  1. DNS CIsco ASR1001-x

    Vlan6 вообще не принимает запросы ни от кого (судя по tcpdump), но на vlan6 сидит IP DNS-а 172.16.24.1, у eth1 нет IP, все запросы слушает eth1.   Какие ещё варианты, подскажите, пожалуйста?
  2. DNS CIsco ASR1001-x

    Тогда как заставить идти на vlan6? root@rnat1:/# tcpdump -n -v -i vlan6 host 10.10.0.110 tcpdump: listening on vlan6, link-type EN10MB (Ethernet), capture size 65535 bytes ^C 0 packets captured 2 packets received by filter 0 packets dropped by kernel Убрал правила, всё равно не попадает.   Уже трое суток воюю, никак победить не получается, поэтому прошу помощи в разрешении этого вопроса.
  3. DNS CIsco ASR1001-x

    vlan6 сидит на eth1. iptables -F снова закрыл доступ, помогла отсроченная перезагрузка.   root@rnat1:/# tcpdump -n -v -i vlan6 host 10.10.0.110 tcpdump: listening on vlan6, link-type EN10MB (Ethernet), capture size 65535 bytes ^C 0 packets captured 2 packets received by filter 0 packets dropped by kernel На этом пусто.
  4. DNS CIsco ASR1001-x

    root@rnat1:/sbin# cat /etc/iptables-mangle.conf *mangle :PREROUTING ACCEPT [0:0] # ----- ANTI-HACK ----- -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LOG -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j LOG -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j LOG -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP # #-A PREROUTING -p tcp ! -s 10.0.101.100 --dport 80 -i vlan3 -j TEE --gateway 172.16.34.1 -A PREROUTING -p tcp -i vlan3 -j TEE --gateway 172.16.34.1 -A PREROUTING -p tcp -i vlan4 -j TEE --gateway 172.16.34.1 -A PREROUTING -p udp -m udp --dport 53 -i vlan3 -j TEE --gateway 172.16.34.1 -A PREROUTING -p udp -m udp --dport 53 -i vlan4 -j TEE --gateway 172.16.34.1 #-A PREROUTING -p tcp --dport 80 -i vlan3 -j TEE --gateway 172.16.34.1 #-A PREROUTING -p tcp --dport 80 -i vlan4 -j TEE --gateway 172.16.34.1 #-A PREROUTING -p tcp --dport 443 -i vlan3 -j TEE --gateway 172.16.34.1 #-A PREROUTING -p tcp --dport 443 -i vlan4 -j TEE --gateway 172.16.34.1 #-A PREROUTING -p tcp --dport 8001 -i vlan3 -j TEE --gateway 172.16.34.1 #-A PREROUTING -p tcp --dport 8001 -i vlan4 -j TEE --gateway 172.16.34.1 #-A PREROUTING -i vlan3 -j TEE --gateway 172.16.34.1 #-A PREROUTING -i vlan4 -j TEE --gateway 172.16.34.1 :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] COMMIT root@rnat1:/sbin# cat /etc/iptables-nat.conf *nat :PREROUTING ACCEPT [0:0] # ssh for support UTM5 #-A PREROUTING -s 77.72.80.1 -d 91.224.137.4 -p tcp --dport 22 -j DNAT --to-destination 172.16.8.2:22 # -A PREROUTING -s 91.224.137.5 -d 91.224.137.4 -p tcp --dport 22 -j DNAT --to-destination 172.16.8.2:22 # ------------- Доступ к биллингу для ФСБ #-A PREROUTING -s 10.0.0.250 
-d 172.16.26.2 -p tcp --dport 443 -j DNAT --to-destination 172.16.16.2:443 -A PREROUTING -s 10.0.0.250 -d 172.16.26.2 -p tcp --dport 11758 -j DNAT --to-destination 172.16.16.2:11758 :POSTROUTING ACCEPT [0:0] -A POSTROUTING -s 10.0.0.0/8 -o vlan12 -j SNAT --to-source 91.224.136.6 -A POSTROUTING -s 172.16.1.0/21 -o vlan12 -j SNAT --to-source 91.224.136.6 -A POSTROUTING -s 172.16.16.0/21 -d 10.0.0.0/8 -j RETURN -A POSTROUTING -s 172.16.16.0/21 -d 172.16.0.0/12 -j RETURN -A POSTROUTING -s 172.16.16.0/21 -d 192.168.0.0/16 -j RETURN -A POSTROUTING -s 172.16.16.0/21 -o vlan12 -j SNAT --to-source 91.224.136.6 -A POSTROUTING -s 172.31.0.0/21 -d 10.0.0.0/8 -j RETURN -A POSTROUTING -s 172.31.0.0/21 -d 172.16.0.0/12 -j RETURN -A POSTROUTING -s 172.31.0.0/21 -d 192.168.0.0/16 -j RETURN -A POSTROUTING -s 172.31.0.0/21 -o vlan12 -j SNAT --to-source 91.224.136.6 :OUTPUT ACCEPT [0:0] COMMIT   По тому же принципу и их можно обновлять.
  5. DNS CIsco ASR1001-x

