# Generated by ip6tables-save v1.4.9.1 on Fri Jul 8 07:39:42 2011
#
# IPv6 "raw" table dump, one entry per line. The bracketed [packets:bytes]
# pair in front of each rule is that rule's counter at dump time.
#
# Verdict flow for traffic entering PREROUTING:
#   ::1 -> ::1            : LOCAL_TRAFFIC (NOTRACK, then ACCEPT)
#   everything            : SANITY_CHECKS (undersized layer-4 payloads -> INVALID_PKT)
#   not arriving on lo    : DOS_FLOOD_PROTECTION (per-protocol rate limits), which
#                           hands packets within the limits to SPOOFING_PROTECTION
#   not arriving on lo    : SPOOFING_PROTECTION directly, for what is left over
*raw
# Built-in chains; both default to ACCEPT.
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [61:4991]
# User-defined chains ("-" means no policy).
:DOS_FLOOD_PROTECTION - [0:0]
:ICMP_FLOOD - [0:0]
:ICMP_FLOOD_DROP - [0:0]
:ICMP_FLOOD_DST - [0:0]
:ICMP_FLOOD_SRC - [0:0]
:INVALID_PKT - [0:0]
:LOCAL_TRAFFIC - [0:0]
:SANITY_CHECKS - [0:0]
:SPOOFING_PROTECTION - [0:0]
:SPOOF_DROP - [0:0]
:SYN_FLOOD - [0:0]
:SYN_FLOOD_DROP - [0:0]
:SYN_FLOOD_DST - [0:0]
:SYN_FLOOD_SRC - [0:0]
:UDP_FLOOD - [0:0]
:UDP_FLOOD_DROP - [0:0]
:UDP_FLOOD_DST - [0:0]
:UDP_FLOOD_SRC - [0:0]
# --- PREROUTING: rule order is significant ---
# Loopback-to-loopback traffic is accepted before any other check.
[0:0] -A PREROUTING -s ::1/128 -d ::1/128 -j LOCAL_TRAFFIC
[1321465:1365821954] -A PREROUTING -j SANITY_CHECKS
[1321465:1365821954] -A PREROUTING ! -i lo -j DOS_FLOOD_PROTECTION
# Every TCP/UDP/ICMPv6 path through DOS_FLOOD_PROTECTION ends in ACCEPT or DROP,
# so only other protocols fall through to this rule.
[0:0] -A PREROUTING ! -i lo -j SPOOFING_PROTECTION
# --- OUTPUT: only the loopback exemption; all else takes the ACCEPT policy ---
[0:0] -A OUTPUT -s ::1/128 -d ::1/128 -j LOCAL_TRAFFIC
# --- DOS_FLOOD_PROTECTION: dispatch by protocol ---
[1371369:1557971205] -A DOS_FLOOD_PROTECTION -p tcp -j SYN_FLOOD
[86850:9074848] -A DOS_FLOOD_PROTECTION -p udp -j UDP_FLOOD
[36653:2516189] -A DOS_FLOOD_PROTECTION -p ipv6-icmp -j ICMP_FLOOD
# --- ICMPv6 flood limiting: per-source bucket first, then per-destination ---
[36653:2516189] -A ICMP_FLOOD -j ICMP_FLOOD_SRC
# Logging of over-limit packets is capped at 5/sec; the DROP below is not.
# NOTE(review): "logmark" is not a stock iptables match; presumably it tags the
# log record with a numeric rule id -- confirm against the vendor documentation.
[4:384] -A ICMP_FLOOD_DROP -m limit --limit 5/sec -m logmark --logmark 60014 -j NFLOG --nflog-prefix "ICMP_FLOOD: "
[4:384] -A ICMP_FLOOD_DROP -j DROP
# Within 20/sec per destination address: continue to the spoofing checks.
[36649:2515805] -A ICMP_FLOOD_DST -m hashlimit --hashlimit-upto 20/sec --hashlimit-burst 20 --hashlimit-mode dstip --hashlimit-name ICMP_FLOOD_DST -j SPOOFING_PROTECTION
[0:0] -A ICMP_FLOOD_DST -j ICMP_FLOOD_DROP
# Within 10/sec per source address: continue to the destination limit.
# NOTE(review): no --hashlimit-srcmask is given, so each source address
# presumably gets its own bucket; a sender holding a whole IPv6 prefix is then
# not bounded by this limit. Consider bucketing per /64 if this build supports it.
# The same applies to SYN_FLOOD_SRC and UDP_FLOOD_SRC.
[36649:2515805] -A ICMP_FLOOD_SRC -m hashlimit --hashlimit-upto 10/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name ICMP_FLOOD_SRC -j ICMP_FLOOD_DST
[4:384] -A ICMP_FLOOD_SRC -j ICMP_FLOOD_DROP
# --- INVALID_PKT: log, then drop ---
# NOTE(review): unlike the *_FLOOD_DROP chains there is no "-m limit" here, so
# each matching packet produces a log record; the same holds for SPOOF_DROP.
[0:0] -A INVALID_PKT -m logmark --logmark 60007 -j NFLOG --nflog-prefix "INVALID_PKT: "
[0:0] -A INVALID_PKT -j DROP
# --- LOCAL_TRAFFIC: exempt from connection tracking, then accept ---
[0:0] -A LOCAL_TRAFFIC -j NOTRACK
[0:0] -A LOCAL_TRAFFIC -j ACCEPT
# --- SANITY_CHECKS: reject layer-4 payloads too short to hold a header ---
# NOTE(review): "length2 --layer4" is not a stock match; presumably it compares
# the layer-4 length. 0:19 is below the 20-byte minimum TCP header and 0:7 below
# the 8-byte UDP header.
[0:0] -A SANITY_CHECKS -p tcp -m length2 --layer4 --length 0:19 -j INVALID_PKT
[0:0] -A SANITY_CHECKS -p udp -m length2 --layer4 --length 0:7 -j INVALID_PKT
# NOTE(review): the fixed ICMPv6 header (type, code, checksum) is 4 bytes, so
# 0:1 would still pass 2- and 3-byte messages -- confirm that 0:1 is intended.
[0:0] -A SANITY_CHECKS -p ipv6-icmp -m length2 --layer4 --length 0:1 -j INVALID_PKT
# --- SPOOFING_PROTECTION: source-address checks per ingress interface ---
# NOTE(review): the raw table is traversed before connection tracking assigns a
# state, so it is unclear which packets "! --ctstate INVALID" can match here.
# Where it does match, the packet skips every spoofing rule below -- confirm.
[11:1056] -A SPOOFING_PROTECTION -m conntrack ! --ctstate INVALID -j ACCEPT
# Presumably the firewall's own addresses: a packet arriving with one of them as
# source is treated as spoofed -- verify against the interface configuration.
[0:0] -A SPOOFING_PROTECTION -s 2406:a000:f0ff:fffe::39b3/128 -j SPOOF_DROP
[0:0] -A SPOOFING_PROTECTION -s 2406:a000:f005:9b00:a::1/128 -j SPOOF_DROP
# NOTE(review): this rule and the "! -i eth0.111" rule below use the same /64.
# A packet from that prefix on eth0.111 matches this rule, and one on eth0.10
# matches the later rule, so together they drop the prefix on every interface.
# It looks like one /64 is assigned to two interfaces -- confirm the addressing.
[0:0] -A SPOOFING_PROTECTION -s 2406:a000:f005:9b00::/64 ! -i eth0.10 -j SPOOF_DROP
[0:0] -A SPOOFING_PROTECTION -s 2406:a000:f005:9b00:b::1/128 -j SPOOF_DROP
[21:1508] -A SPOOFING_PROTECTION -s 2406:a000:f005:9b00::/64 ! -i eth0.111 -j SPOOF_DROP
# Anything not matched above is accepted by this table; later tables still apply.
[8:480] -A SPOOFING_PROTECTION -j ACCEPT
# --- SPOOF_DROP: log (not rate-limited), then drop ---
[61:4319] -A SPOOF_DROP -m logmark --logmark 60008 -j NFLOG --nflog-prefix "IP-SPOOFING DROP: "
[61:4319] -A SPOOF_DROP -j DROP
# --- SYN flood limiting ---
# TCP segments that are not a bare SYN (SYN set, RST and ACK clear) bypass the
# rate limits and go straight to the spoofing checks.
[1367548:1557696245] -A SYN_FLOOD -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j SPOOFING_PROTECTION
[3821:274960] -A SYN_FLOOD -j SYN_FLOOD_SRC
# Logging capped at 5/sec; the DROP is unconditional.
[0:0] -A SYN_FLOOD_DROP -m limit --limit 5/sec -m logmark --logmark 60012 -j NFLOG --nflog-prefix "SYN_FLOOD: "
[0:0] -A SYN_FLOOD_DROP -j DROP
# Within 200/sec per destination address: continue to the spoofing checks.
[3821:274960] -A SYN_FLOOD_DST -m hashlimit --hashlimit-upto 200/sec --hashlimit-burst 200 --hashlimit-mode dstip --hashlimit-name SYN_FLOOD_DST -j SPOOFING_PROTECTION
[0:0] -A SYN_FLOOD_DST -j SYN_FLOOD_DROP
# Within 100/sec per source address: continue to the destination limit.
[3821:274960] -A SYN_FLOOD_SRC -m hashlimit --hashlimit-upto 100/sec --hashlimit-burst 100 --hashlimit-mode srcip --hashlimit-name SYN_FLOOD_SRC -j SYN_FLOOD_DST
[0:0] -A SYN_FLOOD_SRC -j SYN_FLOOD_DROP
# --- UDP flood limiting: same source-then-destination structure ---
[86850:9074848] -A UDP_FLOOD -j UDP_FLOOD_SRC
[0:0] -A UDP_FLOOD_DROP -m limit --limit 5/sec -m logmark --logmark 60013 -j NFLOG --nflog-prefix "UDP_FLOOD: "
[0:0] -A UDP_FLOOD_DROP -j DROP
# Destination limit as dumped: 303/sec with a burst of 300.
[86850:9074848] -A UDP_FLOOD_DST -m hashlimit --hashlimit-upto 303/sec --hashlimit-burst 300 --hashlimit-mode dstip --hashlimit-name UDP_FLOOD_DST -j SPOOFING_PROTECTION
[0:0] -A UDP_FLOOD_DST -j UDP_FLOOD_DROP
# Within 200/sec per source address: continue to the destination limit.
[86850:9074848] -A UDP_FLOOD_SRC -m hashlimit --hashlimit-upto 200/sec --hashlimit-burst 200 --hashlimit-mode srcip --hashlimit-name UDP_FLOOD_SRC -j UDP_FLOOD_DST
[0:0] -A UDP_FLOOD_SRC -j UDP_FLOOD_DROP
COMMIT
# Completed on Fri Jul 8 07:39:42 2011