
 

DCLLabs.net configured Firewall with custom automated Intrusion Detection modules
Currently listed Firewall rules for system 'hosting03'

This firewall runs in real time and can be controlled from anywhere on the Internet, adding or excluding additional port access not normally given. Once the firewall script is run, it loads in less than a third of a second, never loses connection in the process, and can generate this PHP/HTML page in about a second. This page also uses additional filtering, so that it can only be viewed from a limited group of trusted IP Addresses and Subnets.

This firewall page was last written out on Friday December 23, 2016 2:34pm CST.
The blocked rules last written out on Thursday August 17, 2017 12:35am CDT.
Uptime:   14:05:27 up 15:06, 2 users, load average: 0.10, 0.03, 0.01
Operating system: GNU/Linux     Kernel version: 4.4.0-1030-aws x86_64.   Netfilter Hacking Howto, Netfilter Packet Filtering Howto: for complete port listings and country codes, see these links. (These links open other pages.) Running this script never requires any type of reboot; the firewall settings are always in real time. For additional references see www.Netfilter.org. (This also opens another page.)

Other DCLLabs.net managed Firewalls for Universities.
Unless access is given, these areas will not be available.
Air Force Academy
Army Westpoint
University of Alabama
Bluechip Compliance Engine
Bluechip Compliance Engine Development
Bluechip Corporate Site
BAS1 Multi Domain Server
BAS2 Multi Domain Server
BAS3 Multi Domain Server
Bluechip Portal
Bluechip Dev Portal
Duke University
Kansas State
Georgia Tech
Iowa State
Michigan State
University of Mississippi
University of Tennessee
University of Central Florida
Princeton University
USA Hockey League
Radar Development
US Hockey League
University of Minnesota
Vanderbilt University
University of Virginia
Western Kentucky
Yale University
 
#!/bin/bash
# May have to require #!/bin/bash versus #!/bin/sh
# /home/bin/iptfw - iptables firewall script by Sammy
#  I P T A B L E S   F I R E W A L L   S C R I P T

# For firewall packet forwarding.
# echo 1 > /proc/sys/net/ipv4/ip_forward

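# Declare the right host and check this script is run on the right system.
# The script flushes the live rule set further down ('iptables -F'), so on
# the wrong machine it can cut that machine off the network.
host='san'

#######################################
# Abort unless 'uname -n' reports the intended firewall host.
# Globals:   host (read)
# Arguments: none
# Outputs:   diagnostics to stderr
# Returns:   exits 1 when the running host does not match
#######################################
require_host() {
  local running
  running=$(uname -n)
  if [[ "$running" != "$host" ]]; then
    echo "This was meant to be run on only '$host'." >&2
    echo "Running this script on the wrong Server can cause loss of connection." >&2
    # Non-zero so a wrapper or cron job can see the refusal; the original
    # exited 0, which made a mis-run look like success.
    exit 1
  fi
}
require_host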

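   # Optional "ip <addr>" arguments override the primary LAN address.
#######################################
# Resolve the host IP from the command line.
# Arguments: $1 - "ip" selects an override; $2 - the dotted-quad address
# Outputs:   the chosen address on stdout
# Returns:   1 when "ip" is given without a well-formed IPv4 address
#######################################
get_hostip_arg() {
  local default_ip='192.168.1.11'
  local ipv4_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
  if [[ "${1-}" != "ip" ]]; then
    printf '%s\n' "$default_ip"
    return 0
  fi
  # The value is spliced into iptables rules below, so accept only a
  # dotted quad rather than arbitrary text.
  if [[ ! "${2-}" =~ $ipv4_re ]]; then
    printf "'%s' is not a valid IPv4 address for the 'ip' argument.\n" "${2-}" >&2
    return 1
  fi
  printf '%s\n' "$2"
}
hostip=$(get_hostip_arg "$@") || exit 1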


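# exit 0
# *****************************************************************
# SCRIPT VARIABLES
# This allows you to set just one area for changing reoccurring IPs.
# Bit of a pain setting the global wide (WAN) environment variable.
#
# Several names the rules below expand ($dcl, $ja, $san, $pi, $infrared,
# $suse, $L, $include and the colour codes $blu/$cyan/$nrm/$brwn/$grn) are
# not assigned anywhere in this script; presumably /home/bin/allow, which
# is sourced further down, provides them - verify before relying on them.

A="ACCEPT"
D="DROP"
# %Y is the calendar year. The original used %G, the ISO week-based year,
# which differs from the calendar year in the days around New Year.
date_string=$(date +"%A %B %e, %Y at %I:%M:%S%P %Z")
#webaddr="http://$WAN"
domain="dcllabs.net"
all=0/0                                 # 0.0.0.0/0.0.0.0 - Anywhere
#basb=216.126.32.18
#basm=216.126.32.17
sudden1=74.195.0.0/16                   # Suddenlink subnet1
sudden2=74.196.0.0/16                   # Suddenlink subnet2
hblock="192.168.1.0/24"                 # Home WAN Network IP Block
rrblock="216.126.32.0/24"               # RR public IP block.
# Keep a value already chosen from the "ip <addr>" arguments; only fall
# back to the primary LAN address when nothing was set. The original
# assignment always overwrote it, which made the argument a no-op.
hostip=${hostip:-192.168.1.11}          # Primary LAN IP Address
pifi=192.168.1.220
high=1024:65535                         # High Ports
local=127.0.0.1/32                      # Local Host Mode Only (a plain variable, not the builtin)
low=0:1023                              # Low port range
mac=192.168.1.203
minute_count=$(date +%M)                # minute count check (not read in the visible script)
radardev=216.126.32.120
router=192.168.1.1                      # Our local router
sean=24.175.117.187                     # Sean S.
#wan=$WAN                               # My Wan IP
xwin=6001:6015                          # XWindows ports
# These command prefixes are used unquoted ($I -s ...) so the shell splits
# them into words; that is deliberate, keep them as plain strings.
I="iptables -A INPUT"                   # summarized INPUT -A command
O="iptables -A OUTPUT"                  # summarized OUTPUT -A command
F="iptables -A FORWARD"                 # summarized FORWARD -A command
NATINA="iptables -t nat -A PREROUTING"  # nat routing
tcpflags="--tcp-flags SYN,RST,ACK SYN"  # most common tcp flag setting
# *****************************************************************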
# *****************************************************************


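# Make sure ifconfig and '$hostip' report the same ip address.
# Many rules below pin '-d $hostip', so a mismatch would leave the real
# address covered only by the catch-all rules. The original compared the
# two values unquoted (an empty ifconfig result made the test error out and
# the script carry on) and exited 0 on mismatch.
#######################################
# Compare the configured host IP with eth0's address.
# Globals:   hostip (read)
# Arguments: none
# Outputs:   diagnostics to stderr; one line appended to /var/log/messages
# Returns:   exits 1 on mismatch or when the address cannot be read
#######################################
check_eth0_address() {
  local eth0chk stamp
  # 'ifconfig' is the tool this host's other scripts use ('ip -4 addr' is
  # the modern equivalent); keep it so the two agree.
  eth0chk=$(/sbin/ifconfig eth0 | awk '/inet / { print $2 }' | sed 's/addr://')
  if [[ -z "$eth0chk" ]]; then
    echo "Could not read the eth0 address from 'ifconfig'; not loading rules." >&2
    exit 1
  fi
  if [[ "$hostip" != "$eth0chk" ]]; then
    echo "Host IP Address is not the same listed in 'ifconfig'." >&2
    stamp=$(date +"%b %e %H:%M:%S")
    echo "$stamp Host IP Address is not the same listed in 'ifconfig', see 'ipcfw'." \
      >> /var/log/messages
    echo "This can STOP the Apache Web Server from loading,  causing network and 'VirtualHost' errors!" >&2
    exit 1
  fi
}
check_eth0_address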


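# File creation mask 0037: new files keep the owner's bits, the group may
# only read, others get nothing (the old note claimed u-x, but 0037 does
# not mask the owner's execute bit).
umask 0037

# Optional site-specific rule file. It is sourced into this root shell, so
# whatever it contains runs as root; keep it root-owned and not writable by
# the group or others. The rules below also expand names it presumably sets.
if [[ -e /home/bin/allow ]]; then
  # shellcheck disable=SC1091 -- lives on the host, not in the repository
  . /home/bin/allow
else
  echo "No 'allow' rules added."
  # No external allow rules to load, so carry on without them.
fi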

# Start from a clean slate. Note that without '-t', '-F' and '-X' only touch
# the filter table; anything added to nat (see $NATINA above) survives a rerun.
iptables -F                             # Flush all rules.  'iptables -Z resets packet and byte counters'.
iptables -X                             # Delete all non-builtin chains.

# Target options can be ACCEPT, QUEUE, DROP and RETURN.
# Default policies: INPUT drops whatever no rule accepts. FORWARD and OUTPUT
# accept by default, so the OUTPUT rules below only matter where they LOG or
# DROP, and FORWARD is wide open whenever ip_forward is turned on (the echo
# into /proc/sys/net/ipv4/ip_forward at the top is commented out).
iptables -P INPUT   DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT  ACCEPT

# Two user chains that classify LAN-internal and LAN<->outside traffic.
# Both only RETURN, so they do not decide anything; the packet comes back
# to INPUT and is judged by the rules that follow. As written they serve as
# per-class packet/byte counters ('iptables -L -v').
iptables -N LocalSUBNET
# Internet Downloads
$I -s $hblock -d $hblock                         -j LocalSUBNET
iptables -A LocalSUBNET -s $hblock -d $hblock    -j RETURN

iptables -N PublicSUBNET
$I -s $hblock ! -d $hblock                       -j PublicSUBNET
iptables -A PublicSUBNET -s $hblock ! -d $hblock -j RETURN
$I ! -s $hblock -d $hblock                       -j PublicSUBNET
iptables -A PublicSUBNET ! -s $hblock -d $hblock -j RETURN


# Chain: untrusted-limit
# -------------------------------------------------------------------
# For untrusted hosts whose states we have no confidence in because
# our housekeeping tools do not run on them, we specify rate limiting
# thresholds to shape the traffic that passes.
# -------------------------------------------------------------------
# NOTE(review): nothing in this script jumps to untrusted-limit, so the
# chain is created but never consulted; the limits below have no effect
# until an INPUT rule sends traffic here (the '#checkhere' marker suggests
# this was known). The final unconditional DROP applies to anything that
# exceeds the two limits once the chain is wired in.

#checkhere
iptables -N untrusted-limit
iptables -A untrusted-limit ! -s $hblock -d $hblock -p tcp --dport 6000:6099 -m limit --limit 300/second --limit-burst 300 -j RETURN
iptables -A untrusted-limit ! -s $hblock -d $hblock -m limit --limit 1000/second --limit-burst 1000 -j RETURN
iptables -A untrusted-limit -j DROP

# Drop anything from 192.168.122.1 in both directions (presumably a local
# virtual-bridge address; it is not named in the variable section).
$O -s 192.168.122.1 -j $D
$I -s 192.168.122.1 -j $D

# IRC out.
# Two hosts are blocked outright, then any IRC-range (6660:6669) connection
# from this host is logged and dropped; the same is done for inbound.
$O -s $hostip   -d 195.22.25.130 -j $D
$O -s $hostip   -d 203.123.49.3  -j $D
$O -s $hostip   -p tcp --dport 6660:6669  -j LOG --log-prefix "IRC " --log-level 6
$O -s $hostip   -p tcp --dport 6660:6669  -j $D

$I -s $all      -p tcp --dport 6660:6669  -j LOG --log-prefix "IRC " --log-level 6
$I -s $all      -p tcp --dport 6660:6669  -j $D


#    I C M P       P I N G        M T R       T R A C E R O U T E      I C M P
# ICMP_ECHO                  8       0  /* Ping.                                            */
# ICMP_ECHOREPLY             0       0  /* Ping response.                                   */
# ICMP_UNREACH               3       4  /* ICMP_UNREACH_NEEDFRAG - Used by Path             */
# ICMP_REDIRECT              5       0  /* ICMP Redirect                                    */
# ICMP_Alt Host Addr         6       0  /* Alternate Host Address                           */
# ICMP_Router Advertisement  9       0  /* can be used to redirect traffic from your site.  */
# ICMP_TIMXCEED             11       0  /* TTL expired in transit.  Used by UNIX            */
# ICMP_TIMESTAMP            13       0  /* Time Stamp                                       */
# ICMP_MASK_REQUEST         17       0  /* Address Mask Request                             */
# 'traceroute' and Windows 'tracert'.  Note that UNIX traceroute also uses a high UDP port. */
# /* This message is also important when routing loops occur.                               */
#
# NOTE(review): read this section as a whole before editing. Rules are
# matched first-hit, and the unconditional accepts further down (echo reply,
# echo request and time-exceeded from $all, then all ICMP to $hostip) mean
# that every ICMP type ends up accepted from anywhere; the "DENY" comments
# below describe an intent the rule order does not implement.
#
# These next rules are used for allowed ICMP traffic from trusted systems to this
# host.  Since these trusted systems need a round trip to complete packets through,
# packets must be able to go out from their destination and come back in here. This
# is necessary to do a successful ping, traceroute or MTR to our location.
$O  -s  $hblock    -p icmp                              -j $A
$I  -s  $hblock    -p icmp                              -j $A
# The four "--icmp-type 8" rules below have no '-j' target, so they only
# count matching packets and let them fall through (the published listing
# shows an empty target column for them). They accept nothing by themselves.
$I  -s  $dcl       -p icmp -j LOG --log-prefix "ICMP " --log-level 6
$I  -s  $dcl       -p icmp --icmp-type  8
$I  -s  $ja        -p icmp -j LOG --log-prefix "ICMP " --log-level 6
$I  -s  $ja        -p icmp --icmp-type  8
$I  -s  $san       -p icmp -j LOG --log-prefix "ICMP " --log-level 6
$I  -s  $san       -p icmp --icmp-type  8
$I  -s  $hblock    -p icmp -j LOG --log-prefix "ICMP " --log-level 6
$I  -s  $hblock    -p icmp --icmp-type  8
#$I  -s  $suse      -p icmp -j LOG --log-prefix "ICMP " --log-level 6
#$I  -s  $suse      -p icmp --icmp-type  8               -j $A
# DENY pings from ALL other systems directly to this host,  unless we allowed above.
# The '-m state'/'-m recent' throttle is commented out; no rule in this
# script uses connection tracking at all.
#   $I -s $all    -p icmp     -j LOG --log-prefix "ICMP " --log-level 6
#   $I -p icmp    -m state  --state NEW -m recent --set
#   $I -p icmp    -m recent --update --seconds 5 --hitcount 4 -j DROP
# directly to us unless their host is listed above.
$I  -s  $dcl            -p icmp --icmp-type  0               -j $A # allow ping response
$I  -s  $san            -p icmp --icmp-type  0               -j $A # allow ping response
#$I  -s  $suse           -p icmp --icmp-type  0               -j $A # allow ping response
$I  -s  $ja             -p icmp --icmp-type  0               -j $A # allow ping response
$I  -s  $all            -p icmp --icmp-type  0               -j $A # allow ping response ****
#
# Echo requests from anywhere are accepted here, so this host answers
# pings from any source despite the comment two rules down.
$I  -s  $all       -p icmp -j LOG --log-prefix "ICMP " --log-level 6
$I  -s  $all       -p icmp --icmp-type  8               -j $A
# This next rule is very slick.  Allows us to ping out and get a response from ALL hosts,
# but not allowing pings directly to us.
$I  -s  $all       -p icmp --icmp-type  0               -j $A # allow ping response
# THIS NEXT LINE EITHER NEEDS (A)llow for tr & mtr or (D)eny for closing down ALL tr or mtr.
$I   -s  $hblock   -p icmp                              -j $A # mtr/tr allow or deny
#$I   -s  $suse     -p icmp --icmp-type 11               -j $A # mtr/tr allow or deny
$I   -s  $ja       -p icmp --icmp-type 11               -j $A # mtr/tr allow or deny
$I   -s  $all      -p icmp --icmp-type 11               -j $A # mtr/tr allow or deny   MAIN SWITCH THAT ALLOWS MTR/TR 
# DENY icmp packets from ALL OTHER SYSTEMS. Stops initial port scanning.
# The LOG prefix says DENY but the rule after it ACCEPTs every remaining
# ICMP type addressed to $hostip (redirects, router advertisements, mask
# requests included). A DROP here would match the comment; if the intent is
# only to answer pings and support traceroute, types 0, 8 and 11 are
# already handled above.
$I   -s $all       -p icmp -j LOG --log-prefix "ICMP DENY " --log-level 6
$I   -s $all       -d $hostip -p icmp           -j $A
# $L is not set anywhere in this script, so it expands to nothing here;
# these two OUTPUT accepts are redundant with the OUTPUT policy anyway.
$O   -s $hostip  -d $all -p icmp         -j $A $L
$O   -s $hostip  -d $all -p 1            -j $A $L
#    I C M P       P I N G        M T R       T R A C E R O U T E      I C M P


# W H O I S   A C C E S S
# Whois Server Access - port 43 - TO READ 'WHOIS' FROM OTHER SYSTEMS.
# (The first four rules are actually about outbound web, port 80.)

# An OUTPUT rule with a foreign source only matches if this host holds an
# address in 96.17.202.0/24; otherwise it is inert.
$O -s 96.17.202.0/24  -p tcp --dport 80             -j $D
$O -s $hblock         -p tcp --dport 80             -j $A
# Every outbound web connection from this host is logged before the accept.
$O -s $hostip         -p tcp        --dport 80 -j LOG --log-prefix "WebDcl " --log-level 6
$O -s $hostip         -p tcp --dport 80             -j $A

$I -s 96.17.202.0/24  -p tcp --dport 80             -j $D
# Port 43 is accepted from anywhere. That only needs to be open if this
# host runs a whois *server*; outbound lookups are covered by the reply
# handling further down.
$I -s $all            -p tcp --dport 43 -j LOG --log-prefix "Whois " --log-level 6
$I -s $all            -p tcp --dport 43             -j $A

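       # Block-list rule files: the common list is preferred over the local one.
#######################################
# Source the first available blocked-site rule file (runs as root; keep
# the files root-owned and not group/world-writable).
# Globals:   blu, cyan, nrm (read; colour codes that may be unset)
# Arguments: the script's own arguments, passed through so a sourced file
#            sees the same $1/$2 it did when sourced at top level
# Outputs:   one status line on stdout
# Returns:   0; the sourced file's status is not checked, as before
#######################################
load_block_rules() {
  local ipt_version
  if [[ -e /home/bin/blk ]]; then
    ipt_version=$(iptables --version)
    echo "${blu-} Loading COMMON BLOCKED SITE RULES.${nrm-}" - "${cyan-}${ipt_version}${nrm-}"
    # shellcheck disable=SC1091
    . /home/bin/blk
  elif [[ -e /home/bin/blk-local ]]; then
    echo "Loading LOCAL BLOCKED SITE RULES."
    # shellcheck disable=SC1091
    . /home/bin/blk-local
  else
    echo "No external block rules used at all."
    # No external block rules to load.
  fi
}
load_block_rules "$@"

# An all-China list once lived here; kept for reference.
#if    [ -e /home/bin/blkcn ]; then
#         echo "Loading ALL CHINA BLOCKED SITE RULES."
#         . /home/bin/blkcn
#fi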

# S E T   U P   A L L   L O C A L   P R O T O C O L S
# # Local Loopback Mode - UDP
# Loopback-to-loopback traffic (all protocols, despite the heading).
$I     -s $local   -d $local -i lo         -j $A
$O     -s $local   -d $local               -j $A

# Each chain can have a default policy of ACCEPT, DROP, REJECT, or QUEUE.
# =======================================================================
# UDP ports don't even acknowledge syn or ack packets, and no handshake at either 
# end of the protocol can be done, UDP is not a guaranteed delivery. 
# Name Server Declaration to get in/out. - port 53 and port 953
$O -s $hblock       -p udp             -j $A
# '--log-tcp-options' has nothing to log on a UDP rule; it is harmless.
$O -s $all          -p udp -j LOG --log-prefix "UDP " --log-level 6 --log-tcp-options
# $include is not set anywhere in this script, so this line simply sources
# /home/bin/blkudp; if that file is missing, bash prints an error and the
# script continues (there is no 'set -e').
   $include . /home/bin/blkudp
$O               -p udp --dport 53         -j $A
$O               -p udp --dport 953        -j $A
#$I -s $rrblock  -p udp --dport 53  -j LOG --log-prefix "DNS " --log-level 6 --log-tcp-options
#$I -s $rrblock  -p udp --dport 53  -j $A
#$I -s $rrblock  -p tcp --dport 53  -j LOG --log-prefix "DNS " --log-level 6 --log-tcp-options
#$I -s $rrblock  -p tcp --dport 53  -j $A
#$I -s $rrblock  -p udp --dport 953 -j LOG --log-prefix "DNS " --log-level 6 --log-tcp-options
#$I -s $rrblock  -p udp --dport 953 -j $A
# Inbound DNS (53) and rndc (953) are accepted from any source. If a
# resolver listens on the public interface this makes it an open resolver;
# restrict to $hblock/$rrblock (the commented rules above) unless the host
# is meant to serve the Internet.
$I -s $all       -p udp --dport 53  -j LOG --log-prefix "DNS " --log-level 6 --log-tcp-options
$I               -p udp --dport 53  -j $A
$I -s $all       -p udp --dport 953 -j LOG --log-prefix "DNS " --log-level 6 --log-tcp-options
$I               -p udp --dport 953 -j $A

# Cobbler ports
# since iptables may be running, ensure 69, 80, 25150, and 25151 are unblocked
# (port 80 is handled in the web section; only 69 and 25150/25151 are
# opened here, LAN sources only, and 69 is opened for TCP although TFTP
# normally runs over UDP - confirm which is intended.)
$O -s $hblock           -p tcp          --dport 69    -j $A
$O -s $hblock           -p tcp          --dport 25150 -j $A
$O -s $hblock           -p tcp          --dport 25151 -j $A

$I -s $hblock     -i eth0 -p tcp        --dport 69    -j $A
$I -s $hblock     -i eth0 -p tcp        --dport 25150 -j $A
$I -s $hblock     -i eth0 -p tcp        --dport 25151 -j $A

# Web Services - httpd - port 80 - web - http -  httpd
##$O -s   $router           -p tcp        --dport 80 -j LOG --log-prefix "WebRouter " --log-level 6
##$O -s   $router           -p tcp        --dport 80 -j $A
$O -s   $dcl              -p tcp        --dport 80 -j LOG --log-prefix "WEB " --log-level 6
$O -s   $dcl              -p tcp        --dport 80 -j $A
#$O -s   $hblock           -p tcp        --dport 80 -j $A
$O -s   $all              -p tcp        --dport 80 -j LOG --log-prefix "WEB " --log-level 6
$O -s   $all              -p tcp        --dport 80 -j $A

# Every inbound port-80 packet is logged before the source checks; on a
# busy web host this is noisy. $infrared is not defined in this script -
# if it is unset, the third accept below is passed to iptables as
# '-s -i eth0 ...' and the rule is most likely rejected rather than added.
$I -s $all                -p tcp        --dport 80 -j LOG --log-prefix "WEB " --log-level 6
$I -s $hblock     -i eth0 -p tcp        --dport 80 -j $A
$I -s $dcl        -i eth0 -p tcp        --dport 80 -j $A
$I -s $infrared   -i eth0 -p tcp        --dport 80 -j $A

# Alternate web port 8886: LAN, $dcl and $ja only (the last $dcl line is a
# duplicate of the one two rules up).
$I -s $all        -p tcp        --dport 8886 -j LOG --log-prefix "WEB 8886 " --log-level 6
$I -s $local      -p tcp        --dport 8886 -j $A
$I -s $hblock     -p tcp        --dport 8886 -j $A
$I -s $dcl        -p tcp        --dport 8886 -j $A
$I -s $ja         -p tcp        --dport 8886 -j $A
$I -s $dcl        -p tcp        --dport 8886 -j $A

# Web Use - port 80.
# Anything else arriving on eth0 for port 80 is logged a second time and
# dropped, so port 80 is not public on this interface.
$I -s $all        -i eth0 -p tcp  --dport 80 -j LOG --log-prefix "WEB " --log-level 6
$I -s $all        -i eth0 -p tcp  --dport 80 -j $D

# SSH or ssh - Secure Shell Access - port 22
#$ -s $all          -p tcp              --dport ssh -j LOG --log-prefix "SSH " --log-level 6
$O -s $all          -p tcp -m tcp       --dport 22 -j $A

# Extra SSH sources come from /home/bin/allowssh. $include is not set in
# this script, so the line below just sources the file.
 if [ -e /home/bin/allowssh ]; then $include . /home/bin/allowssh ; fi
# The '-m recent' brute-force throttle is commented out; SSH from the LAN
# is accepted and every other source is dropped, which is the right shape.
#$I -p tcp --dport 22 -m state  --state NEW -m recent --set
#$I -p tcp --dport 22 -m recent --update --seconds 70 --hitcount 5 -j DROP
$I -s $hblock       -p tcp              --dport ssh -j $A
$I -s $all          -p tcp -m tcp       --dport ssh -j $D


# FTP ftp - port 21 -vsFTPd
# Inbound FTP control/data is accepted from $dcl only. Note the final DROP
# carries $tcpflags (SYN only), so it blocks new connections but not
# stray non-SYN packets to 20:21 - those fall through to the rules below.
$O -s $all       -p tcp --dport 20:21 -j LOG --log-prefix "FTP "         --log-level 6
$O -s $hostip    -d $dcl   -p tcp --dport 20:21 -j $A
$O -s $hostip    -p tcp --dport 20:21 $tcpflags -j $A
$I -s $dcl       -p tcp --dport 20:21 $tcpflags -j $A
#$I -s $suse      -p tcp --dport 20:21 $tcpflags -j $A
$I -s $all       -p tcp --dport 20:21 -j LOG --log-prefix "FTP "         --log-level 6
$I -s $all       -p tcp --dport 20:21 $tcpflags -j $D

# Return Port or ftp data port - vsFTPd ftpdata - port 20
$I               -p tcp -m tcp --dport 20 -j LOG --log-prefix "FtpData " --log-level 6
$I -s $all       -p tcp -m tcp --dport 20 $tcpflags -j $D

# Telnet Access - telnet - port 23
# Telnet is cleartext; it is only accepted from the LAN block here and
# dropped from everywhere else. The '--sport telnet' OUTPUT/INPUT rules
# match replies from a telnet server, not client connections.
$O              -p tcp --dport telnet -j LOG --log-prefix "TELNET " --log-level 6
$O              -p tcp --sport telnet -j $A
$O              -p udp --sport telnet -j $A
#$I -s $suse     -p udp --sport telnet -j $A
#$I -s $suse     -p tcp -m tcp --dport 23 -j $A
$I -s $hblock   -p udp --sport telnet -j $A
$I -s $hblock    -p tcp -m tcp --dport telnet $tcpflags -j $A
$I -s $hblock    -p tcp -m tcp --dport 23 -j $A

$I               -p tcp --dport telnet -j LOG --log-prefix "TELNET DENY "  --log-level 6
$I -s $all       -p tcp -m tcp --dport 23 -j $D

# SENDMAIL - sendmail - port 25
$O -s $hblock    -p tcp --dport 25 $tcpflags -j $A
# $O -s $all       -p tcp   --dport 25 -j LOG --log-prefix "SMTP "      --log-level 6
$O -s $all       -p tcp --dport 25 $tcpflags -j $A


# Inbound SMTP: loopback and LAN first, then logged and accepted from any
# source - expected for an MX host; otherwise restrict the last accept.
# $I -s $local     -p tcp --dport 25 -j LOG --log-prefix "SMTP LOCAL "  --log-level 6
$I -s $local -d $local    -p tcp -m tcp --dport 25 $tcpflags -j $A
$I -s $local     -p tcp -m tcp --dport 25 $tcpflags -j $A
$I -s $hblock    -p tcp -m tcp --dport 25 $tcpflags -j $A
$I -s $all       -p tcp --dport 25 -j LOG --log-prefix "SMTP "        --log-level 6
$I -s $all       -p tcp -m tcp --dport 25 $tcpflags -j $A

# POP3 mail - Inbound port 110:110 (the old heading said "Bootstrap
# Protocol Client", which is port 68, not 110)
# $O -s $all         -p tcp   --dport 110:110 -j LOG --log-prefix "POP " --log-level 6
$O -s $all         -p tcp   --dport 110 -j $A

# POP3 on port 110 sends credentials in the clear; it is accepted from any
# source on eth0 here, so pair it with TLS (STLS or 995) if it must stay public.
# $I -s $all         -p tcp  -d $hostip --dport 110:110 -j LOG --log-prefix "POP "  --log-level 6
$I -s $all -i eth0 -p tcp -m tcp --dport 110 -j $A

# SUN Remote Procedure Call - port Mapper - TCP $hblock - port 111
# A 127.0.0.1 source arriving on eth0 would be spoofed; these two loopback
# rules therefore match nothing legitimate (real loopback is on 'lo').
$I -s $local  -p tcp -i eth0 $tcpflags -d $local --dport 111    -j $A 
# SUN Remote Procedure Call - port Mapper - port 111 - UDP
$I -s $local  -p udp -i eth0          -d $local --dport 111     -j $A

# Portmapper (111) is accepted from any source over TCP and UDP. rpcbind is
# a common reconnaissance and amplification target; unless NFS/RPC clients
# on the Internet are intended, limit these to $hblock.
$I -s $all    -d $hostip  -p udp --dport 111 -j LOG --log-prefix "Port-111 IN " --log-level 6
$I -s $all    -p tcp -m tcp  $tcpflags -d $hostip  --dport 111  -j $A
$I -s $all    -p udp                   -d $hostip  --dport 111  -j $A

# Network Time Protocol - ntp - port 123 UDP port 17
#$O -s $hostip  -p udp  -d $poolntp   --dport 123     -j $A
$O -s $hostip   -p udp  -d $hblock    --dport 123     -j $A
$O -s $hostip   -p udp  -d $radardev  --dport 123     -j $A

$I -s $hblock   -p udp  -d $hostip    --dport 123:123 -j LOG --log-prefix "NTP "  --log-level 6
$I -s $hblock   -p udp  -d $hostip    --dport 123     -j $A
$I -s $radardev -p udp  -d $hostip    --dport 123     -j $A

# INPUT with a destination of $radardev only matches if that address is
# configured on this host.
$I -s $hblock   -p udp  -d $radardev  --dport 123     -j $A

# port 139 - netbios
# Only logs NetBIOS datagrams that claim to come from $hostip itself.
$I -s $hostip -p udp --dport 136:139 -j LOG --log-prefix "139 " --log-level 6

$I -s $all         -p tcp --dport 139 $tcpflags -j $D
$I -s $all -i eth0 -p udp --dport 139 -j $D

# port 143 - IMAP - dovecot service
#$O -s $hblock  -d $hblock  -p tcp --dport 143 $tcpflags -j $A
#$I -s $hblock  -d $hblock  -p tcp --dport 143 $tcpflags -j $A

#$I -s $hblock         -p tcp                    --dport 143 -j LOG --log-prefix "IMAP " --log-level 6
#$I -p tcp --dport 143 -i eth0 -m state  --state NEW -m recent --set
#$I -p tcp --dport 143 -i eth0 -m recent --update --seconds 80 --hitcount 5 -j DROP
#$I -s $hblock         -p tcp -m tcp             --dport 143 -j $A

# Port 161 snmpd trap
# The literal 192.168.1.11 duplicates $hostip; use the variable so an
# "ip <addr>" override applies here too.
$I -p udp -s 192.168.1.11 --dport 161 -j ACCEPT

# port 443 - Web SSL
# The LOG rule watches UDP 443 while the accept is for TCP 443, so HTTPS
# connections are accepted from anywhere without being logged.
$I -s $all          -p udp --dport 443 -j LOG --log-prefix "SSL " --log-level 6
$I -s $all          -p tcp --dport 443 $tcpflags -j $A
#$I -s $all          -p udp --dport 443 -j $A

# snmptrap - SNMP Trap - udp - port 162
# Traps are accepted from any source; the commented $router-only rules
# are the tighter option if only the local router sends them.
# $O -s $hostip -p udp --dport 162 -j LOG --log-prefix "SNMP OUT " --log-level 6
##$I -s $router   -p udp --dport 162 -j LOG --log-prefix "SNMP " --log-level 6
##$I -s $router   -p udp -m udp --dport 162 -j $A
$I -s $all      -p udp --dport 162 -j LOG --log-prefix "SNMP " --log-level 6
$I -s $all      -p udp -m udp --dport 162 -j $A

# Local computer - 127.0.0.1 IP Address
# Loopback is accepted here, after every rule above has already been
# evaluated for it; it is conventionally the first INPUT rule.
# $I -s ! $local -j LOG --log-prefix "ipTables LOCAL " --log-level 6
$I -i lo -j $A

## N F S  Ports ** Need to have nfs service running **
## NFS Rules needed for FC4, FC5, and FC8
#$I -s $hostip   -p tcp --dport 2049 -j LOG --log-prefix "NFS IN " --log-level 6
#$I -s $hblock  -p tcp -i eth0 -d $hostip   --dport   111    -j $A
#$I -s $all     -p tcp -i eth0 -d $hostip   --dport   111    -j $D
#$I -s $hblock  -p tcp -i eth0 -d $hostip   --dport   831    -j $A
#$I -s $all     -p tcp -i eth0 -d $hostip   --dport   831    -j $D
#$I -s $hblock  -p tcp -i eth0 -d $hostip   --dport  2049    -j $A
#$I -s $all     -p tcp -i eth0 -d $hostip   --dport  2049    -j $D
# ===============================================================

# Duplicate of the SMTP accept in the sendmail section; harmless.
$I -s $all       -p tcp -m tcp --dport 25 $tcpflags -j $A

# Cups printing
$O -s $hostip    -p tcp -m tcp --dport 631          -j $A
$I -s $hostip    -p tcp -m tcp --dport 631          -j $A


# VPN ports needed opened.
# IKE (500) and NAT-T (4500) from any source is normal for a VPN endpoint.
# UDP 10000 is also opened to the world; confirm what listens there.
$I -s $all       -p udp -m udp --dport   500 -j $A
$O -s $all       -p udp -m udp --dport   500 -j $A
$I -s $all       -p udp -m udp --dport  4500 -j $A
$O -s $all       -p udp -m udp --dport  4500 -j $A
$I -s $all       -p udp -m udp --dport 10000 -j $A
$O -s $all       -p udp -m udp --dport 10000 -j $A



### **************************************  CHECK OUT THIS RULE CLOSELY!!!
# NOTE(review): this accepts EVERY packet arriving on eth0 that no rule above
# matched. With INPUT's policy set to DROP, this one rule turns the chain
# into default-allow for the external interface: every INPUT rule after it
# (the 0:1023 and 1024:65535 SYN drops, the VNC drops, the high-port UDP
# drop) can never see eth0 traffic, and any listening service that is not
# explicitly dropped above is reachable from anywhere. If the purpose is to
# let replies to this host's own outbound connections back in, a
# '-m state --state ESTABLISHED,RELATED -j ACCEPT' rule does that without
# admitting new inbound connections; 'iptables -L INPUT -v -n' counters
# will show whether the later rules are ever hit.
$I -i eth0 -j $A
### **************************************


# L O W   P O R T   R A N G E
# ports 0:1023 port range from 0 - 1023 - tcp
# NOTE(review): all INPUT rules from here on sit after the unconditional
# '$I -i eth0 -j $A' above, so for eth0 traffic they are unreachable; they
# only apply to other interfaces until that rule is removed or narrowed.
$I -s $local      -p tcp -m tcp --dport $low $tcpflags -j $A
##$I -s $router     -p tcp -m tcp --dport $low $tcpflags -j $A
$I -s $hostip     -p tcp -m tcp --dport $low $tcpflags -j $A
## $I -s $local   -p tcp --dport $low -j LOG --log-prefix "tcpLO IN " --log-level 6
$I -s $all        -p tcp -m tcp --dport $low $tcpflags -j $D

# Major port range from 0:1023 - udp - Reject
$I -s $local      -p udp --dport $low -j $A
##$I -s $router     -p udp --dport $low -j $A
$I -s $hostip     -p udp --dport $low -j $A
$I -s $dcl        -p udp --dport $low -j $A
$I -s $all        -p udp --dport $low -j LOG --log-prefix "udpLO IN " --log-level 6
$I -s $all        -p udp --dport $low -j $D

# One literal host gets every TCP port; it is not named in the variable
# section, so give it a name there if it is meant to stay.
$I -s 216.126.32.61 -d $hostip -p tcp -j $A

# if add  REJECT, get error message --reject-with icmp-port-unreachable

# vnc VNC ports 5900:5909
# VNC (5900:5903) from four named hosts; $pi is not defined in this script.
# The LOG prefix "udpLO IN " on the TCP VNC rule is a copy-paste from the
# UDP section and will mislabel these entries in syslog.
# $I -s $hostip -d $hostip -p tcp --dport 5900:5903              -j $A
$I -s $dcl    -d $hostip -p tcp --dport 5900:5903              -j $A
$I -s $mac    -d $hostip -p tcp --dport 5900:5903              -j $A
$I -s $pi     -d $hostip -p tcp --dport 5900:5903              -j $A
$I -s $pifi   -d $hostip -p tcp --dport 5900:5903              -j $A
$I -s $all               -p tcp --dport 5900:5903  -j LOG --log-prefix "udpLO IN " --log-level 6
$I -s $all               -p tcp --dport 5900:5903              -j $D

# $I -s $hostip -d $hostip -p udp --dport 5900:5903              -j $A
$I -s $dcl     -d $hostip -p udp --dport 5900:5903              -j $A
$I -s $mac     -d $hostip -p udp --dport 5900:5903              -j $A
$I -s $pi      -d $hostip -p udp --dport 5900:5903              -j $A
$I -s $pifi    -d $hostip -p udp --dport 5900:5903              -j $A
$I -s $all                -p udp --dport 5900:5903              -j $D

# Port 8886 is opened to any source here, although the web section above
# restricted it to the LAN, $dcl and $ja.
$I -s $all     -d $hostip -p tcp --dport 8886:8886              -j $A

# For using netcat or 'nc' chat at port 8889.
$I -s $hblock -d $hostip -p tcp --dport 8889:8889               -j $A
$I -s $rrblock -d $hostip -p tcp --dport 8889:8889              -j $A


# P O R T S   0 : 1 0 2 3  - ports 0:1023
# Block ALL syn packets first, unless declared and allowed above.
# Allow ack packets through with next rule.
# This "drop SYN, accept the rest" pair is the stateless way to admit
# replies to connections this host opened; '-m state --state ESTABLISHED'
# expresses the same intent exactly and also covers UDP. Remember these
# rules are shadowed by the eth0 catch-all accept further up.
$I  -s $all    -d $hostip   -i eth0  -p tcp   --syn --dport 0:1023    -j $D
$I  -s $all    -d $hostip   -i eth0  -p tcp         --dport 0:1023    -j $A

# netstat -tulpn | egrep "samba|smbd|nmbd|winbind"  - For samba ports

# P O R T S   1 0 2 4  :  6 5 5 3 5
# Allow TCP reply or ack packets back in ; ipchains -A ppp-in -p TCP ! -y -j $A
# ! -y = request back with ack packets only. ???   -y only allow syn packets out.  ???
# (ipchains '! -y' is the same idea as iptables '! --syn'.)
# ports 1024:65535 - $hostip - ALL OUTBOUND FROM HIGHER PORTS OK
## ************************************************************************
# Next rule most likely needed for chat mode.
# P O R T S   1 0 2 4  :  6 5 5 3 5
# Block ALL syn packets first, unless declared and allowed above.
# Allow ack packets through with next rule.
$I  -s $hostip -d $hostip  -i eth0  -p tcp                            -j $A
$I  -s $all    -d $hostip  -i eth0  -p tcp   --syn --dport 1024:65535 -j $D
$I  -s $all    -d $hostip  -i eth0  -p tcp         --dport 1024:65535 -j $A


# Major port range from 1024:65535 - udp - icmp - Reject
## $I -s $all -p udp --dport $high -j LOG --log-prefix "udpHI IN " --log-level 6
##$I -s $router      -p udp --dport $high -j $A
$I -s $hostip      -p udp --dport $high -j $A
$I -s $all         -p udp --dport $high -j $D

#  F I N A L   O U T P U T   S T A T U S
# If nothing else has been blocked above, then allow output.
# Major output logging can and should be done here if needed.
# Protocols 1/6/17 are ICMP/TCP/UDP; with the OUTPUT policy already ACCEPT
# these three rules change nothing, but they keep per-protocol counters.
$O  -s $hostip  -d $all -p 1  -j $A
$O  -s $hostip  -d $all -p 6  -j $A
$O  -s $hostip  -d $all -p 17 -j $A

# echo "String L equal to: $L"


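	#######################################
# Rotate the two previous script copies and publish the running script
# together with the live rule listing.
# Globals:   date_string (written; show_rules reads it afterwards)
# Arguments: $1 - output file (default: /www/dcl/html/key/ipt.txt)
# Outputs:   overwrites the output file; copy errors go to stderr
# Returns:   status of the final write
#######################################
save_area() {
  local out=${1:-/www/dcl/html/key/ipt.txt}
  local ipt_version
  # %Y (calendar year) rather than %G (ISO week-based year).
  date_string=$(date +"%A %B %e, %Y at %I:%M:%S%P %Z")
  # C O M M A N D    S E C T I O N
  # Keep two older generations. A missing generation (first run) is not
  # fatal, as before; cp reports it on stderr.
  cp /home/bin/2iptfw /home/bin/3iptfw
  cp /home/bin/1iptfw /home/bin/2iptfw

  ipt_version=$(iptables --version) || ipt_version='unknown'
  # NOTE(review): the complete script - trusted addresses included - and the
  # ordered rule set are written under the web root. The page header shows a
  # public crawler fetching it, so the "trusted IPs only" filtering the page
  # describes is not holding; keep this file outside the document root or
  # gate it at the web server.
  {
    cat -- "$0"
    echo ""
    echo ""
    iptables -L -n --line-numbers
    echo " "
    echo "Generated by root via ($ipt_version) on $date_string."
  } > "$out"
  # iptables-save > /root/iptables-san
}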

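        #######################################
# Append the blocked-site rule file to the published listing.
# Not called anywhere in this script as shown; kept for manual use.
# Globals:   date_string (read; empty if save_area has not run)
# Arguments: $1 - output file (default: /www/dcl/html/key/ipt.txt)
# Outputs:   appends to the output file; a note on stdout when the common
#            list is absent
# Returns:   status of the final write
#######################################
show_rules() {
  local out=${1:-/www/dcl/html/key/ipt.txt}
  local ipt_version
  ipt_version=$(iptables --version) || ipt_version='unknown'
  if [[ -e /home/bin/blk ]]; then
    echo "Showing COMMON BLOCKED SITE RULES."       >> "$out"
    cat /home/bin/blk                               >> "$out"
  else
    echo "Showing LOCAL BLOCKED SITE RULES."        >> "$out"
    # The original cat'd the local list unconditionally, which wrote a
    # cat error to stderr when neither file existed.
    if [[ -e /home/bin/blk-local ]]; then
      cat /home/bin/blk-local                       >> "$out"
    else
      echo "(no /home/bin/blk-local file present)"  >> "$out"
    fi
    echo "Else statement getting executed instead."
  fi

  echo " " >> "$out"
  echo "Generated by root via ($ipt_version) on ${date_string-}." >> "$out"
}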

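# Save firewall settings
# "s" publishes the script and rule listing via save_area (defined above).
# The "ip <addr>" form is read from $1/$2 near the top, so the two
# arguments cannot be combined on one invocation.
if [[ "${1-}" == "s" ]]; then
  save_area
fi

# Keep the newest copy of the script next to the rotated generations.
cp /home/bin/iptfw /home/bin/1iptfw

# echo " (`iptables --version`)"
# The colour codes (brwn, nrm, grn) are expected from a sourced file and
# expand to nothing when unset.
echo "${brwn-} F I R E W A L L   E N A B L E D   O N   H O S T :${nrm-}   ${grn-}'${host-}'${nrm-}"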


Chain INPUT (policy DROP)
num  target     prot opt source               destination         
1    LocalSUBNET  all  --  192.168.1.0/24       192.168.1.0/24      
2    PublicSUBNET  all  --  192.168.1.0/24      !192.168.1.0/24      
3    PublicSUBNET  all  -- !192.168.1.0/24       192.168.1.0/24      
4    DROP       all  --  192.168.122.1        0.0.0.0/0           
5    LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:6660:6669 LOG flags 0 level 6 prefix "IRC "
6    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:6660:6669
7    ACCEPT     icmp --  192.168.1.0/24       0.0.0.0/0           
8    LOG        icmp --  192.168.1.14         0.0.0.0/0            LOG flags 0 level 6 prefix "ICMP "
9               icmp --  192.168.1.14         0.0.0.0/0            icmptype 8
10   LOG        icmp --  74.195.176.183       0.0.0.0/0            LOG flags 0 level 6 prefix "ICMP "
11              icmp --  74.195.176.183       0.0.0.0/0            icmptype 8
12   LOG        icmp --  192.168.1.11         0.0.0.0/0            LOG flags 0 level 6 prefix "ICMP "
13              icmp --  192.168.1.11         0.0.0.0/0            icmptype 8
14   LOG        icmp --  192.168.1.0/24       0.0.0.0/0            LOG flags 0 level 6 prefix "ICMP "
15              icmp --  192.168.1.0/24       0.0.0.0/0            icmptype 8
16   ACCEPT     icmp --  192.168.1.14         0.0.0.0/0            icmptype 0
17   ACCEPT     icmp --  192.168.1.11         0.0.0.0/0            icmptype 0
18   ACCEPT     icmp --  74.195.176.183       0.0.0.0/0            icmptype 0
19   ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 0
20   LOG        icmp --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "ICMP "
21   ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
22   ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 0
23   ACCEPT     icmp --  192.168.1.0/24       0.0.0.0/0           
24   ACCEPT     icmp --  74.195.176.183       0.0.0.0/0            icmptype 11
25   ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 11
26   LOG        icmp --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "ICMP DENY "
27   ACCEPT     icmp --  0.0.0.0/0            192.168.1.11        
28   DROP       tcp  --  96.17.202.0/24       0.0.0.0/0            tcp dpt:80
29   LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:43 LOG flags 0 level 6 prefix "Whois "
30   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:43
31   ACCEPT     all  --  207.46.98.0/24       192.168.1.11        
32   ACCEPT     all  --  65.54.188.0/24       192.168.1.11        
33   DROP       all  --  1.93.0.0/16          0.0.0.0/0           
34   DROP       all  --  1.162.0.0/16         0.0.0.0/0           
35   DROP       all  --  1.163.0.0/16         0.0.0.0/0           
36   DROP       all  --  1.169.0.0/16         0.0.0.0/0           
37   DROP       all  --  1.171.0.0/16         0.0.0.0/0           
38   DROP       all  --  118.161.0.0/16       0.0.0.0/0           
39   DROP       all  --  114.36.0.0/16        0.0.0.0/0           
40   DROP       all  --  114.42.0.0/16        0.0.0.0/0           
41   DROP       all  --  114.43.0.0/16        0.0.0.0/0           
42   DROP       all  --  114.44.0.0/16        0.0.0.0/0           
43   DROP       all  --  114.45.0.0/16        0.0.0.0/0           
44   DROP       all  --  114.46.0.0/16        0.0.0.0/0           
45   DROP       all  --  118.165.0.0/16       0.0.0.0/0           
46   DROP       all  --  118.166.0.0/16       0.0.0.0/0           
47   DROP       all  --  118.168.0.0/16       0.0.0.0/0           
48   DROP       all  --  36.224.0.0/16        0.0.0.0/0           
49   DROP       all  --  36.226.0.0/16        0.0.0.0/0           
50   DROP       all  --  36.225.0.0/16        0.0.0.0/0           
51   DROP       all  --  203.188.0.0/16       0.0.0.0/0           
52   DROP       all  --  1.164.115.156        0.0.0.0/0           
53   DROP       all  --  14.0.0.0/8           0.0.0.0/0           
54   DROP       all  --  27.0.0.0/8           0.0.0.0/0           
55   DROP       all  --  36.0.0.0/8           0.0.0.0/0           
56   DROP       all  --  58.0.0.0/8           0.0.0.0/0           
57   DROP       all  --  42.0.0.0/8           0.0.0.0/0           
58   DROP       all  --  49.0.0.0/8           0.0.0.0/0           
59   DROP       all  --  59.0.0.0/8           0.0.0.0/0           
60   DROP       all  --  60.0.0.0/8           0.0.0.0/0           
61   DROP       all  --  61.0.0.0/8           0.0.0.0/0           
62   DROP       all  --  78.90.0.0/16         0.0.0.0/0           
63   DROP       tcp  --  81.12.0.0/16         0.0.0.0/0            tcp flags:0x17/0x02
64   DROP       tcp  --  83.0.0.0/8           0.0.0.0/0            tcp flags:0x17/0x02
65   DROP       tcp  --  84.0.0.0/8           0.0.0.0/0            tcp flags:0x17/0x02
66   DROP       tcp  --  86.126.0.0/16        0.0.0.0/0            tcp flags:0x17/0x02
67   DROP       tcp  --  88.0.0.0/8           0.0.0.0/0            tcp flags:0x17/0x02
68   DROP       tcp  --  91.121.0.0/16        0.0.0.0/0            tcp flags:0x17/0x02
69   DROP       all  --  95.0.0.0/8           0.0.0.0/0           
70   DROP       all  --  110.0.0.0/8          0.0.0.0/0           
71   DROP       all  --  111.0.0.0/8          0.0.0.0/0           
72   DROP       all  --  112.0.0.0/8          0.0.0.0/0           
73   DROP       all  --  114.0.0.0/8          0.0.0.0/0           
74   DROP       all  --  115.0.0.0/8          0.0.0.0/0           
75   DROP       all  --  120.0.0.0/8          0.0.0.0/0           
76   DROP       all  --  121.0.0.0/8          0.0.0.0/0           
77   DROP       all  --  123.0.0.0/8          0.0.0.0/0           
78   DROP       all  --  122.0.0.0/8          0.0.0.0/0           
79   DROP       tcp  --  124.0.0.0/8          0.0.0.0/0            tcp flags:0x17/0x02
80   DROP       tcp  --  125.0.0.0/8          0.0.0.0/0            tcp flags:0x17/0x02
81   DROP       tcp  --  144.46.0.0/16        0.0.0.0/0            tcp flags:0x17/0x02
82   DROP       all  --  183.0.0.0/8          0.0.0.0/0           
83   DROP       tcp  --  200.104.0.0/16       0.0.0.0/0            tcp flags:0x17/0x02
84   DROP       tcp  --  200.140.0.0/16       0.0.0.0/0            tcp flags:0x17/0x02
85   DROP       tcp  --  201.32.0.0/16        0.0.0.0/0            tcp flags:0x17/0x02
86   DROP       tcp  --  201.34.0.0/16        0.0.0.0/0            tcp flags:0x17/0x02
87   DROP       all  --  201.50.0.0/16        0.0.0.0/0           
88   DROP       tcp  --  201.144.0.0/16       0.0.0.0/0            tcp flags:0x17/0x02
89   DROP       all  --  201.245.0.0/16       0.0.0.0/0           
90   DROP       all  --  202.30.0.0/16        0.0.0.0/0           
91   DROP       all  --  202.39.0.0/16        0.0.0.0/0           
92   DROP       all  --  202.44.0.0/16        0.0.0.0/0           
93   DROP       all  --  202.46.0.0/16        0.0.0.0/0           
94   DROP       all  --  202.54.0.0/16        0.0.0.0/0           
95   DROP       all  --  202.57.0.0/16        0.0.0.0/0           
96   DROP       all  --  202.99.0.0/16        0.0.0.0/0           
97   DROP       all  --  202.143.0.0/16       0.0.0.0/0           
98   DROP       all  --  202.153.0.0/16       0.0.0.0/0           
99   DROP       all  --  202.155.0.0/16       0.0.0.0/0           
100  DROP       all  --  202.180.0.0/16       0.0.0.0/0           
101  DROP       all  --  202.186.0.0/16       0.0.0.0/0           
102  DROP       all  --  203.69.0.0/16        0.0.0.0/0           
103  DROP       all  --  203.123.0.0/16       0.0.0.0/0           
104  DROP       all  --  203.129.0.0/16       0.0.0.0/0           
105  DROP       all  --  203.158.0.0/16       0.0.0.0/0           
106  DROP       all  --  203.167.0.0/16       0.0.0.0/0           
107  DROP       all  --  203.253.0.0/16       0.0.0.0/0           
108  DROP       all  --  210.3.0.0/16         0.0.0.0/0           
109  DROP       all  --  210.22.0.0/16        0.0.0.0/0           
110  DROP       all  --  210.42.0.0/16        0.0.0.0/0           
111  DROP       all  --  210.70.0.0/16        0.0.0.0/0           
112  DROP       all  --  210.202.0.0/16       0.0.0.0/0           
113  DROP       all  --  210.21.0.0/16        0.0.0.0/0           
114  DROP       all  --  210.66.0.0/16        0.0.0.0/0           
115  DROP       all  --  210.83.0.0/16        0.0.0.0/0           
116  DROP       tcp  --  210.94.0.0/16        0.0.0.0/0            tcp flags:0x17/0x02
117  DROP       tcp  --  210.109.0.0/16       0.0.0.0/0            tcp flags:0x17/0x02
118  DROP       tcp  --  210.118.0.0/16       0.0.0.0/0            tcp flags:0x17/0x02
119  DROP       tcp  --  210.183.0.0/16       0.0.0.0/0            tcp flags:0x17/0x02
120  DROP       tcp  --  210.218.0.0/16       0.0.0.0/0            tcp flags:0x17/0x02
121  DROP       tcp  --  210.222.0.0/16       0.0.0.0/0            tcp flags:0x17/0x02
122  DROP       tcp  --  210.224.0.0/16       0.0.0.0/0            tcp flags:0x17/0x02
123  DROP       tcp  --  210.240.0.0/16       0.0.0.0/0            tcp flags:0x17/0x02
124  DROP       tcp  --  210.243.0.0/16       0.0.0.0/0            tcp flags:0x17/0x02
125  DROP       tcp  --  210.244.0.0/16       0.0.0.0/0            tcp flags:0x17/0x02
126  DROP       tcp  --  210.245.0.0/16       0.0.0.0/0            tcp flags:0x17/0x02
127  DROP       tcp  --  210.254.0.0/16       0.0.0.0/0            tcp flags:0x17/0x02
128  DROP       tcp  --  211.0.0.0/8          0.0.0.0/0            tcp flags:0x17/0x02
129  DROP       tcp  --  212.227.0.0/16       0.0.0.0/0            tcp flags:0x17/0x02
130  DROP       tcp  --  212.244.0.0/16       0.0.0.0/0            tcp flags:0x17/0x02
131  DROP       all  --  218.0.0.0/8          0.0.0.0/0           
132  DROP       all  --  219.138.135.0/24     0.0.0.0/0           
133  DROP       all  --  220.0.0.0/8          0.0.0.0/0           
134  DROP       all  --  221.0.0.0/8          0.0.0.0/0           
135  DROP       all  --  222.0.0.0/8          0.0.0.0/0           
136  DROP       all  --  223.0.0.0/8          0.0.0.0/0           
137  DROP       all  --  210.76.0.0/16        0.0.0.0/0           
138  DROP       all  --  114.43.0.0/16        0.0.0.0/0           
139  DROP       all  --  37.151.0.0/16        0.0.0.0/0           
140  DROP       all  --  116.10.191.0/24      0.0.0.0/0           
141  DROP       all  --  115.239.228.9        0.0.0.0/0           
142  DROP       all  --  183.136.216.3        0.0.0.0/0           
143  DROP       all  --  182.100.67.112       0.0.0.0/0           
144  DROP       all  --  218.87.111.0/24      0.0.0.0/0           
145  DROP       all  --  221.229.166.29       0.0.0.0/0           
146  DROP       all  --  180.210.234.87       0.0.0.0/0           
147  DROP       all  --  113.174.198.19       0.0.0.0/0           
148  DROP       all  --  222.186.160.49       0.0.0.0/0           
149  DROP       all  --  122.195.189.84       0.0.0.0/0           
150  DROP       all  --  218.65.30.0/24       0.0.0.0/0           
151  DROP       all  --  45.114.11.28         0.0.0.0/0           
152  DROP       all  --  45.114.11.34         0.0.0.0/0           
153  DROP       all  --  218.87.109.62        0.0.0.0/0           
154  DROP       all  --  80.82.70.167         0.0.0.0/0           
155  DROP       all  --  182.100.67.59        0.0.0.0/0           
156  DROP       all  --  178.210.216.159      0.0.0.0/0           
157  DROP       all  --  221.203.142.70       0.0.0.0/0           
158  DROP       all  --  91.201.236.114       0.0.0.0/0           
159  DROP       all  --  59.45.79.40          0.0.0.0/0           
160  DROP       all  --  183.3.202.108        0.0.0.0/0           
161  DROP       all  --  59.63.188.44         0.0.0.0/0           
162  DROP       all  --  195.154.56.69        0.0.0.0/0           
163  DROP       all  --  91.224.160.131       0.0.0.0/0           
164  DROP       all  --  91.224.160.10        0.0.0.0/0           
165  DROP       all  --  193.201.225.116      0.0.0.0/0           
166  DROP       all  --  91.224.160.108       0.0.0.0/0           
167  DROP       all  --  91.224.160.106       0.0.0.0/0           
168  DROP       all  --  91.224.161.103       0.0.0.0/0           
169  DROP       all  --  106.247.230.226      0.0.0.0/0           
170  DROP       all  --  116.31.116.18        0.0.0.0/0           
171  ACCEPT     all  --  127.0.0.1            127.0.0.1           
172  LOG        udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53 LOG flags 2 level 6 prefix "DNS "
173  ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
174  LOG        udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:953 LOG flags 2 level 6 prefix "DNS "
175  ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:953
176  ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0            tcp dpt:69
177  ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0            tcp dpt:25150
178  ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0            tcp dpt:25151
179  LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 LOG flags 0 level 6 prefix "WEB "
180  ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0            tcp dpt:80
181  ACCEPT     tcp  --  192.168.1.14         0.0.0.0/0            tcp dpt:80
182  ACCEPT     tcp  --  76.30.213.50         0.0.0.0/0            tcp dpt:80
183  LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8886 LOG flags 0 level 6 prefix "WEB 8886 "
184  ACCEPT     tcp  --  127.0.0.1            0.0.0.0/0            tcp dpt:8886
185  ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0            tcp dpt:8886
186  ACCEPT     tcp  --  192.168.1.14         0.0.0.0/0            tcp dpt:8886
187  ACCEPT     tcp  --  74.195.176.183       0.0.0.0/0            tcp dpt:8886
188  ACCEPT     tcp  --  192.168.1.14         0.0.0.0/0            tcp dpt:8886
189  LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 LOG flags 0 level 6 prefix "WEB "
190  DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
191  ACCEPT     tcp  --  192.168.1.11         0.0.0.0/0            tcp dpt:22
192  ACCEPT     tcp  --  192.168.1.14         0.0.0.0/0            tcp dpt:22
193  ACCEPT     tcp  --  192.168.1.11         0.0.0.0/0            tcp dpt:22
194  ACCEPT     tcp  --  192.168.1.17         0.0.0.0/0            tcp dpt:22
195  LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 LOG flags 0 level 6 prefix "SSH "
196  ACCEPT     tcp  --  76.30.213.50         0.0.0.0/0            tcp dpt:22
197  ACCEPT     tcp  --  74.195.0.0/16        0.0.0.0/0            tcp dpt:22
198  ACCEPT     tcp  --  74.196.0.0/16        0.0.0.0/0            tcp dpt:22
199  ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0            tcp dpt:22
200  ACCEPT     tcp  --  192.168.1.22         0.0.0.0/0            tcp dpt:22
201  ACCEPT     tcp  --  74.195.176.183       0.0.0.0/0            tcp dpt:22
202  ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0            tcp dpt:22
203  DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
204  ACCEPT     tcp  --  192.168.1.14         0.0.0.0/0            tcp dpts:20:21 flags:0x16/0x02
205  LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:20:21 LOG flags 0 level 6 prefix "FTP "
206  DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:20:21 flags:0x16/0x02
207  LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:20 LOG flags 0 level 6 prefix "FtpData "
208  DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:20 flags:0x16/0x02
209  ACCEPT     udp  --  192.168.1.0/24       0.0.0.0/0            udp spt:23
210  ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0            tcp dpt:23 flags:0x16/0x02
211  ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0            tcp dpt:23
212  LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23 LOG flags 0 level 6 prefix "TELNET DENY "
213  DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23
214  ACCEPT     tcp  --  127.0.0.1            127.0.0.1            tcp dpt:25 flags:0x16/0x02
215  ACCEPT     tcp  --  127.0.0.1            0.0.0.0/0            tcp dpt:25 flags:0x16/0x02
216  ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0            tcp dpt:25 flags:0x16/0x02
217  LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25 LOG flags 0 level 6 prefix "SMTP "
218  ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25 flags:0x16/0x02
219  ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:110
220  ACCEPT     tcp  --  127.0.0.1            127.0.0.1            tcp dpt:111 flags:0x16/0x02
221  ACCEPT     udp  --  127.0.0.1            127.0.0.1            udp dpt:111
222  LOG        udp  --  0.0.0.0/0            192.168.1.11         udp dpt:111 LOG flags 0 level 6 prefix "Port-111 IN "
223  ACCEPT     tcp  --  0.0.0.0/0            192.168.1.11         tcp dpt:111 flags:0x16/0x02
224  ACCEPT     udp  --  0.0.0.0/0            192.168.1.11         udp dpt:111
225  LOG        udp  --  192.168.1.0/24       192.168.1.11         udp dpt:123 LOG flags 0 level 6 prefix "NTP "
226  ACCEPT     udp  --  192.168.1.0/24       192.168.1.11         udp dpt:123
227  ACCEPT     udp  --  216.126.32.120       192.168.1.11         udp dpt:123
228  ACCEPT     udp  --  192.168.1.0/24       216.126.32.120       udp dpt:123
229  LOG        udp  --  192.168.1.11         0.0.0.0/0            udp dpts:136:139 LOG flags 0 level 6 prefix "139 "
230  DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:139 flags:0x16/0x02
231  DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:139
232  ACCEPT     udp  --  192.168.1.11         0.0.0.0/0            udp dpt:161
233  LOG        udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:443 LOG flags 0 level 6 prefix "SSL "
234  ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 flags:0x16/0x02
235  LOG        udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:162 LOG flags 0 level 6 prefix "SNMP "
236  ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:162
237  ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
238  ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25 flags:0x16/0x02
239  ACCEPT     tcp  --  192.168.1.11         0.0.0.0/0            tcp dpt:631
240  ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:500
241  ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:4500
242  ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:10000
243  ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
244  ACCEPT     tcp  --  127.0.0.1            0.0.0.0/0            tcp dpts:0:1023 flags:0x16/0x02
245  ACCEPT     tcp  --  192.168.1.11         0.0.0.0/0            tcp dpts:0:1023 flags:0x16/0x02
246  DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:0:1023 flags:0x16/0x02
247  ACCEPT     udp  --  127.0.0.1            0.0.0.0/0            udp dpts:0:1023
248  ACCEPT     udp  --  192.168.1.11         0.0.0.0/0            udp dpts:0:1023
249  ACCEPT     udp  --  192.168.1.14         0.0.0.0/0            udp dpts:0:1023
250  LOG        udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:0:1023 LOG flags 0 level 6 prefix "udpLO IN "
251  DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:0:1023
252  ACCEPT     tcp  --  216.126.32.61        192.168.1.11        
253  ACCEPT     tcp  --  192.168.1.14         192.168.1.11         tcp dpts:5900:5903
254  ACCEPT     tcp  --  192.168.1.203        192.168.1.11         tcp dpts:5900:5903
255  ACCEPT     tcp  --  192.168.1.17         192.168.1.11         tcp dpts:5900:5903
256  ACCEPT     tcp  --  192.168.1.220        192.168.1.11         tcp dpts:5900:5903
257  LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:5900:5903 LOG flags 0 level 6 prefix "udpLO IN "
258  DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:5900:5903
259  ACCEPT     udp  --  192.168.1.14         192.168.1.11         udp dpts:5900:5903
260  ACCEPT     udp  --  192.168.1.203        192.168.1.11         udp dpts:5900:5903
261  ACCEPT     udp  --  192.168.1.17         192.168.1.11         udp dpts:5900:5903
262  ACCEPT     udp  --  192.168.1.220        192.168.1.11         udp dpts:5900:5903
263  DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5900:5903
264  ACCEPT     tcp  --  0.0.0.0/0            192.168.1.11         tcp dpt:8886
265  ACCEPT     tcp  --  192.168.1.0/24       192.168.1.11         tcp dpt:8889
266  ACCEPT     tcp  --  216.126.32.0/24      192.168.1.11         tcp dpt:8889
267  DROP       tcp  --  0.0.0.0/0            192.168.1.11         tcp dpts:0:1023 flags:0x17/0x02
268  ACCEPT     tcp  --  0.0.0.0/0            192.168.1.11         tcp dpts:0:1023
269  ACCEPT     tcp  --  192.168.1.11         192.168.1.11        
270  DROP       tcp  --  0.0.0.0/0            192.168.1.11         tcp dpts:1024:65535 flags:0x17/0x02
271  ACCEPT     tcp  --  0.0.0.0/0            192.168.1.11         tcp dpts:1024:65535
272  ACCEPT     udp  --  192.168.1.11         0.0.0.0/0            udp dpts:1024:65535
273  DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:1024:65535

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    DROP       all  --  192.168.122.1        0.0.0.0/0           
2    DROP       all  --  192.168.1.11         195.22.25.130       
3    DROP       all  --  192.168.1.11         203.123.49.3        
4    LOG        tcp  --  192.168.1.11         0.0.0.0/0            tcp dpts:6660:6669 LOG flags 0 level 6 prefix "IRC "
5    DROP       tcp  --  192.168.1.11         0.0.0.0/0            tcp dpts:6660:6669
6    ACCEPT     icmp --  192.168.1.0/24       0.0.0.0/0           
7    ACCEPT     icmp --  192.168.1.11         0.0.0.0/0           
8    ACCEPT     icmp --  192.168.1.11         0.0.0.0/0           
9    DROP       tcp  --  96.17.202.0/24       0.0.0.0/0            tcp dpt:80
10   ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0            tcp dpt:80
11   LOG        tcp  --  192.168.1.11         0.0.0.0/0            tcp dpt:80 LOG flags 0 level 6 prefix "WebDcl "
12   ACCEPT     tcp  --  192.168.1.11         0.0.0.0/0            tcp dpt:80
13   ACCEPT     all  --  127.0.0.1            127.0.0.1           
14   ACCEPT     udp  --  192.168.1.0/24       0.0.0.0/0           
15   LOG        udp  --  0.0.0.0/0            0.0.0.0/0            LOG flags 2 level 6 prefix "UDP "
16   DROP       udp  --  122.152.96.20        0.0.0.0/0           
17   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
18   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:953
19   ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0            tcp dpt:69
20   ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0            tcp dpt:25150
21   ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0            tcp dpt:25151
22   LOG        tcp  --  192.168.1.14         0.0.0.0/0            tcp dpt:80 LOG flags 0 level 6 prefix "WEB "
23   ACCEPT     tcp  --  192.168.1.14         0.0.0.0/0            tcp dpt:80
24   LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 LOG flags 0 level 6 prefix "WEB "
25   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
26   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
27   LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:20:21 LOG flags 0 level 6 prefix "FTP "
28   ACCEPT     tcp  --  192.168.1.11         192.168.1.14         tcp dpts:20:21
29   ACCEPT     tcp  --  192.168.1.11         0.0.0.0/0            tcp dpts:20:21 flags:0x16/0x02
30   LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23 LOG flags 0 level 6 prefix "TELNET "
31   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:23
32   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:23
33   ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0            tcp dpt:25 flags:0x16/0x02
34   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25 flags:0x16/0x02
35   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:110
36   ACCEPT     udp  --  192.168.1.11         192.168.1.0/24       udp dpt:123
37   ACCEPT     udp  --  192.168.1.11         216.126.32.120       udp dpt:123
38   ACCEPT     tcp  --  192.168.1.11         0.0.0.0/0            tcp dpt:631
39   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:500
40   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:4500
41   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:10000
42   ACCEPT     icmp --  192.168.1.11         0.0.0.0/0           
43   ACCEPT     tcp  --  192.168.1.11         0.0.0.0/0           
44   ACCEPT     udp  --  192.168.1.11         0.0.0.0/0           

Chain LocalSUBNET (1 references)
num  target     prot opt source               destination         
1    RETURN     all  --  192.168.1.0/24       192.168.1.0/24      

Chain PublicSUBNET (2 references)
num  target     prot opt source               destination         
1    RETURN     all  --  192.168.1.0/24      !192.168.1.0/24      
2    RETURN     all  -- !192.168.1.0/24       192.168.1.0/24      

Chain untrusted-limit (0 references)
num  target     prot opt source               destination         
1    RETURN     tcp  -- !192.168.1.0/24       192.168.1.0/24       tcp dpts:6000:6099 limit: avg 303/sec burst 300
2    RETURN     all  -- !192.168.1.0/24       192.168.1.0/24       limit: avg 1000/sec burst 1000
3    DROP       all  --  0.0.0.0/0            0.0.0.0/0           
 
Generated by root via (iptables v1.4.21) on Friday December 23, 2016 at 02:34:38pm CST.