# Generated by iptables-save v1.4.8 on Thu Jul 12 21:06:24 2012
#
# NOTE(review): this dump is a redacted template, not a directly restorable
# ruleset. `www.www.www.www` (this host's own public address - it is the
# SNAT source in *nat and the "only on eth1" destination below),
# `isp.isp.0.0/16`, `isp.isp.servers.0/22` and the port names `skypeport`
# and `secretport1`..`secretport4` are placeholders; substitute real
# addresses and port numbers (or /etc/services names) before passing the
# file to iptables-restore.
#
# Interface roles as the rules use them: eth1 is the Internet-facing side
# (also the SNAT/DNAT interface in *nat); eth0, wlan0 and pan0 only ever
# appear as the non-eth1 side; 10.0.0.0/8 is the LAN, 10.0.0.1 lives on eth0.
#
# Three xt_recent lists drive the blacklisting in every chain:
#   SUSPECT - set by source (INPUT) or destination (OUTPUT) when a non-ISP
#             address via eth1 probes 1024:49151 or reaches the end of the
#             chain without being accepted;
#   STUPID  - set when a SUSPECT peer shows up again within 54321 s; looked
#             up with a 1234 s window and routes the packet into BLACKLISTED;
#   EVIL    - set inside BLACKLISTED once SUSPECT shows 20 hits; looked up
#             without --seconds, so it stays in force for as long as the
#             entry survives in the kernel list (list size is bounded by
#             xt_recent's ip_list_tot module parameter, oldest entries are
#             evicted first - confirm the module settings on the host).
# Lists are keyed by address only, so an address flagged via --rdest on the
# way out is also matched by the --rsource look-ups on the way in.
#
# Rule order is significant throughout: the recent look-ups precede the
# conntrack state match, so a flagged peer is dropped even on packets that
# belong to an ESTABLISHED connection.
*filter
# Default-deny in all three directions; what no rule accepts reaches a
# rate-limited catch-all LOG and then the chain policy.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Shared user chain: escalates SUSPECT -> EVIL, logs per direction, then
# drops (arrived on eth1) or rejects (everything else).
:BLACKLISTED - [0:0]
#
# --- INPUT: traffic addressed to this host ---------------------------------
# Peers already flagged on eth1: EVIL is dropped silently; STUPID is refreshed
# (sliding 1234 s window) and sent to BLACKLISTED.
-A INPUT -i eth1 -m recent --rcheck --name EVIL --rsource -j DROP
-A INPUT -i eth1 -m recent --update --seconds 1234 --name STUPID --rsource -j BLACKLISTED
# Conntrack: drop INVALID, accept replies. RELATED is not accepted here;
# ICMP errors are admitted by the icmp rule further down.
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Anti-spoofing by interface: the public address may only arrive on eth1,
# 10.0.0.1 only on eth0, 127/8 only on lo.
-A INPUT -d www.www.www.www/32 ! -i eth1 -j REJECT --reject-with icmp-host-unreachable
-A INPUT -d 10.0.0.1/32 ! -i eth0 -j DROP
-A INPUT -d 127.0.0.0/8 ! -i lo -j DROP
# Ephemeral ports plus 8500 and 500 from eth1 are refused outright and, unlike
# the 1024:49151 range handled later, do not mark the source SUSPECT.
-A INPUT -i eth1 -p udp -m multiport --dports 49152:65535,8500,500 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth1 -p tcp -m multiport --dports 49152:65535,8500,500 -j REJECT --reject-with tcp-reset
# UDP 5351 (NAT-PMP), 137 (NetBIOS-NS) and 67 (DHCP server) from the LAN on
# internal interfaces are dropped without logging, keeping that noise out of
# the catch-all LOG rule.
-A INPUT -s 10.0.0.0/8 ! -i eth1 -p udp -m multiport --dports 5351,137,67 -j DROP
# ICMP: log what arrives on eth1 (rate-limited), then accept every type except
# 5 (redirect) regardless of conntrack state or interface.
# NOTE(review): the accept carries no rate limit; if echo-request floods on
# eth1 are a concern, add a -m limit for that type.
-A INPUT -i eth1 -p icmp -m limit --limit 1000/day --limit-burst 50 -j LOG --log-prefix "[ ICMP IN ] " --log-level 7
