sergius@server:~$ sudo iptables -L -n
[sudo] password for sergius:
Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp flags:!0x17/0x02
ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:0x3F/0x3F
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:0x3F/0x00
DROP icmp -- 0.0.0.0/0 0.0.0.0/0
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
SYN_FLOOD tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 #conn/32 > 20
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 #conn/32 > 30
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 #conn/32 > 30
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306 #conn/32 > 50
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:411 #conn/32 > 40
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1209 #conn/32 > 40
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1411 #conn/32 > 40
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:11209 #conn/32 > 40
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2710 #conn/32 > 50
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:27025 #conn/32 > 15
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:27015 #conn/32 > 15
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ctstate RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ctstate NEW limit: avg 10/sec burst 10
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW limit: avg 20/sec burst 20
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW limit: avg 20/sec burst 20
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306 ctstate RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306 ctstate NEW limit: avg 30/sec burst 30
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:411 ctstate RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:411 ctstate NEW limit: avg 20/sec burst 20
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1209 ctstate RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1209 ctstate NEW limit: avg 20/sec burst 20
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1411 ctstate RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1411 ctstate NEW limit: avg 20/sec burst 20
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:11209 ctstate RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:11209 ctstate NEW limit: avg 20/sec burst 20
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2710 ctstate RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2710 ctstate NEW limit: avg 30/sec burst 30
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:27025 ctstate RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:27025 ctstate NEW limit: avg 10/sec burst 10
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:27015 ctstate RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:27015 ctstate NEW limit: avg 10/sec burst 10
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:411
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1209
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1411
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:11209
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2710
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:27025
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:27015
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:411
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1209
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1411
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:11209
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2710
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:27025
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:27015
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
Chain SYN_FLOOD (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 2/sec burst 6
DROP all -- 0.0.0.0/0 0.0.0.0/0
sergius@server:~$
sergius@server:~$ sudo iptables-save -c
# Generated by iptables-save v1.4.10 on Thu Oct 6 09:55:06 2011
#
# filter table dump with packet:byte counters (-c). Rules are evaluated top
# to bottom per chain; the first matching terminating target wins and a rule
# that does not match simply falls through to the next one. Counters of [0:0]
# on a rule that a busier rule above it would always catch are a hint that the
# lower rule is unreachable.
*filter
:INPUT DROP [44:2817]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:SYN_FLOOD - [0:0]
# New TCP connections must begin with a bare SYN (FIN/SYN/RST/ACK mask, only
# SYN set); anything else claiming to be NEW is dropped before any ACCEPT.
[0:0] -A INPUT -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
# IPsec ESP and AH accepted from any source.
[0:0] -A INPUT -p esp -j ACCEPT
[0:0] -A INPUT -p ah -j ACCEPT
# Loopback. `iptables -L -n` prints this as "ACCEPT all 0.0.0.0/0" because
# the interface match is only shown with -v; it is NOT an accept-everything.
[173:46397] -A INPUT -i lo -j ACCEPT
# Blanket accept for RELATED,ESTABLISHED. Because this sits above the
# per-port RELATED,ESTABLISHED accepts below, those per-port rules can never
# match (their counters are all 0:0).
[11440:9076530] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# DHCP client replies (server port 67 -> client port 68), any interface.
