# Generated by iptables-save v1.4.9.1 on Fri Apr  1 22:50:15 2011
*ips
# NOTE(review): "ips" is not a stock netfilter table. This dump needs a vendor /
# patched kernel that also provides the `condition`, `logmark`, `length2`,
# `confirmed` and `psd` matches and the CONFIRMED target used in the other tables;
# iptables-restore on a stock kernel will reject it.
# Mark layout, as used by the rules below: low 12 bits (0xfff) = application class
# id written by the classifier on NFQUEUE 256 (see *mangle), 0x1000 = "skip
# further classification", 0x2000 = "log this class", 0x20000 = "IPS bypass"
# (set per connection by IPS_AUTO_OUTPUT here and in *filter).
:PREROUTING ACCEPT [33385:18378715]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [33585:15621853]
:AFC_ACTION - [0:0]
:AFC_ALERT - [0:0]
:AFC_BLOCK - [0:0]
:AFC_EXCEPTION - [0:0]
:AFC_LOG - [0:0]
:AFC_SKIP - [0:0]
:IPS_AUTO_OUTPUT - [0:0]
:IPS_USR_FORWARD - [0:0]
:IPS_USR_OUTPUT - [0:0]
:QOSMARK - [0:0]
# IPS_USR_FORWARD / IPS_USR_OUTPUT are user hook chains and are empty in this dump;
# AFC_EXCEPTION and AFC_BLOCK are declared but never referenced.
# INPUT: packets already carrying an AFC class in the low 16 mark bits are judged
# in AFC_ACTION first; the rest is either whitelisted past the IPS or queued to it.
-A INPUT -m mark ! --mark 0x0/0xffff -j AFC_ACTION 
# Management ports 2212, 4444 and 4494 skip the IPS queue. Each is accepted from
# ANY source (the 192.168.10.0/24 variants on the lines below are therefore
# redundant) and nothing here limits them to an interface, so this traffic is
# never inspected by the queue-0 engine. The real exposure is decided in *filter
# AUTO_INPUT, where the same ports are also open to any source.
-A INPUT -s 192.168.10.0/24 -p tcp -m tcp --sport 1:65535 --dport 2212 -j ACCEPT 
-A INPUT -p tcp -m tcp --sport 1:65535 --dport 2212 -j ACCEPT 
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 4444 -j ACCEPT 
-A INPUT -s 192.168.10.0/24 -p tcp -m tcp --sport 1024:65535 --dport 4444 -j ACCEPT 
-A INPUT -p tcp -m tcp --sport 1:65535 --dport 4494 -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p esp -j ACCEPT 
-A INPUT -p gre -j ACCEPT 
-A INPUT -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT 
# 0x20000 = per-connection IPS bypass. Condition "ips" is a runtime toggle
# (writable under /proc/net/nf_condition/) that, while set, lets ALL remaining
# traffic skip the IPS — a fail-open switch. "snort-takeover" presumably hands
# traffic to a stand-in listener on queue 16000 while the engine restarts (confirm).
# Queue 0 has no --queue-bypass: with no process bound to it, packets are DROPPED
# (fail-closed) — safe for an IPS, but it black-holes traffic whenever the engine
# is down and neither condition is set.
-A INPUT -m mark --mark 0x20000 -j ACCEPT 
-A INPUT -m condition --condition "ips" -j ACCEPT 
-A INPUT -m condition --condition "snort-takeover" -j NFQUEUE --queue-num 16000 
-A INPUT -j NFQUEUE --queue-num 0 
# FORWARD: same shape as INPUT; IPS_USR_FORWARD is a (currently empty) user hook for
# new connections, and connections tagged 0x20000 in the connmark bypass the IPS.
-A FORWARD -m conntrack --ctstate NEW -j IPS_USR_FORWARD 
-A FORWARD -m connmark --mark 0x20000/0x20000 -j ACCEPT 
-A FORWARD -p esp -j ACCEPT 
-A FORWARD -m condition --condition "ips" -j ACCEPT 
-A FORWARD -m condition --condition "snort-takeover" -j NFQUEUE --queue-num 16000 
-A FORWARD -j NFQUEUE --queue-num 0 
# OUTPUT: the firewall's own traffic. IPS_AUTO_OUTPUT whitelists the services the
# box itself needs (see below); replies from the admin ports skip the IPS, as does
# anything destined for 192.168.10.0/24 (but not 192.168.111.0/24).
-A OUTPUT -j IPS_AUTO_OUTPUT 
-A OUTPUT -j IPS_USR_OUTPUT 
-A OUTPUT -d 192.168.10.0/24 -p tcp -m tcp --sport 2212 --dport 1:65535 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --sport 2212 --dport 1:65535 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --sport 4444 --dport 1024:65535 -j ACCEPT 
-A OUTPUT -d 192.168.10.0/24 -p tcp -m tcp --sport 4444 --dport 1024:65535 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --sport 4494 --dport 1:65535 -j ACCEPT 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -p esp -j ACCEPT 
-A OUTPUT -p gre -j ACCEPT 
-A OUTPUT -d 192.168.10.0/24 -j ACCEPT 
-A OUTPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT 
-A OUTPUT -m condition --condition "ips" -j ACCEPT 
-A OUTPUT -m condition --condition "snort-takeover" -j NFQUEUE --queue-num 16000 
-A OUTPUT -j NFQUEUE --queue-num 0 
# POSTROUTING: apply the AFC verdict to outbound/forwarded traffic, persist the
# skip bit (0x1000) into the connmark, then wipe the packet mark before QoS
# classification so QOSMARK starts from zero.
-A POSTROUTING -m mark ! --mark 0x0/0xffff -j AFC_ACTION 
-A POSTROUTING -m mark --mark 0x1000/0x1000 -j CONNMARK --set-xmark 0x1000/0x1000 
-A POSTROUTING -j MARK --set-xmark 0x0/0xffffffff 
-A POSTROUTING ! -o lo -j QOSMARK 
# AFC_ACTION: persist the class id (low 12 bits) into the connmark, log if 0x2000
# is set, then honour the skip bit. Listed class ids are DROPped; classes 0x2,
# 0x2e and 0x26 are whitelisted for the rest of the connection via AFC_SKIP
# (-g = goto, so AFC_SKIP's CONNMARK is the last action for them).
# Dropped classes leave NO log record: AFC_LOG RETURNs for every id that is
# dropped here, and AFC_BLOCK (the only chain with a "blocked" NFLOG prefix) is
# never referenced. If blocked-application events are expected in the logs,
# that is a detection gap.
-A AFC_ACTION -j CONNMARK --save-mark --nfmask 0xfff --ctmask 0xfff 
-A AFC_ACTION -m mark --mark 0x2000/0x2000 -j AFC_LOG 
-A AFC_ACTION -m connmark --mark 0x1000/0x1000 -j RETURN 
-A AFC_ACTION -m mark --mark 0x2/0xfff -g AFC_SKIP 
-A AFC_ACTION -m mark --mark 0x90/0xfff -j DROP 
-A AFC_ACTION -m mark --mark 0x91/0xfff -j DROP 
-A AFC_ACTION -m mark --mark 0x8f/0xfff -j DROP 
-A AFC_ACTION -m mark --mark 0x210/0xfff -j DROP 
-A AFC_ACTION -m mark --mark 0x2e/0xfff -g AFC_SKIP 
-A AFC_ACTION -m mark --mark 0x26/0xfff -g AFC_SKIP 
-A AFC_ACTION -m mark --mark 0x21a/0xfff -j DROP 
-A AFC_ACTION -m mark --mark 0x92/0xfff -j DROP 
-A AFC_ACTION -m mark --mark 0x8e/0xfff -j DROP 
-A AFC_ACTION -m mark --mark 0x85/0xfff -j DROP 
-A AFC_ACTION -m mark --mark 0x73/0xfff -j DROP 
# Log chains: NFLOG at most 1/s (burst 3) per (src,dst) pair.
-A AFC_ALERT -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 3 --hashlimit-mode srcip,dstip --hashlimit-name afc_limit_host -j NFLOG --nflog-prefix "AFC_ALERT " 
-A AFC_BLOCK -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 3 --hashlimit-mode srcip,dstip --hashlimit-name afc_limit_host -j NFLOG --nflog-prefix "AFC_BLOCK " 