-A INPUT -p icmp -m icmp ! --icmp-type 5 -j ACCEPT
# SSH: log every new attempt, then accept bare SYNs at 20/hour (burst 2).
# Match order matters: -m limit precedes -m recent --set, so only accepted
# SYNs land in the SSH list. Nothing in this dump reads the SSH list back.
# Attempts above the limit fall through to the catch-all LOG and, for non-ISP
# sources on eth1, to the SUSPECT+DROP rule at the end of the chain.
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m limit --limit 1000/day --limit-burst 50 -j LOG --log-prefix "[ SSH IN N ] " --log-level 7
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 20/hour --limit-burst 2 -m recent --set --name SSH --rsource -j ACCEPT
# NTP from the LAN (not via eth1) and from loopback; the traceroute probe
# range 33434:33534 is accepted on any interface, UDP and TCP.
-A INPUT -s 10.0.0.0/8 ! -i eth1 -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 33434:33534 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 33434:33534 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -i lo -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
# A NEW TCP packet that is not a bare SYN is answered with a RST (port 22
# excepted: those simply fall through to LOG + DROP).
-A INPUT -p tcp -m tcp ! --dport 22 ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
# A source seen in SUSPECT within the last 54321 s (about 15 h) that gets this
# far is refreshed there, added to STUPID and handed to BLACKLISTED.
-A INPUT -m recent --update --seconds 54321 --name SUSPECT --rsource -m recent --set --name STUPID --rsource -j BLACKLISTED
# Non-ISP sources on eth1 probing registered ports 1024:49151 are recorded as
# SUSPECT and refused.
-A INPUT ! -s isp.isp.0.0/16 -i eth1 -p tcp -m tcp --dport 1024:49151 -m recent --set --name SUSPECT --rsource -j REJECT --reject-with tcp-reset
-A INPUT ! -s isp.isp.0.0/16 -i eth1 -p udp -m udp --dport 1024:49151 -m recent --set --name SUSPECT --rsource -j REJECT --reject-with icmp-port-unreachable
# Catch-all log; then non-ISP eth1 sources are marked SUSPECT and dropped,
# everything else hits the DROP policy.
-A INPUT -m limit --limit 1000/day --limit-burst 50 -j LOG --log-prefix "[ IN D ] " --log-level 7
-A INPUT ! -s isp.isp.0.0/16 -i eth1 -m recent --set --name SUSPECT --rsource -j DROP
#
# --- FORWARD: traffic routed between interfaces ----------------------------
# Same recent look-ups as INPUT for packets arriving on eth1, plus a check of
# the destination (--rdest) for packets leaving via eth1.
-A FORWARD -i eth1 -m recent --rcheck --name EVIL --rsource -j DROP
-A FORWARD -i eth1 -m recent --update --seconds 1234 --name STUPID --rsource -j BLACKLISTED
-A FORWARD -o eth1 -m recent --rcheck --seconds 1234 --name STUPID --rdest -j BLACKLISTED
# Reply traffic: everything except ICMP here; ICMP (minus redirects) has its
# own RELATED,ESTABLISHED rule below.
-A FORWARD ! -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
# Inbound connections from eth1 to the internal hosts. FORWARD sees the
# post-DNAT destination port, so these lists mirror the PREROUTING DNAT rules
# in *nat (80/443/8080 arrive here already rewritten to skypeport).
-A FORWARD -i eth1 ! -o eth1 -p udp -m multiport --dports 6881:6882,skypeport,secretport1 -m state --state NEW -j ACCEPT
-A FORWARD -i eth1 ! -o eth1 -p tcp -m multiport --dports 6881:6882,skypeport,secretport2,secretport3,secretport4 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
# Never route 172.16/12 out to the Internet.
# NOTE(review): destinations in 10.0.0.0/8 and 192.168.0.0/16 are not refused
# here, and the next two rules accept anything from the LAN leaving via eth1;
# confirm whether the other private ranges should be listed as well.
-A FORWARD -d 172.16.0.0/12 -o eth1 -j REJECT --reject-with icmp-net-unreachable
# LAN (10/8, not arriving on eth1) to the Internet: TCP only as a bare SYN,
# any other protocol as NEW.
-A FORWARD -s 10.0.0.0/8 ! -i eth1 -o eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 10.0.0.0/8 ! -i eth1 -o eth1 ! -p tcp -m state --state NEW -j ACCEPT
-A FORWARD -p icmp -m icmp ! --icmp-type 5 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Outbound bare RSTs to mail-related ports that conntrack no longer tracks are
