[Firehol-support] Errors when running firehol

Jason Miller jason at milr.com
Fri Jan 23 23:09:44 CET 2015


I got a lot of errors the first time I tried running firehol 2.0:

Errors are below; I've attached the output of firehol debug.



--------------------------------------------------------------------------------
ERROR   : # 1.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 14 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_internet_ftp_c5 -m conntrack --ctstate ESTABLISHED\,RELATED -m helper --helper ftp -j ACCEPT 
OUTPUT  : 

iptables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR   : # 2.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 14 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_internet_ftp_c5 -m conntrack --ctstate ESTABLISHED\,RELATED -m helper --helper ftp -j ACCEPT 
OUTPUT  : 

iptables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR   : # 3.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 14 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_internet_irc_c6 -m conntrack --ctstate ESTABLISHED\,RELATED -m helper --helper irc -j ACCEPT 
OUTPUT  : 

iptables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR   : # 4.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 14 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_internet_irc_c6 -m conntrack --ctstate ESTABLISHED\,RELATED -m helper --helper irc -j ACCEPT 
OUTPUT  : 

iptables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR   : # 5.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 16 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_internet -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=IN-internet: 
OUTPUT  : 

iptables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR   : # 6.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 16 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_internet -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=OUT-internet: 
OUTPUT  : 

iptables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR   : # 7.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 20 of /etc/firehol/firehol.conf
COMMAND : /sbin/ip6tables -t filter -A out_inet_ftp_c5 -m conntrack --ctstate ESTABLISHED\,RELATED -m helper --helper ftp -j ACCEPT 
OUTPUT  : 

ip6tables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR   : # 8.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 20 of /etc/firehol/firehol.conf
COMMAND : /sbin/ip6tables -t filter -A in_inet_ftp_c5 -m conntrack --ctstate ESTABLISHED\,RELATED -m helper --helper ftp -j ACCEPT 
OUTPUT  : 

ip6tables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR   : # 9.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 20 of /etc/firehol/firehol.conf
COMMAND : /sbin/ip6tables -t filter -A out_inet_irc_c6 -m conntrack --ctstate ESTABLISHED\,RELATED -m helper --helper irc -j ACCEPT 
OUTPUT  : 

ip6tables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR   : # 10.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 20 of /etc/firehol/firehol.conf
COMMAND : /sbin/ip6tables -t filter -A in_inet_irc_c6 -m conntrack --ctstate ESTABLISHED\,RELATED -m helper --helper irc -j ACCEPT 
OUTPUT  : 

ip6tables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR   : # 11.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 22 of /etc/firehol/firehol.conf
COMMAND : /sbin/ip6tables -t filter -A in_inet -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=IN-inet: 
OUTPUT  : 

ip6tables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR   : # 12.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 22 of /etc/firehol/firehol.conf
COMMAND : /sbin/ip6tables -t filter -A out_inet -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=OUT-inet: 
OUTPUT  : 

ip6tables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR   : # 13.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 24 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_l2i4_ftp_s2 -m conntrack --ctstate ESTABLISHED\,RELATED -m helper --helper ftp -j ACCEPT 
OUTPUT  : 

iptables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR   : # 14.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 24 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_l2i4_ftp_s2 -m conntrack --ctstate ESTABLISHED\,RELATED -m helper --helper ftp -j ACCEPT 
OUTPUT  : 

iptables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR   : # 15.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 24 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_l2i4_irc_s3 -m conntrack --ctstate ESTABLISHED\,RELATED -m helper --helper irc -j ACCEPT 
OUTPUT  : 

iptables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR   : # 16.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 24 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_l2i4_irc_s3 -m conntrack --ctstate ESTABLISHED\,RELATED -m helper --helper irc -j ACCEPT 
OUTPUT  : 

iptables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR   : # 17.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 28 of /etc/firehol/firehol.conf
COMMAND : /sbin/ip6tables -t filter -A in_l2i6_ftp_s3 -m conntrack --ctstate ESTABLISHED\,RELATED -m helper --helper ftp -j ACCEPT 
OUTPUT  : 

ip6tables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR   : # 18.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 28 of /etc/firehol/firehol.conf
COMMAND : /sbin/ip6tables -t filter -A out_l2i6_ftp_s3 -m conntrack --ctstate ESTABLISHED\,RELATED -m helper --helper ftp -j ACCEPT 
OUTPUT  : 

ip6tables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR   : # 19.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 28 of /etc/firehol/firehol.conf
COMMAND : /sbin/ip6tables -t filter -A in_l2i6_irc_s4 -m conntrack --ctstate ESTABLISHED\,RELATED -m helper --helper irc -j ACCEPT 
OUTPUT  : 

ip6tables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR   : # 20.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 28 of /etc/firehol/firehol.conf
COMMAND : /sbin/ip6tables -t filter -A out_l2i6_irc_s4 -m conntrack --ctstate ESTABLISHED\,RELATED -m helper --helper irc -j ACCEPT 
OUTPUT  : 

ip6tables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR   : # 21.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/ip6tables -t filter -A INPUT -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=IN-unknown: 
OUTPUT  : 

ip6tables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR   : # 22.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/ip6tables -t filter -A OUTPUT -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=OUT-unknown: 
OUTPUT  : 

ip6tables: No chain/target/match by that name.



--------------------------------------------------------------------------------
ERROR   : # 23.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/ip6tables -t filter -A FORWARD -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=PASS-unknown: 
OUTPUT  : 

ip6tables: No chain/target/match by that name.