    Обновление происходит iptables-restore /etc/iptables-filter.conf
  6. DNS CIsco ASR1001-x

    root@rnat1:/sbin# cat /etc/iptables-mangle.conf *mangle :PREROUTING ACCEPT [0:0] # ----- ANTI-HACK ----- -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LOG -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j LOG -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j LOG -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP # #-A PREROUTING -p tcp ! -s 10.0.101.100 --dport 80 -i vlan3 -j TEE --gateway 172.16.34.1 -A PREROUTING -p tcp -i vlan3 -j TEE --gateway 172.16.34.1 -A PREROUTING -p tcp -i vlan4 -j TEE --gateway 172.16.34.1 -A PREROUTING -p udp -m udp --dport 53 -i vlan3 -j TEE --gateway 172.16.34.1 -A PREROUTING -p udp -m udp --dport 53 -i vlan4 -j TEE --gateway 172.16.34.1 #-A PREROUTING -p tcp --dport 80 -i vlan3 -j TEE --gateway 172.16.34.1 #-A PREROUTING -p tcp --dport 80 -i vlan4 -j TEE --gateway 172.16.34.1 #-A PREROUTING -p tcp --dport 443 -i vlan3 -j TEE --gateway 172.16.34.1 #-A PREROUTING -p tcp --dport 443 -i vlan4 -j TEE --gateway 172.16.34.1 #-A PREROUTING -p tcp --dport 8001 -i vlan3 -j TEE --gateway 172.16.34.1 #-A PREROUTING -p tcp --dport 8001 -i vlan4 -j TEE --gateway 172.16.34.1 #-A PREROUTING -i vlan3 -j TEE --gateway 172.16.34.1 #-A PREROUTING -i vlan4 -j TEE --gateway 172.16.34.1 :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] COMMIT   root@rnat1:/sbin# service --status-all [ + ] acpid [ + ] atd [ + ] bacula-fd [ - ] bootlogs [ ? ] bootmisc.sh [ ? ] checkfs.sh [ ? ] checkroot-bootclean.sh [ - ] checkroot.sh [ - ] console-setup [ + ] cron [ + ] dbus [ - ] exim4 [ ? ] fprobe-ulog [ - ] hostname.sh [ ? ] hwclock.sh [ - ] kbd [ - ] keyboard-setup [ ? ] killprocs [ ? ] kmod [ + ] mdadm [ + ] mdadm-raid [ ? 
] mdadm-waitidle [ - ] motd [ ? ] mountall-bootclean.sh [ ? ] mountall.sh [ ? ] mountdevsubfs.sh [ ? ] mountkernfs.sh [ ? ] mountnfs-bootclean.sh [ ? ] mountnfs.sh [ ? ] mtab.sh [ ? ] networking [ - ] procps [ ? ] quagga [ ? ] rc.local [ + ] resolvconf [ - ] rmnologin [ - ] rsync [ + ] rsyslog [ - ] schroot [ ? ] sendsigs [ + ] snmpd [ + ] ssh [ + ] udev [ ? ] udev-mtab [ ? ] umountfs [ ? ] umountnfs.sh [ ? ] umountroot [ - ] urandom
  7. DNS CIsco ASR1001-x