# let through - presumably so internal mail clients can abort stale
# connections cleanly; verify against the intended use.
-A FORWARD ! -i eth1 -o eth1 -p tcp -m multiport --dports 143,220,109,110,25,993,995,1109,106,465 -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m state --state INVALID -j ACCEPT
# NEW TCP that is not a bare SYN gets a RST; remaining INVALID traffic is
# logged (TCP only when both FIN and RST are clear) and dropped.
-A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A FORWARD -p tcp -m tcp --tcp-flags FIN,RST NONE -m state --state INVALID -m limit --limit 1000/day --limit-burst 50 -j LOG --log-prefix "[ FW I ] " --log-level 7
-A FORWARD ! -p tcp -m state --state INVALID -m limit --limit 1000/day --limit-burst 50 -j LOG --log-prefix "[ FW I ] " --log-level 7
-A FORWARD -m state --state INVALID -j DROP
#
# --- OUTPUT: traffic originated by this host -------------------------------
# Outbound ICMP host-unreachable (type 3, code 1) never leaves via eth1. The
# BLACKLISTED chain ends in exactly that reject, so towards eth1 it presumably
# degrades to a silent drop - confirm that this is the intent.
-A OUTPUT -o eth1 -p icmp -m icmp --icmp-type 3/1 -j DROP
# Destinations currently in STUPID go to BLACKLISTED; link-local sources never
# leave via eth1.
-A OUTPUT -o eth1 -m recent --rcheck --seconds 1234 --name STUPID --rdest -j BLACKLISTED
-A OUTPUT -s 169.254.0.0/16 -o eth1 -j DROP
# Reply traffic accepted; RELATED packets to SUSPECT destinations and
# ESTABLISHED sshd traffic on eth1 are logged first (rate-limited).
-A OUTPUT -m state --state RELATED -m recent --rcheck --name SUSPECT --rdest -m limit --limit 1000/day --limit-burst 50 -j LOG --log-prefix "[ SSPCT OUT R ] " --log-level 7
-A OUTPUT -m state --state RELATED -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -m limit --limit 1000/day --limit-burst 50 -j LOG --log-prefix "[ SSH OUT E ] " --log-level 7
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
# New outbound connections this host may open: NTP/DHCP to the ISP servers,
# DNS and traceroute over UDP anywhere, HTTP/HTTPS and traceroute over TCP
# anywhere (bare SYN only).
# NOTE(review): TCP/53 is not in the TCP list, so a resolver that retries a
# truncated answer over TCP ends up at the SUSPECT/LOG rules at the end of
# this chain; add 53 to the TCP rule if this host runs such a resolver.
-A OUTPUT -d isp.isp.servers.0/22 -o eth1 -p udp -m multiport --dports 123,67 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m multiport --dports 53,33434:33534 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443,33434:33534 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
# INVALID: log (TCP only when both FIN and RST are clear), then drop.
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,RST NONE -m state --state INVALID -m limit --limit 1000/day --limit-burst 50 -j LOG --log-prefix "[ OUT I ] " --log-level 7
-A OUTPUT ! -p tcp -m state --state INVALID -m limit --limit 1000/day --limit-burst 50 -j LOG --log-prefix "[ OUT I ] " --log-level 7
-A OUTPUT -m state --state INVALID -j DROP
# Any new ICMP, and NTP over loopback.
-A OUTPUT -p icmp -m state --state NEW -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -o lo -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
# NEW TCP that is not a bare SYN gets a RST.
-A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
# Unaccepted traffic: a destination already SUSPECT (54321 s) is promoted to
# STUPID and sent to BLACKLISTED; other non-ISP destinations via eth1 are
# recorded as SUSPECT and dropped; the rest is logged and hits the policy.
# This means the host's own unwanted connection attempts flag the remote
# address, and its later inbound packets are then treated as SUSPECT.
-A OUTPUT -m recent --rcheck --seconds 54321 --name SUSPECT --rdest -m recent --set --name STUPID --rdest -j BLACKLISTED
-A OUTPUT ! -d isp.isp.0.0/16 -o eth1 -m recent --set --name SUSPECT --rdest -j DROP
-A OUTPUT -m limit --limit 1000/day --limit-burst 50 -j LOG --log-prefix "[ OUT D ] " --log-level 7
