 -j SNAT --to-source 192.168.100.9
COMMIT
# Completed on Mon Jul 11 15:14:44 2022
# Generated by iptables-save v1.6.0 on Mon Jul 11 15:14:44 2022
#
# filter table: default-deny for INPUT and FORWARD, OUTPUT unrestricted.
# Rules are evaluated top to bottom; the first match wins, so ordering notes
# below matter for what is actually enforced.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [6567:4345643]
# User chains.  f2b-* are maintained by fail2ban.  fail2ban-ssh is declared but
# has no rules in this dump, so every jump to it simply falls through to the
# next rule of the calling chain.  fo-rdp and fo-radmin are never jumped to
# from FORWARD in this dump (only fo-video is), so they are dead chains.
:f2b-proftpd - [0:0]
:f2b-sshd - [0:0]
:fail2ban-ssh - [0:0]
:fo-radmin - [0:0]
:fo-rdp - [0:0]
:fo-video - [0:0]
:in-ssh - [0:0]
#-A INPUT -p tcp -m multiport --dports 21,20,990,989 -j f2b-proftpd
#-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
# Trust everything arriving on loopback, the LAN interface and VPN tunnels.
# Because these come first, the per-source DROPs further down never apply to
# traffic on these interfaces.
-A INPUT -i lo -j ACCEPT
-A INPUT -i enp2s0 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT ! -i enp1s0 -p udp -m udp --dport 49499 -j ACCEPT
#-A INPUT -p tcp -m multiport --dports 21,20,990,989 -j f2b-proftpd
# SSH goes through the fail2ban chain first (f2b-sshd REJECTs banned sources);
# fail2ban-ssh is empty, see above.
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
# Static source blocklist (only reached for interfaces not accepted above).
-A INPUT -s 194.67.0.0/16 -j DROP
-A INPUT -s 123.31.38.119/32 -j DROP
-A INPUT -s 183.196.44.103/32 -j DROP
-A INPUT -s 31.207.47.55/32 -j DROP
-A INPUT -s 91.197.232.104/32 -j DROP
-A INPUT -s 206.111.0.0/16 -j DROP
-A INPUT -s 173.194.55.0/24 -j DROP
#-A INPUT -i enx0c5b8f279a64 -j ACCEPT
# All ICMP except type 5 (redirect).
-A INPUT -p icmp -m icmp ! --icmp-type 5 -j ACCEPT
-A INPUT -p gre -j ACCEPT
# SSH from any interface other than enp1s0: rate-limited log, then ACCEPT (in-ssh).
-A INPUT ! -i enp1s0 -p tcp -m tcp --dport 22 -j in-ssh
# NOTE(review): "-p 67" matches IP protocol number 67, not UDP port 67.  The
# rule at the end of INPUT for enp1s0 uses "-p udp --dport 67" (DHCP); these
# two were probably meant to do the same for enp2s0 / tun+ — confirm.  If so,
# DHCP on those interfaces is currently covered only by the interface-wide
# ACCEPTs above, which makes these two rules redundant in any case.
-A INPUT -i enp2s0 -p 67 -j ACCEPT
-A INPUT -i tun+ -p 67 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 3129 -j ACCEPT
# Publicly reachable services: 1194 tcp/udp (OpenVPN by convention), 25000 udp,
# 1935 tcp, 4444 tcp, 80 and 443 tcp.  Purpose of 25000/1935/4444 not visible here.
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p udp -m udp --dport 25000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1935 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4444 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Inbound UDP to port 53 allowed by source address.  DNS replies from these
# resolvers would already match RELATED,ESTABLISHED (and arrive with source
# port 53, not destination port 53), so these accept *queries* that claim to
# come from 8.8.8.8 / 8.8.4.4 / 172.18.49.0/24.  Source-only UDP filters are
# trivially spoofable; verify the intent before keeping them.
-A INPUT -s 8.8.8.8/32 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 8.8.4.4/32 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 172.18.49.0/24 -p udp -m udp --dport 53 -j ACCEPT
