IPTABLES 不会在关闭的端口上丢弃数据包

IPTABLES 不会在关闭的端口上丢弃数据包

因此,我尝试在 iptables 上创建规则,阻止除 21、22、27015 之外的端口上的所有数据包,但洪水/数据包能够从 50 或 60 等端口到达并加载我的网络。这是我在 iptables 上添加的规则列表:


Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 DROP       all  --  *      *       206.81.9.31          0.0.0.0/0   
    6  4487 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:27017
 238K  179M DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:27016
    3  2273 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:111
8157K 6129M ufw-before-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            recent: UPDATE seconds: 120 hit_count: 1 name: FREESWITCH_BADGUY side: source mask: 255.255.255.255 LOG flags 0 level 6 prefix "FREESWITCH BAD: "
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            multiport dports 21,22,27015 recent: SET name: FREESWITCH_BADGUY side: source mask: 255.255.255.255
8157K 6129M ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
7565K 5761M ufw-after-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
7565K 5761M ufw-after-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
7565K 5761M ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
7565K 5761M ufw-track-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    40 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            #conn src/32 > 40 reject-with tcp-reset
    1    44 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW limit: avg 60/sec burst 20
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            #conn src/32 > 80 reject-with tcp-reset
  591 28740 SYNPROXY   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp ctstate INVALID,UNTRACKED SYNPROXY sack-perm timestamp wscale 7 mss 1460
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            #conn src/32 > 111 reject-with tcp-reset
    0     0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW recent: UPDATE seconds: 60 hit_count: 10 name: DEFAULT side: source mask: 255.255.255.255
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
2526K 1941M DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:27016
    0     0 DROP       tcp  --  eth1   *      !1.2.3.4              0.0.0.0/0            tcp dpt:80
    0     0 DROP       udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            udp dpt:!80
    0     0 DROP       udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            udp dpt:!27016
    0     0 ACCEPT     all  --  eth1   *       185.226.0.0/16       0.0.0.0/0   
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:1:20
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:23:27014
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:27016:65535
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 1:20
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 23:27014
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 27016:65500
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:27015
 169K  128M DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 27016:65500
1985K 1518M DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 23:27014
  133  102K DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:27016:65535
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:23:27014
   96 72094 RATE-LIMIT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:27015 limit: avg 150/min burst 200

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ufw-before-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-after-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-after-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-reject-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-track-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 80 packets, 4404 bytes)
 pkts bytes target     prot opt in     out     source               destination 
75873   29M ufw-before-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
75873   29M ufw-before-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1784  106K ufw-after-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1784  106K ufw-after-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1784  106K ufw-reject-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1784  106K ufw-track-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain RATE-LIMIT (1 references)
 pkts bytes target     prot opt in     out     source               destination 
   96 72094 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 151/sec burst 20
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 50/sec burst 20
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 150/sec burst 20
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "IPTables-Rejected: "

Chain port-scanning (0 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x04 limit: avg 1/sec burst 2
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   

Chain ufw-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain ufw-after-input (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137
    4  2295 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138
    0     0 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
   73  3728 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
    3  2315 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    5  3950 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ufw-skip-to-policy-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination 
  442 68204 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain ufw-after-output (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain ufw-before-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ufw-user-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination 
   50  5262 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0   
 6166  632K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
4713K 3577M ufw-not-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            239.255.255.250      udp dpt:1900
4713K 3577M ufw-user-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-before-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain ufw-before-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain ufw-before-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain ufw-before-output (1 references)
 pkts bytes target     prot opt in     out     source               destination 
   50  5262 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0   
61382   27M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  983 53571 ufw-user-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-logging-allow (0 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID limit: avg 3/min burst 10
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
 pkts bytes target     prot opt in     out     source               destination 
4713K 3577M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   

Chain ufw-reject-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain ufw-reject-input (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain ufw-reject-output (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain ufw-skip-to-policy-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   

Chain ufw-skip-to-policy-input (7 references)
 pkts bytes target     prot opt in     out     source               destination 
   85 12288 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   

Chain ufw-skip-to-policy-output (0 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   

Chain ufw-track-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain ufw-track-input (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain ufw-track-output (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
   21  1755 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain ufw-user-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination 
   81  4784 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
    6  4558 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:27015
 511K  363M ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:27015
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* 'dapp_OpenSSH' */
    0     0 ACCEPT     tcp  --  *      *       185.226.88.178       0.0.0.0/0            tcp dpt:22
    0     0 DROP       all  --  *      *       206.81.9.31          0.0.0.0/0   