-------------- next part --------------
FireHOL: Saving your old firewall to a temporary file: OK
FireHOL: Processing file /etc/firehol/firehol.conf: OK


# === CONFIGURATION STATEMENT =================================================
# CONF:  1>>>	version 6 



# === CONFIGURATION STATEMENT =================================================
# CONF:  7>>>	interface br0 en3ps0 


# INFO>>> Creating chain 'in_en3ps0' under 'INPUT' in table 'filter'
/sbin/iptables -t filter -P INPUT ACCEPT 
/sbin/iptables -t filter -P OUTPUT ACCEPT 
/sbin/iptables -t filter -P FORWARD ACCEPT 
/sbin/iptables -A INPUT -i lo -j ACCEPT 
/sbin/iptables -A OUTPUT -o lo -j ACCEPT 
/sbin/iptables -t filter -N in_en3ps0 
/sbin/ip6tables -t filter -P INPUT ACCEPT 
/sbin/ip6tables -t filter -P OUTPUT ACCEPT 
/sbin/ip6tables -t filter -P FORWARD ACCEPT 
/sbin/ip6tables -A INPUT -i lo -j ACCEPT 
/sbin/ip6tables -A OUTPUT -o lo -j ACCEPT 
/sbin/ip6tables -t filter -N in_en3ps0 
/sbin/iptables -t filter -A INPUT -i br0 -j in_en3ps0 
/sbin/ip6tables -t filter -A INPUT -i br0 -j in_en3ps0 

# INFO>>> Creating chain 'out_en3ps0' under 'OUTPUT' in table 'filter'
/sbin/iptables -t filter -N out_en3ps0 
/sbin/ip6tables -t filter -N out_en3ps0 
/sbin/iptables -t filter -A OUTPUT -o br0 -j out_en3ps0 
/sbin/ip6tables -t filter -A OUTPUT -o br0 -j out_en3ps0 


# === CONFIGURATION STATEMENT =================================================
# CONF:  8>>>		policy accept 


# INFO>>> Setting policy of en3ps0 to accept


# === CONFIGURATION STATEMENT =================================================
# CONF: 10>>>	interface en2ps0 internet src not unroutable_ips\(\) 


# INFO>>> Finilizing interface 'en3ps0'
/sbin/iptables -t filter -A in_en3ps0 -m conntrack --ctstate RELATED -j ACCEPT 
/sbin/ip6tables -t filter -A in_en3ps0 -m conntrack --ctstate RELATED -j ACCEPT 
/sbin/iptables -t filter -A out_en3ps0 -m conntrack --ctstate RELATED -j ACCEPT 
/sbin/ip6tables -t filter -A out_en3ps0 -m conntrack --ctstate RELATED -j ACCEPT 
/sbin/iptables -t filter -A in_en3ps0 -j ACCEPT 
/sbin/ip6tables -t filter -A in_en3ps0 -j ACCEPT 
/sbin/iptables -t filter -A out_en3ps0 -j ACCEPT 
/sbin/ip6tables -t filter -A out_en3ps0 -j ACCEPT 

# INFO>>> Creating chain 'in_internet' under 'INPUT' in table 'filter'
/sbin/iptables -t filter -N in_internet 
/sbin/iptables -t filter -A in_internet -s 0.0.0.0/8 -j RETURN 
/sbin/iptables -t filter -A in_internet -s 127.0.0.0/8 -j RETURN 
/sbin/iptables -t filter -A in_internet -s 240.0.0.0/4 -j RETURN 
/sbin/iptables -t filter -A in_internet -s 10.0.0.0/8 -j RETURN 
/sbin/iptables -t filter -A in_internet -s 169.254.0.0/16 -j RETURN 
/sbin/iptables -t filter -A in_internet -s 172.16.0.0/12 -j RETURN 
/sbin/iptables -t filter -A in_internet -s 192.0.2.0/24 -j RETURN 
/sbin/iptables -t filter -A in_internet -s 192.88.99.0/24 -j RETURN 
/sbin/iptables -t filter -A in_internet -s 192.168.0.0/16 -j RETURN 
/sbin/iptables -t filter -A INPUT -i en2ps0 -j in_internet 

# INFO>>> Creating chain 'out_internet' under 'OUTPUT' in table 'filter'
/sbin/iptables -t filter -N out_internet 
/sbin/iptables -t filter -A out_internet -d 0.0.0.0/8 -j RETURN 
/sbin/iptables -t filter -A out_internet -d 127.0.0.0/8 -j RETURN 
/sbin/iptables -t filter -A out_internet -d 240.0.0.0/4 -j RETURN 
/sbin/iptables -t filter -A out_internet -d 10.0.0.0/8 -j RETURN 
/sbin/iptables -t filter -A out_internet -d 169.254.0.0/16 -j RETURN 
/sbin/iptables -t filter -A out_internet -d 172.16.0.0/12 -j RETURN 
/sbin/iptables -t filter -A out_internet -d 192.0.2.0/24 -j RETURN 
/sbin/iptables -t filter -A out_internet -d 192.88.99.0/24 -j RETURN 
/sbin/iptables -t filter -A out_internet -d 192.168.0.0/16 -j RETURN 
/sbin/iptables -t filter -A OUTPUT -o en2ps0 -j out_internet 


# === CONFIGURATION STATEMENT =================================================
# CONF: 11>>>		server smtps accept 


# INFO>>> Preparing for service 'smtps' of type 'server' under interface 'internet'

# INFO>>> Creating chain 'in_internet_smtps_s1' under 'in_internet' in table 'filter'
/sbin/iptables -t filter -N in_internet_smtps_s1 
/sbin/iptables -t filter -A in_internet -j in_internet_smtps_s1 

# INFO>>> Creating chain 'out_internet_smtps_s1' under 'out_internet' in table 'filter'
/sbin/iptables -t filter -N out_internet_smtps_s1 
/sbin/iptables -t filter -A out_internet -j out_internet_smtps_s1 

# INFO>>> Running simple rules for  server 'smtps'

# INFO>>> Rules for smtps server, with server port(s) 'tcp/465' and client port(s) 'default'
/sbin/iptables -t filter -A in_internet_smtps_s1 -p tcp --sport 1024:65535 --dport 465 -m conntrack --ctstate NEW\,ESTABLISHED -j ACCEPT 
/sbin/iptables -t filter -A out_internet_smtps_s1 -p tcp --sport 465 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT 


