root před 7 roky
rodič
revize
580c9f30ff

+ 1 - 2
if-pre-up.d/iptables

@@ -1,3 +1,2 @@
 #!/bin/sh
-/sbin/iptables-restore /etc/iptables.up.rules
-
+/sbin/iptables-restore /etc/iptables.up.rules.stateless
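Review bot: Only the IPv4 ruleset is restored; nothing on this page loads an ip6tables equivalent, so if this host has global IPv6 connectivity every port the v4 file filters is reachable unfiltered over v6 (the kernel's default v6 chain policy is ACCEPT). Either add a companion line such as `/sbin/ip6tables-restore <v6 rules file>` with at least a drop-by-default v6 policy, or state in a comment that v6 is disabled on this host so the omission is visibly deliberate. The whole three-line script is inside the hunk, so there is no other place this could be handled.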

+ 0 - 131
iptables.up.rules

@@ -1,131 +0,0 @@
-# Well known ports      0:1023
-# Registered ports      1024:49151
-# Goldielocks zone      32768:65535
-# Dynamic/Private       49152:65535
-#
-# WAN			86.83.121.29
-# vps			185.66.250.42
-# tor-exit		185.87.185.45
-
-*filter
-
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:clutter - [0:0]
-
-# Local loopback
--A INPUT ! -i lo -d 127.0.0.0/8 -m limit --limit 5/min -j LOG --log-prefix "iptables dropped 127.0.0.0/8, from non localhost: " --log-level 7
--A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
--A INPUT -i lo -j ACCEPT
--A OUTPUT -o lo -j ACCEPT
-
-# Active connections
--A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
-# Ping
--A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-
-# FTP
-#-A OUTPUT -p tcp -m tcp --sport ? --dport 21 -j ACCEPT
-#-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 49152:65535 -j ACCEPT
-
-# SSH
--A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource
--A INPUT -p tcp -m tcp --dport 22 -m limit --limit 5/min -m recent --rcheck --seconds 40 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "iptalbes dropped SSH flood: "
--A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 40 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP
--A INPUT -p tcp -m tcp --sport 1024:65535 --dport 22 -j ACCEPT
--A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 22 -j ACCEPT
-
-# Telnet
-#-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 23 -j ACCEPT
-
-# SMTP(S)
-#-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 25 -j ACCEPT
-#-A OUTPUT -p tcp -m tcp --sport 49152:65535 --dport 465 -j ACCEPT
-#-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 587 -j ACCEPT
-
-# WHOIS
--A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 43 -j ACCEPT
-
-# DNS
--A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
--A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 53 -j ACCEPT
--A INPUT -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
--A INPUT -p tcp -m tcp --sport 32768:65535 --dport 53 -j ACCEPT
-
-# DHCP client
--A INPUT -d 255.255.255.255 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
--A OUTPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-
-# HTTP & HTTPS
--A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --set --name HTTP --rsource
--A INPUT -p tcp -m tcp --dport 80 -m recent --rcheck --seconds 30 --hitcount 20 --rttl --name HTTP --rsource -j LOG --log-prefix "iptables dropped HTTP flood: " --log-level 4
--A INPUT -p tcp -m tcp --dport 80 -m recent --update --seconds 30 --hitcount 20 --rttl --name HTTP --rsource -j DROP
--A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -m comment --comment "Tor dir port"
--A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 80 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -m recent --set --name HTTPS --rsource
--A INPUT -p tcp -m tcp --dport 443 -m recent --rcheck --seconds 30 --hitcount 20 --rttl --name HTTPS --rsource -j LOG --log-prefix "iptables dropped HTTPS flood: " --log-level 4
--A INPUT -p tcp -m tcp --dport 443 -m recent --update --seconds 30 --hitcount 20 --rttl --name HTTPS --rsource -j DROP
--A INPUT -p tcp -m tcp --dport 443 -j ACCEPT -m comment --comment "Tor OR port"
--A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 443 -j ACCEPT
-
-# NTP
--A OUTPUT -p udp -m udp --sport 123 --dport 123 -j ACCEPT
-
-# IMAPs
-#-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 143 -j ACCEPT
-#-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 993 -j ACCEPT
-
-# PIP
-#-A OUTPUT -d 185.31.17.223 -p tcp -m tcp --sport 32768:65535 --dport 443 -j ACCEPT -m comment --comment "pip"
-
-# Socks5
-#-A OUTPUT -p tcp -m tcp --sport 57448:65535 --dport 1080 -j ACCEPT
-
-# OpenVPN
--A INPUT -p udp -m udp --sport 32768:65535 --dport 1194 -j ACCEPT -m comment --comment "OpenVPN"
-
-# Multicast DNS
-#-A OUTPUT -p udp -m udp --sport 5353 --dport 5353 -j clutter
-#-A OUTPUT -d 244.0.0.1 -j clutter -m comment --comment "Multicast DNS"
-#-A INPUT -d 224.0.0.1 -j clutter -m comment --comment "Multicast DNS"
-
-# Privoxy
--A INPUT -p tcp -m tcp --sport 32768:65535 --dport 8118 -j ACCEPT -m comment --comment "Privoxy"
-
-# OpenPGP HTTP Key servers
--A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 11371 -j ACCEPT -m comment --comment "OpenPGP HTTP key servers"
-
-# Traceroute
--A OUTPUT -p udp -m udp --sport 32768:65535 --dport 6881:33534 -j ACCEPT -m comment --comment "Traceroute"
-
-# Attacks, crawls, scans, etc to clutter chain
--A INPUT -p icmp -j clutter
--A INPUT -s 0.0.0.0 -d 255.255.255.255 -j clutter -m comment --comment "Broadcast messages"
--A INPUT -p udp -m udp --dport 19 -j clutter -m comment --comment "Character generator, looping to echo = DDoS"
--A INPUT -p tcp -m tcp --dport 23 -j clutter
--A INPUT -p udp -m udp --dport 53 -j clutter
--A INPUT -p udp -m udp --dport 111 -j clutter -m comment --comment "Probe/fingerprint Nix OS"
--A INPUT -p tcp -m tcp --dport 445 -j clutter -m comment --comment "MS-DS active directory"
--A INPUT -p tcp -m tcp --dport 2323 -j clutter -m comment --comment "3d-nfsd"
--A INPUT -p udp -m udp --dport 5060 -j clutter
--A INPUT -p tcp -m tcp --dport 3389 -j clutter -m comment --comment "MS terminal server RDP"
-
-#-A INPUT -d 255.255.255.255 -p tcp -m tcp --sport 67 --dport 68 -j clutter -m comment --comment "DHCP"
-#-A INPUT -m iprange --dst-range 185.66.250.254-185.66.250.255 -j clutter
-#-A INPUT -m mac --mac-source d4:ca:6d:74:87:0d -j clutter
-#-A INPUT -p udp -m udp --dport 3076 -j clutter -m comment --comment "orbix-config"
-
-# Log & drop
--A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables dropped: " --log-level 7
--A INPUT -j DROP
--A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables forward dropped: " --log-level 7
--A FORWARD -j DROP
--A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables rejected: " --log-level 7
--A OUTPUT -j REJECT --reject-with icmp-port-unreachable
--A clutter -m limit --limit 5/min -j LOG --log-prefix "iptables clutter dropped: " --log-level 7
--A clutter -j DROP
-
-COMMIT

+ 155 - 0
iptables.up.rules.statefull

@@ -0,0 +1,155 @@
+# Well known ports      0:1023
+# Registered ports      1024:49151
+# Goldielocks zone      32768:65535
+# Dynamic/Private       49152:65535
+#
+
+*filter
+
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:clutter - [0:0]
+
+# Local loopback
+-A INPUT ! -i lo -d 127.0.0.0/8 -m limit --limit 5/min -j LOG --log-prefix "iptables dropped 127.0.0.0/8, from non localhost: " --log-level 7
+-A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
+-A INPUT -i lo -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+
+# Local docker
+#-A OUTPUT ! -o eth0 -s 172.18.0.0/13 -d 172.18.0.0/13 -j ACCEPT -m comment --comment "Internal docker"
+#-A FORWARD ! -o eth0 ! -i eth0 -s 172.18.0.1/13 -d 172.18.0.1/13 -j ACCEPT -m comment --comment "Internal docker"
+
+# ICMP: Ping
+-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
+
+# FTP
+#-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
+#-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 49152:65535 -j ACCEPT
+
+# SSH
+-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource
+-A INPUT -p tcp -m tcp --dport 22 -m limit --limit 5/min -m recent --rcheck --seconds 40 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "iptalbes dropped SSH flood: "
+-A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 40 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP
+-A INPUT -s 86.83.121.29,185.66.250.42 -p tcp -m tcp --sport 1024:65535 --dport 22 -j ACCEPT
+#-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
+#-A FORWARD -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource
+#-A FORWARD -p tcp -m tcp --dport 22 -m limit --limit 5/min -m recent --rcheck --seconds 40 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "iptalbes dropped SSH flood: "
+#-A FORWARD -p tcp -m tcp --dport 22 -m recent --update --seconds 40 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP
+#-A FORWARD ! -o eth0 -d 172.18.0.0/13 -p tcp -m tcp --dport 22 -j ACCEPT
+
+# SMTP
+#-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
+#-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
+
+# WHOIS
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 43 -j ACCEPT
+
+# DNS
+-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
+
+# DHCP
+-A INPUT -i eth0 -d 255.255.255.255 -p udp -m udp --sport 67 --dport 68 -m limit --limit 5/min -j LOG --log-prefix "iptables allowed DHCP: " --log-level 7
+-A INPUT -i eth0 -d 255.255.255.255 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
+-A OUTPUT -o eth0 -p udp -m udp --sport 68 --dport 67 -m limit --limit 5/min -j LOG --log-prefix "iptables allowed DHCP: " --log-level 7
+-A OUTPUT -o eth0 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
+
+# HTTP & HTTPS
+#-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --set --name HTTP --rsource
+#-A INPUT -p tcp -m tcp --dport 80 -m recent --rcheck --seconds 10 --hitcount 20 --rttl --name HTTP --rsource -j LOG --log-prefix "iptables dropped HTTP flood: " --log-level 4
+#-A INPUT -p tcp -m tcp --dport 80 -m recent --update --seconds 10 --hitcount 20 --rttl --name HTTP --rsource -j DROP
+-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -m comment --comment "Tor Dir port"
+-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
+
+#-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -m recent --set --name HTTPS --rsource
+#-A INPUT -p tcp -m tcp --dport 443 -m recent --rcheck --seconds 10 --hitcount 20 --rttl --name HTTPS --rsource -j LOG --log-prefix "iptables dropped HTTPS flood: " --log-level 4
+#-A INPUT -p tcp -m tcp --dport 443 -m recent --update --seconds 10 --hitcount 20 --rttl --name HTTPS --rsource -j DROP
+-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT -m comment --comment "Tor relay ORport"
+-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
+
+# NTP
+-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
+
+# IMAP
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 143 -j ACCEPT 
+
+# IMAPS
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 993 -j ACCEPT
+
+# PIP
+#-A OUTPUT -d 185.31.17.223 -p tcp -m tcp --sport 32768:65535 --dport 443 -j ACCEPT -m comment --comment "pip"
+
+# SMTPS
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 465 -j ACCEPT -m comment --comment "SMTP SSL/TLS"
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 587 -j ACCEPT -m comment --comment "STARTTLS"
+
+# XMPP
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 5223 -j ACCEPT -m comment --comment "xmpps"
+-A OUTPUT -p udp -m udp --sport 32768:65535 --dport 1900 -j ACCEPT -m comment --comment "xmpp?"
+
+# Multicast DNS
+-A OUTPUT -p udp -m udp --sport 5353 --dport 5353 -j clutter
+-A OUTPUT -d 244.0.0.1 -j clutter -m comment --comment "Multicast DNS"
+-A INPUT -d 224.0.0.1 -j clutter -m comment --comment "Multicast DNS"
+
+# IRC
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 6667 -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 6697 -j ACCEPT -m comment --comment "ircs"
+
+# Bitcoin
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 8333 -j ACCEPT -m comment --comment "Bitcoin"
+
+# Tor
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 8000 -j ACCEPT -m comment --comment "Tor"
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 9001:9002 -j ACCEPT -m comment --comment "Tor"
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 9030:9031 -j ACCEPT -m comment --comment "Tor"
+
+# OpenPGP HTTP Key servers
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 11371 -j ACCEPT -m comment --comment "OpenPGP hkp HTTP key servers"
+
+# Torrents
+#-A OUTPUT -p udp -m udp --sport 51413 -j ACCEPT -m comment --comment "Torrents"
+#-A INPUT -p udp -m udp  --dport 51413 -j ACCEPT -m comment --comment "Torrents"
+
+# Traceroute
+-A OUTPUT -p udp -m udp --sport 32768:65535 --dport 6881:33534 -j ACCEPT -m comment --comment "Traceroute"
+
+# CloudFlare. Why see http://www.crimeflare.com/cfblock.html
+#-A INPUT -s 103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/12,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,199.27.128.0/21 -m limit --limit 5/min -j LOG --log-prefix "iptables dropped cloudflare: " --log-level 7
+#-A INPUT -s 103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/12,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,199.27.128.0/21 -j DROP -m comment --comment "CloudFlare http://www.crimeflare.com/cfblock.html"
+#-A OUTPUT -d 103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/12,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,199.27.128.0/21 -m limit --limit 5/min -j LOG --log-prefix "iptables dropped cloudflare: " --log-level 7
+#-A OUTPUT -d 103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/12,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,199.27.128.0/21 -j REJECT -m comment --comment "CloudFlare http://www.crimeflare.com/cfblock.html"
+
+# Attacks, crawls, scans, etc
+-A INPUT -p icmp -j clutter
+-A INPUT -s 0.0.0.0 -d 255.255.255.255 -j clutter -m comment --comment "Broadcast messages"
+-A INPUT -p udp -m udp --dport 19 -j clutter -m comment --comment "Character generator, looping to echo = DDoS"
+-A INPUT -p tcp -m tcp --dport 23 -j clutter
+-A INPUT -p udp -m udp --dport 53 -j clutter
+-A INPUT -p udp -m udp --dport 111 -j clutter -m comment --comment "Probe/fingerprint Nix OS"
+-A INPUT -p tcp -m tcp --dport 445 -j clutter -m comment --comment "MS-DS active directory"
+-A INPUT -p tcp -m tcp --dport 2323 -j clutter -m comment --comment "3d-nfsd"
+-A INPUT -p udp -m udp --dport 5060 -j clutter
+-A INPUT -p tcp -m tcp --dport 3389 -j clutter -m comment --comment "MS terminal server RDP"
+
+#-A INPUT -d 255.255.255.255 -p tcp -m tcp --sport 67 --dport 68 -j clutter -m comment --comment "DHCP"
+#-A INPUT -m iprange --dst-range 185.66.250.254-185.66.250.255 -j clutter
+#-A INPUT -m mac --mac-source d4:ca:6d:74:87:0d -j clutter
+#-A INPUT -p udp -m udp --dport 3076 -j clutter -m comment --comment "orbix-config"
+
+# Active connections
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# Log & drop
+-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables dropped: " --log-level 7
+-A INPUT -j DROP
+-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables dropped: " --log-level 7
+-A FORWARD -j DROP
+-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables rejected: " --log-level 7
+-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
+-A clutter -m limit --limit 5/min -j LOG --log-prefix "iptables clutter dropped: " --log-level 7
+-A clutter -j DROP
+
+COMMIT
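Review bot: The RELATED,ESTABLISHED accepts at L296-L297 now sit after the `clutter` jumps, so `-A INPUT -p icmp -j clutter` (L279) discards every inbound ICMP error before conntrack can accept it as RELATED — port-unreachable, TTL-exceeded and fragmentation-needed replies are all lost, which defeats the traceroute rule at L270 and path-MTU discovery for the relay; the deleted file had these two rules directly after the loopback block, and moving them back there restores the intended behaviour. Two further slips: `-d 244.0.0.1` at L247 is a unicast address, not the mDNS multicast address `224.0.0.1` used on the next line (same at L425 in the stateless file), and the log prefix `"iptalbes dropped SSH flood: "` at L187 (also L355) is misspelled, so it will never match the rsyslog filter at L531. Note also that `--dport 1900/udp` at L243 is SSDP/UPnP rather than XMPP, so the `xmpp?` comment should be corrected or the rule removed.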

+ 180 - 0
iptables.up.rules.stateless

@@ -0,0 +1,180 @@
+# Well known ports      0:1023
+# Registered ports      1024:49151
+# Goldielocks zone      32768:65535
+# Dynamic/Private       49152:65535
+
+# Disables connection tracking in the raw table. 
+*raw
+-A PREROUTING -j NOTRACK
+-A OUTPUT -j NOTRACK
+COMMIT
+
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:clutter - [0:0]
+
+# Local loopback
+-A INPUT ! -i lo -d 127.0.0.0/8 -m limit --limit 5/min -j LOG --log-prefix "iptables dropped 127.0.0.0/8, from non localhost: " --log-level 7
+-A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
+-A INPUT -i lo -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+
+# Local docker
+#-A OUTPUT ! -o eth0 -s 172.18.0.0/13 -d 172.18.0.0/13 -j ACCEPT -m comment --comment "Internal docker"
+#-A FORWARD ! -o eth0 ! -i eth0 -s 172.18.0.1/13 -d 172.18.0.1/13 -j ACCEPT -m comment --comment "Internal docker"
+
+# ICMP: Ping
+-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
+-A INPUT -d 185.87.185.45 -p icmp -m icmp --icmp-type 0 -j ACCEPT 
+-A OUTPUT -p icmp -j ACCEPT
+-A INPUT -d 185.87.185.45 -p icmp -j ACCEPT 
+
+
+# FTP
+#-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
+#-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 49152:65535 -j ACCEPT
+
+# SSH
+-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource
+-A INPUT -p tcp -m tcp --dport 22 -m limit --limit 5/min -m recent --rcheck --seconds 40 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "iptalbes dropped SSH flood: "
+-A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 40 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP
+-A INPUT -s 86.83.121.29,185.66.250.42 -p tcp -m tcp --sport 1024:65535 --dport 22 -j ACCEPT
+#-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
+#-A FORWARD -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource
+#-A FORWARD -p tcp -m tcp --dport 22 -m limit --limit 5/min -m recent --rcheck --seconds 40 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "iptalbes dropped SSH flood: "
+#-A FORWARD -p tcp -m tcp --dport 22 -m recent --update --seconds 40 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP
+#-A FORWARD ! -o eth0 -d 172.18.0.0/13 -p tcp -m tcp --dport 22 -j ACCEPT
+
+# SMTP
+#-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
+#-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
+
+# WHOIS
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 43 -j ACCEPT
+
+# DNS
+-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
+
+# DHCP
+-A INPUT -i eth0 -d 255.255.255.255 -p udp -m udp --sport 67 --dport 68 -m limit --limit 5/min -j LOG --log-prefix "iptables allowed DHCP: " --log-level 7
+-A INPUT -i eth0 -d 255.255.255.255 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
+-A OUTPUT -o eth0 -p udp -m udp --sport 68 --dport 67 -m limit --limit 5/min -j LOG --log-prefix "iptables allowed DHCP: " --log-level 7
+-A OUTPUT -o eth0 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
+
+# HTTP & HTTPS
+#-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --set --name HTTP --rsource
+#-A INPUT -p tcp -m tcp --dport 80 -m recent --rcheck --seconds 10 --hitcount 20 --rttl --name HTTP --rsource -j LOG --log-prefix "iptables dropped HTTP flood: " --log-level 4
+#-A INPUT -p tcp -m tcp --dport 80 -m recent --update --seconds 10 --hitcount 20 --rttl --name HTTP --rsource -j DROP
+-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -m comment --comment "Tor Dir port"
+-A OUTPUT -d 45.79.136.0/24 -p tcp -m tcp --dport 80 -j REJECT -m comment --comment "WebIron complaint #YUL-135-74376"
+-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
+
+#-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -m recent --set --name HTTPS --rsource
+#-A INPUT -p tcp -m tcp --dport 443 -m recent --rcheck --seconds 10 --hitcount 20 --rttl --name HTTPS --rsource -j LOG --log-prefix "iptables dropped HTTPS flood: " --log-level 4
+#-A INPUT -p tcp -m tcp --dport 443 -m recent --update --seconds 10 --hitcount 20 --rttl --name HTTPS --rsource -j DROP
+-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT -m comment --comment "Tor relay ORport"
+-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
+
+# NTP
+-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
+
+# IMAP
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 143 -j ACCEPT 
+
+# IMAPS
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 993 -j ACCEPT
+
+# PIP
+#-A OUTPUT -d 185.31.17.223 -p tcp -m tcp --sport 32768:65535 --dport 443 -j ACCEPT -m comment --comment "pip"
+
+# SMTPS
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 465 -j ACCEPT -m comment --comment "SMTP SSL/TLS"
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 587 -j ACCEPT -m comment --comment "STARTTLS"
+
+# Socks5
+-A INPUT -s 86.83.121.29 -p tcp -m tcp --dport 1080 -j ACCEPT
+
+# OpenVPN
+-A INPUT -p udp -m udp --dport 1194 -j ACCEPT -m comment --comment "OpenVPN"
+-A INPUT -i tun0 -j ACCEPT
+-A OUTPUT -o tun0 -j ACCEPT
+-A INPUT -s 86.83.121.29 -j ACCEPT
+
+# XMPP
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 5223 -j ACCEPT -m comment --comment "xmpps"
+-A OUTPUT -p udp -m udp --sport 32768:65535 --dport 1900 -j ACCEPT -m comment --comment "xmpp?"
+
+# Multicast DNS
+-A OUTPUT -p udp -m udp --sport 5353 --dport 5353 -j clutter
+-A OUTPUT -d 244.0.0.1 -j clutter -m comment --comment "Multicast DNS"
+-A INPUT -d 224.0.0.1 -j clutter -m comment --comment "Multicast DNS"
+
+# IRC
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 6667 -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 6697 -j ACCEPT -m comment --comment "ircs"
+
+# Privoxy
+-A INPUT -p tcp -m tcp --dport 8118 -j ACCEPT -m comment --comment "Privoxy"
+
+# Bitcoin
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 8333 -j ACCEPT -m comment --comment "Bitcoin"
+
+# Tor
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 8000 -j ACCEPT -m comment --comment "Tor"
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 9001:9002 -j ACCEPT -m comment --comment "Tor"
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 9030:9031 -j ACCEPT -m comment --comment "Tor"
+
+# OpenPGP HTTP Key servers
+-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 11371 -j ACCEPT -m comment --comment "OpenPGP hkp HTTP key servers"
+
+# Torrents
+#-A OUTPUT -p udp -m udp --sport 51413 -j ACCEPT -m comment --comment "Torrents"
+#-A INPUT -p udp -m udp  --dport 51413 -j ACCEPT -m comment --comment "Torrents"
+
+# Traceroute
+-A OUTPUT -p udp -m udp --sport 32768:65535 --dport 6881:33534 -j ACCEPT -m comment --comment "Traceroute"
+
+# CloudFlare. Why see http://www.crimeflare.com/cfblock.html
+#-A INPUT -s 103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/12,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,199.27.128.0/21 -m limit --limit 5/min -j LOG --log-prefix "iptables dropped cloudflare: " --log-level 7
+#-A INPUT -s 103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/12,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,199.27.128.0/21 -j DROP -m comment --comment "CloudFlare http://www.crimeflare.com/cfblock.html"
+#-A OUTPUT -d 103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/12,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,199.27.128.0/21 -m limit --limit 5/min -j LOG --log-prefix "iptables dropped cloudflare: " --log-level 7
+#-A OUTPUT -d 103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/12,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,199.27.128.0/21 -j REJECT -m comment --comment "CloudFlare http://www.crimeflare.com/cfblock.html"
+
+# Attacks, crawls, scans, etc
+-A INPUT -p icmp -j clutter
+-A INPUT -s 0.0.0.0 -d 255.255.255.255 -j clutter -m comment --comment "Broadcast messages"
+-A INPUT -p udp -m udp --dport 19 -j clutter -m comment --comment "Character generator, looping to echo = DDoS"
+-A INPUT -p tcp -m tcp --dport 23 -j clutter
+-A INPUT -p udp -m udp --dport 53 -j clutter
+-A INPUT -p udp -m udp --dport 111 -j clutter -m comment --comment "Probe/fingerprint Nix OS"
+-A INPUT -p tcp -m tcp --dport 445 -j clutter -m comment --comment "MS-DS active directory"
+-A INPUT -p tcp -m tcp --dport 2323 -j clutter -m comment --comment "3d-nfsd"
+-A INPUT -p udp -m udp --dport 5060 -j clutter
+-A INPUT -p tcp -m tcp --dport 3389 -j clutter -m comment --comment "MS terminal server RDP"
+
+#-A INPUT -d 255.255.255.255 -p tcp -m tcp --sport 67 --dport 68 -j clutter -m comment --comment "DHCP"
+#-A INPUT -m iprange --dst-range 185.66.250.254-185.66.250.255 -j clutter
+#-A INPUT -m mac --mac-source d4:ca:6d:74:87:0d -j clutter
+#-A INPUT -p udp -m udp --dport 3076 -j clutter -m comment --comment "orbix-config"
+
+# Default policy
+-A INPUT -p tcp ! --syn -j ACCEPT -m comment --comment "Allow already established incoming TCP connections"
+-A INPUT -p udp -j ACCEPT -m comment --comment "Allow all incoming UDP connections because we do not use connection tracking"
+-A OUTPUT -p tcp -m tcp --tcp-flags ACK,RST ACK,RST  --dport 1024:65535 -j ACCEPT -m comment --comment "Allow egress tcp 1024<, as statefull checking is to expensive on a Tor exit node."
+#-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+#-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# Log & drop
+-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables dropped: " --log-level 7
+-A INPUT -j DROP
+-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables forward dropped: " --log-level 7
+-A FORWARD -j DROP
+#-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables rejected: " --log-level 7
+#-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
+-A OUTPUT -j ACCEPT
+-A clutter -m limit --limit 5/min -j LOG --log-prefix "iptables clutter dropped: " --log-level 7
+-A clutter -j DROP
+
+COMMIT
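Review bot: With `-j NOTRACK` applied to all traffic in `*raw` (L322-L323), the `-m state --state NEW` match at L354 should never fire (untracked packets carry state UNTRACKED, not NEW), so the `SSH` recent list is never populated and the flood LOG/DROP pair at L355-L356 is dead code; in a stateless ruleset key the `--set` on the SYN flag instead, e.g. `-A INPUT -p tcp -m tcp --dport 22 --syn -m recent --set --name SSH --mask 255.255.255.255 --rsource`. The trailing `-A OUTPUT -j ACCEPT` at L490 makes every OUTPUT allow rule above it redundant — including L479, whose `--tcp-flags ACK,RST ACK,RST` in any case matches only packets with both flags set (resets), not ordinary ACK data as its comment suggests — so either document that egress is intentionally open on the exit node and prune the list, or drop L490. `-A INPUT -s 86.83.121.29 -j ACCEPT` at L417 is a blanket allow for every protocol and port from one address, filed under the OpenVPN heading; given that conntrack is off and L477-L478 already accept all non-SYN TCP and all UDP, it deserves at least a `-m comment` naming its purpose and ideally a restriction to the ports actually used.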

+ 41 - 0
rsyslog.d/iptables.conf.old

@@ -0,0 +1,41 @@
+# /etc/rsyslog.d/iptables.conf
+
+if ( $msg contains ' iptables ')
+then {
+    /var/log/iptables/all.log
+}
+if ( $msg contains ' iptables dropped')
+then {
+    /var/log/iptables/drop.log
+}
+if ( $msg contains ' iptables rejected')
+then {
+    /var/log/iptables/reject.log
+    stop
+}
+if ( $msg contains ' iptables dropped' or $msg contains ' iptables rejected')
+then {
+    /var/log/iptables/troubleshoot.log
+    stop
+}
+
+if ( $msg contains ' iptables clutter dropped: ')
+then {
+    /var/log/iptables/clutter.log
+    stop
+}
+if ( $msg contains ' iptables attack dropped: ')
+then {
+    /var/log/iptables/attack.log
+    stop
+}
+if ( $msg contains ' iptables dropped spoof: ' or $msg contains 'iptables droped SSH flood: ' or $msg contains 'iptables dropped HTTP flood: ' or $msg contains 'iptables dropped HTTPS flood: ' or $msg contains 'iptables dropped 127.0.0.0/8, from non localhost: ')
+then {
+    /var/log/iptables/attack.log
+    stop
+}
+if ( $msg contains ' iptables allowed DHCP: ')
+then{
+    /var/log/iptables/dhcp.log
+    stop
+}
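Review bot: The `attack.log` rule at L531 is unreachable for most of its patterns: any message containing ` iptables dropped` has already been written to `troubleshoot.log` and stopped by the rule at L515-L519, so the `spoof`, `HTTP flood`, `HTTPS flood` and `127.0.0.0/8` cases never reach it; move the L521-L540 rules above L515 (or remove the `stop` at L518). Separately, `'iptables droped SSH flood: '` is misspelled while the ruleset actually emits `"iptalbes dropped SSH flood: "` (L355), so SSH flood events match neither side, and no rule on this page emits the `iptables attack dropped: ` or `iptables dropped spoof: ` prefixes tested at L526 and L531. Since the file is committed with a `.old` suffix, a typical `rsyslog.d/*.conf` include will not load it — rename it if it is meant to be active, or add a header comment saying it is an archived copy.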