# Generated by iptables-save v1.4.14 on Thu Oct 29 10:59:25 2015
#
# filter table. All three built-in chains default to DROP, so anything not
# matched by an explicit ACCEPT below is discarded (or REJECTed where noted).
# Interface roles as they appear in this dump: eth0.<N> are VLAN
# sub-interfaces carrying 192.168.<N>.x (see the iprange rules in the raw
# table); eth1 is the interface that is MASQUERADEd and bogon-filtered
# (presumably the uplink); tun0 is a tunnel interface (presumably a VPN,
# going by the invalid_vpn chain name).
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# User chains. bad-tcp, forward-protect, icmp-ratelimit, icmpv4-forward,
# icmpv4-input and limit_enemy carry rules below; dhcpv6, the icmpv6-*
# chains, ll, mc and mc-ll are declared but hold no rules in this (IPv4)
# dump -- presumably left over from a shared IPv4/IPv6 generator.
:bad-tcp - [0:0]
:dhcpv6 - [0:0]
:forward-protect - [0:0]
:icmp-ratelimit - [0:0]
:icmpv4-forward - [0:0]
:icmpv4-input - [0:0]
:icmpv6-forward - [0:0]
:icmpv6-input - [0:0]
:icmpv6-local - [0:0]
:icmpv6-related - [0:0]
:limit_enemy - [0:0]
:ll - [0:0]
:mc - [0:0]
:mc-ll - [0:0]
# --- INPUT: traffic addressed to this host ---
-A INPUT -i lo -j ACCEPT
# All ICMP is delegated to icmpv4-input (rate limit, then per-type policy).
-A INPUT -p icmp -j icmpv4-input
# Only ESTABLISHED is accepted wholesale here; RELATED is deliberately not,
# so a related non-ICMP flow has to match one of the explicit rules below.
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# New/related TCP is sanity-checked in bad-tcp; a bare SYN RETURNs here.
-A INPUT -m conntrack --ctstate NEW,RELATED --ctproto 6 -j bad-tcp
# DHCP (client port 68 -> server port 67) from the VLANs this host serves.
# VLANs 19 and 50 are not listed (spoof_vlan_19 in the raw table likewise
# has no DHCP exception).
-A INPUT -i eth0.10 -m conntrack --ctstate NEW --ctproto 17 --ctorigsrcport 68 --ctorigdstport 67 -j ACCEPT
-A INPUT -i eth0.11 -m conntrack --ctstate NEW --ctproto 17 --ctorigsrcport 68 --ctorigdstport 67 -j ACCEPT
-A INPUT -i eth0.12 -m conntrack --ctstate NEW --ctproto 17 --ctorigsrcport 68 --ctorigdstport 67 -j ACCEPT
-A INPUT -i eth0.13 -m conntrack --ctstate NEW --ctproto 17 --ctorigsrcport 68 --ctorigdstport 67 -j ACCEPT
-A INPUT -i eth0.14 -m conntrack --ctstate NEW --ctproto 17 --ctorigsrcport 68 --ctorigdstport 67 -j ACCEPT
-A INPUT -i eth0.20 -m conntrack --ctstate NEW --ctproto 17 --ctorigsrcport 68 --ctorigdstport 67 -j ACCEPT
-A INPUT -i eth0.21 -m conntrack --ctstate NEW --ctproto 17 --ctorigsrcport 68 --ctorigdstport 67 -j ACCEPT
-A INPUT -i eth0.22 -m conntrack --ctstate NEW --ctproto 17 --ctorigsrcport 68 --ctorigdstport 67 -j ACCEPT
-A INPUT -i eth0.23 -m conntrack --ctstate NEW --ctproto 17 --ctorigsrcport 68 --ctorigdstport 67 -j ACCEPT
-A INPUT -i eth0.24 -m conntrack --ctstate NEW --ctproto 17 --ctorigsrcport 68 --ctorigdstport 67 -j ACCEPT
