diff --git a/test/mandatory/filter-limit.json b/test/mandatory/filter-limit.json
new file mode 100644
index 0000000000000000000000000000000000000000..a2fd1de047f4e11a13eb658a710951b95930be3e
--- /dev/null
+++ b/test/mandatory/filter-limit.json
@@ -0,0 +1,41 @@
+{
+ "filter": [
+ { "conn-limit": 1 },
+ { "conn-limit": 1, "action": "pass" },
+ { "conn-limit": 1, "log": true },
+ { "conn-limit": 1, "log": true, "action": "pass" },
+ { "conn-limit": { "count": 1, "log": false } },
+ { "conn-limit": { "count": 1, "log": false }, "action": "pass" },
+ { "conn-limit": { "count": 1, "log": false }, "log": true },
+ {
+ "conn-limit": { "count": 1, "log": false },
+ "log": true,
+ "action": "pass"
+ },
+ { "conn-limit": 30 },
+ { "conn-limit": 30, "action": "pass" },
+ { "conn-limit": 30, "log": true },
+ { "conn-limit": { "count": 30, "log": false } },
+ { "conn-limit": { "count": 30, "log": false }, "action": "pass" },
+ { "conn-limit": { "count": 30, "log": false }, "log": true },
+
+ { "flow-limit": 1 },
+ { "flow-limit": 1, "action": "pass" },
+ { "flow-limit": 1, "log": true },
+ { "flow-limit": 1, "log": true, "action": "pass" },
+ { "flow-limit": { "count": 1, "log": false } },
+ { "flow-limit": { "count": 1, "log": false }, "action": "pass" },
+ { "flow-limit": { "count": 1, "log": false }, "log": true },
+ {
+ "flow-limit": { "count": 1, "log": false },
+ "log": true,
+ "action": "pass"
+ },
+ { "flow-limit": 30 },
+ { "flow-limit": 30, "action": "pass" },
+ { "flow-limit": 30, "log": true },
+ { "flow-limit": { "count": 30, "log": false } },
+ { "flow-limit": { "count": 30, "log": false }, "action": "pass" },
+ { "flow-limit": { "count": 30, "log": false }, "log": true }
+ ]
+}
diff --git a/test/mandatory/filter.json b/test/mandatory/filter.json
new file mode 100644
index 0000000000000000000000000000000000000000..3918b9b130bf00fffcc6db1c7eac5687ffd1bbd4
--- /dev/null
+++ b/test/mandatory/filter.json
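Review bot: The count-30 cases stop short of the combinations the count-1 cases cover — there is no `{ "conn-limit": 30, "log": true, "action": "pass" }` and no `{ "conn-limit": { "count": 30, "log": false }, "log": true, "action": "pass" }` (and likewise for `flow-limit`). That gap matters because the dump in this same commit shows the two counts take different code paths (`-m recent` for 1, `-m hashlimit` for 30), so the log-plus-pass rule shape is only pinned for the recent path; adding those four entries would cover the hashlimit path too. Separately, every case relies on the default per-source granularity, which the dump renders as `--mask 255.255.255.255` / `--hashlimit-srcmask 128`; if the limit object accepts a prefix-length option, a case with an IPv6 prefix shorter than /128 is worth adding, since per-/128 limiting is easily sidestepped by a host that can rotate addresses within its /64.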
@@ -0,0 +1,10 @@
+{
+ "filter": [
+ {},
+ { "action": "accept" },
+ { "action": "drop" },
+ { "action": "pass" },
+ { "action": "reject" },
+ { "action": "tarpit" }
+ ]
+}
diff --git a/test/mandatory/log.json b/test/mandatory/log.json
new file mode 100644
index 0000000000000000000000000000000000000000..8dadc1b3281e6428ff5c89d213fd71f45ad84083
--- /dev/null
+++ b/test/mandatory/log.json
@@ -0,0 +1,13 @@
+{
+ "filter": [
+ {},
+ { "action": "drop" },
+ { "action": "pass" },
+ { "log": false },
+ { "log": false, "action": "drop" },
+ { "log": false, "action": "pass" },
+ { "log": true },
+ { "log": true, "action": "drop" },
+ { "log": true, "action": "pass" }
+ ]
+}
diff --git a/test/output/dump b/test/output/dump
index 69774bf3e426dd0b360a0e5c88e248add5744b25..0b51d7d883581eef665b724bb36f0ddc17d191b4 100644
--- a/test/output/dump
+++ b/test/output/dump
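Review bot: The fixture only exercises the accepted spellings of `action`; nothing here pins what happens to an unrecognised value such as `{ "action": "deny" }`, which is the failure mode that matters for a firewall rule (a typo that silently falls back to the default). The dump for this file shows `{}` and `{ "action": "accept" }` expanding to the same unconditional `-j ACCEPT` on FORWARD, INPUT and OUTPUT, so that default is accept-all. If the test harness has a place for expected-failure fixtures, a one-entry case with a misspelled action belongs there; if it does not, a short note in the test README stating that a bare `{}` rule is an accept-all on every chain would help anyone copying this file as a template.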
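Review bot: The `log: false` variants are only paired with `drop` and `pass`, so the un-logged `reject` and `tarpit` shapes are never pinned — filter.json covers those two actions only with default logging, where the dump routes them through `logreject-0`/`logtarpit-0`. Adding `{ "log": false, "action": "reject" }` and `{ "log": false, "action": "tarpit" }` would confirm they jump straight to REJECT/tarpit the way `{ "log": false, "action": "drop" }` goes straight to DROP in the dump (Filter 39). The three entries `{}`, `{ "action": "drop" }` and `{ "action": "pass" }` duplicate filter.json and produce identical output there; harmless, but dropping them would keep this fixture focused on the log flag.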
@@ -1,3 +1,653 @@ +Filter 1 {} +(filter) + inet/filter/FORWARD -j ACCEPT + inet6/filter/FORWARD -j ACCEPT + inet/filter/INPUT -j ACCEPT + inet6/filter/INPUT -j ACCEPT + inet/filter/OUTPUT -j ACCEPT + inet6/filter/OUTPUT -j ACCEPT + +Filter 2 {"action":"accept"} +(filter) + inet/filter/FORWARD -j ACCEPT + inet6/filter/FORWARD -j ACCEPT + inet/filter/INPUT -j ACCEPT + inet6/filter/INPUT -j ACCEPT + inet/filter/OUTPUT -j ACCEPT + inet6/filter/OUTPUT -j ACCEPT + +Filter 3 {"action":"drop"} +(filter) + inet/filter/FORWARD -j logdrop-0 + inet6/filter/FORWARD -j logdrop-0 + inet/filter/INPUT -j logdrop-0 + inet6/filter/INPUT -j logdrop-0 + inet/filter/OUTPUT -j logdrop-0 + inet6/filter/OUTPUT -j logdrop-0 + inet/filter/logdrop-0 -m limit --limit 1/second -j LOG + inet6/filter/logdrop-0 -m limit --limit 1/second -j LOG + inet/filter/logdrop-0 -j DROP + inet6/filter/logdrop-0 -j DROP + +Filter 4 {"action":"pass"} +(filter) + inet/filter/FORWARD + inet6/filter/FORWARD + inet/filter/INPUT + inet6/filter/INPUT + inet/filter/OUTPUT + inet6/filter/OUTPUT + +Filter 5 {"action":"reject"} +(filter) + inet/filter/FORWARD -j logreject-0 + inet6/filter/FORWARD -j logreject-0 + inet/filter/INPUT -j logreject-0 + inet6/filter/INPUT -j logreject-0 + inet/filter/OUTPUT -j logreject-0 + inet6/filter/OUTPUT -j logreject-0 + inet/filter/logreject-0 -m limit --limit 1/second -j LOG + inet6/filter/logreject-0 -m limit --limit 1/second -j LOG + inet/filter/logreject-0 -j REJECT + inet6/filter/logreject-0 -j REJECT + +Filter 6 {"action":"tarpit"} +(filter) + inet/filter/FORWARD -j logtarpit-0 + inet6/filter/FORWARD -j logtarpit-0 + inet/filter/INPUT -j logtarpit-0 + inet6/filter/INPUT -j logtarpit-0 + inet/filter/OUTPUT -j logtarpit-0 + inet6/filter/OUTPUT -j logtarpit-0 + inet/filter/logtarpit-0 -m limit --limit 1/second -j LOG + inet6/filter/logtarpit-0 -m limit --limit 1/second -j LOG + inet/filter/logtarpit-0 -j tarpit + inet6/filter/logtarpit-0 -j tarpit + inet/raw/PREROUTING -j CT 
--notrack + inet6/raw/PREROUTING -j CT --notrack + inet/raw/OUTPUT -j CT --notrack + inet6/raw/OUTPUT -j CT --notrack + +Filter 7 {"conn-limit":1} +(filter-limit) + inet/filter/FORWARD -j limit-0 + inet6/filter/FORWARD -j limit-0 + inet/filter/INPUT -j limit-0 + inet6/filter/INPUT -j limit-0 + inet/filter/OUTPUT -j limit-0 + inet6/filter/OUTPUT -j limit-0 + inet/filter/limit-0 -m recent --name limit-0 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-1 + inet6/filter/limit-0 -m recent --name limit-0 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-1 + inet/filter/logdrop-1 -m limit --limit 1/second -j LOG + inet6/filter/logdrop-1 -m limit --limit 1/second -j LOG + inet/filter/logdrop-1 -j DROP + inet6/filter/logdrop-1 -j DROP + inet/filter/limit-0 -m recent --name limit-0 --rsource --mask 255.255.255.255 --set -j ACCEPT + inet6/filter/limit-0 -m recent --name limit-0 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT + +Filter 8 {"action":"pass","conn-limit":1} +(filter-limit) + inet/filter/FORWARD -j limit-1 + inet6/filter/FORWARD -j limit-1 + inet/filter/INPUT -j limit-1 + inet6/filter/INPUT -j limit-1 + inet/filter/OUTPUT -j limit-1 + inet6/filter/OUTPUT -j limit-1 + inet/filter/limit-1 -m recent --name limit-1 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-2 + inet6/filter/limit-1 -m recent --name limit-1 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-2 + inet/filter/logdrop-2 -m limit --limit 1/second -j LOG + inet6/filter/logdrop-2 -m limit --limit 1/second -j LOG + inet/filter/logdrop-2 -j DROP + inet6/filter/logdrop-2 -j DROP + inet/filter/limit-1 -m recent --name limit-1 --rsource --mask 255.255.255.255 --set + inet6/filter/limit-1 -m recent --name limit-1 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set + +Filter 9 {"conn-limit":1,"log":true} 
+(filter-limit) + inet/filter/FORWARD -j limit-2 + inet6/filter/FORWARD -j limit-2 + inet/filter/INPUT -j limit-2 + inet6/filter/INPUT -j limit-2 + inet/filter/OUTPUT -j limit-2 + inet6/filter/OUTPUT -j limit-2 + inet/filter/limit-2 -m recent --name limit-2 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-3 + inet6/filter/limit-2 -m recent --name limit-2 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-3 + inet/filter/logdrop-3 -m limit --limit 1/second -j LOG + inet6/filter/logdrop-3 -m limit --limit 1/second -j LOG + inet/filter/logdrop-3 -j DROP + inet6/filter/logdrop-3 -j DROP + inet/filter/limit-2 -m limit --limit 1/second -j LOG + inet6/filter/limit-2 -m limit --limit 1/second -j LOG + inet/filter/limit-2 -m recent --name limit-2 --rsource --mask 255.255.255.255 --set -j ACCEPT + inet6/filter/limit-2 -m recent --name limit-2 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT + +Filter 10 {"action":"pass","conn-limit":1,"log":true} +(filter-limit) + inet/filter/FORWARD -j limit-3 + inet6/filter/FORWARD -j limit-3 + inet/filter/INPUT -j limit-3 + inet6/filter/INPUT -j limit-3 + inet/filter/OUTPUT -j limit-3 + inet6/filter/OUTPUT -j limit-3 + inet/filter/limit-3 -m recent --name limit-3 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-4 + inet6/filter/limit-3 -m recent --name limit-3 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-4 + inet/filter/logdrop-4 -m limit --limit 1/second -j LOG + inet6/filter/logdrop-4 -m limit --limit 1/second -j LOG + inet/filter/logdrop-4 -j DROP + inet6/filter/logdrop-4 -j DROP + inet/filter/limit-3 -m recent --name limit-3 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG + inet6/filter/limit-3 -m recent --name limit-3 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG + +Filter 
11 {"conn-limit":{"count":1,"log":false}} +(filter-limit) + inet/filter/FORWARD -j limit-4 + inet6/filter/FORWARD -j limit-4 + inet/filter/INPUT -j limit-4 + inet6/filter/INPUT -j limit-4 + inet/filter/OUTPUT -j limit-4 + inet6/filter/OUTPUT -j limit-4 + inet/filter/limit-4 -m recent --name limit-4 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP + inet6/filter/limit-4 -m recent --name limit-4 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP + inet/filter/limit-4 -m recent --name limit-4 --rsource --mask 255.255.255.255 --set -j ACCEPT + inet6/filter/limit-4 -m recent --name limit-4 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT + +Filter 12 {"action":"pass","conn-limit":{"count":1,"log":false}} +(filter-limit) + inet/filter/FORWARD -j limit-5 + inet6/filter/FORWARD -j limit-5 + inet/filter/INPUT -j limit-5 + inet6/filter/INPUT -j limit-5 + inet/filter/OUTPUT -j limit-5 + inet6/filter/OUTPUT -j limit-5 + inet/filter/limit-5 -m recent --name limit-5 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP + inet6/filter/limit-5 -m recent --name limit-5 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP + inet/filter/limit-5 -m recent --name limit-5 --rsource --mask 255.255.255.255 --set + inet6/filter/limit-5 -m recent --name limit-5 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set + +Filter 13 {"conn-limit":{"count":1,"log":false},"log":true} +(filter-limit) + inet/filter/FORWARD -j limit-6 + inet6/filter/FORWARD -j limit-6 + inet/filter/INPUT -j limit-6 + inet6/filter/INPUT -j limit-6 + inet/filter/OUTPUT -j limit-6 + inet6/filter/OUTPUT -j limit-6 + inet/filter/limit-6 -m recent --name limit-6 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP + inet6/filter/limit-6 -m recent --name limit-6 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update 
--hitcount 1 --seconds 1 -j DROP + inet/filter/limit-6 -m limit --limit 1/second -j LOG + inet6/filter/limit-6 -m limit --limit 1/second -j LOG + inet/filter/limit-6 -m recent --name limit-6 --rsource --mask 255.255.255.255 --set -j ACCEPT + inet6/filter/limit-6 -m recent --name limit-6 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT + +Filter 14 {"action":"pass","conn-limit":{"count":1,"log":false},"log":true} +(filter-limit) + inet/filter/FORWARD -j limit-7 + inet6/filter/FORWARD -j limit-7 + inet/filter/INPUT -j limit-7 + inet6/filter/INPUT -j limit-7 + inet/filter/OUTPUT -j limit-7 + inet6/filter/OUTPUT -j limit-7 + inet/filter/limit-7 -m recent --name limit-7 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP + inet6/filter/limit-7 -m recent --name limit-7 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP + inet/filter/limit-7 -m recent --name limit-7 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG + inet6/filter/limit-7 -m recent --name limit-7 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG + +Filter 15 {"conn-limit":30} +(filter-limit) + inet/filter/FORWARD -j limit-8 + inet6/filter/FORWARD -j limit-8 + inet/filter/INPUT -j limit-8 + inet6/filter/INPUT -j limit-8 + inet/filter/OUTPUT -j limit-8 + inet6/filter/OUTPUT -j limit-8 + inet/filter/limit-8 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-8 -j ACCEPT + inet6/filter/limit-8 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-8 -j ACCEPT + inet/filter/limit-8 -m limit --limit 1/second -j LOG + inet6/filter/limit-8 -m limit --limit 1/second -j LOG + inet/filter/limit-8 -j DROP + inet6/filter/limit-8 -j DROP + +Filter 16 {"action":"pass","conn-limit":30} +(filter-limit) + 
inet/filter/FORWARD -j limit-9 + inet6/filter/FORWARD -j limit-9 + inet/filter/INPUT -j limit-9 + inet6/filter/INPUT -j limit-9 + inet/filter/OUTPUT -j limit-9 + inet6/filter/OUTPUT -j limit-9 + inet/filter/limit-9 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-9 -j RETURN + inet6/filter/limit-9 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-9 -j RETURN + inet/filter/limit-9 -m limit --limit 1/second -j LOG + inet6/filter/limit-9 -m limit --limit 1/second -j LOG + inet/filter/limit-9 -j DROP + inet6/filter/limit-9 -j DROP + +Filter 17 {"conn-limit":30,"log":true} +(filter-limit) + inet/filter/FORWARD -j limit-10 + inet6/filter/FORWARD -j limit-10 + inet/filter/INPUT -j limit-10 + inet6/filter/INPUT -j limit-10 + inet/filter/OUTPUT -j limit-10 + inet6/filter/OUTPUT -j limit-10 + inet/filter/limit-10 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-10 -j logaccept-0 + inet6/filter/limit-10 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-10 -j logaccept-0 + inet/filter/logaccept-0 -m limit --limit 1/second -j LOG + inet6/filter/logaccept-0 -m limit --limit 1/second -j LOG + inet/filter/logaccept-0 -j ACCEPT + inet6/filter/logaccept-0 -j ACCEPT + inet/filter/limit-10 -m limit --limit 1/second -j LOG + inet6/filter/limit-10 -m limit --limit 1/second -j LOG + inet/filter/limit-10 -j DROP + inet6/filter/limit-10 -j DROP + +Filter 18 {"conn-limit":{"count":30,"log":false}} +(filter-limit) + inet/filter/FORWARD -j limit-11 + inet6/filter/FORWARD -j limit-11 + inet/filter/INPUT -j limit-11 + inet6/filter/INPUT -j limit-11 + inet/filter/OUTPUT -j limit-11 + inet6/filter/OUTPUT -j limit-11 + inet/filter/limit-11 -m hashlimit --hashlimit-upto 30/second 
--hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-11 -j ACCEPT + inet6/filter/limit-11 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-11 -j ACCEPT + inet/filter/limit-11 -j DROP + inet6/filter/limit-11 -j DROP + +Filter 19 {"action":"pass","conn-limit":{"count":30,"log":false}} +(filter-limit) + inet/filter/FORWARD -j limit-12 + inet6/filter/FORWARD -j limit-12 + inet/filter/INPUT -j limit-12 + inet6/filter/INPUT -j limit-12 + inet/filter/OUTPUT -j limit-12 + inet6/filter/OUTPUT -j limit-12 + inet/filter/limit-12 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-12 -j RETURN + inet6/filter/limit-12 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-12 -j RETURN + inet/filter/limit-12 -j DROP + inet6/filter/limit-12 -j DROP + +Filter 20 {"conn-limit":{"count":30,"log":false},"log":true} +(filter-limit) + inet/filter/FORWARD -j limit-13 + inet6/filter/FORWARD -j limit-13 + inet/filter/INPUT -j limit-13 + inet6/filter/INPUT -j limit-13 + inet/filter/OUTPUT -j limit-13 + inet6/filter/OUTPUT -j limit-13 + inet/filter/limit-13 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-13 -j logaccept-1 + inet6/filter/limit-13 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-13 -j logaccept-1 + inet/filter/logaccept-1 -m limit --limit 1/second -j LOG + inet6/filter/logaccept-1 -m limit --limit 1/second -j LOG + inet/filter/logaccept-1 -j ACCEPT + inet6/filter/logaccept-1 -j ACCEPT + inet/filter/limit-13 -j DROP + inet6/filter/limit-13 -j DROP + +Filter 21 {"flow-limit":1} +(filter-limit) + inet/filter/FORWARD -j limit-14 + inet6/filter/FORWARD 
-j limit-14 + inet/filter/INPUT -j limit-14 + inet6/filter/INPUT -j limit-14 + inet/filter/OUTPUT -j limit-14 + inet6/filter/OUTPUT -j limit-14 + inet/filter/limit-14 -m recent --name limit-14 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-5 + inet6/filter/limit-14 -m recent --name limit-14 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-5 + inet/filter/logdrop-5 -m limit --limit 1/second -j LOG + inet6/filter/logdrop-5 -m limit --limit 1/second -j LOG + inet/filter/logdrop-5 -j DROP + inet6/filter/logdrop-5 -j DROP + inet/filter/limit-14 -m recent --name limit-14 --rsource --mask 255.255.255.255 --set + inet6/filter/limit-14 -m recent --name limit-14 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set + inet/filter/FORWARD -j ACCEPT + inet6/filter/FORWARD -j ACCEPT + inet/filter/INPUT -j ACCEPT + inet6/filter/INPUT -j ACCEPT + inet/filter/OUTPUT -j ACCEPT + inet6/filter/OUTPUT -j ACCEPT + +Filter 22 {"action":"pass","flow-limit":1} +(filter-limit) + inet/filter/FORWARD -j limit-15 + inet6/filter/FORWARD -j limit-15 + inet/filter/INPUT -j limit-15 + inet6/filter/INPUT -j limit-15 + inet/filter/OUTPUT -j limit-15 + inet6/filter/OUTPUT -j limit-15 + inet/filter/limit-15 -m recent --name limit-15 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-6 + inet6/filter/limit-15 -m recent --name limit-15 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-6 + inet/filter/logdrop-6 -m limit --limit 1/second -j LOG + inet6/filter/logdrop-6 -m limit --limit 1/second -j LOG + inet/filter/logdrop-6 -j DROP + inet6/filter/logdrop-6 -j DROP + inet/filter/limit-15 -m recent --name limit-15 --rsource --mask 255.255.255.255 --set + inet6/filter/limit-15 -m recent --name limit-15 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set + +Filter 23 {"flow-limit":1,"log":true} +(filter-limit) + 
inet/filter/FORWARD -j limit-16 + inet6/filter/FORWARD -j limit-16 + inet/filter/INPUT -j limit-16 + inet6/filter/INPUT -j limit-16 + inet/filter/OUTPUT -j limit-16 + inet6/filter/OUTPUT -j limit-16 + inet/filter/limit-16 -m recent --name limit-16 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-7 + inet6/filter/limit-16 -m recent --name limit-16 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-7 + inet/filter/logdrop-7 -m limit --limit 1/second -j LOG + inet6/filter/logdrop-7 -m limit --limit 1/second -j LOG + inet/filter/logdrop-7 -j DROP + inet6/filter/logdrop-7 -j DROP + inet/filter/limit-16 -m recent --name limit-16 --rsource --mask 255.255.255.255 --set + inet6/filter/limit-16 -m recent --name limit-16 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set + inet/filter/FORWARD -j logaccept-final-0 + inet6/filter/FORWARD -j logaccept-final-0 + inet/filter/INPUT -j logaccept-final-0 + inet6/filter/INPUT -j logaccept-final-0 + inet/filter/OUTPUT -j logaccept-final-0 + inet6/filter/OUTPUT -j logaccept-final-0 + inet/filter/logaccept-final-0 -m limit --limit 1/second -j LOG + inet6/filter/logaccept-final-0 -m limit --limit 1/second -j LOG + inet/filter/logaccept-final-0 -j ACCEPT + inet6/filter/logaccept-final-0 -j ACCEPT + +Filter 24 {"action":"pass","flow-limit":1,"log":true} +(filter-limit) + inet/filter/FORWARD -j limit-17 + inet6/filter/FORWARD -j limit-17 + inet/filter/INPUT -j limit-17 + inet6/filter/INPUT -j limit-17 + inet/filter/OUTPUT -j limit-17 + inet6/filter/OUTPUT -j limit-17 + inet/filter/limit-17 -m recent --name limit-17 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-8 + inet6/filter/limit-17 -m recent --name limit-17 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-8 + inet/filter/logdrop-8 -m limit --limit 1/second -j LOG + inet6/filter/logdrop-8 -m limit --limit 1/second 
-j LOG + inet/filter/logdrop-8 -j DROP + inet6/filter/logdrop-8 -j DROP + inet/filter/limit-17 -m recent --name limit-17 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG + inet6/filter/limit-17 -m recent --name limit-17 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG + +Filter 25 {"flow-limit":{"count":1,"log":false}} +(filter-limit) + inet/filter/FORWARD -j limit-18 + inet6/filter/FORWARD -j limit-18 + inet/filter/INPUT -j limit-18 + inet6/filter/INPUT -j limit-18 + inet/filter/OUTPUT -j limit-18 + inet6/filter/OUTPUT -j limit-18 + inet/filter/limit-18 -m recent --name limit-18 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP + inet6/filter/limit-18 -m recent --name limit-18 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP + inet/filter/limit-18 -m recent --name limit-18 --rsource --mask 255.255.255.255 --set + inet6/filter/limit-18 -m recent --name limit-18 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set + inet/filter/FORWARD -j ACCEPT + inet6/filter/FORWARD -j ACCEPT + inet/filter/INPUT -j ACCEPT + inet6/filter/INPUT -j ACCEPT + inet/filter/OUTPUT -j ACCEPT + inet6/filter/OUTPUT -j ACCEPT + +Filter 26 {"action":"pass","flow-limit":{"count":1,"log":false}} +(filter-limit) + inet/filter/FORWARD -j limit-19 + inet6/filter/FORWARD -j limit-19 + inet/filter/INPUT -j limit-19 + inet6/filter/INPUT -j limit-19 + inet/filter/OUTPUT -j limit-19 + inet6/filter/OUTPUT -j limit-19 + inet/filter/limit-19 -m recent --name limit-19 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP + inet6/filter/limit-19 -m recent --name limit-19 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP + inet/filter/limit-19 -m recent --name limit-19 --rsource --mask 255.255.255.255 --set + inet6/filter/limit-19 -m recent --name limit-19 --rsource --mask 
ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set + +Filter 27 {"flow-limit":{"count":1,"log":false},"log":true} +(filter-limit) + inet/filter/FORWARD -j limit-20 + inet6/filter/FORWARD -j limit-20 + inet/filter/INPUT -j limit-20 + inet6/filter/INPUT -j limit-20 + inet/filter/OUTPUT -j limit-20 + inet6/filter/OUTPUT -j limit-20 + inet/filter/limit-20 -m recent --name limit-20 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP + inet6/filter/limit-20 -m recent --name limit-20 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP + inet/filter/limit-20 -m recent --name limit-20 --rsource --mask 255.255.255.255 --set + inet6/filter/limit-20 -m recent --name limit-20 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set + inet/filter/FORWARD -j logaccept-final-1 + inet6/filter/FORWARD -j logaccept-final-1 + inet/filter/INPUT -j logaccept-final-1 + inet6/filter/INPUT -j logaccept-final-1 + inet/filter/OUTPUT -j logaccept-final-1 + inet6/filter/OUTPUT -j logaccept-final-1 + inet/filter/logaccept-final-1 -m limit --limit 1/second -j LOG + inet6/filter/logaccept-final-1 -m limit --limit 1/second -j LOG + inet/filter/logaccept-final-1 -j ACCEPT + inet6/filter/logaccept-final-1 -j ACCEPT + +Filter 28 {"action":"pass","flow-limit":{"count":1,"log":false},"log":true} +(filter-limit) + inet/filter/FORWARD -j limit-21 + inet6/filter/FORWARD -j limit-21 + inet/filter/INPUT -j limit-21 + inet6/filter/INPUT -j limit-21 + inet/filter/OUTPUT -j limit-21 + inet6/filter/OUTPUT -j limit-21 + inet/filter/limit-21 -m recent --name limit-21 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP + inet6/filter/limit-21 -m recent --name limit-21 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP + inet/filter/limit-21 -m recent --name limit-21 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG + inet6/filter/limit-21 -m recent 
--name limit-21 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG + +Filter 29 {"flow-limit":30} +(filter-limit) + inet/filter/FORWARD -j limit-22 + inet6/filter/FORWARD -j limit-22 + inet/filter/INPUT -j limit-22 + inet6/filter/INPUT -j limit-22 + inet/filter/OUTPUT -j limit-22 + inet6/filter/OUTPUT -j limit-22 + inet/filter/limit-22 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-22 -j RETURN + inet6/filter/limit-22 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-22 -j RETURN + inet/filter/limit-22 -m limit --limit 1/second -j LOG + inet6/filter/limit-22 -m limit --limit 1/second -j LOG + inet/filter/limit-22 -j DROP + inet6/filter/limit-22 -j DROP + inet/filter/FORWARD -j ACCEPT + inet6/filter/FORWARD -j ACCEPT + inet/filter/INPUT -j ACCEPT + inet6/filter/INPUT -j ACCEPT + inet/filter/OUTPUT -j ACCEPT + inet6/filter/OUTPUT -j ACCEPT + +Filter 30 {"action":"pass","flow-limit":30} +(filter-limit) + inet/filter/FORWARD -j limit-23 + inet6/filter/FORWARD -j limit-23 + inet/filter/INPUT -j limit-23 + inet6/filter/INPUT -j limit-23 + inet/filter/OUTPUT -j limit-23 + inet6/filter/OUTPUT -j limit-23 + inet/filter/limit-23 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-23 -j RETURN + inet6/filter/limit-23 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-23 -j RETURN + inet/filter/limit-23 -m limit --limit 1/second -j LOG + inet6/filter/limit-23 -m limit --limit 1/second -j LOG + inet/filter/limit-23 -j DROP + inet6/filter/limit-23 -j DROP + +Filter 31 {"flow-limit":30,"log":true} +(filter-limit) + inet/filter/FORWARD -j limit-24 + inet6/filter/FORWARD -j limit-24 + inet/filter/INPUT -j limit-24 + 
inet6/filter/INPUT -j limit-24 + inet/filter/OUTPUT -j limit-24 + inet6/filter/OUTPUT -j limit-24 + inet/filter/limit-24 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-24 -j RETURN + inet6/filter/limit-24 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-24 -j RETURN + inet/filter/limit-24 -m limit --limit 1/second -j LOG + inet6/filter/limit-24 -m limit --limit 1/second -j LOG + inet/filter/limit-24 -j DROP + inet6/filter/limit-24 -j DROP + inet/filter/FORWARD -j logaccept-final-2 + inet6/filter/FORWARD -j logaccept-final-2 + inet/filter/INPUT -j logaccept-final-2 + inet6/filter/INPUT -j logaccept-final-2 + inet/filter/OUTPUT -j logaccept-final-2 + inet6/filter/OUTPUT -j logaccept-final-2 + inet/filter/logaccept-final-2 -m limit --limit 1/second -j LOG + inet6/filter/logaccept-final-2 -m limit --limit 1/second -j LOG + inet/filter/logaccept-final-2 -j ACCEPT + inet6/filter/logaccept-final-2 -j ACCEPT + +Filter 32 {"flow-limit":{"count":30,"log":false}} +(filter-limit) + inet/filter/FORWARD -j limit-25 + inet6/filter/FORWARD -j limit-25 + inet/filter/INPUT -j limit-25 + inet6/filter/INPUT -j limit-25 + inet/filter/OUTPUT -j limit-25 + inet6/filter/OUTPUT -j limit-25 + inet/filter/limit-25 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-25 -j RETURN + inet6/filter/limit-25 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-25 -j RETURN + inet/filter/limit-25 -j DROP + inet6/filter/limit-25 -j DROP + inet/filter/FORWARD -j ACCEPT + inet6/filter/FORWARD -j ACCEPT + inet/filter/INPUT -j ACCEPT + inet6/filter/INPUT -j ACCEPT + inet/filter/OUTPUT -j ACCEPT + inet6/filter/OUTPUT -j ACCEPT + +Filter 33 
{"action":"pass","flow-limit":{"count":30,"log":false}} +(filter-limit) + inet/filter/FORWARD -j limit-26 + inet6/filter/FORWARD -j limit-26 + inet/filter/INPUT -j limit-26 + inet6/filter/INPUT -j limit-26 + inet/filter/OUTPUT -j limit-26 + inet6/filter/OUTPUT -j limit-26 + inet/filter/limit-26 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-26 -j RETURN + inet6/filter/limit-26 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-26 -j RETURN + inet/filter/limit-26 -j DROP + inet6/filter/limit-26 -j DROP + +Filter 34 {"flow-limit":{"count":30,"log":false},"log":true} +(filter-limit) + inet/filter/FORWARD -j limit-27 + inet6/filter/FORWARD -j limit-27 + inet/filter/INPUT -j limit-27 + inet6/filter/INPUT -j limit-27 + inet/filter/OUTPUT -j limit-27 + inet6/filter/OUTPUT -j limit-27 + inet/filter/limit-27 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-27 -j RETURN + inet6/filter/limit-27 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-27 -j RETURN + inet/filter/limit-27 -j DROP + inet6/filter/limit-27 -j DROP + inet/filter/FORWARD -j logaccept-final-3 + inet6/filter/FORWARD -j logaccept-final-3 + inet/filter/INPUT -j logaccept-final-3 + inet6/filter/INPUT -j logaccept-final-3 + inet/filter/OUTPUT -j logaccept-final-3 + inet6/filter/OUTPUT -j logaccept-final-3 + inet/filter/logaccept-final-3 -m limit --limit 1/second -j LOG + inet6/filter/logaccept-final-3 -m limit --limit 1/second -j LOG + inet/filter/logaccept-final-3 -j ACCEPT + inet6/filter/logaccept-final-3 -j ACCEPT + +Filter 35 {} +(log) + inet/filter/FORWARD -j ACCEPT + inet6/filter/FORWARD -j ACCEPT + inet/filter/INPUT -j ACCEPT + inet6/filter/INPUT -j ACCEPT + inet/filter/OUTPUT -j ACCEPT 
+ inet6/filter/OUTPUT -j ACCEPT + +Filter 36 {"action":"drop"} +(log) + inet/filter/FORWARD -j logdrop-9 + inet6/filter/FORWARD -j logdrop-9 + inet/filter/INPUT -j logdrop-9 + inet6/filter/INPUT -j logdrop-9 + inet/filter/OUTPUT -j logdrop-9 + inet6/filter/OUTPUT -j logdrop-9 + inet/filter/logdrop-9 -m limit --limit 1/second -j LOG + inet6/filter/logdrop-9 -m limit --limit 1/second -j LOG + inet/filter/logdrop-9 -j DROP + inet6/filter/logdrop-9 -j DROP + +Filter 37 {"action":"pass"} +(log) + inet/filter/FORWARD + inet6/filter/FORWARD + inet/filter/INPUT + inet6/filter/INPUT + inet/filter/OUTPUT + inet6/filter/OUTPUT + +Filter 38 {"log":false} +(log) + inet/filter/FORWARD -j ACCEPT + inet6/filter/FORWARD -j ACCEPT + inet/filter/INPUT -j ACCEPT + inet6/filter/INPUT -j ACCEPT + inet/filter/OUTPUT -j ACCEPT + inet6/filter/OUTPUT -j ACCEPT + +Filter 39 {"action":"drop","log":false} +(log) + inet/filter/FORWARD -j DROP + inet6/filter/FORWARD -j DROP + inet/filter/INPUT -j DROP + inet6/filter/INPUT -j DROP + inet/filter/OUTPUT -j DROP + inet6/filter/OUTPUT -j DROP + +Filter 40 {"action":"pass","log":false} +(log) + inet/filter/FORWARD + inet6/filter/FORWARD + inet/filter/INPUT + inet6/filter/INPUT + inet/filter/OUTPUT + inet6/filter/OUTPUT + +Filter 41 {"log":true} +(log) + inet/filter/FORWARD -j logaccept-2 + inet6/filter/FORWARD -j logaccept-2 + inet/filter/INPUT -j logaccept-2 + inet6/filter/INPUT -j logaccept-2 + inet/filter/OUTPUT -j logaccept-2 + inet6/filter/OUTPUT -j logaccept-2 + inet/filter/logaccept-2 -m limit --limit 1/second -j LOG + inet6/filter/logaccept-2 -m limit --limit 1/second -j LOG + inet/filter/logaccept-2 -j ACCEPT + inet6/filter/logaccept-2 -j ACCEPT + +Filter 42 {"action":"drop","log":true} +(log) + inet/filter/FORWARD -j logdrop-10 + inet6/filter/FORWARD -j logdrop-10 + inet/filter/INPUT -j logdrop-10 + inet6/filter/INPUT -j logdrop-10 + inet/filter/OUTPUT -j logdrop-10 + inet6/filter/OUTPUT -j logdrop-10 + inet/filter/logdrop-10 -m limit 
--limit 1/second -j LOG + inet6/filter/logdrop-10 -m limit --limit 1/second -j LOG + inet/filter/logdrop-10 -j DROP + inet6/filter/logdrop-10 -j DROP + +Filter 43 {"action":"pass","log":true} +(log) + inet/filter/FORWARD -j logpass-0 + inet6/filter/FORWARD -j logpass-0 + inet/filter/INPUT -j logpass-0 + inet6/filter/INPUT -j logpass-0 + inet/filter/OUTPUT -j logpass-0 + inet6/filter/OUTPUT -j logpass-0 + inet/filter/logpass-0 -m limit --limit 1/second -j LOG + inet6/filter/logpass-0 -m limit --limit 1/second -j LOG + + Ipset awall-masquerade {"family":"inet","type":"hash:net"} (masquerade) 
@@ -198,17 +848,327 @@ hash:net family inet :INPUT DROP [0:0] :OUTPUT DROP [0:0] :icmp-routing - [0:0] +:limit-0 - [0:0] +:limit-1 - [0:0] +:limit-10 - [0:0] +:limit-11 - [0:0] +:limit-12 - [0:0] +:limit-13 - [0:0] +:limit-14 - [0:0] +:limit-15 - [0:0] +:limit-16 - [0:0] +:limit-17 - [0:0] +:limit-18 - [0:0] +:limit-19 - [0:0] +:limit-2 - [0:0] +:limit-20 - [0:0] +:limit-21 - [0:0] +:limit-22 - [0:0] +:limit-23 - [0:0] +:limit-24 - [0:0] +:limit-25 - [0:0] +:limit-26 - [0:0] +:limit-27 - [0:0] +:limit-3 - [0:0] +:limit-4 - [0:0] +:limit-5 - [0:0] +:limit-6 - [0:0] +:limit-7 - [0:0] +:limit-8 - [0:0] +:limit-9 - [0:0] +:logaccept-0 - [0:0] +:logaccept-1 - [0:0] +:logaccept-2 - [0:0] +:logaccept-final-0 - [0:0] +:logaccept-final-1 - [0:0] +:logaccept-final-2 - [0:0] +:logaccept-final-3 - [0:0] +:logdrop-0 - [0:0] +:logdrop-1 - [0:0] +:logdrop-10 - [0:0] +:logdrop-2 - [0:0] +:logdrop-3 - [0:0] +:logdrop-4 - [0:0] +:logdrop-5 - [0:0] +:logdrop-6 - [0:0] +:logdrop-7 - [0:0] +:logdrop-8 - [0:0] +:logdrop-9 - [0:0] +:logpass-0 - [0:0] +:logreject-0 - [0:0] +:logtarpit-0 - [0:0] +:tarpit - [0:0] +-A FORWARD -j limit-27 +-A FORWARD -j limit-26 +-A FORWARD -j limit-25 +-A FORWARD -j limit-24 +-A FORWARD -j limit-23 +-A FORWARD -j limit-22 +-A FORWARD -j limit-21 +-A FORWARD -j limit-20 +-A FORWARD -j limit-19 +-A FORWARD -j limit-18 +-A FORWARD -j limit-17 +-A FORWARD -j limit-16 +-A FORWARD -j limit-15 +-A FORWARD -j limit-14 -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT +-A FORWARD -j ACCEPT +-A FORWARD -j ACCEPT +-A FORWARD -j logdrop-0 +-A FORWARD +-A FORWARD -j logreject-0 +-A FORWARD -j logtarpit-0 +-A FORWARD -j limit-0 +-A FORWARD -j limit-1 +-A FORWARD -j limit-2 +-A FORWARD -j limit-3 +-A FORWARD -j limit-4 +-A FORWARD -j limit-5 +-A FORWARD -j limit-6 +-A FORWARD -j limit-7 +-A FORWARD -j limit-8 +-A FORWARD -j limit-9 +-A FORWARD -j limit-10 +-A FORWARD -j limit-11 +-A FORWARD -j limit-12 +-A FORWARD -j limit-13 +-A FORWARD -j ACCEPT +-A FORWARD -j 
logaccept-final-0 +-A FORWARD -j ACCEPT +-A FORWARD -j logaccept-final-1 +-A FORWARD -j ACCEPT +-A FORWARD -j logaccept-final-2 +-A FORWARD -j ACCEPT +-A FORWARD -j logaccept-final-3 +-A FORWARD -j ACCEPT +-A FORWARD -j logdrop-9 +-A FORWARD +-A FORWARD -j ACCEPT +-A FORWARD -j DROP +-A FORWARD +-A FORWARD -j logaccept-2 +-A FORWARD -j logdrop-10 +-A FORWARD -j logpass-0 -A FORWARD -p icmp -j icmp-routing +-A INPUT -j limit-27 +-A INPUT -j limit-26 +-A INPUT -j limit-25 +-A INPUT -j limit-24 +-A INPUT -j limit-23 +-A INPUT -j limit-22 +-A INPUT -j limit-21 +-A INPUT -j limit-20 +-A INPUT -j limit-19 +-A INPUT -j limit-18 +-A INPUT -j limit-17 +-A INPUT -j limit-16 +-A INPUT -j limit-15 +-A INPUT -j limit-14 -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT +-A INPUT -j ACCEPT +-A INPUT -j ACCEPT +-A INPUT -j logdrop-0 +-A INPUT +-A INPUT -j logreject-0 +-A INPUT -j logtarpit-0 +-A INPUT -j limit-0 +-A INPUT -j limit-1 +-A INPUT -j limit-2 +-A INPUT -j limit-3 +-A INPUT -j limit-4 +-A INPUT -j limit-5 +-A INPUT -j limit-6 +-A INPUT -j limit-7 +-A INPUT -j limit-8 +-A INPUT -j limit-9 +-A INPUT -j limit-10 +-A INPUT -j limit-11 +-A INPUT -j limit-12 +-A INPUT -j limit-13 +-A INPUT -j ACCEPT +-A INPUT -j logaccept-final-0 +-A INPUT -j ACCEPT +-A INPUT -j logaccept-final-1 +-A INPUT -j ACCEPT +-A INPUT -j logaccept-final-2 +-A INPUT -j ACCEPT +-A INPUT -j logaccept-final-3 +-A INPUT -j ACCEPT +-A INPUT -j logdrop-9 +-A INPUT +-A INPUT -j ACCEPT +-A INPUT -j DROP +-A INPUT +-A INPUT -j logaccept-2 +-A INPUT -j logdrop-10 +-A INPUT -j logpass-0 -A INPUT -p icmp -j icmp-routing +-A OUTPUT -j limit-27 +-A OUTPUT -j limit-26 +-A OUTPUT -j limit-25 +-A OUTPUT -j limit-24 +-A OUTPUT -j limit-23 +-A OUTPUT -j limit-22 +-A OUTPUT -j limit-21 +-A OUTPUT -j limit-20 +-A OUTPUT -j limit-19 +-A OUTPUT -j limit-18 +-A OUTPUT -j limit-17 +-A OUTPUT -j limit-16 +-A OUTPUT -j limit-15 +-A OUTPUT -j limit-14 -A OUTPUT -m conntrack --ctstate ESTABLISHED -j 
ACCEPT -A OUTPUT -o lo -j ACCEPT +-A OUTPUT -j ACCEPT +-A OUTPUT -j ACCEPT +-A OUTPUT -j logdrop-0 +-A OUTPUT +-A OUTPUT -j logreject-0 +-A OUTPUT -j logtarpit-0 +-A OUTPUT -j limit-0 +-A OUTPUT -j limit-1 +-A OUTPUT -j limit-2 +-A OUTPUT -j limit-3 +-A OUTPUT -j limit-4 +-A OUTPUT -j limit-5 +-A OUTPUT -j limit-6 +-A OUTPUT -j limit-7 +-A OUTPUT -j limit-8 +-A OUTPUT -j limit-9 +-A OUTPUT -j limit-10 +-A OUTPUT -j limit-11 +-A OUTPUT -j limit-12 +-A OUTPUT -j limit-13 +-A OUTPUT -j ACCEPT +-A OUTPUT -j logaccept-final-0 +-A OUTPUT -j ACCEPT +-A OUTPUT -j logaccept-final-1 +-A OUTPUT -j ACCEPT +-A OUTPUT -j logaccept-final-2 +-A OUTPUT -j ACCEPT +-A OUTPUT -j logaccept-final-3 +-A OUTPUT -j ACCEPT +-A OUTPUT -j logdrop-9 +-A OUTPUT +-A OUTPUT -j ACCEPT +-A OUTPUT -j DROP +-A OUTPUT +-A OUTPUT -j logaccept-2 +-A OUTPUT -j logdrop-10 +-A OUTPUT -j logpass-0 -A OUTPUT -p icmp -j icmp-routing -A icmp-routing -p icmp --icmp-type 3 -j ACCEPT -A icmp-routing -p icmp --icmp-type 11 -j ACCEPT -A icmp-routing -p icmp --icmp-type 12 -j ACCEPT +-A limit-0 -m recent --name limit-0 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-1 +-A limit-0 -m recent --name limit-0 --rsource --mask 255.255.255.255 --set -j ACCEPT +-A limit-1 -m recent --name limit-1 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-2 +-A limit-1 -m recent --name limit-1 --rsource --mask 255.255.255.255 --set +-A limit-10 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-10 -j logaccept-0 +-A limit-10 -m limit --limit 1/second -j LOG +-A limit-10 -j DROP +-A limit-11 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-11 -j ACCEPT +-A limit-11 -j DROP +-A limit-12 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-12 -j 
RETURN +-A limit-12 -j DROP +-A limit-13 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-13 -j logaccept-1 +-A limit-13 -j DROP +-A limit-14 -m recent --name limit-14 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-5 +-A limit-14 -m recent --name limit-14 --rsource --mask 255.255.255.255 --set +-A limit-15 -m recent --name limit-15 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-6 +-A limit-15 -m recent --name limit-15 --rsource --mask 255.255.255.255 --set +-A limit-16 -m recent --name limit-16 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-7 +-A limit-16 -m recent --name limit-16 --rsource --mask 255.255.255.255 --set +-A limit-17 -m recent --name limit-17 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-8 +-A limit-17 -m recent --name limit-17 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG +-A limit-18 -m recent --name limit-18 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP +-A limit-18 -m recent --name limit-18 --rsource --mask 255.255.255.255 --set +-A limit-19 -m recent --name limit-19 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP +-A limit-19 -m recent --name limit-19 --rsource --mask 255.255.255.255 --set +-A limit-2 -m recent --name limit-2 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-3 +-A limit-2 -m limit --limit 1/second -j LOG +-A limit-2 -m recent --name limit-2 --rsource --mask 255.255.255.255 --set -j ACCEPT +-A limit-20 -m recent --name limit-20 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP +-A limit-20 -m recent --name limit-20 --rsource --mask 255.255.255.255 --set +-A limit-21 -m recent --name limit-21 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP +-A limit-21 -m recent --name 
limit-21 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG +-A limit-22 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-22 -j RETURN +-A limit-22 -m limit --limit 1/second -j LOG +-A limit-22 -j DROP +-A limit-23 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-23 -j RETURN +-A limit-23 -m limit --limit 1/second -j LOG +-A limit-23 -j DROP +-A limit-24 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-24 -j RETURN +-A limit-24 -m limit --limit 1/second -j LOG +-A limit-24 -j DROP +-A limit-25 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-25 -j RETURN +-A limit-25 -j DROP +-A limit-26 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-26 -j RETURN +-A limit-26 -j DROP +-A limit-27 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-27 -j RETURN +-A limit-27 -j DROP +-A limit-3 -m recent --name limit-3 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-4 +-A limit-3 -m recent --name limit-3 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG +-A limit-4 -m recent --name limit-4 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP +-A limit-4 -m recent --name limit-4 --rsource --mask 255.255.255.255 --set -j ACCEPT +-A limit-5 -m recent --name limit-5 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP +-A limit-5 -m recent --name limit-5 --rsource --mask 255.255.255.255 --set +-A limit-6 -m recent --name limit-6 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j 
DROP +-A limit-6 -m limit --limit 1/second -j LOG +-A limit-6 -m recent --name limit-6 --rsource --mask 255.255.255.255 --set -j ACCEPT +-A limit-7 -m recent --name limit-7 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP +-A limit-7 -m recent --name limit-7 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG +-A limit-8 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-8 -j ACCEPT +-A limit-8 -m limit --limit 1/second -j LOG +-A limit-8 -j DROP +-A limit-9 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-9 -j RETURN +-A limit-9 -m limit --limit 1/second -j LOG +-A limit-9 -j DROP +-A logaccept-0 -m limit --limit 1/second -j LOG +-A logaccept-0 -j ACCEPT +-A logaccept-1 -m limit --limit 1/second -j LOG +-A logaccept-1 -j ACCEPT +-A logaccept-2 -m limit --limit 1/second -j LOG +-A logaccept-2 -j ACCEPT +-A logaccept-final-0 -m limit --limit 1/second -j LOG +-A logaccept-final-0 -j ACCEPT +-A logaccept-final-1 -m limit --limit 1/second -j LOG +-A logaccept-final-1 -j ACCEPT +-A logaccept-final-2 -m limit --limit 1/second -j LOG +-A logaccept-final-2 -j ACCEPT +-A logaccept-final-3 -m limit --limit 1/second -j LOG +-A logaccept-final-3 -j ACCEPT +-A logdrop-0 -m limit --limit 1/second -j LOG +-A logdrop-0 -j DROP +-A logdrop-1 -m limit --limit 1/second -j LOG +-A logdrop-1 -j DROP +-A logdrop-10 -m limit --limit 1/second -j LOG +-A logdrop-10 -j DROP +-A logdrop-2 -m limit --limit 1/second -j LOG +-A logdrop-2 -j DROP +-A logdrop-3 -m limit --limit 1/second -j LOG +-A logdrop-3 -j DROP +-A logdrop-4 -m limit --limit 1/second -j LOG +-A logdrop-4 -j DROP +-A logdrop-5 -m limit --limit 1/second -j LOG +-A logdrop-5 -j DROP +-A logdrop-6 -m limit --limit 1/second -j LOG +-A logdrop-6 -j DROP +-A logdrop-7 -m limit --limit 1/second -j LOG +-A logdrop-7 -j DROP +-A 
logdrop-8 -m limit --limit 1/second -j LOG +-A logdrop-8 -j DROP +-A logdrop-9 -m limit --limit 1/second -j LOG +-A logdrop-9 -j DROP +-A logpass-0 -m limit --limit 1/second -j LOG +-A logreject-0 -m limit --limit 1/second -j LOG +-A logreject-0 -j REJECT +-A logtarpit-0 -m limit --limit 1/second -j LOG +-A logtarpit-0 -j tarpit +-A tarpit -p tcp -j TARPIT +-A tarpit -j DROP COMMIT *nat :POSTROUTING ACCEPT [0:0] @@ -216,6 +1176,12 @@ COMMIT -A POSTROUTING -m set --match-set awall-masquerade src -j awall-masquerade -A awall-masquerade -m set ! --match-set awall-masquerade dst -j MASQUERADE COMMIT +*raw +:OUTPUT ACCEPT [0:0] +:PREROUTING ACCEPT [0:0] +-A OUTPUT -j CT --notrack +-A PREROUTING -j CT --notrack +COMMIT # rules6-save generated by awall *filter 
@@ -223,17 +1189,333 @@ COMMIT :INPUT DROP [0:0] :OUTPUT DROP [0:0] :icmp-routing - [0:0] +:limit-0 - [0:0] +:limit-1 - [0:0] +:limit-10 - [0:0] +:limit-11 - [0:0] +:limit-12 - [0:0] +:limit-13 - [0:0] +:limit-14 - [0:0] +:limit-15 - [0:0] +:limit-16 - [0:0] +:limit-17 - [0:0] +:limit-18 - [0:0] +:limit-19 - [0:0] +:limit-2 - [0:0] +:limit-20 - [0:0] +:limit-21 - [0:0] +:limit-22 - [0:0] +:limit-23 - [0:0] +:limit-24 - [0:0] +:limit-25 - [0:0] +:limit-26 - [0:0] +:limit-27 - [0:0] +:limit-3 - [0:0] +:limit-4 - [0:0] +:limit-5 - [0:0] +:limit-6 - [0:0] +:limit-7 - [0:0] +:limit-8 - [0:0] +:limit-9 - [0:0] +:logaccept-0 - [0:0] +:logaccept-1 - [0:0] +:logaccept-2 - [0:0] +:logaccept-final-0 - [0:0] +:logaccept-final-1 - [0:0] +:logaccept-final-2 - [0:0] +:logaccept-final-3 - [0:0] +:logdrop-0 - [0:0] +:logdrop-1 - [0:0] +:logdrop-10 - [0:0] +:logdrop-2 - [0:0] +:logdrop-3 - [0:0] +:logdrop-4 - [0:0] +:logdrop-5 - [0:0] +:logdrop-6 - [0:0] +:logdrop-7 - [0:0] +:logdrop-8 - [0:0] +:logdrop-9 - [0:0] +:logpass-0 - [0:0] +:logreject-0 - [0:0] +:logtarpit-0 - [0:0] +:tarpit - [0:0] +-A FORWARD -j limit-27 +-A FORWARD -j limit-26 +-A FORWARD -j limit-25 +-A FORWARD -j limit-24 +-A FORWARD -j limit-23 +-A FORWARD -j limit-22 +-A FORWARD -j limit-21 +-A FORWARD -j limit-20 +-A FORWARD -j limit-19 +-A FORWARD -j limit-18 +-A FORWARD -j limit-17 +-A FORWARD -j limit-16 +-A FORWARD -j limit-15 +-A FORWARD -j limit-14 -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT +-A FORWARD -j ACCEPT +-A FORWARD -j ACCEPT +-A FORWARD -j logdrop-0 +-A FORWARD +-A FORWARD -j logreject-0 +-A FORWARD -j logtarpit-0 +-A FORWARD -j limit-0 +-A FORWARD -j limit-1 +-A FORWARD -j limit-2 +-A FORWARD -j limit-3 +-A FORWARD -j limit-4 +-A FORWARD -j limit-5 +-A FORWARD -j limit-6 +-A FORWARD -j limit-7 +-A FORWARD -j limit-8 +-A FORWARD -j limit-9 +-A FORWARD -j limit-10 +-A FORWARD -j limit-11 +-A FORWARD -j limit-12 +-A FORWARD -j limit-13 +-A FORWARD -j ACCEPT +-A FORWARD -j logaccept-final-0 
+-A FORWARD -j ACCEPT +-A FORWARD -j logaccept-final-1 +-A FORWARD -j ACCEPT +-A FORWARD -j logaccept-final-2 +-A FORWARD -j ACCEPT +-A FORWARD -j logaccept-final-3 +-A FORWARD -j ACCEPT +-A FORWARD -j logdrop-9 +-A FORWARD +-A FORWARD -j ACCEPT +-A FORWARD -j DROP +-A FORWARD +-A FORWARD -j logaccept-2 +-A FORWARD -j logdrop-10 +-A FORWARD -j logpass-0 -A FORWARD -p icmpv6 -j icmp-routing +-A INPUT -j limit-27 +-A INPUT -j limit-26 +-A INPUT -j limit-25 +-A INPUT -j limit-24 +-A INPUT -j limit-23 +-A INPUT -j limit-22 +-A INPUT -j limit-21 +-A INPUT -j limit-20 +-A INPUT -j limit-19 +-A INPUT -j limit-18 +-A INPUT -j limit-17 +-A INPUT -j limit-16 +-A INPUT -j limit-15 +-A INPUT -j limit-14 -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT +-A INPUT -j ACCEPT +-A INPUT -j ACCEPT +-A INPUT -j logdrop-0 +-A INPUT +-A INPUT -j logreject-0 +-A INPUT -j logtarpit-0 +-A INPUT -j limit-0 +-A INPUT -j limit-1 +-A INPUT -j limit-2 +-A INPUT -j limit-3 +-A INPUT -j limit-4 +-A INPUT -j limit-5 +-A INPUT -j limit-6 +-A INPUT -j limit-7 +-A INPUT -j limit-8 +-A INPUT -j limit-9 +-A INPUT -j limit-10 +-A INPUT -j limit-11 +-A INPUT -j limit-12 +-A INPUT -j limit-13 +-A INPUT -j ACCEPT +-A INPUT -j logaccept-final-0 +-A INPUT -j ACCEPT +-A INPUT -j logaccept-final-1 +-A INPUT -j ACCEPT +-A INPUT -j logaccept-final-2 +-A INPUT -j ACCEPT +-A INPUT -j logaccept-final-3 +-A INPUT -j ACCEPT +-A INPUT -j logdrop-9 +-A INPUT +-A INPUT -j ACCEPT +-A INPUT -j DROP +-A INPUT +-A INPUT -j logaccept-2 +-A INPUT -j logdrop-10 +-A INPUT -j logpass-0 -A INPUT -p icmpv6 -j ACCEPT +-A OUTPUT -j limit-27 +-A OUTPUT -j limit-26 +-A OUTPUT -j limit-25 +-A OUTPUT -j limit-24 +-A OUTPUT -j limit-23 +-A OUTPUT -j limit-22 +-A OUTPUT -j limit-21 +-A OUTPUT -j limit-20 +-A OUTPUT -j limit-19 +-A OUTPUT -j limit-18 +-A OUTPUT -j limit-17 +-A OUTPUT -j limit-16 +-A OUTPUT -j limit-15 +-A OUTPUT -j limit-14 -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A OUTPUT -o lo 
-j ACCEPT +-A OUTPUT -j ACCEPT +-A OUTPUT -j ACCEPT +-A OUTPUT -j logdrop-0 +-A OUTPUT +-A OUTPUT -j logreject-0 +-A OUTPUT -j logtarpit-0 +-A OUTPUT -j limit-0 +-A OUTPUT -j limit-1 +-A OUTPUT -j limit-2 +-A OUTPUT -j limit-3 +-A OUTPUT -j limit-4 +-A OUTPUT -j limit-5 +-A OUTPUT -j limit-6 +-A OUTPUT -j limit-7 +-A OUTPUT -j limit-8 +-A OUTPUT -j limit-9 +-A OUTPUT -j limit-10 +-A OUTPUT -j limit-11 +-A OUTPUT -j limit-12 +-A OUTPUT -j limit-13 +-A OUTPUT -j ACCEPT +-A OUTPUT -j logaccept-final-0 +-A OUTPUT -j ACCEPT +-A OUTPUT -j logaccept-final-1 +-A OUTPUT -j ACCEPT +-A OUTPUT -j logaccept-final-2 +-A OUTPUT -j ACCEPT +-A OUTPUT -j logaccept-final-3 +-A OUTPUT -j ACCEPT +-A OUTPUT -j logdrop-9 +-A OUTPUT +-A OUTPUT -j ACCEPT +-A OUTPUT -j DROP +-A OUTPUT +-A OUTPUT -j logaccept-2 +-A OUTPUT -j logdrop-10 +-A OUTPUT -j logpass-0 -A OUTPUT -p icmpv6 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT +-A limit-0 -m recent --name limit-0 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-1 +-A limit-0 -m recent --name limit-0 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT +-A limit-1 -m recent --name limit-1 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-2 +-A limit-1 -m recent --name limit-1 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set +-A limit-10 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-10 -j logaccept-0 +-A limit-10 -m limit --limit 1/second -j LOG +-A limit-10 -j DROP +-A limit-11 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-11 -j ACCEPT +-A limit-11 -j DROP +-A limit-12 -m 
hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-12 -j RETURN +-A limit-12 -j DROP +-A limit-13 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-13 -j logaccept-1 +-A limit-13 -j DROP +-A limit-14 -m recent --name limit-14 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-5 +-A limit-14 -m recent --name limit-14 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set +-A limit-15 -m recent --name limit-15 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-6 +-A limit-15 -m recent --name limit-15 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set +-A limit-16 -m recent --name limit-16 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-7 +-A limit-16 -m recent --name limit-16 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set +-A limit-17 -m recent --name limit-17 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-8 +-A limit-17 -m recent --name limit-17 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG +-A limit-18 -m recent --name limit-18 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP +-A limit-18 -m recent --name limit-18 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set +-A limit-19 -m recent --name limit-19 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP +-A limit-19 -m recent --name limit-19 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set +-A limit-2 -m recent --name limit-2 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-3 +-A limit-2 -m limit 
--limit 1/second -j LOG +-A limit-2 -m recent --name limit-2 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT +-A limit-20 -m recent --name limit-20 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP +-A limit-20 -m recent --name limit-20 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set +-A limit-21 -m recent --name limit-21 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP +-A limit-21 -m recent --name limit-21 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG +-A limit-22 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-22 -j RETURN +-A limit-22 -m limit --limit 1/second -j LOG +-A limit-22 -j DROP +-A limit-23 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-23 -j RETURN +-A limit-23 -m limit --limit 1/second -j LOG +-A limit-23 -j DROP +-A limit-24 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-24 -j RETURN +-A limit-24 -m limit --limit 1/second -j LOG +-A limit-24 -j DROP +-A limit-25 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-25 -j RETURN +-A limit-25 -j DROP +-A limit-26 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-26 -j RETURN +-A limit-26 -j DROP +-A limit-27 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-27 -j RETURN +-A limit-27 -j DROP +-A limit-3 -m recent --name limit-3 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-4 +-A 
limit-3 -m recent --name limit-3 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG +-A limit-4 -m recent --name limit-4 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP +-A limit-4 -m recent --name limit-4 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT +-A limit-5 -m recent --name limit-5 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP +-A limit-5 -m recent --name limit-5 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set +-A limit-6 -m recent --name limit-6 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP +-A limit-6 -m limit --limit 1/second -j LOG +-A limit-6 -m recent --name limit-6 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT +-A limit-7 -m recent --name limit-7 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP +-A limit-7 -m recent --name limit-7 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG +-A limit-8 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-8 -j ACCEPT +-A limit-8 -m limit --limit 1/second -j LOG +-A limit-8 -j DROP +-A limit-9 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-9 -j RETURN +-A limit-9 -m limit --limit 1/second -j LOG +-A limit-9 -j DROP +-A logaccept-0 -m limit --limit 1/second -j LOG +-A logaccept-0 -j ACCEPT +-A logaccept-1 -m limit --limit 1/second -j LOG +-A logaccept-1 -j ACCEPT +-A logaccept-2 -m limit --limit 1/second -j LOG +-A logaccept-2 -j ACCEPT +-A logaccept-final-0 -m limit --limit 1/second -j LOG +-A logaccept-final-0 -j ACCEPT +-A logaccept-final-1 -m limit --limit 1/second -j LOG +-A logaccept-final-1 
-j ACCEPT +-A logaccept-final-2 -m limit --limit 1/second -j LOG +-A logaccept-final-2 -j ACCEPT +-A logaccept-final-3 -m limit --limit 1/second -j LOG +-A logaccept-final-3 -j ACCEPT +-A logdrop-0 -m limit --limit 1/second -j LOG +-A logdrop-0 -j DROP +-A logdrop-1 -m limit --limit 1/second -j LOG +-A logdrop-1 -j DROP +-A logdrop-10 -m limit --limit 1/second -j LOG +-A logdrop-10 -j DROP +-A logdrop-2 -m limit --limit 1/second -j LOG +-A logdrop-2 -j DROP +-A logdrop-3 -m limit --limit 1/second -j LOG +-A logdrop-3 -j DROP +-A logdrop-4 -m limit --limit 1/second -j LOG +-A logdrop-4 -j DROP +-A logdrop-5 -m limit --limit 1/second -j LOG +-A logdrop-5 -j DROP +-A logdrop-6 -m limit --limit 1/second -j LOG +-A logdrop-6 -j DROP +-A logdrop-7 -m limit --limit 1/second -j LOG +-A logdrop-7 -j DROP +-A logdrop-8 -m limit --limit 1/second -j LOG +-A logdrop-8 -j DROP +-A logdrop-9 -m limit --limit 1/second -j LOG +-A logdrop-9 -j DROP +-A logpass-0 -m limit --limit 1/second -j LOG +-A logreject-0 -m limit --limit 1/second -j LOG +-A logreject-0 -j REJECT +-A logtarpit-0 -m limit --limit 1/second -j LOG +-A logtarpit-0 -j tarpit +-A tarpit -p tcp -j TARPIT +-A tarpit -j DROP +COMMIT +*raw +:OUTPUT ACCEPT [0:0] +:PREROUTING ACCEPT [0:0] +-A OUTPUT -j CT --notrack +-A PREROUTING -j CT --notrack COMMIT diff --git a/test/output/rules-save b/test/output/rules-save index 06c601d822d8421e627199193fa073cf670e6e5e..31d3efa04f2048c1b70887ebddea991a92672317 100644 --- a/test/output/rules-save +++ b/test/output/rules-save 
@@ -4,17 +4,327 @@ :INPUT DROP [0:0] :OUTPUT DROP [0:0] :icmp-routing - [0:0] +:limit-0 - [0:0] +:limit-1 - [0:0] +:limit-10 - [0:0] +:limit-11 - [0:0] +:limit-12 - [0:0] +:limit-13 - [0:0] +:limit-14 - [0:0] +:limit-15 - [0:0] +:limit-16 - [0:0] +:limit-17 - [0:0] +:limit-18 - [0:0] +:limit-19 - [0:0] +:limit-2 - [0:0] +:limit-20 - [0:0] +:limit-21 - [0:0] +:limit-22 - [0:0] +:limit-23 - [0:0] +:limit-24 - [0:0] +:limit-25 - [0:0] +:limit-26 - [0:0] +:limit-27 - [0:0] +:limit-3 - [0:0] +:limit-4 - [0:0] +:limit-5 - [0:0] +:limit-6 - [0:0] +:limit-7 - [0:0] +:limit-8 - [0:0] +:limit-9 - [0:0] +:logaccept-0 - [0:0] +:logaccept-1 - [0:0] +:logaccept-2 - [0:0] +:logaccept-final-0 - [0:0] +:logaccept-final-1 - [0:0] +:logaccept-final-2 - [0:0] +:logaccept-final-3 - [0:0] +:logdrop-0 - [0:0] +:logdrop-1 - [0:0] +:logdrop-10 - [0:0] +:logdrop-2 - [0:0] +:logdrop-3 - [0:0] +:logdrop-4 - [0:0] +:logdrop-5 - [0:0] +:logdrop-6 - [0:0] +:logdrop-7 - [0:0] +:logdrop-8 - [0:0] +:logdrop-9 - [0:0] +:logpass-0 - [0:0] +:logreject-0 - [0:0] +:logtarpit-0 - [0:0] +:tarpit - [0:0] +-A FORWARD -j limit-27 +-A FORWARD -j limit-26 +-A FORWARD -j limit-25 +-A FORWARD -j limit-24 +-A FORWARD -j limit-23 +-A FORWARD -j limit-22 +-A FORWARD -j limit-21 +-A FORWARD -j limit-20 +-A FORWARD -j limit-19 +-A FORWARD -j limit-18 +-A FORWARD -j limit-17 +-A FORWARD -j limit-16 +-A FORWARD -j limit-15 +-A FORWARD -j limit-14 -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT +-A FORWARD -j ACCEPT +-A FORWARD -j ACCEPT +-A FORWARD -j logdrop-0 +-A FORWARD +-A FORWARD -j logreject-0 +-A FORWARD -j logtarpit-0 +-A FORWARD -j limit-0 +-A FORWARD -j limit-1 +-A FORWARD -j limit-2 +-A FORWARD -j limit-3 +-A FORWARD -j limit-4 +-A FORWARD -j limit-5 +-A FORWARD -j limit-6 +-A FORWARD -j limit-7 +-A FORWARD -j limit-8 +-A FORWARD -j limit-9 +-A FORWARD -j limit-10 +-A FORWARD -j limit-11 +-A FORWARD -j limit-12 +-A FORWARD -j limit-13 +-A FORWARD -j ACCEPT +-A FORWARD -j logaccept-final-0 +-A FORWARD 
-j ACCEPT +-A FORWARD -j logaccept-final-1 +-A FORWARD -j ACCEPT +-A FORWARD -j logaccept-final-2 +-A FORWARD -j ACCEPT +-A FORWARD -j logaccept-final-3 +-A FORWARD -j ACCEPT +-A FORWARD -j logdrop-9 +-A FORWARD +-A FORWARD -j ACCEPT +-A FORWARD -j DROP +-A FORWARD +-A FORWARD -j logaccept-2 +-A FORWARD -j logdrop-10 +-A FORWARD -j logpass-0 -A FORWARD -p icmp -j icmp-routing +-A INPUT -j limit-27 +-A INPUT -j limit-26 +-A INPUT -j limit-25 +-A INPUT -j limit-24 +-A INPUT -j limit-23 +-A INPUT -j limit-22 +-A INPUT -j limit-21 +-A INPUT -j limit-20 +-A INPUT -j limit-19 +-A INPUT -j limit-18 +-A INPUT -j limit-17 +-A INPUT -j limit-16 +-A INPUT -j limit-15 +-A INPUT -j limit-14 -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT +-A INPUT -j ACCEPT +-A INPUT -j ACCEPT +-A INPUT -j logdrop-0 +-A INPUT +-A INPUT -j logreject-0 +-A INPUT -j logtarpit-0 +-A INPUT -j limit-0 +-A INPUT -j limit-1 +-A INPUT -j limit-2 +-A INPUT -j limit-3 +-A INPUT -j limit-4 +-A INPUT -j limit-5 +-A INPUT -j limit-6 +-A INPUT -j limit-7 +-A INPUT -j limit-8 +-A INPUT -j limit-9 +-A INPUT -j limit-10 +-A INPUT -j limit-11 +-A INPUT -j limit-12 +-A INPUT -j limit-13 +-A INPUT -j ACCEPT +-A INPUT -j logaccept-final-0 +-A INPUT -j ACCEPT +-A INPUT -j logaccept-final-1 +-A INPUT -j ACCEPT +-A INPUT -j logaccept-final-2 +-A INPUT -j ACCEPT +-A INPUT -j logaccept-final-3 +-A INPUT -j ACCEPT +-A INPUT -j logdrop-9 +-A INPUT +-A INPUT -j ACCEPT +-A INPUT -j DROP +-A INPUT +-A INPUT -j logaccept-2 +-A INPUT -j logdrop-10 +-A INPUT -j logpass-0 -A INPUT -p icmp -j icmp-routing +-A OUTPUT -j limit-27 +-A OUTPUT -j limit-26 +-A OUTPUT -j limit-25 +-A OUTPUT -j limit-24 +-A OUTPUT -j limit-23 +-A OUTPUT -j limit-22 +-A OUTPUT -j limit-21 +-A OUTPUT -j limit-20 +-A OUTPUT -j limit-19 +-A OUTPUT -j limit-18 +-A OUTPUT -j limit-17 +-A OUTPUT -j limit-16 +-A OUTPUT -j limit-15 +-A OUTPUT -j limit-14 -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A OUTPUT -o lo -j ACCEPT 
+-A OUTPUT -j ACCEPT +-A OUTPUT -j ACCEPT +-A OUTPUT -j logdrop-0 +-A OUTPUT +-A OUTPUT -j logreject-0 +-A OUTPUT -j logtarpit-0 +-A OUTPUT -j limit-0 +-A OUTPUT -j limit-1 +-A OUTPUT -j limit-2 +-A OUTPUT -j limit-3 +-A OUTPUT -j limit-4 +-A OUTPUT -j limit-5 +-A OUTPUT -j limit-6 +-A OUTPUT -j limit-7 +-A OUTPUT -j limit-8 +-A OUTPUT -j limit-9 +-A OUTPUT -j limit-10 +-A OUTPUT -j limit-11 +-A OUTPUT -j limit-12 +-A OUTPUT -j limit-13 +-A OUTPUT -j ACCEPT +-A OUTPUT -j logaccept-final-0 +-A OUTPUT -j ACCEPT +-A OUTPUT -j logaccept-final-1 +-A OUTPUT -j ACCEPT +-A OUTPUT -j logaccept-final-2 +-A OUTPUT -j ACCEPT +-A OUTPUT -j logaccept-final-3 +-A OUTPUT -j ACCEPT +-A OUTPUT -j logdrop-9 +-A OUTPUT +-A OUTPUT -j ACCEPT +-A OUTPUT -j DROP +-A OUTPUT +-A OUTPUT -j logaccept-2 +-A OUTPUT -j logdrop-10 +-A OUTPUT -j logpass-0 -A OUTPUT -p icmp -j icmp-routing -A icmp-routing -p icmp --icmp-type 3 -j ACCEPT -A icmp-routing -p icmp --icmp-type 11 -j ACCEPT -A icmp-routing -p icmp --icmp-type 12 -j ACCEPT +-A limit-0 -m recent --name limit-0 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-1 +-A limit-0 -m recent --name limit-0 --rsource --mask 255.255.255.255 --set -j ACCEPT +-A limit-1 -m recent --name limit-1 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-2 +-A limit-1 -m recent --name limit-1 --rsource --mask 255.255.255.255 --set +-A limit-10 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-10 -j logaccept-0 +-A limit-10 -m limit --limit 1/second -j LOG +-A limit-10 -j DROP +-A limit-11 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-11 -j ACCEPT +-A limit-11 -j DROP +-A limit-12 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-12 -j RETURN +-A limit-12 -j DROP +-A 
limit-13 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-13 -j logaccept-1 +-A limit-13 -j DROP +-A limit-14 -m recent --name limit-14 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-5 +-A limit-14 -m recent --name limit-14 --rsource --mask 255.255.255.255 --set +-A limit-15 -m recent --name limit-15 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-6 +-A limit-15 -m recent --name limit-15 --rsource --mask 255.255.255.255 --set +-A limit-16 -m recent --name limit-16 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-7 +-A limit-16 -m recent --name limit-16 --rsource --mask 255.255.255.255 --set +-A limit-17 -m recent --name limit-17 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-8 +-A limit-17 -m recent --name limit-17 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG +-A limit-18 -m recent --name limit-18 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP +-A limit-18 -m recent --name limit-18 --rsource --mask 255.255.255.255 --set +-A limit-19 -m recent --name limit-19 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP +-A limit-19 -m recent --name limit-19 --rsource --mask 255.255.255.255 --set +-A limit-2 -m recent --name limit-2 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-3 +-A limit-2 -m limit --limit 1/second -j LOG +-A limit-2 -m recent --name limit-2 --rsource --mask 255.255.255.255 --set -j ACCEPT +-A limit-20 -m recent --name limit-20 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP +-A limit-20 -m recent --name limit-20 --rsource --mask 255.255.255.255 --set +-A limit-21 -m recent --name limit-21 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP +-A limit-21 -m recent --name limit-21 --rsource --mask 
255.255.255.255 --set -m limit --limit 1/second -j LOG +-A limit-22 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-22 -j RETURN +-A limit-22 -m limit --limit 1/second -j LOG +-A limit-22 -j DROP +-A limit-23 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-23 -j RETURN +-A limit-23 -m limit --limit 1/second -j LOG +-A limit-23 -j DROP +-A limit-24 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-24 -j RETURN +-A limit-24 -m limit --limit 1/second -j LOG +-A limit-24 -j DROP +-A limit-25 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-25 -j RETURN +-A limit-25 -j DROP +-A limit-26 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-26 -j RETURN +-A limit-26 -j DROP +-A limit-27 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-27 -j RETURN +-A limit-27 -j DROP +-A limit-3 -m recent --name limit-3 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-4 +-A limit-3 -m recent --name limit-3 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG +-A limit-4 -m recent --name limit-4 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP +-A limit-4 -m recent --name limit-4 --rsource --mask 255.255.255.255 --set -j ACCEPT +-A limit-5 -m recent --name limit-5 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP +-A limit-5 -m recent --name limit-5 --rsource --mask 255.255.255.255 --set +-A limit-6 -m recent --name limit-6 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP +-A limit-6 -m limit 
--limit 1/second -j LOG +-A limit-6 -m recent --name limit-6 --rsource --mask 255.255.255.255 --set -j ACCEPT +-A limit-7 -m recent --name limit-7 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP +-A limit-7 -m recent --name limit-7 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG +-A limit-8 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-8 -j ACCEPT +-A limit-8 -m limit --limit 1/second -j LOG +-A limit-8 -j DROP +-A limit-9 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-9 -j RETURN +-A limit-9 -m limit --limit 1/second -j LOG +-A limit-9 -j DROP +-A logaccept-0 -m limit --limit 1/second -j LOG +-A logaccept-0 -j ACCEPT +-A logaccept-1 -m limit --limit 1/second -j LOG +-A logaccept-1 -j ACCEPT +-A logaccept-2 -m limit --limit 1/second -j LOG +-A logaccept-2 -j ACCEPT +-A logaccept-final-0 -m limit --limit 1/second -j LOG +-A logaccept-final-0 -j ACCEPT +-A logaccept-final-1 -m limit --limit 1/second -j LOG +-A logaccept-final-1 -j ACCEPT +-A logaccept-final-2 -m limit --limit 1/second -j LOG +-A logaccept-final-2 -j ACCEPT +-A logaccept-final-3 -m limit --limit 1/second -j LOG +-A logaccept-final-3 -j ACCEPT +-A logdrop-0 -m limit --limit 1/second -j LOG +-A logdrop-0 -j DROP +-A logdrop-1 -m limit --limit 1/second -j LOG +-A logdrop-1 -j DROP +-A logdrop-10 -m limit --limit 1/second -j LOG +-A logdrop-10 -j DROP +-A logdrop-2 -m limit --limit 1/second -j LOG +-A logdrop-2 -j DROP +-A logdrop-3 -m limit --limit 1/second -j LOG +-A logdrop-3 -j DROP +-A logdrop-4 -m limit --limit 1/second -j LOG +-A logdrop-4 -j DROP +-A logdrop-5 -m limit --limit 1/second -j LOG +-A logdrop-5 -j DROP +-A logdrop-6 -m limit --limit 1/second -j LOG +-A logdrop-6 -j DROP +-A logdrop-7 -m limit --limit 1/second -j LOG +-A logdrop-7 -j DROP +-A logdrop-8 -m limit --limit 
1/second -j LOG +-A logdrop-8 -j DROP +-A logdrop-9 -m limit --limit 1/second -j LOG +-A logdrop-9 -j DROP +-A logpass-0 -m limit --limit 1/second -j LOG +-A logreject-0 -m limit --limit 1/second -j LOG +-A logreject-0 -j REJECT +-A logtarpit-0 -m limit --limit 1/second -j LOG +-A logtarpit-0 -j tarpit +-A tarpit -p tcp -j TARPIT +-A tarpit -j DROP COMMIT *nat :POSTROUTING ACCEPT [0:0] @@ -22,3 +332,9 @@ COMMIT -A POSTROUTING -m set --match-set awall-masquerade src -j awall-masquerade -A awall-masquerade -m set ! --match-set awall-masquerade dst -j MASQUERADE COMMIT +*raw +:OUTPUT ACCEPT [0:0] +:PREROUTING ACCEPT [0:0] +-A OUTPUT -j CT --notrack +-A PREROUTING -j CT --notrack +COMMIT diff --git a/test/output/rules6-save b/test/output/rules6-save index 419fd052cbb324d252a2abef47a1b37d3c487c90..c8c4fc4aab2cb8ddac1652741785b5c29b822dc9 100644 --- a/test/output/rules6-save +++ b/test/output/rules6-save 
@@ -4,16 +4,332 @@ :INPUT DROP [0:0] :OUTPUT DROP [0:0] :icmp-routing - [0:0] +:limit-0 - [0:0] +:limit-1 - [0:0] +:limit-10 - [0:0] +:limit-11 - [0:0] +:limit-12 - [0:0] +:limit-13 - [0:0] +:limit-14 - [0:0] +:limit-15 - [0:0] +:limit-16 - [0:0] +:limit-17 - [0:0] +:limit-18 - [0:0] +:limit-19 - [0:0] +:limit-2 - [0:0] +:limit-20 - [0:0] +:limit-21 - [0:0] +:limit-22 - [0:0] +:limit-23 - [0:0] +:limit-24 - [0:0] +:limit-25 - [0:0] +:limit-26 - [0:0] +:limit-27 - [0:0] +:limit-3 - [0:0] +:limit-4 - [0:0] +:limit-5 - [0:0] +:limit-6 - [0:0] +:limit-7 - [0:0] +:limit-8 - [0:0] +:limit-9 - [0:0] +:logaccept-0 - [0:0] +:logaccept-1 - [0:0] +:logaccept-2 - [0:0] +:logaccept-final-0 - [0:0] +:logaccept-final-1 - [0:0] +:logaccept-final-2 - [0:0] +:logaccept-final-3 - [0:0] +:logdrop-0 - [0:0] +:logdrop-1 - [0:0] +:logdrop-10 - [0:0] +:logdrop-2 - [0:0] +:logdrop-3 - [0:0] +:logdrop-4 - [0:0] +:logdrop-5 - [0:0] +:logdrop-6 - [0:0] +:logdrop-7 - [0:0] +:logdrop-8 - [0:0] +:logdrop-9 - [0:0] +:logpass-0 - [0:0] +:logreject-0 - [0:0] +:logtarpit-0 - [0:0] +:tarpit - [0:0] +-A FORWARD -j limit-27 +-A FORWARD -j limit-26 +-A FORWARD -j limit-25 +-A FORWARD -j limit-24 +-A FORWARD -j limit-23 +-A FORWARD -j limit-22 +-A FORWARD -j limit-21 +-A FORWARD -j limit-20 +-A FORWARD -j limit-19 +-A FORWARD -j limit-18 +-A FORWARD -j limit-17 +-A FORWARD -j limit-16 +-A FORWARD -j limit-15 +-A FORWARD -j limit-14 -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT +-A FORWARD -j ACCEPT +-A FORWARD -j ACCEPT +-A FORWARD -j logdrop-0 +-A FORWARD +-A FORWARD -j logreject-0 +-A FORWARD -j logtarpit-0 +-A FORWARD -j limit-0 +-A FORWARD -j limit-1 +-A FORWARD -j limit-2 +-A FORWARD -j limit-3 +-A FORWARD -j limit-4 +-A FORWARD -j limit-5 +-A FORWARD -j limit-6 +-A FORWARD -j limit-7 +-A FORWARD -j limit-8 +-A FORWARD -j limit-9 +-A FORWARD -j limit-10 +-A FORWARD -j limit-11 +-A FORWARD -j limit-12 +-A FORWARD -j limit-13 +-A FORWARD -j ACCEPT +-A FORWARD -j logaccept-final-0 +-A FORWARD 
-j ACCEPT +-A FORWARD -j logaccept-final-1 +-A FORWARD -j ACCEPT +-A FORWARD -j logaccept-final-2 +-A FORWARD -j ACCEPT +-A FORWARD -j logaccept-final-3 +-A FORWARD -j ACCEPT +-A FORWARD -j logdrop-9 +-A FORWARD +-A FORWARD -j ACCEPT +-A FORWARD -j DROP +-A FORWARD +-A FORWARD -j logaccept-2 +-A FORWARD -j logdrop-10 +-A FORWARD -j logpass-0 -A FORWARD -p icmpv6 -j icmp-routing +-A INPUT -j limit-27 +-A INPUT -j limit-26 +-A INPUT -j limit-25 +-A INPUT -j limit-24 +-A INPUT -j limit-23 +-A INPUT -j limit-22 +-A INPUT -j limit-21 +-A INPUT -j limit-20 +-A INPUT -j limit-19 +-A INPUT -j limit-18 +-A INPUT -j limit-17 +-A INPUT -j limit-16 +-A INPUT -j limit-15 +-A INPUT -j limit-14 -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT +-A INPUT -j ACCEPT +-A INPUT -j ACCEPT +-A INPUT -j logdrop-0 +-A INPUT +-A INPUT -j logreject-0 +-A INPUT -j logtarpit-0 +-A INPUT -j limit-0 +-A INPUT -j limit-1 +-A INPUT -j limit-2 +-A INPUT -j limit-3 +-A INPUT -j limit-4 +-A INPUT -j limit-5 +-A INPUT -j limit-6 +-A INPUT -j limit-7 +-A INPUT -j limit-8 +-A INPUT -j limit-9 +-A INPUT -j limit-10 +-A INPUT -j limit-11 +-A INPUT -j limit-12 +-A INPUT -j limit-13 +-A INPUT -j ACCEPT +-A INPUT -j logaccept-final-0 +-A INPUT -j ACCEPT +-A INPUT -j logaccept-final-1 +-A INPUT -j ACCEPT +-A INPUT -j logaccept-final-2 +-A INPUT -j ACCEPT +-A INPUT -j logaccept-final-3 +-A INPUT -j ACCEPT +-A INPUT -j logdrop-9 +-A INPUT +-A INPUT -j ACCEPT +-A INPUT -j DROP +-A INPUT +-A INPUT -j logaccept-2 +-A INPUT -j logdrop-10 +-A INPUT -j logpass-0 -A INPUT -p icmpv6 -j ACCEPT +-A OUTPUT -j limit-27 +-A OUTPUT -j limit-26 +-A OUTPUT -j limit-25 +-A OUTPUT -j limit-24 +-A OUTPUT -j limit-23 +-A OUTPUT -j limit-22 +-A OUTPUT -j limit-21 +-A OUTPUT -j limit-20 +-A OUTPUT -j limit-19 +-A OUTPUT -j limit-18 +-A OUTPUT -j limit-17 +-A OUTPUT -j limit-16 +-A OUTPUT -j limit-15 +-A OUTPUT -j limit-14 -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A OUTPUT -o lo -j ACCEPT 
+-A OUTPUT -j ACCEPT +-A OUTPUT -j ACCEPT +-A OUTPUT -j logdrop-0 +-A OUTPUT +-A OUTPUT -j logreject-0 +-A OUTPUT -j logtarpit-0 +-A OUTPUT -j limit-0 +-A OUTPUT -j limit-1 +-A OUTPUT -j limit-2 +-A OUTPUT -j limit-3 +-A OUTPUT -j limit-4 +-A OUTPUT -j limit-5 +-A OUTPUT -j limit-6 +-A OUTPUT -j limit-7 +-A OUTPUT -j limit-8 +-A OUTPUT -j limit-9 +-A OUTPUT -j limit-10 +-A OUTPUT -j limit-11 +-A OUTPUT -j limit-12 +-A OUTPUT -j limit-13 +-A OUTPUT -j ACCEPT +-A OUTPUT -j logaccept-final-0 +-A OUTPUT -j ACCEPT +-A OUTPUT -j logaccept-final-1 +-A OUTPUT -j ACCEPT +-A OUTPUT -j logaccept-final-2 +-A OUTPUT -j ACCEPT +-A OUTPUT -j logaccept-final-3 +-A OUTPUT -j ACCEPT +-A OUTPUT -j logdrop-9 +-A OUTPUT +-A OUTPUT -j ACCEPT +-A OUTPUT -j DROP +-A OUTPUT +-A OUTPUT -j logaccept-2 +-A OUTPUT -j logdrop-10 +-A OUTPUT -j logpass-0 -A OUTPUT -p icmpv6 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT -A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT +-A limit-0 -m recent --name limit-0 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-1 +-A limit-0 -m recent --name limit-0 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT +-A limit-1 -m recent --name limit-1 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-2 +-A limit-1 -m recent --name limit-1 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set +-A limit-10 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-10 -j logaccept-0 +-A limit-10 -m limit --limit 1/second -j LOG +-A limit-10 -j DROP +-A limit-11 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-11 -j ACCEPT +-A limit-11 -j DROP +-A limit-12 -m hashlimit 
--hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-12 -j RETURN +-A limit-12 -j DROP +-A limit-13 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-13 -j logaccept-1 +-A limit-13 -j DROP +-A limit-14 -m recent --name limit-14 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-5 +-A limit-14 -m recent --name limit-14 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set +-A limit-15 -m recent --name limit-15 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-6 +-A limit-15 -m recent --name limit-15 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set +-A limit-16 -m recent --name limit-16 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-7 +-A limit-16 -m recent --name limit-16 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set +-A limit-17 -m recent --name limit-17 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-8 +-A limit-17 -m recent --name limit-17 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG +-A limit-18 -m recent --name limit-18 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP +-A limit-18 -m recent --name limit-18 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set +-A limit-19 -m recent --name limit-19 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP +-A limit-19 -m recent --name limit-19 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set +-A limit-2 -m recent --name limit-2 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-3 +-A limit-2 -m limit --limit 
1/second -j LOG +-A limit-2 -m recent --name limit-2 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT +-A limit-20 -m recent --name limit-20 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP +-A limit-20 -m recent --name limit-20 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set +-A limit-21 -m recent --name limit-21 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP +-A limit-21 -m recent --name limit-21 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG +-A limit-22 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-22 -j RETURN +-A limit-22 -m limit --limit 1/second -j LOG +-A limit-22 -j DROP +-A limit-23 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-23 -j RETURN +-A limit-23 -m limit --limit 1/second -j LOG +-A limit-23 -j DROP +-A limit-24 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-24 -j RETURN +-A limit-24 -m limit --limit 1/second -j LOG +-A limit-24 -j DROP +-A limit-25 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-25 -j RETURN +-A limit-25 -j DROP +-A limit-26 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-26 -j RETURN +-A limit-26 -j DROP +-A limit-27 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-27 -j RETURN +-A limit-27 -j DROP +-A limit-3 -m recent --name limit-3 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-4 +-A limit-3 
-m recent --name limit-3 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG +-A limit-4 -m recent --name limit-4 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP +-A limit-4 -m recent --name limit-4 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT +-A limit-5 -m recent --name limit-5 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP +-A limit-5 -m recent --name limit-5 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set +-A limit-6 -m recent --name limit-6 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP +-A limit-6 -m limit --limit 1/second -j LOG +-A limit-6 -m recent --name limit-6 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT +-A limit-7 -m recent --name limit-7 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP +-A limit-7 -m recent --name limit-7 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG +-A limit-8 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-8 -j ACCEPT +-A limit-8 -m limit --limit 1/second -j LOG +-A limit-8 -j DROP +-A limit-9 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-9 -j RETURN +-A limit-9 -m limit --limit 1/second -j LOG +-A limit-9 -j DROP +-A logaccept-0 -m limit --limit 1/second -j LOG +-A logaccept-0 -j ACCEPT +-A logaccept-1 -m limit --limit 1/second -j LOG +-A logaccept-1 -j ACCEPT +-A logaccept-2 -m limit --limit 1/second -j LOG +-A logaccept-2 -j ACCEPT +-A logaccept-final-0 -m limit --limit 1/second -j LOG +-A logaccept-final-0 -j ACCEPT +-A logaccept-final-1 -m limit --limit 1/second -j LOG +-A logaccept-final-1 -j 
ACCEPT +-A logaccept-final-2 -m limit --limit 1/second -j LOG +-A logaccept-final-2 -j ACCEPT +-A logaccept-final-3 -m limit --limit 1/second -j LOG +-A logaccept-final-3 -j ACCEPT +-A logdrop-0 -m limit --limit 1/second -j LOG +-A logdrop-0 -j DROP +-A logdrop-1 -m limit --limit 1/second -j LOG +-A logdrop-1 -j DROP +-A logdrop-10 -m limit --limit 1/second -j LOG +-A logdrop-10 -j DROP +-A logdrop-2 -m limit --limit 1/second -j LOG +-A logdrop-2 -j DROP +-A logdrop-3 -m limit --limit 1/second -j LOG +-A logdrop-3 -j DROP +-A logdrop-4 -m limit --limit 1/second -j LOG +-A logdrop-4 -j DROP +-A logdrop-5 -m limit --limit 1/second -j LOG +-A logdrop-5 -j DROP +-A logdrop-6 -m limit --limit 1/second -j LOG +-A logdrop-6 -j DROP +-A logdrop-7 -m limit --limit 1/second -j LOG +-A logdrop-7 -j DROP +-A logdrop-8 -m limit --limit 1/second -j LOG +-A logdrop-8 -j DROP +-A logdrop-9 -m limit --limit 1/second -j LOG +-A logdrop-9 -j DROP +-A logpass-0 -m limit --limit 1/second -j LOG +-A logreject-0 -m limit --limit 1/second -j LOG +-A logreject-0 -j REJECT +-A logtarpit-0 -m limit --limit 1/second -j LOG +-A logtarpit-0 -j tarpit +-A tarpit -p tcp -j TARPIT +-A tarpit -j DROP +COMMIT +*raw +:OUTPUT ACCEPT [0:0] +:PREROUTING ACCEPT [0:0] +-A OUTPUT -j CT --notrack +-A PREROUTING -j CT --notrack COMMIT