    root@rnat1:/home/user# cat /etc/rc.local #!/bin/sh -e # # rc.local # # This script is executed at the end of each multiuser runlevel. # Make sure that the script will "exit 0" on success or any other # value on error. # # In order to enable or disable this script just change the execution # bits. # # By default this script does nothing. sysctl -p modprobe ip_gre modprobe ip_nat_pptp /etc/rc.chroot-fs-mount /etc/rc.chroot-bind9-start exit 0 Куда то засунули хорошо.   root@rnat1:/home/user# locate iptables /data0/chroot_1/sbin/iptables /data0/chroot_1/sbin/iptables-restore /data0/chroot_1/sbin/iptables-save /data0/chroot_1/usr/bin/iptables-xml /data0/chroot_1/usr/sbin/iptables-apply /data0/chroot_1/usr/share/iptables /data0/chroot_1/usr/share/doc/iptables /data0/chroot_1/usr/share/doc/iptables/INCOMPATIBILITIES /data0/chroot_1/usr/share/doc/iptables/README.Debian /data0/chroot_1/usr/share/doc/iptables/changelog.Debian.gz /data0/chroot_1/usr/share/doc/iptables/changelog.gz /data0/chroot_1/usr/share/doc/iptables/copyright /data0/chroot_1/usr/share/iptables/iptables.xslt /data0/chroot_1/usr/share/lintian/overrides/iptables /data0/chroot_1/usr/share/man/man8/iptables-apply.8.gz /data0/chroot_1/usr/share/man/man8/iptables-restore.8.gz /data0/chroot_1/usr/share/man/man8/iptables-save.8.gz /data0/chroot_1/usr/share/man/man8/iptables-xml.8.gz /data0/chroot_1/usr/share/man/man8/iptables.8.gz /data0/chroot_1/usr/share/mime/text/x-iptables.xml /data0/chroot_1/var/cache/apt/archives/iptables_1.4.14-3.1_amd64.deb /data0/chroot_1/var/lib/dpkg/info/iptables.list /data0/chroot_1/var/lib/dpkg/info/iptables.md5sums /data0/chroot_1/var/lib/dpkg/info/iptables.postinst /data0/chroot_1/var/lib/dpkg/info/iptables.postrm /data0/chroot_1/var/lib/dpkg/info/iptables.shlibs /etc/iptables-filter.conf /etc/iptables-mangle.conf /etc/iptables-nat.conf /home/rimidal/DNS/iptables-filter.conf /home/rimidal/DNS/iptables-mangle.conf /home/rimidal/DNS/iptables-nat.conf /sbin/iptables 
/sbin/iptables-restore /sbin/iptables-save /usr/bin/iptables-xml /usr/sbin/iptables-apply /usr/share/iptables /usr/share/bash-completion/completions/iptables /usr/share/doc/iptables /usr/share/doc/iptables/INCOMPATIBILITIES /usr/share/doc/iptables/README.Debian /usr/share/doc/iptables/changelog.Debian.gz /usr/share/doc/iptables/changelog.gz /usr/share/doc/iptables/copyright /usr/share/iptables/iptables.xslt /usr/share/lintian/overrides/iptables /usr/share/man/man8/iptables-apply.8.gz /usr/share/man/man8/iptables-restore.8.gz /usr/share/man/man8/iptables-save.8.gz /usr/share/man/man8/iptables-xml.8.gz /usr/share/man/man8/iptables.8.gz /usr/share/mime/text/x-iptables.xml /var/lib/dpkg/info/iptables.list /var/lib/dpkg/info/iptables.md5sums /var/lib/dpkg/info/iptables.postinst /var/lib/dpkg/info/iptables.postrm /var/lib/dpkg/info/iptables.shlibs
  8. DNS CIsco ASR1001-x

    Это не полный вывод, дописал строчку к тому, что было.   iptables-restore /etc/iptables-filter.conf — так подойдёт?
  9. DNS CIsco ASR1001-x

    Как это сделать без потери связи с ним — находится далеко просто. Аккуратно выключить правила, чтобы посмотреть, из-за них или нет?   Сделал *filter :INPUT ACCEPT [0:0] :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT DROP [0:0] # ------ loopback На тестовом ПК по-прежнему не работает.
  10. DNS CIsco ASR1001-x