# DNS (TCP and UDP 53) from VLANs 10, 11, 12, 14, 19, 20, 21 and 24. The
# port is matched on the conntrack original-direction tuple
# (--ctorigdstport) rather than with -m tcp / -m udp.
-A INPUT -i eth0.10 -m conntrack --ctstate NEW --ctproto 6 --ctorigdstport 53 -j ACCEPT
-A INPUT -i eth0.10 -m conntrack --ctstate NEW --ctproto 17 --ctorigdstport 53 -j ACCEPT
-A INPUT -i eth0.11 -m conntrack --ctstate NEW --ctproto 6 --ctorigdstport 53 -j ACCEPT
-A INPUT -i eth0.11 -m conntrack --ctstate NEW --ctproto 17 --ctorigdstport 53 -j ACCEPT
-A INPUT -i eth0.12 -m conntrack --ctstate NEW --ctproto 6 --ctorigdstport 53 -j ACCEPT
-A INPUT -i eth0.12 -m conntrack --ctstate NEW --ctproto 17 --ctorigdstport 53 -j ACCEPT
-A INPUT -i eth0.14 -m conntrack --ctstate NEW --ctproto 6 --ctorigdstport 53 -j ACCEPT
-A INPUT -i eth0.14 -m conntrack --ctstate NEW --ctproto 17 --ctorigdstport 53 -j ACCEPT
-A INPUT -i eth0.19 -m conntrack --ctstate NEW --ctproto 6 --ctorigdstport 53 -j ACCEPT
-A INPUT -i eth0.19 -m conntrack --ctstate NEW --ctproto 17 --ctorigdstport 53 -j ACCEPT
-A INPUT -i eth0.20 -m conntrack --ctstate NEW --ctproto 6 --ctorigdstport 53 -j ACCEPT
-A INPUT -i eth0.20 -m conntrack --ctstate NEW --ctproto 17 --ctorigdstport 53 -j ACCEPT
-A INPUT -i eth0.21 -m conntrack --ctstate NEW --ctproto 6 --ctorigdstport 53 -j ACCEPT
-A INPUT -i eth0.21 -m conntrack --ctstate NEW --ctproto 17 --ctorigdstport 53 -j ACCEPT
-A INPUT -i eth0.24 -m conntrack --ctstate NEW --ctproto 6 --ctorigdstport 53 -j ACCEPT
-A INPUT -i eth0.24 -m conntrack --ctstate NEW --ctproto 17 --ctorigdstport 53 -j ACCEPT
# SSH to this host from VLAN 50 only.
# NOTE(review): the raw table in this same dump sends every eth0.50 packet
# to spoof_vlan_50, which DROPs unconditionally, so as dumped this rule
# cannot be reached.
-A INPUT -i eth0.50 -m conntrack --ctstate NEW --ctproto 6 --ctorigdstport 22 -j ACCEPT
