# Generated by iptables-save v1.4.9.1 on Sun Mar 20 09:01:11 2011
*raw
# Table "raw": traversed before connection tracking, so every verdict below is
# taken on the bare packet, without any conntrack state.
# Chain declarations follow. Built-in chains (PREROUTING, OUTPUT) carry a
# policy (ACCEPT here); user-defined chains show "-" because they have none.
# Bracketed figures are [packets:bytes] counters captured at save time.
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [44:4128]
:DOS_FLOOD_PROTECTION - [0:0]
:ICMP_FLOOD - [0:0]
:ICMP_FLOOD_DROP - [0:0]
:ICMP_FLOOD_DST - [0:0]
:ICMP_FLOOD_SRC - [0:0]
:INVALID_PKT - [0:0]
:LOCAL_TRAFFIC - [0:0]
:SANITY_CHECKS - [0:0]
:SPOOFING_PROTECTION - [0:0]
:SPOOF_DROP - [0:0]
:SYN_FLOOD - [0:0]
:SYN_FLOOD_DROP - [0:0]
:SYN_FLOOD_DST - [0:0]
:SYN_FLOOD_SRC - [0:0]
:UDP_FLOOD - [0:0]
:UDP_FLOOD_DROP - [0:0]
:UDP_FLOOD_DST - [0:0]
:UDP_FLOOD_SRC - [0:0]
# PREROUTING pipeline, in order: loopback-addressed traffic, header-length
# sanity checks, per-protocol rate limiting, anti-spoofing.
# NOTE(review): the loopback rule matches on addresses only (no "-i lo") and
# runs before SPOOFING_PROTECTION, so a packet with 127/8 source and
# destination is accepted and set NOTRACK here whatever interface it arrived
# on. Dropping such packets is left to the kernel's martian handling; confirm
# that is intended or add an interface match.
[982:385499] -A PREROUTING -s 127.0.0.0/8 -d 127.0.0.0/8 -j LOCAL_TRAFFIC 
[118:38181] -A PREROUTING -j SANITY_CHECKS 
# NOTE(review): rate limiting precedes anti-spoofing. Each *_FLOOD chain hands
# passing packets to SPOOFING_PROTECTION itself, so packets that are later
# dropped as spoofed have already been counted in the hashlimit buckets,
# including the per-destination ones. Consider whether spoof checks should
# run first.
[118:38181] -A PREROUTING -j DOS_FLOOD_PROTECTION 
# Reached only by packets that return from DOS_FLOOD_PROTECTION, i.e. protocols
# other than tcp/udp/icmp; every tcp/udp/icmp path ends in ACCEPT or DROP.
[0:0] -A PREROUTING -j SPOOFING_PROTECTION 
# OUTPUT: only loopback-addressed traffic is handled; all other locally
# generated packets fall through to the chain policy (ACCEPT).
[3146236:601139130] -A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -j LOCAL_TRAFFIC 
# DOS_FLOOD_PROTECTION: dispatch by IP protocol to the matching rate-limit
# chain. Any other protocol matches nothing here and returns to the caller.
[9480191:7587214003] -A DOS_FLOOD_PROTECTION -p tcp -j SYN_FLOOD 
[293105:218554889] -A DOS_FLOOD_PROTECTION -p udp -j UDP_FLOOD 
[15918:1336267] -A DOS_FLOOD_PROTECTION -p icmp -j ICMP_FLOOD 
# ICMP_FLOOD: two-stage hashlimit. A packet must fit the per-source budget
# (10/sec, burst 10) and then the per-destination budget (20/sec, burst 20)
# before it is handed to SPOOFING_PROTECTION; otherwise it goes to
# ICMP_FLOOD_DROP.
# NOTE(review): there is no --icmp-type match, so ICMP error messages share
# the same budgets as echo traffic. Confirm that is acceptable.
[15918:1336267] -A ICMP_FLOOD -j ICMP_FLOOD_SRC 
# Logging is itself capped at 5 records/sec; every over-limit packet is
# dropped whether or not it was logged.
[0:0] -A ICMP_FLOOD_DROP -m limit --limit 5/sec -m logmark --logmark 60014 -j NFLOG --nflog-prefix "ICMP_FLOOD: " 
