# Generated by iptables-save v1.2.1a on Fri Jun 1 14:04:15 2001
#
# NOTE(review): the comments throughout describe what an importer is
# expected to build from each rule ("branch", "custom service object",
# "v2.1", the bug references near the end of the filter table), so this
# file reads as a parser test fixture rather than a deployable policy.
# Two things to keep in mind if it is ever read as a policy anyway:
#   * only user_chain is declared below; scan_checks_chain (jumped to from
#     INPUT) and drop_invalid (jumped to from FORWARD and OUTPUT) are used
#     but never declared with a ":name - [0:0]" line, so iptables-restore
#     would presumably refuse this file as-is.
#   * INPUT and FORWARD default to DROP; OUTPUT defaults to ACCEPT, but see
#     the note on "-A OUTPUT -j user_chain", which undoes most of that.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1531191:180073476]
:user_chain - [0:0]

# this should produce rule in the same chain
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# and these, too (the FORWARD rule is a duplicate of the one above,
# differing only in the order of the states)
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# unusual combination of states, creates custom service object. Also, since the same rule
# matches tcp service and custom service, branch will be created.
# (the ESTABLISHED half is already covered by the blanket INPUT rule above;
# only NEW from 192.168.2.0/24 to tcp/22 is actually added here)
-A INPUT -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

# this creates a branch, matching service in the main policy and
# ESTABLISHED,RELATED states in the branch
# (shadowed at runtime: the blanket OUTPUT RELATED,ESTABLISHED ACCEPT above
# matches first, so neither this rule nor the DROP after it ever fires)
-A OUTPUT -d 21.21.21.21 -p tcp -m tcp --sport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT

# variant with a different action. New branch rule set should be created, different
# from the one created for the rule above.
#
-A OUTPUT -d 21.21.21.21 -p tcp -m tcp --dport 23 -m state --state RELATED,ESTABLISHED -j DROP

# more complex combination of states; note the negated port match "! --dport 80"
-A FORWARD -s 1.1.1.0/24 -d 2.2.2.0/24 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp ! --dport 80 -j ACCEPT

# this should be recognized as built-in rule
# (drop_invalid is a user chain that is never declared in this dump)
-A FORWARD -m state --state INVALID -j drop_invalid

# this should be recognized as built-in rule
-A OUTPUT -m state --state INVALID -j drop_invalid

# these go into INPUT chain, should end up with firewall object in DST
# Runtime ordering caveat: user_chain ends with an unconditional DROP, so
# the jump to scan_checks_chain and the REJECT rules appended to INPUT
# further down are reached only by packets that RETURN from user_chain
# (the 1.1.0.0/16 ICMP rule there). Loopback traffic is accepted here,
# before the jump, so the "-s 127.0.0.1" rules inside user_chain can only
# match 127.0.0.1-sourced packets arriving on a non-lo interface.
-A INPUT -i lo -j ACCEPT
-A INPUT -j user_chain
-A INPUT -j scan_checks_chain

# both -i intf and -o intf in the same rule. Creating a branch
-A FORWARD -i eth0 -o eth1 -p udp --dport 1604 -j ACCEPT

# testing action REJECT with option. Trying all possible options and aliases
# (tcp-reset is only valid together with -p tcp; the udp variants use ICMP
# error types, each spelled in its long and its short alias form)
-A INPUT -p tcp --dport 0:8000 -j REJECT --reject-with tcp-reset

-A INPUT -p udp --dport 0:8000 -j REJECT --reject-with icmp-net-unreachable
-A INPUT -p udp --dport 0:8000 -j REJECT --reject-with net-unreach

-A INPUT -p udp --dport 0:8000 -j REJECT --reject-with icmp-host-unreachable
-A INPUT -p udp --dport 0:8000 -j REJECT --reject-with host-unreach

-A INPUT -p udp --dport 0:8000 -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -p udp --dport 0:8000 -j REJECT --reject-with proto-unreach

-A INPUT -p udp --dport 0:8000 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp --dport 0:8000 -j REJECT --reject-with port-unreach

-A INPUT -p udp --dport 0:8000 -j REJECT --reject-with icmp-net-prohibited
-A INPUT -p udp --dport 0:8000 -j REJECT --reject-with net-prohib

-A INPUT -p udp --dport 0:8000 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p udp --dport 0:8000 -j REJECT --reject-with host-prohib

-A INPUT -p udp --dport 0:8000 -j REJECT --reject-with icmp-admin-prohibited
-A INPUT -p udp --dport 0:8000 -j REJECT --reject-with admin-prohib