    После iptables -F роутер стал недоступен (при политике INPUT DROP после сброса правил пропадает и разрешающее правило для ssh), пришлось перезагружать.   7
  11. DNS CIsco ASR1001-x

    tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 30098/named tcp 0 0 127.0.0.1:2601 0.0.0.0:* LISTEN 2835/zebra tcp 0 0 127.0.0.1:2604 0.0.0.0:* LISTEN 2952/ospfd tcp 0 0 172.16.8.12:9102 0.0.0.0:* LISTEN 3054/bacula-fd tcp 0 0 91.224.136.6:53 0.0.0.0:* LISTEN 30098/named tcp 0 0 172.16.24.1:53 0.0.0.0:* LISTEN 30098/named tcp 0 0 172.16.8.12:53 0.0.0.0:* LISTEN 30098/named tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 30098/named tcp 0 0 172.16.8.12:22 0.0.0.0:* LISTEN 3094/sshd udp 0 0 91.224.136.6:53 0.0.0.0:* 30098/named udp 0 0 172.16.24.1:53 0.0.0.0:* 30098/named udp 0 0 172.16.8.12:53 0.0.0.0:* 30098/named udp 0 0 127.0.0.1:53 0.0.0.0:* 30098/named udp 0 0 0.0.0.0:50252 0.0.0.0:* 2584/rsyslogd udp 0 0 172.16.8.12:161 0.0.0.0:* 3048/snmpd udp 0 0 127.0.0.1:161 0.0.0.0:* 3048/snmpd raw 0 0 0.0.0.0:89 0.0.0.0:* 7 2952/ospfd raw6 0 0 :::58 :::* 7 2835/zebra Active UNIX domain sockets (only servers) Proto RefCnt Flags Type State I-Node PID/Program name Path unix 2 [ ACC ] STREAM LISTENING 6424 2746/acpid /var/run/acpid.socket unix 2 [ ACC ] STREAM LISTENING 6479 3055/dbus-daemon /var/run/dbus/system_bus_socket unix 2 [ ACC ] STREAM LISTENING 5972 2952/ospfd /var/run/quagga/ospfd.vty unix 2 [ ACC ] SEQPACKET LISTENING 4755 398/udevd /run/udev/control unix 2 [ ACC ] STREAM LISTENING 8435 2835/zebra /var/run/quagga/zserv.api unix 2 [ ACC ] STREAM LISTENING 8439 2835/zebra /var/run/quagga/zebra.vty
  12. DNS CIsco ASR1001-x

    Не находит по этой команде.
  13. DNS CIsco ASR1001-x

    root@rnat1:/etc# cat iptables-nat.conf *nat :PREROUTING ACCEPT [0:0] # ssh for support UTM5 #-A PREROUTING -s 77.72.80.1 -d 91.224.137.4 -p tcp --dport 22 -j DNAT --to-destination 172.16.8.2:22 # -A PREROUTING -s 91.224.137.5 -d 91.224.137.4 -p tcp --dport 22 -j DNAT --to-destination 172.16.8.2:22 # ------------- Доступ к биллингу для #-A PREROUTING -s 10.0.0.250 -d 172.16.26.2 -p tcp --dport 443 -j DNAT --to-destination 172.16.16.2:443 -A PREROUTING -s 10.0.0.250 -d 172.16.26.2 -p tcp --dport 11758 -j DNAT --to-destination 172.16.16.2:11758 :POSTROUTING ACCEPT [0:0] -A POSTROUTING -s 10.0.0.0/8 -o vlan12 -j SNAT --to-source 91.224.136.6 -A POSTROUTING -s 172.16.1.0/21 -o vlan12 -j SNAT --to-source 91.224.136.6 -A POSTROUTING -s 172.16.16.0/21 -d 10.0.0.0/8 -j RETURN -A POSTROUTING -s 172.16.16.0/21 -d 172.16.0.0/12 -j RETURN -A POSTROUTING -s 172.16.16.0/21 -d 192.168.0.0/16 -j RETURN -A POSTROUTING -s 172.16.16.0/21 -o vlan12 -j SNAT --to-source 91.224.136.6 -A POSTROUTING -s 172.31.0.0/21 -d 10.0.0.0/8 -j RETURN -A POSTROUTING -s 172.31.0.0/21 -d 172.16.0.0/12 -j RETURN -A POSTROUTING -s 172.31.0.0/21 -d 192.168.0.0/16 -j RETURN -A POSTROUTING -s 172.31.0.0/21 -o vlan12 -j SNAT --to-source 91.224.136.6 :OUTPUT ACCEPT [0:0] COMMIT Как правильно выключить в Debian ? Не нахожу команды, чтоб востановить сразу как проверю ?
  14. DNS CIsco ASR1001-x

