
Folks, please help me with masquerading.

Posted: 12 Apr 2016, 01:01
Vochatrak
Previously I set this up on one computer:

Code:

#net.ipv4.ip_forward = 1
#iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
Then on the second one, in kwrite /etc/resolv.conf

Code:

nameserver 8.8.8.8
and everything worked.
Nowadays in KDE5 the interfaces are shown differently.
I tried to set

Code:

#iptables -t nat -A POSTROUTING -o 1abrvalg120o(in short, the new name of eth1, I can't recall exactly what it is right now) -j MASQUERADE

It doesn't forward a thing. Moreover, when I plug in ethernet (the internet comes from a hilink modem, and ethernet is the LAN), the internet drops on the first computer too. When the second one is disconnected, it goes back to normal.
And I wanted to ask:
nameserver 8.8.8.8, that isn't normal, is it? What is the right thing to write there?

Re: Folks, please help me with masquerading.

Posted: 12 Apr 2016, 17:49
notauser
What is the output of

Code:

sudo cat /proc/sys/net/ipv4/ip_forward
and

Code:

sudo iptables-save
?

Re: Folks, please help me with masquerading.

Posted: 13 Apr 2016, 21:48
Vochatrak
What is the output of
sudo cat /proc/sys/net/ipv4/ip_forward
It printed 0 before connecting to the internet and nothing after connecting.
sudo iptables-save
Before enabling masquerading

Code:

$ sudo iptables-save                    
# Generated by iptables-save v1.4.21 on Thu Apr 14 00:15:34 2016
*nat
:PREROUTING ACCEPT [159:22262]
:INPUT ACCEPT [11:2972]
:OUTPUT ACCEPT [1238:85386]
:POSTROUTING ACCEPT [1238:85386]
COMMIT
# Completed on Thu Apr 14 00:15:34 2016
# Generated by iptables-save v1.4.21 on Thu Apr 14 00:15:34 2016
*mangle
:PREROUTING ACCEPT [25512:26543372]
:INPUT ACCEPT [25403:26530849]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [20622:2279618]
:POSTROUTING ACCEPT [20779:2309892]
:tcfor - [0:0]
:tcin - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING -j tcpre
-A INPUT -j tcin
-A FORWARD -j MARK --set-xmark 0x0/0xff
-A FORWARD -j tcfor
-A OUTPUT -j tcout
-A POSTROUTING -j tcpost
COMMIT
# Completed on Thu Apr 14 00:15:34 2016
# Generated by iptables-save v1.4.21 on Thu Apr 14 00:15:34 2016
*raw
:PREROUTING ACCEPT [25512:26543372]
:OUTPUT ACCEPT [20622:2279618]
-A PREROUTING -p udp -m udp --dport 10080 -j CT --helper amanda
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
-A PREROUTING -p udp -m udp --dport 1719 -j CT --helper RAS
-A PREROUTING -p tcp -m tcp --dport 1720 -j CT --helper Q.931
-A PREROUTING -p tcp -m tcp --dport 6667 -j CT --helper irc
-A PREROUTING -p udp -m udp --dport 137 -j CT --helper netbios-ns
-A PREROUTING -p tcp -m tcp --dport 1723 -j CT --helper pptp
-A PREROUTING -p tcp -m tcp --dport 6566 -j CT --helper sane
-A PREROUTING -p udp -m udp --dport 5060 -j CT --helper sip
-A PREROUTING -p udp -m udp --dport 161 -j CT --helper snmp
-A PREROUTING -p udp -m udp --dport 69 -j CT --helper tftp
-A OUTPUT -p udp -m udp --dport 10080 -j CT --helper amanda
-A OUTPUT -p tcp -m tcp --dport 21 -j CT --helper ftp
-A OUTPUT -p udp -m udp --dport 1719 -j CT --helper RAS
-A OUTPUT -p tcp -m tcp --dport 1720 -j CT --helper Q.931
-A OUTPUT -p tcp -m tcp --dport 6667 -j CT --helper irc
-A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
-A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
-A OUTPUT -p tcp -m tcp --dport 6566 -j CT --helper sane
-A OUTPUT -p udp -m udp --dport 5060 -j CT --helper sip
-A OUTPUT -p udp -m udp --dport 161 -j CT --helper snmp
-A OUTPUT -p udp -m udp --dport 69 -j CT --helper tftp
COMMIT
# Completed on Thu Apr 14 00:15:34 2016
# Generated by iptables-save v1.4.21 on Thu Apr 14 00:15:34 2016
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Broadcast - [0:0]
:Drop - [0:0]
:Ethernet_fwd - [0:0]
:Ethernet_in - [0:0]
:Reject - [0:0]
:Tele2_fwd - [0:0]
:Tele2_in - [0:0]
:dynamic - [0:0]
:enp0s20u1_fwd - [0:0]
:enp0s20u1_in - [0:0]
:enp3s0_fwd - [0:0]
:enp3s0_in - [0:0]
:fw-loc - [0:0]
:fw-net - [0:0]
:loc-fw - [0:0]
:loc-net - [0:0]
:loc_frwd - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:net-fw - [0:0]
:net-loc - [0:0]
:net_frwd - [0:0]
:reject - [0:0]
:sfilter - [0:0]
:shorewall - [0:0]
:tcpflags - [0:0]
-A INPUT -i Tele2 -j Tele2_in
-A INPUT -i enp0s20u1 -j enp0s20u1_in
-A INPUT -i enp3s0 -j enp3s0_in
-A INPUT -i Ethernet -j Ethernet_in
-A INPUT -i lo -j ACCEPT
-A INPUT -j Reject
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6
-A INPUT -g reject
-A FORWARD -i Tele2 -j Tele2_fwd
-A FORWARD -i enp0s20u1 -j enp0s20u1_fwd
-A FORWARD -i enp3s0 -j enp3s0_fwd
-A FORWARD -i Ethernet -j Ethernet_fwd
-A FORWARD -j Reject
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
-A FORWARD -g reject
-A OUTPUT -o Tele2 -j fw-net
-A OUTPUT -o enp0s20u1 -j fw-net
-A OUTPUT -o enp3s0 -j fw-loc
-A OUTPUT -o Ethernet -j fw-loc
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j Reject
-A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:REJECT:" --log-level 6
-A OUTPUT -g reject
-A Broadcast -m addrtype --dst-type BROADCAST -j DROP
-A Broadcast -m addrtype --dst-type MULTICAST -j DROP
-A Broadcast -m addrtype --dst-type ANYCAST -j DROP
-A Drop
-A Drop -j Broadcast
-A Drop -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Drop -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Drop -m conntrack --ctstate INVALID -j DROP
-A Drop -p udp -m multiport --dports 135,445 -m comment --comment SMB -j DROP
-A Drop -p udp -m udp --dport 137:139 -m comment --comment SMB -j DROP
-A Drop -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment SMB -j DROP
-A Drop -p tcp -m multiport --dports 135,139,445 -m comment --comment SMB -j DROP
-A Drop -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP
-A Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A Drop -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
-A Ethernet_fwd -o Ethernet -g sfilter
-A Ethernet_fwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A Ethernet_fwd -p tcp -j tcpflags
-A Ethernet_fwd -j loc_frwd
-A Ethernet_in -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A Ethernet_in -p tcp -j tcpflags
-A Ethernet_in -j loc-fw
-A Reject
-A Reject -j Broadcast
-A Reject -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Reject -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Reject -m conntrack --ctstate INVALID -j DROP
-A Reject -p udp -m multiport --dports 135,445 -m comment --comment SMB -j reject
-A Reject -p udp -m udp --dport 137:139 -m comment --comment SMB -j reject
-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment SMB -j reject
-A Reject -p tcp -m multiport --dports 135,139,445 -m comment --comment SMB -j reject
-A Reject -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP
-A Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A Reject -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
-A Tele2_fwd -o Tele2 -g sfilter
-A Tele2_fwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A Tele2_fwd -p tcp -j tcpflags
-A Tele2_fwd -j net_frwd
-A Tele2_in -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A Tele2_in -p tcp -j tcpflags
-A Tele2_in -j net-fw
-A enp0s20u1_fwd -o enp0s20u1 -g sfilter
-A enp0s20u1_fwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A enp0s20u1_fwd -p tcp -j tcpflags
-A enp0s20u1_fwd -j net_frwd
-A enp0s20u1_in -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A enp0s20u1_in -p tcp -j tcpflags
-A enp0s20u1_in -j net-fw
-A enp3s0_fwd -o enp3s0 -g sfilter
-A enp3s0_fwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A enp3s0_fwd -p tcp -j tcpflags
-A enp3s0_fwd -j loc_frwd
-A enp3s0_in -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A enp3s0_in -p tcp -j tcpflags
-A enp3s0_in -j loc-fw
-A fw-loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw-loc -j ACCEPT
-A fw-net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw-net -j ACCEPT
-A loc-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A loc-fw -j ACCEPT
-A loc-net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A loc-net -j ACCEPT
-A loc_frwd -o Tele2 -j loc-net
-A loc_frwd -o enp0s20u1 -j loc-net
-A loc_frwd -o enp3s0 -j ACCEPT
-A loc_frwd -o Ethernet -j ACCEPT
-A logdrop -j DROP
-A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level 6 --log-ip-options
-A logflags -j DROP
-A logreject -j reject
-A net-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net-fw -j Drop
-A net-fw -j DROP
-A net-loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net-loc -j Drop
-A net-loc -j DROP
-A net_frwd -o Tele2 -j ACCEPT
-A net_frwd -o enp0s20u1 -j ACCEPT
-A net_frwd -o enp3s0 -j net-loc
-A net_frwd -o Ethernet -j net-loc
-A reject -m addrtype --src-type BROADCAST -j DROP
-A reject -s 224.0.0.0/4 -j DROP
-A reject -p igmp -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A sfilter -j LOG --log-prefix "Shorewall:sfilter:DROP:" --log-level 6
-A sfilter -j DROP
-A shorewall -m recent --set --name %CURRENTTIME --mask 255.255.255.255 --rsource
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g logflags
-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g logflags
COMMIT
# Completed on Thu Apr 14 00:15:34 2016
After

Code:

# iptables-save
# Generated by iptables-save v1.4.21 on Thu Apr 14 00:21:16 2016
*nat
:PREROUTING ACCEPT [163:10688]
:INPUT ACCEPT [2:154]
:OUTPUT ACCEPT [45:3105]
:POSTROUTING ACCEPT [37:2418]
-A POSTROUTING -o enp0s20u1 -j MASQUERADE
COMMIT
# Completed on Thu Apr 14 00:21:16 2016
# Generated by iptables-save v1.4.21 on Thu Apr 14 00:21:16 2016
*mangle
:PREROUTING ACCEPT [26743:26903170]
:INPUT ACCEPT [26090:26707100]
:FORWARD ACCEPT [488:179907]
:OUTPUT ACCEPT [21539:2444331]
:POSTROUTING ACCEPT [22023:2644562]
:tcfor - [0:0]
:tcin - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING -j tcpre
-A INPUT -j tcin
-A FORWARD -j MARK --set-xmark 0x0/0xff
-A FORWARD -j tcfor
-A OUTPUT -j tcout
-A POSTROUTING -j tcpost
COMMIT
# Completed on Thu Apr 14 00:21:16 2016
# Generated by iptables-save v1.4.21 on Thu Apr 14 00:21:16 2016
*raw
:PREROUTING ACCEPT [26743:26903170]
:OUTPUT ACCEPT [21539:2444331]
-A PREROUTING -p udp -m udp --dport 10080 -j CT --helper amanda
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
-A PREROUTING -p udp -m udp --dport 1719 -j CT --helper RAS
-A PREROUTING -p tcp -m tcp --dport 1720 -j CT --helper Q.931
-A PREROUTING -p tcp -m tcp --dport 6667 -j CT --helper irc
-A PREROUTING -p udp -m udp --dport 137 -j CT --helper netbios-ns
-A PREROUTING -p tcp -m tcp --dport 1723 -j CT --helper pptp
-A PREROUTING -p tcp -m tcp --dport 6566 -j CT --helper sane
-A PREROUTING -p udp -m udp --dport 5060 -j CT --helper sip
-A PREROUTING -p udp -m udp --dport 161 -j CT --helper snmp
-A PREROUTING -p udp -m udp --dport 69 -j CT --helper tftp
-A OUTPUT -p udp -m udp --dport 10080 -j CT --helper amanda
-A OUTPUT -p tcp -m tcp --dport 21 -j CT --helper ftp
-A OUTPUT -p udp -m udp --dport 1719 -j CT --helper RAS
-A OUTPUT -p tcp -m tcp --dport 1720 -j CT --helper Q.931
-A OUTPUT -p tcp -m tcp --dport 6667 -j CT --helper irc
-A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
-A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
-A OUTPUT -p tcp -m tcp --dport 6566 -j CT --helper sane
-A OUTPUT -p udp -m udp --dport 5060 -j CT --helper sip
-A OUTPUT -p udp -m udp --dport 161 -j CT --helper snmp
-A OUTPUT -p udp -m udp --dport 69 -j CT --helper tftp
COMMIT
# Completed on Thu Apr 14 00:21:16 2016
# Generated by iptables-save v1.4.21 on Thu Apr 14 00:21:16 2016
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Broadcast - [0:0]
:Drop - [0:0]
:Ethernet_fwd - [0:0]
:Ethernet_in - [0:0]
:Reject - [0:0]
:Tele2_fwd - [0:0]
:Tele2_in - [0:0]
:dynamic - [0:0]
:enp0s20u1_fwd - [0:0]
:enp0s20u1_in - [0:0]
:enp3s0_fwd - [0:0]
:enp3s0_in - [0:0]
:fw-loc - [0:0]
:fw-net - [0:0]
:loc-fw - [0:0]
:loc-net - [0:0]
:loc_frwd - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:net-fw - [0:0]
:net-loc - [0:0]
:net_frwd - [0:0]
:reject - [0:0]
:sfilter - [0:0]
:shorewall - [0:0]
:tcpflags - [0:0]
-A INPUT -i Tele2 -j Tele2_in
-A INPUT -i enp0s20u1 -j enp0s20u1_in
-A INPUT -i enp3s0 -j enp3s0_in
-A INPUT -i Ethernet -j Ethernet_in
-A INPUT -i lo -j ACCEPT
-A INPUT -j Reject
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6
-A INPUT -g reject
-A FORWARD -i Tele2 -j Tele2_fwd
-A FORWARD -i enp0s20u1 -j enp0s20u1_fwd
-A FORWARD -i enp3s0 -j enp3s0_fwd
-A FORWARD -i Ethernet -j Ethernet_fwd
-A FORWARD -j Reject
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
-A FORWARD -g reject
-A OUTPUT -o Tele2 -j fw-net
-A OUTPUT -o enp0s20u1 -j fw-net
-A OUTPUT -o enp3s0 -j fw-loc
-A OUTPUT -o Ethernet -j fw-loc
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j Reject
-A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:REJECT:" --log-level 6
-A OUTPUT -g reject
-A Broadcast -m addrtype --dst-type BROADCAST -j DROP
-A Broadcast -m addrtype --dst-type MULTICAST -j DROP
-A Broadcast -m addrtype --dst-type ANYCAST -j DROP
-A Drop
-A Drop -j Broadcast
-A Drop -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Drop -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Drop -m conntrack --ctstate INVALID -j DROP
-A Drop -p udp -m multiport --dports 135,445 -m comment --comment SMB -j DROP
-A Drop -p udp -m udp --dport 137:139 -m comment --comment SMB -j DROP
-A Drop -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment SMB -j DROP
-A Drop -p tcp -m multiport --dports 135,139,445 -m comment --comment SMB -j DROP
-A Drop -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP
-A Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A Drop -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
-A Ethernet_fwd -o Ethernet -g sfilter
-A Ethernet_fwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A Ethernet_fwd -p tcp -j tcpflags
-A Ethernet_fwd -j loc_frwd
-A Ethernet_in -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A Ethernet_in -p tcp -j tcpflags
-A Ethernet_in -j loc-fw
-A Reject
-A Reject -j Broadcast
-A Reject -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Reject -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Reject -m conntrack --ctstate INVALID -j DROP
-A Reject -p udp -m multiport --dports 135,445 -m comment --comment SMB -j reject
-A Reject -p udp -m udp --dport 137:139 -m comment --comment SMB -j reject
-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment SMB -j reject
-A Reject -p tcp -m multiport --dports 135,139,445 -m comment --comment SMB -j reject
-A Reject -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP
-A Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A Reject -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
-A Tele2_fwd -o Tele2 -g sfilter
-A Tele2_fwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A Tele2_fwd -p tcp -j tcpflags
-A Tele2_fwd -j net_frwd
-A Tele2_in -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A Tele2_in -p tcp -j tcpflags
-A Tele2_in -j net-fw
-A enp0s20u1_fwd -o enp0s20u1 -g sfilter
-A enp0s20u1_fwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A enp0s20u1_fwd -p tcp -j tcpflags
-A enp0s20u1_fwd -j net_frwd
-A enp0s20u1_in -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A enp0s20u1_in -p tcp -j tcpflags
-A enp0s20u1_in -j net-fw
-A enp3s0_fwd -o enp3s0 -g sfilter
-A enp3s0_fwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A enp3s0_fwd -p tcp -j tcpflags
-A enp3s0_fwd -j loc_frwd
-A enp3s0_in -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A enp3s0_in -p tcp -j tcpflags
-A enp3s0_in -j loc-fw
-A fw-loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw-loc -j ACCEPT
-A fw-net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw-net -j ACCEPT
-A loc-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A loc-fw -j ACCEPT
-A loc-net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A loc-net -j ACCEPT
-A loc_frwd -o Tele2 -j loc-net
-A loc_frwd -o enp0s20u1 -j loc-net
-A loc_frwd -o enp3s0 -j ACCEPT
-A loc_frwd -o Ethernet -j ACCEPT
-A logdrop -j DROP
-A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level 6 --log-ip-options
-A logflags -j DROP
-A logreject -j reject
-A net-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net-fw -j Drop
-A net-fw -j DROP
-A net-loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net-loc -j Drop
-A net-loc -j DROP
-A net_frwd -o Tele2 -j ACCEPT
-A net_frwd -o enp0s20u1 -j ACCEPT
-A net_frwd -o enp3s0 -j net-loc
-A net_frwd -o Ethernet -j net-loc
-A reject -m addrtype --src-type BROADCAST -j DROP
-A reject -s 224.0.0.0/4 -j DROP
-A reject -p igmp -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A sfilter -j LOG --log-prefix "Shorewall:sfilter:DROP:" --log-level 6
-A sfilter -j DROP
-A shorewall -m recent --set --name %CURRENTTIME --mask 255.255.255.255 --rsource
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g logflags
-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g logflags
COMMIT
# Completed on Thu Apr 14 00:21:16 2016
This is from the computer that is supposed to share the internet.
(or should it have been from the second one?)

Re: Folks, please help me with masquerading.

Posted: 13 Apr 2016, 23:04
notauser
> It printed 0 before connecting to the internet and nothing after connecting.
You did write net.ipv4.ip_forward = 1 :( Right?

Code:

sudo sysctl -w net.ipv4.ip_forward=1
Then try again. If it doesn't work, look at what is going on with your shorewall. I haven't used it. But for a start I would look at how forwarding is handled in shorewall.
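
Added example, not part of any post in this thread: a small offline triage of the two outputs requested above (the `ip_forward` value and the `iptables-save` dump). The function names are hypothetical, and the sample dump is constructed, shortened from the "after" output in the thread.

```shell
#!/bin/sh
# Added example: offline triage of the two outputs requested in the thread.
# Function names are hypothetical; interface names come from the dump above.

# Print every out-interface that has a MASQUERADE rule in nat POSTROUTING.
masq_ifaces() {
    awk '/^\*/ { table = $1 }
         table == "*nat" && $2 == "POSTROUTING" && /-j MASQUERADE/ {
             for (i = 3; i < NF; i++) if ($i == "-o") print $(i + 1)
         }' "$1"
}

# Print the built-in policy of the filter FORWARD chain (ACCEPT or DROP).
forward_policy() {
    awk '/^\*/ { table = $1 }
         table == "*filter" && $1 == ":FORWARD" { print $2 }' "$1"
}

# diagnose IP_FORWARD DUMP_FILE WAN_IF LAN_IF -> first problem found.
# It does not walk user-defined chains (e.g. Shorewall's), so "ok" means
# only that nothing obvious is missing.
diagnose() {
    fwd=$1; dump=$2; wan=$3; lan=$4
    if [ "$fwd" != "1" ]; then
        echo "ip_forward is '${fwd}': the kernel does not route between interfaces"
    elif ! masq_ifaces "$dump" | grep -qx -- "$wan"; then
        echo "no MASQUERADE rule for $wan"
    elif [ "$(forward_policy "$dump")" = "DROP" ] &&
         ! grep -q -- "^-A FORWARD -i $lan " "$dump"; then
        echo "FORWARD policy is DROP and no rule handles traffic from $lan"
    else
        echo "ok"
    fi
}

# Constructed sample: a shortened dump shaped like the "after" output above.
write_sample() {
    cat > "$1" <<'EOF'
*nat
:POSTROUTING ACCEPT [37:2418]
-A POSTROUTING -o enp0s20u1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A FORWARD -i enp3s0 -j enp3s0_fwd
COMMIT
EOF
}

sample=$(mktemp)
write_sample "$sample"
diagnose 0 "$sample" enp0s20u1 enp3s0   # the state reported in the thread
diagnose 1 "$sample" enp0s20u1 enp3s0   # after sysctl -w net.ipv4.ip_forward=1
rm -f "$sample"
```

On a live gateway the same functions can be fed `$(cat /proc/sys/net/ipv4/ip_forward)` and a file produced by `iptables-save`.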