#
# --- BLACKLISTED: shared handling of flagged peers -------------------------
# Escalation: a source with 20 recorded SUSPECT hits is added to EVIL. The
# rule has no target, so the packet continues down the chain either way.
# Only --rsource is consulted, so this effectively applies to packets coming
# from a remote peer; for packets this host originates the source is the
# host itself. 20 equals xt_recent's default ip_pkt_list_tot; a larger
# --hitcount would need that module parameter raised.
-A BLACKLISTED -m recent --rcheck --hitcount 20 --name SUSPECT --rsource -m recent --set --name EVIL --rsource
# Per-direction logging, rate-limited (burst 20 here, 50 elsewhere).
-A BLACKLISTED -d www.www.www.www/32 -i eth1 -m limit --limit 1000/day --limit-burst 20 -j LOG --log-prefix "[ STPD IN D ] " --log-level 7
-A BLACKLISTED -i eth1 -o eth0 -m limit --limit 1000/day --limit-burst 20 -j LOG --log-prefix "[ STPD I FW D ] " --log-level 7
-A BLACKLISTED -i eth1 -o wlan0 -m limit --limit 1000/day --limit-burst 20 -j LOG --log-prefix "[ STPD I FW D ] " --log-level 7
-A BLACKLISTED -i eth1 -o pan0 -m limit --limit 1000/day --limit-burst 20 -j LOG --log-prefix "[ STPD I FW D ] " --log-level 7
-A BLACKLISTED -i eth1 -o lo -m limit --limit 1000/day --limit-burst 20 -j LOG --log-prefix "[ STPD I FW D ] " --log-level 7
# Anything that arrived on eth1 is dropped silently; traffic heading out is
# logged and rejected with host-unreachable (the OUTPUT chain drops that ICMP
# type on eth1, presumably to keep the reject silent towards the Internet).
-A BLACKLISTED -i eth1 -j DROP
-A BLACKLISTED -i eth0 -o eth1 -m limit --limit 1000/day --limit-burst 20 -j LOG --log-prefix "[ STPD O FW D ] " --log-level 7
-A BLACKLISTED -i wlan0 -o eth1 -m limit --limit 1000/day --limit-burst 20 -j LOG --log-prefix "[ STPD O FW D ] " --log-level 7
-A BLACKLISTED -i pan0 -o eth1 -m limit --limit 1000/day --limit-burst 20 -j LOG --log-prefix "[ STPD O FW D ] " --log-level 7
-A BLACKLISTED -i lo -o eth1 -m limit --limit 1000/day --limit-burst 20 -j LOG --log-prefix "[ STPD O FW D ] " --log-level 7
-A BLACKLISTED -s www.www.www.www/32 -o eth1 -m limit --limit 1000/day --limit-burst 20 -j LOG --log-prefix "[ STPD OUT D ] " --log-level 7
-A BLACKLISTED -j REJECT --reject-with icmp-host-unreachable
COMMIT
# Completed on Thu Jul 12 21:06:24 2012
# Generated by iptables-save v1.4.8 on Thu Jul 12 21:06:24 2012
#
# Port forwarding for services on 10.0.0.2 and 10.0.0.3, plus source NAT for
# everything leaving via eth1. The *filter FORWARD chain must accept the
# post-DNAT ports; its 6881:6882 / skypeport / secretport* lists correspond
# to the DNAT rules here. `www.www.www.www`, `skypeport` and `secretport*`
# are placeholders (see the *filter header) and must be substituted before
# iptables-restore.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# 10.0.0.3: 6881 and skypeport forwarded unchanged (UDP and TCP); inbound
# 80/443/8080 are rewritten to skypeport on the same host, so whatever
# listens on skypeport there is what eth1 clients on those ports reach.
-A PREROUTING -i eth1 -p udp -m multiport --dports 6881,skypeport -j DNAT --to-destination 10.0.0.3
-A PREROUTING -i eth1 -p tcp -m multiport --dports 6881,skypeport -j DNAT --to-destination 10.0.0.3
-A PREROUTING -i eth1 -p tcp -m multiport --dports 80,443,8080 -j DNAT --to-destination 10.0.0.3:skypeport
# Mail ports 25/109/110 arriving on eth1 are rewritten to this host's own
# port 22, so they are delivered locally and go through the rate-limited SSH
# rules in the *filter INPUT chain rather than through FORWARD.
-A PREROUTING -i eth1 -p tcp -m multiport --dports 25,109,110 -j DNAT --to-destination www.www.www.www:22
# 10.0.0.2: 6882 plus the secret ports.
-A PREROUTING -i eth1 -p tcp -m multiport --dports 6882,secretport2,secretport3,secretport4 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -i eth1 -p udp -m multiport --dports 6882,secretport1 -j DNAT --to-destination 10.0.0.2
# SNAT to the fixed public address; MASQUERADE would be the choice if the
# eth1 address were dynamic.
-A POSTROUTING -o eth1 -j SNAT --to-source www.www.www.www
COMMIT
# Completed on Thu Jul 12 21:06:24 2012