aboutsummaryrefslogtreecommitdiffstats
path: root/test/output/filter-dnat/dump
diff options
context:
space:
mode:
Diffstat (limited to 'test/output/filter-dnat/dump')
-rw-r--r--test/output/filter-dnat/dump267
1 files changed, 150 insertions, 117 deletions
diff --git a/test/output/filter-dnat/dump b/test/output/filter-dnat/dump
index 54b5da8..a146fc5 100644
--- a/test/output/filter-dnat/dump
+++ b/test/output/filter-dnat/dump
@@ -12,123 +12,139 @@ Dnat 2 {"in":"B"}
inet/nat/PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT
-Filter 1 {"dest":"192.168.0.1","dnat":"10.0.0.1","in":"A","service":"smtp"}
-(filter-dnat)
- inet/filter/FORWARD -i eth0 -p tcp --dport 25 -d 10.0.0.1 -m conntrack --ctstate DNAT -j ACCEPT
- inet/filter/INPUT -i eth0 -p tcp --dport 25 -d 10.0.0.1 -m conntrack --ctstate DNAT -j ACCEPT
- inet/nat/PREROUTING -i eth0 -p tcp --dport 25 -d 192.168.0.1 -j DNAT --to-destination 10.0.0.1
-
-Filter 2 {"dest":"192.168.0.2","dnat":{"addr":"10.0.0.2","port":8080},"in":"A","service":"http"}
-(filter-dnat)
- inet/filter/FORWARD -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -m conntrack --ctstate DNAT -j ACCEPT
- inet/filter/INPUT -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -m conntrack --ctstate DNAT -j ACCEPT
- inet/nat/PREROUTING -i eth0 -p tcp --dport 80 -d 192.168.0.2 -j DNAT --to-destination 10.0.0.2:8080
-
-Filter 3 {"dnat":{"addr":"10.0.0.3","port":"8022-8033"},"in":"A","service":"ssh"}
-(filter-dnat)
- inet/filter/FORWARD -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -m conntrack --ctstate DNAT -j ACCEPT
- inet/filter/INPUT -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -m conntrack --ctstate DNAT -j ACCEPT
- inet/nat/PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination 10.0.0.3:8022-8033
- inet6/filter/FORWARD -i eth0 -p tcp --dport 22 -j ACCEPT
- inet6/filter/INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-
-Filter 4 {"action":"pass","in":"_fw","log":"ulog"}
-(log)
- inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG
-
-Filter 5 {"in":["_fw","A"]}
-(zone)
- inet/filter/FORWARD -i eth0 -j ACCEPT
- inet/filter/INPUT -i eth0 -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -i eth0 -j ACCEPT
- inet6/filter/INPUT -i eth0 -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 6 {"in":"B","out":"C"}
-(zone)
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
-
-Filter 7 {"out":["_fw","B"]}
-(zone)
- inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet6/filter/FORWARD -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-
-Filter 8 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
-(zone)
- inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
- inet6/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
- inet6/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT
- inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT
- inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT
- inet6/filter/FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
- inet6/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
- inet6/filter/FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
- inet6/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
- inet6/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
- inet6/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
- inet6/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
+Filter 1 {"dest":"192.168.0.1","dnat":"10.0.0.1","in":"A","service":"smtp"}
+(filter-dnat)
+ inet/filter/FORWARD -i eth0 -p tcp --dport 25 -d 10.0.0.1 -m conntrack --ctstate DNAT -j ACCEPT
+ inet/filter/INPUT -i eth0 -p tcp --dport 25 -d 10.0.0.1 -m conntrack --ctstate DNAT -j ACCEPT
+ inet/nat/PREROUTING -i eth0 -p tcp --dport 25 -d 192.168.0.1 -j DNAT --to-destination 10.0.0.1
+
+Filter 2 {"dest":"192.168.0.2","dnat":{"addr":"10.0.0.2","port":8080},"in":"A","service":"http"}
+(filter-dnat)
+ inet/filter/FORWARD -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -m conntrack --ctstate DNAT -j ACCEPT
+ inet/filter/INPUT -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -m conntrack --ctstate DNAT -j ACCEPT
+ inet/nat/PREROUTING -i eth0 -p tcp --dport 80 -d 192.168.0.2 -j DNAT --to-destination 10.0.0.2:8080
+
+Filter 3 {"dnat":{"addr":"10.0.0.3","port":"8022-8033"},"in":"A","service":"ssh"}
+(filter-dnat)
+ inet/filter/FORWARD -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -m conntrack --ctstate DNAT -j ACCEPT
+ inet/filter/INPUT -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -m conntrack --ctstate DNAT -j ACCEPT
+ inet/nat/PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination 10.0.0.3:8022-8033
+ inet6/filter/FORWARD -i eth0 -p tcp --dport 22 -j ACCEPT
+ inet6/filter/INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
+
+Filter 4 {"conn-limit":2,"dnat":"10.0.0.4","in":"A","service":"https"}
+(filter-dnat)
+ inet/filter/FORWARD -i eth0 -p tcp --dport 443 -d 10.0.0.4 -m conntrack --ctstate DNAT -j limit-https-0
+ inet/filter/INPUT -i eth0 -p tcp --dport 443 -d 10.0.0.4 -m conntrack --ctstate DNAT -j limit-https-0
