Diffstat (limited to 'test/output/filter-dnat/dump')
-rw-r--r-- | test/output/filter-dnat/dump | 267 |
1 files changed, 150 insertions, 117 deletions
diff --git a/test/output/filter-dnat/dump b/test/output/filter-dnat/dump index 54b5da8..a146fc5 100644 --- a/test/output/filter-dnat/dump +++ b/test/output/filter-dnat/dump 
@@ -12,123 +12,139 @@ Dnat 2 {"in":"B"} inet/nat/PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT -Filter 1 {"dest":"192.168.0.1","dnat":"10.0.0.1","in":"A","service":"smtp"} -(filter-dnat) - inet/filter/FORWARD -i eth0 -p tcp --dport 25 -d 10.0.0.1 -m conntrack --ctstate DNAT -j ACCEPT - inet/filter/INPUT -i eth0 -p tcp --dport 25 -d 10.0.0.1 -m conntrack --ctstate DNAT -j ACCEPT - inet/nat/PREROUTING -i eth0 -p tcp --dport 25 -d 192.168.0.1 -j DNAT --to-destination 10.0.0.1 - -Filter 2 {"dest":"192.168.0.2","dnat":{"addr":"10.0.0.2","port":8080},"in":"A","service":"http"} -(filter-dnat) - inet/filter/FORWARD -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -m conntrack --ctstate DNAT -j ACCEPT - inet/filter/INPUT -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -m conntrack --ctstate DNAT -j ACCEPT - inet/nat/PREROUTING -i eth0 -p tcp --dport 80 -d 192.168.0.2 -j DNAT --to-destination 10.0.0.2:8080 - -Filter 3 {"dnat":{"addr":"10.0.0.3","port":"8022-8033"},"in":"A","service":"ssh"} -(filter-dnat) - inet/filter/FORWARD -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -m conntrack --ctstate DNAT -j ACCEPT - inet/filter/INPUT -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -m conntrack --ctstate DNAT -j ACCEPT - inet/nat/PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination 10.0.0.3:8022-8033 - inet6/filter/FORWARD -i eth0 -p tcp --dport 22 -j ACCEPT - inet6/filter/INPUT -i eth0 -p tcp --dport 22 -j ACCEPT - -Filter 4 {"action":"pass","in":"_fw","log":"ulog"} -(log) - inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG - -Filter 5 {"in":["_fw","A"]} -(zone) - inet/filter/FORWARD -i eth0 -j ACCEPT - inet/filter/INPUT -i eth0 -j ACCEPT - inet/filter/OUTPUT -j ACCEPT - inet6/filter/FORWARD -i eth0 -j ACCEPT - inet6/filter/INPUT -i eth0 -j ACCEPT - inet6/filter/OUTPUT -j ACCEPT - -Filter 6 {"in":"B","out":"C"} -(zone) - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT - -Filter 7 
{"out":["_fw","B"]} -(zone) - inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/INPUT -j ACCEPT - inet/filter/OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet6/filter/FORWARD -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/INPUT -j ACCEPT - inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT - -Filter 8 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]} -(zone) - inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth0 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth0 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -m 
policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth0 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth0 -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth4 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth4 -j ACCEPT - inet/filter/FORWARD -i eth5 -o eth5 -j ACCEPT - inet/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT - inet/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/FORWARD -i eth0 -o eth4 -j ACCEPT - inet6/filter/FORWARD -i eth0 -o eth5 -j ACCEPT - inet6/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT - inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT - inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT - inet6/filter/FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/FORWARD -i eth4 -o eth0 -j ACCEPT - inet6/filter/FORWARD -i eth5 -o 
eth0 -j ACCEPT - inet6/filter/FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/FORWARD -i eth4 -o eth4 -j ACCEPT - inet6/filter/FORWARD -i eth4 -o eth5 -j ACCEPT - inet6/filter/FORWARD -i eth5 -o eth4 -j ACCEPT - inet6/filter/FORWARD -i eth5 -o eth5 -j ACCEPT - inet6/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT - inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT - inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT - inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT - inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT - inet6/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT +Filter 1 {"dest":"192.168.0.1","dnat":"10.0.0.1","in":"A","service":"smtp"} +(filter-dnat) + inet/filter/FORWARD -i eth0 -p tcp --dport 25 -d 10.0.0.1 -m conntrack --ctstate DNAT -j ACCEPT + inet/filter/INPUT -i eth0 -p tcp --dport 25 -d 10.0.0.1 -m conntrack --ctstate DNAT -j ACCEPT + inet/nat/PREROUTING -i eth0 -p tcp --dport 25 -d 192.168.0.1 -j DNAT --to-destination 10.0.0.1 + +Filter 2 {"dest":"192.168.0.2","dnat":{"addr":"10.0.0.2","port":8080},"in":"A","service":"http"} +(filter-dnat) + inet/filter/FORWARD -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -m conntrack --ctstate DNAT -j ACCEPT + inet/filter/INPUT -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -m conntrack --ctstate DNAT -j ACCEPT + inet/nat/PREROUTING -i eth0 -p tcp --dport 80 -d 192.168.0.2 -j DNAT --to-destination 10.0.0.2:8080 + +Filter 3 {"dnat":{"addr":"10.0.0.3","port":"8022-8033"},"in":"A","service":"ssh"} +(filter-dnat) + inet/filter/FORWARD -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -m conntrack --ctstate DNAT -j ACCEPT + inet/filter/INPUT -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -m conntrack --ctstate DNAT -j ACCEPT + 
inet/nat/PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination 10.0.0.3:8022-8033 + inet6/filter/FORWARD -i eth0 -p tcp --dport 22 -j ACCEPT + inet6/filter/INPUT -i eth0 -p tcp --dport 22 -j ACCEPT + +Filter 4 {"conn-limit":2,"dnat":"10.0.0.4","in":"A","service":"https"} +(filter-dnat) + inet/filter/FORWARD -i eth0 -p tcp --dport 443 -d 10.0.0.4 -m conntrack --ctstate DNAT -j limit-https-0 + inet/filter/INPUT -i eth0 -p tcp --dport 443 -d 10.0.0.4 -m conntrack --ctstate DNAT -j limit-https-0 + inet/filter/limit-https-0 -m recent --name limit-https-0 --rsource --mask 255.255.255.255 --update --hitcount 2 --seconds 1 -j logdrop-https-0 + inet/filter/limit-https-0 -m recent --name limit-https-0 --rsource --mask 255.255.255.255 --set -j ACCEPT + inet/filter/logdrop-https-0 -m limit --limit 1/second -j LOG + inet/filter/logdrop-https-0 -j DROP + inet/nat/PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.0.0.4 + inet6/filter/FORWARD -i eth0 -p tcp --dport 443 -j limit-https-0 + inet6/filter/INPUT -i eth0 -p tcp --dport 443 -j limit-https-0 + inet6/filter/limit-https-0 -m recent --name limit-https-0 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 2 --seconds 1 -j logdrop-https-0 + inet6/filter/limit-https-0 -m recent --name limit-https-0 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT + inet6/filter/logdrop-https-0 -m limit --limit 1/second -j LOG + inet6/filter/logdrop-https-0 -j DROP + +Filter 5 {"action":"pass","in":"_fw","log":"ulog"} +(log) + inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG + +Filter 6 {"in":["_fw","A"]} +(zone) + inet/filter/FORWARD -i eth0 -j ACCEPT + inet/filter/INPUT -i eth0 -j ACCEPT + inet/filter/OUTPUT -j ACCEPT + inet6/filter/FORWARD -i eth0 -j ACCEPT + inet6/filter/INPUT -i eth0 -j ACCEPT + inet6/filter/OUTPUT -j ACCEPT + +Filter 7 {"in":"B","out":"C"} +(zone) + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD 
-i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT + +Filter 8 {"out":["_fw","B"]} +(zone) + inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/INPUT -j ACCEPT + inet/filter/OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet6/filter/FORWARD -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/INPUT -j ACCEPT + inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT + +Filter 9 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]} +(zone) + inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth0 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth0 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol 
ipsec -j ACCEPT + inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth0 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth4 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth4 -j ACCEPT + inet/filter/FORWARD -i eth5 -o eth5 -j ACCEPT + inet/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT + inet/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/FORWARD -i eth0 -o eth4 -j ACCEPT + inet6/filter/FORWARD -i eth0 -o eth5 -j ACCEPT + inet6/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT + inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT + inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT + inet6/filter/FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT + 
inet6/filter/FORWARD -i eth4 -o eth0 -j ACCEPT + inet6/filter/FORWARD -i eth5 -o eth0 -j ACCEPT + inet6/filter/FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/FORWARD -i eth4 -o eth4 -j ACCEPT + inet6/filter/FORWARD -i eth4 -o eth5 -j ACCEPT + inet6/filter/FORWARD -i eth5 -o eth4 -j ACCEPT + inet6/filter/FORWARD -i eth5 -o eth5 -j ACCEPT + inet6/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT + inet6/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT Ipset awall-masquerade {"family":"inet","type":"hash:net"} @@ -471,11 +487,14 @@ hash:net family inet :INPUT DROP [0:0] :OUTPUT DROP [0:0] :icmp-routing - [0:0] +:limit-https-0 - [0:0] +:logdrop-https-0 - [0:0] -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT -A FORWARD -p icmp -m conntrack --ctstate RELATED -j icmp-routing -A FORWARD -i eth0 -p tcp --dport 25 -d 10.0.0.1 -m conntrack --ctstate DNAT -j ACCEPT -A FORWARD -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -m conntrack --ctstate DNAT -j ACCEPT -A FORWARD -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -m conntrack --ctstate DNAT -j ACCEPT +-A FORWARD -i eth0 -p tcp --dport 443 -d 10.0.0.4 -m conntrack --ctstate DNAT -j limit-https-0 -A FORWARD -i eth0 -j ACCEPT -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT 
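Review bot: The new Filter 4 expectation exercises conn-limit only with a plain `"dnat":"10.0.0.4"` and no port rewrite, so the filter-side `--dport 443` and the nat-side `--dport 443` coincide and the fixture cannot tell which port the `limit-https-0` chain is keyed on. Filters 2 and 3 already cover `"port":8080` and `"port":"8022-8033"` rewrites, where the filter rules match the rewritten port; a conn-limit case on one of those would pin that the limit chain also keys on the post-DNAT port. It may also help readers of this dump that the `-m recent` rules see only new connections because of the earlier `-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT` rule visible in the later hunks, not because of an explicit `--ctstate NEW`; whether that is the intended conn-limit semantics is not visible in this file.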
@@ -537,6 +556,7 @@ hash:net family inet
 -A INPUT -i eth0 -p tcp --dport 25 -d 10.0.0.1 -m conntrack --ctstate DNAT -j ACCEPT
 -A INPUT -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -m conntrack --ctstate DNAT -j ACCEPT
 -A INPUT -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -m conntrack --ctstate DNAT -j ACCEPT
+-A INPUT -i eth0 -p tcp --dport 443 -d 10.0.0.4 -m conntrack --ctstate DNAT -j limit-https-0
 -A INPUT -i eth0 -j ACCEPT
 -A INPUT -j ACCEPT
 -A INPUT -p icmp -j icmp-routing
@@ -550,6 +570,10 @@ hash:net family inet
 -A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
 -A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
 -A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
+-A limit-https-0 -m recent --name limit-https-0 --rsource --mask 255.255.255.255 --update --hitcount 2 --seconds 1 -j logdrop-https-0
+-A limit-https-0 -m recent --name limit-https-0 --rsource --mask 255.255.255.255 --set -j ACCEPT
+-A logdrop-https-0 -m limit --limit 1/second -j LOG
+-A logdrop-https-0 -j DROP
 COMMIT
 *mangle
 :FORWARD ACCEPT [0:0]
@@ -578,6 +602,7 @@ COMMIT
 -A PREROUTING -i eth0 -p tcp --dport 25 -d 192.168.0.1 -j DNAT --to-destination 10.0.0.1
 -A PREROUTING -i eth0 -p tcp --dport 80 -d 192.168.0.2 -j DNAT --to-destination 10.0.0.2:8080
 -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination 10.0.0.3:8022-8033
+-A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.0.0.4
 -A PREROUTING -i eth0 -j REDIRECT
 -A PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT
 -A masquerade -m set ! --match-set awall-masquerade dst -j MASQUERADE
@@ -597,9 +622,12 @@ COMMIT
 :INPUT DROP [0:0]
 :OUTPUT DROP [0:0]
 :icmp-routing - [0:0]
+:limit-https-0 - [0:0]
+:logdrop-https-0 - [0:0]
 -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
 -A FORWARD -p icmpv6 -m conntrack --ctstate RELATED -j icmp-routing
 -A FORWARD -i eth0 -p tcp --dport 22 -j ACCEPT
+-A FORWARD -i eth0 -p tcp --dport 443 -j limit-https-0
 -A FORWARD -i eth0 -j ACCEPT
 -A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
 -A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
@@ -633,6 +661,7 @@ COMMIT
 -A INPUT -p icmpv6 -m conntrack --ctstate RELATED -j icmp-routing
 -A INPUT -i lo -j ACCEPT
 -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
+-A INPUT -i eth0 -p tcp --dport 443 -j limit-https-0
 -A INPUT -i eth0 -j ACCEPT
 -A INPUT -j ACCEPT
 -A INPUT -p icmpv6 -j ACCEPT
@@ -646,6 +675,10 @@ COMMIT
 -A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
 -A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT
 -A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
+-A limit-https-0 -m recent --name limit-https-0 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 2 --seconds 1 -j logdrop-https-0
+-A limit-https-0 -m recent --name limit-https-0 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
+-A logdrop-https-0 -m limit --limit 1/second -j LOG
+-A logdrop-https-0 -j DROP
 COMMIT
 *mangle
 :INPUT ACCEPT [0:0] |