# AFC_LOG: only the whitelisted classes (0x2, 0x2e, 0x26) are actually logged.
-A AFC_LOG -m mark --mark 0x2/0xfff -g AFC_ALERT 
-A AFC_LOG -m mark --mark 0x90/0xfff -j RETURN 
-A AFC_LOG -m mark --mark 0x91/0xfff -j RETURN 
-A AFC_LOG -m mark --mark 0x8f/0xfff -j RETURN 
-A AFC_LOG -m mark --mark 0x210/0xfff -j RETURN 
-A AFC_LOG -m mark --mark 0x2e/0xfff -g AFC_ALERT 
-A AFC_LOG -m mark --mark 0x26/0xfff -g AFC_ALERT 
-A AFC_LOG -m mark --mark 0x21a/0xfff -j RETURN 
-A AFC_LOG -m mark --mark 0x92/0xfff -j RETURN 
-A AFC_LOG -m mark --mark 0x8e/0xfff -j RETURN 
-A AFC_LOG -m mark --mark 0x85/0xfff -j RETURN 
-A AFC_LOG -m mark --mark 0x73/0xfff -j RETURN 
# AFC_SKIP: mark the whole connection as "no further classification".
-A AFC_SKIP -j CONNMARK --set-xmark 0x1000/0x1000 
# IPS_AUTO_OUTPUT: locally generated DNS, HTTP/HTTPS (except from the httpproxy
# user), SMTP to the single relay, NTP to the ipset, and anything already marked
# 0x20000 skip the IPS. Same list as *filter IPS_AUTO_OUTPUT, which sets the bit.
-A IPS_AUTO_OUTPUT -p tcp -m tcp --sport 53:65535 --dport 53 -j ACCEPT 
-A IPS_AUTO_OUTPUT -p udp -m udp --sport 53:65535 --dport 53 -j ACCEPT 
-A IPS_AUTO_OUTPUT -p tcp -m tcp --sport 1024:65535 -m multiport --dports 80,443 -m owner ! --uid-owner httpproxy -j ACCEPT 
-A IPS_AUTO_OUTPUT -d 203.0.178.192/32 -p tcp -m tcp --sport 1:65535 --dport 25 -j ACCEPT 
-A IPS_AUTO_OUTPUT -p udp -m set --match-set EYpmRsA/iVIwLo/LjnC16A dst -m udp --sport 123:65535 --dport 123 -j ACCEPT 
-A IPS_AUTO_OUTPUT -m mark --mark 0x20000 -j ACCEPT 
# QOSMARK: 0x2 = AFC class 0x2 from the LAN (taken from the connmark), 0x2710 =
# TOS 0x10 from 192.168.111.0/24, 0x2711 = SMTP from the LAN. A mark that is
# already non-zero is left alone (L95).
-A QOSMARK -s 192.168.10.0/24 -m connmark --mark 0x2/0xfff -j MARK --set-xmark 0x2/0xffffffff 
-A QOSMARK -m mark ! --mark 0x0 -j RETURN 
-A QOSMARK -s 192.168.111.0/24 -m tos --tos 0x10/0xff -j MARK --set-xmark 0x2710/0xffffffff 
-A QOSMARK -s 192.168.111.0/24 -m tos --tos 0x10/0xff -j RETURN 
-A QOSMARK -s 192.168.10.0/24 -p tcp -m tcp --sport 1:65535 --dport 25 -j MARK --set-xmark 0x2711/0xffffffff 
-A QOSMARK -s 192.168.10.0/24 -p tcp -m tcp --sport 1:65535 --dport 25 -j RETURN 
COMMIT
# Completed on Fri Apr  1 22:50:15 2011
# Generated by iptables-save v1.4.9.1 on Fri Apr  1 22:50:15 2011
*mangle
:PREROUTING ACCEPT [29744:17985460]
:INPUT ACCEPT [20352:11852720]
:FORWARD ACCEPT [8587:4072515]
:OUTPUT ACCEPT [25114:11708413]
:POSTROUTING ACCEPT [28117:13349910]
:AFC_DETECT - [0:0]
:AFC_EXCEPTIONS_ALL - [0:0]
:AFC_EXCEPTIONS_IN - [0:0]
:AFC_EXCEPTIONS_OUT - [0:0]
:FLOW_MONITOR - [0:0]
:GEOIP_DROP - [0:0]
:GEOIP_FORWARD - [0:0]
:GEOIP_IN - [0:0]
:POLICY_ROUTING_OUT - [0:0]
:POLICY_ROUTING_PRE - [0:0]
:SANITYCHECK_FORWARD - [0:0]
:SANITYCHECK_IN - [0:0]
:TPROXY_DIVERT - [0:0]
:TPROXY_DIVERT_HTTP - [0:0]
:TPROXY_HOOK - [0:0]
:TPROXY_HOOK_HTTP - [0:0]
# Scaffolding in this table: GEOIP_* and SANITYCHECK_* are empty and never
# referenced (no geo-blocking is active in this dump); POLICY_ROUTING_* and
# AFC_EXCEPTIONS_ALL are referenced but empty; FLOW_MONITOR only clears the
# top connmark byte.
# PREROUTING: the transparent-proxy hook runs first; FTP data channels are
# NFLOGged (only matches if the ftp conntrack helper is loaded).
-A PREROUTING -j TPROXY_HOOK 
-A PREROUTING -j POLICY_ROUTING_PRE 
-A PREROUTING -j FLOW_MONITOR 
-A PREROUTING -m conntrack --ctstate RELATED -m helper --helper "ftp" -m logmark --logmark 60010 -j NFLOG --nflog-prefix "FTP_DATA: " 
# INPUT: known local services get a fixed class (0x1000 | id) written into the
# connmark so the classifier is skipped for them; every other non-loopback
# TCP/UDP packet of a not-yet-skipped connection goes to the classifier on
# NFQUEUE 256. --bypass = accept when no listener is bound (fail-open), which is
# appropriate for a classifier that only annotates traffic.
-A INPUT -j AFC_EXCEPTIONS_IN 
-A INPUT -j AFC_EXCEPTIONS_ALL 
-A INPUT -i lo -j MARK --set-xmark 0x0/0xffff 
-A INPUT ! -i lo -p tcp -m connmark ! --mark 0x1000/0x1000 -j NFQUEUE --queue-num 256 --bypass 
-A INPUT ! -i lo -p udp -m connmark ! --mark 0x1000/0x1000 -j NFQUEUE --queue-num 256 --bypass 
# FORWARD: log SIP-related RTP streams; clamp MSS on ppp0 (1452 is consistent with
# a 1492-byte PPPoE MTU minus 40 bytes of IP+TCP header — confirm link MTU).
-A FORWARD -m conntrack --ctstate RELATED -m helper --helper "sip" -m logmark --logmark 60018 -j NFLOG --nflog-prefix "SIP Call RTP: " 
-A FORWARD -i ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1452 
-A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1452 
# OUTPUT: a new locally-originated connection carrying packet mark 0x80000
# (presumably set by the proxy process on its socket — confirm) is tagged
# 0x40000 in the connmark so its replies are diverted by TPROXY_HOOK.
-A OUTPUT -m conntrack --ctstate NEW -m mark --mark 0x80000/0x80000 -j CONNMARK --set-xmark 0x40000/0x40000 
