Post #3, 28-12-2010, 15:50
gnommo
Senior Member
 
 
Joined: Oct 2005
Posts: 4954
Cionci, a while ago you asked me for all the rules that the firmware sets up in iptables.
Here they are; there are just a few ports opened by me, the rest is the firmware's:
Quote:
iptables -t nat -F
iptables -t filter -F
iptables -t mangle -F
iptables -t nat -X PRE_BASIC
iptables -t nat -N PRE_BASIC
iptables -t nat -X DNS
iptables -t nat -N DNS
iptables -t nat -X PRE_PROXY
iptables -t nat -N PRE_PROXY
iptables -t nat -X MINIUPNPD
iptables -t nat -N MINIUPNPD
iptables -t nat -X PT
iptables -t nat -N PT
iptables -t nat -X NAPT
iptables -t nat -N NAPT
iptables -t nat -X VS
iptables -t nat -N VS
iptables -t nat -X DMZ
iptables -t nat -N DMZ
iptables -t nat -X VPN
iptables -t nat -N VPN
iptables -t filter -X DOS
iptables -t filter -N DOS
iptables -t filter -X SCAN
iptables -t filter -N SCAN
iptables -t filter -X PROXY
iptables -t filter -N PROXY
iptables -t filter -X LOCAL_SERVICE
iptables -t filter -N LOCAL_SERVICE
iptables -t filter -X OUT_FILTER
iptables -t filter -N OUT_FILTER
iptables -t filter -X CFILTER
iptables -t filter -N CFILTER
iptables -t filter -X HTTP
iptables -t filter -N HTTP
iptables -t filter -X BLOCK
iptables -t filter -N BLOCK
iptables -t filter -X IN_FILTER
iptables -t filter -N IN_FILTER
iptables -t filter -X MINIUPNPD
iptables -t filter -N MINIUPNPD
iptables -t filter -X FW_BASIC
iptables -t filter -N FW_BASIC
iptables -t filter -X FTP_SHARES
iptables -t filter -N FTP_SHARES
iptables -t filter -X HTTPS_SHARES
iptables -t filter -N HTTPS_SHARES
iptables -t nat -A PREROUTING -j PRE_BASIC
iptables -t nat -A PREROUTING -j PRE_PROXY
iptables -t nat -A PREROUTING -j MINIUPNPD
iptables -t nat -A PREROUTING -j PT
iptables -t nat -A PREROUTING -j NAPT
iptables -t nat -A PREROUTING -j VS
iptables -t nat -A PREROUTING -j DMZ
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i ipsec0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --syn -j DOS
iptables -A INPUT -p udp -j DOS
iptables -A INPUT -p icmp --icmp-type echo-request -j DOS
iptables -A INPUT -j PROXY
iptables -A INPUT -j LOCAL_SERVICE
iptables -P FORWARD DROP
iptables -A FORWARD -j OUT_FILTER
iptables -A FORWARD -j CFILTER
iptables -A FORWARD -j FW_BASIC
iptables -A FORWARD -p tcp --syn -j DOS
iptables -A FORWARD -p udp -j DOS
iptables -A FORWARD -p icmp --icmp-type echo-request -j DOS
iptables -A FORWARD -j IN_FILTER
iptables -A FORWARD -j MINIUPNPD
iptables -A FW_BASIC -i lo -j ACCEPT
iptables -A FW_BASIC -i ipsec0 -j ACCEPT
iptables -A FW_BASIC -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A FW_BASIC -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -j VPN
iptables -I INPUT -i br0 -j ACCEPT
iptables -A FW_BASIC -i br0 -j ACCEPT
iptables -A DOS -i ! ppp1 -j RETURN
iptables -A DOS -m psd -j SCAN
iptables -A SCAN -m limit --limit 10/s -j LOG --log-level 4 --log-prefix "[PORT SCAN]"
iptables -A SCAN -j DROP
iptables -A DOS -p tcp --syn -m limit --limit 5/s --limit-burst 10 -j RETURN
iptables -A DOS -p udp -m limit --limit 5/s --limit-burst 10 -j RETURN
iptables -A DOS -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 60 -j RETURN
iptables -A DOS -m limit --limit 10/s -j LOG --log-level 4 --log-prefix "[DOS] "
iptables -A DOS -j DROP
iptables -I MINIUPNPD -t nat -i ! ppp1 -j RETURN
iptables -A PRE_BASIC -t nat -i ppp1 -d ! zzzzzzzz -j DROP
iptables -t nat -F PT
iptables -t nat -A PT -d ! 192.168.0.1 -j PNAT --set-mark 0x2511
iptables -A IN_FILTER -i ! ppp1 -j RETURN
iptables -t nat -A NAPT -s 0/0 -d zzzzzzzz -p udp --dport 4672:4672 -j DNAT --to 192.168.0.2:4672-4672
iptables -t nat -A NAPT -s 0/0 -d zzzzzzzz -p udp --dport 4672:4672 -j DROP
iptables -A IN_FILTER -d 192.168.0.2 -p udp --dport 4672:4672 -j ACCEPT
iptables -t nat -A NAPT -s 0/0 -d zzzzzzzz -p tcp --dport 54662:54662 -j DNAT --to 192.168.0.2:54662-54662
iptables -t nat -A NAPT -s 0/0 -d zzzzzzz -p tcp --dport 54662:54662 -j DROP
iptables -A IN_FILTER -d 192.168.0.2 -p tcp --dport 54662:54662 -j ACCEPT
iptables -A OUT_FILTER -i ! br0 -j RETURN
iptables -I INPUT -d zzzzzzzzzzzzzz -p tcp --dport 7547 -j ACCEPT

iptables -A INPUT -j FTP_SHARES
iptables -D INPUT -i br0 -p tcp --dport 20:21 -j DROP
iptables -I INPUT -i br0 -p tcp --dport 20:21 -j DROP
iptables -t nat -D PRE_BASIC -i ppp1 -p tcp --dport 21 -d zzzzzzzzzzzzz -j DNAT --to 192.168.0.1:20-21
iptables -t nat -D PRE_BASIC -i br0 -p tcp --dport 21 -d zzzzzzzzzzzzzzz -j DNAT --to 192.168.0.1:20-21
iptables -D FTP_SHARES -d 192.168.0.1 -p tcp --dport 20:21 -j ACCEPT
iptables -A INPUT -j HTTPS_SHARES
iptables -t nat -D PRE_BASIC -i ppp1 -p tcp --dport 443 -d zzzzzzzzzzzzzzzz -j DNAT --to 192.168.0.1:443
iptables -t nat -D PRE_BASIC -i br0 -p tcp --dport 443 -d zzzzzzzzzzzzzzzzzz -j DNAT --to 192.168.0.1:443
iptables -D HTTPS_SHARES -d 192.168.0.1 -p tcp --dport 443 -j ACCEPT
iptables -A LOCAL_SERVICE -d 192.168.0.1 -p tcp --dport 23 -j ACCEPT
iptables -t nat -A PRE_BASIC -d 192.168.0.1 -p tcp --dport 5000 -j DNAT --to 192.168.0.1:80
iptables -A CFILTER -i br0 -m string --algo bm --string GET -p tcp --dport 80 --tcp-flags ALL PSH,ACK -j HTTP
iptables -A CFILTER -i br0 -m string --algo bm --string POST -p tcp --dport 80 --tcp-flags ALL PSH,ACK -j HTTP
iptables -A CFILTER -i br0 -m string --algo bm --string HEAD -p tcp --dport 80 --tcp-flags ALL PSH,ACK -j HTTP
iptables -A BLOCK -j LOG --log-level 4 --log-prefix "[BLOCK]"
iptables -A BLOCK -p tcp --dport 80 -j REJECT --reject-with http-block
iptables -t nat -A POSTROUTING -o ppp1 -j MASQUERADE
iptables -A FORWARD -t mangle -m dscp --dscp-class CS7 -o ! br0 -j MARK --set-mark 0x04
iptables -A FORWARD -t mangle -m dscp --dscp-class CS6 -o ! br0 -j MARK --set-mark 0x04
iptables -A FORWARD -t mangle -m dscp --dscp-class CS5 -o ! br0 -j MARK --set-mark 0x03
iptables -A FORWARD -t mangle -m dscp --dscp-class CS4 -o ! br0 -j MARK --set-mark 0x03
iptables -A FORWARD -t mangle -m dscp --dscp-class CS3 -o ! br0 -j MARK --set-mark 0x02
iptables -A FORWARD -t mangle -m dscp --dscp-class CS2 -o ! br0 -j MARK --set-mark 0x01
iptables -A FORWARD -t mangle -m dscp --dscp-class CS1 -o ! br0 -j MARK --set-mark 0x01
iptables -A POSTROUTING -t mangle -o ppp1 -j IMQ --todev 0
#

Last edited by gnommo: 28-12-2010 at 15:53.
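An added example, not from gnommo's post or the Netgear firmware: this Python script replays a constructed excerpt of the dump above in the order the firmware issues it, honouring -A, -I, -D and -P, so you can see the final INPUT chain order that the mixed appends and top-inserts actually produce, which -D commands matched nothing, and which user chains are jumped to but end up empty. The DUMP excerpt is assembled from the quoted rules; the firmware's own behaviour is not modelled beyond those four operations.

```python
from collections import defaultdict
# Constructed excerpt of the dump quoted above, in its original order; -A appends,
# -I (no position) inserts at the top, -D deletes the first identical rule, -P sets policy.
DUMP = """\
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --syn -j DOS
iptables -A INPUT -j LOCAL_SERVICE
iptables -A DOS -i ! ppp1 -j RETURN
iptables -I INPUT -i br0 -j ACCEPT
iptables -I INPUT -d zzzzzzzzzzzzzz -p tcp --dport 7547 -j ACCEPT
iptables -A INPUT -j FTP_SHARES
iptables -D INPUT -i br0 -p tcp --dport 20:21 -j DROP
iptables -I INPUT -i br0 -p tcp --dport 20:21 -j DROP
iptables -D FTP_SHARES -d 192.168.0.1 -p tcp --dport 20:21 -j ACCEPT
iptables -A LOCAL_SERVICE -d 192.168.0.1 -p tcp --dport 23 -j ACCEPT
"""
OPS = ("-A", "-I", "-D", "-P")

def replay(dump):
    """Replay filter-table commands; return (chains, policies, deletes that matched nothing)."""
    chains, policies, noop = defaultdict(list), {}, []
    for line in dump.splitlines():
        w = line.split()
        i = next((k for k, tok in enumerate(w) if tok in OPS), None)
        if not w or w[0] != "iptables" or "-t" in w or i is None:
            continue  # excerpt covers the filter table only, so lines carrying -t are skipped
        op, chain, spec = w[i][1], w[i + 1], " ".join(w[1:i] + w[i + 2:])
        if op == "P":
            policies[chain] = spec
        elif op == "A":
            chains[chain].append(spec)
        elif op == "I":
            chains[chain].insert(0, spec)
        elif spec in chains[chain]:
            chains[chain].remove(spec)
        else:
            noop.append((chain, spec))  # -D with no identical rule present changes nothing
    return dict(chains), policies, noop

def empty_jump_targets(chains):
    """User chains that are jumped to but hold no rules: the jump simply returns."""
    builtin = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG"}
    targets = {r.split("-j ")[1].split()[0] for rules in chains.values() for r in rules if "-j " in r}
    return sorted(t for t in targets - builtin if not chains.get(t))

if __name__ == "__main__":
    chains, policies, noop = replay(DUMP)
    print("INPUT policy " + policies["INPUT"], *chains["INPUT"], sep="\n  ")
    print("empty jump targets:", empty_jump_targets(chains), "\nunmatched -D:", noop)
```

The replay shows that the later -I lines end up above the firmware's own ACCEPT rules, so the order you read in the dump is not the order packets are matched in.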