# Squid (no transparente) + DNS Local (Bind) [RESUELTO]

## 236665

Hola a todos, tengo un problema. He instalado un servidor DNS local (BIND) y ahora Squid funciona muy lento (1 minuto o más para abrir sitios web en los navegadores); sin Squid puedo navegar por los sitios web rápidamente (mucho mejor que antes, gracias al DNS local que hice con BIND).

El problema que tengo es con Squid: antes, cuando no usaba DNS local, Squid funcionaba correctamente, sin ir lento en ningún momento.

Lo que quería saber es si es posible que el proxy funcione correctamente con el DNS local de BIND, sin tener que recurrir a DNS públicos de Google, OpenDNS, etc.

Si es posible, ¿será que es una configuración incorrecta hecha por mi culpa, o que falta alguna cosa por configurar en squid.conf?

Nota: 

Tengo DDNS (servicio de no-ip), ya que no tengo IP estática, y a través de él tengo mi dominio.

IPS:

Router: 192.168.1.1

PC servidor (eth0) placa conectada al router: 192.168.1.2

PC servidor (eth1) placa conectada para la LAN: 192.168.0.1

LAN: 192.168.0.0/24

Mis configuraciones:

squid.conf 

```

# Squid access control as posted.  http_access rules are evaluated top-down
# and the first match wins, so the order of the rules below matters.
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
# Defined but never referenced below: the stock squid.conf recommends
# "http_access deny to_localhost" so proxy clients cannot reach services
# that listen only on this host's loopback address.
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# Both the router-side subnet (eth0, 192.168.1.0/24) and the LAN subnet
# (eth1, 192.168.0.0/24) count as "localnet" and are allowed through below.
acl localnet src 192.168.1.0/24   # RFC1918 possible internal network
acl localnet src 192.168.0.0/24   # RFC1918 possible internal network
acl SSL_ports port 443
# Destination ports clients may request; anything else is denied below.
acl Safe_ports port 80      # http
acl Safe_ports port 21      # ftp
acl Safe_ports port 443      # https
acl Safe_ports port 70      # gopher
acl Safe_ports port 210      # wais
acl Safe_ports port 1025-65535   # unregistered ports
acl Safe_ports port 280      # http-mgmt
acl Safe_ports port 488      # gss-http
acl Safe_ports port 591      # filemaker
acl Safe_ports port 777      # multiling http
acl Safe_ports port 901      # SWAT
acl CONNECT method CONNECT
# Cache manager interface: reachable from this host only.
http_access allow manager localhost
http_access deny manager
# Port hygiene: refuse non-Safe_ports, and CONNECT tunnels to anything but 443.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access allow localhost   # duplicate of the line above; harmless, can be removed
http_access deny all
# Binds only the LAN-facing address (eth1); the proxy is not offered on 192.168.1.2.
http_port 192.168.0.1:3128
# Squid's own resolver list, replacing /etc/resolv.conf for its lookups:
# the local BIND first, the router second.  NOTE(review): if 127.0.0.1
# cannot answer (no forwarders configured, outbound port 53 filtered, ...),
# every lookup presumably waits for that first server to time out before
# 192.168.1.1 is tried — test a query against 127.0.0.1 directly to confirm.
dns_nameservers 127.0.0.1 192.168.1.1

```

named.conf (BIND)

```

/*
 * Refer to the named.conf(5) and named(8) man pages, and the documentation
 * in /usr/share/doc/bind-9 for more details.
 * Online versions of the documentation can be found here:
 * http://www.isc.org/software/bind/documentation
 *
 * If you are going to set up an authoritative server, make sure you
 * understand the hairy details of how DNS works. Even with simple mistakes,
 * you can break connectivity for affected parties, or cause huge amounts of
 * useless Internet traffic.
 */
acl "xfer" {
   /* Deny transfers by default except for the listed hosts.
    * If we have other name servers, place them here.
    */
   none;
};
/*
 * You might put in here some ips which are allowed to use the cache or
 * recursive queries
 */
acl "trusted" {
   /* Loopback only: nothing on 192.168.0.0/24 or 192.168.1.0/24 is trusted,
    * so this server answers processes on this host (e.g. Squid) and no one else. */
   127.0.0.0/8;
   ::1/128;
};
options {
   directory "/var/bind";
   pid-file "/var/run/named/named.pid";
   /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
   //bindkeys-file "/etc/bind/bind.keys";
   /* Listening on loopback only; LAN clients cannot reach this BIND and keep
    * using whatever resolver they already have. */
   listen-on-v6 { ::1; };
   listen-on { 127.0.0.1; };
   allow-query {
      /*
       * Accept queries from our "trusted" ACL.  We will
       * allow anyone to query our master zones below.
       * This prevents us from becoming a free DNS server
       * to the masses.
       */
      trusted;
   };
   allow-query-cache {
      /* Use the cache for the "trusted" ACL. */
      trusted;
   };
   allow-recursion {
      /* Only trusted addresses are allowed to use recursion. */
      trusted;
   };
   allow-transfer {
      /* Zone transfers are denied by default. */
      none;
   };
   allow-update {
      /* Don't allow updates, e.g. via nsupdate. */
      none;
   };
   /*
   * If you've got a DNS server around at your upstream provider, enter its
   * IP address here, and enable the line below. This will make you benefit
   * from its cache, thus reduce overall DNS traffic in the Internet.
   *
   * Uncomment the following lines to turn on DNS forwarding, and change
   *  and/or update the forwarding ip address(es):
   */
/*
   forward first;
   forwarders {
   //   123.123.123.123;   // Your ISP NS
   //   124.124.124.124;   // Your ISP NS
   //   4.2.2.1;      // Level3 Public DNS
   //   4.2.2.2;      // Level3 Public DNS
   //   8.8.8.8;      // Google Open DNS
   //   8.8.4.4;      // Google Open DNS
   // NOTE(review): 127.0.0.1 is this very server (see listen-on above), so as a
   // forwarder it would only point BIND back at itself. If forwarding is ever
   // enabled, list upstream resolvers only.
      127.0.0.1;      // Loopback
      192.168.1.1;      // Router
   };
*/
   // NOTE(review): while these stay commented out this server is presumably not
   // validating DNSSEC and accepts upstream answers unverified — confirm against
   // the defaults of the installed BIND version.
   //dnssec-enable yes;
   //dnssec-validation yes;
   /* if you have problems and are behind a firewall: */
   /* NOTE(review): pinning the outgoing source port to 53 disables source-port
    * randomisation, which weakens the resolver's resistance to cache poisoning.
    * Prefer leaving the port unset unless the firewall really cannot pass random
    * high source ports. */
   query-source address * port 53;
};
/*
 * NOTE(review): with this block commented out, named only logs via syslog's
 * defaults; enabling the channel below would show where slow lookups stall.
 */
/*
logging {
   channel default_log {
      file "/var/log/named/named.log" versions 5 size 50M;
      print-time yes;
      print-severity yes;
      print-category yes;
   };
   category default { default_log; };
   category general { default_log; };
};
*/
include "/etc/bind/rndc.key";
controls {
   /* rndc control channel: loopback only, and only with the shared key. */
   inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
};
/* Root hints: with no forwarders enabled, this server resolves everything
 * itself starting from the root servers listed in root.cache. */
zone "." in {
   type hint;
   file "/var/bind/root.cache";
};
zone "localhost" IN {
   type master;
   file "pri/localhost.zone";
   notify no;
};
zone "127.in-addr.arpa" IN {
   type master;
   file "pri/127.zone";
   notify no;
};
/*
 * Briefly, a zone which has been declared delegation-only will be effectively
 * limited to containing NS RRs for subdomains, but no actual data beyond its
 * own apex (for example, its SOA RR and apex NS RRset). This can be used to
 * filter out "wildcard" or "synthesized" data from NAT boxes or from
 * authoritative name servers whose undelegated (in-zone) data is of no
 * interest.
 * See http://www.isc.org/software/bind/delegation-only for more info
 */
//zone "COM" { type delegation-only; };
//zone "NET" { type delegation-only; };
//zone "YOUR-DOMAIN.TLD" {
//   type master;
//   file "/var/bind/pri/YOUR-DOMAIN.TLD.zone";
//   allow-query { any; };
//   allow-transfer { xfer; };
//};
//zone "YOUR-SLAVE.TLD" {
//   type slave;
//   file "/var/bind/sec/YOUR-SLAVE.TLD.zone";
//   masters { <MASTER>; };
   /* Anybody is allowed to query but transfer should be controlled by the master. */
//   allow-query { any; };
//   allow-transfer { none; };
   /* The master should be the only one who notifies the slaves, shouldn't it? */
//   allow-notify { <MASTER>; };
//   notify no;
//};

```

resolv.conf 

```

# System resolver configuration.  "domain" and "search" are mutually
# exclusive in resolv.conf(5) (the last one present wins); both name the
# same suffix here, so the first line is redundant.
domain quanticapc.no-ip.org
search quanticapc.no-ip.org
# The local BIND is asked first; the router is normally consulted only
# when the first server times out or fails.
nameserver 127.0.0.1
nameserver 192.168.1.1

```

host.conf 

```

# /etc/host.conf:
# $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/host.conf,v 1.1 2006/09/29 23:52:23 vapier Exp $
# The  file /etc/host.conf contains configuration information specific to
# the resolver library.  It should contain one configuration keyword  per
# line,  followed by appropriate configuration information.  The keywords
# recognized are order, trim, mdns, multi, nospoof, spoof, and reorder.
# This keyword specifies how host lookups are to be performed. It
# should be followed by one or more lookup methods, separated by
# commas.  Valid methods are bind, hosts, and nis.
#
# /etc/hosts is consulted before DNS ("bind"), so a stale or wrong
# /etc/hosts entry shadows whatever the local BIND would answer.
order hosts, bind
# Valid  values are on and off.  If set to on, the resolv+ library
# will return all valid addresses for a host that appears  in  the
# /etc/hosts  file,  instead  of  only  the first.  This is off by
# default, as it may cause a substantial performance loss at sites
# with large hosts files.
#
multi on

```

Last edited by 236665 on Fri May 27, 2011 6:02 am; edited 1 time in total

----------

## ZaPa

Hola.

¿Tienes reglas de iptables aplicando calidad de servicio (QoS)?

Saludos.

----------

## 236665

 *ZaPa wrote:*   

> Hola.
> 
> ¿Tienes reglas de iptables aplicando calidad de servicio (QoS)?
> 
> Saludos.

 

Hola Zapa, me puse a fijar si había hecho eso que dijiste y, cuando entré en mi script de iptables, me di cuenta de que tenía mal puestas las configuraciones de entrada de DNS, así que le hice unos arreglos ahí mismo. Además, desde el foro en inglés me dijeron que el named.conf está mal: el loopback no debería ir ahí; buscando información, ahí tendrían que ir los DNS de mi ISP u otro público, para el caso en que BIND no pudiera resolverlo por sí mismo. Ahora lo dejé así:

script iptables:

```

#!/bin/bash

## Export Interfaces Variables ##

 export LO=lo

 export LAN=eth1

 export WAN=eth0

## Export IPv4 Address Variables ##

#export IP_LO_GROUP=127.0.0.0/8

#export IP_LO=127.0.0.1/32

#export IP_LAN_GROUP=192.168.0.0/24

#export IP_LAN1=192.168.0.1/32

#export IP_LAN2=192.168.0.2/32

#export IP_LAN3=192.168.0.3/32

#export IP_LAN4=192.168.0.4/32

#export IP_LAN5=192.168.0.5/32

#export IP_LAN6=192.168.0.6/32

#export IP_LAN7=192.168.0.7/32

#export IP_LAN8=192.168.0.8/32

#export IP_LAN5=192.168.0.9/32

#export IP_LAN6=192.168.0.10/32

#export IP_LAN7=192.168.0.11/32

#export IP_LAN8=192.168.0.12/32

#export IP_WAN_GROUP=192.168.1.0/24

#export IP_WAN1=192.168.1.1/32

#export IP_WAN2=192.168.1.2/32

## Export IPv6 Variables ##

#export IP6_LO=::1/128

#export IP6_GROUP=fe80::/64

#export IP6_LAN1=fe80::208:54ff:fe2c:cf01/64

#export IP6_LAN2=fe80::219:66ff:feed:fa5f/64

#export IP6_LAN3=fe80::225:22ff:fe3d:96e0/64

#export IP6_WAN2=fe80::219:21ff:fe54:ea2f/64

## Clear All NAT Tables ##

 iptables -t nat -F

 iptables -t nat -X

 iptables -t nat -Z

## Setup NAT Build-in Policy Tables ##

#iptables -t nat -P PREROUTING ACCEPT

#iptables -t nat -P INPUT ACCEPT

#iptables -t nat -P OUTPUT ACCEPT

 iptables -t nat -P POSTROUTING ACCEPT 

#iptables -t nat -A PREROUTING -i ${WAN} -p tcp --dport 80 -j REDIRECT --to-port 3128

#iptables -t nat -A PREROUTING -i ${WAN} -p udp --dport 873 -j DNAT --to 192.168.0.1

#iptables -t nat -A PREROUTING -i ${WAN} -p tcp --dport 34000:35000 -j DNAT --to 192.168.0.9

#iptables -t nat -A PREROUTING -i ${WAN} -p udp --dport 34000:35000 -j DNAT --to 192.168.0.9

#iptables -t nat -A PREROUTING -i ${WAN} -p tcp --dport 39001 -j DNAT --to 192.168.0.9

#iptables -t nat -A PREROUTING -i ${WAN} -p udp --dport 39002 -j DNAT --to 192.168.0.9

## Configuring NAT POSTROUTING Build-in Chain Table ##

 iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

## Clear All IPv4 Filter Tables ##

 iptables -F

 iptables -X

 iptables -Z

## Setup IPv4 Filter Build-in Policy Tables ##

 iptables -P INPUT DROP

 iptables -P FORWARD DROP

 iptables -P OUTPUT DROP

## Create New IPv4 Filter Chains Tables ##

 iptables -N icmp_allowed

 iptables -N check-flags

 iptables -N allow-local-traffic-in

#iptables -N allow-ftp-traffic-in

 iptables -N allow-ftp-traffic-out

#iptables -N allow-ssh-traffic-in

 iptables -N allow-ssh-traffic-out

 iptables -N allow-dns-traffic-in

 iptables -N allow-dns-traffic-out

 iptables -N allow-http-traffic-in

 iptables -N allow-http-traffic-out

#iptables -N allow-ntp-traffic-in

 iptables -N allow-ntp-traffic-out

#iptables -N allow-https-traffic-in

 iptables -N allow-https-traffic-out

#iptables -N allow-smtp-traffic-in

 iptables -N allow-smtp-traffic-out

#iptables -N allow-rsync-traffic-in

 iptables -N allow-rsync-traffic-out

#iptables -N allow-imap-traffic-in

 iptables -N allow-imap-traffic-out

#iptables -N allow-pop3-traffic-in

 iptables -N allow-pop3-traffic-out

#iptables -N allow-streaming-traffic-in

 iptables -N allow-streaming-traffic-out

#iptables -N allow-irc-traffic-in

 iptables -N allow-irc-traffic-out

 iptables -N allow-noip-traffic-out

 iptables -N allow-git-traffic-out

#iptables -N allow-teamspeak-traffic-in

 iptables -N allow-teamspeak-traffic-out

#iptables -N allow-rfactor-traffic-in

 iptables -N allow-rfactor-traffic-out

 iptables -N allowed-connection

## Configuring IPv4 Filter INPUT Build-in Chain Table ##

 iptables -A INPUT -m state --state INVALID -j DROP

 iptables -A INPUT -p icmp -j icmp_allowed

 iptables -A INPUT -j check-flags

#iptables -A INPUT -i ${WAN} -j ACCEPT

#iptables -A INPUT -i ${WAN} -j allow-ftp-traffic-in

#iptables -A INPUT -i ${WAN} -j allow-ssh-traffic-in

 iptables -A INPUT -i ${WAN} -j allow-dns-traffic-in

#iptables -A INPUT -i ${WAN} -j allow-http-traffic-in

#iptables -A INPUT -i ${WAN} -j allow-ntp-traffic-in

#iptables -A INPUT -i ${WAN} -j allow-https-traffic-in

#iptables -A INPUT -i ${WAN} -j allow-rsync-traffic-in

#iptables -A INPUT -i ${WAN} -j allow-imap-traffic-in

#iptables -A INPUT -i ${WAN} -j allow-pop3-traffic-in

#iptables -A INPUT -i ${WAN} -j allow-streaming-traffic-in

#iptables -A INPUT -i ${WAN} -j allow-irc-traffic-in

#iptables -A INPUT -i ${WAN} -j allow-http-traffic-in

#iptables -A INPUT -i ${WAN} -j DROP

 iptables -A INPUT -i ${LO} -j ACCEPT

 iptables -A INPUT -i ${LAN} -j ACCEPT

 iptables -A INPUT -j allowed-connection

## Configuring IPv4 Filter FORWARD Build-in Chain Table ##

 iptables -A FORWARD -m state --state INVALID -j DROP

 iptables -A FORWARD -p icmp -j icmp_allowed

 iptables -A FORWARD -j check-flags

#iptables -A FORWARD -i ${WAN} -j ACCEPT

#iptables -A FORWARD -o ${WAN} -j ACCEPT

#iptables -A FORWARD -i ${WAN} -j allow-ftp-traffic-in

 iptables -A FORWARD -o ${WAN} -j allow-ftp-traffic-out

#iptables -A FORWARD -i ${WAN} -j allow-ssh-traffic-in

 iptables -A FORWARD -o ${WAN} -j allow-ssh-traffic-out

#iptables -A FORWARD -i ${WAN} -j allow-dns-traffic-in

 iptables -A FORWARD -o ${WAN} -j allow-dns-traffic-out

#iptables -A FORWARD -i ${WAN} -j allow-http-traffic-in

 iptables -A FORWARD -o ${WAN} -j allow-http-traffic-out

#iptables -A FORWARD -i ${WAN} -j allow-ntp-traffic-in

 iptables -A FORWARD -o ${WAN} -j allow-ntp-traffic-out

#iptables -A FORWARD -i ${WAN} -j allow-https-traffic-in

 iptables -A FORWARD -o ${WAN} -j allow-https-traffic-out

#iptables -A FORWARD -i ${WAN} -j allow-smtp-traffic-in

 iptables -A FORWARD -o ${WAN} -j allow-smtp-traffic-out

#iptables -A FORWARD -i ${WAN} -j allow-rsync-traffic-in

 iptables -A FORWARD -o ${WAN} -j allow-rsync-traffic-out

#iptables -A FORWARD -i ${WAN} -j allow-imap-traffic-in

 iptables -A FORWARD -o ${WAN} -j allow-imap-traffic-out

#iptables -A FORWARD -i ${WAN} -j allow-pop3-traffic-in

 iptables -A FORWARD -o ${WAN} -j allow-pop3-traffic-out

#iptables -A FORWARD -i ${WAN} -j allow-streaming-traffic-in

 iptables -A FORWARD -o ${WAN} -j allow-streaming-traffic-out

#iptables -A FORWARD -i ${WAN} -j allow-irc-traffic-in

 iptables -A FORWARD -o ${WAN} -j allow-irc-traffic-out

 iptables -A FORWARD -o ${WAN} -j allow-git-traffic-out

#iptables -A FORWARD -i ${WAN} -j allow-teamspeak-traffic-in

 iptables -A FORWARD -o ${WAN} -j allow-teamspeak-traffic-out

#iptables -A FORWARD -i ${WAN} -j allow-rfactor-traffic-in

 iptables -A FORWARD -o ${WAN} -j allow-rfactor-traffic-out

#iptables -A FORWARD -i ${WAN} -j DROP

#iptables -A FORWARD -o ${WAN} -j DROP

#iptables -A FORWARD -i ${LO} -j ACCEPT

#iptables -A FORWARD -o ${LO} -j ACCEPT

 iptables -A FORWARD -j allowed-connection

#iptables -A FORWARD -d 192.168.0.9 -p tcp --dport 34000:35000 -j ACCEPT

#iptables -A FORWARD -s 192.168.0.9 -p tcp --sport 34000:35000 -j ACCEPT

#iptables -A FORWARD -d 192.168.0.9 -p udp --dport 34000:35000 -j ACCEPT

#iptables -A FORWARD -s 192.168.0.9 -p udp --sport 34000:35000 -j ACCEPT

#iptables -A FORWARD -d 192.168.0.9 -p tcp --dport 39001 -j ACCEPT

#iptables -A FORWARD -s 192.168.0.9 -p tcp --sport 39001 -j ACCEPT

#iptables -A FORWARD -d 192.168.0.9 -p udp --dport 39002 -j ACCEPT

#iptables -A FORWARD -s 192.168.0.9 -p udp --sport 39002 -j ACCEPT

#iptables -A FORWARD -i ${WAN} -o ${LAN} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

## Configuring IPv4 Filter OUTPUT Build-in Chain Table ##

 iptables -A OUTPUT -m state --state INVALID -j DROP

 iptables -A OUTPUT -p icmp -j icmp_allowed

 iptables -A OUTPUT -j check-flags

#iptables -A OUTPUT -o ${WAN} -j ACCEPT

 iptables -A OUTPUT -o ${WAN} -j allow-ftp-traffic-out

 iptables -A OUTPUT -o ${WAN} -j allow-ssh-traffic-out

 iptables -A OUTPUT -o ${WAN} -j allow-dns-traffic-out

 iptables -A OUTPUT -o ${WAN} -j allow-http-traffic-out

 iptables -A OUTPUT -o ${WAN} -j allow-ntp-traffic-out

 iptables -A OUTPUT -o ${WAN} -j allow-https-traffic-out

#iptables -A OUTPUT -o ${WAN} -j allow-smtp-traffic-out

 iptables -A OUTPUT -o ${WAN} -j allow-rsync-traffic-out

#iptables -A OUTPUT -o ${WAN} -j allow-imap-traffic-out

#iptables -A OUTPUT -o ${WAN} -j allow-pop3-traffic-out

#iptables -A OUTPUT -o ${WAN} -j allow-irc-traffic-out

 iptables -A OUTPUT -o ${WAN} -j allow-noip-traffic-out

#iptables -A OUTPUT -o ${WAN} -j allow-git-traffic-out

#iptables -A OUTPUT -o ${WAN} -j DROP

 iptables -A OUTPUT -o ${LO} -j ACCEPT

 iptables -A OUTPUT -o ${LAN} -j ACCEPT

 iptables -A OUTPUT -j allowed-connection

## Configuring IPv4 Filter "icmp_allowed" Chain Table ##

 iptables -A icmp_allowed -p icmp -m state --state NEW -m icmp --icmp-type 11 -j ACCEPT

 iptables -A icmp_allowed -p icmp -m state --state NEW -m icmp --icmp-type 3 -j ACCEPT

 iptables -A icmp_allowed -p icmp -j LOG --log-prefix "Bad ICMP traffic:"

 iptables -A icmp_allowed -p icmp -j DROP

## Configuring IPv4 Filter "check-flags" Chain Table ##

 iptables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 5/min -j LOG --log-prefix "NMAP-XMAS:" --log-level 1

 iptables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP

 iptables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 5/min -j LOG --log-prefix "XMAS:" --log-level 1

 iptables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP

 iptables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 5/min -j LOG --log-prefix "XMAS-PSH:" --log-level 1

 iptables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP

 iptables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min -j LOG --log-prefix "NULL_SCAN:" --log-level 1

 iptables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP

 iptables -A check-flags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min -j LOG --log-prefix "SYN/RST:" --log-level 5

 iptables -A check-flags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP

 iptables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min -j LOG --log-prefix "SYN/FIN:" --log-level 5

 iptables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP

## Configuring IPv4 Filter "allow-local-traffic-in" Chain Table ##

 iptables -A allow-local-traffic-in -p tcp -m limit --limit 1/sec -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT

 iptables -A allow-local-traffic-in -p tcp -m limit --limit 1/sec -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT

 iptables -A allow-local-traffic-in -p tcp -m limit --limit 1/sec -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT

 iptables -A allow-local-traffic-in -m state --state RELATED,ESTABLISHED -j ACCEPT

## Configuring IPv4 Filter "allow-ftp-traffic-in" Chain Table ##

#iptables -A allow-ftp-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 21 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT

#iptables -A allow-ftp-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 21 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT

#iptables -A allow-ftp-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 21 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT

#iptables -A allow-ftp-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 21 -j ACCEPT

## Configuring IPv4 Filter "allow-ftp-traffic-out" Chain Table ##

 iptables -A allow-ftp-traffic-out -p tcp -m tcp --dport 21 -j ACCEPT

## Configuring IPv4 Filter "allow-ssh-traffic-in" Chain Table ##

#iptables -A allow-ssh-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 22 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT

#iptables -A allow-ssh-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 22 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT

#iptables -A allow-ssh-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 22 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT

#iptables -A allow-ssh-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 22 -j ACCEPT

## Configuring IPv4 Filter "allow-ssh-traffic-out" Chain Table ##

#iptables -A allow-ssh-traffic-out -p tcp -m tcp --dport 22 -j ACCEPT

## Configuring IPv4 Filter "allow-dns-traffic-in" Chain Table ##

##

#iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

#iptables -A INPUT -p udp --dport 53 -j ACCEPT

#iptables -A INPUT -p tcp --sport 53 -j ACCEPT

#iptables -A INPUT -p tcp --dport 53 -j ACCEPT

##

#iptables -A allow-dns-traffic-in -p udp -m state --state RELATED,ESTABLISHED -m udp --sport 53 -j ACCEPT

#iptables -A allow-dns-traffic-in -p udp --dport 53 -j ACCEPT

#iptables -A allow-dns-traffic-in -p tcp --sport 53 -j ACCEPT

#iptables -A allow-dns-traffic-in -p tcp --dport 53 -j ACCEPT

##

 iptables -A allow-dns-traffic-in -p udp -m limit --limit 1/sec -m udp --dport 53 -j ACCEPT

 iptables -A allow-dns-traffic-in -p udp -m state --state RELATED,ESTABLISHED -m udp --sport 53 -j ACCEPT

 iptables -A allow-dns-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 53 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT

 iptables -A allow-dns-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 53 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT

 iptables -A allow-dns-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 53 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT

 iptables -A allow-dns-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 53 -j ACCEPT

##

#iptables -A allow-dns-traffic-in -p udp -m state --state RELATED,ESTABLISHED -m udp --sport 53 -j ACCEPT

#iptables -A allow-dns-traffic-in -p udp -m state --state RELATED,ESTABLISHED -m udp --dport 53 -j ACCEPT

#iptables -A allow-dns-traffic-in -p tcp -m limit --limit 1/sec -m tcp --sport 53 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT

#iptables -A allow-dns-traffic-in -p tcp -m limit --limit 1/sec -m tcp --sport 53 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT

#iptables -A allow-dns-traffic-in -p tcp -m limit --limit 1/sec -m tcp --sport 53 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT

#iptables -A allow-dns-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --sport 53 -j ACCEPT

#iptables -A allow-dns-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 53 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT

#iptables -A allow-dns-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 53 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT

#iptables -A allow-dns-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 53 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT

#iptables -A allow-dns-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 53 -j ACCEPT

##

#iptables -A allow-dns-traffic-in -d ${DNS1} -p udp -m state --state RELATED,ESTABLISHED -m udp --dport 53 -j ACCEPT

#iptables -A allow-dns-traffic-in -d ${DNS2} -p udp -m state --state RELATED,ESTABLISHED -m udp --dport 53 -j ACCEPT

##

## Configuring IPv4 Filter "allow-dns-traffic-out" Chain Table ##

 iptables -A allow-dns-traffic-out -p udp -m udp --dport 53 -j ACCEPT

 iptables -A allow-dns-traffic-out -p tcp -m tcp --dport 53 -j ACCEPT

#iptables -A allow-dns-traffic-out -d ${DNS1} -p udp -m udp --dport 53 -j ACCEPT

#iptables -A allow-dns-traffic-out -d ${DNS1} -p tcp -m tcp --dport 53 -j ACCEPT

#iptables -A allow-dns-traffic-out -d ${DNS2} -p udp -m udp --dport 53 -j ACCEPT

#iptables -A allow-dns-traffic-out -d ${DNS2} -p tcp -m tcp --dport 53 -j ACCEPT

## Configuring IPv4 Filter "allow-http-traffic-in" Chain Table ##

#iptables -A allow-http-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 80 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT

#iptables -A allow-http-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 80 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT

#iptables -A allow-http-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 80 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT

#iptables -A allow-http-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 80 -j ACCEPT

## Configuring IPv4 Filter "allow-http-traffic-out" Chain Table ##

 iptables -A allow-http-traffic-out -p tcp -m tcp --dport 80 -j ACCEPT

## Configuring IPv4 Filter "allow-ntp-traffic-in" Chain Table ##

#iptables -A allow-ntp-traffic-out -p udp -m state --state RELATED,ESTABLISHED -m udp --dport 123 -j ACCEPT

## Configuring IPv4 Filter "allow-ntp-traffic-out" Chain Table ##

 iptables -A allow-ntp-traffic-out -p udp -m udp --dport 123 -j ACCEPT

## Configuring IPv4 Filter "allow-https-traffic-in" Chain Table ##

#iptables -A allow-https-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 443 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT

#iptables -A allow-https-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 443 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT

#iptables -A allow-https-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 443 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT

#iptables -A allow-https-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 443 -j ACCEPT

## Configuring IPv4 Filter "allow-https-traffic-out" Chain Table ##

 iptables -A allow-https-traffic-out -p tcp -m tcp --dport 443 -j ACCEPT

## Configuring IPv4 Filter "allow-smtp-traffic-in" Chain Table ##

## Configuring IPv4 Filter "allow-smtp-traffic-out" Chain Table ##

 iptables -A allow-smtp-traffic-out -p tcp -m tcp --dport 465 -j ACCEPT

 iptables -A allow-smtp-traffic-out -p tcp -m tcp --dport 587 -j ACCEPT

## Configuring IPv4 Filter "allow-rsync-traffic-in" Chain Table ##

#iptables -A allow-rsync-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 873 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT

#iptables -A allow-rsync-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 873 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT

#iptables -A allow-rsync-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 873 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT

#iptables -A allow-rsync-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 873 -j ACCEPT

## Configuring IPv4 Filter "allow-rsync-traffic-out" Chain Table ##

 iptables -A allow-rsync-traffic-out -p tcp -m tcp --dport 873 -j ACCEPT

## Configuring IPv4 Filter "allow-imap-traffic-out" Chain Table ##

 iptables -A allow-imap-traffic-out -p tcp -m tcp --dport 993 -j ACCEPT

## Configuring IPv4 Filter "allow-pop3-traffic-out" Chain Table ##

 iptables -A allow-pop3-traffic-out -p tcp -m tcp --dport 995 -j ACCEPT

## Configuring IPv4 Filter "allow-streaming-traffic-out" Chain Table ##

 iptables -A allow-streaming-traffic-out -p tcp -m tcp --dport 1935 -j ACCEPT

## Configuring IPv4 Filter "allow-irc-traffic-out" Chain Table ##

#iptables -A allow-irc-traffic-out -p tcp -m tcp --dport 194 -j ACCEPT

#iptables -A allow-irc-traffic-out -p tcp -m tcp --dport 529 -j ACCEPT

#iptables -A allow-irc-traffic-out -p tcp -m tcp --dport 994 -j ACCEPT

 iptables -A allow-irc-traffic-out -p tcp -m tcp --dport 6667 -j ACCEPT

## Configuring IPv4 Filter "allow-http-traffic-in" Chain Table ##

 iptables -A allow-http-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 8080 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT

 iptables -A allow-http-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 8080 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT

 iptables -A allow-http-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 8080 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT

 iptables -A allow-http-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 8080 -j ACCEPT

## Configuring IPv4 Filter "allow-noip-traffic-out" Chain Table ##

 iptables -A allow-noip-traffic-out -p tcp -m tcp --dport 8245 -j ACCEPT

## Configuring IPv4 Filter "allow-git-traffic-out" Chain Table ##

 iptables -A allow-git-traffic-out -p tcp -m tcp --dport 9418 -j ACCEPT

## Opening IPv4 Filter "allow-teamspeak-traffic-out" Chain Table ##

 iptables -A allow-teamspeak-traffic-out -p udp -m udp --dport 9987 -j ACCEPT

## Configuring IPv4 Filter "allow-rfactor-traffic-in" Chain Table ##

#iptables -A allow-rfactor-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 34000:35000 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT 

#iptables -A allow-rfactor-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 34000:35000 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT

#iptables -A allow-rfactor-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 34000:35000 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT

#iptables -A allow-rfactor-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 34000:35000 -j ACCEPT

#iptables -A allow-rfactor-traffic-in -p tcp -m tcp --dport 34000:35000 -j ACCEPT

#iptables -A allow-rfactor-traffic-in -p udp -m udp --dport 34000:35000 -j ACCEPT

#iptables -A allow-rfactor-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 39001 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT

#iptables -A allow-rfactor-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 39001 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT

#iptables -A allow-rfactor-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 39001 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT

#iptables -A allow-rfactor-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 39001 -j ACCEPT

#iptables -A allow-rfactor-traffic-in -p tcp -m tcp --dport 39001 -j ACCEPT

#iptables -A allow-rfactor-traffic-in -p udp -m udp --dport 39002 -j ACCEPT

## Configuring IPv4 Filter "allow-rfactor-traffic-out" Chain Table (UNDER OBSERVATION) ##

## iptables -A allow-rfactor-traffic-out -p udp -m udp --dport 1900 -j ACCEPT

## iptables -A allow-rfactor-traffic-out -p tcp -m tcp --dport 3484 -j ACCEPT

## iptables -A allow-rfactor-traffic-out -p udp -m udp --dport 3544 -j ACCEPT

## iptables -A allow-rfactor-traffic-out -p tcp -m tcp --dport 31000:31002 -j ACCEPT

## iptables -A allow-rfactor-traffic-out -p tcp -m tcp --dport 32000:32002 -j ACCEPT

## iptables -A allow-rfactor-traffic-out -p tcp -m tcp --dport 34384 -j ACCEPT

## Configuring IPv4 Filter "allow-rfactor-traffic-out" Chain Table (IF RFACTOR HAVE PROBLEMS TO CONNECT) ##

## iptables -A allow-rfactor-traffic-out -p tcp -m tcp --dport 34000:35000 -j ACCEPT

## Configuring IPv4 Filter "allow-rfactor-traffic-out" rFactor Hotlaps Chain Table ##

 iptables -A allow-rfactor-traffic-out -p tcp -m tcp --dport 27011:27015 -j ACCEPT

## Configuring IPv4 Filter "allow-rfactor-traffic-out" Chain Table (CHECK OK) ##

## Opening F1SR 1993 mod ports ##

 iptables -A allow-rfactor-traffic-out -p udp -m udp --dport 34297 -j ACCEPT

 iptables -A allow-rfactor-traffic-out -p udp -m udp --dport 34397 -j ACCEPT

 iptables -A allow-rfactor-traffic-out -p tcp -m tcp --dport 34447:34450 -j ACCEPT

## Opening FSONE 2009 mod ports ##

 iptables -A allow-rfactor-traffic-out -p udp -m udp --dport 34298 -j ACCEPT

 iptables -A allow-rfactor-traffic-out -p udp -m udp --dport 34398 -j ACCEPT 

 iptables -A allow-rfactor-traffic-out -p udp -m udp --dport 34299 -j ACCEPT

 iptables -A allow-rfactor-traffic-out -p udp -m udp --dport 34399:34400 -j ACCEPT

## Opening Matchmaker ports ##

 iptables -A allow-rfactor-traffic-out -p tcp -m tcp --dport 39001 -j ACCEPT

 iptables -A allow-rfactor-traffic-out -p udp -m udp --dport 39002 -j ACCEPT

## Configuring IPv4 Filter "allowed-wan-connection" Chain Table ##

 iptables -A allowed-connection -m state --state RELATED,ESTABLISHED -j ACCEPT

 iptables -A allowed-connection -i ${WAN} -m limit --limit 3/hour -j LOG --log-prefix "Bad packet from eth1:"

 iptables -A allowed-connection -j DROP

## Clear All IPv6 Filter Tables ##

 ip6tables -F

 ip6tables -X

 ip6tables -Z

## Setup IPv6 Filter Build-in Policy Tables ##

 ip6tables -P INPUT DROP

 ip6tables -P FORWARD DROP

 ip6tables -P OUTPUT DROP

## Create New IPv6 Filter Chains Tables ##

 ip6tables -N allow-dns-traffic-out

 ip6tables -N allow-ftp-traffic-out

 ip6tables -N allow-ntp-traffic-out

 ip6tables -N allow-ssh-traffic-in

 ip6tables -N allow-ssh-traffic-out

 ip6tables -N allow-www-traffic-out

 ip6tables -N allowed-connection

 ip6tables -N check-flags

 ip6tables -N icmpv6_allowed

## Configuring IPv6 Filter INPUT Build-in Chain Table ##

 ip6tables -A INPUT -m state --state INVALID -j DROP

#ip6tables -A INPUT -p icmpv6 -j icmpv6_allowed

 ip6tables -A INPUT -j check-flags

#ip6tables -A INPUT -i ${WAN} -j allow-ssh-traffic-in

 ip6tables -A INPUT -i ${WAN} -j DROP

 ip6tables -A INPUT -i ${LO} -j ACCEPT

 ip6tables -A INPUT -i ${LAN} -j ACCEPT

 ip6tables -A INPUT -j allowed-connection

## Configuring IPv6 Filter FORWARD Build-in Chain Table ##

 ip6tables -A FORWARD -m state --state INVALID -j DROP

#ip6tables -A FORWARD -p icmpv6 -j icmpv6_allowed

 ip6tables -A FORWARD -j check-flags

#ip6tables -A FORWARD -i ${WAN} -j ACCEPT

#ip6tables -A FORWARD -o ${WAN} -j ACCEPT

#ip6tables -A FORWARD -i ${WAN} -j allow-ssh-traffic-in

#ip6tables -A FORWARD -o ${WAN} -j allow-ssh-traffic-out

#ip6tables -A FORWARD -o ${WAN} -j allow-dns-traffic-out

#ip6tables -A FORWARD -o ${WAN} -j allow-ftp-traffic-out

#ip6tables -A FORWARD -o ${WAN} -j allow-ntp-traffic-out

#ip6tables -A FORWARD -o ${WAN} -j allow-www-traffic-out

 ip6tables -A FORWARD -i ${WAN} -j DROP

 ip6tables -A FORWARD -o ${WAN} -j DROP

#ip6tables -A FORWARD -i ${LO} -j ACCEPT

#ip6tables -A FORWARD -o ${LO} -j ACCEPT

 ip6tables -A FORWARD -j allowed-connection

## Configuring IPv6 Filter OUTPUT Build-in Chain Table ##

 ip6tables -A OUTPUT -m state --state INVALID -j DROP

#ip6tables -A OUTPUT -p icmpv6 -j icmpv6_allowed

 ip6tables -A OUTPUT -j check-flags

#ip6tables -A OUTPUT -o ${WAN} -j ACCEPT

#ip6tables -A OUTPUT -o ${WAN} -j allow-ssh-traffic-out

#ip6tables -A OUTPUT -o ${WAN} -j allow-dns-traffic-out

#ip6tables -A OUTPUT -o ${WAN} -j allow-ftp-traffic-out

#ip6tables -A OUTPUT -o ${WAN} -j allow-ntp-traffic-out

#ip6tables -A OUTPUT -o ${WAN} -j allow-www-traffic-out

 ip6tables -A OUTPUT -o ${WAN} -j DROP

 ip6tables -A OUTPUT -o ${LO} -j ACCEPT

 ip6tables -A OUTPUT -o ${LAN} -j ACCEPT

 ip6tables -A OUTPUT -j allowed-connection

## Configuring IPv6 Filter "allow-dns-traffic-out" Chain Table ##

#ip6tables -A allow-dns-traffic-out -d ${DNS1_V6} -p udp -m udp --dport 53 -j ACCEPT

#ip6tables -A allow-dns-traffic-out -d ${DNS2_V6} -p udp -m udp --dport 53 -j ACCEPT

#ip6tables -A allow-dns-traffic-out -d ${DNS3_V6} -p udp -m udp --dport 53 -j ACCEPT

#ip6tables -A allow-dns-traffic-out -d ${DNS4_V6} -p udp -m udp --dport 53 -j ACCEPT

## Configuring IPv6 Filter "allow-ftp-traffic-out" Chain Table ##

 ip6tables -A allow-ftp-traffic-out -p tcp -m tcp --dport 21 -j ACCEPT

## Configuring IPv6 Filter "allow-ntp-traffic-out" Chain Table ##

 ip6tables -A allow-ntp-traffic-out -p udp -m udp --dport 123 -j ACCEPT

## Configuring IPv6 Filter "allow-ssh-traffic-in" Chain Table ##

 ip6tables -A allow-ssh-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 22 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT

 ip6tables -A allow-ssh-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 22 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT

 ip6tables -A allow-ssh-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 22 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT

 ip6tables -A allow-ssh-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 22 -j ACCEPT

## Configuring IPv6 Filter "allow-ssh-traffic-out" Chain Table ##

 ip6tables -A allow-ssh-traffic-out -p tcp -m tcp --dport 22 -j ACCEPT

## Configuring IPv6 Filter "allow-www-traffic-out" Chain Table ##

 ip6tables -A allow-www-traffic-out -p tcp -m tcp --dport 80 -j ACCEPT

 ip6tables -A allow-www-traffic-out -p tcp -m tcp --dport 443 -j ACCEPT

## Configuring IPv6 Filter "allowed-connection" Chain Table ##

 ip6tables -A allowed-connection -m state --state RELATED,ESTABLISHED -j ACCEPT

 ip6tables -A allowed-connection -i ${WAN} -m limit --limit 3/hour -j LOG --log-prefix "Bad packet from eth1:"

 ip6tables -A allowed-connection -j DROP

## Configuring IPv6 Filter "check-flags" Chain Table ##

 ip6tables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 5/min -j LOG --log-prefix "NMAP-XMAS:" --log-level 1

 ip6tables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP

 ip6tables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 5/min -j LOG --log-prefix "XMAS:" --log-level 1

 ip6tables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP

 ip6tables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 5/min -j LOG --log-prefix "XMAS-PSH:" --log-level 1

 ip6tables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP

 ip6tables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min -j LOG --log-prefix "NULL_SCAN:" --log-level 1

 ip6tables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP

 ip6tables -A check-flags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min -j LOG --log-prefix "SYN/RST:" --log-level 5

 ip6tables -A check-flags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP

 ip6tables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min -j LOG --log-prefix "SYN/FIN:" --log-level 5

 ip6tables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP

## Configuring IPv6 Filter "icmpv6_allowed" Chain Table ##

#ip6tables -A icmpv6_allowed -p icmpv6 -m state --state NEW -m icmp --icmpv6-type 11 -j ACCEPT

#ip6tables -A icmpv6_allowed -p icmpv6 -m state --state NEW -m icmp --icmpv6-type 3 -j ACCEPT

#ip6tables -A icmpv6_allowed -p icmpv6 -j LOG --log-prefix "Bad ICMP traffic:"

#ip6tables -A icmpv6_allowed -p icmpv6 -j DROP

## Setting IPv4 Forward and RP Filter Linux Kernel ##

#echo 1 > /proc/sys/net/ipv4/ip_forward

 for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

## Save And Restart IPv4 Tables ##

 /etc/init.d/iptables save

 /etc/init.d/iptables restart

## Save And Restart IPv6 Tables ##

 /etc/init.d/ip6tables save

 /etc/init.d/ip6tables restart

## List IPv4 Tables ##

#iptables -t nat -L -v

#iptables -L -v

## List IPv6 Tables ##

#ip6tables -L -v

```

y el named.conf lo modifiqué así

```

/*

 * Refer to the named.conf(5) and named(8) man pages, and the documentation

 * in /usr/share/doc/bind-9 for more details.

 * Online versions of the documentation can be found here:

 * http://www.isc.org/software/bind/documentation

 *

 * If you are going to set up an authoritative server, make sure you

 * understand the hairy details of how DNS works. Even with simple mistakes,

 * you can break connectivity for affected parties, or cause huge amounts of

 * useless Internet traffic.

 */

acl "xfer" {
   /* Hosts allowed to pull zone transfers (AXFR/IXFR) from this server.
    * "none" denies everybody; list secondary name servers here if this
    * host ever becomes master for a zone.  The ACL is only referenced by
    * the commented-out example zones at the end of this file.
    */
   none;
};

/*

 * Put here the IPs that are allowed to use the cache or make
 * recursive queries.

 */

acl "trusted" {
   /* Clients allowed to query, read the cache and recurse (see the
    * allow-query / allow-query-cache / allow-recursion blocks in
    * "options").  Only loopback is listed, so a query from any other host
    * is refused; add that host's network here (and to listen-on) if the
    * resolver is meant to serve more than this machine.
    */
   127.0.0.0/8;
   ::1/128;
};

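options {
   directory "/var/bind";
   pid-file "/var/run/named/named.pid";

   /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
   //bindkeys-file "/etc/bind/bind.keys";

   /* Listen on loopback only.  Together with the "trusted" ACL this makes
    * the resolver usable from this host alone (e.g. a proxy resolving via
    * 127.0.0.1); LAN clients cannot reach it unless both are widened. */
   listen-on-v6 { ::1; };
   listen-on { 127.0.0.1; };

   allow-query {
      /*
       * Accept queries only from the "trusted" ACL.  A master zone that
       * should be visible to everyone gets its own per-zone
       * "allow-query { any; };" (see the commented zone examples at the
       * end of this file).  This prevents us from becoming an open DNS
       * server to the masses.
       */
      trusted;
   };

   allow-query-cache {
      /* Only the "trusted" ACL may read answers from the cache. */
      trusted;
   };

   allow-recursion {
      /* Only trusted addresses are allowed to use recursion. */
      trusted;
   };

   allow-transfer {
      /* Zone transfers are denied by default. */
      none;
   };

   allow-update {
      /* Don't allow dynamic updates, e.g. via nsupdate. */
      none;
   };

   /*
    * If you've got a DNS server around at your upstream provider, enter its
    * IP address here, and enable the line below. This will make you benefit
    * from its cache, thus reduce overall DNS traffic in the Internet.
    *
    * Uncomment the following lines to turn on DNS forwarding, and change
    * and/or update the forwarding ip address(es).  Every address inside
    * "forwarders" must end with a semicolon, otherwise named refuses to
    * load the configuration once the block is uncommented.
    */
/*
   forward first;
   forwarders {
   //   123.123.123.123;   // Your ISP NS
   //   124.124.124.124;   // Your ISP NS
   //   4.2.2.1;      // Level3 Public DNS
   //   4.2.2.2;      // Level3 Public DNS
   //   8.8.8.8;      // Google Open DNS
   //   8.8.4.4;      // Google Open DNS
      200.40.220.245;      // AntelData Public DNS
      200.40.30.245;      // AntelData Public DNS
   };
*/

   /* DNSSEC validation is currently off.  For a recursive resolver it is
    * worth enabling (with the bindkeys-file / trust anchor matching this
    * BIND version) so forged answers are rejected instead of cached. */
   //dnssec-enable yes;
   //dnssec-validation yes;

   /* Do not pin the outgoing query port.  The original "port 53" setting
    * disables BIND's source-port randomisation, which is the main defence
    * against cache poisoning of a recursive resolver.  A stateful firewall
    * only needs to allow outbound destination port 53 and accept
    * ESTABLISHED/RELATED replies (as the accompanying ip6tables chains do;
    * check the IPv4 rules the same way), so a fixed source port is not
    * required for the firewall to work. */
   query-source address * port *;
};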

/*

logging {

   channel default_log {

      file "/var/log/named/named.log" versions 5 size 50M;

      print-time yes;

      print-severity yes;

      print-category yes;

   };

   category default { default_log; };

   category general { default_log; };

};

*/

/* Shared secret for rndc; the key named "rndc-key" referenced below is
 * expected to be defined in this file. */
include "/etc/bind/rndc.key";

controls {
   /* rndc control channel: loopback only and authenticated with rndc-key,
    * so the daemon cannot be reloaded or stopped from the network. */
   inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
};

zone "." in {
   /* Root hints: starting point for full recursive resolution.  With the
    * "forwarders" block in "options" commented out, this server resolves
    * on its own from the root instead of relying on an upstream cache. */
   type hint;
   file "/var/bind/root.cache";
};

zone "localhost" IN {
   /* Authoritative for "localhost", answered from the local zone file
    * (path is relative to "directory" in "options"). */
   type master;
   file "pri/localhost.zone";
   /* No NOTIFY messages are sent when this zone changes. */
   notify no;
};

zone "127.in-addr.arpa" IN {
   /* Reverse zone for 127.0.0.0/8 (the loopback range this server listens
    * on), answered from the local zone file (relative to "directory"). */
   type master;
   file "pri/127.zone";
   /* No NOTIFY messages are sent when this zone changes. */
   notify no;
};

/*

 * Briefly, a zone which has been declared delegation-only will be effectively

 * limited to containing NS RRs for subdomains, but no actual data beyond its

 * own apex (for example, its SOA RR and apex NS RRset). This can be used to

 * filter out "wildcard" or "synthesized" data from NAT boxes or from

 * authoritative name servers whose undelegated (in-zone) data is of no

 * interest.

 * See http://www.isc.org/software/bind/delegation-only for more info

 */

//zone "COM" { type delegation-only; };

//zone "NET" { type delegation-only; };

//zone "YOUR-DOMAIN.TLD" {

//   type master;

//   file "/var/bind/pri/YOUR-DOMAIN.TLD.zone";

//   allow-query { any; };

//   allow-transfer { xfer; };

//};

//zone "YOUR-SLAVE.TLD" {

//   type slave;

//   file "/var/bind/sec/YOUR-SLAVE.TLD.zone";

//   masters { <MASTER>; };

   /* Anybody is allowed to query but transfer should be controlled by the master. */

//   allow-query { any; };

//   allow-transfer { none; };

   /* The master should be the only one who notifies the slaves, shouldn't it? */

//   allow-notify { <MASTER>; };

//   notify no;

//};

```

Luego reinicié, y el Squid funciona correctamente. Gracias por haberme dado la pista; el problema estaba también en iptables, más allá del bind. Lo daré por solucionado, gracias por ayudarme.

----------