# Anything else arriving from a VLAN is rejected with port-unreachable;
# packets from eth1 or tun0 that reach this point fall through to the
# (silent) DROP policy instead.
-A INPUT -i eth0.+ -j REJECT --reject-with icmp-port-unreachable
# --- FORWARD: traffic routed between interfaces ---
-A FORWARD -p icmp -j icmpv4-forward
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
# New connections originating on VLAN 22 are rate/connection limited first;
# limit_enemy RETURNs when the source is within its limits.
-A FORWARD -i eth0.22 -m conntrack --ctstate NEW,RELATED -j limit_enemy
-A FORWARD -m conntrack --ctstate NEW,RELATED --ctproto 6 -j bad-tcp
# Inter-VLAN access, TCP only, per (source VLAN -> destination VLAN) pair.
# Well-known ports used: 139/445 SMB, 631 IPP, 9418 git, 22 SSH, 80 HTTP,
# 53 DNS; 4713 and 6543 are not identified here.
-A FORWARD -i eth0.12 -o eth0.10 -p tcp -m conntrack --ctstate NEW -m multiport --dports 139,445 -j ACCEPT
-A FORWARD -i eth0.13 -o eth0.10 -p tcp -m conntrack --ctstate NEW -m multiport --dports 139,445 -j ACCEPT
-A FORWARD -i eth0.11 -o eth0.10 -p tcp -m conntrack --ctstate NEW -m multiport --dports 139,445,631,9418 -j ACCEPT
-A FORWARD -i eth0.20 -o eth0.11 -p tcp -m conntrack --ctstate NEW -m multiport --dports 22,6543 -j ACCEPT
-A FORWARD -i eth0.10 -o eth0.11 -p tcp -m conntrack --ctstate NEW -m multiport --dports 139,445,631,9418 -j ACCEPT
-A FORWARD -i eth0.12 -o eth0.11 -p tcp -m conntrack --ctstate NEW -m multiport --dports 22,139,445 -j ACCEPT
-A FORWARD -i eth0.13 -o eth0.11 -p tcp -m conntrack --ctstate NEW -m multiport --dports 139,445 -j ACCEPT
-A FORWARD -i eth0.10 -o eth0.13 -p tcp -m conntrack --ctstate NEW -m multiport --dports 22,4713 -j ACCEPT
-A FORWARD -i eth0.11 -o eth0.13 -p tcp -m conntrack --ctstate NEW -m multiport --dports 22,80,4713 -j ACCEPT
-A FORWARD -i eth0.23 -o eth0.13 -p tcp -m conntrack --ctstate NEW -m multiport --dports 53,80 -j ACCEPT
-A FORWARD -i eth0.23 -o eth0.13 -p udp -m conntrack --ctstate NEW -m udp --dport 53 -j ACCEPT
# Unrestricted new outbound traffic to eth1 from VLANs 10, 11, 12, 14, 20,
# 21 and 24 (no protocol restriction, so forwarded pings pass here too).
# VLANs 13 and 22 are routed out through tun0 instead (see also the 0x1
# CONNMARK in the mangle table); VLAN 19 may only send UDP to a single
# host; VLAN 23 only reaches VLAN 13 (DNS/HTTP rules above).
-A FORWARD -i eth0.10 -o eth1 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i eth0.11 -o eth1 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i eth0.12 -o eth1 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i eth0.14 -o eth1 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i eth0.20 -o eth1 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i eth0.21 -o eth1 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i eth0.24 -o eth1 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i eth0.13 -o tun0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i eth0.22 -o tun0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i eth0.19 -o eth1 -m conntrack --ctstate NEW --ctproto 17 --ctorigdst 131.159.20.148 -j ACCEPT
# Inbound SSH from eth1 to two internal hosts, subject to the
# forward-protect per-source connection-rate check.
# NOTE(review): nat PREROUTING DNATs external TCP 24562 to
# 192.168.10.64:443, and no FORWARD rule accepts eth1 -> eth0.10 traffic to
# that host/port, so DNATed connections would hit the DROP policy -- unless
# addresses in this dump were altered before publication.
-A FORWARD -d 192.168.10.32/32 -i eth1 -o eth0.10 -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j forward-protect
-A FORWARD -d 192.168.11.32/32 -i eth1 -o eth0.11 -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j forward-protect
# --- OUTPUT: traffic originating on this host ---
-A OUTPUT -o lo -j ACCEPT
# Outgoing ICMP is rate limited (icmp-ratelimit RETURNs for packets under
# the limit) and then still has to match one of the rules below.
-A OUTPUT -p icmp -j icmp-ratelimit
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Processes running as root (uid 0) may open any new connection.
