# Generated by iptables-save v1.4.4 on Wed Apr 21 12:58:16 2010
#
# iptables-save dump of a gateway (eth0 = 192.168.23.0/24 side, the host is
# 192.168.23.254 there; eth1 = masqueraded uplink; 192.168.99.254 = local
# IPsec endpoint peering with 212.XXX.XXX.212 (redacted in this copy)).
# Reformatted one directive per line; the rules themselves are unchanged.
#
# NOTE(review): the table "ips", the match "confirmed"/"logmark" and the
# target "CONFIRMED" are not part of stock netfilter - this dump presumably
# only restores on the vendor's patched kernel/iptables. Confirm before
# feeding it to a stock iptables-restore.
#
# Vendor table: chain declarations only, no rules are present in this dump.
*ips
:PREROUTING ACCEPT [10481983:5179859945]
:INPUT ACCEPT [5430230:975580388]
:FORWARD ACCEPT [4980374:4198438011]
:OUTPUT ACCEPT [5472535:965661007]
:POSTROUTING ACCEPT [10451579:5164005539]
:AFC_ACTION - [0:0]
:AFC_IM_IRC - [0:0]
:AFC_IM_MSN - [0:0]
:AFC_IM_OSCAR - [0:0]
:AFC_IM_SKYPE - [0:0]
:AFC_IM_TENCENT_QQ - [0:0]
:AFC_IM_XMPP - [0:0]
:AFC_IM_YAHOO - [0:0]
:AFC_P2P_APPLEJUICE - [0:0]
:AFC_P2P_ARES - [0:0]
:AFC_P2P_BITTORRENT - [0:0]
:AFC_P2P_DIRECT_CONNECT - [0:0]
:AFC_P2P_EDONKEY - [0:0]
:AFC_P2P_GNUTELLA - [0:0]
:AFC_P2P_IMESH - [0:0]
:AFC_P2P_MANOLITO - [0:0]
:AFC_P2P_MUTE - [0:0]
:AFC_P2P_PANDO - [0:0]
:AFC_P2P_SHARE - [0:0]
:AFC_P2P_WINMX - [0:0]
:AFC_P2P_WINNY - [0:0]
:QOSMARK - [0:0]
COMMIT
# Completed on Wed Apr 21 12:58:16 2010
# Generated by iptables-save v1.4.4 on Wed Apr 21 12:58:16 2010
#
# mangle: every user chain jumped to below is empty in this dump, so each
# jump simply returns. SANITYCHECK_FORWARD / SANITYCHECK_IN are declared
# but never referenced.
*mangle
:PREROUTING ACCEPT [10481983:5179859945]
:INPUT ACCEPT [5501401:981302149]
:FORWARD ACCEPT [4980407:4198439676]
:OUTPUT ACCEPT [5472535:965661007]
:POSTROUTING ACCEPT [10451579:5164005539]
:AFC_DETECT - [0:0]
:AFC_EXCEPTIONS_ALL - [0:0]
:AFC_EXCEPTIONS_IN - [0:0]
:AFC_EXCEPTIONS_OUT - [0:0]
:POLICY_ROUTING_OUT - [0:0]
:POLICY_ROUTING_PRE - [0:0]
:SANITYCHECK_FORWARD - [0:0]
:SANITYCHECK_IN - [0:0]