# === CONFIGURATION STATEMENT =================================================
# CONF: 12>>>		server https accept 


# INFO>>> Preparing for service 'https' of type 'server' under interface 'internet'

# INFO>>> Creating chain 'in_internet_https_s2' under 'in_internet' in table 'filter'
/sbin/iptables -t filter -N in_internet_https_s2 
/sbin/iptables -t filter -A in_internet -j in_internet_https_s2 

# INFO>>> Creating chain 'out_internet_https_s2' under 'out_internet' in table 'filter'
/sbin/iptables -t filter -N out_internet_https_s2 
/sbin/iptables -t filter -A out_internet -j out_internet_https_s2 

# INFO>>> Running simple rules for  server 'https'

# INFO>>> Rules for https server, with server port(s) 'tcp/443' and client port(s) 'default'
/sbin/iptables -t filter -A in_internet_https_s2 -p tcp --sport 1024:65535 --dport 443 -m conntrack --ctstate NEW\,ESTABLISHED -j ACCEPT 
/sbin/iptables -t filter -A out_internet_https_s2 -p tcp --sport 443 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT 


# === CONFIGURATION STATEMENT =================================================
# CONF: 13>>>		server ssh accept 


# INFO>>> Preparing for service 'ssh' of type 'server' under interface 'internet'

# INFO>>> Creating chain 'in_internet_ssh_s3' under 'in_internet' in table 'filter'
/sbin/iptables -t filter -N in_internet_ssh_s3 
/sbin/iptables -t filter -A in_internet -j in_internet_ssh_s3 

# INFO>>> Creating chain 'out_internet_ssh_s3' under 'out_internet' in table 'filter'
/sbin/iptables -t filter -N out_internet_ssh_s3 
/sbin/iptables -t filter -A out_internet -j out_internet_ssh_s3 

# INFO>>> Running simple rules for  server 'ssh'

# INFO>>> Rules for ssh server, with server port(s) 'tcp/22' and client port(s) 'default'
/sbin/iptables -t filter -A in_internet_ssh_s3 -p tcp --sport 1024:65535 --dport 22 -m conntrack --ctstate NEW\,ESTABLISHED -j ACCEPT 
/sbin/iptables -t filter -A out_internet_ssh_s3 -p tcp --sport 22 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT 


# === CONFIGURATION STATEMENT =================================================
# CONF: 14>>>		client all accept 


# INFO>>> Preparing for service 'all' of type 'client' under interface 'internet'

# INFO>>> Creating chain 'in_internet_all_c4' under 'in_internet' in table 'filter'
/sbin/iptables -t filter -N in_internet_all_c4 
/sbin/iptables -t filter -A in_internet -j in_internet_all_c4 

# INFO>>> Creating chain 'out_internet_all_c4' under 'out_internet' in table 'filter'
/sbin/iptables -t filter -N out_internet_all_c4 
/sbin/iptables -t filter -A out_internet -j out_internet_all_c4 

# INFO>>> Running complex rules function rules_all() for client 'all'
/sbin/iptables -t filter -A out_internet_all_c4 -m conntrack --ctstate NEW\,ESTABLISHED -j ACCEPT 
/sbin/iptables -t filter -A in_internet_all_c4 -m conntrack --ctstate ESTABLISHED -j ACCEPT 


# === CONFIGURATION STATEMENT =================================================
# CONF: 14>>>		client ftp accept 


# INFO>>> Preparing for service 'ftp' of type 'client' under interface 'internet'

# INFO>>> Creating chain 'in_internet_ftp_c5' under 'in_internet' in table 'filter'
/sbin/iptables -t filter -N in_internet_ftp_c5 
/sbin/iptables -t filter -A in_internet -j in_internet_ftp_c5 

# INFO>>> Creating chain 'out_internet_ftp_c5' under 'out_internet' in table 'filter'
/sbin/iptables -t filter -N out_internet_ftp_c5 
/sbin/iptables -t filter -A out_internet -j out_internet_ftp_c5 

# INFO>>> Adding kernel module 'nf_conntrack_ftp' in the list of kernel modules to load

# INFO>>> Running simple rules for  client 'ftp'

# INFO>>> Rules for ftp client, with server port(s) 'tcp/21' and client port(s) 'default'
/sbin/iptables -t filter -A out_internet_ftp_c5 -p tcp --sport 32768:61000 --dport 21 -m conntrack --ctstate NEW\,ESTABLISHED -j ACCEPT 
/sbin/iptables -t filter -A in_internet_ftp_c5 -p tcp --sport 21 --dport 32768:61000 -m conntrack --ctstate ESTABLISHED -j ACCEPT 

# INFO>>> Rules for ftp client, with helper 'ftp'
/sbin/iptables -t filter -A out_internet_ftp_c5 -m conntrack --ctstate ESTABLISHED\,RELATED -m helper --helper ftp -j ACCEPT 
/sbin/iptables -t filter -A in_internet_ftp_c5 -m conntrack --ctstate ESTABLISHED\,RELATED -m helper --helper ftp -j ACCEPT 


# === CONFIGURATION STATEMENT =================================================
# CONF: 14>>>		client irc accept 


# INFO>>> Preparing for service 'irc' of type 'client' under interface 'internet'

# INFO>>> Creating chain 'in_internet_irc_c6' under 'in_internet' in table 'filter'
/sbin/iptables -t filter -N in_internet_irc_c6 
/sbin/iptables -t filter -A in_internet -j in_internet_irc_c6 

# INFO>>> Creating chain 'out_internet_irc_c6' under 'out_internet' in table 'filter'
/sbin/iptables -t filter -N out_internet_irc_c6 
/sbin/iptables -t filter -A out_internet -j out_internet_irc_c6 

