Iptables
From computer
sudo iptables -S | |
-P INPUT ACCEPT | |
-P FORWARD ACCEPT | |
-P OUTPUT ACCEPT | |
sudo iptables -t nat --list | |
Chain PREROUTING (policy ACCEPT) | |
target prot opt source destination | |
Chain INPUT (policy ACCEPT) | |
target prot opt source destination | |
Chain OUTPUT (policy ACCEPT) | |
target prot opt source destination | |
Chain POSTROUTING (policy ACCEPT) | |
target prot opt source destination | |
From 5G modem
iptables -S | |
-P INPUT ACCEPT | |
-P FORWARD DROP | |
-P OUTPUT ACCEPT | |
-N forwarding_lan_rule | |
-N forwarding_rule | |
-N forwarding_wan_rule | |
-N input_lan_rule | |
-N input_rule | |
-N input_wan_rule | |
-N output_lan_rule | |
-N output_rule | |
-N output_wan_rule | |
-N reject | |
-N syn_flood | |
-N zone_lan_dest_ACCEPT | |
-N zone_lan_forward | |
-N zone_lan_input | |
-N zone_lan_output | |
-N zone_lan_src_ACCEPT | |
-N zone_wan_dest_ACCEPT | |
-N zone_wan_dest_REJECT | |
-N zone_wan_forward | |
-N zone_wan_input | |
-N zone_wan_output | |
-N zone_wan_src_REJECT | |
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT | |
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule | |
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT | |
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood | |
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input | |
-A INPUT -i rmnet_data0 -m comment --comment "!fw3" -j zone_wan_input | |
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule | |
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT | |
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward | |
-A FORWARD -i rmnet_data0 -m comment --comment "!fw3" -j zone_wan_forward | |
-A FORWARD -m comment --comment "!fw3" -j reject | |
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT | |
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule | |
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT | |
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output | |
-A OUTPUT -o rmnet_data0 -m comment --comment "!fw3" -j zone_wan_output | |
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset | |
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable | |
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN | |
-A syn_flood -m comment --comment "!fw3" -j DROP | |
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT | |
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule | |
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT | |
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT | |
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT | |
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule | |
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT | |
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT | |
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule | |
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT | |
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT | |
-A zone_wan_dest_ACCEPT -o rmnet_data0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP | |
-A zone_wan_dest_ACCEPT -o rmnet_data0 -m comment --comment "!fw3" -j ACCEPT | |
-A zone_wan_dest_REJECT -o rmnet_data0 -m comment --comment "!fw3" -j reject | |
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule | |
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT | |
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT | |
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT | |
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT | |
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule | |
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT | |
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT | |
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT | |
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT | |
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT | |
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule | |
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT | |
-A zone_wan_src_REJECT -i rmnet_data0 -m comment --comment "!fw3" -j reject | |
iptables -t nat --list | |
Chain PREROUTING (policy ACCEPT) | |
target prot opt source destination | |
prerouting_rule all -- anywhere anywhere /* !fw3: Custom prerouting rule chain */ | |
zone_lan_prerouting all -- anywhere anywhere /* !fw3 */ | |
zone_wan_prerouting all -- anywhere anywhere /* !fw3 */ | |
Chain INPUT (policy ACCEPT) | |
target prot opt source destination | |
Chain OUTPUT (policy ACCEPT) | |
target prot opt source destination | |
Chain POSTROUTING (policy ACCEPT) | |
target prot opt source destination | |
postrouting_rule all -- anywhere anywhere /* !fw3: Custom postrouting rule chain */ | |
zone_lan_postrouting all -- anywhere anywhere /* !fw3 */ | |
zone_wan_postrouting all -- anywhere anywhere /* !fw3 */ | |
Chain postrouting_lan_rule (1 references) | |
target prot opt source destination | |
Chain postrouting_rule (1 references) | |
target prot opt source destination | |
Chain postrouting_wan_rule (1 references) | |
target prot opt source destination | |
Chain prerouting_lan_rule (1 references) | |
target prot opt source destination | |
Chain prerouting_rule (1 references) | |
target prot opt source destination | |
Chain prerouting_wan_rule (1 references) | |
target prot opt source destination | |
Chain zone_lan_postrouting (1 references) | |
target prot opt source destination | |
postrouting_lan_rule all -- anywhere anywhere /* !fw3: Custom lan postrouting rule chain */ | |
Chain zone_lan_prerouting (1 references) | |
target prot opt source destination | |
prerouting_lan_rule all -- anywhere anywhere /* !fw3: Custom lan prerouting rule chain */ | |
Chain zone_wan_postrouting (1 references) | |
target prot opt source destination | |
postrouting_wan_rule all -- anywhere anywhere /* !fw3: Custom wan postrouting rule chain */ | |
MASQUERADE all -- anywhere anywhere /* !fw3 */ | |
Chain zone_wan_prerouting (1 references) | |
target prot opt source destination | |
prerouting_wan_rule all -- anywhere anywhere /* !fw3: Custom wan prerouting rule chain */ |