因此,我尝试在 iptables 上创建规则,阻止除 21、22、27015 之外所有端口上的数据包,但洪水攻击的数据包仍然能从 50 或 60 等端口到达,并使我的网络负载过高。以下是我在 iptables 上添加的规则列表:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 206.81.9.31 0.0.0.0/0
6 4487 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:27017
238K 179M DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:27016
3 2273 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:111
8157K 6129M ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 120 hit_count: 1 name: FREESWITCH_BADGUY side: source mask: 255.255.255.255 LOG flags 0 level 6 prefix "FREESWITCH BAD: "
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,22,27015 recent: SET name: FREESWITCH_BADGUY side: source mask: 255.255.255.255
8157K 6129M ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0
7565K 5761M ufw-after-input all -- * * 0.0.0.0/0 0.0.0.0/0
7565K 5761M ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
7565K 5761M ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0
7565K 5761M ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0
1 40 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 #conn src/32 > 40 reject-with tcp-reset
1 44 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW limit: avg 60/sec burst 20
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 #conn src/32 > 80 reject-with tcp-reset
591 28740 SYNPROXY tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp ctstate INVALID,UNTRACKED SYNPROXY sack-perm timestamp wscale 7 mss 1460
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 #conn src/32 > 111 reject-with tcp-reset
0 0 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW recent: UPDATE seconds: 60 hit_count: 10 name: DEFAULT side: source mask: 255.255.255.255
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
2526K 1941M DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:27016
0 0 DROP tcp -- eth1 * !1.2.3.4 0.0.0.0/0 tcp dpt:80
0 0 DROP udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:!80
0 0 DROP udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:!27016
0 0 ACCEPT all -- eth1 * 185.226.0.0/16 0.0.0.0/0
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1:20
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:23:27014
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:27016:65535
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 1:20
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 23:27014
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 27016:65500
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:27015
169K 128M DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 27016:65500
1985K 1518M DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 23:27014
133 102K DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:27016:65535
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:23:27014
96 72094 RATE-LIMIT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:27015 limit: avg 150/min burst 200
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ufw-before-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-reject-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-track-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 80 packets, 4404 bytes)
pkts bytes target prot opt in out source destination
75873 29M ufw-before-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
75873 29M ufw-before-output all -- * * 0.0.0.0/0 0.0.0.0/0
1784 106K ufw-after-output all -- * * 0.0.0.0/0 0.0.0.0/0
1784 106K ufw-after-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
1784 106K ufw-reject-output all -- * * 0.0.0.0/0 0.0.0.0/0
1784 106K ufw-track-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain RATE-LIMIT (1 references)
pkts bytes target prot opt in out source destination
96 72094 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 151/sec burst 20
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 limit: up to 50/sec burst 20
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 limit: up to 150/sec burst 20
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "IPTables-Rejected: "
Chain port-scanning (0 references)
pkts bytes target prot opt in out source destination
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 2
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-after-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
4 2295 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
0 0 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
73 3728 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
3 2315 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
5 3950 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ufw-skip-to-policy-input all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
pkts bytes target prot opt in out source destination
442 68204 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ufw-user-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-input (1 references)
pkts bytes target prot opt in out source destination
50 5262 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
6166 632K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
4713K 3577M ufw-not-local all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 239.255.255.250 udp dpt:1900
4713K 3577M ufw-user-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-output (1 references)
pkts bytes target prot opt in out source destination
50 5262 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
61382 27M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
983 53571 ufw-user-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID limit: avg 3/min burst 10
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
4713K 3577M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-reject-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-input (7 references)
pkts bytes target prot opt in out source destination
85 12288 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-track-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-output (1 references)
pkts bytes target prot opt in out source destination
1 60 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
21 1755 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
Chain ufw-user-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
81 4784 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
6 4558 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:27015
511K 363M ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:27015
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 /* 'dapp_OpenSSH' */
0 0 ACCEPT tcp -- * * 185.226.88.178 0.0.0.0/0 tcp dpt:22
0 0 DROP all -- * * 206.81.9.31 0.0.0.0/0
Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-output (1 references)
pkts bytes target prot opt in out source destination
------------------------------------------------------------------------------------------------------------------------------------------------------------------