-A OUTPUT -m conntrack --ctstate NEW -m owner --uid-owner 0 -j ACCEPT
# uid 104 may make DNS queries (UDP and TCP 53) via eth1; uid 105 may speak
# NTP (UDP 123, unprivileged source port) via eth1. Which accounts these
# are (presumably the resolver and NTP daemons) is not recoverable from this
# file. Every other local user is denied new outbound connections by the
# DROP policy.
-A OUTPUT -o eth1 -m owner --uid-owner 104 -m conntrack --ctstate NEW --ctproto 17 --ctorigdstport 53 -j ACCEPT
-A OUTPUT -o eth1 -m owner --uid-owner 104 -m conntrack --ctstate NEW --ctproto 6 --ctorigdstport 53 -j ACCEPT
-A OUTPUT -o eth1 -p udp -m conntrack --ctstate NEW -m owner --uid-owner 105 -m udp --sport 1024:65535 --dport 123 -j ACCEPT
# --- bad-tcp: handshake sanity for NEW/RELATED TCP packets ---
# A packet with SYN+ACK both set that does not belong to a tracked
# connection is answered with a RST; any other new packet that is not a
# bare SYN (considering the FIN/SYN/RST/ACK bits) is dropped silently. A
# bare SYN falls off the end of the chain and RETURNs to the caller.
-A bad-tcp -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -j REJECT --reject-with tcp-reset
-A bad-tcp -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
# --- forward-protect: per-source rate limit for inbound SSH forwards ---
# Each packet reaching the chain is first recorded in the "forward-protect"
# recent list (--set also refreshes the entry), then dropped if its source
# accumulated 42 hits within 770 s or 348 hits within 17123 s, otherwise
# accepted.
# NOTE(review): xt_recent only remembers ip_pkt_list_tot timestamps per
# address (20 by default) and newer kernels cap --hitcount below 256, so
# these hitcounts only load with the module parameter raised -- verify on
# the target kernel before reusing this chain.
-A forward-protect -m recent --set --name forward-protect --rsource
-A forward-protect -m recent --rcheck --seconds 770 --hitcount 42 --name forward-protect --rsource -j DROP
-A forward-protect -m recent --rcheck --seconds 17123 --hitcount 348 --name forward-protect --rsource -j DROP
-A forward-protect -j ACCEPT
# --- icmp-ratelimit: shared ICMP flood limit ---
# Called from OUTPUT, icmpv4-input and icmpv4-forward with the same
# --hashlimit-name values, so the per-source and per-destination counters
# are shared across all three paths. Addresses above the rate (burst 5) are
# dropped; everything else RETURNs to the caller.
# NOTE(review): the 1000/sec rules are subsumed by the 125/sec rules that
# follow (anything above 1000/s is also above 125/s), and each pair reuses
# the same table name with a different rate -- how the kernel reconciles
# the two configurations on one table is worth verifying.
-A icmp-ratelimit -m hashlimit --hashlimit-above 1000/sec --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name limit-icmp-src- -j DROP
-A icmp-ratelimit -m hashlimit --hashlimit-above 1000/sec --hashlimit-burst 5 --hashlimit-mode dstip --hashlimit-name limit-icmp-dst- -j DROP
-A icmp-ratelimit -m hashlimit --hashlimit-above 125/sec --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name limit-icmp-src- -j DROP
-A icmp-ratelimit -m hashlimit --hashlimit-above 125/sec --hashlimit-burst 5 --hashlimit-mode dstip --hashlimit-name limit-icmp-dst- -j DROP
# --- icmpv4-forward: ICMP routed between interfaces ---
# After the rate limit: ICMP RELATED to a tracked connection (errors) is
# accepted, echo replies of an established ping are accepted, echo requests
# RETURN to FORWARD so the normal per-VLAN rules decide, and every other
# ICMP type is dropped.
-A icmpv4-forward -j icmp-ratelimit
-A icmpv4-forward -m conntrack --ctstate RELATED -j ACCEPT
-A icmpv4-forward -p icmp -m icmp --icmp-type 0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A icmpv4-forward -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW,ESTABLISHED -j RETURN
-A icmpv4-forward -j DROP
# --- icmpv4-input: ICMP addressed to this host ---
# After the rate limit: related/established ICMP and new echo requests are
# accepted on every interface (the host answers ping from eth1 as well);
# all other ICMP types are dropped.
-A icmpv4-input -p icmp -j icmp-ratelimit
-A icmpv4-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A icmpv4-input -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A icmpv4-input -j DROP