# INFO>>> Adding kernel module 'nf_conntrack_irc' in the list of kernel modules to load

# INFO>>> Running simple rules for  client 'irc'

# INFO>>> Rules for irc client, with server port(s) 'tcp/6667' and client port(s) 'default'
/sbin/iptables -t filter -A out_internet_irc_c6 -p tcp --sport 32768:61000 --dport 6667 -m conntrack --ctstate NEW\,ESTABLISHED -j ACCEPT 
/sbin/iptables -t filter -A in_internet_irc_c6 -p tcp --sport 6667 --dport 32768:61000 -m conntrack --ctstate ESTABLISHED -j ACCEPT 

# INFO>>> Rules for irc client, with helper 'irc'
/sbin/iptables -t filter -A out_internet_irc_c6 -m conntrack --ctstate ESTABLISHED\,RELATED -m helper --helper irc -j ACCEPT 
/sbin/iptables -t filter -A in_internet_irc_c6 -m conntrack --ctstate ESTABLISHED\,RELATED -m helper --helper irc -j ACCEPT 


# === CONFIGURATION STATEMENT =================================================
# CONF: 16>>>	interface WAN6 inet src not unroutable_ips\(\) 


# INFO>>> Finilizing interface 'internet'
/sbin/iptables -t filter -A in_internet -m conntrack --ctstate RELATED -j ACCEPT 
/sbin/iptables -t filter -A out_internet -m conntrack --ctstate RELATED -j ACCEPT 
/sbin/iptables -t filter -A in_internet -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=IN-internet: 
/sbin/iptables -t filter -A in_internet -j DROP 
/sbin/iptables -t filter -A out_internet -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=OUT-internet: 
/sbin/iptables -t filter -A out_internet -j DROP 

# INFO>>> Creating chain 'in_inet' under 'INPUT' in table 'filter'
/sbin/ip6tables -t filter -N in_inet 
/sbin/ip6tables -t filter -A in_inet -s ::/8 -j RETURN 
/sbin/ip6tables -t filter -A in_inet -s 0100::/8 -j RETURN 
/sbin/ip6tables -t filter -A in_inet -s 0200::/7 -j RETURN 
/sbin/ip6tables -t filter -A in_inet -s 0400::/6 -j RETURN 
/sbin/ip6tables -t filter -A in_inet -s 0800::/5 -j RETURN 
/sbin/ip6tables -t filter -A in_inet -s 1000::/4 -j RETURN 
/sbin/ip6tables -t filter -A in_inet -s 4000::/3 -j RETURN 
/sbin/ip6tables -t filter -A in_inet -s 6000::/3 -j RETURN 
/sbin/ip6tables -t filter -A in_inet -s 8000::/3 -j RETURN 
/sbin/ip6tables -t filter -A in_inet -s A000::/3 -j RETURN 
/sbin/ip6tables -t filter -A in_inet -s C000::/3 -j RETURN 
/sbin/ip6tables -t filter -A in_inet -s E000::/4 -j RETURN 
/sbin/ip6tables -t filter -A in_inet -s F000::/5 -j RETURN 
/sbin/ip6tables -t filter -A in_inet -s F800::/6 -j RETURN 
/sbin/ip6tables -t filter -A in_inet -s FE00::/9 -j RETURN 
/sbin/ip6tables -t filter -A in_inet -s FEC0::/10 -j RETURN 
/sbin/ip6tables -t filter -A in_inet -s FC00::/7 -j RETURN 
/sbin/ip6tables -t filter -A in_inet -s FE80::/10 -j RETURN 
/sbin/ip6tables -t filter -A INPUT -i WAN6 -j in_inet 

# INFO>>> Creating chain 'out_inet' under 'OUTPUT' in table 'filter'
/sbin/ip6tables -t filter -N out_inet 
/sbin/ip6tables -t filter -A out_inet -d ::/8 -j RETURN 
/sbin/ip6tables -t filter -A out_inet -d 0100::/8 -j RETURN 
/sbin/ip6tables -t filter -A out_inet -d 0200::/7 -j RETURN 
/sbin/ip6tables -t filter -A out_inet -d 0400::/6 -j RETURN 
/sbin/ip6tables -t filter -A out_inet -d 0800::/5 -j RETURN 
/sbin/ip6tables -t filter -A out_inet -d 1000::/4 -j RETURN 
/sbin/ip6tables -t filter -A out_inet -d 4000::/3 -j RETURN 
/sbin/ip6tables -t filter -A out_inet -d 6000::/3 -j RETURN 
/sbin/ip6tables -t filter -A out_inet -d 8000::/3 -j RETURN 
/sbin/ip6tables -t filter -A out_inet -d A000::/3 -j RETURN 
/sbin/ip6tables -t filter -A out_inet -d C000::/3 -j RETURN 
/sbin/ip6tables -t filter -A out_inet -d E000::/4 -j RETURN 
/sbin/ip6tables -t filter -A out_inet -d F000::/5 -j RETURN 
/sbin/ip6tables -t filter -A out_inet -d F800::/6 -j RETURN 
/sbin/ip6tables -t filter -A out_inet -d FE00::/9 -j RETURN 
/sbin/ip6tables -t filter -A out_inet -d FEC0::/10 -j RETURN 
/sbin/ip6tables -t filter -A out_inet -d FC00::/7 -j RETURN 
/sbin/ip6tables -t filter -A out_inet -d FE80::/10 -j RETURN 
/sbin/ip6tables -t filter -A OUTPUT -o WAN6 -j out_inet 


# === CONFIGURATION STATEMENT =================================================
# CONF: 17>>>		server smtps accept 


# INFO>>> Preparing for service 'smtps' of type 'server' under interface 'inet'

# INFO>>> Creating chain 'in_inet_smtps_s1' under 'in_inet' in table 'filter'
/sbin/ip6tables -t filter -N in_inet_smtps_s1 
/sbin/ip6tables -t filter -A in_inet -j in_inet_smtps_s1 