-A OUTPUT -j AFC_EXCEPTIONS_OUT 
-A OUTPUT -j POLICY_ROUTING_OUT 
# POSTROUTING: classify everything not yet skipped, after clearing the packet mark.
-A POSTROUTING -j AFC_EXCEPTIONS_ALL 
-A POSTROUTING -j FLOW_MONITOR 
-A POSTROUTING -j MARK --set-xmark 0x0/0xffff 
-A POSTROUTING ! -o lo -m connmark ! --mark 0x1000/0x1000 -j AFC_DETECT 
# AFC_DETECT: L147 and L148 are dead rules — NFQUEUE on L146 is a terminal verdict
# for this table (with --bypass and no listener the packet continues at the next
# hook, not at the next rule), so nothing after it in this chain is evaluated.
-A AFC_DETECT -m conntrack --ctstate UNTRACKED -j RETURN 
-A AFC_DETECT -p esp -j RETURN 
-A AFC_DETECT -j NFQUEUE --queue-num 256 --bypass 
-A AFC_DETECT -j NFQUEUE --queue-num 256 --bypass 
-A AFC_DETECT -m owner --socket-exists -j NFQUEUE --queue-num 256 --bypass 
# AFC_EXCEPTIONS_IN: fixed class ids for inbound connections to local services
# (0x104a = 2212, 0x1231 = 4444, 0x1232 = 4494, 0x1049 = 8110/8111, 0x1056 =
# 500/4500 IKE and NAT-T, 0x1233 = 3400, 0x11de = 443). The 443 rules are not
# source-restricted and cover UDP as well as TCP.
-A AFC_EXCEPTIONS_IN -p tcp -m tcp --sport 1:65535 --dport 2212 -j CONNMARK --set-xmark 0x104a/0xffff 
-A AFC_EXCEPTIONS_IN -p tcp -m tcp --sport 1:65535 --dport 4444 -j CONNMARK --set-xmark 0x1231/0xffff 
-A AFC_EXCEPTIONS_IN -p tcp -m tcp --sport 1:65535 --dport 4494 -j CONNMARK --set-xmark 0x1232/0xffff 
-A AFC_EXCEPTIONS_IN -p tcp -m tcp --sport 1:65535 --dport 8110 -j CONNMARK --set-xmark 0x1049/0xffff 
-A AFC_EXCEPTIONS_IN -p udp -m udp --sport 1:65535 --dport 4500 -j CONNMARK --set-xmark 0x1056/0xffff 
-A AFC_EXCEPTIONS_IN -p udp -m udp --sport 500 --dport 500 -j CONNMARK --set-xmark 0x1056/0xffff 
-A AFC_EXCEPTIONS_IN -p tcp -m tcp --sport 1:65535 --dport 3400 -j CONNMARK --set-xmark 0x1233/0xffff 
-A AFC_EXCEPTIONS_IN -p udp -m udp --sport 1:65535 --dport 3400 -j CONNMARK --set-xmark 0x1233/0xffff 
-A AFC_EXCEPTIONS_IN -p tcp -m tcp --sport 1:65535 --dport 8111 -j CONNMARK --set-xmark 0x1049/0xffff 
-A AFC_EXCEPTIONS_IN -p tcp -m tcp --sport 1:65535 --dport 443 -j CONNMARK --set-xmark 0x11de/0xffff 
-A AFC_EXCEPTIONS_IN -p udp -m udp --sport 1:65535 --dport 443 -j CONNMARK --set-xmark 0x11de/0xffff 
# AFC_EXCEPTIONS_OUT: same idea for locally-originated traffic (0x1234 = 3653,
# 0x1235 = 5072/3740/3874, 0x1236 = anything sent by the teredo user). All ICMP
# gets the bare skip bit (0x1000) and is never classified.
-A AFC_EXCEPTIONS_OUT -p udp -m udp --sport 1:65535 --dport 3653 -j CONNMARK --set-xmark 0x1234/0xffff 
-A AFC_EXCEPTIONS_OUT -p udp -m udp --sport 1:65535 -m multiport --dports 5072,3740,3874 -j CONNMARK --set-xmark 0x1235/0xffff 
-A AFC_EXCEPTIONS_OUT -m owner --uid-owner teredo -j CONNMARK --set-xmark 0x1236/0xffff 
-A AFC_EXCEPTIONS_OUT -p udp -m udp --sport 1:65535 --dport 4500 -j CONNMARK --set-xmark 0x1056/0xffff 
-A AFC_EXCEPTIONS_OUT -p udp -m udp --sport 500 --dport 500 -j CONNMARK --set-xmark 0x1056/0xffff 
-A AFC_EXCEPTIONS_OUT -p tcp -m tcp --sport 1:65535 --dport 3400 -j CONNMARK --set-xmark 0x1233/0xffff 
-A AFC_EXCEPTIONS_OUT -p udp -m udp --sport 1:65535 --dport 3400 -j CONNMARK --set-xmark 0x1233/0xffff 
-A AFC_EXCEPTIONS_OUT -p tcp -m tcp --sport 1:65535 --dport 8111 -j CONNMARK --set-xmark 0x1049/0xffff 
-A AFC_EXCEPTIONS_OUT -p tcp -m tcp --sport 1:65535 --dport 443 -j CONNMARK --set-xmark 0x11de/0xffff 
-A AFC_EXCEPTIONS_OUT -p udp -m udp --sport 1:65535 --dport 443 -j CONNMARK --set-xmark 0x11de/0xffff 
-A AFC_EXCEPTIONS_OUT -p icmp -j CONNMARK --set-xmark 0x1000/0x1000 
-A FLOW_MONITOR -j CONNMARK --set-xmark 0x0/0xff000000 
# TPROXY_DIVERT: packets of an already-diverted connection only get mark 0x40000
# (used by policy routing to deliver them to the local proxy socket) and leave
# the table.
-A TPROXY_DIVERT -j MARK --set-xmark 0x40000/0xffffffff 
-A TPROXY_DIVERT -j ACCEPT 
# TPROXY_DIVERT_HTTP: new flows are redirected to the listener on 18080. Both 80
# and 443 land on that one port, so the proxy has to cope with raw TLS there
# (confirm it does; otherwise HTTPS from 192.168.10.0/24 breaks).
-A TPROXY_DIVERT_HTTP -m conntrack --ctstate ESTABLISHED --ctstatus ASSURED -j CONNMARK --set-xmark 0x40000/0x40000 
-A TPROXY_DIVERT_HTTP -p tcp -j TPROXY --on-port 18080 --on-ip 0.0.0.0 --tproxy-mark 0x40000/0x40000 
# TPROXY_HOOK: established diverted connections first, then new TCP to 80/443 that
# is not addressed to the firewall itself.
-A TPROXY_HOOK ! -i lo -m conntrack --ctstate RELATED,ESTABLISHED -m connmark --mark 0x40000/0x40000 -j TPROXY_DIVERT 
-A TPROXY_HOOK ! -i lo -p tcp -m tcp --sport 1:65535 -m multiport --dports 80,443 -m addrtype ! --dst-type LOCAL -j TPROXY_HOOK_HTTP 
# TPROXY_HOOK_HTTP: only 192.168.10.0/24 is transparently proxied; 192.168.111.0/24
# never reaches this chain and goes out unproxied. Traffic to or from
# 203.39.149.112 is exempted (the role of that host is not visible in this file;
# *filter AUTO_FORWARD has matching allow rules for it).
-A TPROXY_HOOK_HTTP -s 203.39.149.112/32 -p tcp -m tcp --sport 1:65535 --dport 80 -j RETURN 
-A TPROXY_HOOK_HTTP -s 203.39.149.112/32 -p tcp -m tcp --sport 1:65535 --dport 443 -j RETURN 
-A TPROXY_HOOK_HTTP -d 203.39.149.112/32 -p tcp -m tcp --sport 1:65535 --dport 80 -j RETURN 
-A TPROXY_HOOK_HTTP -d 203.39.149.112/32 -p tcp -m tcp --sport 1:65535 --dport 443 -j RETURN 
-A TPROXY_HOOK_HTTP -s 192.168.10.0/24 -p tcp -m tcp --sport 1:65535 --dport 80 -j TPROXY_DIVERT_HTTP 
-A TPROXY_HOOK_HTTP -s 192.168.10.0/24 -p tcp -m tcp --sport 1:65535 --dport 443 -j TPROXY_DIVERT_HTTP 
COMMIT
# Completed on Fri Apr  1 22:50:15 2011
# Generated by iptables-save v1.4.9.1 on Fri Apr  1 22:50:15 2011
*nat
:PREROUTING ACCEPT [4472:334709]
:POSTROUTING ACCEPT [6817:473853]
:OUTPUT ACCEPT [7894:1886526]
:AUTO_OUTPUT - [0:0]
:AUTO_POST - [0:0]
:AUTO_PRE - [0:0]
:LOAD_BALANCING - [0:0]
:USR_OUTPUT - [0:0]
:USR_POST - [0:0]
:USR_PRE - [0:0]
