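# Generated by iptables-save v1.8.4 on Tue Oct 20 17:37:31 2020
# Format: one directive per line, as iptables-restore expects. A line that
# starts with '#' is a comment; trailing comments on a rule line are not
# supported, so every review note below sits on its own line.
# The ipsets referenced with --match-set (bl_*, chain_ALLOW, chain_DENY,
# MESSENGER) are not defined in this file and must exist before it is loaded.
*filter
# Default-deny policy on all three built-in chains.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# User-defined chains: one per blocklist, plus logging, allow/deny and
# packet-sanity chains.
:HONEYPOT - [0:0]
:DSHIELD - [0:0]
:BDEALL - [0:0]
:SPAMDROP - [0:0]
:CRYPTOPHP - [0:0]
:EMAILSPAMMERS - [0:0]
:BFB - [0:0]
:BOGON - [0:0]
:BDE - [0:0]
:BADBOTS - [0:0]
:SPAMEDROP - [0:0]
:TOREXITNODES - [0:0]
:MAXMIND - [0:0]
:PORTFLOOD - [0:0]
:LOGDROPIN - [0:0]
:LOGDROPOUT - [0:0]
:DENYIN - [0:0]
:DENYOUT - [0:0]
:ALLOWIN - [0:0]
:ALLOWOUT - [0:0]
:LOCALINPUT - [0:0]
:LOCALOUTPUT - [0:0]
:INVDROP - [0:0]
:INVALID - [0:0]
:SMTPOUTPUT - [0:0]
# NOTE(review): DOCKER is declared but has no rules here and nothing jumps to
# it; presumably the Docker daemon repopulates it at start - confirm.
:DOCKER - [0:0]
#
# ---- INPUT ----
# Ports 8888/8889 are the targets of the nat-table REDIRECT for MESSENGER set
# members. These two rules are evaluated before LOCALINPUT, so they are not
# subject to the allow/deny/blocklist chains, and they match any source
# address, not only MESSENGER members.
# NOTE(review): confirm the listeners on 8888/8889 are meant to be reachable
# directly; the rate limit (15/min, burst 150) is global, not per source.
-A INPUT ! -i lo -p tcp -m tcp --dport 8889 -m limit --limit 15/min --limit-burst 150 -j ACCEPT
-A INPUT ! -i lo -p tcp -m tcp --dport 8888 -m limit --limit 15/min --limit-burst 150 -j ACCEPT
# Allowlist, denylist and blocklists for all non-loopback traffic.
-A INPUT ! -i lo -j LOCALINPUT
-A INPUT -i lo -j ACCEPT
# TCP sanity checks (conntrack INVALID and illegal flag combinations).
-A INPUT ! -i lo -p tcp -j INVALID
# Per-source flood protection on SMTP: record each NEW connection to port 25,
# and hand the source to PORTFLOOD once it reaches 15 hits within 5 seconds.
-A INPUT ! -i lo -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -m recent --set --name 25 --mask 255.255.255.255 --rsource
-A INPUT ! -i lo -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -m recent --update --seconds 5 --hitcount 15 --name 25 --mask 255.255.255.255 --rsource -j PORTFLOOD
# ICMP: echo-request is limited to 1/sec and the excess goes to LOGDROPIN;
# every other ICMP type is accepted without a limit.
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 8 -j LOGDROPIN
-A INPUT ! -i lo -p icmp -j ACCEPT
# RELATED is accepted only when it comes from the FTP conntrack helper (the
# helper itself is assigned explicitly in the raw table); ESTABLISHED is
# accepted for everything.
-A INPUT ! -i lo -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
-A INPUT ! -i lo -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Inbound TCP services, open to any source that passed LOCALINPUT.
# NOTE(review): this list includes the standard cleartext ports for FTP (21),
# POP3 (110) and IMAP (143) and the PPTP control port (1723); confirm each
# listed port has a listener that is meant to be internet-facing and close
# the rest.
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 20 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 21 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 25 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 26 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 53 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 88 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 110 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 143 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 465 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 587 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 904 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 953 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 992 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 993 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 995 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 1907:1909 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 1723 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 1986 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 2082 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 2083 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 2086 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 2087 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 2095 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 2096 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 8443 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 8800 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 8988 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 9391 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 9999 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 65534 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 5080 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 5665 -j ACCEPT
# NOTE(review): tcp/5666 is accepted from any source here, while ALLOWIN
# carries three source-specific accepts for the same port. As long as this
# rule exists those ALLOWIN entries restrict nothing. If the intent is to
# limit 5666 to the listed hosts, this rule is the one to remove.
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 5666 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 5222 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 5269 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 52222 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 40000:40100 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 11898 -j ACCEPT
# Inbound UDP services, open to any source that passed LOCALINPUT.
# NOTE(review): udp/161 (SNMP) and udp/514 (syslog) are reachable from any
# address; these are normally limited to known management or log-source
# hosts. udp/20 and udp/21 mirror the TCP FTP ports, and FTP does not use
# UDP. Confirm and tighten.
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 20 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 21 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 53 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 67 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 68 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 123 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 161 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 500 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 514 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 517 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 518 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 1194 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 1514 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 1701 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 1981 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 4500 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 33434:33523 -j ACCEPT
# Everything else inbound is logged (rate-limited) and dropped.
-A INPUT ! -i lo -j LOGDROPIN
#
# ---- FORWARD ----
# Only docker0 traffic is forwarded: replies towards containers, container
# egress, and container-to-container traffic. Anything else hits policy DROP.
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
#
# ---- OUTPUT ----
# Replies from the 8888/8889 listeners, rate-limited like the INPUT side.
-A OUTPUT ! -o lo -p tcp -m tcp --sport 8889 -m limit --limit 15/min --limit-burst 150 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m tcp --sport 8888 -m limit --limit 15/min --limit-burst 150 -j ACCEPT
-A OUTPUT ! -o lo -j LOCALOUTPUT
# DNS in both directions (as client and as server) is accepted statelessly.
-A OUTPUT ! -o lo -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m udp --sport 53 -j ACCEPT
# Outbound SMTP is restricted per owning uid/gid (see SMTPOUTPUT). This jump
# has to stay above the catch-all NEW accepts below to be effective.
-A OUTPUT -j SMTPOUTPUT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT ! -o lo -p tcp -j INVALID
-A OUTPUT ! -o lo -p icmp -j ACCEPT
-A OUTPUT ! -o lo -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
-A OUTPUT ! -o lo -m conntrack --ctstate ESTABLISHED -j ACCEPT
# NOTE(review): despite the DROP policy, these two rules accept NEW TCP and
# UDP to every destination port, so egress is unfiltered apart from SMTP and
# the chain_DENY set. If egress control is wanted, replace the 1:65535 ranges
# with the destination ports the host actually needs.
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 1:65535 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m conntrack --ctstate NEW -m udp --dport 1:65535 -j ACCEPT
# Whatever is left (for example protocols other than TCP/UDP/ICMP) is logged
# and rejected.
-A OUTPUT ! -o lo -j LOGDROPOUT
#
# ---- Blocklist chains ----
# Each chain drops packets whose source address is in the matching ipset.
# The drops are silent: no LOG rule precedes them.
-A HONEYPOT -m set --match-set bl_HONEYPOT src -j DROP
-A DSHIELD -m set --match-set bl_DSHIELD src -j DROP
-A BDEALL -m set --match-set bl_BDEALL src -j DROP
-A SPAMDROP -m set --match-set bl_SPAMDROP src -j DROP
-A CRYPTOPHP -m set --match-set bl_CRYPTOPHP src -j DROP
-A EMAILSPAMMERS -m set --match-set bl_EMAILSPAMMERS src -j DROP
-A BFB -m set --match-set bl_BFB src -j DROP
-A BOGON -m set --match-set bl_BOGON src -j DROP
-A BDE -m set --match-set bl_BDE src -j DROP
-A BADBOTS -m set --match-set bl_BADBOTS src -j DROP
-A SPAMEDROP -m set --match-set bl_SPAMEDROP src -j DROP
-A TOREXITNODES -m set --match-set bl_TOREXITNODES src -j DROP
-A MAXMIND -m set --match-set bl_MAXMIND src -j DROP
#
# ---- PORTFLOOD: log at most 30 entries per minute, then drop ----
-A PORTFLOOD -m limit --limit 30/min -j LOG --log-prefix "Firewall: *Port Flood* "
-A PORTFLOOD -j DROP
#
# ---- LOGDROPIN ----
# These ports are dropped without a log entry to keep background noise out
# of the logs; the rules sit above the LOG rules on purpose.
-A LOGDROPIN -p tcp -m tcp --dport 67 -j DROP
-A LOGDROPIN -p udp -m udp --dport 67 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 68 -j DROP
-A LOGDROPIN -p udp -m udp --dport 68 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 111 -j DROP
-A LOGDROPIN -p udp -m udp --dport 111 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 113 -j DROP
-A LOGDROPIN -p udp -m udp --dport 113 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 135:139 -j DROP
-A LOGDROPIN -p udp -m udp --dport 135:139 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 445 -j DROP
-A LOGDROPIN -p udp -m udp --dport 445 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 500 -j DROP
-A LOGDROPIN -p udp -m udp --dport 500 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 513 -j DROP
-A LOGDROPIN -p udp -m udp --dport 513 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 520 -j DROP
-A LOGDROPIN -p udp -m udp --dport 520 -j DROP
# Everything else: one rate-limited log line per protocol, then drop.
-A LOGDROPIN -p tcp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *TCP_IN Blocked* "
-A LOGDROPIN -p udp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *UDP_IN Blocked* "
-A LOGDROPIN -p icmp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *ICMP_IN Blocked* "
-A LOGDROPIN -j DROP
#
# ---- LOGDROPOUT ----
# --log-uid records the uid of the local process that produced the packet,
# which ties a blocked outbound attempt to an account. For TCP only the
# initial SYN is logged. Local senders get a REJECT instead of a silent drop.
-A LOGDROPOUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 30/min -j LOG --log-prefix "Firewall: *TCP_OUT Blocked* " --log-uid
-A LOGDROPOUT -p udp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *UDP_OUT Blocked* " --log-uid
-A LOGDROPOUT -p icmp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *ICMP_OUT Blocked* " --log-uid
-A LOGDROPOUT -j REJECT --reject-with icmp-port-unreachable
#
# ---- Allow / deny lists ----
# Inbound traffic from chain_DENY members is dropped without logging;
# outbound traffic to them is logged and rejected.
-A DENYIN -m set --match-set chain_DENY src -j DROP
-A DENYOUT -m set --match-set chain_DENY dst -j LOGDROPOUT
# Source-specific accepts for tcp/5666. They only act as a restriction if the
# any-source accept for 5666 in INPUT is removed.
-A ALLOWIN -s 194.63.143.34/32 ! -i lo -p tcp -m tcp --dport 5666 -j ACCEPT
-A ALLOWIN -s 134.19.177.221/32 ! -i lo -p tcp -m tcp --dport 5666 -j ACCEPT
-A ALLOWIN -s 91.210.104.27/32 ! -i lo -p tcp -m tcp --dport 5666 -j ACCEPT
# chain_ALLOW members are accepted on every port and protocol.
-A ALLOWIN -m set --match-set chain_ALLOW src -j ACCEPT
-A ALLOWOUT -m set --match-set chain_ALLOW dst -j ACCEPT
#
# ---- LOCALINPUT / LOCALOUTPUT ----
# Order matters: ALLOWIN runs first, so an address in chain_ALLOW is accepted
# even when it also appears in chain_DENY or in a blocklist set. Keep
# chain_ALLOW small and reviewed.
-A LOCALINPUT ! -i lo -j ALLOWIN
-A LOCALINPUT ! -i lo -j DENYIN
-A LOCALINPUT ! -i lo -j HONEYPOT
-A LOCALINPUT ! -i lo -j DSHIELD
-A LOCALINPUT ! -i lo -j BDEALL
-A LOCALINPUT ! -i lo -j SPAMDROP
-A LOCALINPUT ! -i lo -j CRYPTOPHP
-A LOCALINPUT ! -i lo -j EMAILSPAMMERS
-A LOCALINPUT ! -i lo -j BFB
-A LOCALINPUT ! -i lo -j BOGON
-A LOCALINPUT ! -i lo -j BDE
-A LOCALINPUT ! -i lo -j BADBOTS
-A LOCALINPUT ! -i lo -j SPAMEDROP
-A LOCALINPUT ! -i lo -j TOREXITNODES
-A LOCALINPUT ! -i lo -j MAXMIND
-A LOCALOUTPUT ! -o lo -j ALLOWOUT
-A LOCALOUTPUT ! -o lo -j DENYOUT
#
# ---- INVDROP: log which sanity check fired (rate-limited), then drop ----
# Each LOG rule repeats the match of the INVALID rule that jumped here, so
# the log prefix names the reason.
-A INVDROP -m conntrack --ctstate INVALID -m limit --limit 30/min -j LOG --log-prefix "Firewall: *INVALID* "
-A INVDROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 30/min -j LOG --log-prefix "Firewall: *INV_AN* "
-A INVDROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 30/min -j LOG --log-prefix "Firewall: *INV_AA* "
-A INVDROP -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 30/min -j LOG --log-prefix "Firewall: *INV_SFSF* "
-A INVDROP -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 30/min -j LOG --log-prefix "Firewall: *INV_SRSR* "
-A INVDROP -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -m limit --limit 30/min -j LOG --log-prefix "Firewall: *INV_FRFR* "
-A INVDROP -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 30/min -j LOG --log-prefix "Firewall: *INV_AFF* "
-A INVDROP -p tcp -m tcp --tcp-flags PSH,ACK PSH -m limit --limit 30/min -j LOG --log-prefix "Firewall: *INV_APP* "
-A INVDROP -p tcp -m tcp --tcp-flags ACK,URG URG -m limit --limit 30/min -j LOG --log-prefix "Firewall: *INV_AUU* "
-A INVDROP -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -m limit --limit 30/min -j LOG --log-prefix "Firewall: *INV_NOSYN* "
-A INVDROP -j DROP
#
# ---- INVALID: packet sanity checks ----
# conntrack INVALID state, flag combinations that never occur in a legitimate
# TCP stream (no flags, all flags, SYN+FIN, SYN+RST, FIN+RST, FIN/PSH/URG
# without ACK), and NEW connections that do not start with a plain SYN.
-A INVALID -m conntrack --ctstate INVALID -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,ACK FIN -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags PSH,ACK PSH -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags ACK,URG URG -j INVDROP
-A INVALID -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j INVDROP
#
# ---- SMTPOUTPUT: restrict who may open outbound SMTP ----
# Connections to ports 25/465/587 are accepted over loopback and for the
# listed owning gids/uids; any other local process is logged (with its uid)
# and rejected. This keeps a compromised or abused account from sending mail
# directly and bypassing the local MTA.
# NOTE(review): the numeric ids are host-specific. 65534 is conventionally
# nobody/nogroup; if web or other untrusted workloads run under it, these
# exemptions let them send mail directly. Verify against /etc/passwd and
# /etc/group on the host.
-A SMTPOUTPUT -o lo -p tcp -m multiport --dports 25,465,587 -j ACCEPT
-A SMTPOUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --gid-owner 65534 -j ACCEPT
-A SMTPOUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --gid-owner 12 -j ACCEPT
-A SMTPOUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner 65534 -j ACCEPT
-A SMTPOUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner 101 -j ACCEPT
-A SMTPOUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner 89 -j ACCEPT
-A SMTPOUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner 0 -j ACCEPT
-A SMTPOUTPUT -p tcp -m multiport --dports 25,465,587 -j LOGDROPOUT
COMMIT
# Completed on Tue Oct 20 17:37:31 2020

# Generated by iptables-save v1.8.4 on Tue Oct 20 17:37:31 2020
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Attach the FTP conntrack helper explicitly, and only to the control port
# (tcp/21), instead of relying on automatic helper assignment. The filter
# table's "RELATED + helper ftp" accepts depend on these two rules.
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
-A OUTPUT -p tcp -m tcp --dport 21 -j CT --helper ftp
COMMIT
# Completed on Tue Oct 20 17:37:31 2020

# Generated by iptables-save v1.8.4 on Tue Oct 20 17:37:31 2020
# The mangle table carries no rules; every chain keeps policy ACCEPT.
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Tue Oct 20 17:37:31 2020

# Generated by iptables-save v1.8.4 on Tue Oct 20 17:37:31 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Sources in the MESSENGER ipset that connect to the listed web/panel ports
# or to FTP are redirected to local ports 8888 and 8889; the filter table
# accepts those two ports ahead of the blocklist chains.
-A PREROUTING ! -i lo -p tcp -m set --match-set MESSENGER src -m multiport --dports 80,2082,2093,2095 -j REDIRECT --to-ports 8888
-A PREROUTING ! -i lo -p tcp -m set --match-set MESSENGER src -m multiport --dports 21 -j REDIRECT --to-ports 8889
# Source NAT for container traffic leaving through any interface other than
# docker0.
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
# Completed on Tue Oct 20 17:37:31 2020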