#!/usr/bin/perl /usr/local/sbin/iptables-master
# Host firewall in the iptables-master rule language: apparently one rule per
# line (matchers, then a terminal action or macro), the chains INPUT / FORWARD /
# OUTPUT, a shared sub-filter "intraf", and the logging/reject macros defined at
# the bottom (loga, logd, logr, log1ipD, bounce, limd).
# NOTE(review): the copy reviewed here had every line break collapsed onto one
# line, which also swallowed everything after the first "#" into a comment. The
# line structure and indentation below are reconstructed from the apparent
# grammar (block bodies indented under define / filter / for / tree / macro
# headers) — confirm against the original before loading it.

# Port lists such as "tcp 25,53,80" presumably use the multiport match — confirm.
mport multiport

# Default chain policies. FORWARD below never ends in a terminal rule, so any
# forwarded traffic it does not explicitly drop is accepted by policy.
policy INPUT DROP FORWARD ACCEPT OUTPUT ACCEPT

# Named values, referenced later as $dns, $inb and $martin:
#   dns    - the resolvers allowed for outbound DNS (OUTPUT "for ns" loop)
#   inb    - the action taken on unwanted inbound traffic (DROP); it is the last
#            step of the logd / log1ipD / limd macros
#   martin - a trusted remote network granted SMB/NetBIOS forwarding in FORWARD
define dns 129.186.1.200,129.186.140.200,129.186.142.200
       inb DROP
       martin 64.113.76.0/23

# Sanity filter shared by INPUT and FORWARD (both call "intraf" below).
filter intraf
    # NOTE(review): in_ph looks like a physdev (bridge port) in-interface match;
    # everything arriving on card0/card1 is accepted before any other check — confirm.
    in_ph card0 ACCEPT
    in_ph card1 ACCEPT
    # NOTE(review): "prot ipv6" presumably matches IP protocol 41 (6in4 tunnel
    # traffic); it is accepted unfiltered here and in OUTPUT — confirm intent.
    prot ipv6 ACCEPT
    # Anti-spoofing: private, loopback and link-local source ranges are dropped.
    for s 10.0.0.0/8,127.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16
        src $s DROP
    # Existing connections pass here, before the ban check, so an established
    # session presumably survives a later ban — confirm that is intended.
    state r,e ACCEPT
    # Sources that tripped BANME 4 times within 3600 s (see end of INPUT) go to
    # limd: rate-limited log, then $inb — semantics of "ban" inferred, confirm.
    ban 4 BANME 3600 limd
    # New TCP connections must start with a pure SYN; other flag combinations
    # (flag-scan probes, stray segments) are dropped. "!" is read as iptables
    # negation — confirm.
    tcp_f ! SYN,RST,ACK,FIN SYN DROP
    state i DROP
    # mDNS (5353) and two application ports dropped silently before the
    # per-chain rules.
    udp 5353,7100,8777 $inb

INPUT
    in lo ACCEPT
    intraf
    # src $martin udp 137,138 ACCEPT
    # Mask-style addresses: 0.0.0.255/0.0.0.255 matches any destination whose
    # last octet is .255 (directed broadcasts); 0.0.0.0/0.0.0.255 any ending in .0.
    dst 0.0.0.255/0.0.0.255 DROP
    dst 0.0.0.0/0.0.0.255 DROP
    # Public services (SMTP, DNS, HTTP, XMPP c2s/s2s); each accept is logged.
    tcp 25,53,80,5222,5269 loga
    udp 53 ACCEPT
    # Port-knock gate for SSH. key/trip presumably track state per source
    # address — confirm; if the keys are global, one knock would open port 22
    # for every source.
    #   - a SYN to 12345 trips SSHGO, after which port 22 is accepted for 30 s
    #   - a SYN to 54321 trips SSHOPEN, after which port 22 is accepted with no
    #     expiry (the 0 is read as "never expires" — confirm)
    #   - any other SYN to 22 trips SSHTRY and is logged and dropped
    # The knock packets themselves go through logd, so every knock appears in
    # the log with prefix D. SSHTRY is set here but not read anywhere in this
    # file.
    tcp 22 key SSHGO 30 loga
    tcp 22 key SSHOPEN 0 loga
    tcp 22 trip SSHTRY logd
    tcp 12345 trip SSHGO logd
    tcp 54321 trip SSHOPEN logd
    #no logs of this
    # src $martin tcp 139,445 ACCEPT
    tcp 139,445 DROP
    # DHCP, NetBIOS, Windows messenger ports, MS-SQL (1434) and app noise are
    # rejected via bounce (tcp-reset / port-unreach) rather than dropped.
    udp 67,68,137,138,1026,1027,1028,1029,1434,7100,8777 bounce
    # Inbound echo-request is dropped: the host does not answer pings.
    icmp 8 DROP
    #no bans for this
    # IMAPS: first packet from a source is logged (prefix Dn), later ones dropped.
    tcp 993 log1ipD
    tcp 135,443,6000 logd
    # ident is logged and rejected (tcp-reset) rather than dropped.
    tcp 113 logr
    # Everything else: log with prefix G, count one BANME strike, then $inb.
    log G
    trip BANME $inb

FORWARD
    # NOTE(review): 192.186.0.0/16 is not an RFC1918 range, while the intraf loop
    # above uses 192.168.0.0/16. Confirm this is not a typo for 192.168.0.0/16;
    # if it is, the line is merely redundant with intraf, not harmful.
    src 192.186.0.0/16 DROP
    # DHCP discover/offer across the bridge; quoted strings are raw iptables
    # arguments passed through verbatim.
    src 0.0.0.0 dst 255.255.255.255 udp 67 '--sport 68' ACCEPT
    src 10.0.0.0/8 dst 255.255.255.255 udp 68 '--sport 67' ACCEPT
    intraf
    tcp 8914 ACCEPT
    udp 8914 ACCEPT
    # SMB/NetBIOS is forwarded only from the $martin network; all other sources
    # are dropped.
    src $martin tcp 139,445 ACCEPT
    src $martin udp 137,138 ACCEPT
    tcp 139,445,6000 DROP
    udp 137,138,1026,1027,1028,1029,1434 DROP
    # icmp 8 DROP
    # No terminal rule here: remaining forwarded traffic falls to the FORWARD
    # ACCEPT policy set above.

OUTPUT
    out lo ACCEPT
    prot ipv6 ACCEPT
    state r,e ACCEPT
    # Outbound RSTs are allowed, presumably so the tcp-reset replies generated
    # by bounce can leave the host — confirm.
    tcp_f ALL RST ACCEPT
    # INVALID-state packets are logged with prefix I and dropped.
    state i log I
    state i DROP
    #the other servers in resolv.conf
    for ns $dns
        dst $ns udp 53 ACCEPT
    # Per-user egress policy: "own $o" presumably is the owner (uid) match;
    # each child names a user and lists the traffic allowed for it. A user with
    # only a "log ..." entry (www-data) is logged here and then falls through to
    # the final LOG + bounce below, i.e. its traffic is rejected.
    tree o own $o
        www-data
            log apache
        bind
            udp 53 ACCEPT
            tcp 53 ACCEPT
            log bind
        Debian-exim
            tcp 25,113 ACCEPT
            log exim
        daniel ACCEPT
        root ACCEPT
        ejabberd
            tcp 5269 ACCEPT
            log ejabb
    dst 0.0.0.255/0.0.0.255 ACCEPT
    # Everything else leaving the host is logged with the originating uid
    # (--log-uid, prefix "E ") and then rejected by bounce, so the OUTPUT ACCEPT
    # policy is presumably never reached.
    LOG --log-uid '--log-prefix "E "' --log-tcp-sequence --log-tcp-options --log-ip-options
    bounce

# ---- macros used as terminal actions above ----

# Log the first packet from a source (prefix Dn), then drop that source's later
# packets silently: IPNOISE with no expiry (0), assumed keyed per source — confirm.
log1ipD
    key IPNOISE 0 $inb
    log Dn
    trip IPNOISE $inb

# Log (prefix A) then accept.
loga
    log A
    ACCEPT

# Log (prefix D) then $inb.
logd
    log D
    $inb

# Log (prefix R) then reject via bounce.
logr
    log R
    bounce

# Reject: TCP gets a RST, ICMP is dropped silently, everything else gets an
# ICMP port-unreachable.
bounce
    prot tcp reject tcp-reset
    prot icmp DROP
    reject port-unreach

# Rate-limited log (prefix B) then $inb; used for banned sources. "limit 20 2/min"
# is read as burst 20 at 2 per minute — confirm the argument order.
limd
    limit 20 2/min
    log B
    $inb