LinuxQuestions.org > Forums > Linux - Security
#1, 02-15-2014, 02:32 PM
welshdemon (LQ Newbie; Registered: Oct 2009; Posts: 13)
Port scan shows ports open despite default iptables rule to DROP


Despite this rule after my other rules in iptables
-A INPUT -j DROP

A port scan shows this.

TCP ports 25,80,81,110,119,143,465,563,587,3128,8080,8081,8888

What the heck. Shouldn't "DROP" prevent these from showing up?
They are definitely not set to ACCEPT in any rules.
 
#2, 02-15-2014, 02:40 PM
yzT! (Member; Registered: Jan 2013; Distribution: LMDE / Kali; Posts: 94)
Well... if you have those services running, it is normal that they are open.

Btw, the rule to change the policy's behavior is -P INPUT DROP.

For further help, better post your rules here.
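An added example, not code from the thread or from APF, that makes the point above checkable against the ruleset welshdemon posts further down: it replays the probe a SYN scan sends (a fresh TCP SYN) through the INPUT chain and reports which rule decides each scanned port. RULESET is a trimmed excerpt of that dump (the blacklist chains are left out and IN_SANITY is cut to one entry); the scanner's source address 10.1.2.3 and source port 40000 are assumed; and only the matches the dump actually uses are modelled (-i, -s, -p, --dport/--dports, --sport, --state, --tcp-flags and `!`), while every other option (-m, -j, --limit, ...) is skipped together with its single argument, so `-f` and ICMP rules from the full dump would need a small extension.

```python
import ipaddress
import shlex

# Trimmed excerpt of the INPUT chain from the iptables-save dump posted later in
# the thread; the blacklist chains are omitted and IN_SANITY is cut to one entry.
RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:IN_SANITY - [0:0]
:PZERO - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i eth0 -j DROP
-A INPUT -j IN_SANITY
-A INPUT -j PZERO
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25250:25259 -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25251,20 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -j DROP
-A INPUT -j DROP
-A IN_SANITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PZERO -p tcp -m tcp --dport 0 -j DROP
COMMIT
"""
SCANNED = [25, 80, 81, 110, 119, 143, 465, 563, 587, 3128, 8080, 8081, 8888]  # from post #1
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse(text):
    """Return ({chain: policy or None}, {chain: [(rule line, match tokens), ...]})."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                 # ':NAME POLICY [pkts:bytes]'
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy
            chains[name] = []
        elif line.startswith("-A "):             # '-A CHAIN <matches> -j TARGET'
            toks = shlex.split(line)
            chains[toks[1]].append((line, toks[2:]))
    return policies, chains

def in_port_spec(port, spec):
    """Port specs as iptables-save writes them: '80', '1023:65535', '25251,20'."""
    return any(int(lo) <= port <= int(hi or lo)
               for lo, _, hi in (s.partition(":") for s in spec.split(",")))

def matches(toks, pkt):
    """Evaluate one rule's match options against the simulated packet."""
    i, neg = 0, False
    while i < len(toks):
        tok = toks[i]
        if tok == "!":                           # negates the match that follows
            neg, i = True, i + 1
            continue
        nargs = 2 if tok == "--tcp-flags" else 1  # every other option here takes one arg
        args, ok = toks[i + 1:i + 1 + nargs], True  # -m/-j/--limit/... carry no packet test
        if tok == "-i":
            ok = pkt["iface"] == args[0]
        elif tok == "-s":
            ok = ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(args[0])
        elif tok == "-p":
            ok = pkt["proto"] == args[0]
        elif tok in ("--dport", "--dports"):
            ok = in_port_spec(pkt["dport"], args[0])
        elif tok == "--sport":
            ok = in_port_spec(pkt["sport"], args[0])
        elif tok == "--state":
            ok = pkt["state"] in args[0].split(",")
        elif tok == "--tcp-flags":               # MASK COMP: the flags inside MASK must equal COMP
            mask, comp = set(args[0].split(",")), args[1].split(",")
            want = set() if comp == ["NONE"] else mask if comp == ["ALL"] else set(comp)
            ok = (pkt["flags"] & mask) == want
        if ok == neg:                            # plain mismatch, or a negated match that hit
            return False
        neg, i = False, i + 1 + nargs
    return True

def verdict(policies, chains, pkt, chain="INPUT"):
    """First terminal verdict for pkt as (verdict, deciding rule); user chains fall through."""
    for line, toks in chains[chain]:
        if not matches(toks, pkt):
            continue
        target = toks[toks.index("-j") + 1] if "-j" in toks else "RETURN"
        if target in TERMINAL:
            return target, line
        if target in chains:                     # user chain: recurse, keep going if it returns
            result = verdict(policies, chains, pkt, target)
            if result:
                return result
    if policies.get(chain):                      # built-in chain with nothing matched: the policy decides
        return policies[chain], f"policy {chain} {policies[chain]}"
    return None

def syn_verdict(ruleset, dport, src="10.1.2.3", iface="eth0"):
    """Fate of a fresh SYN to dport, the probe a SYN scan sends (scanner address assumed)."""
    pkt = {"iface": iface, "src": src, "proto": "tcp", "sport": 40000,
           "dport": dport, "state": "NEW", "flags": {"SYN"}}
    policies, chains = parse(ruleset)
    return verdict(policies, chains, pkt)
```

Run `syn_verdict(RULESET, p)` over SCANNED and the picture is: 80 is ACCEPTed by its own rule, 25250-25259 by theirs, and every other port in the scan (25, 81, 110, 8080 and so on) ends at `-A INPUT -p tcp -j DROP`, never at the bare `-A INPUT -j DROP` and never at the chain policy. Two things follow. A scanner only reports a TCP port as open when something answered the SYN with a SYN/ACK, and a DROPped SYN produces no answer at all (nmap calls that filtered), so if a scan still shows 25 or 8080 open, whatever decided that scan is not this ruleset: compare the counters from `iptables -L INPUT -v -n --line-numbers` on the server while the scan runs, and check `ss -lntp` (or `netstat -lntp`) for what is actually listening. And the policy matters as much as the last rule: with `:INPUT ACCEPT` as in the dump, the same probe against an emptied chain (for instance after `iptables -F INPUT`) is accepted by the policy, whereas `-P INPUT DROP` keeps it dropped; that is the difference the reply above points at.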
 
#3, 02-15-2014, 04:12 PM
welshdemon (Original Poster)
This is a brand new server, just set up. There should be nothing running on it, maybe apache, ssh, ftp.
There are probably too many rules to post here. APF made them (including IPs from some blacklists, hence so many rules); I'll try to paste them:


Code:
# Generated by iptables-save v1.4.7 on Sat Feb 15 20:27:48 2014
*nat
:PREROUTING ACCEPT [412:23152]
:POSTROUTING ACCEPT [16:913]
:OUTPUT ACCEPT [16:913]
COMMIT
# Completed on Sat Feb 15 20:27:48 2014
# Generated by iptables-save v1.4.7 on Sat Feb 15 20:27:48 2014
*mangle
:PREROUTING ACCEPT [4017:418624]
:INPUT ACCEPT [4017:418624]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4045:5967920]
:POSTROUTING ACCEPT [4045:5967920]
-A PREROUTING -p tcp -m tcp --sport 21 -j TOS --set-tos 0x08/0xff 
-A PREROUTING -p udp -m udp --sport 21 -j TOS --set-tos 0x08/0xff 
-A PREROUTING -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08/0xff 
-A PREROUTING -p udp -m udp --sport 20 -j TOS --set-tos 0x08/0xff 
-A PREROUTING -p tcp -m tcp --sport 80 -j TOS --set-tos 0x08/0xff 
-A PREROUTING -p udp -m udp --sport 80 -j TOS --set-tos 0x08/0xff 
-A PREROUTING -p tcp -m tcp --sport 25 -j TOS --set-tos 0x10/0xff 
-A PREROUTING -p udp -m udp --sport 25 -j TOS --set-tos 0x10/0xff 
-A PREROUTING -p tcp -m tcp --sport 110 -j TOS --set-tos 0x10/0xff 
-A PREROUTING -p udp -m udp --sport 110 -j TOS --set-tos 0x10/0xff 
-A PREROUTING -p tcp -m tcp --sport 143 -j TOS --set-tos 0x10/0xff 
-A PREROUTING -p udp -m udp --sport 143 -j TOS --set-tos 0x10/0xff 
-A PREROUTING -p tcp -m tcp --sport 512:65535 -j TOS --set-tos 0x00/0xff 
-A PREROUTING -p udp -m udp --sport 512:65535 -j TOS --set-tos 0x00/0xff 
-A POSTROUTING -p tcp -m tcp --dport 21 -j TOS --set-tos 0x08/0xff 
-A POSTROUTING -p udp -m udp --dport 21 -j TOS --set-tos 0x08/0xff 
-A POSTROUTING -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08/0xff 
-A POSTROUTING -p udp -m udp --dport 20 -j TOS --set-tos 0x08/0xff 
-A POSTROUTING -p tcp -m tcp --dport 80 -j TOS --set-tos 0x08/0xff 
-A POSTROUTING -p udp -m udp --dport 80 -j TOS --set-tos 0x08/0xff 
-A POSTROUTING -p tcp -m tcp --dport 25 -j TOS --set-tos 0x10/0xff 
-A POSTROUTING -p udp -m udp --dport 25 -j TOS --set-tos 0x10/0xff 
-A POSTROUTING -p tcp -m tcp --dport 110 -j TOS --set-tos 0x10/0xff 
-A POSTROUTING -p udp -m udp --dport 110 -j TOS --set-tos 0x10/0xff 
-A POSTROUTING -p tcp -m tcp --dport 143 -j TOS --set-tos 0x10/0xff 
-A POSTROUTING -p udp -m udp --dport 143 -j TOS --set-tos 0x10/0xff 
-A POSTROUTING -p tcp -m tcp --dport 512:65535 -j TOS --set-tos 0x00/0xff 
-A POSTROUTING -p udp -m udp --dport 512:65535 -j TOS --set-tos 0x00/0xff 
COMMIT
# Completed on Sat Feb 15 20:27:48 2014
# Generated by iptables-save v1.4.7 on Sat Feb 15 20:27:48 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DSHIELD - [0:0]
:FRAG_UDP - [0:0]
:IN_SANITY - [0:0]
:OUT_SANITY - [0:0]
:P2P - [0:0]
:PHP - [0:0]
:PROHIBIT - [0:0]
:PZERO - [0:0]
:REFRESH_TEMP - [0:0]
:RESET - [0:0]
:SDROP - [0:0]
:TALLOW - [0:0]
:TDENY - [0:0]
:TGALLOW - [0:0]
:TGDENY - [0:0]
-A INPUT -i lo -j ACCEPT 
-A INPUT -s 100.64.0.0/10 -i eth0 -j DROP 
-A INPUT -s 127.0.0.0/8 -i eth0 -j DROP 
-A INPUT -s 169.254.0.0/16 -i eth0 -j DROP 
-A INPUT -s 192.0.0.0/24 -i eth0 -j DROP 
-A INPUT -s 192.0.2.0/24 -i eth0 -j DROP 
-A INPUT -s 198.18.0.0/15 -i eth0 -j DROP 
-A INPUT -s 198.51.100.0/24 -i eth0 -j DROP 
-A INPUT -s 203.0.113.0/24 -i eth0 -j DROP 
-A INPUT -s 224.0.0.0/4 -i eth0 -j DROP 
-A INPUT -s 240.0.0.0/4 -i eth0 -j DROP 
-A INPUT -j REFRESH_TEMP 
-A INPUT -j TALLOW 
-A INPUT -j TDENY 
-A INPUT -j TGALLOW 
-A INPUT -j TGDENY 
-A INPUT -j PHP 
-A INPUT -j DSHIELD 
-A INPUT -j SDROP 
-A INPUT -p tcp -m tcp --dport 135:139 -j DROP 
-A INPUT -p udp -m udp --dport 135:139 -j DROP 
-A INPUT -p tcp -m tcp --dport 111 -j DROP 
-A INPUT -p udp -m udp --dport 111 -j DROP 
-A INPUT -p tcp -m tcp --dport 513 -j DROP 
-A INPUT -p udp -m udp --dport 513 -j DROP 
-A INPUT -p tcp -m tcp --dport 520 -j DROP 
-A INPUT -p udp -m udp --dport 520 -j DROP 
-A INPUT -p tcp -m tcp --dport 445 -j DROP 
-A INPUT -p udp -m udp --dport 445 -j DROP 
-A INPUT -p tcp -m tcp --dport 1433 -j DROP 
-A INPUT -p udp -m udp --dport 1433 -j DROP 
-A INPUT -p tcp -m tcp --dport 1434 -j DROP 
-A INPUT -p udp -m udp --dport 1434 -j DROP 
-A INPUT -p tcp -m tcp --dport 1234 -j DROP 
-A INPUT -p udp -m udp --dport 1234 -j DROP 
-A INPUT -p tcp -m tcp --dport 1524 -j DROP 
-A INPUT -p udp -m udp --dport 1524 -j DROP 
-A INPUT -p tcp -m tcp --dport 3127 -j DROP 
-A INPUT -p udp -m udp --dport 3127 -j DROP 
-A INPUT -j IN_SANITY 
-A INPUT -j FRAG_UDP 
-A INPUT -j PZERO 
-A INPUT -j P2P 
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 25250:25259 -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 3 -m limit --limit 30/sec -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 5 -m limit --limit 30/sec -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 11 -m limit --limit 30/sec -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 30 -m limit --limit 30/sec -j ACCEPT 
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP 
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -s 78.110.160.234/32 -p udp -m udp --sport 53 --dport 1023:65535 -j ACCEPT 
-A INPUT -s 78.110.160.234/32 -p tcp -m tcp --sport 53 --dport 1023:65535 -j ACCEPT 
-A INPUT -p tcp -m tcp --sport 53 --dport 1023:65535 -j DROP 
-A INPUT -p udp -m udp --sport 53 --dport 1023:65535 -j DROP 
-A INPUT -s 77.74.192.36/32 -p udp -m udp --sport 53 --dport 1023:65535 -j ACCEPT 
-A INPUT -s 77.74.192.36/32 -p tcp -m tcp --sport 53 --dport 1023:65535 -j ACCEPT 
-A INPUT -p tcp -m tcp --sport 53 --dport 1023:65535 -j DROP 
-A INPUT -p udp -m udp --sport 53 --dport 1023:65535 -j DROP 
-A INPUT -p tcp -m tcp --sport 1023:65535 --dport 25251 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 25251,20 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p udp -m multiport --dports 25251,20 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp --sport 25252 --dport 513:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 25252 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p udp -m udp --dport 25252 -m state --state ESTABLISHED -j ACCEPT 
-A INPUT -p udp -m state --state NEW -m udp --dport 33434:33534 -j ACCEPT 
-A INPUT -p tcp -j DROP 
-A INPUT -p udp -j DROP 
-A INPUT -j DROP 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 
-A OUTPUT -d 100.64.0.0/10 -o eth0 -j DROP 
-A OUTPUT -d 127.0.0.0/8 -o eth0 -j DROP 
-A OUTPUT -d 169.254.0.0/16 -o eth0 -j DROP 
-A OUTPUT -d 192.0.0.0/24 -o eth0 -j DROP 
-A OUTPUT -d 192.0.2.0/24 -o eth0 -j DROP 
-A OUTPUT -d 198.18.0.0/15 -o eth0 -j DROP 
-A OUTPUT -d 198.51.100.0/24 -o eth0 -j DROP 
-A OUTPUT -d 203.0.113.0/24 -o eth0 -j DROP 
-A OUTPUT -d 224.0.0.0/4 -o eth0 -j DROP 
-A OUTPUT -d 240.0.0.0/4 -o eth0 -j DROP 
-A OUTPUT -j REFRESH_TEMP 
-A OUTPUT -j TALLOW 
-A OUTPUT -j TDENY 
-A OUTPUT -j TGALLOW 
-A OUTPUT -j TGDENY 
-A OUTPUT -j PHP 
-A OUTPUT -j DSHIELD 
-A OUTPUT -j SDROP 
-A OUTPUT -p tcp -m tcp --dport 135:139 -j DROP 
-A OUTPUT -p udp -m udp --dport 135:139 -j DROP 
-A OUTPUT -p tcp -m tcp --dport 111 -j DROP 
-A OUTPUT -p udp -m udp --dport 111 -j DROP 
-A OUTPUT -p tcp -m tcp --dport 513 -j DROP 
-A OUTPUT -p udp -m udp --dport 513 -j DROP 
-A OUTPUT -p tcp -m tcp --dport 520 -j DROP 
-A OUTPUT -p udp -m udp --dport 520 -j DROP 
-A OUTPUT -p tcp -m tcp --dport 445 -j DROP 
-A OUTPUT -p udp -m udp --dport 445 -j DROP 
-A OUTPUT -p tcp -m tcp --dport 1433 -j DROP 
-A OUTPUT -p udp -m udp --dport 1433 -j DROP 
-A OUTPUT -p tcp -m tcp --dport 1434 -j DROP 
-A OUTPUT -p udp -m udp --dport 1434 -j DROP 
-A OUTPUT -p tcp -m tcp --dport 1234 -j DROP 
-A OUTPUT -p udp -m udp --dport 1234 -j DROP 
-A OUTPUT -p tcp -m tcp --dport 1524 -j DROP 
-A OUTPUT -p udp -m udp --dport 1524 -j DROP 
-A OUTPUT -p tcp -m tcp --dport 3127 -j DROP 
-A OUTPUT -p udp -m udp --dport 3127 -j DROP 
-A OUTPUT -j OUT_SANITY 
-A OUTPUT -j FRAG_UDP 
-A OUTPUT -j PZERO 
-A OUTPUT -j P2P 
-A OUTPUT -p tcp -m tcp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -p udp -m udp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -d 78.110.160.234/32 -p udp -m udp --sport 1023:65535 --dport 53 -j ACCEPT 
-A OUTPUT -d 78.110.160.234/32 -p tcp -m tcp --sport 1023:65535 --dport 53 -j ACCEPT 
-A OUTPUT -d 78.110.160.234/32 -p udp -m udp --sport 1023:65535 --dport 53 -j ACCEPT 
-A OUTPUT -d 78.110.160.234/32 -p tcp -m tcp --sport 1023:65535 --dport 53 -j ACCEPT 
-A OUTPUT -d 77.74.192.36/32 -p udp -m udp --sport 1023:65535 --dport 53 -j ACCEPT 
-A OUTPUT -d 77.74.192.36/32 -p tcp -m tcp --sport 1023:65535 --dport 53 -j ACCEPT 
-A OUTPUT -d 77.74.192.36/32 -p udp -m udp --sport 1023:65535 --dport 53 -j ACCEPT 
-A OUTPUT -d 77.74.192.36/32 -p tcp -m tcp --sport 1023:65535 --dport 53 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --sport 25251 --dport 1023:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -p tcp -m multiport --dports 25251,20 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -p udp -m multiport --dports 25251,20 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -p udp -m state --state NEW -m udp --dport 33434:33534 -j ACCEPT 
-A OUTPUT -j ACCEPT 
-A DSHIELD -s 61.134.56.0/24 -j DROP 
-A DSHIELD -s 210.231.114.0/24 -j DROP 
-A DSHIELD -s 125.211.198.0/24 -j DROP 
-A DSHIELD -s 89.35.201.0/24 -j DROP 
-A DSHIELD -s 125.211.198.0/24 -j DROP 
-A DSHIELD -s 202.103.11.0/24 -j DROP 
-A DSHIELD -s 219.138.39.0/24 -j DROP 
-A DSHIELD -s 61.132.223.0/24 -j DROP 
-A DSHIELD -s 89.35.78.0/24 -j DROP 
-A DSHIELD -s 202.99.11.0/24 -j DROP 
-A DSHIELD -s 125.211.198.0/24 -j DROP 
-A DSHIELD -s 89.39.184.0/24 -j DROP 
-A DSHIELD -s 125.211.198.0/24 -j DROP 
-A DSHIELD -s 89.39.128.0/24 -j DROP 
-A DSHIELD -s 125.211.198.0/24 -j DROP 
-A DSHIELD -s 122.225.1.0/24 -j DROP 
-A DSHIELD -s 221.206.121.0/24 -j DROP 
-A DSHIELD -s 89.33.87.0/24 -j DROP 
-A DSHIELD -s 125.211.198.0/24 -j DROP 
-A DSHIELD -s 89.37.212.0/24 -j DROP 
-A DSHIELD -s 125.211.198.0/24 -j DROP 
-A DSHIELD -s 61.153.50.0/24 -j DROP 
-A DSHIELD -s 89.21.132.0/24 -j DROP 
-A DSHIELD -s 83.242.164.0/24 -j DROP 
-A DSHIELD -s 221.206.121.0/24 -j DROP 
-A DSHIELD -s 221.206.121.0/24 -j DROP 
-A DSHIELD -s 125.211.198.0/24 -j DROP 
-A DSHIELD -s 125.211.198.0/24 -j DROP 
-A DSHIELD -s 221.206.123.0/24 -j DROP 
-A DSHIELD -s 222.39.12.0/24 -j DROP 
-A DSHIELD -s 89.37.234.0/24 -j DROP 
-A DSHIELD -s 89.38.94.0/24 -j DROP 
-A DSHIELD -s 88.183.173.0/24 -j DROP 
-A DSHIELD -s 125.211.198.0/24 -j DROP 
-A DSHIELD -s 218.6.9.0/24 -j DROP 
-A DSHIELD -s 89.44.42.0/24 -j DROP 
-A DSHIELD -s 212.241.200.0/24 -j DROP 
-A DSHIELD -s 125.211.198.0/24 -j DROP 
-A DSHIELD -s 220.163.85.0/24 -j DROP 
-A DSHIELD -s 89.34.87.0/24 -j DROP 
-A DSHIELD -s 89.40.76.0/24 -j DROP 
-A DSHIELD -s 89.44.54.0/24 -j DROP 
-A DSHIELD -s 89.39.168.0/24 -j DROP 
-A DSHIELD -s 89.39.5.0/24 -j DROP 
-A DSHIELD -s 89.39.55.0/24 -j DROP 
-A DSHIELD -s 89.39.55.0/24 -j DROP 
-A DSHIELD -s 89.44.3.0/24 -j DROP 
-A DSHIELD -s 89.44.139.0/24 -j DROP 
-A DSHIELD -s 139.175.68.0/24 -j DROP 
-A DSHIELD -s 78.128.60.0/24 -j DROP 
-A DSHIELD -s 89.39.187.0/24 -j DROP 
-A DSHIELD -s 195.95.223.0/24 -j DROP 
-A DSHIELD -s 203.153.186.0/24 -j DROP 
-A DSHIELD -s 89.44.24.0/24 -j DROP 
-A DSHIELD -s 89.44.236.0/24 -j DROP 
-A DSHIELD -s 89.42.203.0/24 -j DROP 
-A DSHIELD -s 89.44.25.0/24 -j DROP 
-A DSHIELD -s 89.42.206.0/24 -j DROP 
-A DSHIELD -s 89.34.101.0/24 -j DROP 
-A DSHIELD -s 89.44.104.0/24 -j DROP 
-A DSHIELD -s 89.40.72.0/24 -j DROP 
-A DSHIELD -s 89.44.31.0/24 -j DROP 
-A DSHIELD -s 89.40.99.0/24 -j DROP 
-A DSHIELD -s 89.41.89.0/24 -j DROP 
-A DSHIELD -s 89.35.79.0/24 -j DROP 
-A DSHIELD -s 89.39.49.0/24 -j DROP 
-A DSHIELD -s 89.39.52.0/24 -j DROP 
-A DSHIELD -s 89.39.253.0/24 -j DROP 
-A DSHIELD -s 89.38.40.0/24 -j DROP 
-A DSHIELD -s 89.39.6.0/24 -j DROP 
-A DSHIELD -s 89.39.41.0/24 -j DROP 
-A DSHIELD -s 219.84.218.0/24 -j DROP 
-A DSHIELD -s 89.38.164.0/24 -j DROP 
-A DSHIELD -s 89.39.130.0/24 -j DROP 
-A DSHIELD -s 89.44.207.0/24 -j DROP 
-A DSHIELD -s 125.211.198.0/24 -j DROP 
-A DSHIELD -s 221.206.121.0/24 -j DROP 
-A DSHIELD -s 89.38.166.0/24 -j DROP 
-A DSHIELD -s 125.211.198.0/24 -j DROP 
-A DSHIELD -s 89.40.245.0/24 -j DROP 
-A DSHIELD -s 125.211.198.0/24 -j DROP 
-A DSHIELD -s 89.44.23.0/24 -j DROP 
-A DSHIELD -s 213.98.22.0/24 -j DROP 
-A DSHIELD -s 202.75.222.0/24 -j DROP 
-A DSHIELD -s 89.40.51.0/24 -j DROP 
-A DSHIELD -s 89.42.211.0/24 -j DROP 
-A DSHIELD -s 125.211.198.0/24 -j DROP 
-A DSHIELD -s 89.40.76.0/24 -j DROP 
-A DSHIELD -s 125.211.198.0/24 -j DROP 
-A DSHIELD -s 89.36.189.0/24 -j DROP 
-A DSHIELD -s 89.36.161.0/24 -j DROP 
-A DSHIELD -s 89.41.106.0/24 -j DROP 
-A DSHIELD -s 89.39.185.0/24 -j DROP 
-A DSHIELD -s 89.39.0.0/24 -j DROP 
-A DSHIELD -s 218.246.182.0/24 -j DROP 
-A DSHIELD -s 89.37.232.0/24 -j DROP 
-A DSHIELD -s 89.222.153.0/24 -j DROP 
-A DSHIELD -s 89.37.233.0/24 -j DROP 
-A DSHIELD -s 164.164.33.0/24 -j DROP 
-A DSHIELD -s 89.39.54.0/24 -j DROP 
-A FRAG_UDP -p udp -f -j DROP 
-A IN_SANITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP 
-A IN_SANITY -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP 
-A IN_SANITY -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP 
-A IN_SANITY -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP 
-A IN_SANITY -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP 
-A IN_SANITY -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP 
-A IN_SANITY -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP 
-A IN_SANITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP 
-A IN_SANITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP 
-A IN_SANITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP 
-A IN_SANITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP 
-A OUT_SANITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP 
-A OUT_SANITY -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP 
-A OUT_SANITY -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP 
-A OUT_SANITY -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP 
-A OUT_SANITY -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP 
-A OUT_SANITY -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP 
-A OUT_SANITY -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP 
-A P2P -p tcp -m tcp --dport 1214 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --sport 1214 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 1024:65534 --dport 1214 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 1214 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --dport 2323 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --sport 2323 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 1024:65534 --dport 2323 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 2323 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --sport 1024:65534 --dport 4660:4678 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --sport 4660:4678 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 1024:65534 --dport 4660:4678 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 4660:4678 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --dport 6257 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --sport 6257 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 1024:65534 --dport 6257 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 6257 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --dport 6699 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --sport 6699 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 1024:65534 --dport 6699 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 6699 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --dport 6346 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --sport 6346 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 1024:65534 --dport 6346 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 6346 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --dport 6347 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --sport 6347 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 1024:65534 --dport 6347 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 6347 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --sport 1024:65534 --dport 6881:6889 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --sport 6881:6889 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 1024:65534 --dport 6881:6889 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 6881:6889 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --dport 6346 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --sport 6346 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 1024:65534 --dport 6346 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 6346 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --dport 7778 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --sport 7778 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 1024:65534 --dport 7778 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 7778 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A PHP -s 103.20.39.199/32 -j DROP 
-A PHP -s 111.73.45.185/32 -j DROP 
-A PHP -s 112.123.168.148/32 -j DROP 
-A PHP -s 112.123.168.152/32 -j DROP 
-A PHP -s 112.123.168.153/32 -j DROP 
-A PHP -s 112.168.218.86/32 -j DROP 
-A PHP -s 112.184.172.244/32 -j DROP 
-A PHP -s 112.216.45.114/32 -j DROP 
-A PHP -s 112.216.48.252/32 -j DROP 
-A PHP -s 112.216.8.158/32 -j DROP 
-A PHP -s 113.161.69.72/32 -j DROP 
-A PHP -s 113.161.70.2/32 -j DROP 
-A PHP -s 113.162.90.218/32 -j DROP 
-A PHP -s 114.32.168.26/32 -j DROP 
-A PHP -s 114.41.227.146/32 -j DROP 
-A PHP -s 118.97.212.178/32 -j DROP 
-A PHP -s 122.224.67.242/32 -j DROP 
-A PHP -s 122.252.246.234/32 -j DROP 
-A PHP -s 124.105.78.119/32 -j DROP 
-A PHP -s 125.34.146.202/32 -j DROP 
-A PHP -s 125.34.146.222/32 -j DROP 
-A PHP -s 125.34.151.171/32 -j DROP 
-A PHP -s 125.34.151.236/32 -j DROP 
-A PHP -s 142.4.101.65/32 -j DROP 
-A PHP -s 14.52.137.54/32 -j DROP 
-A PHP -s 168.63.52.15/32 -j DROP 
-A PHP -s 168.63.76.156/32 -j DROP 
-A PHP -s 168.63.84.74/32 -j DROP 
-A PHP -s 173.44.37.226/32 -j DROP 
-A PHP -s 173.44.37.234/32 -j DROP 
-A PHP -s 173.44.37.242/32 -j DROP 
-A PHP -s 173.44.37.250/32 -j DROP 
-A PHP -s 176.31.17.40/32 -j DROP 
-A PHP -s 178.137.94.80/32 -j DROP 
-A PHP -s 178.168.103.64/32 -j DROP 
-A PHP -s 187.174.173.18/32 -j DROP 
-A PHP -s 187.35.114.119/32 -j DROP 
-A PHP -s 188.143.232.31/32 -j DROP 
-A PHP -s 190.120.228.20/32 -j DROP 
-A PHP -s 190.202.116.101/32 -j DROP 
-A PHP -s 190.90.194.2/32 -j DROP 
-A PHP -s 192.74.242.227/32 -j DROP 
-A PHP -s 193.194.92.242/32 -j DROP 
-A PHP -s 193.95.90.194/32 -j DROP 
-A PHP -s 195.229.236.245/32 -j DROP 
-A PHP -s 195.229.236.247/32 -j DROP 
-A PHP -s 198.2.208.18/32 -j DROP 
-A PHP -s 198.2.213.49/32 -j DROP 
-A PHP -s 198.245.49.39/32 -j DROP 
-A PHP -s 199.15.234.218/32 -j DROP 
-A PHP -s 200.146.119.149/32 -j DROP 
-A PHP -s 200.247.100.178/32 -j DROP 
-A PHP -s 201.0.205.15/32 -j DROP 
-A PHP -s 201.18.107.234/32 -j DROP 
-A PHP -s 202.47.8.70/32 -j DROP 
-A PHP -s 203.217.120.145/32 -j DROP 
-A PHP -s 203.69.52.61/32 -j DROP 
-A PHP -s 204.234.238.10/32 -j DROP 
-A PHP -s 210.109.97.63/32 -j DROP 
-A PHP -s 210.51.44.48/32 -j DROP 
-A PHP -s 210.68.52.117/32 -j DROP 
-A PHP -s 211.151.186.228/32 -j DROP 
-A PHP -s 211.33.121.231/32 -j DROP 
-A PHP -s 211.54.17.249/32 -j DROP 
-A PHP -s 213.132.241.7/32 -j DROP 
-A PHP -s 213.135.97.189/32 -j DROP 
-A PHP -s 216.12.207.226/32 -j DROP 
-A PHP -s 216.151.130.179/32 -j DROP 
-A PHP -s 216.244.85.234/32 -j DROP 
-A PHP -s 216.40.222.82/32 -j DROP 
-A PHP -s 220.132.122.186/32 -j DROP 
-A PHP -s 221.192.33.30/32 -j DROP 
-A PHP -s 222.231.57.104/32 -j DROP 
-A PHP -s 222.236.16.14/32 -j DROP 
-A PHP -s 24.70.95.205/32 -j DROP 
-A PHP -s 37.130.227.133/32 -j DROP 
-A PHP -s 46.105.114.75/32 -j DROP 
-A PHP -s 46.183.162.100/32 -j DROP 
-A PHP -s 59.125.64.4/32 -j DROP 
-A PHP -s 59.57.14.92/32 -j DROP 
-A PHP -s 60.170.244.97/32 -j DROP 
-A PHP -s 61.149.132.118/32 -j DROP 
-A PHP -s 64.34.255.239/32 -j DROP 
-A PHP -s 67.86.138.59/32 -j DROP 
-A PHP -s 67.90.21.150/32 -j DROP 
-A PHP -s 69.144.93.12/32 -j DROP 
-A PHP -s 69.245.150.159/32 -j DROP 
-A PHP -s 69.26.184.254/32 -j DROP 
-A PHP -s 70.84.55.114/32 -j DROP 
-A PHP -s 71.206.81.186/32 -j DROP 
-A PHP -s 74.53.243.18/32 -j DROP 
-A PHP -s 75.125.47.162/32 -j DROP 
-A PHP -s 80.52.246.170/32 -j DROP 
-A PHP -s 85.95.236.45/32 -j DROP 
-A PHP -s 87.246.177.138/32 -j DROP 
-A PHP -s 87.97.218.147/32 -j DROP 
-A PHP -s 88.190.47.232/32 -j DROP 
-A PHP -s 88.190.61.100/32 -j DROP 
-A PHP -s 88.190.61.96/32 -j DROP 
-A PHP -s 89.122.29.82/32 -j DROP 
-A PHP -s 89.123.2.153/32 -j DROP 
-A PHP -s 89.123.2.45/32 -j DROP 
-A PHP -s 89.123.25.228/32 -j DROP 
-A PHP -s 89.123.34.75/32 -j DROP 
-A PHP -s 89.123.40.126/32 -j DROP 
-A PHP -s 89.123.42.97/32 -j DROP 
-A PHP -s 89.123.61.130/32 -j DROP 
-A PHP -s 91.121.170.197/32 -j DROP 
-A PHP -s 91.197.89.186/32 -j DROP 
-A PHP -s 91.214.49.252/32 -j DROP 
-A PHP -s 91.236.74.121/32 -j DROP 
-A PHP -s 91.236.75.29/32 -j DROP 
-A PHP -s 92.82.225.42/32 -j DROP 
-A PHP -s 92.82.225.48/32 -j DROP 
-A PHP -s 92.82.226.161/32 -j DROP 
-A PHP -s 92.82.232.181/32 -j DROP 
-A PHP -s 92.82.232.217/32 -j DROP 
-A PHP -s 92.85.167.80/32 -j DROP 
-A PHP -s 92.85.32.165/32 -j DROP 
-A PHP -s 92.85.36.232/32 -j DROP 
-A PHP -s 92.85.38.155/32 -j DROP 
-A PHP -s 93.115.94.85/32 -j DROP 
-A PHP -s 96.32.107.166/32 -j DROP 
-A PHP -s 96.47.224.42/32 -j DROP 
-A PHP -s 96.47.224.50/32 -j DROP 
-A PHP -s 96.47.225.170/32 -j DROP 
-A PHP -s 96.47.225.178/32 -j DROP 
-A PHP -s 96.47.225.186/32 -j DROP 
-A PHP -s 96.47.225.66/32 -j DROP 
-A PHP -s 96.47.225.74/32 -j DROP 
-A PHP -s 96.47.225.82/32 -j DROP 
-A PHP -s 96.52.173.241/32 -j DROP 
-A PROHIBIT -j REJECT --reject-with icmp-host-prohibited 
-A PZERO -p tcp -m tcp --dport 0 -j DROP 
-A PZERO -p udp -m udp --dport 0 -j DROP 
-A PZERO -p tcp -m tcp --sport 0 -j DROP 
-A PZERO -p udp -m udp --sport 0 -j DROP 
-A RESET -p tcp -j REJECT --reject-with tcp-reset

 
#4, 02-15-2014, 04:12 PM
welshdemon (Original Poster)
Code:
-A SDROP -s 1.32.0.0/16 -j DROP 
-A SDROP -s 2.56.0.0/14 -j DROP 
-A SDROP -s 5.34.242.0/23 -j DROP 
-A SDROP -s 5.72.0.0/14 -j DROP 
-A SDROP -s 5.180.0.0/14 -j DROP 
-A SDROP -s 14.129.0.0/16 -j DROP 
-A SDROP -s 14.192.48.0/21 -j DROP 
-A SDROP -s 14.192.56.0/22 -j DROP 
-A SDROP -s 31.11.43.0/24 -j DROP 
-A SDROP -s 31.222.200.0/21 -j DROP 
-A SDROP -s 37.139.49.0/24 -j DROP 
-A SDROP -s 37.148.216.0/21 -j DROP 
-A SDROP -s 42.1.128.0/17 -j DROP 
-A SDROP -s 46.29.248.0/22 -j DROP 
-A SDROP -s 46.148.112.0/20 -j DROP 
-A SDROP -s 49.8.0.0/14 -j DROP 
-A SDROP -s 61.45.251.0/24 -j DROP 
-A SDROP -s 62.122.72.0/23 -j DROP 
-A SDROP -s 62.182.152.0/21 -j DROP 
-A SDROP -s 64.15.0.0/20 -j DROP 
-A SDROP -s 64.44.0.0/16 -j DROP 
-A SDROP -s 64.112.0.0/17 -j DROP 
-A SDROP -s 64.112.128.0/18 -j DROP 
-A SDROP -s 64.185.224.0/20 -j DROP 
-A SDROP -s 64.234.224.0/20 -j DROP 
-A SDROP -s 66.11.112.0/20 -j DROP 
-A SDROP -s 66.198.240.0/20 -j DROP 
-A SDROP -s 66.231.64.0/20 -j DROP 
-A SDROP -s 67.209.112.0/20 -j DROP 
-A SDROP -s 67.211.208.0/20 -j DROP 
-A SDROP -s 67.213.128.0/20 -j DROP 
-A SDROP -s 67.218.208.0/20 -j DROP 
-A SDROP -s 68.66.192.0/18 -j DROP 
-A SDROP -s 70.32.0.0/19 -j DROP 
-A SDROP -s 72.13.16.0/20 -j DROP 
-A SDROP -s 74.123.96.0/21 -j DROP 
-A SDROP -s 78.31.184.0/21 -j DROP 
-A SDROP -s 78.31.211.0/24 -j DROP 
-A SDROP -s 79.110.16.0/20 -j DROP 
-A SDROP -s 79.110.48.0/20 -j DROP 
-A SDROP -s 79.173.104.0/21 -j DROP 
-A SDROP -s 81.22.152.0/23 -j DROP 
-A SDROP -s 85.121.39.0/24 -j DROP 
-A SDROP -s 85.202.160.0/20 -j DROP 
-A SDROP -s 86.55.40.0/23 -j DROP 
-A SDROP -s 86.55.42.0/23 -j DROP 
-A SDROP -s 86.55.140.0/24 -j DROP 
-A SDROP -s 86.55.210.0/23 -j DROP 
-A SDROP -s 87.243.112.0/22 -j DROP 
-A SDROP -s 88.135.16.0/20 -j DROP 
-A SDROP -s 89.114.9.0/24 -j DROP 
-A SDROP -s 89.114.97.0/24 -j DROP 
-A SDROP -s 91.108.181.0/24 -j DROP 
-A SDROP -s 91.195.254.0/23 -j DROP 
-A SDROP -s 91.197.96.0/22 -j DROP 
-A SDROP -s 91.198.40.0/24 -j DROP 
-A SDROP -s 91.198.127.0/24 -j DROP 
-A SDROP -s 91.200.164.0/22 -j DROP 
-A SDROP -s 91.200.248.0/22 -j DROP 
-A SDROP -s 91.201.124.0/22 -j DROP 
-A SDROP -s 91.201.236.0/22 -j DROP 
-A SDROP -s 91.203.20.0/22 -j DROP 
-A SDROP -s 91.207.116.0/23 -j DROP 
-A SDROP -s 91.208.16.0/24 -j DROP 
-A SDROP -s 91.209.12.0/24 -j DROP 
-A SDROP -s 91.212.45.0/24 -j DROP 
-A SDROP -s 91.212.104.0/24 -j DROP 
-A SDROP -s 91.212.135.0/24 -j DROP 
-A SDROP -s 91.212.198.0/24 -j DROP 
-A SDROP -s 91.212.201.0/24 -j DROP 
-A SDROP -s 91.212.220.0/24 -j DROP 
-A SDROP -s 91.213.29.0/24 -j DROP 
-A SDROP -s 91.213.72.0/24 -j DROP 
-A SDROP -s 91.213.93.0/24 -j DROP 
-A SDROP -s 91.213.94.0/24 -j DROP 
-A SDROP -s 91.213.121.0/24 -j DROP 
-A SDROP -s 91.213.126.0/24 -j DROP 
-A SDROP -s 91.213.148.0/24 -j DROP 
-A SDROP -s 91.213.167.0/24 -j DROP 
-A SDROP -s 91.213.172.0/24 -j DROP 
-A SDROP -s 91.213.174.0/24 -j DROP 
-A SDROP -s 91.213.175.0/24 -j DROP 
-A SDROP -s 91.213.217.0/24 -j DROP 
-A SDROP -s 91.216.3.0/24 -j DROP 
-A SDROP -s 91.216.73.0/24 -j DROP 
-A SDROP -s 91.217.162.0/24 -j DROP 
-A SDROP -s 91.217.249.0/24 -j DROP 
-A SDROP -s 91.220.35.0/24 -j DROP 
-A SDROP -s 91.220.62.0/24 -j DROP 
-A SDROP -s 91.220.63.0/24 -j DROP 
-A SDROP -s 91.220.90.0/24 -j DROP 
-A SDROP -s 91.220.163.0/24 -j DROP 
-A SDROP -s 91.223.77.0/24 -j DROP 
-A SDROP -s 91.223.231.0/24 -j DROP 
-A SDROP -s 91.226.97.0/24 -j DROP 
-A SDROP -s 91.228.132.0/24 -j DROP 
-A SDROP -s 91.229.60.0/22 -j DROP 
-A SDROP -s 91.229.248.0/24 -j DROP 
-A SDROP -s 91.230.110.0/24 -j DROP 
-A SDROP -s 91.230.143.0/24 -j DROP 
-A SDROP -s 91.230.147.0/24 -j DROP 
-A SDROP -s 91.231.156.0/24 -j DROP 
-A SDROP -s 91.234.36.0/24 -j DROP 
-A SDROP -s 91.234.255.0/24 -j DROP 
-A SDROP -s 91.235.2.0/24 -j DROP 
-A SDROP -s 91.236.120.0/24 -j DROP 
-A SDROP -s 91.237.249.0/24 -j DROP 
-A SDROP -s 91.238.82.0/24 -j DROP 
-A SDROP -s 91.239.15.0/24 -j DROP 
-A SDROP -s 91.239.24.0/24 -j DROP 
-A SDROP -s 91.239.238.0/24 -j DROP 
-A SDROP -s 91.240.165.0/24 -j DROP 
-A SDROP -s 91.242.217.0/24 -j DROP 
-A SDROP -s 91.243.115.0/24 -j DROP 
-A SDROP -s 93.175.240.0/20 -j DROP 
-A SDROP -s 94.26.112.0/20 -j DROP 
-A SDROP -s 94.60.121.0/24 -j DROP 
-A SDROP -s 94.60.122.0/23 -j DROP 
-A SDROP -s 94.61.247.0/24 -j DROP 
-A SDROP -s 94.63.146.0/24 -j DROP 
-A SDROP -s 94.63.147.0/24 -j DROP 
-A SDROP -s 94.63.149.0/24 -j DROP 
-A SDROP -s 94.63.150.0/23 -j DROP 
-A SDROP -s 94.63.240.0/24 -j DROP 
-A SDROP -s 94.63.243.0/24 -j DROP 
-A SDROP -s 94.63.244.0/24 -j DROP 
-A SDROP -s 94.63.245.0/24 -j DROP 
-A SDROP -s 94.63.246.0/24 -j DROP 
-A SDROP -s 94.63.247.0/24 -j DROP 
-A SDROP -s 94.130.0.0/15 -j DROP 
-A SDROP -s 94.154.128.0/18 -j DROP 
-A SDROP -s 94.158.240.0/20 -j DROP 
-A SDROP -s 95.215.140.0/22 -j DROP 
-A SDROP -s 95.216.0.0/15 -j DROP 
-A SDROP -s 101.192.0.0/14 -j DROP 
-A SDROP -s 101.236.0.0/14 -j DROP 
-A SDROP -s 101.248.0.0/15 -j DROP 
-A SDROP -s 101.252.0.0/15 -j DROP 
-A SDROP -s 103.2.44.0/22 -j DROP 
-A SDROP -s 103.10.68.0/22 -j DROP 
-A SDROP -s 103.12.216.0/22 -j DROP 
-A SDROP -s 103.16.76.0/24 -j DROP 
-A SDROP -s 103.246.72.0/22 -j DROP 
-A SDROP -s 106.96.0.0/16 -j DROP 
-A SDROP -s 109.94.208.0/20 -j DROP 
-A SDROP -s 109.196.96.0/20 -j DROP 
-A SDROP -s 110.44.128.0/20 -j DROP 
-A SDROP -s 110.232.160.0/20 -j DROP 
-A SDROP -s 113.20.160.0/19 -j DROP 
-A SDROP -s 115.85.133.0/24 -j DROP 
-A SDROP -s 116.144.0.0/15 -j DROP 
-A SDROP -s 116.146.0.0/15 -j DROP 
-A SDROP -s 116.197.152.0/21 -j DROP 
-A SDROP -s 121.46.64.0/18 -j DROP 
-A SDROP -s 122.202.96.0/19 -j DROP 
-A SDROP -s 124.68.0.0/15 -j DROP 
-A SDROP -s 124.70.0.0/15 -j DROP 
-A SDROP -s 128.13.0.0/16 -j DROP 
-A SDROP -s 128.168.0.0/16 -j DROP 
-A SDROP -s 128.191.0.0/16 -j DROP 
-A SDROP -s 129.76.64.0/18 -j DROP 
-A SDROP -s 130.201.0.0/16 -j DROP 
-A SDROP -s 130.222.0.0/16 -j DROP 
-A SDROP -s 132.145.0.0/16 -j DROP 
-A SDROP -s 132.232.0.0/16 -j DROP 
-A SDROP -s 134.23.0.0/16 -j DROP 
-A SDROP -s 134.33.0.0/16 -j DROP 
-A SDROP -s 134.127.0.0/16 -j DROP 
-A SDROP -s 134.172.0.0/16 -j DROP 
-A SDROP -s 134.209.0.0/16 -j DROP 
-A SDROP -s 134.239.0.0/16 -j DROP 
-A SDROP -s 136.228.0.0/16 -j DROP 
-A SDROP -s 136.230.0.0/16 -j DROP 
-A SDROP -s 137.76.0.0/16 -j DROP 
-A SDROP -s 138.43.0.0/16 -j DROP 
-A SDROP -s 139.47.0.0/16 -j DROP 
-A SDROP -s 139.150.0.0/16 -j DROP 
-A SDROP -s 139.167.0.0/16 -j DROP 
-A SDROP -s 140.167.0.0/16 -j DROP 
-A SDROP -s 140.170.0.0/16 -j DROP 
-A SDROP -s 141.136.16.0/24 -j DROP 
-A SDROP -s 141.136.17.0/24 -j DROP 
-A SDROP -s 141.136.22.0/24 -j DROP 
-A SDROP -s 141.136.27.0/24 -j DROP 
-A SDROP -s 143.49.0.0/16 -j DROP 
-A SDROP -s 143.64.0.0/16 -j DROP 
-A SDROP -s 143.135.0.0/16 -j DROP 
-A SDROP -s 143.189.0.0/16 -j DROP 
-A SDROP -s 144.207.0.0/16 -j DROP 
-A SDROP -s 147.50.0.0/16 -j DROP 
-A SDROP -s 148.105.0.0/16 -j DROP 
-A SDROP -s 148.154.0.0/16 -j DROP 
-A SDROP -s 148.178.0.0/16 -j DROP 
-A SDROP -s 148.248.0.0/16 -j DROP 
-A SDROP -s 149.118.0.0/16 -j DROP 
-A SDROP -s 149.143.64.0/18 -j DROP 
-A SDROP -s 150.126.0.0/16 -j DROP 
-A SDROP -s 150.141.0.0/16 -j DROP 
-A SDROP -s 151.123.0.0/16 -j DROP 
-A SDROP -s 151.192.0.0/16 -j DROP 
-A SDROP -s 151.237.184.0/22 -j DROP 
-A SDROP -s 152.136.0.0/16 -j DROP 
-A SDROP -s 152.147.0.0/16 -j DROP 
-A SDROP -s 154.10.0.0/16 -j DROP 
-A SDROP -s 155.190.0.0/16 -j DROP 
-A SDROP -s 157.186.0.0/16 -j DROP 
-A SDROP -s 157.195.0.0/16 -j DROP 
-A SDROP -s 157.226.0.0/16 -j DROP 
-A SDROP -s 157.231.0.0/16 -j DROP 
-A SDROP -s 157.232.0.0/16 -j DROP 
-A SDROP -s 158.54.0.0/16 -j DROP 
-A SDROP -s 158.131.0.0/16 -j DROP 
-A SDROP -s 159.85.0.0/16 -j DROP 
-A SDROP -s 159.111.0.0/16 -j DROP 
-A SDROP -s 159.135.0.0/16 -j DROP 
-A SDROP -s 159.141.0.0/16 -j DROP 
-A SDROP -s 159.223.0.0/16 -j DROP 
-A SDROP -s 161.189.0.0/16 -j DROP 
-A SDROP -s 161.232.0.0/16 -j DROP 
-A SDROP -s 162.125.0.0/16 -j DROP 
-A SDROP -s 162.211.236.0/22 -j DROP 
-A SDROP -s 162.217.4.0/22 -j DROP 
-A SDROP -s 163.47.19.0/24 -j DROP 
-A SDROP -s 163.182.0.0/16 -j DROP 
-A SDROP -s 163.253.0.0/16 -j DROP 
-A SDROP -s 164.60.0.0/16 -j DROP 
-A SDROP -s 165.192.0.0/16 -j DROP 
-A SDROP -s 165.209.0.0/16 -j DROP 
-A SDROP -s 165.225.0.0/17 -j DROP 
-A SDROP -s 165.225.192.0/18 -j DROP 
-A SDROP -s 167.28.0.0/16 -j DROP 
-A SDROP -s 167.74.0.0/18 -j DROP 
-A SDROP -s 167.97.0.0/16 -j DROP 
-A SDROP -s 167.224.0.0/19 -j DROP 
-A SDROP -s 168.129.0.0/16 -j DROP 
-A SDROP -s 170.67.0.0/16 -j DROP 
-A SDROP -s 170.113.0.0/16 -j DROP 
-A SDROP -s 170.114.0.0/16 -j DROP 
-A SDROP -s 170.120.0.0/16 -j DROP 
-A SDROP -s 173.205.0.0/21 -j DROP 
-A SDROP -s 173.205.8.0/21 -j DROP 
-A SDROP -s 173.205.16.0/21 -j DROP 
-A SDROP -s 173.205.24.0/21 -j DROP 
-A SDROP -s 173.205.32.0/21 -j DROP 
-A SDROP -s 173.205.40.0/21 -j DROP 
-A SDROP -s 173.205.48.0/21 -j DROP 
-A SDROP -s 173.249.160.0/19 -j DROP 
-A SDROP -s 174.136.192.0/18 -j DROP 
-A SDROP -s 176.47.0.0/16 -j DROP 
-A SDROP -s 176.61.136.0/22 -j DROP 
-A SDROP -s 176.110.101.0/24 -j DROP 
-A SDROP -s 177.21.64.0/20 -j DROP 
-A SDROP -s 177.36.16.0/20 -j DROP 
-A SDROP -s 178.159.176.0/20 -j DROP 
-A SDROP -s 185.11.140.0/24 -j DROP 
-A SDROP -s 185.11.143.0/24 -j DROP 
-A SDROP -s 185.24.108.0/22 -j DROP 
-A SDROP -s 186.190.224.0/21 -j DROP 
-A SDROP -s 188.247.135.0/24 -j DROP 
-A SDROP -s 188.247.230.0/24 -j DROP 
-A SDROP -s 192.5.103.0/24 -j DROP 
-A SDROP -s 192.26.25.0/24 -j DROP 
-A SDROP -s 192.31.212.0/23 -j DROP 
-A SDROP -s 192.40.29.0/24 -j DROP 
-A SDROP -s 192.43.153.0/24 -j DROP 
-A SDROP -s 192.43.154.0/23 -j DROP 
-A SDROP -s 192.43.156.0/22 -j DROP 
-A SDROP -s 192.43.160.0/24 -j DROP 
-A SDROP -s 192.43.175.0/24 -j DROP 
-A SDROP -s 192.43.176.0/21 -j DROP 
-A SDROP -s 192.43.184.0/24 -j DROP 
-A SDROP -s 192.54.39.0/24 -j DROP 
-A SDROP -s 192.54.73.0/24 -j DROP 
-A SDROP -s 192.67.16.0/24 -j DROP 
-A SDROP -s 192.67.160.0/22 -j DROP 
-A SDROP -s 192.84.243.0/24 -j DROP 
-A SDROP -s 192.86.85.0/24 -j DROP 
-A SDROP -s 192.88.74.0/24 -j DROP 
-A SDROP -s 192.100.142.0/24 -j DROP 
-A SDROP -s 192.101.44.0/24 -j DROP 
-A SDROP -s 192.101.181.0/24 -j DROP 
-A SDROP -s 192.101.200.0/21 -j DROP 
-A SDROP -s 192.101.240.0/21 -j DROP 
-A SDROP -s 192.101.248.0/23 -j DROP 
-A SDROP -s 192.112.112.0/20 -j DROP 
-A SDROP -s 192.158.51.0/24 -j DROP 
-A SDROP -s 192.160.44.0/24 -j DROP 
-A SDROP -s 192.171.64.0/19 -j DROP 
-A SDROP -s 192.190.49.0/24 -j DROP 
-A SDROP -s 192.197.87.0/24 -j DROP 
-A SDROP -s 192.219.120.0/21 -j DROP 
-A SDROP -s 192.219.128.0/18 -j DROP 
-A SDROP -s 192.219.192.0/20 -j DROP 
-A SDROP -s 192.219.208.0/21 -j DROP 
-A SDROP -s 192.229.32.0/19 -j DROP 
-A SDROP -s 192.245.101.0/24 -j DROP 
-A SDROP -s 193.0.129.0/24 -j DROP 
-A SDROP -s 193.0.146.0/23 -j DROP 
-A SDROP -s 193.7.192.0/19 -j DROP 
-A SDROP -s 193.16.213.0/24 -j DROP 
-A SDROP -s 193.22.144.0/20 -j DROP 
-A SDROP -s 193.23.126.0/24 -j DROP 
-A SDROP -s 193.25.48.0/20 -j DROP 
-A SDROP -s 193.26.64.0/19 -j DROP 
-A SDROP -s 193.43.134.0/24 -j DROP 
-A SDROP -s 193.46.211.0/24 -j DROP 
-A SDROP -s 193.104.12.0/24 -j DROP 
-A SDROP -s 193.104.34.0/24 -j DROP 
-A SDROP -s 193.104.41.0/24 -j DROP 
-A SDROP -s 193.104.94.0/24 -j DROP 
-A SDROP -s 193.104.110.0/24 -j DROP 
-A SDROP -s 193.104.176.0/24 -j DROP 
-A SDROP -s 193.105.141.0/24 -j DROP 
-A SDROP -s 193.105.154.0/24 -j DROP 
-A SDROP -s 193.105.184.0/24 -j DROP 
-A SDROP -s 193.105.207.0/24 -j DROP 
-A SDROP -s 193.105.245.0/24 -j DROP 
-A SDROP -s 193.106.32.0/22 -j DROP 
-A SDROP -s 193.107.16.0/22 -j DROP 
-A SDROP -s 193.108.178.0/24 -j DROP 
-A SDROP -s 193.110.136.0/24 -j DROP 
-A SDROP -s 193.111.235.0/24 -j DROP 
-A SDROP -s 193.150.168.0/24 -j DROP 
-A SDROP -s 193.164.11.0/24 -j DROP 
-A SDROP -s 193.178.120.0/22 -j DROP 
-A SDROP -s 193.200.167.0/24 -j DROP 
-A SDROP -s 193.227.240.0/23 -j DROP 
-A SDROP -s 193.228.145.0/24 -j DROP 
-A SDROP -s 193.243.166.0/24 -j DROP 
-A SDROP -s 194.0.177.0/24 -j DROP 
-A SDROP -s 194.0.245.0/24 -j DROP 
-A SDROP -s 194.1.152.0/24 -j DROP 
-A SDROP -s 194.1.184.0/24 -j DROP 
-A SDROP -s 194.1.220.0/23 -j DROP 
-A SDROP -s 194.1.247.0/24 -j DROP 
-A SDROP -s 194.15.32.0/19 -j DROP 
-A SDROP -s 194.29.185.0/24 -j DROP 
-A SDROP -s 194.50.116.0/24 -j DROP 
-A SDROP -s 194.54.156.0/22 -j DROP 
-A SDROP -s 194.60.242.0/24 -j DROP 
-A SDROP -s 194.110.160.0/22 -j DROP 
-A SDROP -s 194.126.251.0/24 -j DROP 
-A SDROP -s 194.140.237.0/24 -j DROP 
-A SDROP -s 194.156.64.0/18 -j DROP 
-A SDROP -s 194.242.2.0/23 -j DROP 
-A SDROP -s 194.247.58.0/24 -j DROP 
-A SDROP -s 195.3.144.0/22 -j DROP 
-A SDROP -s 195.5.161.0/24 -j DROP 
-A SDROP -s 195.20.141.0/24 -j DROP 
-A SDROP -s 195.68.222.0/23 -j DROP 
-A SDROP -s 195.78.108.0/23 -j DROP 
-A SDROP -s 195.85.204.0/24 -j DROP 
-A SDROP -s 195.88.190.0/23 -j DROP 
-A SDROP -s 195.114.8.0/23 -j DROP 
-A SDROP -s 195.149.88.0/24 -j DROP 
-A SDROP -s 195.149.90.0/24 -j DROP 
-A SDROP -s 195.182.57.0/24 -j DROP 
-A SDROP -s 195.190.157.0/24 -j DROP 
-A SDROP -s 195.191.56.0/23 -j DROP 
-A SDROP -s 195.191.102.0/23 -j DROP 
-A SDROP -s 195.225.176.0/22 -j DROP 
-A SDROP -s 195.226.197.0/24 -j DROP 
-A SDROP -s 195.226.220.0/24 -j DROP 
-A SDROP -s 195.234.76.0/22 -j DROP 
-A SDROP -s 195.246.200.0/24 -j DROP 
-A SDROP -s 196.1.109.0/24 -j DROP 
-A SDROP -s 196.63.0.0/16 -j DROP 
-A SDROP -s 196.193.0.0/16 -j DROP 
-A SDROP -s 198.13.0.0/20 -j DROP 
-A SDROP -s 198.14.128.0/19 -j DROP 
-A SDROP -s 198.14.160.0/19 -j DROP 
-A SDROP -s 198.20.16.0/20 -j DROP 
-A SDROP -s 198.23.32.0/20 -j DROP 
-A SDROP -s 198.45.32.0/20 -j DROP 
-A SDROP -s 198.45.64.0/19 -j DROP 
-A SDROP -s 198.48.16.0/20 -j DROP 
-A SDROP -s 198.56.64.0/18 -j DROP 
-A SDROP -s 198.57.64.0/20 -j DROP 
-A SDROP -s 198.62.70.0/24 -j DROP 
-A SDROP -s 198.62.76.0/24 -j DROP 
-A SDROP -s 198.96.224.0/20 -j DROP 
-A SDROP -s 198.151.64.0/18 -j DROP 
-A SDROP -s 198.151.152.0/22 -j DROP 
-A SDROP -s 198.162.208.0/20 -j DROP 
-A SDROP -s 198.167.255.0/24 -j DROP 
-A SDROP -s 198.169.201.0/24 -j DROP 
-A SDROP -s 198.176.48.0/21 -j DROP 
-A SDROP -s 198.177.175.0/24 -j DROP 
-A SDROP -s 198.177.176.0/22 -j DROP 
-A SDROP -s 198.177.180.0/24 -j DROP 
-A SDROP -s 198.177.214.0/24 -j DROP 
-A SDROP -s 198.178.64.0/19 -j DROP 
-A SDROP -s 198.181.32.0/20 -j DROP 
-A SDROP -s 198.181.64.0/19 -j DROP 
-A SDROP -s 198.183.32.0/19 -j DROP 
-A SDROP -s 198.184.64.0/18 -j DROP 
-A SDROP -s 198.184.193.0/24 -j DROP 
-A SDROP -s 198.186.25.0/24 -j DROP 
-A SDROP -s 198.186.208.0/24 -j DROP 
-A SDROP -s 198.187.64.0/18 -j DROP 
-A SDROP -s 198.190.173.0/24 -j DROP 
-A SDROP -s 198.199.212.0/24 -j DROP 
-A SDROP -s 198.204.0.0/21 -j DROP 
-A SDROP -s 198.205.64.0/19 -j DROP 
-A SDROP -s 199.5.152.0/23 -j DROP 
-A SDROP -s 199.9.24.0/21 -j DROP 
-A SDROP -s 199.26.96.0/19 -j DROP 
-A SDROP -s 199.26.137.0/24 -j DROP 
-A SDROP -s 199.33.145.0/24 -j DROP 
-A SDROP -s 199.34.128.0/18 -j DROP 
-A SDROP -s 199.46.32.0/19 -j DROP 
-A SDROP -s 199.58.248.0/21 -j DROP 
-A SDROP -s 199.60.102.0/24 -j DROP 
-A SDROP -s 199.71.192.0/20 -j DROP 
-A SDROP -s 199.84.55.0/24 -j DROP 
-A SDROP -s 199.84.56.0/22 -j DROP 
-A SDROP -s 199.84.60.0/24 -j DROP 
-A SDROP -s 199.84.64.0/19 -j DROP 
-A SDROP -s 199.84.96.0/19 -j DROP 
-A SDROP -s 199.87.208.0/21 -j DROP 
-A SDROP -s 199.88.32.0/20 -j DROP 
-A SDROP -s 199.88.48.0/22 -j DROP 
-A SDROP -s 199.89.16.0/20 -j DROP 
-A SDROP -s 199.89.198.0/24 -j DROP 
-A SDROP -s 199.120.163.0/24 -j DROP 
-A SDROP -s 199.165.32.0/19 -j DROP 
-A SDROP -s 199.166.200.0/22 -j DROP 
-A SDROP -s 199.184.82.0/24 -j DROP 
-A SDROP -s 199.185.192.0/20 -j DROP 
-A SDROP -s 199.196.192.0/19 -j DROP 
-A SDROP -s 199.198.160.0/20 -j DROP 
-A SDROP -s 199.198.176.0/21 -j DROP 
-A SDROP -s 199.198.184.0/23 -j DROP 
-A SDROP -s 199.198.188.0/22 -j DROP 
-A SDROP -s 199.200.64.0/19 -j DROP 
-A SDROP -s 199.212.96.0/20 -j DROP 
-A SDROP -s 199.223.0.0/20 -j DROP 
-A SDROP -s 199.230.64.0/19 -j DROP 
-A SDROP -s 199.230.96.0/21 -j DROP 
-A SDROP -s 199.233.85.0/24 -j DROP 
-A SDROP -s 199.233.96.0/24 -j DROP 
-A SDROP -s 199.245.138.0/24 -j DROP 
-A SDROP -s 199.246.137.0/24 -j DROP 
-A SDROP -s 199.246.213.0/24 -j DROP 
-A SDROP -s 199.246.215.0/24 -j DROP 
-A SDROP -s 199.248.64.0/18 -j DROP 
-A SDROP -s 199.249.64.0/19 -j DROP 
-A SDROP -s 199.253.224.0/20 -j DROP 
-A SDROP -s 199.254.32.0/20 -j DROP 
-A SDROP -s 200.3.115.0/24 -j DROP 
-A SDROP -s 200.3.128.0/20 -j DROP 
-A SDROP -s 200.22.0.0/16 -j DROP 
-A SDROP -s 200.105.32.0/20 -j DROP 
-A SDROP -s 202.0.192.0/18 -j DROP 
-A SDROP -s 202.20.32.0/19 -j DROP 
-A SDROP -s 202.21.64.0/19 -j DROP 
-A SDROP -s 202.61.108.0/24 -j DROP 
-A SDROP -s 202.68.0.0/18 -j DROP 
-A SDROP -s 203.31.88.0/23 -j DROP 
-A SDROP -s 203.34.70.0/23 -j DROP 
-A SDROP -s 203.34.71.0/24 -j DROP 
-A SDROP -s 204.19.38.0/23 -j DROP 
-A SDROP -s 204.44.32.0/20 -j DROP 
-A SDROP -s 204.44.192.0/20 -j DROP 
-A SDROP -s 204.44.224.0/20 -j DROP 
-A SDROP -s 204.52.255.0/24 -j DROP 
-A SDROP -s 204.57.16.0/20 -j DROP 
-A SDROP -s 204.75.228.0/24 -j DROP 
-A SDROP -s 204.86.16.0/20 -j DROP 
-A SDROP -s 204.87.199.0/24 -j DROP 
-A SDROP -s 204.89.224.0/24 -j DROP 
-A SDROP -s 204.106.128.0/18 -j DROP 
-A SDROP -s 204.106.192.0/19 -j DROP 
-A SDROP -s 204.107.208.0/24 -j DROP 
-A SDROP -s 204.126.244.0/23 -j DROP 
-A SDROP -s 204.128.151.0/24 -j DROP 
-A SDROP -s 204.128.180.0/24 -j DROP 
-A SDROP -s 204.130.167.0/24 -j DROP 
-A SDROP -s 204.147.240.0/20 -j DROP 
-A SDROP -s 204.152.224.0/21 -j DROP 
-A SDROP -s 204.155.128.0/20 -j DROP 
-A SDROP -s 204.187.155.0/24 -j DROP 
-A SDROP -s 204.187.156.0/22 -j DROP 
-A SDROP -s 204.187.160.0/19 -j DROP 
-A SDROP -s 204.187.192.0/19 -j DROP 
-A SDROP -s 204.187.224.0/20 -j DROP 
-A SDROP -s 204.187.240.0/21 -j DROP 
-A SDROP -s 204.187.248.0/22 -j DROP 
-A SDROP -s 204.187.252.0/23 -j DROP 
-A SDROP -s 204.187.254.0/24 -j DROP 
-A SDROP -s 204.194.184.0/21 -j DROP 
-A SDROP -s 204.225.159.0/24 -j DROP 
-A SDROP -s 204.225.210.0/24 -j DROP 
-A SDROP -s 204.236.0.0/19 -j DROP 
-A SDROP -s 204.237.136.0/21 -j DROP 
-A SDROP -s 204.237.168.0/21 -j DROP 
-A SDROP -s 204.237.232.0/21 -j DROP 
-A SDROP -s 204.237.240.0/21 -j DROP 
-A SDROP -s 205.137.0.0/20 -j DROP 
-A SDROP -s 205.142.104.0/22 -j DROP 
-A SDROP -s 205.144.0.0/20 -j DROP 
-A SDROP -s 205.144.176.0/20 -j DROP 
-A SDROP -s 205.151.128.0/19 -j DROP 
-A SDROP -s 205.159.45.0/24 -j DROP 
-A SDROP -s 205.159.180.0/24 -j DROP 
-A SDROP -s 205.166.84.0/24 -j DROP 
-A SDROP -s 205.172.176.0/22 -j DROP 
-A SDROP -s 205.172.244.0/22 -j DROP 
-A SDROP -s 205.175.160.0/19 -j DROP 
-A SDROP -s 205.189.71.0/24 -j DROP 
-A SDROP -s 205.189.72.0/23 -j DROP 
-A SDROP -s 205.203.0.0/19 -j DROP 
-A SDROP -s 205.203.224.0/19 -j DROP 
-A SDROP -s 205.207.134.0/24 -j DROP 
-A SDROP -s 205.210.107.0/24 -j DROP 
-A SDROP -s 205.210.139.0/24 -j DROP 
-A SDROP -s 205.214.128.0/19 -j DROP 
-A SDROP -s 205.233.224.0/20 -j DROP 
-A SDROP -s 205.236.185.0/24 -j DROP 
-A SDROP -s 205.236.189.0/24 -j DROP 
-A SDROP -s 205.253.0.0/16 -j DROP 
-A SDROP -s 206.51.29.0/24 -j DROP 
-A SDROP -s 206.81.0.0/19 -j DROP 
-A SDROP -s 206.123.128.0/19 -j DROP 
-A SDROP -s 206.127.192.0/19 -j DROP 
-A SDROP -s 206.130.188.0/24 -j DROP 
-A SDROP -s 206.195.224.0/19 -j DROP 
-A SDROP -s 206.197.28.0/24 -j DROP 
-A SDROP -s 206.197.29.0/24 -j DROP 
-A SDROP -s 206.201.48.0/20 -j DROP 
-A SDROP -s 206.203.64.0/18 -j DROP 
-A SDROP -s 206.209.80.0/20 -j DROP 
-A SDROP -s 206.224.160.0/19 -j DROP 
-A SDROP -s 206.226.0.0/19 -j DROP 
-A SDROP -s 206.226.32.0/19 -j DROP 
-A SDROP -s 206.227.64.0/18 -j DROP 
-A SDROP -s 207.22.192.0/18 -j DROP 
-A SDROP -s 207.32.128.0/19 -j DROP 
-A SDROP -s 207.45.224.0/20 -j DROP 
-A SDROP -s 207.110.64.0/19 -j DROP 
-A SDROP -s 207.110.96.0/19 -j DROP 
-A SDROP -s 207.110.128.0/18 -j DROP 
-A SDROP -s 207.183.192.0/19 -j DROP 
-A SDROP -s 207.189.0.0/19 -j DROP 
-A SDROP -s 207.199.128.0/18 -j DROP 
-A SDROP -s 207.226.192.0/20 -j DROP 
-A SDROP -s 207.230.96.0/19 -j DROP 
-A SDROP -s 207.231.96.0/19 -j DROP 
-A SDROP -s 207.234.0.0/17 -j DROP 
-A SDROP -s 207.254.128.0/21 -j DROP 
-A SDROP -s 208.70.168.0/21 -j DROP 
-A SDROP -s 208.76.208.0/21 -j DROP 
-A SDROP -s 208.81.136.0/21 -j DROP 
-A SDROP -s 208.90.0.0/21 -j DROP 
-A SDROP -s 208.93.96.0/21 -j DROP 
-A SDROP -s 208.117.80.0/20 -j DROP 
-A SDROP -s 209.51.32.0/20 -j DROP 
-A SDROP -s 209.66.128.0/19 -j DROP 
-A SDROP -s 209.95.192.0/19 -j DROP 
-A SDROP -s 209.145.0.0/19 -j DROP 
-A SDROP -s 209.147.64.0/19 -j DROP 
-A SDROP -s 209.182.64.0/19 -j DROP 
-A SDROP -s 209.198.176.0/20 -j DROP 
-A SDROP -s 213.109.96.0/22 -j DROP 
-A SDROP -s 213.109.208.0/20 -j DROP 
-A SDROP -s 216.30.144.0/20 -j DROP 
-A SDROP -s 216.155.0.0/18 -j DROP 
-A SDROP -s 216.162.112.0/20 -j DROP 
-A SDROP -s 216.212.192.0/19 -j DROP 
-A SDROP -s 223.168.0.0/16 -j DROP 
-A SDROP -s 223.169.0.0/16 -j DROP 
-A SDROP -s 223.170.0.0/16 -j DROP 
-A SDROP -s 223.171.0.0/16 -j DROP 
-A SDROP -s 223.172.0.0/16 -j DROP 
-A SDROP -s 223.173.0.0/16 -j DROP 
-A SDROP -s 223.254.0.0/16 -j DROP 
COMMIT
# Completed on Sat Feb 15 20:27:48 2014

Last edited by unSpawn; 02-16-2014 at 05:55 AM. Reason: //Add vBB code tags
 
Old 02-16-2014, 04:13 AM   #5
yzT!
Member
 
Registered: Jan 2013
Distribution: LMDE / Kali
Posts: 94

Rep: Reputation: 2
As I expected, you have a mess with those rules. You're doing it the wrong way: you have to set the policies to DROP and then whitelist the connections you want to accept.
 
Old 02-16-2014, 06:02 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,526
Blog Entries: 51

Rep: Reputation: 2601Reputation: 2601Reputation: 2601Reputation: 2601Reputation: 2601Reputation: 2601Reputation: 2601Reputation: 2601Reputation: 2601Reputation: 2601Reputation: 2601
Quote:
Originally Posted by yzT! View Post
You're doing it the wrong way: you have to set the policies to DROP and then whitelist the connections you want to accept.
While commendable that policy will not work on a server where services have to be publicly accessible.
 
Old 02-16-2014, 06:13 AM   #7
welshdemon
LQ Newbie
 
Registered: Oct 2009
Posts: 13

Original Poster
Rep: Reputation: 0
APF made that list. My old VPS host advised I install APF because of the attacks I was getting. Why would APF make a mess?

I tried to copy advice from other websites, many people say the first rule should be to DROP ALL and then make rules to open ports as you say, but then I kept locking myself out no matter what I tried.

This website says to add that rule last! http://linux.overshoot.tv/wiki/serve...ocking_traffic

I am so confused and have had lots of headaches after too many hours reading about stuff that in the end doesn't work and gets me nowhere.

All I want is to block everything apart from 80, and some custom ports, say 33350-33359. Surely not difficult you'd think? But I am having no luck.

Oh and then to maybe add some rules to prevent flooding of requests, but that can wait. If it would at least block all ports apart from 80 to start with, maybe less script kiddies would find my server on scans of ip ranges and my server will not get attacked so much!

Last edited by welshdemon; 02-16-2014 at 06:17 AM.
 
Old 02-16-2014, 06:32 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,526
Blog Entries: 51

Rep: Reputation: 2601Reputation: 2601Reputation: 2601Reputation: 2601Reputation: 2601Reputation: 2601Reputation: 2601Reputation: 2601Reputation: 2601Reputation: 2601Reputation: 2601
Quote:
Originally Posted by welshdemon View Post
There'd probably too many rules to post here. APF made them (including IPs from some some blacklists hence so many rules) ,
Basically what you have to understand is that the "Linux Firewall" consists of a kernel part (called "Netfilter") and a userland part. The latter is used for rule management: loading, deleting, modifying, etc. The pivotal and only tool that manages these rules is called 'iptables'. Other tools, like the CLI system-config-firewall tool in RHEL and CentOS, UFW in Ubuntu or the firewall module of Webmin, are what we call front-ends: they essentially only provide an "easy" interface to, and underneath only use, iptables.

*Note there is a separate category of tools that disguise the fact they're no more than hyped up, overrated front-ends by enshrouding everything in marketoid language. You'll find these tools often get recommended in (web log) posts or in forums where small hosting companies, people with a strong point-and-click preference and other sheeple hang out.

Web-based management panels should be used by people who already have practical admin-level knowledge of the OS, its inner workings and the services it provides. So my first advice, and this understandably is more generic than you would have hoped for, would be to stop relying on User Interfaces and learn to admin a server "the right way". (And yes, that means reading the documentation and using the command line.)
 
Old 02-16-2014, 06:35 AM   #9
welshdemon
LQ Newbie
 
Registered: Oct 2009
Posts: 13

Original Poster
Rep: Reputation: 0
ARGH! It has done it again.

I followed this guide. It seemed to be going OK, but as soon as I add that last rule to DROP it locks everything out! SSH drops, HTTP isn't accessible.
I added port 80 and SSH... then

iptables -A INPUT -j DROP


http://linux.overshoot.tv/wiki/serve...ocking_traffic


What the hell am I doing wrong? Following guides such as this and getting locked out every time. This is why I gave up on iptables and tried APF...
 
Old 02-16-2014, 06:56 AM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,526
Blog Entries: 51

Rep: Reputation: 2601Reputation: 2601Reputation: 2601Reputation: 2601Reputation: 2601Reputation: 2601Reputation: 2601Reputation: 2601Reputation: 2601Reputation: 2601Reputation: 2601
Quote:
Originally Posted by welshdemon View Post
What the hell am I doing wrong?
This Universe has a way of letting you know certain elemental rules like causality need to be obeyed ;-p
No shortcuts.

Restore the OS's default firewall rule set and, next time, remember to white-list your management IP (range).
 
Old 02-16-2014, 07:35 AM   #11
yzT!
Member
 
Registered: Jan 2013
Distribution: LMDE / Kali
Posts: 94

Rep: Reputation: 2
Code:
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# use -p udp instead if whatever listens on 33350-33359 speaks UDP
iptables -A INPUT -p tcp --dport 33350:33359 -j ACCEPT
with those rules you should be suited.
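A complete, lock-out-resistant version of the rule set in the post above, as an added example that is not part of yzT!'s post or of APF. It writes the filter table in the iptables-restore format the thread already uses, puts an SSH rule for the management range ahead of the public ports (so a typo further down cannot cut you off), and loads it with a timed rollback: unless you confirm from a fresh login within the window, the previous rules come back. The management range 203.0.113.0/24, the port list, the FORWARD DROP policy (the box is assumed not to route) and the 60-second window are assumptions.

```python
import ipaddress
import select
import subprocess
import sys


def build_ruleset(mgmt_cidr, tcp_ports=(80,), udp_ports=(), ssh_port=22):
    """Return the *filter table as an iptables-restore document.

    Order matters: loopback and conntrack first, SSH from the management range
    only, then the public ports; anything else falls through to the DROP
    policy. A port may be an int or an iptables range such as "33350:33359".
    """
    mgmt = ipaddress.ip_network(mgmt_cidr, strict=False)  # ValueError on junk
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",  # assumption: this box does not route
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -m state --state INVALID -j DROP",
        f"-A INPUT -s {mgmt} -p tcp -m tcp --dport {ssh_port} -j ACCEPT",
    ]
    lines += [f"-A INPUT -p tcp -m tcp --dport {p} -j ACCEPT" for p in tcp_ports]
    lines += [f"-A INPUT -p udp -m udp --dport {p} -j ACCEPT" for p in udp_ports]
    lines += ["-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT", "COMMIT"]
    return "\n".join(lines) + "\n"


def apply_with_rollback(ruleset, seconds=60):
    """Load the ruleset (only the filter table is replaced; nat and mangle are
    left alone) and keep it only if the operator presses Enter within
    `seconds`; otherwise reload the previous rules. Needs root; the offline
    demo never calls this."""
    previous = subprocess.run(["iptables-save"], check=True,
                              capture_output=True, text=True).stdout
    subprocess.run(["iptables-restore"], input=ruleset, check=True, text=True)
    print(f"Rules loaded. Open a NEW ssh session now; press Enter here within "
          f"{seconds}s to keep them, or wait for the automatic rollback.")
    ready, _, _ = select.select([sys.stdin], [], [], seconds)
    if ready and sys.stdin.readline():
        return True
    subprocess.run(["iptables-restore"], input=previous, check=True, text=True)
    return False


if __name__ == "__main__":
    # Placeholders: a documentation range for management, the ports from the thread.
    rules = build_ruleset("203.0.113.0/24", tcp_ports=(80, "33350:33359"))
    if "--apply" in sys.argv:
        print("kept" if apply_with_rollback(rules) else "rolled back")
    else:
        sys.stdout.write(rules)  # review the output, then re-run with --apply as root
```

Run it inside screen or tmux (or under nohup) so the rollback timer survives if your own connection is cut. The session you start it from stays up either way: conntrack entries survive a table reload and the ESTABLISHED rule keeps matching them, which is exactly why the proof that the rules are right is a fresh login, not the one you already have.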
 
Old 02-16-2014, 11:02 AM   #12
welshdemon
LQ Newbie
 
Registered: Oct 2009
Posts: 13

Original Poster
Rep: Reputation: 0
Thanks for a helpful answer yzT!

I used those rules, yet a portscan still shows these as being open: 25,80,81,110,119,143,465,563,587,3128,8080,8081,8888
OK it was a full "Connect" portscan and not "SYN", but still, surely if incoming is set to drop, there should be no reply?


Does this look correct?

Code:
# Generated by iptables-save v1.4.7 on Sun Feb 16 17:04:15 2014
*nat
:PREROUTING ACCEPT [5271:292487]
:POSTROUTING ACCEPT [178:10289]
:OUTPUT ACCEPT [178:10289]
COMMIT
# Completed on Sun Feb 16 17:04:15 2014
# Generated by iptables-save v1.4.7 on Sun Feb 16 17:04:15 2014
*mangle
:PREROUTING ACCEPT [52659:4845763]
:INPUT ACCEPT [52659:4845763]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [46134:65995471]
:POSTROUTING ACCEPT [46134:65995471]
COMMIT
# Completed on Sun Feb 16 17:04:15 2014
# Generated by iptables-save v1.4.7 on Sun Feb 16 17:04:15 2014
*filter
:INPUT DROP [611:30859]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [46134:65995471]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
 
Old 02-16-2014, 11:08 AM   #13
welshdemon
LQ Newbie
 
Registered: Oct 2009
Posts: 13

Original Poster
Rep: Reputation: 0
OK, banner grabbing only shows anything for port 80, which of course should be open. The rest show nothing, which makes me think they are being blocked after all. But why does the port scan show them as open? This will lead script kiddy scans to show my server up with lots of services, and they might start poking at it. This is exactly what I'm trying to avoid.


Code:
SuperScan Report - 02/16/14 17:04:37

IP *******
Hostname [Unknown]
TCP Ports (13)
25 Simple Mail Transfer
80 World Wide Web HTTP
81 HOSTS2 Name Server
110 Post Office Protocol - Version 3
119 Network News Transfer Protocol
143 Internet Message Access Protocol
465 SMTPS
563 nntp protocol over TLS/SSL
587 Message Submission (Sendmail)
3128 Squid HTTP Proxy
8080 HTTP / HTTP Proxy
8081 HTTP / HTTP Proxy
8888 NewsEDGE server TCP / AnswerBook2

TCP Port Banner
80 World Wide Web HTTP
HTTP/1.1 200 OK
Date: Sun, 16 Feb 2014 17:13:15 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8
 
Old 02-16-2014, 03:04 PM   #14
yzT!
Member
 
Registered: Jan 2013
Distribution: LMDE / Kali
Posts: 94

Rep: Reputation: 2
The point is: do you need those services running? If the answer is no, then you know what you have to do...
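A way to see what the scan is really reporting, as an added example rather than anything posted in the thread. A connect scan marks a port "open" the moment the TCP handshake completes, so a port that completes the handshake but never sends a byte, even when poked with a request, is not behaving like the service the scanner's port table names; a host whose INPUT policy is DROP sends nothing at all and shows up as filtered, and a port with nothing listening answers with a reset. The script classifies each port into those four cases, and also parses /proc/net/tcp so the question in the post above ("do you need those services running?") can be answered on the server itself rather than from the scan. The HTTP probe, the abbreviated /proc/net/tcp sample and the local fake listeners are constructed for the offline demo.

```python
import socket
import threading
import time

# Added example. The probe is an assumption: an HTTP HEAD is harmless on web
# and proxy ports, and most other daemons answer it with a greeting or an error.
HTTP_PROBE = b"HEAD / HTTP/1.0\r\nHost: localhost\r\n\r\n"

# Constructed, abbreviated /proc/net/tcp: state 0A is LISTEN (ports 0x50=80 and
# 0x16=22); the 01 (ESTABLISHED) row must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 12345
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 12346
   2: 0100007F:C350 0100007F:0050 01 00000000:00000000 00:00000000 00000000 1000 0 12347
"""


def classify_port(host, port, timeout=2.0, probe=HTTP_PROBE):
    """Connect-scan one port. Returns (state, banner) where state is 'filtered'
    (no SYN/ACK, no RST: what -j DROP produces), 'closed' (RST), 'open-silent'
    (handshake completed but nothing ever talks back) or 'open-banner'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
    except ConnectionRefusedError:
        sock.close()
        return "closed", b""
    except OSError:  # socket.timeout, no route, etc.
        sock.close()
        return "filtered", b""
    banner = b""
    try:
        try:  # SMTP/POP3/IMAP/NNTP/FTP greet first, so listen before speaking
            banner = sock.recv(1024)
        except socket.timeout:
            pass
        if not banner and probe:  # web and proxy ports wait for the client
            sock.sendall(probe)
            try:
                banner = sock.recv(1024)
            except socket.timeout:
                pass
    except OSError:
        pass  # reset or closed by the peer after the handshake: still "open"
    finally:
        sock.close()
    return ("open-banner" if banner else "open-silent"), banner


def listening_ports(proc_net_tcp_text):
    """Parse /proc/net/tcp or tcp6 text and return the sorted LISTEN ports."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 4 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return sorted(ports)


def start_fake_listener(banner=b"", hold=2.0):
    """Constructed local listener for the offline demo: accepts one connection,
    sends `banner` if given, holds the socket `hold` seconds, then closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            if banner:
                conn.sendall(banner)
            time.sleep(hold)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_closed_port():
    """An ephemeral port nothing listens on (bound, then released), for the demo."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    demo = {"smtp-like": start_fake_listener(b"220 mail.example.test ESMTP\r\n"),
            "silent": start_fake_listener(), "closed": free_closed_port()}
    for name, port in demo.items():
        state, banner = classify_port("127.0.0.1", port, timeout=0.5)
        print(f"{name:10} {port:5} {state:12} {banner[:40]!r}")
    try:  # on the server itself: what is really listening?
        with open("/proc/net/tcp") as fh:
            print("LISTEN on this host:", listening_ports(fh.read()))
    except OSError:
        print("LISTEN in sample:", listening_ports(SAMPLE_PROC_NET_TCP))
```

Run classify_port against the server from outside for each port the scanner listed, and listening_ports on the server itself. A port the host does not listen on, yet which completes the handshake from outside, is being answered by something between the scanner and the host, and no INPUT rule on the host will change what that scanner shows; a port that really is in LISTEN state but that you do not need is a service to stop, not just to firewall.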
 
Old 02-17-2014, 01:52 AM   #15
ericson007
Member
 
Registered: Sep 2004
Location: Japan
Distribution: CentOS 6.5
Posts: 410

Rep: Reputation: 59
Just curious, does your VPS share an IP with other VPS servers?

Some companies do include a static ip but you have to request it first, like in the case of inmotion. Others have it included in the plan and activated.

Last edited by ericson007; 02-17-2014 at 02:03 AM.
 
  