# was: bad --reject-with argument
# (now a verbatim repeat of the admin-prohibited pair above; the fixture
# once carried an invalid value here)
-A INPUT -p udp --dport 0:8000 -j REJECT --reject-with icmp-admin-prohibited
-A INPUT -p udp --dport 0:8000 -j REJECT --reject-with admin-prohib


# v2.1 does not support passing control to the same branch from
# several rules. This rule will have action 'branch' but branch name
# will be 'user_chain1'. This rule will have a comment explaining this
# and branch rule set will be empty.
# Runtime caveat: the kernel does follow this jump, and user_chain ends in
# an unconditional DROP, so despite the OUTPUT policy of ACCEPT every NEW
# outbound packet that is not accepted inside user_chain is dropped here.
-A OUTPUT -j user_chain

# Tests for module iprange: a range on both sides, then a range mixed
# with a plain -s / -d address
-A FORWARD -m iprange --src-range 10.212.66.2-10.212.66.3 --dst-range 192.11.1.11-192.11.1.63 -j ACCEPT
-A FORWARD -m iprange -s 10.212.66.2 --dst-range 192.11.1.11-192.11.1.63 -j ACCEPT
-A FORWARD -m iprange --src-range 10.212.66.2-10.212.66.3 -d 192.11.1.11 -j ACCEPT

#
-A FORWARD -s 192.168.0.0/16 -m state --state NEW -j ACCEPT

# this should end up with action "Continue" and logging on
# (LOG is non-terminating; an unlimited catch-all LOG in FORWARD is easy to
# flood -- compare the rate-limited LOG rules in scan_checks_chain)
-A FORWARD -j LOG --log-prefix "FORWARD catch-all"

# should have icmp (-1,-1) in SRV -- should recognize this as icmp
# even though it is uppercased
-A user_chain -s 128.143.0.0/16 -p ICMP -j ACCEPT

# numeric protocol spec (protocol 47 = GRE)
-A user_chain -d 192.168.1.1 -i eth0 -p 47 -j ACCEPT

# target RETURN -- the only way back to the calling chain other than an
# explicit ACCEPT, since user_chain ends with an unconditional DROP
-A user_chain -s 1.1.0.0/16 -p ICMP -j RETURN

# this should be reproduced using custom service object even though it
# is in user-defined chain
#
-A user_chain -m state --state RELATED,ESTABLISHED -j ACCEPT

# per-source allowances for NEW connections (postgres, rsync, ssh, netbios)
-A user_chain -s 192.168.19.0/24 -p tcp -m tcp --dport 5432 -m state --state NEW -j ACCEPT
-A user_chain -s 192.168.16.125 -p tcp -m tcp --dport 5432 -m state --state NEW -j ACCEPT
-A user_chain -s 192.168.0.0/16 -p tcp -m tcp --dport 873 -m state --state NEW -j ACCEPT
-A user_chain -s 192.168.0.0/16 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A user_chain -s 192.0.34.166 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A user_chain -s 192.168.19.0/24 -p tcp -m tcp --dport 137:139 -m state --state NEW -j ACCEPT


# open-ended port ranges: ":1023" means 0-1023, "6000:" means 6000-65535
-A user_chain -s 192.168.19.0/24 -p tcp -m tcp --dport :1023 -m state --state NEW -j ACCEPT
-A user_chain -s 192.168.19.0/24 -p tcp -m tcp --dport 6000: -m state --state NEW -j ACCEPT

# netbios/cifs from the private range, then http from anywhere (no -s)
-A user_chain -s 192.168.0.0/16 -p udp --dport 137 -m state --state NEW -j ACCEPT
-A user_chain -s 192.168.0.0/16 -p udp --dport 138 -m state --state NEW -j ACCEPT
-A user_chain -s 192.168.0.0/16 -p tcp -m tcp --dport 139 -m state --state NEW -j ACCEPT
-A user_chain -s 192.168.0.0/16 -p tcp -m tcp --dport 445 -m state --state NEW -j ACCEPT
-A user_chain -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT

-A user_chain -s 192.168.0.0/16 -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT
-A user_chain -s 192.0.34.166 -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT

# https from anywhere (no -s)
-A user_chain -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT

# cups (631) and lpd (515) restricted to a 127.0.0.1 source -- see the
# loopback note in INPUT: genuine loopback traffic never reaches this chain
-A user_chain -s 127.0.0.1 -p tcp -m tcp --dport 631 -m state --state NEW -j ACCEPT
-A user_chain -s 127.0.0.1 -p tcp -m tcp --dport 515 -m state --state NEW -j ACCEPT