[0:0] -A ICMP_FLOOD_DROP -j DROP 
# Stage 2: per-destination-IP budget, aggregated over all sources.
[15918:1336267] -A ICMP_FLOOD_DST -m hashlimit --hashlimit-upto 20/sec --hashlimit-burst 20 --hashlimit-mode dstip --hashlimit-name ICMP_FLOOD_DST -j SPOOFING_PROTECTION 
[0:0] -A ICMP_FLOOD_DST -j ICMP_FLOOD_DROP 
# Stage 1: per-source-IP budget.
[15918:1336267] -A ICMP_FLOOD_SRC -m hashlimit --hashlimit-upto 10/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name ICMP_FLOOD_SRC -j ICMP_FLOOD_DST 
[0:0] -A ICMP_FLOOD_SRC -j ICMP_FLOOD_DROP 
# INVALID_PKT: log via NFLOG, then drop. "logmark" is not a stock iptables
# match; presumably a vendor extension that tags the record with a numeric
# rule id (verify).
# NOTE(review): unlike the *_FLOOD_DROP chains, this NFLOG rule has no
# "-m limit", so every matching packet produces a log record.
[0:0] -A INVALID_PKT -m logmark --logmark 60007 -j NFLOG --nflog-prefix "INVALID_PKT: " 
