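#######################################
# Log (rate-limited) and drop inbound TCP on the uplink to every port or
# port range listed in TCP_PORT_LOG.
# Globals:   TCP_PORT_LOG (read) - whitespace-separated ports / port ranges
#            UPLINK (read)       - external interface name
# Arguments: none
# Outputs:   appends rules to the filter INPUT chain via iptables
# Returns:   status of the last iptables call
#######################################
deny_logged_tcp_ports() {
  local port
  # Intentional word-splitting: TCP_PORT_LOG is a whitespace-separated list.
  for port in ${TCP_PORT_LOG}; do
    # Every LOG rule is rate-limited (3/m, matching the last one) so that a
    # flood of SYNs or NEW packets to a logged port cannot fill the log.
    # The prefix spellings (including "INVAILD") are preserved because
    # existing log filters may match on them.
    iptables -A INPUT -i "${UPLINK}" -p tcp --dport "${port}" --syn \
      -m limit --limit 3/m -j LOG --log-prefix "INVALID:${port} SYN IN:"
    iptables -A INPUT -i "${UPLINK}" -p tcp --dport "${port}" --syn -j DROP
    iptables -A INPUT -i "${UPLINK}" -p tcp --dport "${port}" \
      -m state --state NEW -m limit --limit 3/m -j LOG \
      --log-prefix "INVAILD${port}PORT IN:"
    iptables -A INPUT -i "${UPLINK}" -p tcp --dport "${port}" \
      -m state --state NEW -j DROP
    # Whatever is left (neither SYN nor NEW, e.g. stray ACK/FIN probes).
    iptables -A INPUT -i "${UPLINK}" -p tcp --dport "${port}" \
      -m limit --limit 3/m -j LOG --log-level 6 \
      --log-prefix "PORT:${port} attempt:" \
      --log-tcp-options --log-ip-options --log-tcp-sequence
    iptables -A INPUT -i "${UPLINK}" -p tcp --dport "${port}" -j DROP
  done
}
deny_logged_tcp_ports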
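#build a chain for the udp port or port range you want to deny
#######################################
# Log (rate-limited) and drop inbound UDP on the uplink to every port or
# port range listed in UDP_PORT_LOG.
# Globals:   UDP_PORT_LOG (read) - whitespace-separated ports / port ranges
#            UPLINK (read)       - external interface name
# Arguments: none
# Outputs:   appends rules to the filter INPUT chain via iptables
# Returns:   status of the last iptables call
#######################################
deny_logged_udp_ports() {
  local port
  # Intentional word-splitting: UDP_PORT_LOG is a whitespace-separated list.
  for port in ${UDP_PORT_LOG}; do
    # NOTE(review): iptables caps --log-prefix at 29 characters; a port range
    # such as 6000:6010 pushes this prefix to 30 and iptables will reject the
    # rule. Single ports fit. The spelling is preserved for existing filters.
    iptables -A INPUT -i "${UPLINK}" -p udp --dport "${port}" \
      -m limit --limit 3/m -j LOG --log-prefix "INVAILD PORT:${port} UDP IN:"
    iptables -A INPUT -i "${UPLINK}" -p udp --dport "${port}" -j DROP
  done
}
deny_logged_udp_ports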
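#iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
#iptables -A INPUT -i ${LAN} -p tcp -s ${MANAGE_IP} -j ACCEPT
#######################################
# Accept SSH (tcp/22) in from every management address listed in MANAGE_IP
# and any TCP out to those addresses.
# Globals:   MANAGE_IP (read) - whitespace-separated management addresses
# Arguments: none
# Outputs:   appends rules to the filter INPUT and OUTPUT chains via iptables
# Returns:   status of the last iptables call
#######################################
allow_management_ssh() {
  local addr
  # Intentional word-splitting: MANAGE_IP is a whitespace-separated list.
  for addr in ${MANAGE_IP}; do
    # Not bound to an interface: a packet arriving on the uplink with a
    # forged management source address matches this ACCEPT before the
    # anti-spoofing drops appended later in this file. Adding "-i ${LAN}"
    # (as in the commented-out rule above) would close that gap.
    iptables -t filter -A INPUT -p tcp -s "${addr}" --dport 22 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp -d "${addr}" -j ACCEPT
  done
}
allow_management_ssh
#build a chain for the tcp port or port range you want to open on this firewall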
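#######################################
# Accept inbound TCP to every port or port range listed in OPEN_TCP, on
# every interface (there is no -i match).
# Globals:   OPEN_TCP (read) - whitespace-separated ports / port ranges
# Arguments: none
# Outputs:   appends rules to the filter INPUT chain via iptables
# Returns:   status of the last iptables call
#######################################
open_tcp_ports() {
  local port
  # Intentional word-splitting: OPEN_TCP is a whitespace-separated list.
  for port in ${OPEN_TCP}; do
    iptables -A INPUT -p tcp --dport "${port}" --syn -j ACCEPT
    # This unconditional ACCEPT matches every remaining packet to the port,
    # so the stateful rule after it is never reached; both are left in place
    # rather than silently changing the rule listing.
    iptables -A INPUT -p tcp --dport "${port}" -j ACCEPT
    iptables -A INPUT -p tcp --dport "${port}" \
      -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  done
}
open_tcp_ports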
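#build a chain for the udp port or port range you want to open on this firewall
#######################################
# Accept inbound UDP to every port or port range listed in OPEN_UDP, on
# every interface (there is no -i match).
# Globals:   OPEN_UDP (read) - whitespace-separated ports / port ranges
# Arguments: none
# Outputs:   appends rules to the filter INPUT chain via iptables
# Returns:   status of the last iptables call
#######################################
open_udp_ports() {
  local port
  # Intentional word-splitting: OPEN_UDP is a whitespace-separated list.
  for port in ${OPEN_UDP}; do
    iptables -A INPUT -p udp --dport "${port}" -j ACCEPT
    # Never reached: the unconditional ACCEPT above already matched every
    # packet to this port. Left in place rather than changing the listing.
    iptables -A INPUT -p udp --dport "${port}" \
      -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  done
}
open_udp_ports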
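#build a chain to drop and log IGMP
#######################################
# Log (rate-limited) and drop all inbound IGMP. In the pasted form these two
# commands sat on the comment line and were never executed.
# Globals:   none
# Arguments: none
# Outputs:   appends rules to the filter INPUT chain via iptables
# Returns:   status of the last iptables call
#######################################
drop_igmp() {
  # Rate-limited so unsolicited IGMP cannot fill the log.
  iptables -A INPUT -p igmp -m limit --limit 2/m -j LOG --log-level 6 \
    --log-prefix "DROP IGMP"
  iptables -A INPUT -p igmp -j DROP
}
drop_igmp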
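#drop and log invalid ip range
#######################################
# Drop (through the DROP-AND-LOG chain where logging is wanted) packets
# arriving on the uplink whose source or destination can never be valid
# there: private, multicast-as-source, reserved, link-local, documentation,
# loopback, "this network" and limited-broadcast ranges. In the pasted form
# these commands sat on the comment line and were never executed.
# Globals:   UPLINK (read) - external interface name
# Arguments: none
# Outputs:   appends rules to the filter INPUT chain via iptables
# Requires:  the user-defined chain DROP-AND-LOG must already exist
# Returns:   status of the last iptables call
#######################################
drop_uplink_bogons() {
  local net
  # RFC 1918 private space, using the full blocks: 192.168.0.0/16 (not /24)
  # and 172.16.0.0/12 (the earlier 172.12.0.0/16 is public address space).
  # 10.0.0.0/8 goes through DROP-AND-LOG like its siblings instead of a
  # silent DROP.
  for net in 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12; do
    iptables -A INPUT -i "${UPLINK}" -s "${net}" -j DROP-AND-LOG
  done
  # Multicast and the whole reserved class E block (240.0.0.0/4, not /5)
  # are never valid as a source.
  iptables -A INPUT -i "${UPLINK}" -s 224.0.0.0/4 -j DROP-AND-LOG
  iptables -A INPUT -i "${UPLINK}" -s 240.0.0.0/4 -j DROP-AND-LOG
  # Link-local and the TEST-NET-1 documentation range.
  iptables -A INPUT -i "${UPLINK}" -s 169.254.0.0/16 -j DROP-AND-LOG
  iptables -A INPUT -i "${UPLINK}" -s 192.0.2.0/24 -j DROP-AND-LOG
  # Multicast destinations: only UDP is accepted in, anything else is dropped
  # silently. "! -p udp" is the supported negation syntax; the intrapositioned
  # "-p ! udp" is deprecated and not accepted by current iptables.
  iptables -A INPUT -i "${UPLINK}" ! -p udp -d 224.0.0.0/4 -j DROP
  iptables -A INPUT -i "${UPLINK}" -p udp -d 224.0.0.0/4 -j ACCEPT
  # Loopback (all of 127.0.0.0/8, not only 127.0.0.1), "this network"
  # (0.0.0.0/8) and limited broadcast must never arrive from outside.
  iptables -A INPUT -i "${UPLINK}" -d 127.0.0.0/8 -j DROP-AND-LOG
  iptables -A INPUT -i "${UPLINK}" -s 127.0.0.0/8 -j DROP-AND-LOG
  iptables -A INPUT -i "${UPLINK}" -s 0.0.0.0/8 -j DROP-AND-LOG
  iptables -A INPUT -i "${UPLINK}" -s 255.255.255.255 -j DROP-AND-LOG
}
drop_uplink_bogons
#drop and log invalid manage ip in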