-A PREROUTING -j POLICY_ROUTING_PRE
-A INPUT -j AFC_EXCEPTIONS_IN
-A INPUT -j AFC_EXCEPTIONS_ALL
-A OUTPUT -j AFC_EXCEPTIONS_OUT
-A OUTPUT -j AFC_EXCEPTIONS_ALL
-A OUTPUT -j POLICY_ROUTING_OUT
COMMIT
# Completed on Wed Apr 21 12:58:16 2010
# Generated by iptables-save v1.4.4 on Wed Apr 21 12:58:16 2010
#
# nat: AUTO_* are the generated rules, USR_* the administrator's; only
# AUTO_PRE and USR_POST carry rules here. LOAD_BALANCING is empty.
*nat
:PREROUTING ACCEPT [168210:13703631]
:POSTROUTING ACCEPT [147806:9714295]
:OUTPUT ACCEPT [148366:9750902]
:AUTO_OUTPUT - [0:0]
:AUTO_POST - [0:0]
:AUTO_PRE - [0:0]
:LOAD_BALANCING - [0:0]
:USR_OUTPUT - [0:0]
:USR_POST - [0:0]
:USR_PRE - [0:0]
-A PREROUTING -j AUTO_PRE
-A PREROUTING -j USR_PRE
-A PREROUTING -j LOAD_BALANCING
-A POSTROUTING -j AUTO_POST
-A POSTROUTING -j USR_POST
-A OUTPUT -j AUTO_OUTPUT
-A OUTPUT -j USR_OUTPUT
# ACCEPT in nat PREROUTING ends NAT processing for tcp/4444 aimed at a local
# address, so USR_PRE / LOAD_BALANCING can never redirect or DNAT it.
-A AUTO_PRE -p tcp -m tcp --sport 1024:65535 --dport 4444 -m addrtype --dst-type LOCAL -j ACCEPT
# LAN POP3 is transparently redirected to local port 8110; the matching
# accept is the "--ctstate DNAT ... --dport 8110" rule in filter/AUTO_INPUT.
-A AUTO_PRE -s 192.168.23.0/24 -p tcp -m tcp --sport 1:65535 --dport 110 -j REDIRECT --to-ports 8110
# Masquerade LAN traffic leaving eth1 only when no IPsec policy applies
# ("--pol none"), so tunnelled traffic keeps its original source address.
-A USR_POST -s 192.168.23.0/24 -o eth1 -m policy --dir out --pol none -j MASQUERADE
COMMIT
# Completed on Wed Apr 21 12:58:16 2010
# Generated by iptables-save v1.4.4 on Wed Apr 21 12:58:16 2010
#
# raw: pre-conntrack sanity hooks. Findings from the rules as dumped:
#  - DOS_FLOOD_PROTECTION has no rules, and none of the *_FLOOD* chains is
#    referenced, so no flood limiting is in effect.
#  - SPOOFING_PROTECTION's only rule is an unconditional ACCEPT, so
#    SPOOF_DROP (and its "IP-SPOOFING DROP:" log) is unreachable and
#    anti-spoofing is effectively disabled.
#  - INVALID_PKT and SANITY_CHECKS are never jumped to.
*raw
:PREROUTING ACCEPT [1221:321336]
:OUTPUT ACCEPT [611724:149930454]
:DOS_FLOOD_PROTECTION - [0:0]
:ICMP_FLOOD - [0:0]
:ICMP_FLOOD_DROP - [0:0]
:ICMP_FLOOD_DST - [0:0]
:ICMP_FLOOD_SRC - [0:0]
:INVALID_PKT - [0:0]
:LOCAL_TRAFFIC - [0:0]
:SANITY_CHECKS - [0:0]
:SPOOFING_PROTECTION - [0:0]
:SPOOF_DROP - [0:0]
:SYN_FLOOD - [0:0]
:SYN_FLOOD_DROP - [0:0]
:SYN_FLOOD_DST - [0:0]
:SYN_FLOOD_SRC - [0:0]
:UDP_FLOOD - [0:0]
:UDP_FLOOD_DROP - [0:0]
:UDP_FLOOD_DST - [0:0]
:UDP_FLOOD_SRC - [0:0]
-A PREROUTING -s 127.0.0.0/8 -d 127.0.0.0/8 -j LOCAL_TRAFFIC
-A PREROUTING -j DOS_FLOOD_PROTECTION
-A PREROUTING -j SPOOFING_PROTECTION
-A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -j LOCAL_TRAFFIC
-A INVALID_PKT -m logmark --logmark 60007 -j NFLOG --nflog-prefix "INVALID_PKT: "