[1:349] -A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
[0:0] -A INPUT -m state --state INVALID -j DROP
# Malformed flag combinations: all six TCP flags set, and no flags set.
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
# NOTE(review): this drops every ICMP type, including destination-unreachable
# / fragmentation-needed, which path-MTU discovery depends on. Consider
# allowing those types (and echo-reply for outbound pings) rather than all.
[0:0] -A INPUT -p icmp -j DROP
# Further impossible flag combinations: FIN+PSH+URG only, SYN+RST, FIN+SYN.
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
[0:0] -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
# Every bare SYN is handed to SYN_FLOOD (defined at the end of the table),
# which rate-limits new connections globally, not per source address.
[46:2380] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYN_FLOOD
# NOTE(review): "not ppp0" and "not eth0" together cover every interface, so
# these two rules amount to an unconditional drop of NetBIOS (UDP 137-139).
# Presumably only one of the two negations was intended (e.g. drop NetBIOS
# arriving from the external interface) — confirm which one.
[895:78725] -A INPUT ! -i ppp0 -p udp -m udp --dport 137:139 -j DROP
[0:0] -A INPUT ! -i eth0 -p udp -m udp --dport 137:139 -j DROP
# Per-source (/32) concurrent-connection caps per service port. These are the
# only per-port limits that are actually effective, see the note below.
[0:0] -A INPUT -p tcp -m tcp --dport 21 -m connlimit --connlimit-above 20 --connlimit-mask 32 -j DROP
[0:0] -A INPUT -p tcp -m tcp --dport 80 -m connlimit --connlimit-above 30 --connlimit-mask 32 -j DROP
[0:0] -A INPUT -p tcp -m tcp --dport 443 -m connlimit --connlimit-above 30 --connlimit-mask 32 -j DROP
[0:0] -A INPUT -p tcp -m tcp --dport 3306 -m connlimit --connlimit-above 50 --connlimit-mask 32 -j DROP
[0:0] -A INPUT -p tcp -m tcp --dport 411 -m connlimit --connlimit-above 40 --connlimit-mask 32 -j DROP
[0:0] -A INPUT -p tcp -m tcp --dport 1209 -m connlimit --connlimit-above 40 --connlimit-mask 32 -j DROP
[0:0] -A INPUT -p tcp -m tcp --dport 1411 -m connlimit --connlimit-above 40 --connlimit-mask 32 -j DROP
[0:0] -A INPUT -p tcp -m tcp --dport 11209 -m connlimit --connlimit-above 40 --connlimit-mask 32 -j DROP
[0:0] -A INPUT -p tcp -m tcp --dport 2710 -m connlimit --connlimit-above 50 --connlimit-mask 32 -j DROP
[0:0] -A INPUT -p tcp -m tcp --dport 27025 -m connlimit --connlimit-above 15 --connlimit-mask 32 -j DROP
[0:0] -A INPUT -p tcp -m tcp --dport 27015 -m connlimit --connlimit-above 15 --connlimit-mask 32 -j DROP
# Per-port pairs: RELATED,ESTABLISHED accept (unreachable, see the blanket
# accept above) and a rate-limited accept for NEW connections.
# NOTE(review): the rate limits here have no effect. A NEW packet that exceeds
# the limit does not match this rule and falls through to the unconditional
# "--dport N -j ACCEPT" rules at the end of the chain, where it is accepted
# anyway. If limiting is intended, those trailing accepts need to go (or
# become DROPs); if it is not, these limit rules are dead weight.
[0:0] -A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -m limit --limit 10/sec --limit-burst 10 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 20/sec --limit-burst 20 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 20/sec --limit-burst 20 -j ACCEPT
# NOTE(review): MySQL (3306) is accepted from any source address. Confirm it
# must be reachable from the whole internet; restricting the source (-s) to
# the hosts that need it would shrink the exposed surface considerably.
[0:0] -A INPUT -p tcp -m tcp --dport 3306 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 3306 -m conntrack --ctstate NEW -m limit --limit 30/sec --limit-burst 30 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 411 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[12:620] -A INPUT -p tcp -m tcp --dport 411 -m conntrack --ctstate NEW -m limit --limit 20/sec --limit-burst 20 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 1209 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 1209 -m conntrack --ctstate NEW -m limit --limit 20/sec --limit-burst 20 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 1411 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 1411 -m conntrack --ctstate NEW -m limit --limit 20/sec --limit-burst 20 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 11209 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 11209 -m conntrack --ctstate NEW -m limit --limit 20/sec --limit-burst 20 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 2710 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[21:1072] -A INPUT -p tcp -m tcp --dport 2710 -m conntrack --ctstate NEW -m limit --limit 30/sec --limit-burst 30 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 27025 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 27025 -m conntrack --ctstate NEW -m limit --limit 10/sec --limit-burst 10 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 27015 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 27015 -m conntrack --ctstate NEW -m limit --limit 10/sec --limit-burst 10 -j ACCEPT
# Unconditional accepts for the same ports. Anything that reaches this point
# on these ports is accepted regardless of state or rate, which is what makes
# the limit rules above ineffective. Only packets on other ports, or caught by
# a DROP above, reach the chain's DROP policy.
[0:0] -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 411 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 1209 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 1411 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 11209 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 2710 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 27025 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 27015 -j ACCEPT
# No forwarding: policy DROP, the INVALID rule is the only entry.
[0:0] -A FORWARD -m state --state INVALID -j DROP
# OUTPUT: loopback, then ALL new connections, then RELATED,ESTABLISHED.
# NOTE(review): the "--state NEW -j ACCEPT" rule lets every outbound
# connection through, so the DROP policy only bites packets that are neither
# NEW nor RELATED/ESTABLISHED. The port- and interface-specific OUTPUT rules
# below are therefore unreachable for normal traffic (all counters 0:0); if
# egress filtering is the goal, this rule is the one to remove.
[173:46397] -A OUTPUT -o lo -j ACCEPT
[11:959] -A OUTPUT -m state --state NEW -j ACCEPT
[9283:951508] -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT
[0:0] -A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
[0:0] -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
[0:0] -A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT
[0:0] -A OUTPUT -p tcp -m tcp --dport 411 -j ACCEPT
[0:0] -A OUTPUT -p tcp -m tcp --dport 1209 -j ACCEPT
[0:0] -A OUTPUT -p tcp -m tcp --dport 1411 -j ACCEPT
[0:0] -A OUTPUT -p tcp -m tcp --dport 11209 -j ACCEPT
[0:0] -A OUTPUT -p tcp -m tcp --dport 2710 -j ACCEPT
[0:0] -A OUTPUT -p tcp -m tcp --dport 27025 -j ACCEPT
[0:0] -A OUTPUT -p tcp -m tcp --dport 27015 -j ACCEPT
# Outbound DNS per interface (also shadowed by the NEW accept above).
[0:0] -A OUTPUT -o ppp0 -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A OUTPUT -o ppp0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
# SYN_FLOOD: up to 2 SYN/sec (burst 6) are returned to INPUT for normal
# processing; the rest are dropped. The limit is a single global bucket with
# no per-source key, so under a real flood legitimate new connections are
# dropped along with the flood. NOTE(review): a per-source limit (hashlimit)
# or a SYN-cookie based approach would degrade more gracefully — confirm the
# intent before changing it.
[46:2380] -A SYN_FLOOD -m limit --limit 2/sec --limit-burst 6 -j RETURN
[0:0] -A SYN_FLOOD -j DROP
COMMIT
# Completed on Thu Oct 6 09:55:06 2011
sergius@server:~$