# --- limit_enemy: new-connection throttle for sources on VLAN 22 ---
# Drops a source that opens more than 20 new connections/s (burst 14497,
# hashlimit entries expire after 31991 ms) or that holds more than 6298
# tracked connections; the latter also places the source on the "limited"
# recent list, which the raw table (PREROUTING on eth0.22) uses to throttle
# all further packets from it. A source within both limits is removed from
# "limited" (the last rule has no target) and the chain RETURNs.
-A limit_enemy -m hashlimit --hashlimit-above 20/sec --hashlimit-burst 14497 --hashlimit-mode srcip --hashlimit-name newconnections --hashlimit-htable-expire 31991 -j DROP
-A limit_enemy -m connlimit --connlimit-above 6298 --connlimit-mask 32 --connlimit-saddr -m recent --set --name limited --rsource -j DROP
-A limit_enemy -m recent --remove --name limited --rsource
COMMIT
# Completed on Thu Oct 29 10:59:25 2015
# Generated by iptables-save v1.4.14 on Thu Oct 29 10:59:25 2015
#
# nat table: one inbound port forward plus source NAT for everything that
# leaves through eth1 or tun0.
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
# Inbound TCP 24562 on eth1 is DNATed to an internal host on port 443.
# NOTE(review): the two rules have identical matches, so the second one
# (to 192.168.11.64) can never be reached; if both targets were intended,
# the second rule needs a different --dport or another distinguishing
# match. The filter FORWARD chain as dumped also has no ACCEPT for the
# DNATed destination, so this forward would be dropped there.
-A PREROUTING -i eth1 -p tcp -m conntrack --ctstate NEW -m tcp --dport 24562 -j DNAT --to-destination 192.168.10.64:443
-A PREROUTING -i eth1 -p tcp -m conntrack --ctstate NEW -m tcp --dport 24562 -j DNAT --to-destination 192.168.11.64:443
# Masquerade everything leaving via eth1 or tun0. TCP and UDP are rewritten
# to source ports 1024-65535; the third rule of each group covers the
# remaining protocols (e.g. ICMP), which have no port range.
-A POSTROUTING -o eth1 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -o eth1 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o tun0 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -o tun0 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
# Completed on Thu Oct 29 10:59:25 2015
# Generated by iptables-save v1.4.14 on Thu Oct 29 10:59:25 2015
#
# mangle table: connection marking by ingress VLAN plus MSS clamping on
# tun0. Marks are set on the first packet of a connection and copied back
# onto every later packet by --restore-mark. What consumes the packet mark
# (presumably policy routing via ip rule) is outside this file.
*mangle
:PREROUTING ACCEPT
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
# Bits 0xff00 carry the ingress VLAN id for VLANs 10 and 11 (0xa = 10,
# 0xb = 11); the other VLANs are not marked this way.
-A PREROUTING -i eth0.10 -m conntrack --ctstate NEW,RELATED -j CONNMARK --set-xmark 0xa00/0xff00
-A PREROUTING -i eth0.11 -m conntrack --ctstate NEW,RELATED -j CONNMARK --set-xmark 0xb00/0xff00
# Bit 0x1 marks connections from VLANs 13 and 22 to destinations outside
# 192.168.0.0/16 -- the two VLANs whose traffic the filter table forwards
# via tun0 rather than eth1.
-A PREROUTING ! -d 192.168.0.0/16 -i eth0.13 -m conntrack --ctstate NEW,RELATED -j CONNMARK --set-xmark 0x1/0x1
-A PREROUTING ! -d 192.168.0.0/16 -i eth0.22 -m conntrack --ctstate NEW,RELATED -j CONNMARK --set-xmark 0x1/0x1
# Copy the full connection mark onto every packet arriving on any VLAN.
-A PREROUTING -i eth0.+ -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
# Clamp the TCP MSS of connections leaving through the tunnel to the path
# MTU (tunnel overhead shrinks the usable MTU).
-A POSTROUTING -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Oct 29 10:59:25 2015