-A INVALID_PKT -j DROP
# Loopback-to-loopback traffic bypasses connection tracking entirely; the
# filter table still accepts it via the "-i lo" / "-o lo" rules.
-A LOCAL_TRAFFIC -j NOTRACK
-A LOCAL_TRAFFIC -j ACCEPT
# NOTE(review): unconditional ACCEPT - nothing ever reaches SPOOF_DROP.
-A SPOOFING_PROTECTION -j ACCEPT
-A SPOOF_DROP -m logmark --logmark 60008 -j NFLOG --nflog-prefix "IP-SPOOFING DROP: "
-A SPOOF_DROP -j DROP
COMMIT
# Completed on Wed Apr 21 12:58:16 2010
# Generated by iptables-save v1.4.4 on Wed Apr 21 12:58:16 2010
#
# filter: default-deny on all three built-in chains. Per-chain flow is
# loopback -> already-confirmed flow -> RELATED -> HA/PSD/sanity hooks ->
# generated (AUTO_*) rules -> administrator (USR_*) rules -> logged drop.
# In this dump HA, PSD_MATCH, SANITY_CHECKS, USR_INPUT and USR_OUTPUT are
# empty (their jumps return); PSD_ACTION and STRICT_TCP_STATE are declared
# but unreferenced; INVALID_PKT, LOGACCEPT and LOGREJECT carry rules but
# nothing jumps to them. The logmark values (6000x) distinguish which
# drop rule fired in the NFLOG stream.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:AUTO_FORWARD - [0:0]
:AUTO_INPUT - [0:0]
:AUTO_OUTPUT - [0:0]
:HA - [0:0]
:INVALID_PKT - [0:0]
:LOGACCEPT - [0:0]
:LOGDROP - [0:0]
:LOGREJECT - [0:0]
:PSD_ACTION - [0:0]
:PSD_MATCH - [0:0]
:SANITY_CHECKS - [0:0]
:STRICT_TCP_STATE - [0:0]
:USR_FORWARD - [0:0]
:USR_INPUT - [0:0]
:USR_OUTPUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m confirmed -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED -j CONFIRMED
-A INPUT -j HA
-A INPUT -j PSD_MATCH
-A INPUT -j SANITY_CHECKS
-A INPUT -j AUTO_INPUT
-A INPUT -j USR_INPUT
-A INPUT -m logmark --logmark 60001 -j LOGDROP
-A FORWARD -m confirmed -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED -j CONFIRMED
-A FORWARD -j PSD_MATCH
-A FORWARD -j SANITY_CHECKS
-A FORWARD -j AUTO_FORWARD
-A FORWARD -j USR_FORWARD
# Unreachable as dumped: USR_FORWARD ends in an unconditional DROP, so
# non-LAN forwarded traffic is dropped there without this logmark.
-A FORWARD -m logmark --logmark 60002 -j LOGDROP
# Locally generated packets towards lo:4444 that do not carry a loopback
# source are dropped and logged before the blanket "-o lo" accept;
# presumably so the 4444 service is only reachable via a genuine loopback
# source - confirm against the service's binding.
-A OUTPUT ! -s 127.0.0.0/8 -o lo -p tcp -m tcp --sport 1024:65535 --dport 4444 -m logmark --logmark 60005 -j LOGDROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m confirmed -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED -j CONFIRMED
-A OUTPUT -j HA
-A OUTPUT -j SANITY_CHECKS
-A OUTPUT -j AUTO_OUTPUT
-A OUTPUT -j USR_OUTPUT
-A OUTPUT -m logmark --logmark 60003 -j LOGDROP
# Site-to-site tunnel: forwarded traffic between the LAN and 10.2.120.0/24
# is only accepted when it actually traversed an IPsec tunnel-mode policy
# in the matching direction (no clear-text path for these prefixes).
-A AUTO_FORWARD -s 10.2.120.0/24 -d 192.168.23.0/24 -m policy --dir in --pol ipsec --mode tunnel -j CONFIRMED
-A AUTO_FORWARD -s 192.168.23.0/24 -d 10.2.120.0/24 -m policy --dir out --pol ipsec --mode tunnel -j CONFIRMED
# SSH: four permitted source prefixes, everything else logged and dropped
# with logmark 60004.
-A AUTO_INPUT -s 192.168.23.0/24 -p tcp -m tcp --sport 1:65535 --dport 22 -j CONFIRMED
-A AUTO_INPUT -s 10.2.120.0/24 -p tcp -m tcp --sport 1:65535 --dport 22 -j CONFIRMED
-A AUTO_INPUT -s 212.XXX.XXX.212/32 -p tcp -m tcp --sport 1:65535 --dport 22 -j CONFIRMED
-A AUTO_INPUT -s 192.168.99.0/24 -p tcp -m tcp --sport 1:65535 --dport 22 -j CONFIRMED
-A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 22 -m logmark --logmark 60004 -j LOGDROP