# Generated (AUTO_*) rules run before user (USR_*) rules in every hook.
# AUTO_OUTPUT, AUTO_POST and LOAD_BALANCING are empty in this dump.
-A PREROUTING -j AUTO_PRE 
-A PREROUTING -j USR_PRE 
-A PREROUTING -j LOAD_BALANCING 
-A POSTROUTING -j AUTO_POST 
-A POSTROUTING -j USR_POST 
-A OUTPUT -j AUTO_OUTPUT 
-A OUTPUT -j USR_OUTPUT 
# AUTO_PRE: local-port redirects.
# L205 matches destination 1.2.3.4 on eth0.10 — this looks like a placeholder /
# example address rather than a real service; confirm before relying on it.
# L206 exempts the admin port from the REDIRECTs that follow.
# POP3 (110) and FTP (21) from the LAN are diverted to the local proxies on
# 8110 / 2121. L209 diverts SMTP from ANY source on ANY interface to the
# firewall's own port 25: all transiting SMTP, including LAN clients talking to
# an external MTA, is intercepted locally and never reaches its original
# destination directly (the matching inbound allow is *filter AUTO_INPUT L334).
-A AUTO_PRE -d 1.2.3.4/32 -i eth0.10 -p tcp -m tcp --sport 1024:65535 --dport 2712 -j REDIRECT --to-ports 2712 
-A AUTO_PRE -p tcp -m tcp --sport 1024:65535 --dport 4444 -m addrtype --dst-type LOCAL -j ACCEPT 
-A AUTO_PRE -s 192.168.10.0/24 -p tcp -m tcp --sport 1:65535 --dport 110 -j REDIRECT --to-ports 8110 
-A AUTO_PRE -s 192.168.10.0/24 -p tcp -m tcp --sport 1:65535 --dport 21 -j REDIRECT --to-ports 2121 
-A AUTO_PRE -p tcp -m tcp --sport 1:65535 --dport 25 -j REDIRECT --to-ports 25 
# USR_OUTPUT / USR_PRE: port-forward 3724/tcp+udp on the WAN address
# (124.168.94.217) to a LAN host. Each chain holds two NFLOG+DNAT pairs; the first
# DNAT (to 192.168.10.250) matches every such packet, so the second pair to
# 192.168.10.251 (L216-217 here, L226-227 in USR_PRE) and its NFLOG lines can
# never match. Either .251 is a stale generated rule or two hosts were meant to
# share the port, which a plain DNAT cannot do — the *filter AUTO_FORWARD rules
# for .251 are dead for the same reason.
# USR_PRE is not restricted to ppp0, so LAN clients addressing the WAN IP are
# DNATed as well, but USR_POST only masquerades on ppp0: there is no SNAT for the
# hairpin case, so the .250 host would reply to the LAN client directly and the
# connection may not complete — confirm whether hairpin access is expected.
-A USR_OUTPUT -d 124.168.94.217/32 -p tcp -m tcp --sport 1:65535 --dport 3724 -m logmark --logmark 60021 -j NFLOG 
-A USR_OUTPUT -d 124.168.94.217/32 -p udp -m udp --sport 1:65535 --dport 3724 -m logmark --logmark 60021 -j NFLOG 
-A USR_OUTPUT -d 124.168.94.217/32 -p tcp -m tcp --sport 1:65535 --dport 3724 -j DNAT --to-destination 192.168.10.250:3724 
-A USR_OUTPUT -d 124.168.94.217/32 -p udp -m udp --sport 1:65535 --dport 3724 -j DNAT --to-destination 192.168.10.250:3724 
-A USR_OUTPUT -d 124.168.94.217/32 -p tcp -m tcp --sport 1:65535 --dport 3724 -m logmark --logmark 60021 -j NFLOG 
-A USR_OUTPUT -d 124.168.94.217/32 -p udp -m udp --sport 1:65535 --dport 3724 -m logmark --logmark 60021 -j NFLOG 
-A USR_OUTPUT -d 124.168.94.217/32 -p tcp -m tcp --sport 1:65535 --dport 3724 -j DNAT --to-destination 192.168.10.251:3724 
-A USR_OUTPUT -d 124.168.94.217/32 -p udp -m udp --sport 1:65535 --dport 3724 -j DNAT --to-destination 192.168.10.251:3724 
# USR_POST: masquerade both LANs behind ppp0, except traffic covered by an IPsec
# policy (--pol none) so tunnelled subnets keep their real source addresses.
-A USR_POST -s 192.168.10.0/24 -o ppp0 -m policy --dir out --pol none -j MASQUERADE 
-A USR_POST -s 192.168.111.0/24 -o ppp0 -m policy --dir out --pol none -j MASQUERADE 
-A USR_PRE -d 124.168.94.217/32 -p tcp -m tcp --sport 1:65535 --dport 3724 -m logmark --logmark 60021 -j NFLOG 
-A USR_PRE -d 124.168.94.217/32 -p udp -m udp --sport 1:65535 --dport 3724 -m logmark --logmark 60021 -j NFLOG 
-A USR_PRE -d 124.168.94.217/32 -p tcp -m tcp --sport 1:65535 --dport 3724 -j DNAT --to-destination 192.168.10.250:3724 
-A USR_PRE -d 124.168.94.217/32 -p udp -m udp --sport 1:65535 --dport 3724 -j DNAT --to-destination 192.168.10.250:3724 
-A USR_PRE -d 124.168.94.217/32 -p tcp -m tcp --sport 1:65535 --dport 3724 -m logmark --logmark 60021 -j NFLOG 
-A USR_PRE -d 124.168.94.217/32 -p udp -m udp --sport 1:65535 --dport 3724 -m logmark --logmark 60021 -j NFLOG 
-A USR_PRE -d 124.168.94.217/32 -p tcp -m tcp --sport 1:65535 --dport 3724 -j DNAT --to-destination 192.168.10.251:3724 
-A USR_PRE -d 124.168.94.217/32 -p udp -m udp --sport 1:65535 --dport 3724 -j DNAT --to-destination 192.168.10.251:3724 
COMMIT
# Completed on Fri Apr  1 22:50:15 2011
# Generated by iptables-save v1.4.9.1 on Fri Apr  1 22:50:15 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:AUTO_FORWARD - [0:0]
:AUTO_INPUT - [0:0]
:AUTO_OUTPUT - [0:0]
:GEOIP_OUT - [0:0]
:GEOIP_REJECT - [0:0]
:HA - [0:0]
:INVALID_PKT - [0:0]
:IPS_AUTO_OUTPUT - [0:0]
:IPS_USR_OUTPUT - [0:0]
:LOGACCEPT - [0:0]
:LOGDROP - [0:0]
:LOGREJECT - [0:0]
:PSD_ACTION - [0:0]
:PSD_MATCH - [0:0]
:SANITY_CHECKS - [0:0]
:STRICT_TCP_STATE - [0:0]
:USR_FORWARD - [0:0]
:USR_INPUT - [0:0]
:USR_OUTPUT - [0:0]