# INFO>>> Creating chain 'out_inet_smtps_s1' under 'out_inet' in table 'filter'
/sbin/ip6tables -t filter -N out_inet_smtps_s1 
/sbin/ip6tables -t filter -A out_inet -j out_inet_smtps_s1 

# INFO>>> Running simple rules for  server 'smtps'

# INFO>>> Rules for smtps server, with server port(s) 'tcp/465' and client port(s) 'default'
/sbin/ip6tables -t filter -A in_inet_smtps_s1 -p tcp --sport 1024:65535 --dport 465 -m conntrack --ctstate NEW\,ESTABLISHED -j ACCEPT 
/sbin/ip6tables -t filter -A out_inet_smtps_s1 -p tcp --sport 465 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT 


# === CONFIGURATION STATEMENT =================================================
# CONF: 18>>>		server https accept 


# INFO>>> Preparing for service 'https' of type 'server' under interface 'inet'

# INFO>>> Creating chain 'in_inet_https_s2' under 'in_inet' in table 'filter'
/sbin/ip6tables -t filter -N in_inet_https_s2 
/sbin/ip6tables -t filter -A in_inet -j in_inet_https_s2 

# INFO>>> Creating chain 'out_inet_https_s2' under 'out_inet' in table 'filter'
/sbin/ip6tables -t filter -N out_inet_https_s2 
/sbin/ip6tables -t filter -A out_inet -j out_inet_https_s2 

# INFO>>> Running simple rules for  server 'https'

# INFO>>> Rules for https server, with server port(s) 'tcp/443' and client port(s) 'default'
/sbin/ip6tables -t filter -A in_inet_https_s2 -p tcp --sport 1024:65535 --dport 443 -m conntrack --ctstate NEW\,ESTABLISHED -j ACCEPT 
/sbin/ip6tables -t filter -A out_inet_https_s2 -p tcp --sport 443 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT 


# === CONFIGURATION STATEMENT =================================================
# CONF: 19>>>		server ssh accept 


# INFO>>> Preparing for service 'ssh' of type 'server' under interface 'inet'

# INFO>>> Creating chain 'in_inet_ssh_s3' under 'in_inet' in table 'filter'
/sbin/ip6tables -t filter -N in_inet_ssh_s3 
/sbin/ip6tables -t filter -A in_inet -j in_inet_ssh_s3 

# INFO>>> Creating chain 'out_inet_ssh_s3' under 'out_inet' in table 'filter'
/sbin/ip6tables -t filter -N out_inet_ssh_s3 
/sbin/ip6tables -t filter -A out_inet -j out_inet_ssh_s3 

# INFO>>> Running simple rules for  server 'ssh'

# INFO>>> Rules for ssh server, with server port(s) 'tcp/22' and client port(s) 'default'
/sbin/ip6tables -t filter -A in_inet_ssh_s3 -p tcp --sport 1024:65535 --dport 22 -m conntrack --ctstate NEW\,ESTABLISHED -j ACCEPT 
/sbin/ip6tables -t filter -A out_inet_ssh_s3 -p tcp --sport 22 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT 


# === CONFIGURATION STATEMENT =================================================
# CONF: 20>>>		client all accept 


# INFO>>> Preparing for service 'all' of type 'client' under interface 'inet'

# INFO>>> Creating chain 'in_inet_all_c4' under 'in_inet' in table 'filter'
/sbin/ip6tables -t filter -N in_inet_all_c4 
/sbin/ip6tables -t filter -A in_inet -j in_inet_all_c4 

# INFO>>> Creating chain 'out_inet_all_c4' under 'out_inet' in table 'filter'
/sbin/ip6tables -t filter -N out_inet_all_c4 
/sbin/ip6tables -t filter -A out_inet -j out_inet_all_c4 

# INFO>>> Running complex rules function rules_all() for client 'all'
/sbin/ip6tables -t filter -A out_inet_all_c4 -m conntrack --ctstate NEW\,ESTABLISHED -j ACCEPT 
/sbin/ip6tables -t filter -A in_inet_all_c4 -m conntrack --ctstate ESTABLISHED -j ACCEPT 


# === CONFIGURATION STATEMENT =================================================
# CONF: 20>>>		client ftp accept 


# INFO>>> Preparing for service 'ftp' of type 'client' under interface 'inet'

# INFO>>> Creating chain 'in_inet_ftp_c5' under 'in_inet' in table 'filter'
/sbin/ip6tables -t filter -N in_inet_ftp_c5 
/sbin/ip6tables -t filter -A in_inet -j in_inet_ftp_c5 

# INFO>>> Creating chain 'out_inet_ftp_c5' under 'out_inet' in table 'filter'
/sbin/ip6tables -t filter -N out_inet_ftp_c5 
/sbin/ip6tables -t filter -A out_inet -j out_inet_ftp_c5 

# INFO>>> Running simple rules for  client 'ftp'

# INFO>>> Rules for ftp client, with server port(s) 'tcp/21' and client port(s) 'default'
/sbin/ip6tables -t filter -A out_inet_ftp_c5 -p tcp --sport 32768:61000 --dport 21 -m conntrack --ctstate NEW\,ESTABLISHED -j ACCEPT 
/sbin/ip6tables -t filter -A in_inet_ftp_c5 -p tcp --sport 21 --dport 32768:61000 -m conntrack --ctstate ESTABLISHED -j ACCEPT 

# INFO>>> Rules for ftp client, with helper 'ftp'
/sbin/ip6tables -t filter -A out_inet_ftp_c5 -m conntrack --ctstate ESTABLISHED\,RELATED -m helper --helper ftp -j ACCEPT 
/sbin/ip6tables -t filter -A in_inet_ftp_c5 -m conntrack --ctstate ESTABLISHED\,RELATED -m helper --helper ftp -j ACCEPT 