# Generated by iptables-save v1.4.14 on Thu Oct 29 10:59:25 2015
#
# raw table (evaluated before connection tracking and before nat): loopback
# is left untracked, every other ingress interface is dispatched to a
# source-address validation chain.
*raw
:PREROUTING ACCEPT
:OUTPUT ACCEPT
# invalid_ext / invalid_vpn drop reserved and non-routable ranges on eth1
# and tun0; spoof_vlan_N enforces the expected source addresses on VLAN N.
:invalid_ext -
:invalid_vpn -
:spoof_vlan_10 -
:spoof_vlan_11 -
:spoof_vlan_12 -
:spoof_vlan_13 -
:spoof_vlan_14 -
:spoof_vlan_19 -
:spoof_vlan_20 -
:spoof_vlan_21 -
:spoof_vlan_22 -
:spoof_vlan_23 -
:spoof_vlan_24 -
:spoof_vlan_50 -
-A PREROUTING -i lo -j CT --notrack
# Per-interface dispatch; each chain RETURNs for acceptable sources and
# DROPs the rest.
-A PREROUTING -i eth0.10 -j spoof_vlan_10
-A PREROUTING -i eth0.11 -j spoof_vlan_11
-A PREROUTING -i eth0.12 -j spoof_vlan_12
-A PREROUTING -i eth0.13 -j spoof_vlan_13
-A PREROUTING -i eth0.14 -j spoof_vlan_14
-A PREROUTING -i eth0.19 -j spoof_vlan_19
-A PREROUTING -i eth0.20 -j spoof_vlan_20
-A PREROUTING -i eth0.21 -j spoof_vlan_21
-A PREROUTING -i eth0.22 -j spoof_vlan_22
-A PREROUTING -i eth0.23 -j spoof_vlan_23
-A PREROUTING -i eth0.24 -j spoof_vlan_24
-A PREROUTING -i eth0.50 -j spoof_vlan_50
-A PREROUTING -i eth1 -j invalid_ext
-A PREROUTING -i tun0 -j invalid_vpn
# Sources on VLAN 22 that limit_enemy (filter table) placed on the
# "limited" recent list are throttled to 10 packets/s (burst 5). Because
# this runs in raw, it applies to packets of established connections too,
# not only to new ones.
-A PREROUTING -i eth0.22 -m recent --rcheck --name limited --rsource -m hashlimit --hashlimit-above 10/sec --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name limited_packets -j DROP
