# Generated by iptables-save v1.4.3.2 on Sat May 2 03:38:55 2009
#
# Reformatted one rule per line (the dump had been collapsed onto a few
# long lines). Only '#' comment lines were added; every rule is unchanged.
# Interface naming used throughout: eth0.1 is the interface the *_wan
# chains are attached to, br-lan the LAN bridge.
*nat
:PREROUTING ACCEPT [4:771]
:POSTROUTING ACCEPT [38:2729]
:OUTPUT ACCEPT [41:2981]
:NEW - [0:0]
:postrouting_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan - [0:0]
# New TCP connections pass through the NEW chain before any NAT rule.
-A PREROUTING -p tcp -m state --state NEW -j NEW
-A PREROUTING -j prerouting_rule
# prerouting_wan is declared but holds no rules in this dump.
-A PREROUTING -i eth0.1 -j prerouting_wan
# postrouting_rule runs first; an ACCEPT there ends nat processing, so the
# destinations it accepts never reach the MASQUERADE rule below.
-A POSTROUTING -j postrouting_rule
-A POSTROUTING -s 172.17.17.0/24 -o eth0.1 -j MASQUERADE
# NEW: packets under the limit RETURN; the chain has no further rule, so
# packets over the limit also fall off the end and return to PREROUTING.
# NOTE(review): as written this chain never drops or marks anything — if
# throttling of new connections was intended, a terminal target is missing.
-A NEW -m limit --limit 50/sec --limit-burst 100 -j RETURN
# Private (RFC 1918) destinations leave without being masqueraded.
-A postrouting_rule -d 10.0.0.0/8 -j ACCEPT
-A postrouting_rule -d 172.16.0.0/12 -j ACCEPT
-A postrouting_rule -d 192.168.0.0/16 -j ACCEPT
# Transparent proxy: LAN HTTP (tcp/80) is redirected to local port 3128.
-A prerouting_rule -i br-lan -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
# Records the source of every new connection to tcp/2020 in the 'recent'
# list ATTACKER_SSH. No rule in this dump consults that list (no --rcheck
# or --update), so it is bookkeeping only and blocks nothing. The rule has
# no target, so processing continues to the next rule.
-A prerouting_rule -p tcp -m tcp --dport 2020 -m state --state NEW -m recent --set --name ATTACKER_SSH --rsource
# ACCEPT in the nat table only ends NAT processing (no DNAT/REDIRECT for
# tcp/2020); whether the packet is allowed in is decided in *filter.
-A prerouting_rule -p tcp -m tcp --dport 2020 -j ACCEPT
# Port forward: tcp/2080 arriving on eth0.1 goes to 172.17.17.250. The
# matching ACCEPT is in filter/forwarding_rule.
-A prerouting_rule -i eth0.1 -p tcp -m tcp --dport 2080 -j DNAT --to-destination 172.17.17.250
COMMIT
# Completed on Sat May 2 03:38:55 2009
# Generated by iptables-save v1.4.3.2 on Sat May 2 03:38:55 2009
# raw table: no rules, default policies only.
*raw
:PREROUTING ACCEPT [370:31230]
:OUTPUT ACCEPT [326:44408]
COMMIT
# Completed on Sat May 2 03:38:55 2009
# Generated by iptables-save v1.4.3.2 on Sat May 2 03:38:55 2009
# mangle table: no rules, default policies only.
*mangle
:PREROUTING ACCEPT [376:31470]
:INPUT ACCEPT [369:30660]
:FORWARD ACCEPT [7:810]
:OUTPUT ACCEPT [332:45080]
:POSTROUTING ACCEPT [335:45662]
COMMIT
# Completed on Sat May 2 03:38:55 2009
# Generated by iptables-save v1.4.3.2 on Sat May 2 03:38:55 2009
*filter
# All three built-in chains default to DROP; note that INPUT and OUTPUT
# both end in an unconditional REJECT, so the policy is only a backstop.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LAN_ACCEPT - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan - [0:0]
:input_rule - [0:0]
:input_wan - [0:0]
:output_rule - [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Drop SYN packets that carry no MSS option (TCP option 2).
-A INPUT -p tcp -m tcp ! --tcp-option 2 --tcp-flags SYN SYN -j DROP
# input_rule is consulted for every interface (no -i restriction) and
# before the eth0.1-only input_wan jump; input_wan itself is empty.
-A INPUT -j input_rule
-A INPUT -i eth0.1 -j input_wan
# Everything not arriving on eth0.1 is accepted here (see LAN_ACCEPT).
-A INPUT -j LAN_ACCEPT
# What remains is eth0.1 traffic: allow ICMP and GRE, reject the rest.
-A INPUT -p icmp -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m state --state INVALID -j DROP
# Clamp MSS on forwarded SYNs to the path MTU.
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# forwarding_rule ends in an unconditional DROP (see below), so the three