+ inet/filter/limit-https-0 -m recent --name limit-https-0 --rsource --mask 255.255.255.255 --update --hitcount 2 --seconds 1 -j logdrop-https-0
+ inet/filter/limit-https-0 -m recent --name limit-https-0 --rsource --mask 255.255.255.255 --set -j ACCEPT
+ inet/filter/logdrop-https-0 -m limit --limit 1/second -j LOG
+ inet/filter/logdrop-https-0 -j DROP
+ inet/nat/PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.0.0.4
+ inet6/filter/FORWARD -i eth0 -p tcp --dport 443 -j limit-https-0
+ inet6/filter/INPUT -i eth0 -p tcp --dport 443 -j limit-https-0
+ inet6/filter/limit-https-0 -m recent --name limit-https-0 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 2 --seconds 1 -j logdrop-https-0
+ inet6/filter/limit-https-0 -m recent --name limit-https-0 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
+ inet6/filter/logdrop-https-0 -m limit --limit 1/second -j LOG
+ inet6/filter/logdrop-https-0 -j DROP
+
+Filter 5 {"action":"pass","in":"_fw","log":"ulog"}
+(log)
+ inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG
+
+Filter 6 {"in":["_fw","A"]}
+(zone)
+ inet/filter/FORWARD -i eth0 -j ACCEPT
+ inet/filter/INPUT -i eth0 -j ACCEPT
+ inet/filter/OUTPUT -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -j ACCEPT
+ inet6/filter/INPUT -i eth0 -j ACCEPT
+ inet6/filter/OUTPUT -j ACCEPT
+
+Filter 7 {"in":"B","out":"C"}
+(zone)
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+
+Filter 8 {"out":["_fw","B"]}
+(zone)
+ inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/INPUT -j ACCEPT
+ inet/filter/OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet6/filter/FORWARD -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/INPUT -j ACCEPT
+ inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
+
+Filter 9 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
+(zone)
+ inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
Ipset awall-masquerade {"family":"inet","type":"hash:net"}
@@ -471,11 +487,14 @@ hash:net family inet
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
+:limit-https-0 - [0:0]
+:logdrop-https-0 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A FORWARD -i eth0 -p tcp --dport 25 -d 10.0.0.1 -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -m conntrack --ctstate DNAT -j ACCEPT
+-A FORWARD -i eth0 -p tcp --dport 443 -d 10.0.0.4 -m conntrack --ctstate DNAT -j limit-https-0
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
@@ -537,6 +556,7 @@ hash:net family inet
-A INPUT -i eth0 -p tcp --dport 25 -d 10.0.0.1 -m conntrack --ctstate DNAT -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -m conntrack --ctstate DNAT -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -m conntrack --ctstate DNAT -j ACCEPT
+-A INPUT -i eth0 -p tcp --dport 443 -d 10.0.0.4 -m conntrack --ctstate DNAT -j limit-https-0
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
@@ -550,6 +570,10 @@ hash:net family inet
-A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
+-A limit-https-0 -m recent --name limit-https-0 --rsource --mask 255.255.255.255 --update --hitcount 2 --seconds 1 -j logdrop-https-0
+-A limit-https-0 -m recent --name limit-https-0 --rsource --mask 255.255.255.255 --set -j ACCEPT
+-A logdrop-https-0 -m limit --limit 1/second -j LOG
+-A logdrop-https-0 -j DROP
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
@@ -578,6 +602,7 @@ COMMIT
-A PREROUTING -i eth0 -p tcp --dport 25 -d 192.168.0.1 -j DNAT --to-destination 10.0.0.1
-A PREROUTING -i eth0 -p tcp --dport 80 -d 192.168.0.2 -j DNAT --to-destination 10.0.0.2:8080
-A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination 10.0.0.3:8022-8033
+-A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.0.0.4
-A PREROUTING -i eth0 -j REDIRECT
-A PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT
-A masquerade -m set ! --match-set awall-masquerade dst -j MASQUERADE
@@ -597,9 +622,12 @@ COMMIT
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
+:limit-https-0 - [0:0]
+:logdrop-https-0 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -p icmpv6 -m conntrack --ctstate RELATED -j icmp-routing
-A FORWARD -i eth0 -p tcp --dport 22 -j ACCEPT
+-A FORWARD -i eth0 -p tcp --dport 443 -j limit-https-0
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
@@ -633,6 +661,7 @@ COMMIT
-A INPUT -p icmpv6 -m conntrack --ctstate RELATED -j icmp-routing
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
+-A INPUT -i eth0 -p tcp --dport 443 -j limit-https-0
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
@@ -646,6 +675,10 @@ COMMIT
-A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
+-A limit-https-0 -m recent --name limit-https-0 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 2 --seconds 1 -j logdrop-https-0
+-A limit-https-0 -m recent --name limit-https-0 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
+-A logdrop-https-0 -m limit --limit 1/second -j LOG
+-A logdrop-https-0 -j DROP
COMMIT
*mangle
:INPUT ACCEPT [0:0]
generated by cgit v1.2.3 (git 2.41.0) at 2024-04-24 01:06:25 +0000