    Это боевой, сейчас попробую так.
  15. DNS CIsco ASR1001-x

    root@rnat1:/# iptables -L -n -v Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:139 reject-with icmp-port-unreachable 4 160 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 reject-with icmp-port-unreachable 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:445 reject-with icmp-port-unreachable 13 596 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445 reject-with icmp-port-unreachable 21 4786 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:137:138 reject-with icmp-port-unreachable 0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:138 reject-with icmp-port-unreachable 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:631 reject-with icmp-port-unreachable 0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631 reject-with icmp-port-unreachable 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:631 reject-with icmp-port-unreachable 0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:631 reject-with icmp-port-unreachable 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x03/0x03 LOG flags 0 level 4 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x06 LOG flags 0 level 4 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x03/0x03 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x06 0 0 REJECT all -- * * 91.224.137.4 0.0.0.0/0 reject-with icmp-port-unreachable 0 0 REJECT all -- * * 172.16.8.12 0.0.0.0/0 reject-with icmp-port-unreachable 0 0 REJECT all -- * * 172.31.0.10 0.0.0.0/0 reject-with icmp-port-unreachable 68109 14M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 0 319 19122 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 0 0 ACCEPT tcp -- vlan3 * 172.31.0.0/21 172.31.0.0/21 tcp dpt:179 0 0 ACCEPT 89 -- vlan3 * 172.31.0.0/21 172.31.0.0/21 0 0 ACCEPT 89 -- vlan12 * 91.224.137.0/28 91.224.137.0/28 0 0 ACCEPT all -- * * 224.0.0.0/8 0.0.0.0/0 
700 112K ACCEPT all -- * * 0.0.0.0/0 224.0.0.0/8 0 0 ACCEPT tcp -- * * 172.16.8.0/21 0.0.0.0/0 tcp dpt:22 0 0 ACCEPT udp -- eth1 * 10.10.0.110 0.0.0.0/0 udp dpt:53 0 0 ACCEPT tcp -- eth1 * 10.10.0.110 0.0.0.0/0 tcp dpt:53 0 0 ACCEPT tcp -- vlan6 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 0 0 ACCEPT udp -- vlan6 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 0 0 ACCEPT tcp -- vlan4 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 0 0 ACCEPT udp -- vlan4 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 769 44084 ACCEPT tcp -- vlan3 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 89552 5828K ACCEPT udp -- vlan3 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 50 4000 ACCEPT udp -- * * 172.16.8.16 0.0.0.0/0 udp dpt:161 0 0 ACCEPT udp -- * * 172.16.8.8 0.0.0.0/0 udp dpt:161 0 0 ACCEPT tcp -- vlan2 * 172.16.8.16 0.0.0.0/0 tcp dpt:9102 0 0 ACCEPT tcp -- vlan2 * 172.16.8.16 0.0.0.0/0 tcp spt:9103 154K 8873K REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp reject-with tcp-reset 85109 7062K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x03/0x03 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x06 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:139 reject-with icmp-port-unreachable 2 80 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 reject-with icmp-port-unreachable 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:445 reject-with icmp-port-unreachable 154 7612 