# Policies: a packet that no rule in INPUT or FORWARD explicitly ACCEPTs is
# dropped at the end of the chain; OUTPUT is open.  With INPUT at DROP, no
# per-port DROP rules are needed to close a port - only the ACCEPT rules
# decide what gets in.
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
# Two hand-made chains plus the chains ufw installs.  port-scanning is
# declared but nothing jumps to it (0 references in the -L output), so it
# currently has no effect.
-N RATE-LIMIT
-N port-scanning
-N ufw-after-forward
-N ufw-after-input
-N ufw-after-logging-forward
-N ufw-after-logging-input
-N ufw-after-logging-output
-N ufw-after-output
-N ufw-before-forward
-N ufw-before-input
-N ufw-before-logging-forward
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-output
-N ufw-logging-allow
-N ufw-logging-deny
-N ufw-not-local
-N ufw-reject-forward
-N ufw-reject-input
-N ufw-reject-output
-N ufw-skip-to-policy-forward
-N ufw-skip-to-policy-input
-N ufw-skip-to-policy-output
-N ufw-track-forward
-N ufw-track-input
-N ufw-track-output
-N ufw-user-forward
-N ufw-user-input
-N ufw-user-limit
-N ufw-user-limit-accept
-N ufw-user-logging-forward
-N ufw-user-logging-input
-N ufw-user-logging-output
-N ufw-user-output
# INPUT chain.  Matching is first-hit, top to bottom; the comments below trace
# which rules actually decide a packet's fate.  The short version: the ufw
# hooks near the top already ACCEPT the game port without any limit, a later
# rule ACCEPTs NEW TCP to every port, and the RATE-LIMIT jump near the bottom
# never returns - so most of the hand-written DROP rules are either
# unreachable or only fire after the packet has already consumed the link.
-A INPUT -s 206.81.9.31/32 -j DROP
-A INPUT -p udp -m udp --dport 27017 -j DROP
-A INPUT -p udp -m udp --dport 27016 -j DROP
-A INPUT -p udp -m udp --dport 111 -j DROP
-A INPUT -j ufw-before-logging-input
# LOG is non-terminating: a matching packet is logged and then continues down
# the chain.  The rule after this one puts every client that reaches
# 21/22/27015 on the FREESWITCH_BADGUY list, so all further eth0 TCP packets
# from such a client within 120 s are logged at level 6 - this produces log
# volume, not blocking.  NOTE(review): 0 hits in the -L output, so eth0 may
# not be the interface carrying the traffic - confirm.
-A INPUT -i eth0 -p tcp -m recent --update --seconds 120 --hitcount 1 --name FREESWITCH_BADGUY --mask 255.255.255.255 --rsource -j LOG --log-prefix "FREESWITCH BAD: " --log-level 6
-A INPUT -i eth0 -p tcp -m multiport --dports 21,22,27015 -m recent --set --name FREESWITCH_BADGUY --mask 255.255.255.255 --rsource -j ACCEPT
# The ufw hooks run BEFORE every hand-written port rule further down.
# ufw-before-input accepts RELATED,ESTABLISHED and then jumps to
# ufw-user-input, which ACCEPTs TCP and UDP to 22, 21 and 27015 with no rate
# limit (udp dpt:27015 alone shows 511K packets / 363M bytes in -L).  A UDP
# flood aimed at 27015 - from any source port - is therefore accepted here and
# never reaches the limited 27015 rule at the end of this chain.
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m connlimit --connlimit-above 40 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset
# ACCEPTs NEW TCP to ANY destination port (there is no --dport match) at up to
# 60/s, burst 20; the next rule DROPs whatever exceeds that.  Every new TCP
# connection is therefore decided by these two lines, and the per-port TCP
# DROP rules below (port 80, 1:20, 23:27014, 27016:65535) never see a new
# connection.  Removing this pair - and relying on policy DROP - is what
# actually restricts TCP to 21/22/27015.
-A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/sec --limit-burst 20 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
# Unreachable: a source with more than 80 (or 111) connections already has
# more than 40 and was rejected by the first connlimit rule above.
-A INPUT -p tcp -m connlimit --connlimit-above 80 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset
# NOTE(review): SYNPROXY is normally paired with a raw-table NOTRACK rule for
# incoming SYNs; that table is not part of this dump - confirm it exists,
# otherwise the 591 packets counted here are just INVALID/UNTRACKED leftovers.
-A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m connlimit --connlimit-above 111 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset
# SSH throttle (more than 10 new connections per source in 60 s -> DROP).  The
# first line deliberately has no -j; it only records the source.  Both are dead:
# NEW TCP to 22 was already ACCEPTed by the '--dport 22 -j ACCEPT' rule above
# and inside ufw-user-input, so no packet reaches them (0 hits in -L).
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j DROP
# Duplicate of the udp 27016 DROP at the top of the chain.
-A INPUT -p udp -m udp --dport 27016 -j DROP
-A INPUT ! -s 1.2.3.4/32 -i eth1 -p tcp -m tcp --dport 80 -j DROP
# Taken together these two lines drop EVERY UDP packet arriving on eth1: a
# packet not addressed to 80 matches the first, and one addressed to 80 is not
# addressed to 27016 and matches the second.  (0 hits, so eth1 is presumably
# unused - confirm before relying on it.)
-A INPUT -i eth1 -p udp -m udp ! --dport 80 -j DROP
-A INPUT -i eth1 -p udp -m udp ! --dport 27016 -j DROP
-A INPUT -s 185.226.0.0/16 -i eth1 -j ACCEPT
# TCP port-range blocks, each written twice (tcp match and multiport); the
# multiport copies add nothing, and 27016:65500 is narrower than the
# 27016:65535 line above it.  See the NEW-TCP limit rule above for why new
# connections never get this far.
-A INPUT -p tcp -m tcp --dport 1:20 -j DROP
-A INPUT -p tcp -m tcp --dport 23:27014 -j DROP
-A INPUT -p tcp -m tcp --dport 27016:65535 -j DROP
-A INPUT -p tcp -m multiport --dports 1:20 -j DROP
-A INPUT -p tcp -m multiport --dports 23:27014 -j DROP
-A INPUT -p tcp -m multiport --dports 27016:65500 -j DROP
# Redundant: 22, 21 and 27015 were already ACCEPTed earlier in this chain and
# in ufw-user-input.
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 27015 -j ACCEPT
# UDP port-range blocks.  These DO match - the -L counters show over 2M
# packets (~1.6 GB) dropped here - but a DROP in INPUT happens after the
# packet has already crossed the uplink and been received by the NIC.  It
# saves CPU, it cannot relieve a saturated link; volumetric floods have to be
# filtered upstream (provider / edge).  Unlike the TCP rules there is no
# 1:20 range for UDP, so UDP to dports 1-20 falls through to RATE-LIMIT below.
-A INPUT -p udp -m multiport --dports 27016:65500 -j DROP
-A INPUT -p udp -m multiport --dports 23:27014 -j DROP
-A INPUT -p udp -m udp --dport 27016:65535 -j DROP
-A INPUT -p udp -m udp --dport 23:27014 -j DROP
# RATE-LIMIT never RETURNs (its first rule ACCEPTs at 151/s, its second DROPs
# the rest), so every NEW packet of any protocol or port that reaches this
# line is decided there - including UDP to ports the rules above do not
# cover.  The limited udp 27015 ACCEPT after it is unreachable (0 hits), and
# udp 27015 was already accepted without limit in ufw-user-input anyway.
-A INPUT -m conntrack --ctstate NEW -j RATE-LIMIT
-A INPUT -p udp -m udp --dport 27015 -m limit --limit 150/min --limit-burst 200 -j ACCEPT
# Standard ufw hook order for FORWARD and OUTPUT; nothing hand-written here.
# FORWARD policy is DROP and its ufw-before-forward chain only accepts
# RELATED,ESTABLISHED and ICMP types 3/8/11/12 (all 0 hits in -L), so this
# host is effectively not forwarding.
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
# OUTPUT policy is ACCEPT; ufw-before-output accepts lo and RELATED,ESTABLISHED
# and ufw-user-output is empty, so outbound traffic is unrestricted.
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
# RATE-LIMIT: rule 1 ACCEPTs up to 151/s (burst 20) with no protocol, port or
# source match; rule 2 DROPs everything else.  Nothing below rule 2 is
# reachable - the two hashlimit rules, the second DROP and the LOG all show
# 0 hits in -L - and the chain never RETURNs to INPUT.  Note that '-m limit'
# is a single global bucket, not per source, so one flooding host uses up the
# whole allowance for every legitimate client.  The LOG would also have to
# come before a DROP to ever fire.
-A RATE-LIMIT -m limit --limit 151/sec --limit-burst 20 -j ACCEPT
-A RATE-LIMIT -j DROP
-A RATE-LIMIT -m hashlimit --hashlimit-upto 50/sec --hashlimit-burst 20 --hashlimit-name conn_rate_limit -j ACCEPT
-A RATE-LIMIT -m hashlimit --hashlimit-upto 150/sec --hashlimit-burst 20 --hashlimit-name conn_rate_limit -j ACCEPT
-A RATE-LIMIT -j DROP
-A RATE-LIMIT -j LOG --log-prefix "IPTables-Rejected: "
# port-scanning: no chain jumps here (0 references in -L), so these two rules
# are inert.
-A port-scanning -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec --limit-burst 2 -j RETURN
-A port-scanning -j DROP
# ufw-managed chains.  Only the lines that bear on the question are annotated;
# the rest is ufw's stock rule set.
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
# ufw-before-input is the first non-empty chain INPUT jumps to, so everything
# it ACCEPTs is settled before any hand-written INPUT rule runs.  The
# RELATED,ESTABLISHED line below is what lets replies to the game server's
# traffic in (6166 hits); the hand-written copy of it in INPUT has seen 1.
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
# ufw-user-input: the rules 'ufw allow 22/21/27015' generate.  These ACCEPT
# unconditionally and run before every hand-written limit/DROP in INPUT; the
# udp 27015 line has accepted 511K packets / 363M bytes, i.e. this is where a
# flood against the game port gets in.  Any rate limit for 27015 has to be
# applied here (or this line removed so the limited INPUT rule is reached).
# SSH and the FTP control channel are TCP-only, so the udp 22 / udp 21 entries
# can be narrowed to tcp.  The final DROP for 206.81.9.31 is unreachable -
# INPUT's very first rule already drops that source.
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 22 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 21 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 21 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 27015 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 27015 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -m comment --comment "\'dapp_OpenSSH\'" -j ACCEPT
# ufw-user-limit / ufw-user-limit-accept have 0 references: no 'ufw limit'
# rule is in use, so the 'ufw limit 22/tcp' style SSH throttle is not active.
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT