Netfilter

At present, this is the entire Netfilter ruleset on the Raspberry Pi router.

uptime 9 days

-----FILTER-----

Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4845K 1888M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
44645 3000K ACCEPT all -- br0 * 192.168.1.0/24 192.168.1.254
302 137K ACCEPT udp -- br0 * 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68
17 5248 ACCEPT udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:500
5 700 ACCEPT udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:4500
417 21184 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 flags:0x17/0x02 state NEW
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
76000 6607K LOGGING all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
9 456 DROP tcp -- br0 ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpts:137:139
101 7878 DROP udp -- br0 ppp0 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
30 1520 DROP tcp -- br0 ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 DROP udp -- br0 ppp0 0.0.0.0/0 0.0.0.0/0 udp dpt:445
6 264 DROP tcp -- br0 ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:111
0 0 DROP udp -- br0 ppp0 0.0.0.0/0 0.0.0.0/0 udp dpt:111
8600K 2282M ACCEPT all -- br0 ppp0 192.168.1.0/24 0.0.0.0/0
31M 43G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
10442 601K ACCEPT tcp -- ppp0 br0 0.0.0.0/0 192.168.1.1 tcp dpt:80
194 10840 ACCEPT tcp -- ppp0 br0 0.0.0.0/0 192.168.1.1 tcp dpt:25
21 1060 ACCEPT tcp -- ppp0 br0 0.0.0.0/0 192.168.1.1 tcp dpt:587
316 16412 ACCEPT tcp -- ppp0 br0 0.0.0.0/0 192.168.1.1 tcp dpt:995
4105 223K ACCEPT tcp -- ppp0 br0 0.0.0.0/0 192.168.1.1 tcp dpt:22

Chain OUTPUT (policy ACCEPT 345K packets, 205M bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0

Chain LOGGING (1 references)
pkts bytes target prot opt in out source destination
76000 6607K DROP all -- * * 0.0.0.0/0 0.0.0.0/0

-----NAT-----

Chain PREROUTING (policy ACCEPT 11786 packets, 2210K bytes)
pkts bytes target prot opt in out source destination
10799 622K DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.1.1:80
194 10840 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 to:192.168.1.1:25
21 1060 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:587 to:192.168.1.1:587
316 16412 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:995 to:192.168.1.1:995
4106 223K DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 to:192.168.1.1:22

Chain POSTROUTING (policy ACCEPT 3649 packets, 237K bytes)
pkts bytes target prot opt in out source destination
59881 15M MASQUERADE all -- * ppp0 192.168.1.0/24 0.0.0.0/0

-----MANGLE-----

Chain FORWARD (policy ACCEPT 6015K packets, 6769M bytes)
pkts bytes target prot opt in out source destination
3773 211K TCPMSS tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 tcpmss match 1400:65495 TCPMSS clamp to PMTU