-A OUTPUT -o lo -j CT --notrack
# --- invalid_ext: reserved / non-routable ranges must appear neither as
# source nor as destination on eth1 (RFC 1918, link-local, shared address
# space 100.64/10, 192.0.0/24, TEST-NETs, 6to4 relay 192.88.99/24,
# benchmarking 198.18/15, multicast, class E, limited broadcast).
# raw runs before nat PREROUTING, so the -d 192.168.0.0/16 rule does not
# interfere with the DNAT targets. 192.0.0.0/29 lies inside 192.0.0.0/24,
# so its two rules are already covered by the pair before them.
-A invalid_ext -s 0.0.0.0/8 -j DROP
-A invalid_ext -d 0.0.0.0/8 -j DROP
-A invalid_ext -s 10.0.0.0/8 -j DROP
-A invalid_ext -d 10.0.0.0/8 -j DROP
-A invalid_ext -s 100.64.0.0/10 -j DROP
-A invalid_ext -d 100.64.0.0/10 -j DROP
-A invalid_ext -s 127.0.0.0/8 -j DROP
-A invalid_ext -d 127.0.0.0/8 -j DROP
-A invalid_ext -s 169.254.0.0/16 -j DROP
-A invalid_ext -d 169.254.0.0/16 -j DROP
-A invalid_ext -s 172.16.0.0/12 -j DROP
-A invalid_ext -d 172.16.0.0/12 -j DROP
-A invalid_ext -s 192.0.0.0/24 -j DROP
-A invalid_ext -d 192.0.0.0/24 -j DROP
-A invalid_ext -s 192.0.0.0/29 -j DROP
-A invalid_ext -d 192.0.0.0/29 -j DROP
-A invalid_ext -s 192.0.2.0/24 -j DROP
-A invalid_ext -d 192.0.2.0/24 -j DROP
-A invalid_ext -s 192.88.99.0/24 -j DROP
-A invalid_ext -d 192.88.99.0/24 -j DROP
-A invalid_ext -s 192.168.0.0/16 -j DROP
-A invalid_ext -d 192.168.0.0/16 -j DROP
-A invalid_ext -s 198.18.0.0/15 -j DROP
-A invalid_ext -d 198.18.0.0/15 -j DROP
-A invalid_ext -s 198.51.100.0/24 -j DROP
-A invalid_ext -d 198.51.100.0/24 -j DROP
-A invalid_ext -s 203.0.113.0/24 -j DROP
-A invalid_ext -d 203.0.113.0/24 -j DROP
-A invalid_ext -s 224.0.0.0/4 -j DROP
-A invalid_ext -d 224.0.0.0/4 -j DROP
-A invalid_ext -s 240.0.0.0/4 -j DROP
-A invalid_ext -d 240.0.0.0/4 -j DROP
-A invalid_ext -s 255.255.255.255/32 -j DROP
-A invalid_ext -d 255.255.255.255/32 -j DROP
# --- invalid_vpn: the same list as invalid_ext, except that 10.0.0.0/8 is
# allowed on tun0 (presumably the tunnel's own address range -- not
# recoverable from this file). The redundant 192.0.0.0/29 pair is repeated.
-A invalid_vpn -s 0.0.0.0/8 -j DROP
-A invalid_vpn -d 0.0.0.0/8 -j DROP
-A invalid_vpn -s 100.64.0.0/10 -j DROP
-A invalid_vpn -d 100.64.0.0/10 -j DROP
-A invalid_vpn -s 127.0.0.0/8 -j DROP
-A invalid_vpn -d 127.0.0.0/8 -j DROP
-A invalid_vpn -s 169.254.0.0/16 -j DROP
-A invalid_vpn -d 169.254.0.0/16 -j DROP
-A invalid_vpn -s 172.16.0.0/12 -j DROP
-A invalid_vpn -d 172.16.0.0/12 -j DROP
-A invalid_vpn -s 192.0.0.0/24 -j DROP
-A invalid_vpn -d 192.0.0.0/24 -j DROP
-A invalid_vpn -s 192.0.0.0/29 -j DROP
-A invalid_vpn -d 192.0.0.0/29 -j DROP
-A invalid_vpn -s 192.0.2.0/24 -j DROP
-A invalid_vpn -d 192.0.2.0/24 -j DROP
-A invalid_vpn -s 192.88.99.0/24 -j DROP
-A invalid_vpn -d 192.88.99.0/24 -j DROP
-A invalid_vpn -s 192.168.0.0/16 -j DROP
-A invalid_vpn -d 192.168.0.0/16 -j DROP
-A invalid_vpn -s 198.18.0.0/15 -j DROP
-A invalid_vpn -d 198.18.0.0/15 -j DROP
-A invalid_vpn -s 198.51.100.0/24 -j DROP
-A invalid_vpn -d 198.51.100.0/24 -j DROP
-A invalid_vpn -s 203.0.113.0/24 -j DROP
-A invalid_vpn -d 203.0.113.0/24 -j DROP
-A invalid_vpn -s 224.0.0.0/4 -j DROP
-A invalid_vpn -d 224.0.0.0/4 -j DROP
-A invalid_vpn -s 240.0.0.0/4 -j DROP
-A invalid_vpn -d 240.0.0.0/4 -j DROP
-A invalid_vpn -s 255.255.255.255/32 -j DROP
