
История изменений

Исправление Vint, (текущая версия) :

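# filter table of a small gateway/mail/web host. eth0 = WAN, eth1 = LAN (192.168.77.0/24).
# Default-deny on every chain: everything below is an explicit exception.
# psd, osf, geoip and the DELUDE target come from xtables-addons; the ruleset will not load without it.
:INPUT DROP [2:112]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# fail2ban-managed rules (ipset lookups), kept byte-for-byte as fail2ban writes them.
# They sit before the RELATED,ESTABLISHED accept on purpose, so a ban also cuts live flows.
-A INPUT -p tcp -m multiport --dports 0:65535 -m set --match-set f2b-recidive src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m multiport --dports 25,465,587,443,993,110,995 -m set --match-set f2b-postfix-bad-helo src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m multiport --dports 80,443 -m set --match-set f2b-nginx-botsearch src -j REJECT --reject-with icmp-port-unreachable
# Packets conntrack cannot classify (out-of-window segments, stray ACKs, ...).
-A INPUT -m conntrack --ctstate INVALID -m comment --comment "Drop invalid packets" -j DROP
# A NEW TCP connection must begin with a bare SYN. Despite its --comment this is not a
# SYN-flood defence (net.ipv4.tcp_syncookies is); it rejects non-SYN "new" segments.
# INVALID in the state list is already dead here because of the rule above.
-A INPUT -p tcp -m conntrack --ctstate INVALID,NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "Prevent SYN-Flood atack" -j REJECT --reject-with tcp-reset
# FIX: accept everything that arrives on lo, not only 127.0.0.0/8 sources. Local connections
# to the host's own eth0/eth1 addresses also travel over lo with that address as source and
# were previously dropped by the chain policy (the LAN rule below requires -i eth1).
-A INPUT -i lo -m comment --comment "Grant all access for loppback input traffic" -j ACCEPT
# LAN side is fully trusted: any protocol, any port, from 192.168.77.0/24 on eth1.
-A INPUT -s 192.168.77.0/24 -i eth1 -m comment --comment "Grant all access for intranet input traffic" -j ACCEPT
# DHCP DISCOVER/REQUEST from unconfigured clients carry source 0.0.0.0, which the
# previous rule's -s does not match, hence a separate rule without -s.
-A INPUT -i eth1 -p udp -m multiport --dports 53,67,68 -m conntrack --ctstate NEW -m comment --comment "Accept DNS/DHCP UDP traffic for intranet" -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -m comment --comment "Accept DNS TCP traffic for intranet" -j ACCEPT
# ---- WAN (eth0) hardening ----
# NOTE(review): with nf_conntrack loaded, IPv4 fragments are reassembled before the filter
# table sees them, so -f rarely matches here; verify it does what you expect.
-A INPUT -i eth0 -f -m comment --comment "Drop all fragmented packets" -j DROP
# FIX: restricted to NEW connections. Without --ctstate NEW, replies to connections this host
# opens towards those countries (outbound SMTP delivery, resolver queries, ...) were dropped,
# because this rule runs long before the RELATED,ESTABLISHED accept further down.
-A INPUT -i eth0 -m conntrack --ctstate NEW -m geoip --source-country CN,VN,TW,UA  -m comment --comment "Deny all traffic from restricted countries" -j DROP
# Port-scan heuristics. NOTE(review): psd is evaluated on every WAN packet, including
# established flows; consider adding -m conntrack --ctstate NEW to cut cost and false positives.
-A INPUT -i eth0 -m psd --psd-weight-threshold 21 --psd-delay-threshold 300 --psd-lo-ports-weight 3 --psd-hi-ports-weight 1  -m comment --comment "Prevent port-scaning by legal method" -j DROP
# Illegal TCP flag combinations used by FIN / Xmas / Null scans.
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN -m comment --comment "FIN-scan protection" -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m comment --comment "X-scan protect" -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m comment --comment "N-scan protect" -j DROP
-A INPUT -i eth0 -p tcp -m osf --genre NMAP -m comment --comment "NMAP OS detection protection" -j DROP
# Bogon / private sources must never arrive on the WAN side.
# FIX: 224.0.0.0/8 covered only 224.x.x.x; multicast is 224.0.0.0/4. 240.0.0.0/5 stopped at
# 247.255.255.255; the reserved block (including 255.255.255.255) is 240.0.0.0/4.
# Added 0.0.0.0/8 and link-local 169.254.0.0/16. 100.64.0.0/10 (CGNAT) is deliberately not
# listed: if the ISP assigns eth0 from that range, dropping it would cut the uplink.
# net.ipv4.conf.eth0.rp_filter=1 is the cheaper general answer to source spoofing.
-A INPUT -s 0.0.0.0/8 -i eth0 -m comment --comment "Antispoofing this-network 0.0.0.0/8 from internet" -j DROP
-A INPUT -s 10.0.0.0/8 -i eth0 -m comment --comment "Antispoofing Class A from internet" -j DROP
-A INPUT -s 172.16.0.0/12 -i eth0 -m comment --comment "Antispoffing Class B from internet" -j DROP
-A INPUT -s 192.168.0.0/16 -i eth0 -m comment --comment "Antispoofing Class C from internet" -j DROP
-A INPUT -s 169.254.0.0/16 -i eth0 -m comment --comment "Antispoofing link-local from internet" -j DROP
-A INPUT -s 224.0.0.0/4 -i eth0 -m comment --comment "Antispoffing Class D(multicast) from internet" -j DROP
-A INPUT -s 240.0.0.0/4 -i eth0 -m comment --comment "Antispoofing Class E from internet" -j DROP
-A INPUT -s 127.0.0.0/8 -i eth0 -m comment --comment "Antispoofing Loopback from internet" -j DROP
# ICMP from WAN. Echo reply/request are limited to 2/s (default burst 5).
# FIX: the explicit DROP after each limited ACCEPT is what makes the limit effective.
# Without it, over-limit pings can fall through to the RELATED,ESTABLISHED accept below
# (conntrack tracks ICMP echo by id, so a steady ping stream is ESTABLISHED after the
# first reply) and the limit was only applied to the first packet of each stream.
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -m limit --limit 2/sec -m comment --comment "ICMP \'echo reply\' with some restricts" -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -m comment --comment "ICMP echo reply over limit" -j DROP
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -m limit --limit 2/sec -m comment --comment "ICMP \'echo request\' with some restricts" -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -m comment --comment "ICMP echo request over limit" -j DROP
# Destination-unreachable (incl. fragmentation-needed for PMTUD) and parameter-problem.
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 3 -m comment --comment "ICMP \'Destination unreachable\'" -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 12 -m comment --comment "ICMP \'IP Header bad\'" -j ACCEPT
# SSH rate limit: the 4th SYN from one source within 120 s is answered by DELUDE (fake SYN/ACK).
# FIX: both rules must use the same recent(8) list. --set wrote to "DEFAULT" while --update
# checked "ssh_brutforce", so the counter never filled and DELUDE never fired.
# NOTE(review): -d 192.168.77.254 -i eth0 only matches if packets for that private address
# really arrive on the WAN interface; with eth0 described as external this looks unreachable
# from the internet, and 22/tcp is absent from the WAN accept list further down anyway.
-A INPUT -d 192.168.77.254/32 -i eth0 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m recent --update --seconds 120 --hitcount 4 --name ssh_brutforce --mask 255.255.255.255 --rsource -m comment --comment "SSH brutforce prevent in gate.lan" -j DELUDE
-A INPUT -d 192.168.77.254/32 -i eth0 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m recent --set --name ssh_brutforce --mask 255.255.255.255 --rsource -m comment --comment "SSH accept normal connect to gate.lan" -j ACCEPT
# Concurrent-connection caps, evaluated on SYN only: 20 per source IP and 150 total for web,
# 5 per source IP for mail. --connlimit-mask 0 means "count all sources together".
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m multiport --dports 80,443 -m connlimit --connlimit-above 20 --connlimit-mask 32 --connlimit-saddr -m comment --comment "Restric connects to WEB ports for 20 counts per one IP" -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m multiport --dports 80,443 -m connlimit --connlimit-above 150 --connlimit-mask 0 --connlimit-saddr -m comment --comment "Restrict all connects to WEB ports for 150 counts" -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m multiport --dports 25,465,587,993 -m connlimit --connlimit-above 5 --connlimit-mask 32 --connlimit-saddr -m comment --comment "Restric connects to MAIL ports for 5 per one IP" -j DROP
# DNS over UDP from WAN. |0000ff0001| = name terminator 0x00, QTYPE ANY (0x00ff), QCLASS IN
# (0x0001): the classic amplification query. It is dropped and the source is recorded in the
# "dns_any" list. FIX: that list was never populated before -- --update alone does not create
# entries, so the second rule was a no-op. Now a recorded source that is seen 3 times within
# 180 s has all of its further new UDP queries dropped.
# NOTE(review): the string match is a plain byte search over the whole UDP payload (can
# false-positive on other data) and does not cover DNS over TCP, which is accepted below.
-A INPUT -i eth0 -p udp -m udp --dport 53 -m string --hex-string "|0000ff0001|" --algo bm --to 65535 -m recent --set --name dns_any --mask 255.255.255.255 --rsource -m comment --comment "Restrict ANY request to our DNS" -j DROP
-A INPUT -i eth0 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -m recent --update --seconds 180 --hitcount 3 --name dns_any --mask 255.255.255.255 --rsource -m comment --comment "Restrict ANY request to our DNS" -j DROP
# Reply traffic for anything this host initiated, plus RELATED (ICMP errors, helper data flows).
-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Accept all established connection from WAN to router" -j ACCEPT
# Public services. NOTE(review): 53 is open to the whole internet; make sure the nameserver
# does not recurse for WAN clients (recursion only for 192.168.77.0/24), otherwise this is
# an open resolver usable for reflection attacks. 110/995 are in the fail2ban rule above
# but are not opened here.
-A INPUT -i eth0 -p tcp -m conntrack --ctstate NEW -m multiport --dports 25,53,80,443,465,587,993 -m comment --comment "Accept allowed WAN TCP ports" -j ACCEPT
-A INPUT -i eth0 -p udp -m conntrack --ctstate NEW -m multiport --dports 53 -m comment --comment "Accept allowed WAN UDP ports" -j ACCEPT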

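# OUTPUT: default-deny, but egress towards the internet is effectively fully open (last rule).
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
# Outbound NEW TCP must start with a bare SYN (mirror of the INPUT rule).
-A OUTPUT -p tcp -m conntrack --ctstate INVALID,NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
# FIX: -o lo without -d 127.0.0.0/8. Local traffic to the host's own eth0/eth1 addresses is
# routed over lo with that address as destination and was dropped by the chain policy.
-A OUTPUT -o lo -j ACCEPT
# Only unicast into the LAN subnet is allowed out of eth1.
# NOTE(review): if the DHCP server answers through a normal UDP socket to 255.255.255.255
# (clients without an address yet), those OFFER/ACKs are dropped by the policy -- confirm
# with the DHCP server actually in use.
-A OUTPUT -d 192.168.77.0/24 -o eth1 -j ACCEPT
# ICMP towards WAN. FIX: explicit DROP after each limited echo ACCEPT. The final rule accepts
# every NEW/RELATED/ESTABLISHED packet, so without the DROP the 2/s limits were decorative.
-A OUTPUT -o eth0 -p icmp -m icmp --icmp-type 0 -m limit --limit 2/sec -m comment --comment "ICMP \'echo reply\' with some restricts" -j ACCEPT
-A OUTPUT -o eth0 -p icmp -m icmp --icmp-type 0 -m comment --comment "ICMP echo reply over limit" -j DROP
-A OUTPUT -o eth0 -p icmp -m icmp --icmp-type 8 -m limit --limit 2/sec -m comment --comment "ICMP \'echo request\' with some restricts" -j ACCEPT
-A OUTPUT -o eth0 -p icmp -m icmp --icmp-type 8 -m comment --comment "ICMP echo request over limit" -j DROP
# The four accepts below are redundant with the final rule but document intent.
# Type 4 (source quench) is deprecated (RFC 6633) and modern kernels do not emit it.
-A OUTPUT -o eth0 -p icmp -m icmp --icmp-type 3 -m comment --comment "ICMP \'destination unreachable\'" -j ACCEPT
-A OUTPUT -o eth0 -p icmp -m icmp --icmp-type 4 -m comment --comment "ICMP \'source quench\'" -j ACCEPT
-A OUTPUT -o eth0 -p icmp -m icmp --icmp-type 11 -m comment --comment "ICMP \'time-to-live exceeded\'" -j ACCEPT
-A OUTPUT -o eth0 -p icmp -m icmp --icmp-type 12 -m comment --comment "ICMP \'IP header bad\'" -j ACCEPT
# Everything else this host sends to the internet is allowed (no egress filtering).
-A OUTPUT -o eth0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT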



Целиком не влезло: цепочка FORWARD и таблица nat (PREROUTING/POSTROUTING) здесь опущены, показаны только INPUT и OUTPUT таблицы filter. eth0 — внешний (WAN) интерфейс, eth1 — внутренний (LAN, 192.168.77.0/24).

Исправление Vint, :

# filter table, INPUT side. eth0 = WAN, eth1 = LAN (192.168.77.0/24). Default-deny on every chain.
:INPUT DROP [2:112]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# fail2ban-managed ipset rules; placed before the ESTABLISHED accept so a ban also cuts live flows.
-A INPUT -p tcp -m multiport --dports 0:65535 -m set --match-set f2b-recidive src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m multiport --dports 25,465,587,443,993,110,995 -m set --match-set f2b-postfix-bad-helo src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m multiport --dports 80,443 -m set --match-set f2b-nginx-botsearch src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m conntrack --ctstate INVALID -m comment --comment "Drop invalid packets" -j DROP
# Not a SYN-flood defence despite the --comment: it rejects NEW TCP segments that are not a bare SYN.
-A INPUT -p tcp -m conntrack --ctstate INVALID,NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "Prevent SYN-Flood atack" -j REJECT --reject-with tcp-reset
# BUG: local connections to the host's own eth0/eth1 addresses also arrive on lo with that
# address as source; the -s 127.0.0.0/8 restriction sends them to the DROP policy. Use -i lo alone.
-A INPUT -s 127.0.0.0/8 -i lo -m comment --comment "Grant all access for loppback input traffic" -j ACCEPT
-A INPUT -s 192.168.77.0/24 -i eth1 -m comment --comment "Grant all access for intranet input traffic" -j ACCEPT
# DHCP DISCOVER/REQUEST carry source 0.0.0.0, hence a rule without -s.
-A INPUT -i eth1 -p udp -m multiport --dports 53,67,68 -m conntrack --ctstate NEW -m comment --comment "Accept DNS/DHCP UDP traffic for intranet" -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -m comment --comment "Accept DNS TCP traffic for intranet" -j ACCEPT
# NOTE(review): with nf_conntrack loaded, fragments are reassembled before filter sees them; -f rarely matches.
-A INPUT -i eth0 -f -m comment --comment "Drop all fragmented packets" -j DROP
# BUG: this runs before the RELATED,ESTABLISHED accept and has no --ctstate NEW, so replies to
# connections this host opens towards those countries (outbound SMTP, resolver queries) are dropped.
-A INPUT -i eth0 -m geoip --source-country CN,VN,TW,UA  -m comment --comment "Deny all traffic from restricted countries" -j DROP
# psd/osf/geoip and DELUDE below require xtables-addons.
-A INPUT -i eth0 -m psd --psd-weight-threshold 21 --psd-delay-threshold 300 --psd-lo-ports-weight 3 --psd-hi-ports-weight 1  -m comment --comment "Prevent port-scaning by legal method" -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN -m comment --comment "FIN-scan protection" -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m comment --comment "X-scan protect" -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m comment --comment "N-scan protect" -j DROP
-A INPUT -i eth0 -p tcp -m osf --genre NMAP -m comment --comment "NMAP OS detection protection" -j DROP
# Anti-spoofing of private/bogon sources on the WAN side.
-A INPUT -s 10.0.0.0/8 -i eth0 -m comment --comment "Antispoofing Class A from internet" -j DROP
-A INPUT -s 172.16.0.0/12 -i eth0 -m comment --comment "Antispoffing Class B from internet" -j DROP
-A INPUT -s 192.168.0.0/16 -i eth0 -m comment --comment "Antispoofing Class C from internet" -j DROP
# BUG: multicast is 224.0.0.0/4; /8 covers only 224.x.x.x.
-A INPUT -s 224.0.0.0/8 -i eth0 -m comment --comment "Antispoffing Class D(multicast) from internet" -j DROP
# BUG: the reserved block is 240.0.0.0/4; /5 stops at 247.255.255.255 and misses 255.255.255.255.
-A INPUT -s 240.0.0.0/5 -i eth0 -m comment --comment "Antispoofing Class E from internet" -j DROP
-A INPUT -s 127.0.0.0/8 -i eth0 -m comment --comment "Antispoofing Loopback from internet" -j DROP
# NOTE(review): over-limit echo packets are not dropped here; they fall through to later rules
# (ESTABLISHED accept for an ongoing ping stream), so the 2/s limit is only partly effective.
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -m limit --limit 2/sec -m comment --comment "ICMP \'echo reply\' with some restricts" -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -m limit --limit 2/sec -m comment --comment "ICMP \'echo request\' with some restricts" -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 3 -m comment --comment "ICMP \'Destination unreachable\'" -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 12 -m comment --comment "ICMP \'IP Header bad\'" -j ACCEPT
# BUG: the two SSH rules use different recent(8) lists ("ssh_brutforce" vs "DEFAULT"); --update
# never finds an entry, so DELUDE never fires. NOTE(review): -d 192.168.77.254 on the WAN
# interface is unlikely to match real internet traffic, and 22/tcp is not in the WAN accept list.
-A INPUT -d 192.168.77.254/32 -i eth0 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m recent --update --seconds 120 --hitcount 4 --name ssh_brutforce --mask 255.255.255.255 --rsource -m comment --comment "SSH brutforce prevent in gate.lan" -j DELUDE
-A INPUT -d 192.168.77.254/32 -i eth0 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource -m comment --comment "SSH accept normal connect to gate.lan" -j ACCEPT
# Concurrent-connection caps on SYN only; --connlimit-mask 0 counts all sources together.
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m multiport --dports 80,443 -m connlimit --connlimit-above 20 --connlimit-mask 32 --connlimit-saddr -m comment --comment "Restric connects to WEB ports for 20 counts per one IP" -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m multiport --dports 80,443 -m connlimit --connlimit-above 150 --connlimit-mask 0 --connlimit-saddr -m comment --comment "Restrict all connects to WEB ports for 150 counts" -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m multiport --dports 25,465,587,993 -m connlimit --connlimit-above 5 --connlimit-mask 32 --connlimit-saddr -m comment --comment "Restric connects to MAIL ports for 5 per one IP" -j DROP
# |0000ff0001| = name terminator, QTYPE ANY, QCLASS IN. UDP only; DNS over TCP (accepted below) is not inspected.
-A INPUT -i eth0 -p udp -m udp --dport 53 -m string --hex-string "|0000ff0001|" --algo bm --to 65535 -m comment --comment "Restrict ANY request to our DNS" -j DROP
# BUG: nothing in this chain does --set on "dns_any"; --update alone never creates entries, so this rule is a no-op.
-A INPUT -i eth0 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -m recent --update --seconds 180 --hitcount 3 --name dns_any --mask 255.255.255.255 --rsource -m comment --comment "Restrict ANY request to our DNS" -j DROP
-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Accept all established connection from WAN to router" -j ACCEPT
# NOTE(review): 53 is open to the internet; ensure the nameserver does not recurse for WAN clients (open-resolver risk).
-A INPUT -i eth0 -p tcp -m conntrack --ctstate NEW -m multiport --dports 25,53,80,443,465,587,993 -m comment --comment "Accept allowed WAN TCP ports" -j ACCEPT
-A INPUT -i eth0 -p udp -m conntrack --ctstate NEW -m multiport --dports 53 -m comment --comment "Accept allowed WAN UDP ports" -j ACCEPT

# OUTPUT: default-deny, but the last rule opens all egress towards the internet.
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -p tcp -m conntrack --ctstate INVALID,NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
# BUG: local traffic to the host's own eth0/eth1 addresses goes out over lo with that
# address as destination; -d 127.0.0.0/8 sends it to the DROP policy. Use -o lo alone.
-A OUTPUT -d 127.0.0.0/8 -o lo -j ACCEPT
# NOTE(review): DHCP replies sent to 255.255.255.255 through a normal UDP socket would be dropped; confirm.
-A OUTPUT -d 192.168.77.0/24 -o eth1 -j ACCEPT
# NOTE(review): the 2/s limits below are ineffective: over-limit echo packets fall through
# to the final rule, which accepts every NEW/RELATED/ESTABLISHED packet on eth0.
-A OUTPUT -o eth0 -p icmp -m icmp --icmp-type 0 -m limit --limit 2/sec -m comment --comment "ICMP \'echo reply\' with some restricts" -j ACCEPT
-A OUTPUT -o eth0 -p icmp -m icmp --icmp-type 8 -m limit --limit 2/sec -m comment --comment "ICMP \'echo request\' with some restricts" -j ACCEPT
-A OUTPUT -o eth0 -p icmp -m icmp --icmp-type 3 -m comment --comment "ICMP \'destination unreachable\'" -j ACCEPT
# Source quench is deprecated (RFC 6633); harmless but dead.
-A OUTPUT -o eth0 -p icmp -m icmp --icmp-type 4 -m comment --comment "ICMP \'source quench\'" -j ACCEPT
-A OUTPUT -o eth0 -p icmp -m icmp --icmp-type 11 -m comment --comment "ICMP \'time-to-live exceeded\'" -j ACCEPT
-A OUTPUT -o eth0 -p icmp -m icmp --icmp-type 12 -m comment --comment "ICMP \'IP header bad\'" -j ACCEPT
# Full egress: everything else this host sends to the internet is allowed.
-A OUTPUT -o eth0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT



Целиком не влезло: цепочка FORWARD и таблица nat здесь опущены, показаны только INPUT и OUTPUT таблицы filter. eth0 — внешний (WAN) интерфейс, eth1 — внутренний (LAN, 192.168.77.0/24).

Исходная версия Vint, :

# filter table, INPUT side. eth0 = WAN, eth1 = LAN (192.168.77.0/24). Default-deny on every chain.
:INPUT DROP [2:112]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# fail2ban-managed ipset rules; placed before the ESTABLISHED accept so a ban also cuts live flows.
-A INPUT -p tcp -m multiport --dports 0:65535 -m set --match-set f2b-recidive src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m multiport --dports 25,465,587,443,993,110,995 -m set --match-set f2b-postfix-bad-helo src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m multiport --dports 80,443 -m set --match-set f2b-nginx-botsearch src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m conntrack --ctstate INVALID -m comment --comment "Drop invalid packets" -j DROP
# Not a SYN-flood defence despite the --comment: it rejects NEW TCP segments that are not a bare SYN.
-A INPUT -p tcp -m conntrack --ctstate INVALID,NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "Prevent SYN-Flood atack" -j REJECT --reject-with tcp-reset
# BUG: local connections to the host's own eth0/eth1 addresses also arrive on lo with that
# address as source; the -s 127.0.0.0/8 restriction sends them to the DROP policy. Use -i lo alone.
-A INPUT -s 127.0.0.0/8 -i lo -m comment --comment "Grant all access for loppback input traffic" -j ACCEPT
-A INPUT -s 192.168.77.0/24 -i eth1 -m comment --comment "Grant all access for intranet input traffic" -j ACCEPT
# DHCP DISCOVER/REQUEST carry source 0.0.0.0, hence a rule without -s.
-A INPUT -i eth1 -p udp -m multiport --dports 53,67,68 -m conntrack --ctstate NEW -m comment --comment "Accept DNS/DHCP UDP traffic for intranet" -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -m comment --comment "Accept DNS TCP traffic for intranet" -j ACCEPT
# NOTE(review): with nf_conntrack loaded, fragments are reassembled before filter sees them; -f rarely matches.
-A INPUT -i eth0 -f -m comment --comment "Drop all fragmented packets" -j DROP
# BUG: this runs before the RELATED,ESTABLISHED accept and has no --ctstate NEW, so replies to
# connections this host opens towards those countries (outbound SMTP, resolver queries) are dropped.
-A INPUT -i eth0 -m geoip --source-country CN,VN,TW,UA  -m comment --comment "Deny all traffic from restricted countries" -j DROP
# psd/osf/geoip and DELUDE below require xtables-addons.
-A INPUT -i eth0 -m psd --psd-weight-threshold 21 --psd-delay-threshold 300 --psd-lo-ports-weight 3 --psd-hi-ports-weight 1  -m comment --comment "Prevent port-scaning by legal method" -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN -m comment --comment "FIN-scan protection" -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m comment --comment "X-scan protect" -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m comment --comment "N-scan protect" -j DROP
-A INPUT -i eth0 -p tcp -m osf --genre NMAP -m comment --comment "NMAP OS detection protection" -j DROP
# Anti-spoofing of private/bogon sources on the WAN side.
-A INPUT -s 10.0.0.0/8 -i eth0 -m comment --comment "Antispoofing Class A from internet" -j DROP
-A INPUT -s 172.16.0.0/12 -i eth0 -m comment --comment "Antispoffing Class B from internet" -j DROP
-A INPUT -s 192.168.0.0/16 -i eth0 -m comment --comment "Antispoofing Class C from internet" -j DROP
# BUG: multicast is 224.0.0.0/4; /8 covers only 224.x.x.x.
-A INPUT -s 224.0.0.0/8 -i eth0 -m comment --comment "Antispoffing Class D(multicast) from internet" -j DROP
# BUG: the reserved block is 240.0.0.0/4; /5 stops at 247.255.255.255 and misses 255.255.255.255.
-A INPUT -s 240.0.0.0/5 -i eth0 -m comment --comment "Antispoofing Class E from internet" -j DROP
-A INPUT -s 127.0.0.0/8 -i eth0 -m comment --comment "Antispoofing Loopback from internet" -j DROP
# NOTE(review): over-limit echo packets are not dropped here; they fall through to later rules
# (ESTABLISHED accept for an ongoing ping stream), so the 2/s limit is only partly effective.
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -m limit --limit 2/sec -m comment --comment "ICMP \'echo reply\' with some restricts" -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -m limit --limit 2/sec -m comment --comment "ICMP \'echo request\' with some restricts" -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 3 -m comment --comment "ICMP \'Destination unreachable\'" -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 12 -m comment --comment "ICMP \'IP Header bad\'" -j ACCEPT
# BUG: the two SSH rules use different recent(8) lists ("ssh_brutforce" vs "DEFAULT"); --update
# never finds an entry, so DELUDE never fires. NOTE(review): -d 192.168.77.254 on the WAN
# interface is unlikely to match real internet traffic, and 22/tcp is not in the WAN accept list.
-A INPUT -d 192.168.77.254/32 -i eth0 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m recent --update --seconds 120 --hitcount 4 --name ssh_brutforce --mask 255.255.255.255 --rsource -m comment --comment "SSH brutforce prevent in gate.lan" -j DELUDE
-A INPUT -d 192.168.77.254/32 -i eth0 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource -m comment --comment "SSH accept normal connect to gate.lan" -j ACCEPT
# Concurrent-connection caps on SYN only; --connlimit-mask 0 counts all sources together.
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m multiport --dports 80,443 -m connlimit --connlimit-above 20 --connlimit-mask 32 --connlimit-saddr -m comment --comment "Restric connects to WEB ports for 20 counts per one IP" -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m multiport --dports 80,443 -m connlimit --connlimit-above 150 --connlimit-mask 0 --connlimit-saddr -m comment --comment "Restrict all connects to WEB ports for 150 counts" -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m multiport --dports 25,465,587,993 -m connlimit --connlimit-above 5 --connlimit-mask 32 --connlimit-saddr -m comment --comment "Restric connects to MAIL ports for 5 per one IP" -j DROP
# |0000ff0001| = name terminator, QTYPE ANY, QCLASS IN. UDP only; DNS over TCP (accepted below) is not inspected.
-A INPUT -i eth0 -p udp -m udp --dport 53 -m string --hex-string "|0000ff0001|" --algo bm --to 65535 -m comment --comment "Restrict ANY request to our DNS" -j DROP
# BUG: nothing in this chain does --set on "dns_any"; --update alone never creates entries, so this rule is a no-op.
-A INPUT -i eth0 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -m recent --update --seconds 180 --hitcount 3 --name dns_any --mask 255.255.255.255 --rsource -m comment --comment "Restrict ANY request to our DNS" -j DROP
-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Accept all established connection from WAN to router" -j ACCEPT
# NOTE(review): 53 is open to the internet; ensure the nameserver does not recurse for WAN clients (open-resolver risk).
-A INPUT -i eth0 -p tcp -m conntrack --ctstate NEW -m multiport --dports 25,53,80,443,465,587,993 -m comment --comment "Accept allowed WAN TCP ports" -j ACCEPT
-A INPUT -i eth0 -p udp -m conntrack --ctstate NEW -m multiport --dports 53 -m comment --comment "Accept allowed WAN UDP ports" -j ACCEPT

# OUTPUT: default-deny, but the last rule opens all egress towards the internet.
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -p tcp -m conntrack --ctstate INVALID,NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
# BUG: local traffic to the host's own eth0/eth1 addresses goes out over lo with that
# address as destination; -d 127.0.0.0/8 sends it to the DROP policy. Use -o lo alone.
-A OUTPUT -d 127.0.0.0/8 -o lo -j ACCEPT
# NOTE(review): DHCP replies sent to 255.255.255.255 through a normal UDP socket would be dropped; confirm.
-A OUTPUT -d 192.168.77.0/24 -o eth1 -j ACCEPT
# NOTE(review): the 2/s limits below are ineffective: over-limit echo packets fall through
# to the final rule, which accepts every NEW/RELATED/ESTABLISHED packet on eth0.
-A OUTPUT -o eth0 -p icmp -m icmp --icmp-type 0 -m limit --limit 2/sec -m comment --comment "ICMP \'echo reply\' with some restricts" -j ACCEPT
-A OUTPUT -o eth0 -p icmp -m icmp --icmp-type 8 -m limit --limit 2/sec -m comment --comment "ICMP \'echo request\' with some restricts" -j ACCEPT
-A OUTPUT -o eth0 -p icmp -m icmp --icmp-type 3 -m comment --comment "ICMP \'destination unreachable\'" -j ACCEPT
# Source quench is deprecated (RFC 6633); harmless but dead.
-A OUTPUT -o eth0 -p icmp -m icmp --icmp-type 4 -m comment --comment "ICMP \'source quench\'" -j ACCEPT
-A OUTPUT -o eth0 -p icmp -m icmp --icmp-type 11 -m comment --comment "ICMP \'time-to-live exceeded\'" -j ACCEPT
-A OUTPUT -o eth0 -p icmp -m icmp --icmp-type 12 -m comment --comment "ICMP \'IP header bad\'" -j ACCEPT
# Full egress: everything else this host sends to the internet is allowed.
-A OUTPUT -o eth0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT