# Generated by iptables-save v1.4.8 on Thu Dec 6 20:40:12 2012
#
# Host firewall for the machine the comments call "turing" (the only
# unicast destination handled in dev0-in is 131.156.145.2/32).  Two
# tables follow: an empty nat table, and a filter table with DROP policies
# on INPUT, FORWARD and OUTPUT plus the user chains listed after them.
# The only state match used anywhere is the late "user level ports"
# RELATED,ESTABLISHED rule, so replies to privileged ports are admitted by
# per-service "--sport N ! --tcp-flags FIN,SYN,RST,ACK SYN" rules (accept
# anything from that source port except a bare SYN, i.e. except a new
# connection opener).  NOTE(review): this copy was flattened onto a few
# long lines; rules below are restored one per line without changing any
# token, but the original line breaks between "#" comments and rules are
# partly a reconstruction.
*nat
# No nat rules; every built-in chain has its ACCEPT policy and only the
# saved packet/byte counters.
:PREROUTING ACCEPT [4058961:472562093]
:POSTROUTING ACCEPT [520148:34197998]
:OUTPUT ACCEPT [526193:34690582]
COMMIT
# Completed on Thu Dec 6 20:40:12 2012
# Generated by iptables-save v1.4.8 on Thu Dec 6 20:40:12 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:acceptlog - [0:0]
:cs-bx - [0:0]
:dev0-in - [0:0]
:dev0-out - [0:0]
:droplog - [0:0]
# NOTE(review): no rule in this file jumps to local-srvr or marklog; unless
# something adds a jump at runtime, both chains are dead definitions.
:local-srvr - [0:0]
:marklog - [0:0]
:schl-srvr - [0:0]
:world-bx - [0:0]
:wrld-srvr - [0:0]
# INPUT: loopback is trusted; eth0 is handed to dev0-in; any other
# interface is logged and dropped.
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j dev0-in
-A INPUT -j droplog
# Unreachable: droplog ends in DROP, so nothing returns to this rule.
-A INPUT -j DROP
# OUTPUT: loopback trusted, eth0 handed to dev0-out, rest logged+dropped.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j dev0-out
-A OUTPUT -j droplog
# acceptlog: log with an "[accept]" prefix, then accept.  No -m limit, so
# every packet reaching it produces a log line.
-A acceptlog -j LOG --log-prefix "[accept] " --log-level 6
-A acceptlog -j ACCEPT
# cs-bx: packets addressed to the campus/subnet broadcast addresses
# (jumped to from dev0-in and schl-srvr).  Known-noise ports are dropped
# silently, everything else is logged and dropped.
# Attempting to contact certain ports, just ignore
# 137,138 Netbios (windows feature)
-A cs-bx -p udp -m udp --dport 137 -j DROP
-A cs-bx -p udp -m udp --dport 138 -j DROP
# port for seeing who is logged in, don't support
-A cs-bx -p udp -m udp --dport 513 -j DROP
# Network print port, just drop
-A cs-bx -s 131.156.145.90/32 -p udp -m udp --dport 631 -j DROP
-A cs-bx -p udp -m udp --dport 17500 -j DROP
# anything else log and drop
-A cs-bx -j droplog
# dev0-in: everything arriving on eth0.  Dispatches on the destination
# address: limited broadcast -> world-bx, campus/subnet broadcast -> cs-bx,
# this host -> wrld-srvr.  Anything else (and whatever wrld-srvr RETURNs)
# falls through to the igmp drop and then droplog.
# generated by a routine that detects hack attacks and blocks the ip.
-A dev0-in -s 88.198.66.52/32 -j DROP
# Incoming packet attempting to use turing as a broadcast pass through,
# examine and drop.
-A dev0-in -d 255.255.255.255/32 -j world-bx
-A dev0-in -d 131.156.255.255/32 -j cs-bx
-A dev0-in -d 131.156.145.255/32 -j cs-bx
# Incoming targeting turing, process further
-A dev0-in -d 131.156.145.2/32 -j wrld-srvr
# dev0-in rule returns to here to process anything not caught.
# If from gateway, drop
-A dev0-in -s 131.156.145.1/32 -d 224.0.0.1/32 -p igmp -j DROP
# Else log and drop.
-A dev0-in -j droplog
# dev0-out: everything leaving on eth0.  Note the last rule is
# "-j acceptlog", which logs and ACCEPTs, so on eth0 nothing is ever
# dropped on egress: the specific ACCEPT rules below only decide which
# packets skip the "[accept]" log line.  The OUTPUT DROP policy therefore
# only bites for interfaces other than lo and eth0.
# NOTE(review): the line break around the next "#" was lost in this copy.
# It is either a commented-out rule (as written here) or a bare "#"
# separator followed by a live "-A dev0-out -d 131.156.145.41/32 -j ACCEPT"
# (the mirror of the schl-srvr rule accepting everything from .41) —
# confirm against the original file.
# -A dev0-out -d 131.156.145.41/32 -j ACCEPT
-A dev0-out -p tcp -m tcp --sport 22 -j ACCEPT
-A dev0-out -p tcp -m tcp --dport 22 -j ACCEPT
-A dev0-out -p udp -m udp --dport 53 -j ACCEPT
-A dev0-out -p tcp -m tcp --dport 25 -j ACCEPT
-A dev0-out -d 131.156.0.0/16 -p tcp -m tcp --sport 113 -j ACCEPT
-A dev0-out -p tcp -m tcp --dport 113 -j ACCEPT
-A dev0-out -p tcp -m tcp --sport 21 -j ACCEPT
-A dev0-out -p tcp -m tcp --sport 20 -j ACCEPT
-A dev0-out -d 131.156.97.101/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A dev0-out -d 131.156.97.101/32 -p tcp -m tcp --dport 20 -j ACCEPT
-A dev0-out -d 131.156.29.4/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A dev0-out -d 131.156.29.4/32 -p tcp -m tcp --dport 20 -j ACCEPT
# The four host-specific ftp rules above are shadowed by these two
# unrestricted ones; they only differ in nothing (same target).
-A dev0-out -p tcp -m tcp --dport 21 -j ACCEPT
-A dev0-out -p tcp -m tcp --dport 20 -j ACCEPT
-A dev0-out -d 131.156.0.0/16 -p tcp -m tcp --dport 80 -j ACCEPT
-A dev0-out -p tcp -m tcp --dport 80 -j ACCEPT
-A dev0-out -d 131.156.0.0/16 -p tcp -m tcp --dport 443 -j ACCEPT
-A dev0-out -p tcp -m tcp --dport 443 -j ACCEPT
-A dev0-out -p tcp -m tcp --sport 80 -j ACCEPT
-A dev0-out -p tcp -m tcp --sport 443 -j ACCEPT
-A dev0-out -p udp -m udp --sport 68 -j ACCEPT
-A dev0-out -p udp -m udp --sport 123 -j ACCEPT
-A dev0-out -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A dev0-out -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A dev0-out -p icmp -m icmp --icmp-type 3/3 -j ACCEPT
# Already covered by the unrestricted --sport 80 / --sport 443 rules above.
-A dev0-out -d 131.156.0.0/16 -p tcp -m tcp --sport 80 -j ACCEPT
-A dev0-out -d 131.156.0.0/16 -p tcp -m tcp --sport 443 -j ACCEPT
-A dev0-out -p tcp -m tcp --dport 515 -j ACCEPT
-A dev0-out -p tcp -m tcp --dport 587 -j ACCEPT
-A dev0-out -d 131.156.0.0/16 -p udp -m udp --dport 4445 -j ACCEPT
# Outbound side of the "networking class" port ranges (see wrld-srvr).
-A dev0-out -p tcp -m tcp --sport 9600:9649 -j ACCEPT
-A dev0-out -p udp -m udp --sport 9600:9649 -j ACCEPT
-A dev0-out -d 131.156.0.0/16 -p tcp -m tcp --sport 9800:9899 -j ACCEPT
-A dev0-out -d 131.156.0.0/16 -p udp -m udp --sport 9800:9899 -j ACCEPT
-A dev0-out -p tcp -m tcp --sport 13 -j ACCEPT
-A dev0-out -p tcp -m tcp --dport 13 -j ACCEPT
-A dev0-out -p tcp -m tcp --sport 9877 -j ACCEPT
-A dev0-out -p tcp -m tcp --sport 9700:9749 -j ACCEPT
-A dev0-out -p udp -m udp --sport 9700:9749 -j ACCEPT
-A dev0-out -p tcp -m tcp --sport 9750 -j ACCEPT
-A dev0-out -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Catch-all: log and accept (see note at the top of dev0-out).
-A dev0-out -j acceptlog
# droplog: log with a "[drop]" prefix, then drop.  Unrate-limited; a burst
# of unsolicited traffic turns into an equal burst of kernel log lines.
# Adding "-m limit" to the LOG rule would bound that.
-A droplog -j LOG --log-prefix "[drop] " --log-level 6
-A droplog -j DROP
# local-srvr: allow rules for a 192.168.8.0/24 network.  Nothing in this
# file jumps here (see note at the chain declarations).
-A local-srvr -s 192.168.8.0/24 -p tcp -m tcp --dport 1:1023 -j ACCEPT
-A local-srvr -s 192.168.8.0/24 -p udp -m udp --dport 1:1023 -j ACCEPT
-A local-srvr -s 192.168.8.0/24 -p tcp -m tcp --sport 1:1023 -j ACCEPT
-A local-srvr -s 192.168.8.0/24 -p udp -m udp --sport 1:1023 -j ACCEPT
-A local-srvr -s 192.168.8.11/32 -p tcp -m tcp --dport 9000:9999 -j ACCEPT
-A local-srvr -s 192.168.8.11/32 -p udp -m udp --dport 9000:9999 -j ACCEPT
-A local-srvr -s 192.168.8.11/32 -p tcp -m tcp --sport 9000:9999 -j ACCEPT
-A local-srvr -s 192.168.8.11/32 -p udp -m udp --sport 9000:9999 -j ACCEPT
-A local-srvr -s 192.168.8.0/24 -p tcp -m tcp --sport 2049 -j ACCEPT
-A local-srvr -s 192.168.8.11/32 -p tcp -m tcp --dport 2049 -j ACCEPT
# These two have no -s restriction: any TCP from source port 5432 or 3306
# would be accepted if this chain were ever reached.
-A local-srvr -p tcp -m tcp --sport 5432 -j ACCEPT
-A local-srvr -p tcp -m tcp --sport 3306 -j ACCEPT
-A local-srvr -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A local-srvr -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A local-srvr -j RETURN
# marklog: log with a "[mark]" prefix and accept.  Unreferenced in this file.
-A marklog -j LOG --log-prefix "[mark] " --log-level 6
-A marklog -j ACCEPT
# schl-srvr: packets from campus (131.156.0.0/16) addressed to this host,
# jumped to as the first rule of wrld-srvr.  Ends in RETURN, so a campus
# packet that matches nothing here continues with the general wrld-srvr
# rules below.
-A schl-srvr -s 131.156.0.0/16 -p udp -m udp --sport 123 -j ACCEPT
-A schl-srvr -s 131.156.97.101/32 -p tcp -m tcp --sport 21 -j ACCEPT
-A schl-srvr -s 131.156.97.101/32 -p tcp -m tcp --sport 20 -j ACCEPT
-A schl-srvr -s 131.156.29.4/32 -p tcp -m tcp --sport 21 -j ACCEPT
-A schl-srvr -s 131.156.29.4/32 -p tcp -m tcp --sport 20 -j ACCEPT
-A schl-srvr -p tcp -m tcp --sport 25 ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A schl-srvr -s 131.156.0.0/16 -p tcp -m tcp --dport 113 -j ACCEPT
-A schl-srvr -p tcp -m tcp --dport 80 -j ACCEPT
-A schl-srvr -s 131.156.42.7/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A schl-srvr -s 131.156.0.0/16 -p tcp -m tcp --sport 636 ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A schl-srvr -s 131.156.0.0/16 -p tcp -m tcp --sport 389 ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A schl-srvr -s 131.156.5.76/32 -p tcp -m tcp --sport 515 -j ACCEPT
# Whole-host trust: every TCP packet from .212 and .115 is accepted, and
# every packet of any protocol from .41.  A compromise of any of those
# three hosts reaches every local service; confirm they still need it.
-A schl-srvr -s 131.156.145.212/32 -p tcp -j ACCEPT
-A schl-srvr -p tcp -m tcp --sport 587 ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A schl-srvr -s 131.156.145.115/32 -p tcp -j ACCEPT
-A schl-srvr -s 131.156.0.0/16 -p tcp -m tcp --dport 9800:9899 -j ACCEPT
-A schl-srvr -s 131.156.0.0/16 -p udp -m udp --dport 9800:9899 -j ACCEPT
-A schl-srvr -s 131.156.102.85/32 -p tcp -m tcp --dport 9102 -j ACCEPT
-A schl-srvr -s 131.156.145.41/32 -j ACCEPT
-A schl-srvr -s 131.156.0.0/16 -p udp -m udp --sport 4445 -j ACCEPT
# Packets whose *source* is a broadcast address are treated like
# broadcast noise.
-A schl-srvr -s 131.156.145.255/32 -j cs-bx
-A schl-srvr -s 131.156.255.255/32 -j cs-bx
-A schl-srvr -j RETURN
# world-bx: packets to the limited broadcast address (from dev0-in) and
# packets from it (from wrld-srvr).
# connection attempting pass through. We don't allow. So just drop packet.
# Listed ports we don't support but understand and treat as harmless.
-A world-bx -p udp -m udp --dport 67 -j DROP
-A world-bx -p udp -m udp --dport 68 -j DROP
-A world-bx -p udp -m udp --dport 2222 -j DROP
-A world-bx -p udp -m udp --sport 177 -j DROP
-A world-bx -p udp -m udp --dport 17500 -j DROP
# Log the attempt of any other pass through before dropping.
-A world-bx -j droplog
# wrld-srvr: packets from anywhere addressed to this host.  Campus sources
# get the schl-srvr rules first; everything else goes through the
# per-service rules below.  Ends in RETURN, after which dev0-in logs and
# drops.
# Test if input from campus or elsewhere
-A wrld-srvr -s 131.156.0.0/16 -j schl-srvr
# from campus
# From a domain name server attempting to resolve a name, accept
# NOTE(review): this accepts any UDP datagram with source port 53, from any
# address, to any local UDP port — considerably more than DNS answers.
# Narrow it with "-m state --state ESTABLISHED" (the state module is
# already used below) or a --dport range for the resolver's reply ports.
-A wrld-srvr -p udp -m udp --sport 53 -j ACCEPT
# ssh login, accept
-A wrld-srvr -p tcp -m tcp --dport 22 -j ACCEPT
# If someone on turing is ssh'ing to another system, allow.
# This is a way of allowing connection, if it was initiated from turing.
-A wrld-srvr -p tcp -m tcp --sport 22 ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
# Allow rsync if initiated from turing.
-A wrld-srvr -p tcp -m tcp --sport 873 ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
# Someone is attempting to contact the web server, accept.
-A wrld-srvr -p tcp -m tcp --dport 80 -j ACCEPT
# Allow access to remote web server if initiated from turing.
-A wrld-srvr -p tcp -m tcp --sport 80 ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
# Allow https to web server on Turing.
-A wrld-srvr -p tcp -m tcp --dport 443 -j ACCEPT
-A wrld-srvr -p tcp -m tcp --sport 443 ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
# Allow ftp, but we don't actually have a server listening
-A wrld-srvr -p tcp -m tcp --dport 21 -j ACCEPT
-A wrld-srvr -p tcp -m tcp --dport 20 -j ACCEPT
# Allow ftp out of turing as long as initiated from turing.
-A wrld-srvr -p tcp -m tcp --sport 21 ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
# NOTE(review): unlike the --sport 21 rule, this one has no SYN exclusion,
# so a new inbound TCP connection from source port 20 to any local port is
# accepted — the comment's "initiated from turing" is not enforced here.
# Presumably kept for active-mode ftp, where the remote server opens the
# data connection from its port 20; if that is the reason, confirm it and
# add "--dport 1024:65535" so it only reaches the client's data ports.
-A wrld-srvr -p tcp -m tcp --sport 20 -j ACCEPT
-A wrld-srvr -p tcp -m tcp --dport 25 -j ACCEPT
-A wrld-srvr -p tcp -m tcp --sport 25 ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A wrld-srvr -p tcp -m tcp --sport 113 ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
# 13 used for synchronizing time clocks.
-A wrld-srvr -p tcp -m tcp --dport 13 -j ACCEPT
# NOTE(review): same gap as --sport 20 — no SYN exclusion, so new
# connections from source port 13 to any local port are accepted.  Either
# add "! --tcp-flags FIN,SYN,RST,ACK SYN" like the neighbouring rules or
# rely on the RELATED,ESTABLISHED rule further down.
-A wrld-srvr -p tcp -m tcp --sport 13 -j ACCEPT
# These are set aside for networking class to use.
-A wrld-srvr -p tcp -m tcp --dport 9600:9649 -j ACCEPT
-A wrld-srvr -p udp -m udp --dport 9600:9649 -j ACCEPT
-A wrld-srvr -p tcp -m tcp --dport 9877 -j ACCEPT
-A wrld-srvr -p tcp -m tcp --dport 9700:9749 -j ACCEPT
-A wrld-srvr -p udp -m udp --dport 9700:9749 -j ACCEPT
-A wrld-srvr -p tcp -m tcp --dport 9750 -j ACCEPT
-A wrld-srvr -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A wrld-srvr -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A wrld-srvr -s 255.255.255.255/32 -j world-bx
# These are user level ports. Allow if an approved server has initiated the
# communication
# The only conntrack-based rule for inbound traffic, and it is restricted
# to unprivileged ports on both sides; replies to the privileged service
# ports are handled by the --sport rules above instead.
-A wrld-srvr -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
# These are ports we are not interested in servicing, drop
# (silently — these bypass droplog, unlike the final RETURN path)
-A wrld-srvr -p udp -m udp --dport 137 -j DROP
-A wrld-srvr -p udp -m udp --dport 1026:1027 -j DROP
-A wrld-srvr -p tcp -m tcp --dport 5364 --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A wrld-srvr -p tcp -m tcp --dport 2967 --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
# Back to dev0-in, which logs and drops whatever was not accepted.
-A wrld-srvr -j RETURN
COMMIT
# Completed on Thu Dec 6 20:40:12 2012