THE SECURITY SHIELD OF ANONYMOUS

Hello folks! Today I want to show you my iptables security configuration and the equivalent MikroTik one, with an explanation of each part. Let's begin!

This is the first part, which protects you from DDoS and DoS attacks; it also restricts ping in both directions.

-A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -m comment --comment NO_DDOS_RULES -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m comment --comment NO_DDOS_RULES -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m comment --comment NO_DDOS_RULES -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -m comment --comment NO_DDOS_RULES -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,ACK FIN -m comment --comment NO_DDOS_RULES -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags ACK,URG URG -m comment --comment NO_DDOS_RULES -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags PSH,ACK PSH -m comment --comment NO_DDOS_RULES -j DROP
-A PREROUTING -m conntrack --ctstate INVALID -m comment --comment NO_DDOS_RULES -j DROP
-A PREROUTING -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -m comment --comment NO_DDOS_RULES -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m comment --comment NO_DDOS_RULES -j DROP
-A PREROUTING -s 224.0.0.0/3 -m comment --comment NO_DDOS_RULES -j DROP
-A PREROUTING -s 169.254.0.0/16 -m comment --comment NO_DDOS_RULES -j DROP
-A PREROUTING -s 172.16.0.0/12 -m comment --comment NO_DDOS_RULES -j DROP
-A PREROUTING -s 192.0.2.0/24 -m comment --comment NO_DDOS_RULES -j DROP
-A PREROUTING -s 192.168.0.0/16 -m comment --comment NO_DDOS_RULES -j DROP
-A PREROUTING -s 240.0.0.0/5 -m comment --comment NO_DDOS_RULES -j DROP
-A PREROUTING -s 127.0.0.0/8 ! -i lo -m comment --comment NO_DDOS_RULES -j DROP
-A PREROUTING -p icmp -m comment --comment NO_ICMP -j DROP
-A PREROUTING -f -m comment --comment NO_DDOS_RULES -j DROP
These are the rules that allow me to reach the Cisco DNS services:
-A PREROUTING -s 208.67.222.123 -p udp -m udp --sport 53 -m state --state NEW,ESTABLISHED -m comment --comment DNS_CISCO_INPUT -j ACCEPT

-A POSTROUTING -d 208.67.220.123 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -m comment --comment DNS_CISCO_OUTPUT -j ACCEPT

This is a large block of rules that allows me to connect to public VPN services such as Psiphon and Thunder VPN:

-A PREROUTING -p tcp -s 8.21.110.66 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT
-A PREROUTING -p tcp -s 194.28.84.109 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT
-A PREROUTING -p tcp -s 79.142.76.177 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT
-A PREROUTING -p tcp -s 198.98.50.134 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT
-A PREROUTING -p tcp -s 185.236.202.74 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT
-A PREROUTING -p tcp -s 193.9.114.186 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT
-A PREROUTING -p tcp -s 37.46.114.43 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT
-A PREROUTING -p tcp -s 87.101.92.226 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT
-A PREROUTING -p tcp -s 172.104.129.8 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT
-A PREROUTING -p tcp -s 213.108.105.86 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT
-A PREROUTING -p tcp -s 209.95.50.117 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT
-A PREROUTING -p tcp -s 128.127.104.95 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT
-A PREROUTING -p tcp -s 185.189.115.74 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT
-A PREROUTING -p tcp -s 162.159.192.5 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT
-A PREROUTING -p tcp -s 88.202.230.183 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT
-A PREROUTING -p tcp -s 23.88.33.159 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT
-A PREROUTING -p tcp -s 198.7.62.204 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT
-A PREROUTING -p tcp -s 51.38.83.188 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT
-A PREROUTING -p tcp -s 185.186.142.71 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT
-A PREROUTING -p tcp -s 45.137.155.59 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT
-A PREROUTING -p tcp -s 51.195.37.158 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT
-A PREROUTING -p tcp -s 51.75.74.253 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT
-A PREROUTING -p tcp -s 192.168.218.226 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT
-A PREROUTING -p tcp -s 139.162.246.212 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT
-A PREROUTING -p tcp -s 165.231.190.10 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT
-A PREROUTING -p tcp -s 51.15.105.14 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT
-A PREROUTING -p tcp -s 196.240.126.98 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT
-A PREROUTING -p tcp -s 165.231.161.146 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT
-A PREROUTING -p tcp -s 178.62.40.168 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT
-A PREROUTING -p tcp -s 82.196.8.19 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT
-A PREROUTING -p tcp -s 196.196.203.130 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT
-A PREROUTING -p tcp -s 109.248.11.129 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT
-A PREROUTING -p tcp -s 185.225.210.35 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT
-A PREROUTING -p tcp -s 5.255.88.7 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT
-A PREROUTING -p tcp -s 192.46.234.109 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT
-A PREROUTING -p tcp -s 139.162.159.188 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT
-A PREROUTING -p tcp -s 196.196.51.10 -m multiport --sports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_TCP -j ACCEPT

-A POSTROUTING -p tcp -d 8.21.110.66 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT
-A POSTROUTING -p tcp -d 194.28.84.109 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT
-A POSTROUTING -p tcp -d 79.142.76.177 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT
-A POSTROUTING -p tcp -d 198.98.50.134 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT
-A POSTROUTING -p tcp -d 185.236.202.74 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT
-A POSTROUTING -p tcp -d 193.9.114.186 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT
-A POSTROUTING -p tcp -d 37.46.114.43 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT
-A POSTROUTING -p tcp -d 87.101.92.226 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT
-A POSTROUTING -p tcp -d 172.104.129.8 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT
-A POSTROUTING -p tcp -d 213.108.105.86 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT
-A POSTROUTING -p tcp -d 209.95.50.117 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT
-A POSTROUTING -p tcp -d 128.127.104.95 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT
-A POSTROUTING -p tcp -d 185.189.115.74 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT
-A POSTROUTING -p tcp -d 162.159.192.5 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT
-A POSTROUTING -p tcp -d 88.202.230.183 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT
-A POSTROUTING -p tcp -d 23.88.33.159 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT
-A POSTROUTING -p tcp -d 198.7.62.204 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT
-A POSTROUTING -p tcp -d 51.38.83.188 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT
-A POSTROUTING -p tcp -d 185.186.142.71 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT
-A POSTROUTING -p tcp -d 45.137.155.59 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT
-A POSTROUTING -p tcp -d 51.195.37.158 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT
-A POSTROUTING -p tcp -d 51.75.74.253 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT
-A POSTROUTING -p tcp -d 192.168.218.226 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT
-A POSTROUTING -p tcp -d 139.162.246.212 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT
-A POSTROUTING -p tcp -d 165.231.190.10 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT
-A POSTROUTING -p tcp -d 51.15.105.14 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT
-A POSTROUTING -p tcp -d 196.240.126.98 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT
-A POSTROUTING -p tcp -d 165.231.161.146 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT
-A POSTROUTING -p tcp -d 178.62.40.168 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT
-A POSTROUTING -p tcp -d 82.196.8.19 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT
-A POSTROUTING -p tcp -d 196.196.203.130 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT
-A POSTROUTING -p tcp -d 109.248.11.129 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT
-A POSTROUTING -p tcp -d 185.225.210.35 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT
-A POSTROUTING -p tcp -d 5.255.88.7 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT
-A POSTROUTING -p tcp -d 192.46.234.109 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT
-A POSTROUTING -p tcp -d 139.162.159.188 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT
-A POSTROUTING -p tcp -d 196.196.51.10 -m multiport --dports 50505,7449,7450,8082,22104,80,443,1195 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_TCP -j ACCEPT

-A PREROUTING -p udp -s 8.21.110.66 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 8.21.110.66 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 194.28.84.109 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 194.28.84.109 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 79.142.76.177 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 79.142.76.177 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 198.98.50.134 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 198.98.50.134 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 185.236.202.74 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 185.236.202.74 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 193.9.114.186 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 193.9.114.186 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 37.46.114.43 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 37.46.114.43 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 87.101.92.226 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 87.101.92.226 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 172.104.129.8 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 172.104.129.8 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 213.108.105.86 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 213.108.105.86 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 209.95.50.117 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 209.95.50.117 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 128.127.104.95 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 128.127.104.95 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 185.189.115.74 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 185.189.115.74 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 162.159.192.5 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 162.159.192.5 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 88.202.230.183 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 88.202.230.183 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 23.88.33.159 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 23.88.33.159 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 198.7.62.204 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 198.7.62.204 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 51.38.83.188 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 51.38.83.188 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 185.186.142.71 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 185.186.142.71 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 45.137.155.59 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 45.137.155.59 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 51.195.37.158 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 51.195.37.158 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 51.75.74.253 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 51.75.74.253 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 192.168.218.226 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 192.168.218.226 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 139.162.246.212 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 139.162.246.212 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 165.231.190.10 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 165.231.190.10 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 51.15.105.14 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 51.15.105.14 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 196.240.126.98 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 196.240.126.98 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 165.231.161.146 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 165.231.161.146 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 178.62.40.168 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 178.62.40.168 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 82.196.8.19 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 82.196.8.19 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 196.196.203.130 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 196.196.203.130 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 109.248.11.129 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 109.248.11.129 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 185.225.210.35 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 185.225.210.35 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 5.255.88.7 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 5.255.88.7 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 192.46.234.109 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 192.46.234.109 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 139.162.159.188 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 139.162.159.188 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 196.196.51.10 -m multiport --sports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT
-A PREROUTING -p udp -s 196.196.51.10 -m multiport --sports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_INPUT_UDP -j ACCEPT

-A POSTROUTING -p udp -d 8.21.110.66 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 8.21.110.66 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 194.28.84.109 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 194.28.84.109 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 79.142.76.177 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 79.142.76.177 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 198.98.50.134 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 198.98.50.134 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 185.236.202.74 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 185.236.202.74 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 193.9.114.186 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 193.9.114.186 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 37.46.114.43 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 37.46.114.43 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 87.101.92.226 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 87.101.92.226 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 172.104.129.8 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 172.104.129.8 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 213.108.105.86 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 213.108.105.86 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 209.95.50.117 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 209.95.50.117 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 128.127.104.95 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 128.127.104.95 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 185.189.115.74 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 185.189.115.74 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 162.159.192.5 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 162.159.192.5 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 88.202.230.183 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 88.202.230.183 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 23.88.33.159 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 23.88.33.159 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 198.7.62.204 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 198.7.62.204 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 51.38.83.188 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 51.38.83.188 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 185.186.142.71 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 185.186.142.71 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 45.137.155.59 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 45.137.155.59 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 51.195.37.158 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 51.195.37.158 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 51.75.74.253 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 51.75.74.253 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 192.168.218.226 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 192.168.218.226 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 139.162.246.212 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 139.162.246.212 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 165.231.190.10 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 165.231.190.10 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 51.15.105.14 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 51.15.105.14 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 196.240.126.98 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 196.240.126.98 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 165.231.161.146 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 165.231.161.146 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 178.62.40.168 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 178.62.40.168 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 82.196.8.19 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 82.196.8.19 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 196.196.203.130 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 196.196.203.130 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 109.248.11.129 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 109.248.11.129 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 185.225.210.35 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 185.225.210.35 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 5.255.88.7 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 5.255.88.7 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 192.46.234.109 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 192.46.234.109 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 139.162.159.188 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 139.162.159.188 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 196.196.51.10 -m multiport --dports 33451,5060,4569,1900,7449,7450,2408,500,1701,4500,25000,13859,16200,50633,11488 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT
-A POSTROUTING -p udp -d 196.196.51.10 -m multiport --dports 16615,19697 -m state --state NEW,ESTABLISHED -m comment --comment VPN_OUTPUT_UDP -j ACCEPT

Here are the rules for accessing the Binance IPs; I captured them with my Mikrotik hardware and you can do the same as I did, I just don't want to publish them:

-A PREROUTING -s "PUT YOUR BINANCE IP HERE" -m state --state NEW,ESTABLISHED -m comment --comment BINANCE_INPUT -j ACCEPT
-A PREROUTING -s "PUT YOUR BINANCE IP HERE" -m state --state NEW,ESTABLISHED -m comment --comment BINANCE_INPUT -j ACCEPT

-A POSTROUTING -d "PUT YOUR BINANCE IP HERE" -m state --state NEW,ESTABLISHED -m comment --comment BINANCE_OUTPUT -j ACCEPT
-A POSTROUTING -d "PUT YOUR BINANCE IP HERE" -m state --state NEW,ESTABLISHED -m comment --comment BINANCE_OUTPUT -j ACCEPT

In this section I have accept rules for the requests forwarded to my internet bank, which my bank provided specifically for me:

-A PREROUTING -s "PUT YOUR BANK IP HERE"/32 -p tcp --sport 443 -m state --state NEW,ESTABLISHED -m comment --comment BANK_INPUT -j ACCEPT
-A PREROUTING -s "PUT YOUR BANK IP HERE"/32 -p tcp --sport 443 -m state --state NEW,ESTABLISHED -m comment --comment BANK_INPUT -j ACCEPT

-A POSTROUTING -d "PUT YOUR BANK IP HERE"/32 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -m comment --comment BANK_OUTPUT -j ACCEPT
-A POSTROUTING -d "PUT YOUR BANK IP HERE"/32 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -m comment --comment BANK_OUTPUT -j ACCEPT

These rules accept our requests to your router, which can go over either the telnet or the web protocol, and only from our interface that is connected to the router:

-A PREROUTING -i enp0s25 -s 10.0.1.1 -p tcp -m multiport --sports 23,80 -m state --state NEW,ESTABLISHED -m comment --comment ROUTER_TELNET_INPUT -j ACCEPT
-A POSTROUTING -o enp0s25 -d 10.0.1.1 -p tcp -m multiport --dports 23,80 -m state --state NEW,ESTABLISHED -m comment --comment ROUTER_TELNET_OUTPUT -j ACCEPT
-A PREROUTING -i enp0s25 -s 10.0.1.1 -p tcp --sport 80 -m state --state NEW,ESTABLISHED -m comment --comment ROUTER_WEB_INPUT -j ACCEPT
-A POSTROUTING -o enp0s25 -d 10.0.1.1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -m comment --comment ROUTER_WEB_OUTPUT -j ACCEPT
In here we drop all requests aimed at specific ports of our machine, such as ssh, telnet, ftp, Active Directory LDAP, rdp:
-A PREROUTING -i lo -p tcp -m multiport --sports 22,23,3389,21,20,389,636 -m state --state NEW,ESTABLISHED -m comment --comment NO_ACCESS_INPUT -j DROP
-A PREROUTING -i lo -p udp -m multiport --sports 21,20,22,23,389,636 -m state --state NEW,ESTABLISHED -m comment --comment NO_ACCESS_INPUT -j DROP
-A POSTROUTING -o lo -p tcp -m multiport --dports 22,23,3389,21,20,389,636 -m state --state NEW,ESTABLISHED -m comment --comment NO_ACCESS_OUTPUT -j DROP
-A POSTROUTING -o lo -p udp -m multiport --dports 21,20,22,23,389,636 -m state --state NEW,ESTABLISHED -m comment --comment NO_ACCESS_OUTPUT -j DROP
This rule allows any traffic only from the VPN interfaces of your Linux machine:
-A PREROUTING -i tun2 -m comment --comment ACCEPT_VPN_INTERFACE_INPUT -j ACCEPT
-A PREROUTING -i tun0 -m comment --comment ACCEPT_VPN_INTERFACE_INPUT -j ACCEPT
-A POSTROUTING -o tun2 -m comment --comment ACCEPT_VPN_INTERFACE_OUTPUT -j ACCEPT
-A POSTROUTING -o tun0 -m comment --comment ACCEPT_VPN_INTERFACE_OUTPUT -j ACCEPT
Next we allow access to our Grafana server:
-A PREROUTING -i lo -s 127.0.0.1/32 -m comment --comment ACCEPT_GRAFANA_INPUT -j ACCEPT
-A POSTROUTING -o lo -d 127.0.0.1/32 -m comment --comment ACCEPT_GRAFANA_OUTPUT -j ACCEPT
This part restricts all unexpected traffic in prerouting and postrouting that was not accepted by the other rules:
-P FORWARD DROP
-P PREROUTING DROP
-P POSTROUTING DROP
This configuration is easy to install: just paste it into a text file and then run the following command in your terminal:
sudo iptables-restore < yourfile.txt
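One catch with that command: iptables-restore only accepts a file that starts with a table header (`*table`) and ends with `COMMIT`, and the PREROUTING, FORWARD and POSTROUTING chains all exist together only in the mangle table. The helper below is an added example, not part of the original post; `wrap_mangle_ruleset` is a hypothetical name, and the sample rules fed to it are constructed from the lines above.

```shell
#!/bin/sh
# Added example (not from the original post): wrap a bare list of
# "-A <chain> ..." and "-P <chain> <policy>" lines into the
# "*mangle ... COMMIT" layout that iptables-restore requires.
# Assumption: the rules target the mangle table, the only table whose
# built-in chains include PREROUTING, FORWARD and POSTROUTING together.

# wrap_mangle_ruleset: reads rule lines on stdin, prints a restore file.
# "-P CHAIN POLICY" lines become ":CHAIN POLICY [0:0]" headers; chains
# without a -P line keep ACCEPT. Any line that is not -A/-P, or that names
# a chain the mangle table does not have, makes the function return 1.
wrap_mangle_ruleset() {
    awk '
    BEGIN {
        n = split("PREROUTING INPUT FORWARD OUTPUT POSTROUTING", order, " ")
        for (i = 1; i <= n; i++) policy[order[i]] = "ACCEPT"
        bad = 0
    }
    # blank lines and # comments are skipped
    /^[[:space:]]*$/ || /^#/ { next }
    $1 == "-P" {
        if (NF != 3 || !($2 in policy)) {
            print "bad policy line: " $0 > "/dev/stderr"; bad = 1; next
        }
        policy[$2] = $3; next
    }
    $1 == "-A" {
        if (!($2 in policy)) {
            print "unknown mangle chain: " $2 > "/dev/stderr"; bad = 1; next
        }
        rule[++r] = $0; next
    }
    { print "unsupported line: " $0 > "/dev/stderr"; bad = 1 }
    END {
        if (bad) exit 1
        print "*mangle"
        for (i = 1; i <= n; i++) print ":" order[i] " " policy[order[i]] " [0:0]"
        for (i = 1; i <= r; i++) print rule[i]
        print "COMMIT"
    }'
}

# Demo on a constructed sample taken from the VPN-interface and policy lines
# of the post; real use would be: wrap_mangle_ruleset < yourfile.txt > restore.txt
wrap_mangle_ruleset <<'EOF'
-A PREROUTING -i tun0 -m comment --comment ACCEPT_VPN_INTERFACE_INPUT -j ACCEPT
-A POSTROUTING -o tun0 -m comment --comment ACCEPT_VPN_INTERFACE_OUTPUT -j ACCEPT
-P FORWARD DROP
-P PREROUTING DROP
-P POSTROUTING DROP
EOF
```

Check the generated file with `sudo iptables-restore --test restore.txt` before loading it for real; the parse-only run reports syntax errors without touching the live ruleset.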
These are all the rules you need for security, but next I will use the same rules for your Mikrotik. Just paste this into your Mikrotik terminal

BE CAREFUL, THERE ARE RULES THAT CAN LOCK YOU OUT OF YOUR MIKROTIK FOREVER

/ip firewall filter
add action=fasttrack-connection chain=forward comment=fasttrack \
    connection-state=established,related protocol=tcp src-address=10.0.1.0/24
add action=fasttrack-connection chain=forward protocol=udp src-address=\
    10.0.1.0/24
add action=add-src-to-address-list address-list=CONNECTION_LIMIT \
    address-list-timeout=1d chain=input comment=conn_limit connection-limit=\
    32,32 dst-address=10.0.1.0/24 log=yes log-prefix="ATTACK LIMIT 32" \
    protocol=tcp
add action=accept chain=forward comment=accept_valid connection-state=\
    established,related in-interface=pppoe-out1
add action=reject chain=forward comment=reject_invalid connection-state=\
    invalid in-interface=pppoe-out1 reject-with=icmp-network-unreachable
add action=reject chain=input comment=ddos_filter connection-state=new \
    in-interface=pppoe-out1 protocol=tcp reject-with=icmp-network-unreachable \
    tcp-mss=!536-65535
add action=reject chain=input in-interface=pppoe-out1 protocol=tcp \
    reject-with=icmp-network-unreachable tcp-flags=fin,syn
add action=reject chain=input in-interface=pppoe-out1 protocol=tcp \
    reject-with=icmp-network-unreachable tcp-flags=syn,rst
add action=reject chain=input in-interface=pppoe-out1 protocol=tcp \
    reject-with=icmp-network-unreachable tcp-flags=fin,rst
add action=reject chain=input in-interface=pppoe-out1 protocol=tcp \
    reject-with=icmp-network-unreachable tcp-flags=fin,ack
add action=reject chain=input in-interface=pppoe-out1 protocol=tcp \
    reject-with=icmp-network-unreachable tcp-flags=ack,urg
add action=reject chain=input in-interface=pppoe-out1 protocol=tcp \
    reject-with=icmp-network-unreachable tcp-flags=psh,ack
add action=reject chain=input connection-state=new in-interface=pppoe-out1 \
    protocol=tcp reject-with=icmp-network-unreachable tcp-flags=\
    !fin,!syn,!rst,!ack
add action=reject chain=forward comment=no_icmp in-interface=pppoe-out1 \
    protocol=icmp reject-with=icmp-network-unreachable
add action=reject chain=input in-interface=pppoe-out1 protocol=icmp \
    reject-with=icmp-network-unreachable
add action=reject chain=forward comment=reject_local dst-address=10.0.1.0/24 \
    in-interface=pppoe-out1 reject-with=icmp-network-unreachable \
    src-address-list=LOCAL
add action=reject chain=input in-interface=pppoe-out1 reject-with=\
    icmp-network-unreachable src-address-list=LOCAL
add action=accept chain=forward comment=DNS out-interface=pppoe-out1 port=53 \
    protocol=udp src-address=10.0.1.0/24
add action=accept chain=forward comment=GLOBAL disabled=yes out-interface=\
    pppoe-out1 port=443 protocol=tcp src-address=10.0.1.0/24
add action=accept chain=forward comment=STEAM disabled=yes dst-address-list=\
    STEAM out-interface=pppoe-out1 port=27015,27015-27030,80 protocol=tcp \
    src-address=10.0.1.0/24
add action=accept chain=forward disabled=yes dst-address-list=STEAM \
    out-interface=pppoe-out1 port=27015-27030,27000-27100,4380,3478,4379,4380 \
    protocol=udp src-address=10.0.1.0/24
add action=reject chain=forward comment=DROP_MICROSOFT dst-address-list=\
    MICROSOFT out-interface=pppoe-out1 reject-with=icmp-network-unreachable \
    src-address=10.0.1.0/24
add action=accept chain=forward comment=VPN dst-address-list=VPN \
    out-interface=pppoe-out1 port="33451,5060,4569,1900,7449,7450,2408,500,170\
    1,4500,25000,13859,16200,50633,11488" protocol=udp src-address=\
    10.0.1.0/24
add action=accept chain=forward dst-address-list=VPN out-interface=pppoe-out1 \
    port=16615,19697 protocol=udp src-address=10.0.1.0/24
add action=accept chain=forward dst-address-list=VPN out-interface=pppoe-out1 \
    port=50505,7449,7450,8082,22104,80,443,1195 protocol=tcp src-address=\
    10.0.1.0/24
add action=accept chain=forward comment=TOR dst-address-list=TOR \
    out-interface=pppoe-out1 port=9150,27020,27015,38224,63425,8444,443,80 \
    protocol=tcp src-address=10.0.1.0/24
add action=accept chain=forward comment=BINANCE dst-address-list=BINANCE \
    out-interface=pppoe-out1 port=443 protocol=tcp src-address=10.0.1.0/24
add action=accept chain=forward comment=BANK dst-address-list=BANK \
    out-interface=pppoe-out1 port=443 protocol=tcp src-address=10.0.1.0/24
add action=accept chain=forward in-interface=pppoe-out1 port=443 protocol=tcp \
    src-address-list=BANK
add action=accept chain=input comment=Established_Wan_Accept \
    connection-state=established dst-address=10.0.1.1 dst-address-list=VPN
add action=reject chain=forward comment=NO_ACCESS reject-with=\
    icmp-network-unreachable src-address-list=NO_ACCESS_LIST
add action=reject chain=input log-prefix="ATTACK ACCESS INPUT" reject-with=\
    icmp-network-unreachable src-address-list=NO_ACCESS_LIST
add action=add-src-to-address-list address-list=NO_ACCESS_LIST \
    address-list-timeout=none-dynamic chain=forward comment=NO_ACCESS_LIST \
    dst-address=10.0.1.0/24 in-interface=pppoe-out1 log=yes log-prefix=\
    "ATTACK NO ACCESS FRWD ADD SRC" port=22,23,3389,21,20,389,636 protocol=\
    tcp
add action=add-src-to-address-list address-list=NO_ACCESS_LIST \
    address-list-timeout=none-dynamic chain=forward dst-address=10.0.1.0/24 \
    in-interface=pppoe-out1 log=yes log-prefix=\
    "ATTACK NO ACCESS FRWD ADD SRC" port=21,20,22,23,389,636 protocol=udp
add action=add-src-to-address-list address-list=NO_ACCESS_LIST \
    address-list-timeout=none-dynamic chain=input dst-address=10.0.1.0/24 \
    in-interface=pppoe-out1 log=yes log-prefix=\
    "ATTACK NO ACCESS INPUT ADD SRC" port=22,23,3389,21,20,389,636,8291 \
    protocol=tcp
add action=add-src-to-address-list address-list=NO_ACCESS_LIST \
    address-list-timeout=none-dynamic chain=input dst-address=10.0.1.0/24 \
    in-interface=pppoe-out1 log=yes log-prefix=\
    "ATTACK NO ACCESS INPUT ADD SRC" port=22,23,3389,21,20,389,636,8291 \
    protocol=udp
add action=add-src-to-address-list address-list=NO_ACCESS_LIST \
    address-list-timeout=none-dynamic chain=input comment=REJECT_INPUT_LAN \
    disabled=yes dst-address=10.0.1.0/24 in-interface-list=LAN log=yes \
    log-prefix="ATTACK NO ACCESS INPUT ADD SRC" port=\
    21,20,22,23,389,636,80,8291 protocol=udp
add action=add-src-to-address-list address-list=NO_ACCESS_LIST \
    address-list-timeout=none-dynamic chain=input disabled=yes dst-address=\
    10.0.1.0/24 in-interface-list=LAN log-prefix=\
    "ATTACK NO ACCESS INPUT ADD SRC" port=22,23,3389,21,20,389,636,8291 \
    protocol=tcp
add action=reject chain=input comment=PORT_BROOT in-interface=pppoe-out1 log=\
    yes log-prefix="ATTACK PORT BROOT INPUT" protocol=tcp reject-with=\
    icmp-network-unreachable src-address-list=PORT_BROOT_DROP
add action=add-src-to-address-list address-list=PORT_BROOT_DROP \
    address-list-timeout=none-dynamic chain=input comment=PORT_BROOT_ADD_LIST \
    dst-port=98 in-interface=pppoe-out1 log=yes log-prefix=\
    "ATTACK PORT BROOT INPUT ADD SRC" protocol=tcp
add action=reject chain=forward dst-address-list=JABBER log-prefix=CHILLI \
    reject-with=icmp-network-unreachable
add action=accept chain=input comment=Allow_limited_pings dst-address=\
    10.0.1.0/24 in-interface=pppoe-out1 limit=50/5s,2:packet protocol=icmp
add action=tarpit chain=input connection-limit=3,32 log=yes log-prefix=\
    "LIMITED PINGS" protocol=tcp src-address-list=BLOCKED_ADDR
add action=add-dst-to-address-list address-list=CONNECTION_LIMIT \
    address-list-timeout=1d chain=input comment=Connection_limit \
    connection-limit=200,32 dst-address=10.0.1.0/24 in-interface=pppoe-out1 \
    log=yes log-prefix="LIMIT 200" protocol=tcp
add action=reject chain=input comment=Adr_list_connection-limit_drop \
    dst-address=10.0.1.0/24 in-interface=pppoe-out1 log=yes log-prefix=\
    "CONNECTION LIMIT RJCT" reject-with=icmp-network-unreachable \
    src-address-list=CONNECTION_LIMIT
add action=reject chain=input comment=Port_scanner_drop in-interface=\
    pppoe-out1 reject-with=icmp-network-unreachable src-address-list=\
    PORT_SCANNERS
add action=add-src-to-address-list address-list=PORT_SCANNERS \
    address-list-timeout=none-dynamic chain=input in-interface=pppoe-out1 \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=PORT_SCANNERS \
    address-list-timeout=none-dynamic chain=input in-interface=pppoe-out1 \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=PORT_SCANNERS \
    address-list-timeout=none-dynamic chain=input in-interface=pppoe-out1 \
    protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=PORT_SCANNERS \
    address-list-timeout=none-dynamic chain=input in-interface=pppoe-out1 \
    protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=PORT_SCANNERS \
    address-list-timeout=none-dynamic chain=input in-interface=pppoe-out1 \
    protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=PORT_SCANNERS \
    address-list-timeout=none-dynamic chain=input in-interface=pppoe-out1 \
    protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=PORT_SCANNERS \
    address-list-timeout=none-dynamic chain=input in-interface=pppoe-out1 \
    protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=reject chain=input comment=Pings_Drop dst-address=10.0.1.0/24 \
    in-interface=pppoe-out1 protocol=icmp reject-with=\
    icmp-network-unreachable
add action=reject chain=input comment=Drop_winbox_black_list dst-address=\
    10.0.1.0/24 dst-port=5323,5324 in-interface=pppoe-out1 log=yes \
    log-prefix="BLACK LIST ATTACK" protocol=tcp reject-with=\
    icmp-network-unreachable src-address-list=BLACK_LIST
add action=add-src-to-address-list address-list=BLACK_LIST \
    address-list-timeout=5m chain=input comment=Winbox_add_black_list \
    connection-state=new dst-address=10.0.1.0/24 dst-port=5323,5324 \
    in-interface=pppoe-out1 protocol=tcp src-address-list=SSH_STAGE_3
add action=add-src-to-address-list address-list=SSH_STAGE_1 \
    address-list-timeout=1m chain=input comment=Winbox_Ssh_stage1 \
    connection-state=new dst-address=10.0.1.0/24 dst-port=5323,5324 \
    in-interface=pppoe-out1 protocol=tcp
add action=accept chain=input comment=Accept_Winbox_Ssh dst-port=5323,5324 \
    in-interface=pppoe-out1 protocol=tcp src-address=10.0.1.0/24
add action=accept chain=input comment=Related_Wan_Accept connection-state=\
    related dst-address=10.0.1.0/24
add action=reject chain=input comment=reject_input in-interface=pppoe-out1 \
    log-prefix="ATTACK INPUT" reject-with=icmp-network-unreachable
add action=reject chain=input comment=reject_web_fig dst-address=10.0.1.0/24 \
    in-interface=pppoe-out1 port=80,22,23,8291 protocol=tcp reject-with=\
    icmp-network-unreachable
add action=reject chain=forward comment=reject_dev1 log-prefix="DEV1 RJCT" \
    out-interface=pppoe-out1 reject-with=icmp-network-unreachable \
    src-address=10.0.1.0/24 src-mac-address=PUT YOUR DEVICE MAC ADDRESS HERE
add action=reject chain=forward comment=reject_dev1 log-prefix=\
    "DEV1 RJCT" out-interface=pppoe-out1 reject-with=icmp-network-unreachable \
    src-address=10.0.1.0/24 src-mac-address=PUT YOUR DEVICE MAC ADDRESS HERE
add action=reject chain=forward comment=reject_dev2_eth out-interface=\
    pppoe-out1 reject-with=icmp-network-unreachable src-address=10.0.1.0/24 \
    src-mac-address=PUT YOUR DEVICE MAC ADDRESS HERE
add action=reject chain=forward comment=reject_dev2 log-prefix="HWI RJCT" \
    out-interface=pppoe-out1 reject-with=icmp-network-unreachable \
    src-address=10.0.1.0/24 src-mac-address=PUT YOUR DEVICE MAC ADDRESS HERE
add action=reject chain=forward comment=allow_only_dev3 log-prefix=\
    "ONLY DEV3 RJCT" out-interface=pppoe-out1 reject-with=\
    icmp-network-unreachable src-mac-address=!PUT YOUR DEVICE MAC ADDRESS HERE
add action=reject chain=forward comment=reject_dev4 out-interface=pppoe-out1 \
    reject-with=icmp-network-unreachable src-address=10.0.1.0/24 \
    src-mac-address=PUT YOUR DEVICE MAC ADDRESS HERE
add action=reject chain=input comment=REJECT_BRIDGE disabled=yes \
    in-interface=bridge1 out-interface=bridge1 reject-with=\
    icmp-network-unreachable
add action=reject chain=forward comment=reject_all log-prefix="ALL RJCT" \
    out-interface=pppoe-out1 reject-with=icmp-network-unreachable \
    src-address=10.0.1.0/24
add action=reject chain=output out-interface=pppoe-out1 reject-with=\
    icmp-network-unreachable src-address=10.0.1.0/24

Follow my twitter @derkodierer