# different combinations of tcp flags in combination with some other
# options. Taken from a real policy.
# First the rate-limited LOG rules (non-terminating; --limit without
# --limit-burst uses the default burst of 5), then the matching DROPs.
#
-A scan_checks_chain -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 3/min -j LOG --log-prefix "Stealth XMAS scan: " --log-level 7
-A scan_checks_chain -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "Stealth XMAS-PSH scan: " --log-level 7
-A scan_checks_chain -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "Stealth XMAS-ALL scan: " --log-level 7
-A scan_checks_chain -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -m limit --limit 3/min -j LOG --log-prefix "Stealth FIN scan: " --log-level 7
-A scan_checks_chain -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/min -j LOG --log-prefix "Stealth SYN/RST scan: " --log-level 7
-A scan_checks_chain -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 3/min -j LOG --log-prefix "Stealth SYN/FIN scan(?): " --log-level 7
-A scan_checks_chain -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 3/min -j LOG --log-prefix "Stealth Null scan: " --log-level 7
-A scan_checks_chain -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A scan_checks_chain -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A scan_checks_chain -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A scan_checks_chain -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
-A scan_checks_chain -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A scan_checks_chain -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A scan_checks_chain -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
# The next two rules together accept every remaining TCP packet on eth0
# (SYN or not, any port), so anything entering this chain that is not one
# of the malformed flag combinations above gets through.
-A scan_checks_chain -i eth0 -p tcp -m tcp --syn -j ACCEPT
-A scan_checks_chain -i eth0 -p tcp -m tcp ! --syn -j ACCEPT


# was: bad port spec
-A user_chain -s 192.168.0.0/16 -p tcp -m tcp --dport 8088 -m state --state NEW -j ACCEPT

# Log prefix and log limit test
# Also need action Continue (or NOP)
# Note the intrapositioned negation ("-s ! addr"); later iptables releases
# deprecated this spelling in favour of "! -s addr".
-A user_chain -s ! 128.143.0.0/16 -m limit --limit 25/hour -j LOG --log-prefix user_chain_notlocal:

# single-port rules that the multiport rules below collapse
-A user_chain -s 128.143.0.0/16 -p tcp --dport 427 -j ACCEPT
-A user_chain -s 128.143.0.0/16 -p udp --dport 427 -j ACCEPT
-A user_chain -s 128.143.0.0/16 -p tcp --dport 548 -j ACCEPT
-A user_chain -s 128.143.0.0/16 -p tcp --dport 201 -j ACCEPT
-A user_chain -s 128.143.0.0/16 -p tcp --dport 202 -j ACCEPT
-A user_chain -s 128.143.0.0/16 -p tcp --dport 204 -j ACCEPT
-A user_chain -s 128.143.0.0/16 -p tcp --dport 206 -j ACCEPT

# --dports does not necessarily follow -m multiport
#
-A user_chain -m multiport -s 128.143.0.0/16 -p tcp --dports 548,201,202,204,206 -j ACCEPT

# there can be just one port with multiport
#
-A user_chain -m multiport -s 128.143.0.0/16 -p tcp --dports 2222 -j ACCEPT

# source ports with multiport
-A user_chain -m multiport -s 128.143.0.0/16 -p tcp --sports 548,201,202,204,206 -j ACCEPT
-A user_chain -m multiport -s 128.143.0.0/16 -p tcp --sports 2222 -j ACCEPT

# --ports (source OR destination port)
-A user_chain -m multiport -s 128.143.0.0/16 -p tcp --ports 548,201,202,204,206 -j ACCEPT
-A user_chain -m multiport -s 128.143.0.0/16 -p tcp --ports 2222 -j ACCEPT

# various port range cases
# it is unclear if multiport supports open-ended ranges such as ":1024" or "1024:"
# (none of the rules below try one; all ranges here are closed)
#
-A user_chain -m multiport -s 128.143.0.0/16 -p tcp --dports 201:206,311 -j ACCEPT
-A user_chain -m multiport -s 128.143.0.0/16 -p tcp --dports 548,201:206 -j ACCEPT
-A user_chain -m multiport -s 128.143.0.0/16 -p tcp --dports 548,201:206,311:315 -j ACCEPT
-A user_chain -m multiport -s 128.143.0.0/16 -p tcp --dports 201:206,311:315,548 -j ACCEPT

-A user_chain -m multiport -s 128.143.0.0/16 -p tcp --sports 201:206,311 -j ACCEPT
-A user_chain -m multiport -s 128.143.0.0/16 -p tcp --sports 548,201:206 -j ACCEPT
-A user_chain -m multiport -s 128.143.0.0/16 -p tcp --sports 548,201:206,311:315 -j ACCEPT
-A user_chain -m multiport -s 128.143.0.0/16 -p tcp --sports 201:206,311:315,548 -j ACCEPT

-A user_chain -m multiport -s 128.143.0.0/16 -p tcp --ports 201:206,311 -j ACCEPT
-A user_chain -m multiport -s 128.143.0.0/16 -p tcp --ports 548,201:206 -j ACCEPT
-A user_chain -m multiport -s 128.143.0.0/16 -p tcp --ports 548,201:206,311:315 -j ACCEPT
-A user_chain -m multiport -s 128.143.0.0/16 -p tcp --ports 201:206,311:315,548 -j ACCEPT

# now with negation (the "!" applies to --dports: every port NOT listed)
-A user_chain -m multiport -s 128.143.0.0/16 -p tcp ! --dports 548,201,202,204,206 -j ACCEPT


# icmp: "any" accepts every ICMP type from the /16; 3 is destination-
# unreachable as a whole; network-unknown is one code (3/6) of that type
-A user_chain -p icmp -s 128.143.0.0/16 --icmp-type any -j ACCEPT
-A user_chain -p icmp -s 128.143.0.0/16 --icmp-type 3 -j ACCEPT
-A user_chain -p icmp -s 128.143.0.0/16 --icmp-type network-unknown -j ACCEPT


# module length (packet length in bytes, inclusive range)
-A user_chain -m length --length 400:65535 -j DROP

# Module recent: the second rule puts any source probing tcp/139 on eth0
# into list "badguy" and drops the probe; the first rule drops everything
# from a listed source seen within the last 60 seconds. --rcheck does not
# refresh the timestamp, so the window runs from the last --set. Because
# the list is keyed by source address, spoofed probes can get an innocent
# third party blocked for the window.
-A user_chain -m recent --name badguy --rcheck --seconds 60 -j DROP
-A user_chain -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP

# combinations of a regular service and module or two modules
#
-A user_chain -s 128.143.0.0/16 -p tcp --dport 5190 -m mark --mark 0x11 -j DROP
-A user_chain -s 128.143.0.0/16 -p tcp --dport 5190 -m length --length 400:1500 -j DROP
-A user_chain -m mark --mark 0x11 -m length --length 400:1500 -j DROP

# this rule has negation in the mark match but no negation in port match
# (MARK as a target inside the filter table: older kernels presumably
# restrict MARK to the mangle table -- a fixture detail, not a pattern)
-A user_chain -p tcp -m mark ! --mark 0x4 -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j MARK --set-mark 0x1

# negation with tcp match
-A user_chain -p tcp -m mark --mark 0x4 -m tcp ! --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j MARK --set-mark 0x1

# this rule has three matches which is not supported (by the importer;
# the kernel itself accepts any number of matches)
-A user_chain -p tcp -m length --length 0:128 -m mark --mark 0x4 -m tcp --sport 53 -j ACCEPT
-A user_chain -p tcp -m length --length 0:128 -m mark ! --mark 0x4 -m tcp --sport 53 -j ACCEPT

# bug 1703, SF bug 3065435
-A user_chain -m pkttype --pkt-type broadcast -j DROP

# unconditional final DROP: everything not ACCEPTed or RETURNed above ends
# here, for both the INPUT and the OUTPUT callers of this chain
-A user_chain -j DROP

COMMIT

# mangle table
# (chain declarations here carry no [packets:bytes] counters, unlike the
# other tables; presumably harmless unless restored with --counters)
*mangle
:PREROUTING ACCEPT
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT

# mark in FORWARD ("smtp" is resolved through /etc/services)
-A FORWARD -i eth1 -p tcp --dport smtp -j MARK --set-mark 16

# mark in FORWARD, argument is hex (lower- and upper-case digits)
-A FORWARD -i eth1 -p tcp --dport smtp -j MARK --set-mark 0xa
-A FORWARD -i eth1 -p tcp --dport smtp -j MARK --set-mark 0xB

# mark in PREROUTING (check option "ipt_mark_prerouting")
-A PREROUTING -i eth1 -p tcp --dport smtp -j MARK --set-mark 16

# option "ipt_mark_connections": restore the connection mark onto each
# packet on entry, and (in POSTROUTING below) save the packet mark back
# to the connection, so a mark set once persists for the flow
-A PREROUTING -j CONNMARK --restore-mark