# tcp/4444 block, same shape as the SSH block above - except the fourth
# rule accepts 4444 from ANY source. That makes the three source-specific
# rules before it redundant and the LOGDROP (logmark 60005) after it
# unreachable, so the port is world-reachable and no drop is ever logged.
# NOTE(review): confirm this is intended; if 4444 should be restricted like
# SSH, the unconditional CONFIRMED rule is the one to remove.
-A AUTO_INPUT -s 192.168.23.0/24 -p tcp -m tcp --sport 1024:65535 --dport 4444 -j CONFIRMED
-A AUTO_INPUT -s 10.2.120.0/24 -p tcp -m tcp --sport 1024:65535 --dport 4444 -j CONFIRMED
-A AUTO_INPUT -s 212.XXX.XXX.212/32 -p tcp -m tcp --sport 1024:65535 --dport 4444 -j CONFIRMED
-A AUTO_INPUT -p tcp -m tcp --sport 1024:65535 --dport 4444 -j CONFIRMED
-A AUTO_INPUT -p tcp -m tcp --sport 1024:65535 --dport 4444 -m logmark --logmark 60005 -j LOGDROP
# DHCP server on eth0: broadcast discovers plus renewals addressed to the
# gateway itself.
-A AUTO_INPUT -d 255.255.255.255/32 -i eth0 -p udp -m udp --sport 68 --dport 67 -j CONFIRMED
-A AUTO_INPUT -s 192.168.23.0/24 -d 192.168.23.254/32 -i eth0 -p udp -m udp --sport 68 --dport 67 -j CONFIRMED
# DNS service for the LAN only.
-A AUTO_INPUT -s 192.168.23.0/24 -p tcp -m tcp --sport 53:65535 --dport 53 -j CONFIRMED
-A AUTO_INPUT -s 192.168.23.0/24 -p udp -m udp --sport 53:65535 --dport 53 -j CONFIRMED
# ICMP echo-request is answered from any source (no rate limit in this dump).
-A AUTO_INPUT -p icmp -m icmp --icmp-type 8/0 -j CONFIRMED
# IPsec from the single peer only: ESP with SPI outside the reserved 0-255
# range, plus IKE (500) and NAT-T (4500).
-A AUTO_INPUT -s 212.XXX.XXX.212/32 -d 192.168.99.254/32 -p esp -m esp --espspi 256:4294967295 -j CONFIRMED
-A AUTO_INPUT -s 212.XXX.XXX.212/32 -d 192.168.99.254/32 -p udp -m udp --sport 1:65535 -m multiport --dports 500,4500 -j CONFIRMED
# NTP service for the LAN.
-A AUTO_INPUT -s 192.168.23.0/24 -p udp -m udp --sport 123:65535 --dport 123 -j CONFIRMED
# Accept the POP3 connections that nat/AUTO_PRE redirected to 8110; the
# DNAT state match keeps direct connections to 8110 out.
-A AUTO_INPUT -s 192.168.23.0/24 -p tcp -m tcp --sport 1:65535 --dport 8110 -m conntrack --ctstate DNAT -j CONFIRMED
# PPTP control channel from any source. No GRE rule appears in this chain;
# presumably the pptp conntrack helper classifies GRE as RELATED - confirm.
-A AUTO_INPUT -p tcp -m tcp --sport 1024:65535 --dport 1723 -j CONFIRMED
# SMTP / SMTPS / submission from any source.
-A AUTO_INPUT -p tcp -m tcp --sport 1:65535 -m multiport --dports 25,465,587 -j CONFIRMED
# Outbound: DHCP offers on eth0.
-A AUTO_OUTPUT -s 192.168.23.254/32 -d 255.255.255.255/32 -o eth0 -p udp -m udp --sport 67 --dport 67:68 -j CONFIRMED
-A AUTO_OUTPUT -s 192.168.23.254/32 -d 192.168.23.0/24 -o eth0 -p udp -m udp --sport 67 --dport 67:68 -j CONFIRMED