# Default-deny on all three built-in chains.
# CONFIRMED and `-m confirmed` are vendor extensions used everywhere a stock
# ruleset would say ACCEPT; from their use here (`-m confirmed -j ACCEPT` as the
# first real rule of each chain, CONFIRMED as the terminal allow) they appear to
# flag a connection as accepted so later packets take the fast path — confirm
# against the module source before assuming CONFIRMED is terminal.
# Unused scaffolding in this table: GEOIP_OUT, GEOIP_REJECT, INVALID_PKT,
# LOGREJECT and STRICT_TCP_STATE are never referenced; HA, SANITY_CHECKS,
# IPS_USR_OUTPUT and USR_OUTPUT are referenced but empty.
# INPUT: restore the IPS-bypass bit from the connmark, fast-path confirmed and
# related traffic, then port-scan detection and the generated / user rule
# chains; whatever is left is logged and dropped. PSD_MATCH precedes the allow
# rules, so every new inbound packet — legitimate or not — feeds the scan score.
-A INPUT -j CONNMARK --restore-mark --nfmask 0x20000 --ctmask 0x20000 
-A INPUT -i lo -j ACCEPT 
-A INPUT -m confirmed -j ACCEPT 
-A INPUT -m conntrack --ctstate RELATED -j CONFIRMED 
-A INPUT -j HA 
-A INPUT -j PSD_MATCH 
-A INPUT -j SANITY_CHECKS 
-A INPUT -j AUTO_INPUT 
-A INPUT -j USR_INPUT 
-A INPUT -m logmark --logmark 60001 -j LOGDROP 
-A FORWARD -m confirmed -j ACCEPT 
-A FORWARD -m conntrack --ctstate RELATED -j CONFIRMED 
-A FORWARD -j PSD_MATCH 
-A FORWARD -j SANITY_CHECKS 
-A FORWARD -j AUTO_FORWARD 
-A FORWARD -j USR_FORWARD 
-A FORWARD -m logmark --logmark 60002 -j LOGDROP 
# OUTPUT: tag IPS-bypass connections, then refuse packets on lo addressed to the
# admin ports 4444/4494 unless they come from 127.0.0.0/8.
# L278 is a runtime kill-switch: while condition "OUTPUT_ACCEPT_ALL" is set
# (writable via /proc/net/nf_condition/), any root-owned socket may send
# anything, so egress filtering for root processes depends on that proc entry
# staying 0.
-A OUTPUT -m conntrack --ctstate NEW -j IPS_AUTO_OUTPUT 
-A OUTPUT -m conntrack --ctstate NEW -j IPS_USR_OUTPUT 
-A OUTPUT ! -s 127.0.0.0/8 -o lo -p tcp -m tcp --sport 1024:65535 --dport 4444 -m logmark --logmark 60005 -j LOGDROP 
-A OUTPUT ! -s 127.0.0.0/8 -o lo -p tcp -m tcp --sport 1:65535 --dport 4494 -m logmark --logmark 60005 -j LOGDROP 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -m confirmed -j ACCEPT 
-A OUTPUT -m conntrack --ctstate RELATED -j CONFIRMED 
-A OUTPUT -m condition --condition "OUTPUT_ACCEPT_ALL" -m owner --uid-owner root --gid-owner root -j CONFIRMED 
-A OUTPUT -j HA 
-A OUTPUT -j SANITY_CHECKS 
-A OUTPUT -j AUTO_OUTPUT 
-A OUTPUT -j USR_OUTPUT 
-A OUTPUT -m logmark --logmark 60003 -j LOGDROP 
# AUTO_FORWARD (generated transit rules).
# L284 and L285 are identical (both --dport 80). The TPROXY exemptions for the
# same host in *mangle cover 80 AND 443 in each direction, so L285 was probably
# meant to be --dport 443 — as written, 203.39.149.112 -> :443 is not allowed by
# this pair; confirm against the generator.
# L288 confirms ALL ICMP, which makes L289, L290 and L292 redundant.
# L291 forwards the usual UDP traceroute ranges. L293 trusts the whole
# 10.242.2.0/24 arriving on tun0 into the LAN without port restrictions.
# L294-297 only accept the 3724 port-forward when conntrack saw the original
# destination as the WAN address (--ctorigdst), so packets sent directly to
# .250/.251 are not let in; the .251 rules are unreachable because *nat DNATs
# every such packet to .250.
-A AUTO_FORWARD -s 203.39.149.112/32 -p tcp -m tcp --sport 1:65535 --dport 80 -j CONFIRMED 
-A AUTO_FORWARD -s 203.39.149.112/32 -p tcp -m tcp --sport 1:65535 --dport 80 -j CONFIRMED 
-A AUTO_FORWARD -d 203.39.149.112/32 -p tcp -m tcp --sport 1:65535 --dport 80 -j CONFIRMED 
-A AUTO_FORWARD -d 203.39.149.112/32 -p tcp -m tcp --sport 1:65535 --dport 443 -j CONFIRMED 
-A AUTO_FORWARD -p icmp -j CONFIRMED 
-A AUTO_FORWARD -p icmp -m icmp --icmp-type 8/0 -j CONFIRMED 
-A AUTO_FORWARD -p icmp -m icmp --icmp-type 0/0 -j CONFIRMED 
-A AUTO_FORWARD -p udp -m udp --sport 1024:65535 -m multiport --dports 33000:34000,44444:55555 -j CONFIRMED 
-A AUTO_FORWARD -p icmp -m icmp --icmp-type 11/0 -j CONFIRMED 
-A AUTO_FORWARD -s 10.242.2.0/24 -d 192.168.10.0/24 -i tun0 -j CONFIRMED 
-A AUTO_FORWARD -d 192.168.10.250/32 -p tcp -m tcp --sport 1:65535 --dport 3724 -m conntrack --ctorigdst 124.168.94.217 -j CONFIRMED 
-A AUTO_FORWARD -d 192.168.10.250/32 -p udp -m udp --sport 1:65535 --dport 3724 -m conntrack --ctorigdst 124.168.94.217 -j CONFIRMED 
-A AUTO_FORWARD -d 192.168.10.251/32 -p tcp -m tcp --sport 1:65535 --dport 3724 -m conntrack --ctorigdst 124.168.94.217 -j CONFIRMED 
-A AUTO_FORWARD -d 192.168.10.251/32 -p udp -m udp --sport 1:65535 --dport 3724 -m conntrack --ctorigdst 124.168.94.217 -j CONFIRMED 
-A AUTO_FORWARD -s 192.168.111.0/24 -p tcp -m set --match-set 3s3VYs4wcz4CDZhtzBC6zg dst -m tcp --sport 1:65535 --dport 5060 -j CONFIRMED 
-A AUTO_FORWARD -s 192.168.111.0/24 -p udp -m set --match-set 3s3VYs4wcz4CDZhtzBC6zg dst -m udp --sport 1:65535 --dport 5060 -j CONFIRMED 