[0:0] -A INVALID_PKT -j DROP 
# LOCAL_TRAFFIC: exempt the packet from connection tracking, then accept it.
# NOTRACK is non-terminating, so the ACCEPT that follows sees the same packets
# (the two counters are identical).
[6292462:1202277052] -A LOCAL_TRAFFIC -j NOTRACK 
[6292462:1202277052] -A LOCAL_TRAFFIC -j ACCEPT 
# SANITY_CHECKS: reject packets whose layer-4 length is shorter than the
# protocol's minimum header. "length2" is the xtables-addons length match;
# --layer4 measures from the start of the transport header.
# TCP: under 20 bytes cannot hold a TCP header.
[0:0] -A SANITY_CHECKS -p tcp -m length2 --layer4 --length 0:19 -j INVALID_PKT 
# UDP: under 8 bytes cannot hold a UDP header.
[0:0] -A SANITY_CHECKS -p udp -m length2 --layer4 --length 0:7 -j INVALID_PKT 
# NOTE(review): only 0-1 byte ICMP payloads are rejected, although an ICMP
# header is 8 bytes. Confirm whether 0:7 was intended.
[0:0] -A SANITY_CHECKS -p icmp -m length2 --layer4 --length 0:1 -j INVALID_PKT 
# SPOOFING_PROTECTION: one group of three rules per interface, then ACCEPT.
# The /32 addresses are presumably this host's own interface addresses
# (verify). Per group:
#   1. source equals the host address            -> drop (seen in PREROUTING,
#      so the packet claims to come from the firewall itself)
#   2. destination is the host address, but the packet arrived on a
#      different interface                        -> drop
#   3. source is in the interface's network, but the packet arrived on a
#      different interface                        -> drop
# eth1 / 203.217.93.74
[0:0] -A SPOOFING_PROTECTION -s 203.217.93.74/32 -j SPOOF_DROP 
# This is the only rule in the chain with hits at save time: packets addressed
# to the eth1 address that arrived on some other interface.
[44:21570] -A SPOOFING_PROTECTION -d 203.217.93.74/32 ! -i eth1 -j SPOOF_DROP 
# NOTE(review): shadowed. The network here is the same /32 as rule 1, which
# already drops every packet with this source, so this rule can never match.
[0:0] -A SPOOFING_PROTECTION -s 203.217.93.74/32 ! -i eth1 -j SPOOF_DROP 
# eth0.10 / 192.168.10.0/24
[0:0] -A SPOOFING_PROTECTION -s 192.168.10.1/32 -j SPOOF_DROP 
[0:0] -A SPOOFING_PROTECTION -d 192.168.10.1/32 ! -i eth0.10 -j SPOOF_DROP 
[0:0] -A SPOOFING_PROTECTION -s 192.168.10.0/24 ! -i eth0.10 -j SPOOF_DROP 
# eth0.111 / 192.168.111.0/24
[0:0] -A SPOOFING_PROTECTION -s 192.168.111.1/32 -j SPOOF_DROP 
[0:0] -A SPOOFING_PROTECTION -d 192.168.111.1/32 ! -i eth0.111 -j SPOOF_DROP 
[0:0] -A SPOOFING_PROTECTION -s 192.168.111.0/24 ! -i eth0.111 -j SPOOF_DROP 
# Terminal verdict for the raw table; later tables still see the packet.
# No other source ranges are checked in this chain.
[20:2135] -A SPOOFING_PROTECTION -j ACCEPT 
# SPOOF_DROP: log via NFLOG, then drop.
# NOTE(review): the log rule has no "-m limit" (the *_FLOOD_DROP chains cap
# theirs at 5/sec), so each spoof-classified packet yields a log record.
[84:34815] -A SPOOF_DROP -m logmark --logmark 60008 -j NFLOG --nflog-prefix "IP-SPOOFING DROP: " 
[84:34815] -A SPOOF_DROP -j DROP 
# SYN_FLOOD: only connection-opening segments are rate limited. Any TCP packet
# that is NOT "SYN set with RST and ACK clear" skips the limiter and goes
# straight to SPOOFING_PROTECTION. Other TCP flag combinations are therefore
# not rate limited in this table.
[9455965:7585955071] -A SYN_FLOOD -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j SPOOFING_PROTECTION 
# Initial SYNs: per-source budget first, then per-destination.
[24226:1258932] -A SYN_FLOOD -j SYN_FLOOD_SRC 
# Logging capped at 5 records/sec; the DROP applies to every over-limit SYN.
[0:0] -A SYN_FLOOD_DROP -m limit --limit 5/sec -m logmark --logmark 60012 -j NFLOG --nflog-prefix "SYN_FLOOD: " 
[0:0] -A SYN_FLOOD_DROP -j DROP 
# Stage 2: 200 SYN/sec (burst 200) per destination IP, summed over all
# sources. A busy listener can reach this with legitimate traffic, so size it
# against expected peak connection rates.
[24226:1258932] -A SYN_FLOOD_DST -m hashlimit --hashlimit-upto 200/sec --hashlimit-burst 200 --hashlimit-mode dstip --hashlimit-name SYN_FLOOD_DST -j SPOOFING_PROTECTION 
[0:0] -A SYN_FLOOD_DST -j SYN_FLOOD_DROP 
# Stage 1: 100 SYN/sec (burst 100) per source IP.
[24226:1258932] -A SYN_FLOOD_SRC -m hashlimit --hashlimit-upto 100/sec --hashlimit-burst 100 --hashlimit-mode srcip --hashlimit-name SYN_FLOOD_SRC -j SYN_FLOOD_DST 
[0:0] -A SYN_FLOOD_SRC -j SYN_FLOOD_DROP 
# UDP_FLOOD: traffic to or from UDP port 3401 bypasses the limiter (the reason
# is not visible in this dump). "1:65535" excludes only port 0.
# NOTE(review): the second exemption keys on the *source* port, which the
# sender chooses, so it is not restricted to replies from a known service.
# Consider narrowing it by address or interface.
[0:0] -A UDP_FLOOD -p udp -m udp --sport 1:65535 --dport 3401 -j SPOOFING_PROTECTION 
[0:0] -A UDP_FLOOD -p udp -m udp --sport 3401 --dport 1:65535 -j SPOOFING_PROTECTION 
# Everything else: per-source budget first, then per-destination.
[292954:218533797] -A UDP_FLOOD -j UDP_FLOOD_SRC 
# Logging capped at 5 records/sec; the DROP applies to every over-limit packet.
[0:0] -A UDP_FLOOD_DROP -m limit --limit 5/sec -m logmark --logmark 60013 -j NFLOG --nflog-prefix "UDP_FLOOD: " 
[0:0] -A UDP_FLOOD_DROP -j DROP 
# Stage 2: per-destination-IP budget. "303/sec" is most likely iptables-save
# printing back a configured 300/sec after hashlimit's internal integer
# rounding (burst is shown as 300). Verify against the generating config.
[293105:218554889] -A UDP_FLOOD_DST -m hashlimit --hashlimit-upto 303/sec --hashlimit-burst 300 --hashlimit-mode dstip --hashlimit-name UDP_FLOOD_DST -j SPOOFING_PROTECTION 
[0:0] -A UDP_FLOOD_DST -j UDP_FLOOD_DROP 
# Stage 1: 200 packets/sec (burst 200) per source IP.
[293105:218554889] -A UDP_FLOOD_SRC -m hashlimit --hashlimit-upto 200/sec --hashlimit-burst 200 --hashlimit-mode srcip --hashlimit-name UDP_FLOOD_SRC -j UDP_FLOOD_DST 
[0:0] -A UDP_FLOOD_SRC -j UDP_FLOOD_DROP 
# End of the raw table; iptables-restore applies the table at this point.
COMMIT
# Completed on Sun Mar 20 09:01:11 2011
