From b8cfaece6e2f5f84826d3980be280248f631a6c1 Mon Sep 17 00:00:00 2001
From: Frank Brehm
Date: Sun, 9 Sep 2018 00:10:02 +0200
Subject: [PATCH] daily autocommit
---
 iptables/rules.v4 | 51 +++++++++++++++++++++++++++--------------------
 iptables/rules.v6 | 18 ++++++++---------
 2 files changed, 38 insertions(+), 31 deletions(-)
diff --git a/iptables/rules.v4 b/iptables/rules.v4
index 087e5ee..67c01cf 100644
--- a/iptables/rules.v4
+++ b/iptables/rules.v4
@@ -1,20 +1,16 @@
-# Generated by iptables-save v1.6.1 on Fri Sep 7 10:33:38 2018
+# Generated by iptables-save v1.6.1 on Sat Sep 8 08:56:14 2018
 *filter
 :INPUT DROP [0:0]
 :FORWARD DROP [0:0]
-:OUTPUT ACCEPT [514:97020]
+:OUTPUT ACCEPT [12549:2037978]
+:ssh_spam - [0:0]
 -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
 -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
 -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
 -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
 -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
 -A INPUT -m conntrack --ctstate RELATED -j ACCEPT
--A INPUT -s 221.232.0.0/14 -p tcp -m tcp --dport 22 -j DROP
--A INPUT -s 61.183.0.0/16 -p tcp -m tcp --dport 22 -j DROP
--A INPUT -s 61.184.0.0/16 -p tcp -m tcp --dport 22 -j DROP
--A INPUT -s 125.65.42.0/24 -p tcp -m tcp --dport 22 -j DROP
--A INPUT -s 133.9.187.135/32 -p tcp -m tcp --dport 22 -j DROP
--A INPUT -s 216.32.92.138/32 -p tcp -m tcp --dport 22 -j DROP
+-A INPUT -p tcp -m tcp --dport 22 -j ssh_spam
 -A INPUT -i lo -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 22 -j NFLOG --nflog-prefix "INPUT ssh " --nflog-threshold 1
 -A INPUT -p tcp -m tcp --dport 80 -j NFLOG --nflog-prefix "INPUT http " --nflog-threshold 1
@@ -54,24 +50,35 @@
 -A FORWARD -j NFLOG --nflog-prefix "FORWARD Drop " --nflog-threshold 1
 -A FORWARD -j DROP
 -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
+-A ssh_spam -s 216.32.92.138/32 -j DROP
+-A ssh_spam -s 133.9.187.135/32 -j DROP
+-A ssh_spam -s 125.65.42.0/24 -j DROP
+-A ssh_spam -s 61.184.0.0/16 -j DROP
+-A ssh_spam -s 61.183.0.0/16 -j DROP
+-A ssh_spam -s 221.232.0.0/14 -j DROP
+-A ssh_spam -s 116.16.0.0/12 -j DROP
+-A ssh_spam -s 119.28.0.0/15 -j DROP
+-A ssh_spam -s 106.51.0.0/17 -j DROP
+-A ssh_spam -s 93.183.207.0/24 -j DROP
+-A ssh_spam -s 106.240.0.0/12 -j DROP
 COMMIT
-# Completed on Fri Sep 7 10:33:38 2018
-# Generated by iptables-save v1.6.1 on Fri Sep 7 10:33:38 2018
+# Completed on Sat Sep 8 08:56:14 2018
+# Generated by iptables-save v1.6.1 on Sat Sep 8 08:56:14 2018
 *mangle
-:PREROUTING ACCEPT [2780971:1073916911]
-:INPUT ACCEPT [2775019:1073614296]
-:FORWARD ACCEPT [530:60638]
-:OUTPUT ACCEPT [981171:208638362]
-:POSTROUTING ACCEPT [1124728:225421903]
+:PREROUTING ACCEPT [4147926:1783697462]
+:INPUT ACCEPT [4138943:1783249271]
+:FORWARD ACCEPT [860:85551]
+:OUTPUT ACCEPT [1507972:309460513]
+:POSTROUTING ACCEPT [1716341:333808167]
 -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
 COMMIT
-# Completed on Fri Sep 7 10:33:38 2018
-# Generated by iptables-save v1.6.1 on Fri Sep 7 10:33:38 2018
+# Completed on Sat Sep 8 08:56:14 2018
+# Generated by iptables-save v1.6.1 on Sat Sep 8 08:56:14 2018
 *nat
-:PREROUTING ACCEPT [175037:83596528]
-:INPUT ACCEPT [169380:83319440]
-:OUTPUT ACCEPT [115353:23384772]
-:POSTROUTING ACCEPT [111775:22620528]
+:PREROUTING ACCEPT [251857:120251084]
+:INPUT ACCEPT [242673:119791895]
+:OUTPUT ACCEPT [172111:34294620]
+:POSTROUTING ACCEPT [167146:33201777]
 -A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
 -A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
 -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
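Review bot: The rules in the new `ssh_spam` chain match on source address only, so they are safe only while the `--dport 22` jump added to INPUT in the first hunk stays the chain's sole entry point; nothing in the file records that, nor why or when each network was blocked. Since the list is grown by hand and now holds ranges as wide as /12, I would annotate each entry with the comment match, e.g. `-A ssh_spam -s 106.240.0.0/12 -m comment --comment "ssh brute force, added <date>" -j DROP`. The jump also sits above the `INPUT ssh` NFLOG rule, so packets dropped in this chain are never logged and the rule counters of the live ruleset are the only record of hits. If that loss of visibility is not intended, an NFLOG rule per blocked source, or one at the top of the chain, would restore it.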
@@ -79,4 +86,4 @@ COMMIT
 -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
 -A POSTROUTING -o eth1 -j MASQUERADE
 COMMIT
-# Completed on Fri Sep 7 10:33:38 2018
+# Completed on Sat Sep 8 08:56:14 2018
diff --git a/iptables/rules.v6 b/iptables/rules.v6
index 405ca19..b946623 100644
--- a/iptables/rules.v6
+++ b/iptables/rules.v6
@@ -1,8 +1,8 @@
-# Generated by ip6tables-save v1.6.1 on Fri Sep 7 10:33:38 2018
+# Generated by ip6tables-save v1.6.1 on Sat Sep 8 08:56:14 2018
 *filter
 :INPUT DROP [0:0]
 :FORWARD DROP [0:0]
-:OUTPUT ACCEPT [705:86754]
+:OUTPUT ACCEPT [992:120194]
 :f_mail - [0:0]
 -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
 -A INPUT -m conntrack --ctstate RELATED -j ACCEPT
@@ -51,13 +51,13 @@
 -A f_mail -j NFLOG --nflog-prefix "IPv6 F_MAIL Reject " --nflog-threshold 1
 -A f_mail -j REJECT --reject-with icmp6-port-unreachable
 COMMIT
-# Completed on Fri Sep 7 10:33:38 2018
-# Generated by ip6tables-save v1.6.1 on Fri Sep 7 10:33:38 2018
+# Completed on Sat Sep 8 08:56:14 2018
+# Generated by ip6tables-save v1.6.1 on Sat Sep 8 08:56:14 2018
 *mangle
-:PREROUTING ACCEPT [13771:4996662]
-:INPUT ACCEPT [1513:206900]
+:PREROUTING ACCEPT [20964:7428896]
+:INPUT ACCEPT [2281:389623]
 :FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [705:86754]
-:POSTROUTING ACCEPT [1228:161933]
+:OUTPUT ACCEPT [992:120194]
+:POSTROUTING ACCEPT [1736:224931]
 COMMIT
-# Completed on Fri Sep 7 10:33:38 2018
+# Completed on Sat Sep 8 08:56:14 2018
--
2.39.5