# AUTO_INPUT: services the firewall itself exposes.
# *** Management exposure: 2212 (L304), 4444 (L306) and 4494 (L309) are CONFIRMED
# from ANY source on ANY interface, including ppp0 — the management plane is
# reachable from the Internet. The LAN-only variants (L303, L307) and the
# LOGDROP rules meant to catch the rest (L305, L308) are dead: the any-source
# rule before them always wins. If management was meant to be LAN-only, remove
# L304 and L306 and the LOGDROPs become effective again.
# Also world-reachable: 443 (L327), PPTP 1723 (L333), SMTP 25/465/587 (L334),
# and IP protocol 41 / 6in4 (L336) with no source restriction — any host can
# inject tunnelled IPv6 toward the tunnel endpoint.
# L320 confirms ICMP echo from anywhere; since AUTO_INPUT runs before USR_INPUT,
# the user's "no ping on the WAN IP" rule (L436) can never match if CONFIRMED
# is terminal.
# L324-326 repeat L321-323 verbatim. L330 accepts the POP3 proxy port only for
# connections that were DNATed there, which is the right way to expose a
# REDIRECT target.
-A AUTO_INPUT -i eth0.10 -p tcp -m tcp --sport 1024:65535 --dport 2712 -j CONFIRMED 
-A AUTO_INPUT -i eth0.10 -p udp -m udp --sport 1024:65535 --dport 415 -j CONFIRMED 
-A AUTO_INPUT -i eth0.10 -p udp -m udp --sport 1024:65535 --dport 3401 -j CONFIRMED 
-A AUTO_INPUT -s 192.168.10.0/24 -p tcp -m tcp --sport 1:65535 --dport 2212 -j CONFIRMED 
-A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 2212 -j CONFIRMED 
-A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 2212 -m logmark --logmark 60004 -j LOGDROP 
-A AUTO_INPUT -p tcp -m tcp --sport 1024:65535 --dport 4444 -m logmark --logmark 60006 -j LOGACCEPT 
-A AUTO_INPUT -s 192.168.10.0/24 -p tcp -m tcp --sport 1024:65535 --dport 4444 -m logmark --logmark 60006 -j LOGACCEPT 
-A AUTO_INPUT -p tcp -m tcp --sport 1024:65535 --dport 4444 -m logmark --logmark 60005 -j LOGDROP 
-A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 4494 -j CONFIRMED 
-A AUTO_INPUT -i aiccu -p udp -m udp --sport 68 --dport 67 -j CONFIRMED 
-A AUTO_INPUT -d 255.255.255.255/32 -i eth0.111 -p udp -m udp --sport 68 --dport 67 -j CONFIRMED 
-A AUTO_INPUT -s 192.168.111.0/24 -d 192.168.111.1/32 -i eth0.111 -p udp -m udp --sport 68 --dport 67 -j CONFIRMED 
-A AUTO_INPUT -d 255.255.255.255/32 -i eth0.10 -p udp -m udp --sport 68 --dport 67 -j CONFIRMED 
-A AUTO_INPUT -s 192.168.10.0/24 -d 192.168.10.1/32 -i eth0.10 -p udp -m udp --sport 68 --dport 67 -j CONFIRMED 
-A AUTO_INPUT -s 192.168.111.0/24 -p tcp -m tcp --sport 53:65535 --dport 53 -j CONFIRMED 
-A AUTO_INPUT -s 192.168.111.0/24 -p udp -m udp --sport 53:65535 --dport 53 -j CONFIRMED 
-A AUTO_INPUT -s 192.168.10.0/24 -p tcp -m tcp --sport 53:65535 --dport 53 -j CONFIRMED 
-A AUTO_INPUT -s 192.168.10.0/24 -p udp -m udp --sport 53:65535 --dport 53 -j CONFIRMED 
-A AUTO_INPUT -s 192.168.10.0/24 -p tcp -m tcp --sport 1:65535 --dport 8080 -j CONFIRMED 
-A AUTO_INPUT -p icmp -m icmp --icmp-type 8/0 -j CONFIRMED 
-A AUTO_INPUT -d 124.168.94.217/32 -p esp -m esp --espspi 256:4294967295 -j CONFIRMED 
-A AUTO_INPUT -d 124.168.94.217/32 -p ip -m policy --dir in --pol ipsec --mode transport -j CONFIRMED 
-A AUTO_INPUT -d 124.168.94.217/32 -p udp -m udp --sport 1:65535 -m multiport --dports 500,4500 -j CONFIRMED 
-A AUTO_INPUT -d 124.168.94.217/32 -p esp -m esp --espspi 256:4294967295 -j CONFIRMED 
-A AUTO_INPUT -d 124.168.94.217/32 -p ip -m policy --dir in --pol ipsec --mode transport -j CONFIRMED 
-A AUTO_INPUT -d 124.168.94.217/32 -p udp -m udp --sport 1:65535 -m multiport --dports 500,4500 -j CONFIRMED 
-A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 443 -j CONFIRMED 
-A AUTO_INPUT -s 192.168.111.0/24 -p udp -m udp --sport 123:65535 --dport 123 -j CONFIRMED 
-A AUTO_INPUT -s 192.168.10.0/24 -p udp -m udp --sport 123:65535 --dport 123 -j CONFIRMED 
-A AUTO_INPUT -s 192.168.10.0/24 -p tcp -m tcp --sport 1:65535 --dport 8110 -m conntrack --ctstate DNAT -j CONFIRMED 
-A AUTO_INPUT -s 192.168.10.0/24 -p tcp -m tcp --sport 1:65535 --dport 2121 -j CONFIRMED 
-A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 113 -j REJECT --reject-with icmp-port-unreachable 
-A AUTO_INPUT -p tcp -m tcp --sport 1024:65535 --dport 1723 -j CONFIRMED 
-A AUTO_INPUT -p tcp -m tcp --sport 1:65535 -m multiport --dports 25,465,587 -j CONFIRMED 
-A AUTO_INPUT -s 192.168.10.0/24 -p tcp -m tcp --sport 1:65535 --dport 1080 -j CONFIRMED 
-A AUTO_INPUT -p ipv6 -j CONFIRMED 
-A AUTO_INPUT -s 124.168.94.217/32 -p tcp -m tcp --sport 1:65535 --dport 3840 -j CONFIRMED 
-A AUTO_INPUT -s 192.168.10.0/24 -p tcp -m tcp --sport 1:65535 --dport 3840 -j CONFIRMED 
-A AUTO_INPUT -m mark --mark 0x40000/0x40000 -j CONFIRMED 
# AUTO_OUTPUT: what the firewall itself may originate.
# L375 and L378 (tcp, any dport, sport 1024+) and L379 (udp, same) confirm
# practically ALL outbound TCP/UDP, so the OUTPUT DROP policy effectively only
# enforces the source-port range; every narrower rule in this chain is
# redundant in practice. If egress control for the appliance itself matters,
# those three rules are the ones to question. L388 lets the snort user send
# anything.
# Verbatim duplicates: L369-371 repeat L366-368; L363, L374, L377, L384 and L386
# repeat L352; L383, L385 and L387 repeat L354; L364 and L391 repeat L345.
-A AUTO_OUTPUT -o aiccu -p udp -m udp --sport 67 --dport 68 -j CONFIRMED 
-A AUTO_OUTPUT -s 192.168.111.1/32 -d 255.255.255.255/32 -o eth0.111 -p udp -m udp --sport 67 --dport 67:68 -j CONFIRMED 
-A AUTO_OUTPUT -s 192.168.111.1/32 -d 192.168.111.0/24 -o eth0.111 -p udp -m udp --sport 67 --dport 67:68 -j CONFIRMED 
-A AUTO_OUTPUT -s 192.168.10.1/32 -d 255.255.255.255/32 -o eth0.10 -p udp -m udp --sport 67 --dport 67:68 -j CONFIRMED 
-A AUTO_OUTPUT -s 192.168.10.1/32 -d 192.168.10.0/24 -o eth0.10 -p udp -m udp --sport 67 --dport 67:68 -j CONFIRMED 
-A AUTO_OUTPUT -p icmp -m icmp --icmp-type 8/0 -j CONFIRMED 
-A AUTO_OUTPUT -p tcp -m tcp --sport 53:65535 --dport 53 -j CONFIRMED 
-A AUTO_OUTPUT -p udp -m udp --sport 53:65535 --dport 53 -j CONFIRMED 
-A AUTO_OUTPUT -p udp -m udp --sport 53 --dport 53:65535 -j CONFIRMED 
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 3840 -j CONFIRMED 
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 4444 -j CONFIRMED 
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 21 -j CONFIRMED 
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 80 -j CONFIRMED 
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 8080 -j CONFIRMED 
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 443 -j CONFIRMED 
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 389 -j CONFIRMED 
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 636 -j CONFIRMED 
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 8000:8060 -j CONFIRMED 
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 4494 -j CONFIRMED 
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 3724 -j CONFIRMED 
-A AUTO_OUTPUT -p udp -m udp --sport 1:65535 --dport 3724 -j CONFIRMED 
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 1119 -j CONFIRMED 
-A AUTO_OUTPUT -p udp -m udp --sport 1:65535 --dport 1119 -j CONFIRMED 
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 80 -j CONFIRMED 
-A AUTO_OUTPUT -p icmp -m icmp --icmp-type 8/0 -j CONFIRMED 
-A AUTO_OUTPUT -p udp -m udp --sport 1024:65535 -m multiport --dports 33000:34000,44444:55555 -j CONFIRMED 
-A AUTO_OUTPUT -s 124.168.94.217/32 -p esp -m esp --espspi 256:4294967295 -j CONFIRMED 
-A AUTO_OUTPUT -s 124.168.94.217/32 -p udp -m udp --sport 4500 --dport 1:65535 -j CONFIRMED 
-A AUTO_OUTPUT -s 124.168.94.217/32 -p udp -m udp --sport 500 --dport 1:65535 -j CONFIRMED 
-A AUTO_OUTPUT -s 124.168.94.217/32 -p esp -m esp --espspi 256:4294967295 -j CONFIRMED 
-A AUTO_OUTPUT -s 124.168.94.217/32 -p udp -m udp --sport 4500 --dport 1:65535 -j CONFIRMED 
-A AUTO_OUTPUT -s 124.168.94.217/32 -p udp -m udp --sport 500 --dport 1:65535 -j CONFIRMED 
-A AUTO_OUTPUT -p udp -m set --match-set EYpmRsA/iVIwLo/LjnC16A dst -m udp --sport 123:65535 --dport 123 -j CONFIRMED 
-A AUTO_OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 110 -j CONFIRMED 
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 80 -j CONFIRMED 
-A AUTO_OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1:65535 -j CONFIRMED 
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 -m multiport --dports 25,465,587 -j CONFIRMED 
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 80 -j CONFIRMED 
-A AUTO_OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1:65535 -j CONFIRMED 
-A AUTO_OUTPUT -p udp -m udp --sport 1024:65535 --dport 1:65535 -j CONFIRMED 
-A AUTO_OUTPUT -p tcp -m tcp --sport 1024:65535 -m multiport --dports 3740,3874,5072 -j CONFIRMED 
-A AUTO_OUTPUT -p udp -m udp --sport 1024:65535 -m multiport --dports 3740,3874,5072 -j CONFIRMED 
-A AUTO_OUTPUT -p ipv6 -j CONFIRMED 
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 443 -j CONFIRMED 
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 80 -j CONFIRMED 
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 443 -j CONFIRMED 
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 80 -j CONFIRMED 
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 443 -j CONFIRMED 
-A AUTO_OUTPUT -m owner --uid-owner snort --gid-owner snort -j CONFIRMED 
-A AUTO_OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -j CONFIRMED 
-A AUTO_OUTPUT -d 203.0.178.192/32 -p tcp -m tcp --sport 1:65535 --dport 25 -j CONFIRMED 
-A AUTO_OUTPUT -p icmp -m icmp --icmp-type 8/0 -j CONFIRMED 
-A AUTO_OUTPUT -d 79.125.8.19/32 -p tcp -m tcp --sport 1:65535 --dport 443 -j CONFIRMED 