# Services exposed on the PPP (WAN) interface.
-A INPUT -i ppp+ -p udp -m udp --dport 6881 -j ACCEPT
-A INPUT -i ppp+ -p udp -m udp --dport 6883 -j ACCEPT
-A INPUT ! -i ppp+ -p gre -j ACCEPT
-A INPUT -i ppp+ -p tcp -m tcp --dport 6969 -j ACCEPT
-A INPUT -i ppp+ -p tcp -m tcp --dport 49152:59152 -j ACCEPT
-A INPUT -i ppp+ -p tcp -m tcp --dport 20:21 -j ACCEPT
-A INPUT -i ppp+ -p tcp -m tcp --dport 7777:7785 -j ACCEPT
-A INPUT -i ppp+ -p udp -m udp --dport 7777:7785 -j ACCEPT
-A INPUT -i ppp+ -p tcp -m tcp --dport 34567 -j ACCEPT
-A INPUT -i ppp+ -p tcp -m tcp --dport 26000:27000 -j ACCEPT
-A INPUT -i ppp+ -p tcp -m tcp --dport 27001:28000 -j ACCEPT
-A INPUT -s 172.18.48.0/24 -i enp1s0 -p tcp -m tcp --dport 1701 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 67 -j ACCEPT
# Connection tracking.  The two RELATED,ESTABLISHED rules are equivalent
# (legacy "state" match and "conntrack" match); one is enough.  Placing them
# last means every packet of an established flow is compared against all the
# rules above first — moving them to the top of INPUT would be cheaper and
# would not change what is accepted.  INVALID is dropped, then policy DROP.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# FORWARD (policy DROP).
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
# NOTE(review): "-o enp2s0 -j ACCEPT" accepts *every* forwarded packet headed
# into the LAN, including the DNATed port-forwards from ppp+.  The more specific
# fo-video rule below therefore never matches — the 34567 logging/fail2ban hook
# is dead — and the RDP/Radmin/VNC forwards reach the LAN with no logging at all.
# Restricting this rule (e.g. by input interface) and moving the per-service
# fo-* rules above it would make the intended checks effective.
-A FORWARD -i enp2s0 -j ACCEPT
-A FORWARD -o enp2s0 -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -o tun+ -j ACCEPT
-A FORWARD -d 192.168.100.20/32 -i ppp+ -o enp2s0 -p tcp -m tcp --dport 34567 -j fo-video
-A FORWARD -i enp2s0 -o ppp+ -j ACCEPT
# Duplicates of earlier FORWARD rules; harmless but unreachable.
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i tun+ -j ACCEPT
# fail2ban-managed chains.  The repeated "-j RETURN" lines are redundant
# (only the first is ever reached); they look like leftovers from repeated
# fail2ban restarts and can be ignored.
-A f2b-proftpd -s 140.143.229.228/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-proftpd -j RETURN
-A f2b-proftpd -j RETURN
-A f2b-proftpd -j RETURN
-A f2b-sshd -s 129.226.39.59/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 181.188.195.18/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 212.192.241.163/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 141.98.10.81/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
-A f2b-sshd -j RETURN
-A f2b-sshd -j RETURN
-A f2b-sshd -j RETURN
# fo-* / in-ssh: log at most 5/min (burst 7) with a fixed prefix, pass through
# the (empty) fail2ban-ssh chain, then ACCEPT.  Only fo-video and in-ssh are
# referenced from the built-in chains.  The in-ssh prefix "IP_SPOOF A: " is
# misleading for what is simply an SSH connection log — worth renaming when
# someone next edits this, since log consumers may key on it.
-A fo-radmin -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "forward radmin: "
-A fo-radmin -j fail2ban-ssh
-A fo-radmin -j ACCEPT
-A fo-rdp -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "forward rdp: "
-A fo-rdp -j fail2ban-ssh
-A fo-rdp -j ACCEPT
-A fo-video -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "forward video: "
-A fo-video -j fail2ban-ssh
-A fo-video -j ACCEPT
-A in-ssh -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "IP_SPOOF A: "
-A in-ssh -j fail2ban-ssh
-A in-ssh -j ACCEPT
COMMIT
# Completed on Mon Jul 11 15:14:44 2022
# Generated by iptables-save v1.6.0 on Mon Jul 11 15:14:44 2022
#
# mangle table: the only rule clamps the TCP MSS of forwarded SYN segments
# leaving on ppp0 to the path MTU, but only when the advertised MSS is in
# 1400..1536.  Segments advertising a smaller MSS are left alone.  Note the
# match is on "ppp0" exactly, whereas the other tables use the "ppp+" wildcard —
# a second PPP interface would not get clamping; confirm that is intended.
*mangle
:PREROUTING ACCEPT [7383423438:8533246955420]
:INPUT ACCEPT [7294575237:8467034014118]
:FORWARD ACCEPT [88834630:66192106323]
:OUTPUT ACCEPT [6779230677:5775615075847]
:POSTROUTING ACCEPT [6868072764:5841808949575]
-A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Jul 11 15:14:44 2022