# Outbound ping, DNS (client and server-side replies), and the
# 33000:34000 udp range (traceroute-style probes, presumably).
# Several of these AUTO_OUTPUT rules are exact duplicates (icmp 8/0,
# udp 33000:34000, tcp 80, tcp 443) - harmless, the duplicates never match.
-A AUTO_OUTPUT -p icmp -m icmp --icmp-type 8/0 -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 53:65535 --dport 53 -j CONFIRMED
-A AUTO_OUTPUT -p udp -m udp --sport 53:65535 --dport 53 -j CONFIRMED
-A AUTO_OUTPUT -p udp -m udp --sport 53 --dport 53:65535 -j CONFIRMED
-A AUTO_OUTPUT -p icmp -m icmp --icmp-type 8/0 -j CONFIRMED
-A AUTO_OUTPUT -p udp -m udp --sport 1024:65535 --dport 33000:34000 -j CONFIRMED
# Outbound IPsec to the peer (ESP, NAT-T, IKE), pinned to both endpoints.
-A AUTO_OUTPUT -s 192.168.99.254/32 -d 212.XXX.XXX.212/32 -p esp -m esp --espspi 256:4294967295 -j CONFIRMED
-A AUTO_OUTPUT -s 192.168.99.254/32 -d 212.XXX.XXX.212/32 -p udp -m udp --sport 4500 --dport 1:65535 -j CONFIRMED
-A AUTO_OUTPUT -s 192.168.99.254/32 -d 212.XXX.XXX.212/32 -p udp -m udp --sport 500 --dport 1:65535 -j CONFIRMED
# NTP client, restricted to three fixed upstream servers.
-A AUTO_OUTPUT -d 83.169.19.225/32 -p udp -m udp --sport 123:65535 --dport 123 -j CONFIRMED
-A AUTO_OUTPUT -d 141.40.103.102/32 -p udp -m udp --sport 123:65535 --dport 123 -j CONFIRMED
-A AUTO_OUTPUT -d 129.143.2.23/32 -p udp -m udp --sport 123:65535 --dport 123 -j CONFIRMED
# Outbound POP3 (the redirected LAN sessions are relayed from here),
# HTTP/HTTPS and mail submission to any destination.
-A AUTO_OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 110 -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 80 -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 -m multiport --dports 25,465,587 -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 80 -j CONFIRMED
-A AUTO_OUTPUT -p udp -m udp --sport 1024:65535 --dport 33000:34000 -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 443 -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 80 -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 443 -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 80 -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 443 -j CONFIRMED
# RADIUS auth/acct to a single LAN host.
-A AUTO_OUTPUT -d 192.168.23.18/32 -p tcp -m tcp --sport 1:65535 --dport 1812:1813 -j CONFIRMED
-A AUTO_OUTPUT -d 192.168.23.18/32 -p udp -m udp --sport 1:65535 --dport 1812:1813 -j CONFIRMED
# Logging helpers. Broadcast traffic is handled silently in each to keep
# the NFLOG stream free of broadcast noise. INVALID_PKT, LOGACCEPT and
# LOGREJECT are not referenced by any rule in this dump.
-A INVALID_PKT -m logmark --logmark 60007 -j NFLOG --nflog-prefix "INVALID_PKT: "
-A INVALID_PKT -j DROP
-A LOGACCEPT -m addrtype --src-type BROADCAST -j ACCEPT
-A LOGACCEPT -m addrtype --dst-type BROADCAST -j ACCEPT
-A LOGACCEPT -j NFLOG --nflog-prefix "ACCEPT: "
-A LOGACCEPT -j CONFIRMED
-A LOGDROP -m addrtype --src-type BROADCAST -j DROP
-A LOGDROP -m addrtype --dst-type BROADCAST -j DROP
-A LOGDROP -j NFLOG --nflog-prefix "DROP: "
-A LOGDROP -j DROP
-A LOGREJECT -m addrtype --src-type BROADCAST -j REJECT --reject-with icmp-port-unreachable
-A LOGREJECT -m addrtype --dst-type BROADCAST -j REJECT --reject-with icmp-port-unreachable
-A LOGREJECT -j NFLOG --nflog-prefix "REJECT: "
-A LOGREJECT -j REJECT --reject-with icmp-port-unreachable
# Administrator forwarding policy: anything sourced from the LAN may be
# forwarded to any destination; everything else is dropped here, unlogged
# (this DROP is why FORWARD's final LOGDROP is never reached).
-A USR_FORWARD -s 192.168.23.0/24 -j CONFIRMED
-A USR_FORWARD -j DROP
COMMIT
# Completed on Wed Apr 21 12:58:16 2010