# GEOIP_OUT: exemptions for the SMTP relay and the NTP ipset — but nothing jumps
# to this chain, so egress geo-blocking is not active in this dump.
-A GEOIP_OUT -d 203.0.178.192/32 -p tcp -m tcp --sport 1:65535 --dport 25 -j RETURN 
-A GEOIP_OUT -p udp -m set --match-set EYpmRsA/iVIwLo/LjnC16A dst -m udp --sport 123:65535 --dport 123 -j RETURN 
# INVALID_PKT: identical to the *raw chain of the same name; unreferenced here.
-A INVALID_PKT -m logmark --logmark 60007 -j NFLOG --nflog-prefix "INVALID_PKT: " 
-A INVALID_PKT -j DROP 
# IPS_AUTO_OUTPUT: the same whitelist as in *ips, here writing bit 0x20000 into the
# connmark so every later packet of the connection bypasses the IPS.
-A IPS_AUTO_OUTPUT -p tcp -m tcp --sport 53:65535 --dport 53 -j CONNMARK --set-xmark 0x20000/0x20000 
-A IPS_AUTO_OUTPUT -p udp -m udp --sport 53:65535 --dport 53 -j CONNMARK --set-xmark 0x20000/0x20000 
-A IPS_AUTO_OUTPUT -p tcp -m tcp --sport 1024:65535 -m multiport --dports 80,443 -m owner ! --uid-owner httpproxy -j CONNMARK --set-xmark 0x20000/0x20000 
-A IPS_AUTO_OUTPUT -d 203.0.178.192/32 -p tcp -m tcp --sport 1:65535 --dport 25 -j CONNMARK --set-xmark 0x20000/0x20000 
-A IPS_AUTO_OUTPUT -p udp -m set --match-set EYpmRsA/iVIwLo/LjnC16A dst -m udp --sport 123:65535 --dport 123 -j CONNMARK --set-xmark 0x20000/0x20000 
-A IPS_AUTO_OUTPUT -m mark --mark 0x20000 -j CONNMARK --set-xmark 0x20000/0x20000 
# LOGACCEPT / LOGDROP / LOGREJECT: broadcast traffic is handled silently; everything
# else is NFLOGged with a prefix first. Note LOGACCEPT ends in CONFIRMED, not ACCEPT.
-A LOGACCEPT -m addrtype --src-type BROADCAST -j ACCEPT 
-A LOGACCEPT -m addrtype --dst-type BROADCAST -j ACCEPT 
-A LOGACCEPT -j NFLOG --nflog-prefix "ACCEPT: " 
-A LOGACCEPT -j CONFIRMED 
-A LOGDROP -m addrtype --src-type BROADCAST -j DROP 
-A LOGDROP -m addrtype --dst-type BROADCAST -j DROP 
-A LOGDROP -j NFLOG --nflog-prefix "DROP: " 
-A LOGDROP -j DROP 
-A LOGREJECT -m addrtype --src-type BROADCAST -j REJECT --reject-with icmp-port-unreachable 
-A LOGREJECT -m addrtype --dst-type BROADCAST -j REJECT --reject-with icmp-port-unreachable 
-A LOGREJECT -j NFLOG --nflog-prefix "REJECT: " 
-A LOGREJECT -j REJECT --reject-with icmp-port-unreachable 
# Port-scan detection: a source whose score exceeds weight 21 within 300 s
# (privileged ports weigh 3, others 1) has the matching packets logged (<= 5/s)
# and dropped. How long later packets from that source keep matching depends on
# xt_psd's scoring window — confirm before treating this as a block list.
-A PSD_ACTION -m limit --limit 5/sec -m logmark --logmark 60017 -j NFLOG --nflog-prefix "PORTSCAN: " 
-A PSD_ACTION -j DROP 
-A PSD_MATCH -m psd --psd-weight-threshold 21 --psd-delay-threshold 300 --psd-lo-ports-weight 3 --psd-hi-ports-weight 1 -j PSD_ACTION 
# USR_FORWARD: per LAN, block outbound NTP and DNS (forcing clients onto the
# firewall's own resolver / NTP, which AUTO_INPUT allows) and SMB/NetBIOS
# (135/137/138/139/445), then log and accept everything else from that subnet.
# Neither accept rule restricts the destination or output interface, so
# 192.168.111.0/24 <-> 192.168.10.0/24 inter-VLAN traffic is permitted (subject
# only to the same port blocks); confirm that is intended.
-A USR_FORWARD -s 192.168.111.0/24 -p tcp -m tcp --sport 1:65535 --dport 123 -j DROP 
-A USR_FORWARD -s 192.168.111.0/24 -p udp -m udp --sport 1:65535 --dport 123 -j DROP 
-A USR_FORWARD -s 192.168.111.0/24 -p tcp -m tcp --sport 1:65535 --dport 53 -j DROP 
-A USR_FORWARD -s 192.168.111.0/24 -p udp -m udp --sport 1:65535 --dport 53 -j DROP 
-A USR_FORWARD -s 192.168.111.0/24 -p tcp -m tcp --sport 1:65535 -m multiport --dports 445,137,135 -j DROP 
-A USR_FORWARD -s 192.168.111.0/24 -p udp -m udp --sport 1:65535 -m multiport --dports 445,137,135 -j DROP 
-A USR_FORWARD -s 192.168.111.0/24 -p udp -m udp --sport 1:65535 --dport 138 -j DROP 
-A USR_FORWARD -s 192.168.111.0/24 -p tcp -m tcp --sport 1:65535 --dport 139 -j DROP 
-A USR_FORWARD -s 192.168.111.0/24 -m logmark --logmark 6 -j LOGACCEPT 
-A USR_FORWARD -s 192.168.10.0/24 -p tcp -m tcp --sport 1:65535 --dport 53 -j DROP 
-A USR_FORWARD -s 192.168.10.0/24 -p udp -m udp --sport 1:65535 --dport 53 -j DROP 
-A USR_FORWARD -s 192.168.10.0/24 -p tcp -m tcp --sport 1:65535 --dport 123 -j DROP 
-A USR_FORWARD -s 192.168.10.0/24 -p udp -m udp --sport 1:65535 --dport 123 -j DROP 
-A USR_FORWARD -s 192.168.10.0/24 -p tcp -m tcp --sport 1:65535 -m multiport --dports 445,137,135 -j DROP 
-A USR_FORWARD -s 192.168.10.0/24 -p udp -m udp --sport 1:65535 -m multiport --dports 445,137,135 -j DROP 
-A USR_FORWARD -s 192.168.10.0/24 -p udp -m udp --sport 1:65535 --dport 138 -j DROP 
-A USR_FORWARD -s 192.168.10.0/24 -p tcp -m tcp --sport 1:65535 --dport 139 -j DROP 