# packets from me going out
-A POSTROUTING -o eth1 -p tcp --sport smtp -j MARK --set-mark 16
-A POSTROUTING -j CONNMARK --save-mark

# test ROUTE target (an out-of-tree patch-o-matic target, not in mainline
# iptables; --continue makes it non-terminating)
-A POSTROUTING -m mark --mark 1 -j ROUTE --oif eth0 --continue
-A POSTROUTING -m mark --mark 2 -j ROUTE --oif eth2 --continue

# test TOS target with parameters (unsupported, but parser
# should not crash on it); symbolic and numeric forms of the same value
-A POSTROUTING -d 192.168.1.1 -j TOS --set-tos Minimize-Delay
-A POSTROUTING -d 192.168.1.1 -j TOS --set-tos 0x10

# CLASSIFY with zero-padded and unpadded major:minor class ids
-A POSTROUTING -s 192.168.1.0/24 -j CLASSIFY --set-class 0001:0010
-A POSTROUTING -s 192.168.2.0/24 -j CLASSIFY --set-class 1:10

COMMIT

*nat
:PREROUTING ACCEPT [1502:275921]
:POSTROUTING ACCEPT [406:45653]
:OUTPUT ACCEPT [406:45653]

# SNAT variants: single address; per-interface; an address range (the
# kernel picks one address per connection); "eth+" is an interface
# wildcard; the last one also pins the translated source-port range
-A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 222.222.222.222
-A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 192.168.1.1
-A POSTROUTING -o eth+ -s 192.168.1.32/27 -j SNAT --to-source 222.222.222.10-222.222.222.100
-A POSTROUTING -o eth+ -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.20 --dport 80 -j SNAT --to-source 192.168.1.1
-A POSTROUTING -o eth+ -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.20 --dport 80 -j SNAT --to-source 192.168.1.1-192.168.1.10
-A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.10 --sport 1000:1010 -j SNAT --to-source 222.222.222.222:1000-1010

-A POSTROUTING -o eth2 -s 192.168.1.0/24 -j MASQUERADE

# 1:1 network mapping; note it has no -o restriction, so it catches every
# 192.168.1.0/24 packet not already translated by a rule above
-A POSTROUTING -s 192.168.1.0/24 -j NETMAP --to 222.222.222.0/24

# DNAT variants: fixed port; a port range (same match as the rule before
# it, so it is shadowed and never fires); ICMP echo-request; a source-port
# match; a port range mapped onto a port range; a multiport list
-A PREROUTING -p tcp -m tcp -d 222.222.222.222 --dport 25 -j DNAT --to-destination 192.168.1.10:25
-A PREROUTING -p tcp -m tcp -d 222.222.222.222 --dport 25 -j DNAT --to-destination 192.168.1.10:25-50
-A PREROUTING -p icmp -m icmp -d 222.222.222.222 --icmp-type 8/0 -j DNAT --to-destination 192.168.1.10
-A PREROUTING -p tcp -m tcp --sport 1000:1010 -d 222.222.222.222 -j DNAT --to-destination 192.168.1.10
-A PREROUTING -p tcp -m tcp -d 222.222.222.222 --dport 4000:4010 -j DNAT --to-destination 192.168.1.10:4000-4010
-A PREROUTING -p tcp -m tcp -m multiport -d 222.222.222.222 --dports 6667,3128,113,53,21,80,119,25,22,23,540,70,13,2105,443 -j DNAT --to-destination 192.168.1.10

-A PREROUTING -d 222.222.222.13/32 -p tcp -m multiport --dports 1720,3230:3243 -j DNAT --to-destination 192.168.1.212

# numeric protocol spec (47 = GRE)
-A PREROUTING -d 192.168.3.145 -i eth0 -p 47 -j DNAT --to-destination 1.1.1.1

# a "no nat" rule
# (as ordered here it never fires: the NETMAP rule above already matches
# all of 192.168.1.0/24; an exemption must precede the SNAT/NETMAP rules
# it is meant to exempt)
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT

# redirect rule: transparent proxying of http from the LAN to local port
# 3128 (the destination becomes the incoming interface's primary address)
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

# a couple of nat rules in chain OUTPUT (locally generated traffic);
# the second one is ICMP time-exceeded (11/0)
-A OUTPUT -p tcp -m tcp -d 192.168.1.22 --dport 80 -j DNAT --to-destination 192.168.2.10:80
-A OUTPUT -p icmp -m icmp -d 22.22.22.23 --icmp-type 11/0 -j DNAT --to-destination 192.168.1.10

COMMIT