Chain ufw-user-limit (0 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   

Chain ufw-user-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain ufw-user-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain ufw-user-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain ufw-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination 





------------------------------------------------------------------------------------------------------------------------------------------------------------------


-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N RATE-LIMIT
-N port-scanning
-N ufw-after-forward
-N ufw-after-input
-N ufw-after-logging-forward
-N ufw-after-logging-input
-N ufw-after-logging-output
-N ufw-after-output
-N ufw-before-forward
-N ufw-before-input
-N ufw-before-logging-forward
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-output
-N ufw-logging-allow
-N ufw-logging-deny
-N ufw-not-local
-N ufw-reject-forward
-N ufw-reject-input
-N ufw-reject-output
-N ufw-skip-to-policy-forward
-N ufw-skip-to-policy-input
-N ufw-skip-to-policy-output
-N ufw-track-forward
-N ufw-track-input
-N ufw-track-output
-N ufw-user-forward
-N ufw-user-input
-N ufw-user-limit
-N ufw-user-limit-accept
-N ufw-user-logging-forward
-N ufw-user-logging-input
-N ufw-user-logging-output
-N ufw-user-output
-A INPUT -s 206.81.9.31/32 -j DROP
-A INPUT -p udp -m udp --dport 27017 -j DROP
-A INPUT -p udp -m udp --dport 27016 -j DROP
-A INPUT -p udp -m udp --dport 111 -j DROP
-A INPUT -j ufw-before-logging-input
-A INPUT -i eth0 -p tcp -m recent --update --seconds 120 --hitcount 1 --name FREESWITCH_BADGUY --mask 255.255.255.255 --rsource -j LOG --log-prefix "FREESWITCH BAD: " --log-level 6
-A INPUT -i eth0 -p tcp -m multiport --dports 21,22,27015 -m recent --set --name FREESWITCH_BADGUY --mask 255.255.255.255 --rsource -j ACCEPT
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m connlimit --connlimit-above 40 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/sec --limit-burst 20 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
-A INPUT -p tcp -m connlimit --connlimit-above 80 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m connlimit --connlimit-above 111 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -p udp -m udp --dport 27016 -j DROP
-A INPUT ! -s 1.2.3.4/32 -i eth1 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -i eth1 -p udp -m udp ! --dport 80 -j DROP
-A INPUT -i eth1 -p udp -m udp ! --dport 27016 -j DROP
-A INPUT -s 185.226.0.0/16 -i eth1 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1:20 -j DROP
-A INPUT -p tcp -m tcp --dport 23:27014 -j DROP
-A INPUT -p tcp -m tcp --dport 27016:65535 -j DROP
-A INPUT -p tcp -m multiport --dports 1:20 -j DROP
-A INPUT -p tcp -m multiport --dports 23:27014 -j DROP
-A INPUT -p tcp -m multiport --dports 27016:65500 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 27015 -j ACCEPT
-A INPUT -p udp -m multiport --dports 27016:65500 -j DROP
-A INPUT -p udp -m multiport --dports 23:27014 -j DROP
-A INPUT -p udp -m udp --dport 27016:65535 -j DROP
-A INPUT -p udp -m udp --dport 23:27014 -j DROP
-A INPUT -m conntrack --ctstate NEW -j RATE-LIMIT
-A INPUT -p udp -m udp --dport 27015 -m limit --limit 150/min --limit-burst 200 -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A RATE-LIMIT -m limit --limit 151/sec --limit-burst 20 -j ACCEPT
-A RATE-LIMIT -j DROP
-A RATE-LIMIT -m hashlimit --hashlimit-upto 50/sec --hashlimit-burst 20 --hashlimit-name conn_rate_limit -j ACCEPT
-A RATE-LIMIT -m hashlimit --hashlimit-upto 150/sec --hashlimit-burst 20 --hashlimit-name conn_rate_limit -j ACCEPT
-A RATE-LIMIT -j DROP
-A RATE-LIMIT -j LOG --log-prefix "IPTables-Rejected: "
-A port-scanning -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec --limit-burst 2 -j RETURN
-A port-scanning -j DROP
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 22 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 21 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 21 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 27015 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 27015 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -m comment --comment "\'dapp_OpenSSH\'" -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT

相关内容