Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
tree: e379264f85
Fetching contributors…

Cannot retrieve contributors at this time

97 lines (78 sloc) 2.952 kb
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:upnp - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
# v6
-A INPUT --proto 41 -s 216.66.80.26 -j ACCEPT
# dhcp
-A INPUT -i eth0 -p udp --dport 67:68 -j ACCEPT
-A INPUT -i br0 -p udp --dport 67:68 -j ACCEPT
# upnp
-A INPUT -p udp --dport 1900 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 49152 -m state --state NEW -j ACCEPT
-A FORWARD -j upnp
# snmp
-A INPUT -p udp --dport 161 -j ACCEPT
# dropbox spams bcast?
-A INPUT -p udp --dport 17500 -j DROP
# Don't log packets, small flash drive in this box:
#-A INPUT -j LOG
-A INPUT -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:services - [0:0]
:loopback - [0:0]
:upnp - [0:0]
-A PREROUTING -i eth1 -j services
-A POSTROUTING -o eth1 -j MASQUERADE
# NAT loopback
-A PREROUTING -d 93.97.176.250 -i br0 -j services
-A POSTROUTING -s 172.31.24.0/24 -o br0 -j loopback
# UPnP (make sure this is last)
-A PREROUTING -j upnp
-A services -p tcp --dport 22 -j DNAT --to-destination 172.31.24.101
-A services -p tcp --dport 80 -j DNAT --to-destination 172.31.24.101
-A services -p tcp --dport 8001 -s 85.119.83.146 -j DNAT --to-destination 172.31.24.101
-A services -p tcp --dport 8002 -s 85.119.83.146 -j DNAT --to-destination 172.31.24.101
-A services -p tcp --dport 8003 -s 85.119.83.146 -j DNAT --to-destination 172.31.24.101
-A services -p tcp --dport 8004 -s 85.119.83.146 -j DNAT --to-destination 172.31.24.101
-A services -p tcp --dport 8010 -j DNAT --to-destination 172.31.24.101
-A services -p tcp --dport 8022 -j DNAT --to-destination 172.31.24.3:22
-A loopback -p tcp --dport 22 -j SNAT --to-source 172.31.24.3
-A loopback -p tcp --dport 80 -j SNAT --to-source 172.31.24.3
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:shaper - [0:0]
-A POSTROUTING -o eth1 -j shaper
# Priority: 20 (ICMP)
-A shaper -p icmp -j MARK --set-mark 0x14
# Priority: 21 (DNS)
-A shaper -p udp -m udp --dport 53 -j MARK --set-mark 0x15
-A shaper -p udp -m udp --sport 53 -j MARK --set-mark 0x15
# Priority: 26 (minimise cost)
-A shaper -p tcp -m tos --tos 0x02/0xff -j MARK --set-mark 0x1a
# Priority: 22 (minimise delay)
-A shaper -p tcp -m tos --tos 0x10/0xff -j MARK --set-mark 0x16
# Priority: 23 (short ACKs)
-A shaper -p tcp -m tcp -m length --tcp-flags SYN,RST,ACK ACK --length 0:128 -j MARK --set-mark 0x17
# Priority: 26 (FTP-data)
-A shaper -p tcp -m tcp --dport 20 -j MARK --set-mark 0x1a
# Priority: 25 (Well-known ports)
-A shaper -p tcp -m tcp --sport 0:1024 -j MARK --set-xmark 0x19
-A shaper -p tcp -m tcp --dport 0:1024 -j MARK --set-xmark 0x19
COMMIT
Jump to Line
Something went wrong with that request. Please try again.