# === CONFIGURATION STATEMENT =================================================
# CONF: 20>>>		client irc accept 


# INFO>>> Preparing for service 'irc' of type 'client' under interface 'inet'

# INFO>>> Creating chain 'in_inet_irc_c6' under 'in_inet' in table 'filter'
/sbin/ip6tables -t filter -N in_inet_irc_c6 
/sbin/ip6tables -t filter -A in_inet -j in_inet_irc_c6 

# INFO>>> Creating chain 'out_inet_irc_c6' under 'out_inet' in table 'filter'
/sbin/ip6tables -t filter -N out_inet_irc_c6 
/sbin/ip6tables -t filter -A out_inet -j out_inet_irc_c6 

# INFO>>> Running simple rules for  client 'irc'

# INFO>>> Rules for irc client, with server port(s) 'tcp/6667' and client port(s) 'default'
/sbin/ip6tables -t filter -A out_inet_irc_c6 -p tcp --sport 32768:61000 --dport 6667 -m conntrack --ctstate NEW\,ESTABLISHED -j ACCEPT 
/sbin/ip6tables -t filter -A in_inet_irc_c6 -p tcp --sport 6667 --dport 32768:61000 -m conntrack --ctstate ESTABLISHED -j ACCEPT 

# INFO>>> Rules for irc client, with helper 'irc'
/sbin/ip6tables -t filter -A out_inet_irc_c6 -m conntrack --ctstate ESTABLISHED\,RELATED -m helper --helper irc -j ACCEPT 
/sbin/ip6tables -t filter -A in_inet_irc_c6 -m conntrack --ctstate ESTABLISHED\,RELATED -m helper --helper irc -j ACCEPT 


# === CONFIGURATION STATEMENT =================================================
# CONF: 22>>>	router l2i4 inface en3ps0 outface en2ps0 


# INFO>>> Finilizing interface 'inet'
/sbin/ip6tables -t filter -A in_inet -m conntrack --ctstate RELATED -j ACCEPT 
/sbin/ip6tables -t filter -A out_inet -m conntrack --ctstate RELATED -j ACCEPT 
/sbin/ip6tables -t filter -A in_inet -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=IN-inet: 
/sbin/ip6tables -t filter -A in_inet -j DROP 
/sbin/ip6tables -t filter -A out_inet -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=OUT-inet: 
/sbin/ip6tables -t filter -A out_inet -j DROP 

# INFO>>> Creating chain 'in_l2i4' under 'FORWARD' in table 'filter'
/sbin/iptables -t filter -N in_l2i4 
/sbin/iptables -t filter -A FORWARD -i en3ps0 -o en2ps0 -j in_l2i4 

# INFO>>> Creating chain 'out_l2i4' under 'FORWARD' in table 'filter'
/sbin/iptables -t filter -N out_l2i4 
/sbin/iptables -t filter -A FORWARD -i en2ps0 -o en3ps0 -j out_l2i4 


# === CONFIGURATION STATEMENT =================================================
# CONF: 23>>>	masquerade 


# INFO>>> Initializing masquerade on interface 'en2ps0'
/sbin/iptables -t nat -A POSTROUTING -o en2ps0 -j MASQUERADE 


# === CONFIGURATION STATEMENT =================================================
# CONF: 24>>>		route all accept 


# INFO>>> Preparing for service 'all' of type 'server' under interface 'l2i4'

# INFO>>> Creating chain 'in_l2i4_all_s1' under 'in_l2i4' in table 'filter'
/sbin/iptables -t filter -N in_l2i4_all_s1 
/sbin/iptables -t filter -A in_l2i4 -j in_l2i4_all_s1 

# INFO>>> Creating chain 'out_l2i4_all_s1' under 'out_l2i4' in table 'filter'
/sbin/iptables -t filter -N out_l2i4_all_s1 
/sbin/iptables -t filter -A out_l2i4 -j out_l2i4_all_s1 

# INFO>>> Running complex rules function rules_all() for server 'all'
/sbin/iptables -t filter -A in_l2i4_all_s1 -m conntrack --ctstate NEW\,ESTABLISHED -j ACCEPT 
/sbin/iptables -t filter -A out_l2i4_all_s1 -m conntrack --ctstate ESTABLISHED -j ACCEPT 


# === CONFIGURATION STATEMENT =================================================
# CONF: 24>>>		server ftp accept 


# INFO>>> Preparing for service 'ftp' of type 'server' under interface 'l2i4'

# INFO>>> Creating chain 'in_l2i4_ftp_s2' under 'in_l2i4' in table 'filter'
/sbin/iptables -t filter -N in_l2i4_ftp_s2 
/sbin/iptables -t filter -A in_l2i4 -j in_l2i4_ftp_s2 

# INFO>>> Creating chain 'out_l2i4_ftp_s2' under 'out_l2i4' in table 'filter'
/sbin/iptables -t filter -N out_l2i4_ftp_s2 
/sbin/iptables -t filter -A out_l2i4 -j out_l2i4_ftp_s2 

# INFO>>> Adding kernel module 'nf_nat_ftp' in the list of kernel modules to load

# INFO>>> Running simple rules for  server 'ftp'

# INFO>>> Rules for ftp server, with server port(s) 'tcp/21' and client port(s) 'default'
/sbin/iptables -t filter -A in_l2i4_ftp_s2 -p tcp --sport 1024:65535 --dport 21 -m conntrack --ctstate NEW\,ESTABLISHED -j ACCEPT 
/sbin/iptables -t filter -A out_l2i4_ftp_s2 -p tcp --sport 21 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT 