-A invalid_vpn -d 255.255.255.255/32 -j DROP
# --- spoof_vlan_N: a packet from VLAN N must either be a DHCP request from
# the unconfigured address 0.0.0.0 to the broadcast address (client port
# 68 -> server port 67), or carry a source in 192.168.N.1-192.168.N.191
# (the upper part of each /24 is deliberately excluded); anything else is
# dropped. The -i eth0.N inside each chain is redundant with the
# PREROUTING dispatch above. spoof_vlan_19 has no DHCP exception, and
# spoof_vlan_50 drops unconditionally -- which also makes the filter
# table's SSH-from-eth0.50 rule unreachable.
-A spoof_vlan_10 -s 0.0.0.0/32 -i eth0.10 -p udp -m addrtype --dst-type BROADCAST -m pkttype --pkt-type broadcast -m udp --sport 68 --dport 67 -j RETURN
-A spoof_vlan_10 -m iprange --src-range 192.168.10.1-192.168.10.191 -j RETURN
-A spoof_vlan_10 -j DROP
-A spoof_vlan_11 -s 0.0.0.0/32 -i eth0.11 -p udp -m addrtype --dst-type BROADCAST -m pkttype --pkt-type broadcast -m udp --sport 68 --dport 67 -j RETURN
-A spoof_vlan_11 -m iprange --src-range 192.168.11.1-192.168.11.191 -j RETURN
-A spoof_vlan_11 -j DROP
-A spoof_vlan_12 -s 0.0.0.0/32 -i eth0.12 -p udp -m addrtype --dst-type BROADCAST -m pkttype --pkt-type broadcast -m udp --sport 68 --dport 67 -j RETURN
-A spoof_vlan_12 -m iprange --src-range 192.168.12.1-192.168.12.191 -j RETURN
-A spoof_vlan_12 -j DROP
-A spoof_vlan_13 -s 0.0.0.0/32 -i eth0.13 -p udp -m addrtype --dst-type BROADCAST -m pkttype --pkt-type broadcast -m udp --sport 68 --dport 67 -j RETURN
-A spoof_vlan_13 -m iprange --src-range 192.168.13.1-192.168.13.191 -j RETURN
-A spoof_vlan_13 -j DROP
-A spoof_vlan_14 -s 0.0.0.0/32 -i eth0.14 -p udp -m addrtype --dst-type BROADCAST -m pkttype --pkt-type broadcast -m udp --sport 68 --dport 67 -j RETURN
-A spoof_vlan_14 -m iprange --src-range 192.168.14.1-192.168.14.191 -j RETURN
-A spoof_vlan_14 -j DROP
-A spoof_vlan_19 -m iprange --src-range 192.168.19.1-192.168.19.191 -j RETURN
-A spoof_vlan_19 -j DROP
-A spoof_vlan_20 -s 0.0.0.0/32 -i eth0.20 -p udp -m addrtype --dst-type BROADCAST -m pkttype --pkt-type broadcast -m udp --sport 68 --dport 67 -j RETURN
-A spoof_vlan_20 -m iprange --src-range 192.168.20.1-192.168.20.191 -j RETURN
-A spoof_vlan_20 -j DROP
-A spoof_vlan_21 -s 0.0.0.0/32 -i eth0.21 -p udp -m addrtype --dst-type BROADCAST -m pkttype --pkt-type broadcast -m udp --sport 68 --dport 67 -j RETURN
-A spoof_vlan_21 -m iprange --src-range 192.168.21.1-192.168.21.191 -j RETURN
-A spoof_vlan_21 -j DROP
-A spoof_vlan_22 -s 0.0.0.0/32 -i eth0.22 -p udp -m addrtype --dst-type BROADCAST -m pkttype --pkt-type broadcast -m udp --sport 68 --dport 67 -j RETURN
-A spoof_vlan_22 -m iprange --src-range 192.168.22.1-192.168.22.191 -j RETURN
-A spoof_vlan_22 -j DROP
-A spoof_vlan_23 -s 0.0.0.0/32 -i eth0.23 -p udp -m addrtype --dst-type BROADCAST -m pkttype --pkt-type broadcast -m udp --sport 68 --dport 67 -j RETURN
-A spoof_vlan_23 -m iprange --src-range 192.168.23.1-192.168.23.191 -j RETURN
-A spoof_vlan_23 -j DROP
-A spoof_vlan_24 -s 0.0.0.0/32 -i eth0.24 -p udp -m addrtype --dst-type BROADCAST -m pkttype --pkt-type broadcast -m udp --sport 68 --dport 67 -j RETURN
-A spoof_vlan_24 -m iprange --src-range 192.168.24.1-192.168.24.191 -j RETURN
-A spoof_vlan_24 -j DROP
-A spoof_vlan_50 -j DROP
COMMIT
# Completed on Thu Oct 29 10:59:25 2015
