# Generado por iptables-save # necesita revision, falta el NAT para la LAN *filter :INPUT DROP [0:0] :FORWARD ACCEPT [0:0] :OUTPUT DROP [0:0] -A INPUT -i lo -j ACCEPT -A INPUT -i eth1 -p icmp -j ACCEPT -A INPUT -i eth2 -p icmp -j ACCEPT -A INPUT -i eth0 -s ip-externa-confianza -j ACCEPT -A INPUT -s 192.168.1.0/255.255.255.0 -j ACCEPT -A INPUT -p udp -m udp --sport 161 -j ACCEPT -A INPUT -p tcp -m tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m tcp --sport 20:21 -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -A INPUT -s dns1 -p udp -m udp --sport 53 -j ACCEPT -A INPUT -s dns2 -p udp -m udp --sport 53 -j ACCEPT -A INPUT -s 130.206.3.166 -p udp -m udp --dport 123 -j ACCEPT -A INPUT -p tcp -m tcp --dport 1:1024 -j DROP -A INPUT -p tcp -m tcp --dport 19720 -j DROP -A INPUT -p tcp -m tcp --dport 1972 -j DROP -A INPUT -p tcp -m tcp --dport 3306 -j DROP -A INPUT -p udp -m udp --dport 1:1024 -j DROP -A FORWARD -p icmp -j ACCEPT -A FORWARD -s 192.168.1.0/255.255.0.0 -p udp -m udp --dport 53 -j ACCEPT -A FORWARD -d 192.168.1.0/255.255.0.0 -p udp -m udp --sport 53 -j ACCEPT -A FORWARD -s 192.168.1.0/255.255.0.0 -p tcp -m tcp -j ACCEPT -A FORWARD -d 192.168.1.0/255.255.0.0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -o lo -j ACCEPT -A OUTPUT -p icmp -j ACCEPT -A OUTPUT -o eth1 -p icmp -j ACCEPT -A OUTPUT -o eth2 -p icmp -j ACCEPT -A OUTPUT -o eth0 -d ip-externa-confianza -j ACCEPT -A OUTPUT -d 192.168.1.0/255.255.255.0 -j ACCEPT -A OUTPUT -p udp -m udp --dport 161 -j ACCEPT -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT -A OUTPUT -p tcp -m tcp --dport 20:21 -j ACCEPT -A OUTPUT -p tcp -m tcp --dport 1024:65535 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -d dns1 -p udp -m udp --dport 53 -j ACCEPT -A OUTPUT -d dns2 -p udp -m udp --dport 53 -j ACCEPT -A OUTPUT -d 130.206.3.166 -p udp -m udp --sport 123 -j ACCEPT COMMIT