# INFO>>> Rules for ftp server, with helper 'ftp'
/sbin/iptables -t filter -A in_l2i4_ftp_s2 -m conntrack --ctstate ESTABLISHED\,RELATED -m helper --helper ftp -j ACCEPT 
/sbin/iptables -t filter -A out_l2i4_ftp_s2 -m conntrack --ctstate ESTABLISHED\,RELATED -m helper --helper ftp -j ACCEPT 


# === CONFIGURATION STATEMENT =================================================
# CONF: 24>>>		server irc accept 


# INFO>>> Preparing for service 'irc' of type 'server' under interface 'l2i4'

# INFO>>> Creating chain 'in_l2i4_irc_s3' under 'in_l2i4' in table 'filter'
/sbin/iptables -t filter -N in_l2i4_irc_s3 
/sbin/iptables -t filter -A in_l2i4 -j in_l2i4_irc_s3 

# INFO>>> Creating chain 'out_l2i4_irc_s3' under 'out_l2i4' in table 'filter'
/sbin/iptables -t filter -N out_l2i4_irc_s3 
/sbin/iptables -t filter -A out_l2i4 -j out_l2i4_irc_s3 

# INFO>>> Adding kernel module 'nf_nat_irc' in the list of kernel modules to load

# INFO>>> Running simple rules for  server 'irc'

# INFO>>> Rules for irc server, with server port(s) 'tcp/6667' and client port(s) 'default'
/sbin/iptables -t filter -A in_l2i4_irc_s3 -p tcp --sport 1024:65535 --dport 6667 -m conntrack --ctstate NEW\,ESTABLISHED -j ACCEPT 
/sbin/iptables -t filter -A out_l2i4_irc_s3 -p tcp --sport 6667 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT 

# INFO>>> Rules for irc server, with helper 'irc'
/sbin/iptables -t filter -A in_l2i4_irc_s3 -m conntrack --ctstate ESTABLISHED\,RELATED -m helper --helper irc -j ACCEPT 
/sbin/iptables -t filter -A out_l2i4_irc_s3 -m conntrack --ctstate ESTABLISHED\,RELATED -m helper --helper irc -j ACCEPT 


# === CONFIGURATION STATEMENT =================================================
# CONF: 26>>>	router l2i6 inface en3ps0 outface he6 


# INFO>>> Finilizing router 'l2i4'
/sbin/iptables -t filter -A in_l2i4 -m conntrack --ctstate RELATED -j ACCEPT 
/sbin/iptables -t filter -A out_l2i4 -m conntrack --ctstate RELATED -j ACCEPT 

# INFO>>> Creating chain 'in_l2i6' under 'FORWARD' in table 'filter'
/sbin/ip6tables -t filter -N in_l2i6 
/sbin/ip6tables -t filter -A FORWARD -i en3ps0 -o he6 -j in_l2i6 

# INFO>>> Creating chain 'out_l2i6' under 'FORWARD' in table 'filter'
/sbin/ip6tables -t filter -N out_l2i6 
/sbin/ip6tables -t filter -A FORWARD -i he6 -o en3ps0 -j out_l2i6 


# === CONFIGURATION STATEMENT =================================================
# CONF: 27>>>		server ipv6error accept 


# INFO>>> Preparing for service 'ipv6error' of type 'server' under interface 'l2i6'

# INFO>>> Creating chain 'in_l2i6_ipv6error_s1' under 'in_l2i6' in table 'filter'
/sbin/ip6tables -t filter -N in_l2i6_ipv6error_s1 
/sbin/ip6tables -t filter -A in_l2i6 -j in_l2i6_ipv6error_s1 

# INFO>>> Creating chain 'out_l2i6_ipv6error_s1' under 'out_l2i6' in table 'filter'
/sbin/ip6tables -t filter -N out_l2i6_ipv6error_s1 
/sbin/ip6tables -t filter -A out_l2i6 -j out_l2i6_ipv6error_s1 

# INFO>>> Running complex rules function rules_ipv6error() for server 'ipv6error'
/sbin/ip6tables -t filter -A in_l2i6_ipv6error_s1 -p icmpv6 -m conntrack --ctstate ESTABLISHED\,RELATED --icmpv6-type destination-unreachable -j ACCEPT 
/sbin/ip6tables -t filter -A out_l2i6_ipv6error_s1 -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT 
/sbin/ip6tables -t filter -A in_l2i6_ipv6error_s1 -p icmpv6 -m conntrack --ctstate ESTABLISHED\,RELATED --icmpv6-type packet-too-big -j ACCEPT 
/sbin/ip6tables -t filter -A out_l2i6_ipv6error_s1 -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT 
/sbin/ip6tables -t filter -A in_l2i6_ipv6error_s1 -p icmpv6 -m conntrack --ctstate ESTABLISHED\,RELATED --icmpv6-type ttl-zero-during-transit -j ACCEPT 
/sbin/ip6tables -t filter -A out_l2i6_ipv6error_s1 -p icmpv6 --icmpv6-type ttl-zero-during-transit -j ACCEPT 
/sbin/ip6tables -t filter -A in_l2i6_ipv6error_s1 -p icmpv6 -m conntrack --ctstate ESTABLISHED\,RELATED --icmpv6-type ttl-zero-during-reassembly -j ACCEPT 
/sbin/ip6tables -t filter -A out_l2i6_ipv6error_s1 -p icmpv6 --icmpv6-type ttl-zero-during-reassembly -j ACCEPT 
/sbin/ip6tables -t filter -A in_l2i6_ipv6error_s1 -p icmpv6 -m conntrack --ctstate ESTABLISHED\,RELATED --icmpv6-type unknown-header-type -j ACCEPT 
/sbin/ip6tables -t filter -A out_l2i6_ipv6error_s1 -p icmpv6 --icmpv6-type unknown-header-type -j ACCEPT 
/sbin/ip6tables -t filter -A in_l2i6_ipv6error_s1 -p icmpv6 -m conntrack --ctstate ESTABLISHED\,RELATED --icmpv6-type unknown-option -j ACCEPT 
/sbin/ip6tables -t filter -A out_l2i6_ipv6error_s1 -p icmpv6 --icmpv6-type unknown-option -j ACCEPT 


# === CONFIGURATION STATEMENT =================================================
# CONF: 28>>>		route all accept 


# INFO>>> Preparing for service 'all' of type 'server' under interface 'l2i6'

# INFO>>> Creating chain 'in_l2i6_all_s2' under 'in_l2i6' in table 'filter'
/sbin/ip6tables -t filter -N in_l2i6_all_s2 
/sbin/ip6tables -t filter -A in_l2i6 -j in_l2i6_all_s2 

# INFO>>> Creating chain 'out_l2i6_all_s2' under 'out_l2i6' in table 'filter'
/sbin/ip6tables -t filter -N out_l2i6_all_s2 
/sbin/ip6tables -t filter -A out_l2i6 -j out_l2i6_all_s2 

# INFO>>> Running complex rules function rules_all() for server 'all'
/sbin/ip6tables -t filter -A in_l2i6_all_s2 -m conntrack --ctstate NEW\,ESTABLISHED -j ACCEPT 
/sbin/ip6tables -t filter -A out_l2i6_all_s2 -m conntrack --ctstate ESTABLISHED -j ACCEPT 


# === CONFIGURATION STATEMENT =================================================
# CONF: 28>>>		server ftp accept 


# INFO>>> Preparing for service 'ftp' of type 'server' under interface 'l2i6'

# INFO>>> Creating chain 'in_l2i6_ftp_s3' under 'in_l2i6' in table 'filter'
/sbin/ip6tables -t filter -N in_l2i6_ftp_s3 
/sbin/ip6tables -t filter -A in_l2i6 -j in_l2i6_ftp_s3 

# INFO>>> Creating chain 'out_l2i6_ftp_s3' under 'out_l2i6' in table 'filter'
/sbin/ip6tables -t filter -N out_l2i6_ftp_s3 
/sbin/ip6tables -t filter -A out_l2i6 -j out_l2i6_ftp_s3 

# INFO>>> Running simple rules for  server 'ftp'

# INFO>>> Rules for ftp server, with server port(s) 'tcp/21' and client port(s) 'default'
/sbin/ip6tables -t filter -A in_l2i6_ftp_s3 -p tcp --sport 1024:65535 --dport 21 -m conntrack --ctstate NEW\,ESTABLISHED -j ACCEPT 
/sbin/ip6tables -t filter -A out_l2i6_ftp_s3 -p tcp --sport 21 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT 

# INFO>>> Rules for ftp server, with helper 'ftp'
/sbin/ip6tables -t filter -A in_l2i6_ftp_s3 -m conntrack --ctstate ESTABLISHED\,RELATED -m helper --helper ftp -j ACCEPT 
/sbin/ip6tables -t filter -A out_l2i6_ftp_s3 -m conntrack --ctstate ESTABLISHED\,RELATED -m helper --helper ftp -j ACCEPT 


# === CONFIGURATION STATEMENT =================================================
# CONF: 28>>>		server irc accept 


# INFO>>> Preparing for service 'irc' of type 'server' under interface 'l2i6'

# INFO>>> Creating chain 'in_l2i6_irc_s4' under 'in_l2i6' in table 'filter'
/sbin/ip6tables -t filter -N in_l2i6_irc_s4 
/sbin/ip6tables -t filter -A in_l2i6 -j in_l2i6_irc_s4 

# INFO>>> Creating chain 'out_l2i6_irc_s4' under 'out_l2i6' in table 'filter'
/sbin/ip6tables -t filter -N out_l2i6_irc_s4 
/sbin/ip6tables -t filter -A out_l2i6 -j out_l2i6_irc_s4 

# INFO>>> Running simple rules for  server 'irc'

# INFO>>> Rules for irc server, with server port(s) 'tcp/6667' and client port(s) 'default'
/sbin/ip6tables -t filter -A in_l2i6_irc_s4 -p tcp --sport 1024:65535 --dport 6667 -m conntrack --ctstate NEW\,ESTABLISHED -j ACCEPT 
/sbin/ip6tables -t filter -A out_l2i6_irc_s4 -p tcp --sport 6667 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT 

# INFO>>> Rules for irc server, with helper 'irc'
/sbin/ip6tables -t filter -A in_l2i6_irc_s4 -m conntrack --ctstate ESTABLISHED\,RELATED -m helper --helper irc -j ACCEPT 
/sbin/ip6tables -t filter -A out_l2i6_irc_s4 -m conntrack --ctstate ESTABLISHED\,RELATED -m helper --helper irc -j ACCEPT 

# INFO>>> Finilizing router 'l2i6'
/sbin/ip6tables -t filter -A in_l2i6 -m conntrack --ctstate RELATED -j ACCEPT 
/sbin/ip6tables -t filter -A out_l2i6 -m conntrack --ctstate RELATED -j ACCEPT 

# INFO>>> Finilizing firewall policies
/sbin/ip6tables -t filter -A INPUT -m conntrack --ctstate RELATED -j ACCEPT 
/sbin/ip6tables -t filter -A OUTPUT -m conntrack --ctstate RELATED -j ACCEPT 
/sbin/ip6tables -t filter -A FORWARD -m conntrack --ctstate RELATED -j ACCEPT 
/sbin/ip6tables -t filter -A INPUT -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=IN-unknown: 
/sbin/ip6tables -t filter -A INPUT -j DROP 
/sbin/ip6tables -t filter -A OUTPUT -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=OUT-unknown: 
/sbin/ip6tables -t filter -A OUTPUT -j DROP 
/sbin/ip6tables -t filter -A FORWARD -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=PASS-unknown: 
/sbin/ip6tables -t filter -A FORWARD -j DROP 