# FORWARD rules after this jump — the empty forwarding_wan chain and the
# two br-lan ACCEPTs — are never reached. Forwarding is therefore a
# whitelist made up solely of the ACCEPTs inside forwarding_rule.
-A FORWARD -j forwarding_rule
-A FORWARD -i eth0.1 -j forwarding_wan
-A FORWARD -i br-lan -o br-lan -j ACCEPT
-A FORWARD -i br-lan -o eth0.1 -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# output_rule is declared but empty; the unconditional ACCEPT that
# follows makes the two REJECT rules after it unreachable.
-A OUTPUT -j output_rule
-A OUTPUT -j ACCEPT
-A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
# LAN_ACCEPT: return for eth0.1, accept from any other interface.
-A LAN_ACCEPT -i eth0.1 -j RETURN
-A LAN_ACCEPT -j ACCEPT
# Hosts 172.17.17.2-172.17.17.10 are blocked from these destination
# ranges; these DROPs sit before the per-port ACCEPTs for the same hosts
# and so take precedence. 205.188.0.0/16 appears twice; the second entry
# is redundant.
-A forwarding_rule -d 63.135.80.0/20 -i br-lan -m iprange --src-range 172.17.17.2-172.17.17.10 -j DROP
-A forwarding_rule -d 1.0.0.0/8 -i br-lan -m iprange --src-range 172.17.17.2-172.17.17.10 -j DROP
-A forwarding_rule -d 205.188.0.0/16 -i br-lan -m iprange --src-range 172.17.17.2-172.17.17.10 -j DROP
-A forwarding_rule -d 74.125.0.0/16 -i br-lan -m iprange --src-range 172.17.17.2-172.17.17.10 -j DROP
-A forwarding_rule -d 69.147.64.0/18 -i br-lan -m iprange --src-range 172.17.17.2-172.17.17.10 -j DROP
-A forwarding_rule -d 207.68.192.0/20 -i br-lan -m iprange --src-range 172.17.17.2-172.17.17.10 -j DROP
-A forwarding_rule -d 207.68.128.0/18 -i br-lan -m iprange --src-range 172.17.17.2-172.17.17.10 -j DROP
-A forwarding_rule -d 205.188.0.0/16 -i br-lan -m iprange --src-range 172.17.17.2-172.17.17.10 -j DROP
-A forwarding_rule -d 64.12.0.0/16 -i br-lan -m iprange --src-range 172.17.17.2-172.17.17.10 -j DROP
# Anything arriving from, or destined to, an IPsec tunnel is forwarded
# without any further source/port filtering.
-A forwarding_rule -m policy --dir in --pol ipsec --mode tunnel -j ACCEPT
-A forwarding_rule -m policy --dir out --pol ipsec --mode tunnel -j ACCEPT
# Counterpart of the nat DNAT for tcp/2080 → 172.17.17.250.
-A forwarding_rule -d 172.17.17.250/32 -i eth0.1 -p tcp -m tcp --dport 2080 -j ACCEPT
# Per-host and per-range port whitelists for LAN clients.
-A forwarding_rule -s 172.17.17.247/32 -i br-lan -p tcp -m multiport --dports 21,80,3128,2000 -j ACCEPT
-A forwarding_rule -s 172.17.17.200/32 -i br-lan -p udp -m udp --dport 9999 -j ACCEPT
-A forwarding_rule -i br-lan -p tcp -m iprange --src-range 172.17.17.2-172.17.17.10 -m multiport --dports 21,22,53,80,443,1433,3128,3579,3580,8000,8765,9865 -j ACCEPT
-A forwarding_rule -i br-lan -p udp -m iprange --src-range 172.17.17.2-172.17.17.10 -m multiport --dports 53 -j ACCEPT
# One LAN device is whitelisted by MAC for all TCP and UDP.
# NOTE(review): 08:FA:KE:FA:KE:28 is not a valid hexadecimal MAC address
# (presumably redacted for publication); iptables-restore would reject
# this line as written.
-A forwarding_rule -i br-lan -p tcp -m mac --mac-source 08:FA:KE:FA:KE:28 -j ACCEPT
-A forwarding_rule -i br-lan -p udp -m mac --mac-source 08:FA:KE:FA:KE:28 -j ACCEPT
# Terminal DROP: no forwarded traffic outside the ACCEPTs above gets through.
-A forwarding_rule -j DROP
# Router-bound services accepted on every interface, eth0.1 included
# (input_rule is jumped to without an -i match): IPsec ESP, IKE udp/500,
# NAT-T udp/4500 and tcp/2020. The ATTACKER_SSH list populated in the nat
# table for tcp/2020 is never checked here, so that port is open to any
# source on eth0.1 with no rate limiting or blocking applied.
-A input_rule -p esp -j ACCEPT
-A input_rule -p udp -m udp --dport 500 -j ACCEPT
-A input_rule -p udp -m udp --dport 4500 -j ACCEPT
-A input_rule -p tcp -m tcp --dport 2020 -j ACCEPT
COMMIT
# Completed on Sat May 2 03:38:55 2009