I need some help reading my iptables rules; my rules seem to work, but I'm not sure


As the title says, I need some help reading my iptables rules; my rules seem to work, but I'm not sure. My setup is as follows: ISP ---> cable modem ---> Ethernet switch ---> netbook / server / firewall / wifi ---> wirelessly connected devices.

My netbook is a server running Ubuntu 13.04 Raring 32-bit with OpenVPN, email and Iodine (IP-over-DNS). The same netbook also works as a wireless router, using dhcp, hostapd for wifi and iptables as the firewall.

eth0 is the WAN, with the IP 192.168.1.2
wlan0 is the LAN, with the IP 10.0.0.2
dns0 and dns1 are the Iodine tunnels, with the IPs 172.168.0.1 (dns0) and 172.16.2.1 (dns1)
tun0 is my OpenVPN tunnel, with the IP 10.0.2.1

What should happen is that all incoming/outgoing port requests should be BLOCKED to/from the server/router itself, except:
Ports 80 and 443 for web browsing
Ports 25, 587, 110, 995, 143 and 993 for various email services
Port 22 for ssh
Port 1194 for OpenVPN

All incoming/outgoing ports should be BLOCKED from/to connections on my VPN, Iodine connections and Wi-Fi connections, except:
Port 53 for DNS requests
Ports 80 and 443 for web browsing
Port 8080 to access the college's services
Port 29304 for Skype
Ports 6783, 6784 and 6785 for Splashtop Streamer
Ports 5060 to 5080 and port 65535 for CallCentric VOIP
Ports 19305 to 19309; ports 5228 and 14259 for various Google services
Ports 80 (udp), 6969 and 1337 for torrents
Port 25 for email
Port 587 for iCloud email
Ports 465, 587, 993, 994 and 995 for Gmail
Ports 7070, 1338, 6667 and 6697 for IRC
Ports 2000, 1843 and 843 for text-based online games such as MUDs
Port 22 for SSH
Port 1194 for VPN
Ports 3478 to 3487, 16384 to 16387, 16393 to 16402 and 5223 for iMessage and FaceTime

Below are my iptables rules; I put them in /etc/default/iptables so that they are set up at every boot.

###****FIREWALL PRESETUP****###

*nat

# Wireless devices wlan0
-A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE

# Personal VPN tun0 to this network from my devices
-A POSTROUTING -o eth0 -s 10.0.2.0/24 -j MASQUERADE

# Iodine (IP-over-DNS) dns0 and dns1
-A POSTROUTING -o eth0 -s 172.16.0.0/27 -j MASQUERADE
-A POSTROUTING -o eth0 -s 172.16.2.0/27 -j MASQUERADE

COMMIT

###****BEGIN GLOBAL FIREWALL****###

*filter

# Block unwanted traffic
:FORWARD DROP
:INPUT DROP

# Allow wanted traffic to/from all interfaces
:OUTPUT ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Make sure wanted traffic to/from wlan0 (LAN) is allowed
-A FORWARD -i wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Make sure wanted traffic to/from tun0 (VPN) is allowed
-A FORWARD -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -o eth0 -s 10.0.2.0/25 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Also allow traffic to/from tun0 (VPN) to wlan0 (LAN)
-A FORWARD -i tun0 -o wlan0 -s 10.0.2.0/25 -d 10.0.0.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Also allow traffic to/from tun0 (VPN) to eth0 (WAN)
-A FORWARD -i tun0 -o eth0 -s 10.0.2.0/25 -d 192.168.2.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Make sure wanted traffic to/from dns0 and dns1, Iodine (IP-over-DNS), is allowed
-A FORWARD -i dns0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i dns1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Also allow traffic to/from dns0 and dns1, Iodine (IP-over-DNS), to wlan0 (LAN)
-A FORWARD -i dns0 -o wlan0 -s 172.16.0.1/27 -d 10.0.0.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i dns1 -o wlan0 -s 172.16.2.1/27 -d 10.0.0.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Also allow traffic to/from dns0 and dns1, Iodine (IP-over-DNS), to eth0 (WAN)
-A FORWARD -i dns0 -o eth0 -s 172.16.0.1/27 -d 192.168.2.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i dns1 -o eth0 -s 172.16.2.1/27 -d 192.168.2.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow wanted traffic into the router itself
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

###****BEGIN WIFI FIREWALL ****###

#Logging
#-A FORWARD -i wlan0 -o eth0 -p tcp --syn -j LOG --log-prefix "syn packet:"
#-I FORWARD 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# dns
-A FORWARD -i wlan0 -o eth0 -p udp --dport 53 -j ACCEPT

# http, https
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 80 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 443 -j ACCEPT

# Los Rios College eServices (and others)
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 8080 -j ACCEPT

# Skype (Outgoing)
-A FORWARD -i wlan0 -o eth0 -p udp --dport 29304 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 29304 -j ACCEPT

# Skype (Incoming)
-A FORWARD -i eth0 -o wlan0 -p udp --dport 29304 -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -p tcp --dport 29304 -j ACCEPT

# Splashtop streamer (a single port range needs no -m multiport; --dport lo:hi matches it)
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 6783:6785 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p udp --dport 6783:6785 -j ACCEPT

# CallCentric VOIP
-A FORWARD -i wlan0 -o eth0 -p udp --dport 5060:5080 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p udp --dport 65535 -j ACCEPT

# Google hangout, voip, and other google services
-A FORWARD -i wlan0 -o eth0 -p udp --dport 19305:19309 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 19305:19309 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p udp --dport 5228 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 5228 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p udp --dport 14259 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 14259 -j ACCEPT

# Torrent
-A FORWARD -i wlan0 -o eth0 -p udp --dport 80 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p udp --dport 6969 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p udp --dport 1337 -j ACCEPT

# Email
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 25 -j ACCEPT

# iCloud Email
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 587 -j ACCEPT

# Gmail SMTP SSL
-A FORWARD -i wlan0 -o eth0 -p udp --dport 465 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 465 -j ACCEPT

# Gmail SMTP StartTLS
-A FORWARD -i wlan0 -o eth0 -p udp --dport 587 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 587 -j ACCEPT

# Gmail IMAP SSL
-A FORWARD -i wlan0 -o eth0 -p udp --dport 993:995 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 993:995 -j ACCEPT

# irc
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 7070 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 1338 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 6667 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 6697 -j ACCEPT

# MUD
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 2000 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 1843 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 843 -j ACCEPT

# ssh
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 22 -j ACCEPT

# vpn
-A FORWARD -i wlan0 -o eth0 -p udp --dport 1194 -j ACCEPT

# iOS iMessages, Facetime
-A FORWARD -i wlan0 -o eth0 -p udp --dport 3478:3487 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 5223 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p udp --dport 16384:16387 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p udp --dport 16393:16402 -j ACCEPT

# Allow PING from wlan0 clients out to the WAN (replies come back via the ESTABLISHED,RELATED rule).
-A FORWARD -i wlan0 -o eth0 -p icmp --icmp-type echo-request -j ACCEPT

###****BEGIN IODINE (IP-over-DNS, dns0 and dns1) FIREWALL ****###

#Logging
#-A FORWARD -i dns0 -o eth0 -p tcp --syn -j LOG --log-prefix "syn packet:"

# dns
-A FORWARD -i dns0 -o eth0 -p udp --dport 53 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p udp --dport 53 -j ACCEPT

# http, https
-A FORWARD -i dns0 -o eth0 -p tcp --dport 80 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p tcp --dport 443 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 80 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 443 -j ACCEPT

# Los Rios College eServices (and others)
-A FORWARD -i dns0 -o eth0 -p tcp --dport 8080 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 8080 -j ACCEPT

# Skype (Outgoing)
-A FORWARD -i dns0 -o eth0 -p udp --dport 29304 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p tcp --dport 29304 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p udp --dport 29304 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 29304 -j ACCEPT

# Skype (Incoming)
-A FORWARD -i eth0 -o dns0 -p udp --dport 29304 -j ACCEPT
-A FORWARD -i eth0 -o dns0 -p tcp --dport 29304 -j ACCEPT
-A FORWARD -i eth0 -o dns1 -p udp --dport 29304 -j ACCEPT
-A FORWARD -i eth0 -o dns1 -p tcp --dport 29304 -j ACCEPT

# Splashtop streamer
-A FORWARD -i dns0 -o eth0 -p tcp --dport 6783:6785 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p udp --dport 6783:6785 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 6783:6785 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p udp --dport 6783:6785 -j ACCEPT

# CallCentric VOIP
-A FORWARD -i dns0 -o eth0 -p udp --dport 5060:5080 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p udp --dport 65535 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p udp --dport 5060:5080 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p udp --dport 65535 -j ACCEPT

# Google hangout, voip, and other google services
-A FORWARD -i dns0 -o eth0 -p udp --dport 19305:19309 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p tcp --dport 19305:19309 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p udp --dport 5228 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p tcp --dport 5228 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p udp --dport 14259 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p tcp --dport 14259 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p udp --dport 19305:19309 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 19305:19309 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p udp --dport 5228 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 5228 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p udp --dport 14259 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 14259 -j ACCEPT

# Torrent
-A FORWARD -i dns0 -o eth0 -p udp --dport 80 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p udp --dport 6969 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p udp --dport 1337 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p udp --dport 80 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p udp --dport 6969 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p udp --dport 1337 -j ACCEPT

# Email
-A FORWARD -i dns0 -o eth0 -p tcp --dport 25 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 25 -j ACCEPT

# iCloud Email
-A FORWARD -i dns0 -o eth0 -p tcp --dport 587 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 587 -j ACCEPT

# Gmail SMTP SSL
-A FORWARD -i dns0 -o eth0 -p udp --dport 465 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p tcp --dport 465 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p udp --dport 465 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 465 -j ACCEPT

# Gmail SMTP StartTLS
-A FORWARD -i dns0 -o eth0 -p udp --dport 587 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p tcp --dport 587 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p udp --dport 587 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 587 -j ACCEPT

# Gmail IMAP SSL
-A FORWARD -i dns0 -o eth0 -p udp --dport 993:995 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p tcp --dport 993:995 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p udp --dport 993:995 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 993:995 -j ACCEPT

# irc
-A FORWARD -i dns0 -o eth0 -p tcp --dport 7070 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p tcp --dport 1338 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p tcp --dport 6667 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p tcp --dport 6697 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 7070 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 1338 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 6667 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 6697 -j ACCEPT

# MUD
-A FORWARD -i dns0 -o eth0 -p tcp --dport 2000 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p tcp --dport 1843 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p tcp --dport 843 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 2000 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 1843 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 843 -j ACCEPT

# ssh
-A FORWARD -i dns0 -o eth0 -p tcp --dport 22 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 22 -j ACCEPT

# vpn
-A FORWARD -i dns0 -o eth0 -p udp --dport 1194 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p udp --dport 1194 -j ACCEPT

# iOS iMessages, Facetime
-A FORWARD -i dns0 -o eth0 -p udp --dport 3478:3487 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p tcp --dport 5223 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p udp --dport 16384:16387 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p udp --dport 16393:16402 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p udp --dport 3478:3487 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 5223 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p udp --dport 16384:16387 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p udp --dport 16393:16402 -j ACCEPT

# Allow PING from Iodine clients out to the WAN (replies come back via the ESTABLISHED,RELATED rule).
-A FORWARD -i dns0 -o eth0 -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p icmp --icmp-type echo-request -j ACCEPT

###****BEGIN VPN FIREWALL****###

#Logging
#-A FORWARD -i tun0 -o eth0 -p tcp --syn -j LOG --log-prefix "syn packet:"

# dns
-A FORWARD -i tun0 -o eth0 -p udp --dport 53 -j ACCEPT

# http, https
-A FORWARD -i tun0 -o eth0 -p tcp --dport 80 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p tcp --dport 443 -j ACCEPT

# Los Rios College eServices (and others)
-A FORWARD -i tun0 -o eth0 -p tcp --dport 8080 -j ACCEPT

# Skype (Outgoing)
-A FORWARD -i tun0 -o eth0 -p udp --dport 29304 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p tcp --dport 29304 -j ACCEPT

# Skype (Incoming)
-A FORWARD -i eth0 -o tun0 -p udp --dport 29304 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -p tcp --dport 29304 -j ACCEPT

# Splashtop streamer
-A FORWARD -i tun0 -o eth0 -p tcp --dport 6783:6785 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p udp --dport 6783:6785 -j ACCEPT

# CallCentric VOIP
-A FORWARD -i tun0 -o eth0 -p udp --dport 5060:5080 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p udp --dport 65535 -j ACCEPT

# Google hangout, voip, and other google services
-A FORWARD -i tun0 -o eth0 -p udp --dport 19305:19309 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p tcp --dport 19305:19309 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p udp --dport 5228 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p tcp --dport 5228 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p udp --dport 14259 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p tcp --dport 14259 -j ACCEPT

# Torrent
-A FORWARD -i tun0 -o eth0 -p udp --dport 80 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p udp --dport 6969 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p udp --dport 1337 -j ACCEPT

# Email
-A FORWARD -i tun0 -o eth0 -p tcp --dport 25 -j ACCEPT

# iCloud Email
-A FORWARD -i tun0 -o eth0 -p tcp --dport 587 -j ACCEPT

# Gmail SMTP SSL
-A FORWARD -i tun0 -o eth0 -p udp --dport 465 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p tcp --dport 465 -j ACCEPT

# Gmail SMTP StartTLS
-A FORWARD -i tun0 -o eth0 -p udp --dport 587 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p tcp --dport 587 -j ACCEPT

# Gmail IMAP SSL
-A FORWARD -i tun0 -o eth0 -p udp --dport 993:995 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p tcp --dport 993:995 -j ACCEPT

# irc
-A FORWARD -i tun0 -o eth0 -p tcp --dport 7070 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p tcp --dport 1338 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p tcp --dport 6667 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p tcp --dport 6697 -j ACCEPT

# MUD
-A FORWARD -i tun0 -o eth0 -p tcp --dport 2000 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p tcp --dport 1843 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p tcp --dport 843 -j ACCEPT

# ssh
-A FORWARD -i tun0 -o eth0 -p tcp --dport 22 -j ACCEPT

# vpn
-A FORWARD -i tun0 -o eth0 -p udp --dport 1194 -j ACCEPT

# iOS iMessages, Facetime
-A FORWARD -i tun0 -o eth0 -p udp --dport 3478:3487 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p tcp --dport 5223 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p udp --dport 16384:16387 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p udp --dport 16393:16402 -j ACCEPT

# Allow PING from VPN clients out to the WAN (replies come back via the ESTABLISHED,RELATED rule).
-A FORWARD -i tun0 -o eth0 -p icmp --icmp-type echo-request -j ACCEPT

###****BEGIN SERVER FIREWALL****###

#Logging
#-A FORWARD -i wlan0 -o eth0 -p tcp --syn -j LOG --log-prefix "syn packet:"

# Loop device.
-A INPUT -i lo -j ACCEPT

# http, https
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# smtp, submission
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT

# pop3, pop3s
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT

# imap, imaps
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT

# ssh
-A INPUT -p tcp --dport 22 -j ACCEPT

# vpn
-A INPUT -p udp --dport 1194 -j ACCEPT

# Allow PING from remote hosts.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

COMMIT

This is the output of "iptables -nvL", to show what is in effect: link. Those fail2ban lines are there because I have fail2ban installed.

This is the output of "iptables -S", to show what is in effect: link. Again, the fail2ban lines are there because I have fail2ban installed.

by Raansu 01.07.2013 / 06:56
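As an added example (not the poster's code or configuration), a small Python lint that parses rules in the iptables-restore format used above and flags the four things a reviewer checks first in a file like this: an interface name that is not one of the declared ones, "-m multiport" used without a multiport option, networks written with host bits set, and ESTABLISHED,RELATED rules already covered by an earlier catch-all in the same chain. The interface list and the SAMPLE rules are assumptions constructed from the post.

```python
"""Lint an iptables-restore ruleset for four slips the posted rules show: a typo'd
interface, -m multiport with no multiport option, networks written with host bits
set, and state rules shadowed by an earlier catch-all. Added example, not the OP's."""
import ipaddress
import shlex

KNOWN_IFACES = {"lo", "eth0", "wlan0", "dns0", "dns1", "tun0"}
MULTIPORT_OPTS = {"--dports", "--sports", "--ports", "--destination-ports", "--source-ports"}

# Constructed excerpt in the shape of the rules above (only -A lines are inspected).
SAMPLE = """\
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -m multiport -p tcp --dport 6783:6785 -j ACCEPT
-A FORWARD -i dns1 -o eth -p tcp --dport 587 -j ACCEPT
-A FORWARD -i dns0 -o wlan0 -s 172.16.0.1/27 -d 10.0.0.0/24 -p tcp --dport 22 -j ACCEPT
"""

def parse_rule(line):
    """Split '-A CHAIN -opt val ... -opt val' into (chain, {opt: [values]})."""
    toks = shlex.split(line)
    chain, opts, i = toks[1], {}, 2
    while i < len(toks):
        key, vals, i = toks[i], [], i + 1
        while i < len(toks) and not toks[i].startswith("-"):
            vals.append(toks[i])
            i += 1
        opts.setdefault(key, []).extend(vals)
    return chain, opts

def lint(text):
    """Return [(line_no, message)] for every questionable -A rule, in file order."""
    findings, catchall = [], {}  # catchall: chain -> states an unqualified ACCEPT already covers
    for n, line in enumerate(text.splitlines(), 1):
        if not line.startswith("-A "):
            continue
        chain, o = parse_rule(line)
        for key in ("-i", "-o"):
            for iface in o.get(key, []):
                if iface not in KNOWN_IFACES:
                    findings.append((n, f"{key} {iface}: not a declared interface"))
        if "multiport" in o.get("-m", []) and not MULTIPORT_OPTS & set(o):
            findings.append((n, "-m multiport without --dports/--sports; one range only needs --dport lo:hi"))
        for key in ("-s", "-d"):
            for cidr in o.get(key, []):
                net = ipaddress.ip_network(cidr, strict=False)
                if "/" in cidr and net.with_prefixlen != cidr:
                    findings.append((n, f"{key} {cidr}: host bits set, the kernel stores {net}"))
        states = set(",".join(o.get("--state", [])).split(",")) - {""}
        if states and o.get("-j") == ["ACCEPT"]:
            if states <= catchall.get(chain, set()):
                findings.append((n, f"shadowed: an earlier {chain} rule already accepts {sorted(states)}"))
            elif not {"-i", "-o", "-s", "-d", "-p"} & set(o):
                catchall[chain] = states
    return findings
```

lint(SAMPLE) returns one finding for each of sample lines 2 to 5; to check the real file, call lint(open("/etc/default/iptables").read()).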

0 answers