# Generated by ip6tables-save v1.6.2 on Wed Nov 4 15:38:43 2020
# mangle table: every built-in chain keeps its ACCEPT policy and no rules are
# defined, so nothing is marked, re-routed or rewritten here. The
# [packets:bytes] counters are informational only and are not restored unless
# ip6tables-restore is run with --counters.
*mangle
:PREROUTING ACCEPT [36:7020]
:INPUT ACCEPT [34:6876]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [32:2424]
:POSTROUTING ACCEPT [32:2424]
COMMIT
# Completed on Wed Nov 4 15:38:43 2020
# Generated by ip6tables-save v1.6.2 on Wed Nov 4 15:38:43 2020
# filter table. Default-deny on INPUT and FORWARD; OUTPUT is ACCEPT, i.e. this
# host does no egress filtering at all.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [13:1080]
# User-defined chains. Only input_ext and input_int are jumped to by the rules
# in this dump; forward_ext, forward_int and reject_func are declared but never
# referenced (presumably generator scaffolding — the SFW2-* log prefixes
# suggest SuSEfirewall2).
:forward_ext - [0:0]
:forward_int - [0:0]
:input_ext - [0:0]
:input_int - [0:0]
:reject_func - [0:0]
# INPUT. The only trust split is by ingress interface: br1 / ovs-system go to
# input_int (accept everything), every other interface goes to input_ext
# (default drop). First match wins.
-A INPUT -i lo -j ACCEPT
# Only ESTABLISHED is accepted generically; RELATED is accepted solely for
# ICMPv6 in the next rule. So conntrack-helper secondary connections (e.g.
# FTP data) are NOT admitted by these two rules and fall through to the
# per-interface chains. ICMPv6 errors (1-4, incl. Packet Too Big) that refer
# to a tracked flow are classified RELATED by conntrack and are covered here.
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -m conntrack --ctstate RELATED -j ACCEPT
# DHCPv6 client port, accepted on every interface from any source. Server and
# relay messages a client needs normally come from link-local peers; consider
# narrowing this to `-s fe80::/10` once that is confirmed for this network.
-A INPUT -p udp -m udp --dport 546 -j ACCEPT
# Anything arriving on br1 or on the OVS datapath device is fully trusted
# (input_int is an unconditional ACCEPT) — verify nothing untrusted can be
# attached to those bridges.
-A INPUT -i br1 -j input_int
-A INPUT -i ovs-system -j input_int
-A INPUT -j input_ext
# input_ext ends in an unconditional DROP and contains no RETURN, so the two
# rules below are a safety net that is not reached in practice.
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
# FORWARD. Frames that are merely bridged (bridge port in, bridge port out)
# are accepted without any further inspection; this match only sees bridged
# traffic when br_netfilter is active. If br1 ever bridges an untrusted
# segment, that traffic crosses the host unfiltered. Everything else is logged
# (rate-limited) and then falls through to the chain's DROP policy — there is
# no explicit DROP rule, and forward_ext / forward_int are never used.
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
# OUTPUT. Both rules are redundant under the chain's ACCEPT policy; they only
# make loopback and ICMPv6 egress explicit. Nothing leaving the host is
# filtered.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p ipv6-icmp -j ACCEPT
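# input_ext: traffic from every interface other than lo / br1 / ovs-system.
# First match wins; the chain ends in an unconditional DROP and never RETURNs.
# pkttype is a link-layer match and IPv6 has no broadcast, so this is a no-op
# in practice (presumably kept for parity with the IPv4 ruleset).
-A input_ext -m pkttype --pkt-type broadcast -j DROP
# ICMPv6 echo request, accepted from anywhere without rate limiting.
-A input_ext -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
# Neighbor Discovery: RS 133, RA 134, NS 135, NA 136, Redirect 137.
# RFC 4861 requires these to carry hop limit 255 (proof they were not routed);
# Linux's ND receive path already discards others, so matching --hl-eq 255
# here (as RFC 4890 recommends) rejects forged/off-link ND before it reaches
# the stack without affecting legitimate on-link traffic. Accepting RA and
# Redirect on the external side remains a policy exposure (rogue RA / redirect
# attacks): if this host is statically addressed, drop 134/137 here and set
# accept_ra / accept_redirects = 0 via sysctl for the external interface.
-A input_ext -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A input_ext -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A input_ext -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A input_ext -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A input_ext -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT
# MLD Query (130): needed so multicast listener state (e.g. the solicited-node
# groups ND relies on) keeps working through MLD-snooping switches. MLD uses
# hop limit 1, so no hl match is applied here.
-A input_ext -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j ACCEPT
# GRE from any source. Together with TCP/1723 below this looks like a PPTP
# server; PPTP's MS-CHAPv2 authentication is cryptographically broken, so if
# that is what this is, plan to replace it. If GRE is a point-to-point tunnel
# instead, restrict it with `-s <peer>`.
-A input_ext -p gre -j ACCEPT
# Per-service rules below: rate-limited LOG of new SYNs, then ACCEPT from any
# source. None of the ACCEPTs are restricted to --syn / NEW, so stray non-SYN
# segments to these ports also reach the stack (the ESTABLISHED rule in INPUT
# already handles the normal case).
# 20000-22000: a 2001-port range with no obvious single service — confirm
# what actually listens here and narrow it.
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 20000:22000 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 20000:22000 -j ACCEPT
# 5990-6020: overlaps the X11 display range (6000+n). X11 exposed to the
# external side is a well-known risk — confirm this is intended (X forwarding
# over SSH would not need it) and restrict by source if it is.
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 5990:6020 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 5990:6020 -j ACCEPT
# 1723: PPTP control channel (see the GRE note above).
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 1723 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 1723 -j ACCEPT
# 6556 (presumably a Checkmk agent) and 5666 (presumably NRPE): monitoring
# agents that execute checks on request; restrict them to the monitoring
# server(s) with `-s` rather than accepting from anywhere.
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 6556 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 6556 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 5666 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 5666 -j ACCEPT
# 22: SSH from anywhere; the only limiter is on the LOG line, not on
# connections. Consider a source allow-list or a connection-rate limit.
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
# Drop whatever non-unicast traffic is left (the ND/MLD multicast that is
# needed was already accepted above).
-A input_ext -m comment --comment "sfw2.insert.pos" -m pkttype ! --pkt-type unicast -j DROP
# Default: log new TCP SYNs, ICMPv6 and new UDP (rate-limited), then drop
# everything.
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p ipv6-icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -m conntrack --ctstate NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP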
# input_int: reached only for traffic arriving on br1 or ovs-system, and
# accepts everything unconditionally — no port, source or rate restriction.
# The whole internal-side security model rests on those bridges carrying only
# trusted hosts.
-A input_int -j ACCEPT
# reject_func: polite-refusal helper (TCP -> RST, UDP -> port unreachable,
# anything else -> address unreachable). REJECT is a terminating target, so
# the trailing DROP is only a defensive fallback. No rule in this dump jumps
# here; everything is silently dropped instead.
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp6-port-unreachable
-A reject_func -j REJECT --reject-with icmp6-addr-unreachable
-A reject_func -j DROP
COMMIT
# Completed on Wed Nov 4 15:38:43 2020