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445 reject-with icmp-port-unreachable 6 468 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:137:138 reject-with icmp-port-unreachable 11 858 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:138 reject-with icmp-port-unreachable 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:631 reject-with icmp-port-unreachable 0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631 reject-with icmp-port-unreachable 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:631 reject-with 
icmp-port-unreachable 0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:631 reject-with icmp-port-unreachable 2364 217K ULOG all -- * * 172.16.0.0/12 0.0.0.0/0 ULOG copy_range 0 nlgroup 1 queue_threshold 1 6439 1001K ULOG all -- * * 0.0.0.0/0 172.16.0.0/12 ULOG copy_range 0 nlgroup 1 queue_threshold 1 0 0 ACCEPT icmp -- * * 10.0.101.0/24 0.0.0.0/0 icmptype 0 0 0 ACCEPT icmp -- * * 10.0.101.0/24 0.0.0.0/0 icmptype 8 0 0 ACCEPT all -- * * 10.0.101.0/24 172.16.0.0/12 0 0 ACCEPT all -- * * 172.16.0.0/12 10.0.101.0/24 100 6140 ACCEPT all -- * * 10.0.0.0/8 172.16.24.0/24 0 0 ACCEPT all -- * * 10.0.0.0/8 172.16.25.0/24 0 0 ACCEPT all -- * * 10.0.0.0/8 172.16.26.0/24 0 0 ACCEPT tcp -- * * 10.0.0.250 172.16.16.2 tcp dpt:443 0 0 ACCEPT tcp -- * * 10.0.0.250 172.16.16.2 tcp dpt:11758 1041 119K REJECT all -- * * 10.0.0.0/8 172.16.0.0/12 reject-with icmp-port-unreachable 0 0 REJECT all -- * * 10.0.0.0/8 192.168.0.0/16 reject-with icmp-port-unreachable 235 20644 REJECT all -- * * 10.0.0.0/8 10.0.0.0/8 reject-with icmp-port-unreachable 37 4084 LOG tcp -- * * !172.16.16.7 !172.16.16.7 tcp dpt:25 LOG flags 0 level 4 prefix "CTRL 25 port: " 41 2526 LOG tcp -- * * !172.16.16.7 !172.16.16.7 tcp spt:25 LOG flags 0 level 4 prefix "CTRL 25 port: " 0 0 REJECT tcp -- * * 10.0.19.46 0.0.0.0/0 tcp dpt:25 reject-with icmp-port-unreachable 0 0 REJECT tcp -- * * 0.0.0.0/0 10.0.19.46 tcp spt:25 reject-with icmp-port-unreachable 0 0 REJECT tcp -- * * 10.0.16.162 0.0.0.0/0 tcp dpt:25 reject-with icmp-port-unreachable 0 0 REJECT tcp -- * * 0.0.0.0/0 10.0.16.162 tcp spt:25 reject-with icmp-port-unreachable 0 0 ACCEPT 47 -- * * 10.0.0.0/8 0.0.0.0/0 0 0 ACCEPT 47 -- * * 0.0.0.0/0 10.0.0.0/8 31M 31G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 1235K 82M ACCEPT all -- * * 10.0.0.0/8 0.0.0.0/0 4524 575K ACCEPT all -- * * 0.0.0.0/0 10.0.0.0/8 2270K 423M ACCEPT all -- * * 91.224.136.0/24 0.0.0.0/0 448K 563M ACCEPT all -- * * 0.0.0.0/0 91.224.136.0/24 0 0 ACCEPT all -- * * 91.224.137.0/24 
0.0.0.0/0 0 0 ACCEPT all -- * * 0.0.0.0/0 91.224.137.0/24 845 64009 ACCEPT all -- * * 172.16.16.0/21 0.0.0.0/0 0 0 ACCEPT all -- * * 0.0.0.0/0 172.16.16.0/21 10 1110 ACCEPT all -- * * 172.16.0.0/21 0.0.0.0/0 0 0 ACCEPT all -- * * 0.0.0.0/0 172.16.0.0/21 102 7782 ACCEPT all -- * * 172.31.0.0/21 0.0.0.0/0 0 0 ACCEPT all -- * * 0.0.0.0/0 172.31.0.0/21 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 287K 67M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 0 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 1844K 111M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 7320K 1373M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 0 0 ACCEPT tcp -- * vlan2 0.0.0.0/0 172.16.8.16 tcp spt:9102 0 0 ACCEPT tcp -- * vlan2 0.0.0.0/0 172.16.8.16 tcp dpt:9103 1182K 102M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0