-A USR_FORWARD -s 192.168.10.0/24 -m logmark --logmark 12 -j LOGACCEPT 
# USR_INPUT: the only user rule. It is shadowed by AUTO_INPUT L320, which
# confirms echo requests from any source before this chain is reached.
-A USR_INPUT -d 124.168.94.217/32 -p icmp -m icmp --icmp-type 8/0 -j DROP 
COMMIT
# Completed on Fri Apr  1 22:50:15 2011
# Generated by iptables-save v1.4.9.1 on Fri Apr  1 22:50:15 2011
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [44070:22009410]
:DOS_FLOOD_PROTECTION - [0:0]
:ICMP_FLOOD - [0:0]
:ICMP_FLOOD_DROP - [0:0]
:ICMP_FLOOD_DST - [0:0]
:ICMP_FLOOD_SRC - [0:0]
:INVALID_PKT - [0:0]
:LOCAL_TRAFFIC - [0:0]
:SANITY_CHECKS - [0:0]
:SPOOFING_PROTECTION - [0:0]
:SPOOF_DROP - [0:0]
:SYN_FLOOD - [0:0]
:SYN_FLOOD_DROP - [0:0]
:SYN_FLOOD_DST - [0:0]
:SYN_FLOOD_SRC - [0:0]
:UDP_FLOOD - [0:0]
:UDP_FLOOD_DROP - [0:0]
:UDP_FLOOD_DST - [0:0]
:UDP_FLOOD_SRC - [0:0]
# raw runs before conntrack. An ACCEPT verdict here only ends raw-table
# traversal (the remaining raw rules are skipped); the packet still goes through
# mangle, nat and filter.
# Loopback-to-loopback traffic is exempted from conntrack (NOTRACK) and from the
# checks below.
-A PREROUTING -s 127.0.0.0/8 -d 127.0.0.0/8 -j LOCAL_TRAFFIC 
-A PREROUTING -j SANITY_CHECKS 
-A PREROUTING ! -i lo -j DOS_FLOOD_PROTECTION 
-A PREROUTING ! -i lo -j SPOOFING_PROTECTION 
-A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -j LOCAL_TRAFFIC 
# Flood limits: per-source cap first, then per-destination cap; packets over the
# limit are logged (<= 5/s) and dropped BEFORE conntrack, so they never become
# connections. Caveat: a per-destination cap (e.g. 200 SYN/s to one IP) is itself
# a DoS lever — one flooder, spoofed or not, can exhaust that destination's
# budget and have legitimate clients' SYNs dropped; the per-source cap only
# helps against non-spoofed floods.
-A DOS_FLOOD_PROTECTION -p tcp -j SYN_FLOOD 
-A DOS_FLOOD_PROTECTION -p udp -j UDP_FLOOD 
-A DOS_FLOOD_PROTECTION -p icmp -j ICMP_FLOOD 
# ICMP: 10/s per source, then 20/s per destination (burst equal to the rate).
-A ICMP_FLOOD -j ICMP_FLOOD_SRC 
-A ICMP_FLOOD_DROP -m limit --limit 5/sec -m logmark --logmark 60014 -j NFLOG --nflog-prefix "ICMP_FLOOD: " 
-A ICMP_FLOOD_DROP -j DROP 
-A ICMP_FLOOD_DST -m hashlimit --hashlimit-upto 20/sec --hashlimit-burst 20 --hashlimit-mode dstip --hashlimit-name ICMP_FLOOD_DST -j SPOOFING_PROTECTION 
-A ICMP_FLOOD_DST -j ICMP_FLOOD_DROP 
-A ICMP_FLOOD_SRC -m hashlimit --hashlimit-upto 10/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name ICMP_FLOOD_SRC -j ICMP_FLOOD_DST 
-A ICMP_FLOOD_SRC -j ICMP_FLOOD_DROP 
-A INVALID_PKT -m logmark --logmark 60007 -j NFLOG --nflog-prefix "INVALID_PKT: " 
-A INVALID_PKT -j DROP 
-A LOCAL_TRAFFIC -j NOTRACK 
-A LOCAL_TRAFFIC -j ACCEPT 
# SANITY_CHECKS: drop packets whose L4 part is shorter than a minimal header
# (tcp < 20, udp < 8, icmp < 2 bytes). The ICMP bound is 2, not the 8-byte
# header; truncated ICMP of 2-7 bytes passes this check.
-A SANITY_CHECKS -p tcp -m length2 --layer4 --length 0:19 -j INVALID_PKT 
-A SANITY_CHECKS -p udp -m length2 --layer4 --length 0:7 -j INVALID_PKT 
-A SANITY_CHECKS -p icmp -m length2 --layer4 --length 0:1 -j INVALID_PKT 
# *** SPOOFING_PROTECTION is a bare ACCEPT and SPOOF_DROP is never referenced: no
# source-address anti-spoofing is enforced by this ruleset. If reverse-path
# filtering exists at all it must come from rp_filter sysctls outside this file.
# The flood chains jump here as their "within limit" exit, which is why the
# chain cannot simply be removed.
-A SPOOFING_PROTECTION -j ACCEPT 
-A SPOOF_DROP -m logmark --logmark 60008 -j NFLOG --nflog-prefix "IP-SPOOFING DROP: " 
-A SPOOF_DROP -j DROP 
# SYN_FLOOD: only pure SYNs (no ACK, no RST) are rate-limited — 100/s per source,
# then 200/s per destination; everything else exits via SPOOFING_PROTECTION.
-A SYN_FLOOD -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j SPOOFING_PROTECTION 
-A SYN_FLOOD -j SYN_FLOOD_SRC 
-A SYN_FLOOD_DROP -m limit --limit 5/sec -m logmark --logmark 60012 -j NFLOG --nflog-prefix "SYN_FLOOD: " 
-A SYN_FLOOD_DROP -j DROP 
-A SYN_FLOOD_DST -m hashlimit --hashlimit-upto 200/sec --hashlimit-burst 200 --hashlimit-mode dstip --hashlimit-name SYN_FLOOD_DST -j SPOOFING_PROTECTION 
-A SYN_FLOOD_DST -j SYN_FLOOD_DROP 
-A SYN_FLOOD_SRC -m hashlimit --hashlimit-upto 100/sec --hashlimit-burst 100 --hashlimit-mode srcip --hashlimit-name SYN_FLOOD_SRC -j SYN_FLOOD_DST 
-A SYN_FLOOD_SRC -j SYN_FLOOD_DROP 
# UDP: traffic to or from port 3401 is exempt (matches the 3401/udp service on
# eth0.10 in *filter AUTO_INPUT); otherwise 200/s per source, then 303/s
# (burst 300) per destination.
-A UDP_FLOOD -p udp -m udp --sport 1:65535 --dport 3401 -j SPOOFING_PROTECTION 
-A UDP_FLOOD -p udp -m udp --sport 3401 --dport 1:65535 -j SPOOFING_PROTECTION 
-A UDP_FLOOD -j UDP_FLOOD_SRC 
-A UDP_FLOOD_DROP -m limit --limit 5/sec -m logmark --logmark 60013 -j NFLOG --nflog-prefix "UDP_FLOOD: " 
-A UDP_FLOOD_DROP -j DROP 
-A UDP_FLOOD_DST -m hashlimit --hashlimit-upto 303/sec --hashlimit-burst 300 --hashlimit-mode dstip --hashlimit-name UDP_FLOOD_DST -j SPOOFING_PROTECTION 
-A UDP_FLOOD_DST -j UDP_FLOOD_DROP 
-A UDP_FLOOD_SRC -m hashlimit --hashlimit-upto 200/sec --hashlimit-burst 200 --hashlimit-mode srcip --hashlimit-name UDP_FLOOD_SRC -j UDP_FLOOD_DST 
-A UDP_FLOOD_SRC -j UDP_FLOOD_DROP 
COMMIT
# Completed on Fri Apr  1 22:50:15 2011
