# Problem Squid (non-transparent) + DNS Local (Bind) [SOLVED]

## 236665

Hi all, sorry, my English is bad. I have a problem: I installed a local DNS server (BIND), and now Squid works very slowly (1 minute or more to open websites in browsers); without Squid, I can browse websites quickly!

Before, Squid worked correctly when there was no local DNS!

I want to have a local DNS to improve the internet connection, and use Squid as a proxy at the same time.

Note: I use DDNS (no-ip's service) because I don't have a static IP.

Ips:

Router: 192.168.1.1

PC Server (eth0): 192.168.1.2

PC Server (eth1) to connect to the LAN: 192.168.0.1

LAN: 192.168.0.0/24

Is it a wrong setting that I made myself?

my settings:

squid.conf

```

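# Squid access configuration for a non-transparent proxy that serves the
# 192.168.0.0/24 LAN on eth1 (192.168.0.1).  The duplicated
# "http_access allow localhost" line of the original has been dropped; it
# was harmless but made the rule list harder to audit.
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
# Declared but not referenced by any http_access rule below.  The stock
# squid.conf pairs it with "http_access deny to_localhost" so that clients
# cannot use the proxy to reach services that listen only on the proxy
# host's loopback; consider adding that rule before "allow localnet".
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# Both private subnets count as "localnet".  http_port below binds only the
# eth1 address, so hosts on 192.168.1.0/24 can reach the proxy only if they
# have a route to 192.168.0.1.
acl localnet src 192.168.1.0/24   # RFC1918 possible internal network
acl localnet src 192.168.0.0/24   # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80      # http
acl Safe_ports port 21      # ftp
acl Safe_ports port 443      # https
acl Safe_ports port 70      # gopher
acl Safe_ports port 210      # wais
acl Safe_ports port 1025-65535   # unregistered ports
acl Safe_ports port 280      # http-mgmt
acl Safe_ports port 488      # gss-http
acl Safe_ports port 591      # filemaker
acl Safe_ports port 777      # multiling http
acl Safe_ports port 901      # SWAT
acl CONNECT method CONNECT
# Cache-manager interface: loopback only, everyone else is refused.
http_access allow manager localhost
http_access deny manager
# Refuse requests to non-standard ports and CONNECT tunnels to anything
# other than 443.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Clients: the two RFC1918 subnets above and the proxy host itself.
http_access allow localnet
http_access allow localhost
# Everything not explicitly allowed above is denied.
http_access deny all
# Listen only on the LAN-facing interface, never on the router side (eth0).
http_port 192.168.0.1:3128
# Squid resolves names through the local BIND first, the router second.
dns_nameservers 127.0.0.1 192.168.1.1 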

```

named.conf (BIND)

```

/*

 * Refer to the named.conf(5) and named(8) man pages, and the documentation

 * in /usr/share/doc/bind-9 for more details.

 * Online versions of the documentation can be found here:

 * http://www.isc.org/software/bind/documentation

 *

 * If you are going to set up an authoritative server, make sure you

 * understand the hairy details of how DNS works. Even with simple mistakes,

 * you can break connectivity for affected parties, or cause huge amounts of

 * useless Internet traffic.

 */

// Hosts permitted to pull zone transfers (AXFR/IXFR).  "none" keeps that
// closed until a secondary server is listed here.
acl "xfer" {
   /* Deny transfers by default except for the listed hosts.
    * If we have other name servers, place them here.
    */
   none;
};

/*

 * You might put in here some ips which are allowed to use the cache or

 * recursive queries

 */

// Only the server itself (IPv4 and IPv6 loopback) is "trusted".  The LAN
// 192.168.0.0/24 is not listed, so LAN hosts could not query this resolver
// directly even if listen-on in options were widened.
acl "trusted" {
   127.0.0.0/8;
   ::1/128;
};

options {
   directory "/var/bind";
   pid-file "/var/run/named/named.pid";
   /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
   //bindkeys-file "/etc/bind/bind.keys";
   // named answers on the loopback addresses only, which is exactly what
   // Squid's "dns_nameservers 127.0.0.1" needs; LAN hosts cannot use it.
   listen-on-v6 { ::1; };
   listen-on { 127.0.0.1; };
   allow-query {
      /*
       * Accept queries from our "trusted" ACL.  We will
       * allow anyone to query our master zones below.
       * This prevents us from becoming a free DNS server
       * to the masses.
       */
      trusted;
   };
   allow-query-cache {
      /* Use the cache for the "trusted" ACL. */
      trusted;
   };
   allow-recursion {
      /* Only trusted addresses are allowed to use recursion. */
      trusted;
   };
   allow-transfer {
      /* Zone transfers are denied by default. */
      none;
   };
   allow-update {
      /* Don't allow updates, e.g. via nsupdate. */
      none;
   };
   /*
   * If you've got a DNS server around at your upstream provider, enter its
   * IP address here, and enable the line below. This will make you benefit
   * from its cache, thus reduce overall DNS traffic in the Internet.
   *
   * Uncomment the following lines to turn on DNS forwarding, and change
   *  and/or update the forwarding ip address(es):
   */
   // NOTE(review): the forward/forwarders stanza below is still wrapped in
   // a second /* ... */ comment, so forwarding is NOT in effect and named
   // recurses from the root hints on its own.  If it is ever enabled, the
   // 127.0.0.1 entry must go: forwarding to this server's own address makes
   // it hand each query back to itself in a loop.
/*
   forward first;
   forwarders {
   //   123.123.123.123;   // Your ISP NS
   //   124.124.124.124;   // Your ISP NS
   //   4.2.2.1;      // Level3 Public DNS
   //   4.2.2.2;      // Level3 Public DNS
   //   8.8.8.8;      // Google Open DNS
   //   8.8.4.4;      // Google Open DNS
      127.0.0.1;      // Loopback
      192.168.1.1;      // Router
   };
*/
   // DNSSEC validation is switched off (both directives commented out).
   //dnssec-enable yes;
   //dnssec-validation yes;
   /* if you have problems and are behind a firewall: */
   // NOTE(review): "port 53" pins every outgoing UDP query to source port
   // 53.  BIND randomises query source ports by default as its defence
   // against cache poisoning (RFC 5452); pinning them gives that defence
   // up, and a stateful firewall matches the replies without it.  Prefer
   // "query-source address *;" (or drop the line) and let connection
   // tracking accept the answers.
   query-source address * port 53;
};

/*

logging {

   channel default_log {

      file "/var/log/named/named.log" versions 5 size 50M;

      print-time yes;

      print-severity yes;

      print-category yes;

   };

   category default { default_log; };

   category general { default_log; };

};

*/

// rndc control channel: loopback only and authenticated with the key
// loaded from /etc/bind/rndc.key.
include "/etc/bind/rndc.key";
controls {
   inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
};

// Root hints: with forwarding commented out in options, every uncached
// name is resolved by recursing down from these root servers.
zone "." in {
   type hint;
   file "/var/bind/root.cache";
};

// Authoritative forward zone for "localhost" (path relative to the
// "directory" option); notify is off because there are no secondaries.
zone "localhost" IN {
   type master;
   file "pri/localhost.zone";
   notify no;
};

// Reverse zone for the IPv4 loopback network.
zone "127.in-addr.arpa" IN {
   type master;
   file "pri/127.zone";
   notify no;
};

/*

 * Briefly, a zone which has been declared delegation-only will be effectively

 * limited to containing NS RRs for subdomains, but no actual data beyond its

 * own apex (for example, its SOA RR and apex NS RRset). This can be used to

 * filter out "wildcard" or "synthesized" data from NAT boxes or from

 * authoritative name servers whose undelegated (in-zone) data is of no

 * interest.

 * See http://www.isc.org/software/bind/delegation-only for more info

 */

//zone "COM" { type delegation-only; };

//zone "NET" { type delegation-only; };

//zone "YOUR-DOMAIN.TLD" {

//   type master;

//   file "/var/bind/pri/YOUR-DOMAIN.TLD.zone";

//   allow-query { any; };

//   allow-transfer { xfer; };

//};

//zone "YOUR-SLAVE.TLD" {

//   type slave;

//   file "/var/bind/sec/YOUR-SLAVE.TLD.zone";

//   masters { <MASTER>; };

   /* Anybody is allowed to query but transfer should be controlled by the master. */

//   allow-query { any; };

//   allow-transfer { none; };

   /* The master should be the only one who notifies the slaves, shouldn't it? */

//   allow-notify { <MASTER>; };

//   notify no;

//};

```

resolv.conf

```

# Local BIND first, the router's resolver as fallback.
# NOTE(review): "domain" and "search" are mutually exclusive in
# resolv.conf(5); when both appear the last one wins, so only the search
# line is effective.  Because it names the public no-ip host, any
# unqualified lookup (e.g. "printer") is presumably retried as
# printer.quanticapc.no-ip.org against the public DNS tree: one extra
# round trip per miss, and the names you look up become visible to that
# zone's servers.
domain quanticapc.no-ip.org
search quanticapc.no-ip.org
nameserver 127.0.0.1
nameserver 192.168.1.1

```

host.conf

```

# /etc/host.conf:
# $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/host.conf,v 1.1 2006/09/29 23:52:23 vapier Exp $
# The  file /etc/host.conf contains configuration information specific to
# the resolver library.  It should contain one configuration keyword  per
# line,  followed by appropriate configuration information.  The keywords
# recognized are order, trim, mdns, multi, nospoof, spoof, and reorder.
# This keyword specifies how host lookups are to be performed. It
# should be followed by one or more lookup methods, separated by
# commas.  Valid methods are bind, hosts, and nis.
#
# /etc/hosts is consulted first; only names not found there go to the
# resolver, which resolv.conf points at the local BIND on 127.0.0.1.
order hosts, bind
# Valid  values are on and off.  If set to on, the resolv+ library
# will return all valid addresses for a host that appears  in  the
# /etc/hosts  file,  instead  of  only  the first.  This is off by
# default, as it may cause a substantial performance loss at sites
# with large hosts files.
#
multi on

```


----------

## nativemad

Hi, 

 *Quote:*   

>   forward first; 
> 
>    forwarders { 
> 
>    //   123.123.123.123;   // Your ISP NS 
> ...

 

I don't think that the loop here is intended!?

----------

## 236665

 *nativemad wrote:*   

> Hi, 
> 
>  *Quote:*     forward first; 
> 
>    forwarders { 
> ...

 

Hi, you are right! I had a mistake in my named.conf settings; now I have deleted that configuration and typed my ISP's DNS addresses.

Also, I found another mistake; it was in the iptables script (in the DNS input settings):

Now I have left the settings this way:

named.conf

```

/*

 * Refer to the named.conf(5) and named(8) man pages, and the documentation

 * in /usr/share/doc/bind-9 for more details.

 * Online versions of the documentation can be found here:

 * http://www.isc.org/software/bind/documentation

 *

 * If you are going to set up an authoritative server, make sure you

 * understand the hairy details of how DNS works. Even with simple mistakes,

 * you can break connectivity for affected parties, or cause huge amounts of

 * useless Internet traffic.

 */

// Hosts permitted to pull zone transfers (AXFR/IXFR).  "none" keeps that
// closed until a secondary server is listed here.
acl "xfer" {
   /* Deny transfers by default except for the listed hosts.
    * If we have other name servers, place them here.
    */
   none;
};

/*

 * You might put in here some ips which are allowed to use the cache or

 * recursive queries

 */

// Only the server itself (IPv4 and IPv6 loopback) is "trusted".  The LAN
// 192.168.0.0/24 is not listed, so LAN hosts could not query this resolver
// directly even if listen-on in options were widened.
acl "trusted" {
   127.0.0.0/8;
   ::1/128;
};

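options {
   directory "/var/bind";
   pid-file "/var/run/named/named.pid";
   /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
   //bindkeys-file "/etc/bind/bind.keys";
   // named answers on the loopback addresses only, which is exactly what
   // Squid's "dns_nameservers 127.0.0.1" needs; LAN hosts cannot use it.
   listen-on-v6 { ::1; };
   listen-on { 127.0.0.1; };
   allow-query {
      /*
       * Accept queries from our "trusted" ACL.  We will
       * allow anyone to query our master zones below.
       * This prevents us from becoming a free DNS server
       * to the masses.
       */
      trusted;
   };
   allow-query-cache {
      /* Use the cache for the "trusted" ACL. */
      trusted;
   };
   allow-recursion {
      /* Only trusted addresses are allowed to use recursion. */
      trusted;
   };
   allow-transfer {
      /* Zone transfers are denied by default. */
      none;
   };
   allow-update {
      /* Don't allow updates, e.g. via nsupdate. */
      none;
   };
   /*
   * If you've got a DNS server around at your upstream provider, enter its
   * IP address here, and enable the line below. This will make you benefit
   * from its cache, thus reduce overall DNS traffic in the Internet.
   *
   * Uncomment the following lines to turn on DNS forwarding, and change
   *  and/or update the forwarding ip address(es):
   */
   // NOTE(review): as posted, the stanza below is still inside a
   // /* ... */ comment, so the ISP forwarders are not in use and named
   // still recurses from the root hints.  The two forwarder lines were
   // also missing their trailing ";" (added here), which named-checkconf
   // would reject the moment the comment is removed.  Delete the "/*" and
   // "*/" lines around the stanza to actually enable forwarding.
/*
   forward first;
   forwarders {
   //   123.123.123.123;   // Your ISP NS
   //   124.124.124.124;   // Your ISP NS
   //   4.2.2.1;      // Level3 Public DNS
   //   4.2.2.2;      // Level3 Public DNS
   //   8.8.8.8;      // Google Open DNS
   //   8.8.4.4;      // Google Open DNS
      200.40.220.245;      // AntelData Public DNS
      200.40.30.245;      // AntelData Public DNS
   };
*/
   // DNSSEC validation is switched off (both directives commented out).
   //dnssec-enable yes;
   //dnssec-validation yes;
   /* if you have problems and are behind a firewall: */
   // NOTE(review): "port 53" pins every outgoing UDP query to source port
   // 53.  BIND randomises query source ports by default as its defence
   // against cache poisoning (RFC 5452); pinning them gives that defence
   // up, and a stateful firewall matches the replies without it.  Prefer
   // "query-source address *;" (or drop the line) and let connection
   // tracking accept the answers.
   query-source address * port 53;
};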

/*

logging {

   channel default_log {

      file "/var/log/named/named.log" versions 5 size 50M;

      print-time yes;

      print-severity yes;

      print-category yes;

   };

   category default { default_log; };

   category general { default_log; };

};

*/

// rndc control channel: loopback only and authenticated with the key
// loaded from /etc/bind/rndc.key.
include "/etc/bind/rndc.key";
controls {
   inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
};

// Root hints: while the forwarders stanza in options stays commented out,
// every uncached name is resolved by recursing down from these root servers.
zone "." in {
   type hint;
   file "/var/bind/root.cache";
};

// Authoritative forward zone for "localhost" (path relative to the
// "directory" option); notify is off because there are no secondaries.
zone "localhost" IN {
   type master;
   file "pri/localhost.zone";
   notify no;
};

// Reverse zone for the IPv4 loopback network.
zone "127.in-addr.arpa" IN {
   type master;
   file "pri/127.zone";
   notify no;
};

/*

 * Briefly, a zone which has been declared delegation-only will be effectively

 * limited to containing NS RRs for subdomains, but no actual data beyond its

 * own apex (for example, its SOA RR and apex NS RRset). This can be used to

 * filter out "wildcard" or "synthesized" data from NAT boxes or from

 * authoritative name servers whose undelegated (in-zone) data is of no

 * interest.

 * See http://www.isc.org/software/bind/delegation-only for more info

 */

//zone "COM" { type delegation-only; };

//zone "NET" { type delegation-only; };

//zone "YOUR-DOMAIN.TLD" {

//   type master;

//   file "/var/bind/pri/YOUR-DOMAIN.TLD.zone";

//   allow-query { any; };

//   allow-transfer { xfer; };

//};

//zone "YOUR-SLAVE.TLD" {

//   type slave;

//   file "/var/bind/sec/YOUR-SLAVE.TLD.zone";

//   masters { <MASTER>; };

   /* Anybody is allowed to query but transfer should be controlled by the master. */

//   allow-query { any; };

//   allow-transfer { none; };

   /* The master should be the only one who notifies the slaves, shouldn't it? */

//   allow-notify { <MASTER>; };

//   notify no;

//};

```

iptables script

```

#!/bin/bash

## Export Interfaces Variables ##

 export LO=lo

 export LAN=eth1

 export WAN=eth0

## Export IPv4 Address Variables ##

#export IP_LO_GROUP=127.0.0.0/8

#export IP_LO=127.0.0.1/32

#export IP_LAN_GROUP=192.168.0.0/24

#export IP_LAN1=192.168.0.1/32

#export IP_LAN2=192.168.0.2/32

#export IP_LAN3=192.168.0.3/32

#export IP_LAN4=192.168.0.4/32

#export IP_LAN5=192.168.0.5/32

#export IP_LAN6=192.168.0.6/32

#export IP_LAN7=192.168.0.7/32

#export IP_LAN8=192.168.0.8/32

#export IP_LAN5=192.168.0.9/32

#export IP_LAN6=192.168.0.10/32

#export IP_LAN7=192.168.0.11/32

#export IP_LAN8=192.168.0.12/32

#export IP_WAN_GROUP=192.168.1.0/24

#export IP_WAN1=192.168.1.1/32

#export IP_WAN2=192.168.1.2/32

## Export IPv6 Variables ##

#export IP6_LO=::1/128

#export IP6_GROUP=fe80::/64

#export IP6_LAN1=fe80::208:54ff:fe2c:cf01/64

#export IP6_LAN2=fe80::219:66ff:feed:fa5f/64

#export IP6_LAN3=fe80::225:22ff:fe3d:96e0/64

#export IP6_WAN2=fe80::219:21ff:fe54:ea2f/64

## Clear All NAT Tables ##

 iptables -t nat -F

 iptables -t nat -X

 iptables -t nat -Z

## Setup NAT Build-in Policy Tables ##

#iptables -t nat -P PREROUTING ACCEPT

#iptables -t nat -P INPUT ACCEPT

#iptables -t nat -P OUTPUT ACCEPT

 iptables -t nat -P POSTROUTING ACCEPT

#iptables -t nat -A PREROUTING -i ${WAN} -p tcp --dport 80 -j REDIRECT --to-port 3128

#iptables -t nat -A PREROUTING -i ${WAN} -p udp --dport 873 -j DNAT --to 192.168.0.1

#iptables -t nat -A PREROUTING -i ${WAN} -p tcp --dport 34000:35000 -j DNAT --to 192.168.0.9

#iptables -t nat -A PREROUTING -i ${WAN} -p udp --dport 34000:35000 -j DNAT --to 192.168.0.9

#iptables -t nat -A PREROUTING -i ${WAN} -p tcp --dport 39001 -j DNAT --to 192.168.0.9

#iptables -t nat -A PREROUTING -i ${WAN} -p udp --dport 39002 -j DNAT --to 192.168.0.9

## Configuring NAT POSTROUTING Build-in Chain Table ##

 iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

## Clear All IPv4 Filter Tables ##

 iptables -F

 iptables -X

 iptables -Z

## Setup IPv4 Filter Build-in Policy Tables ##

 iptables -P INPUT DROP

 iptables -P FORWARD DROP

 iptables -P OUTPUT DROP

## Create New IPv4 Filter Chains Tables ##

 iptables -N icmp_allowed

 iptables -N check-flags

 iptables -N allow-local-traffic-in

#iptables -N allow-ftp-traffic-in

 iptables -N allow-ftp-traffic-out

#iptables -N allow-ssh-traffic-in

 iptables -N allow-ssh-traffic-out

 iptables -N allow-dns-traffic-in

 iptables -N allow-dns-traffic-out

 iptables -N allow-http-traffic-in

 iptables -N allow-http-traffic-out

#iptables -N allow-ntp-traffic-in

 iptables -N allow-ntp-traffic-out

#iptables -N allow-https-traffic-in

 iptables -N allow-https-traffic-out

#iptables -N allow-smtp-traffic-in

 iptables -N allow-smtp-traffic-out

#iptables -N allow-rsync-traffic-in

 iptables -N allow-rsync-traffic-out

#iptables -N allow-imap-traffic-in

 iptables -N allow-imap-traffic-out

#iptables -N allow-pop3-traffic-in

 iptables -N allow-pop3-traffic-out

#iptables -N allow-streaming-traffic-in

 iptables -N allow-streaming-traffic-out

#iptables -N allow-irc-traffic-in

 iptables -N allow-irc-traffic-out

 iptables -N allow-noip-traffic-out

 iptables -N allow-git-traffic-out

#iptables -N allow-teamspeak-traffic-in

 iptables -N allow-teamspeak-traffic-out

#iptables -N allow-rfactor-traffic-in

 iptables -N allow-rfactor-traffic-out

 iptables -N allowed-connection

## Configuring IPv4 Filter INPUT Build-in Chain Table ##

 iptables -A INPUT -m state --state INVALID -j DROP

 iptables -A INPUT -p icmp -j icmp_allowed

 iptables -A INPUT -j check-flags

#iptables -A INPUT -i ${WAN} -j ACCEPT

#iptables -A INPUT -i ${WAN} -j allow-ftp-traffic-in

#iptables -A INPUT -i ${WAN} -j allow-ssh-traffic-in

 iptables -A INPUT -i ${WAN} -j allow-dns-traffic-in

#iptables -A INPUT -i ${WAN} -j allow-http-traffic-in

#iptables -A INPUT -i ${WAN} -j allow-ntp-traffic-in

#iptables -A INPUT -i ${WAN} -j allow-https-traffic-in

#iptables -A INPUT -i ${WAN} -j allow-rsync-traffic-in

#iptables -A INPUT -i ${WAN} -j allow-imap-traffic-in

#iptables -A INPUT -i ${WAN} -j allow-pop3-traffic-in

#iptables -A INPUT -i ${WAN} -j allow-streaming-traffic-in

#iptables -A INPUT -i ${WAN} -j allow-irc-traffic-in

#iptables -A INPUT -i ${WAN} -j allow-http-traffic-in

#iptables -A INPUT -i ${WAN} -j DROP

 iptables -A INPUT -i ${LO} -j ACCEPT

 iptables -A INPUT -i ${LAN} -j ACCEPT

 iptables -A INPUT -j allowed-connection

## Configuring IPv4 Filter FORWARD Build-in Chain Table ##

 iptables -A FORWARD -m state --state INVALID -j DROP

 iptables -A FORWARD -p icmp -j icmp_allowed

 iptables -A FORWARD -j check-flags

#iptables -A FORWARD -i ${WAN} -j ACCEPT

#iptables -A FORWARD -o ${WAN} -j ACCEPT

#iptables -A FORWARD -i ${WAN} -j allow-ftp-traffic-in

 iptables -A FORWARD -o ${WAN} -j allow-ftp-traffic-out

#iptables -A FORWARD -i ${WAN} -j allow-ssh-traffic-in

 iptables -A FORWARD -o ${WAN} -j allow-ssh-traffic-out

#iptables -A FORWARD -i ${WAN} -j allow-dns-traffic-in

 iptables -A FORWARD -o ${WAN} -j allow-dns-traffic-out

#iptables -A FORWARD -i ${WAN} -j allow-http-traffic-in

 iptables -A FORWARD -o ${WAN} -j allow-http-traffic-out

#iptables -A FORWARD -i ${WAN} -j allow-ntp-traffic-in

 iptables -A FORWARD -o ${WAN} -j allow-ntp-traffic-out

#iptables -A FORWARD -i ${WAN} -j allow-https-traffic-in

 iptables -A FORWARD -o ${WAN} -j allow-https-traffic-out

#iptables -A FORWARD -i ${WAN} -j allow-smtp-traffic-in

 iptables -A FORWARD -o ${WAN} -j allow-smtp-traffic-out

#iptables -A FORWARD -i ${WAN} -j allow-rsync-traffic-in

 iptables -A FORWARD -o ${WAN} -j allow-rsync-traffic-out

#iptables -A FORWARD -i ${WAN} -j allow-imap-traffic-in

 iptables -A FORWARD -o ${WAN} -j allow-imap-traffic-out

#iptables -A FORWARD -i ${WAN} -j allow-pop3-traffic-in

 iptables -A FORWARD -o ${WAN} -j allow-pop3-traffic-out

#iptables -A FORWARD -i ${WAN} -j allow-streaming-traffic-in

 iptables -A FORWARD -o ${WAN} -j allow-streaming-traffic-out

#iptables -A FORWARD -i ${WAN} -j allow-irc-traffic-in

 iptables -A FORWARD -o ${WAN} -j allow-irc-traffic-out

 iptables -A FORWARD -o ${WAN} -j allow-git-traffic-out

#iptables -A FORWARD -i ${WAN} -j allow-teamspeak-traffic-in

 iptables -A FORWARD -o ${WAN} -j allow-teamspeak-traffic-out

#iptables -A FORWARD -i ${WAN} -j allow-rfactor-traffic-in

 iptables -A FORWARD -o ${WAN} -j allow-rfactor-traffic-out

#iptables -A FORWARD -i ${WAN} -j DROP

#iptables -A FORWARD -o ${WAN} -j DROP

#iptables -A FORWARD -i ${LO} -j ACCEPT

#iptables -A FORWARD -o ${LO} -j ACCEPT

 iptables -A FORWARD -j allowed-connection

#iptables -A FORWARD -d 192.168.0.9 -p tcp --dport 34000:35000 -j ACCEPT

#iptables -A FORWARD -s 192.168.0.9 -p tcp --sport 34000:35000 -j ACCEPT

#iptables -A FORWARD -d 192.168.0.9 -p udp --dport 34000:35000 -j ACCEPT

#iptables -A FORWARD -s 192.168.0.9 -p udp --sport 34000:35000 -j ACCEPT

#iptables -A FORWARD -d 192.168.0.9 -p tcp --dport 39001 -j ACCEPT

#iptables -A FORWARD -s 192.168.0.9 -p tcp --sport 39001 -j ACCEPT

#iptables -A FORWARD -d 192.168.0.9 -p udp --dport 39002 -j ACCEPT

#iptables -A FORWARD -s 192.168.0.9 -p udp --sport 39002 -j ACCEPT

#iptables -A FORWARD -i ${WAN} -o ${LAN} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

## Configuring IPv4 Filter OUTPUT Build-in Chain Table ##

 iptables -A OUTPUT -m state --state INVALID -j DROP

 iptables -A OUTPUT -p icmp -j icmp_allowed

 iptables -A OUTPUT -j check-flags

#iptables -A OUTPUT -o ${WAN} -j ACCEPT

 iptables -A OUTPUT -o ${WAN} -j allow-ftp-traffic-out

 iptables -A OUTPUT -o ${WAN} -j allow-ssh-traffic-out

 iptables -A OUTPUT -o ${WAN} -j allow-dns-traffic-out

 iptables -A OUTPUT -o ${WAN} -j allow-http-traffic-out

 iptables -A OUTPUT -o ${WAN} -j allow-ntp-traffic-out

 iptables -A OUTPUT -o ${WAN} -j allow-https-traffic-out

#iptables -A OUTPUT -o ${WAN} -j allow-smtp-traffic-out

 iptables -A OUTPUT -o ${WAN} -j allow-rsync-traffic-out

#iptables -A OUTPUT -o ${WAN} -j allow-imap-traffic-out

#iptables -A OUTPUT -o ${WAN} -j allow-pop3-traffic-out

#iptables -A OUTPUT -o ${WAN} -j allow-irc-traffic-out

 iptables -A OUTPUT -o ${WAN} -j allow-noip-traffic-out

#iptables -A OUTPUT -o ${WAN} -j allow-git-traffic-out

#iptables -A OUTPUT -o ${WAN} -j DROP

 iptables -A OUTPUT -o ${LO} -j ACCEPT

 iptables -A OUTPUT -o ${LAN} -j ACCEPT

 iptables -A OUTPUT -j allowed-connection

## Configuring IPv4 Filter "icmp_allowed" Chain Table ##

 iptables -A icmp_allowed -p icmp -m state --state NEW -m icmp --icmp-type 11 -j ACCEPT

 iptables -A icmp_allowed -p icmp -m state --state NEW -m icmp --icmp-type 3 -j ACCEPT

 iptables -A icmp_allowed -p icmp -j LOG --log-prefix "Bad ICMP traffic:"

 iptables -A icmp_allowed -p icmp -j DROP

## Configuring IPv4 Filter "check-flags" Chain Table ##

 iptables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 5/min -j LOG --log-prefix "NMAP-XMAS:" --log-level 1

 iptables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP

 iptables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 5/min -j LOG --log-prefix "XMAS:" --log-level 1

 iptables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP

 iptables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 5/min -j LOG --log-prefix "XMAS-PSH:" --log-level 1

 iptables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP

 iptables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min -j LOG --log-prefix "NULL_SCAN:" --log-level 1

 iptables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP

 iptables -A check-flags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min -j LOG --log-prefix "SYN/RST:" --log-level 5

 iptables -A check-flags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP

 iptables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min -j LOG --log-prefix "SYN/FIN:" --log-level 5

 iptables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP

## Configuring IPv4 Filter "allow-local-traffic-in" Chain Table ##

 iptables -A allow-local-traffic-in -p tcp -m limit --limit 1/sec -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT

 iptables -A allow-local-traffic-in -p tcp -m limit --limit 1/sec -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT

 iptables -A allow-local-traffic-in -p tcp -m limit --limit 1/sec -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT

 iptables -A allow-local-traffic-in -m state --state RELATED,ESTABLISHED -j ACCEPT

## Configuring IPv4 Filter "allow-ftp-traffic-in" Chain Table ##

#iptables -A allow-ftp-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 21 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT

#iptables -A allow-ftp-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 21 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT

#iptables -A allow-ftp-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 21 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT

#iptables -A allow-ftp-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 21 -j ACCEPT

## Configuring IPv4 Filter "allow-ftp-traffic-out" Chain Table ##

 iptables -A allow-ftp-traffic-out -p tcp -m tcp --dport 21 -j ACCEPT

## Configuring IPv4 Filter "allow-ssh-traffic-in" Chain Table ##

#iptables -A allow-ssh-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 22 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT

#iptables -A allow-ssh-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 22 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT

#iptables -A allow-ssh-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 22 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT

#iptables -A allow-ssh-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 22 -j ACCEPT

## Configuring IPv4 Filter "allow-ssh-traffic-out" Chain Table ##

#iptables -A allow-ssh-traffic-out -p tcp -m tcp --dport 22 -j ACCEPT

## Configuring IPv4 Filter "allow-dns-traffic-in" Chain Table ##

##

#iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

#iptables -A INPUT -p udp --dport 53 -j ACCEPT

#iptables -A INPUT -p tcp --sport 53 -j ACCEPT

#iptables -A INPUT -p tcp --dport 53 -j ACCEPT

##

#iptables -A allow-dns-traffic-in -p udp -m state --state RELATED,ESTABLISHED -m udp --sport 53 -j ACCEPT

#iptables -A allow-dns-traffic-in -p udp --dport 53 -j ACCEPT

#iptables -A allow-dns-traffic-in -p tcp --sport 53 -j ACCEPT

#iptables -A allow-dns-traffic-in -p tcp --dport 53 -j ACCEPT

##

 iptables -A allow-dns-traffic-in -p udp -m limit --limit 1/sec -m udp --dport 53 -j ACCEPT

 iptables -A allow-dns-traffic-in -p udp -m state --state RELATED,ESTABLISHED -m udp --sport 53 -j ACCEPT

 iptables -A allow-dns-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 53 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT

 iptables -A allow-dns-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 53 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT

 iptables -A allow-dns-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 53 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT

 iptables -A allow-dns-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 53 -j ACCEPT

##

#iptables -A allow-dns-traffic-in -p udp -m state --state RELATED,ESTABLISHED -m udp --sport 53 -j ACCEPT

#iptables -A allow-dns-traffic-in -p udp -m state --state RELATED,ESTABLISHED -m udp --dport 53 -j ACCEPT

#iptables -A allow-dns-traffic-in -p tcp -m limit --limit 1/sec -m tcp --sport 53 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT

#iptables -A allow-dns-traffic-in -p tcp -m limit --limit 1/sec -m tcp --sport 53 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT

#iptables -A allow-dns-traffic-in -p tcp -m limit --limit 1/sec -m tcp --sport 53 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT

#iptables -A allow-dns-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --sport 53 -j ACCEPT

#iptables -A allow-dns-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 53 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT

#iptables -A allow-dns-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 53 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT

#iptables -A allow-dns-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 53 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT

#iptables -A allow-dns-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 53 -j ACCEPT

##

#iptables -A allow-dns-traffic-in -d ${DNS1} -p udp -m state --state RELATED,ESTABLISHED -m udp --dport 53 -j ACCEPT

#iptables -A allow-dns-traffic-in -d ${DNS2} -p udp -m state --state RELATED,ESTABLISHED -m udp --dport 53 -j ACCEPT

##

## Configuring IPv4 Filter "allow-dns-traffic-out" Chain Table ##

 iptables -A allow-dns-traffic-out -p udp -m udp --dport 53 -j ACCEPT

 iptables -A allow-dns-traffic-out -p tcp -m tcp --dport 53 -j ACCEPT

#iptables -A allow-dns-traffic-out -d ${DNS1} -p udp -m udp --dport 53 -j ACCEPT

#iptables -A allow-dns-traffic-out -d ${DNS1} -p tcp -m tcp --dport 53 -j ACCEPT

#iptables -A allow-dns-traffic-out -d ${DNS2} -p udp -m udp --dport 53 -j ACCEPT

#iptables -A allow-dns-traffic-out -d ${DNS2} -p tcp -m tcp --dport 53 -j ACCEPT

## Configuring IPv4 Filter "allow-http-traffic-in" Chain Table ##

#iptables -A allow-http-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 80 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT

#iptables -A allow-http-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 80 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT

#iptables -A allow-http-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 80 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT

#iptables -A allow-http-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 80 -j ACCEPT

## Configuring IPv4 Filter "allow-http-traffic-out" Chain Table ##

 iptables -A allow-http-traffic-out -p tcp -m tcp --dport 80 -j ACCEPT

## Configuring IPv4 Filter "allow-ntp-traffic-in" Chain Table ##

#iptables -A allow-ntp-traffic-out -p udp -m state --state RELATED,ESTABLISHED -m udp --dport 123 -j ACCEPT

## Configuring IPv4 Filter "allow-ntp-traffic-out" Chain Table ##

 iptables -A allow-ntp-traffic-out -p udp -m udp --dport 123 -j ACCEPT

## Configuring IPv4 Filter "allow-https-traffic-in" Chain Table ##

#iptables -A allow-https-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 443 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT

#iptables -A allow-https-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 443 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT

## NOTE(review): this is the tail of a longer firewall script; ${WAN}, ${LAN} and ${LO}
## (and the IPv4 INPUT/FORWARD/OUTPUT chains that jump into the allow-*-traffic chains
## below) are defined earlier, outside this excerpt. Within a chain, rule order is
## significant: the first matching rule decides the packet's fate.
#iptables -A allow-https-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 443 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT

#iptables -A allow-https-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 443 -j ACCEPT

## Configuring IPv4 Filter "allow-https-traffic-out" Chain Table ##

 iptables -A allow-https-traffic-out -p tcp -m tcp --dport 443 -j ACCEPT

## Configuring IPv4 Filter "allow-smtp-traffic-in" Chain Table ##
## (intentionally empty here: no inbound SMTP rule is defined, so an INPUT jump to this
## chain falls through to whatever follows it in the calling chain)

## Configuring IPv4 Filter "allow-smtp-traffic-out" Chain Table ##
## Submission ports only (465 implicit TLS, 587 STARTTLS); plain 25 is not opened.

 iptables -A allow-smtp-traffic-out -p tcp -m tcp --dport 465 -j ACCEPT

 iptables -A allow-smtp-traffic-out -p tcp -m tcp --dport 587 -j ACCEPT

## Configuring IPv4 Filter "allow-rsync-traffic-in" Chain Table ##

#iptables -A allow-rsync-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 873 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT

#iptables -A allow-rsync-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 873 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT

#iptables -A allow-rsync-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 873 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT

#iptables -A allow-rsync-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 873 -j ACCEPT

## Configuring IPv4 Filter "allow-rsync-traffic-out" Chain Table ##

 iptables -A allow-rsync-traffic-out -p tcp -m tcp --dport 873 -j ACCEPT

## Configuring IPv4 Filter "allow-imap-traffic-out" Chain Table ##
## IMAPS only (993); plain IMAP 143 is not opened.

 iptables -A allow-imap-traffic-out -p tcp -m tcp --dport 993 -j ACCEPT

## Configuring IPv4 Filter "allow-pop3-traffic-out" Chain Table ##
## POP3S only (995); plain POP3 110 is not opened.

 iptables -A allow-pop3-traffic-out -p tcp -m tcp --dport 995 -j ACCEPT

## Configuring IPv4 Filter "allow-streaming-traffic-out" Chain Table ##

 iptables -A allow-streaming-traffic-out -p tcp -m tcp --dport 1935 -j ACCEPT

## Configuring IPv4 Filter "allow-irc-traffic-out" Chain Table ##
## Only the plaintext IRC port 6667 is active; the other candidates are left disabled.

#iptables -A allow-irc-traffic-out -p tcp -m tcp --dport 194 -j ACCEPT

#iptables -A allow-irc-traffic-out -p tcp -m tcp --dport 529 -j ACCEPT

#iptables -A allow-irc-traffic-out -p tcp -m tcp --dport 994 -j ACCEPT

 iptables -A allow-irc-traffic-out -p tcp -m tcp --dport 6667 -j ACCEPT

## Configuring IPv4 Filter "allow-http-traffic-in" Chain Table ##
## Note: despite the chain name this opens port 8080, not 80. The three flag-specific
## rules accept packets with ONLY RST, ONLY FIN or ONLY SYN set, each rate-limited to
## 1/sec (the limit is global to the rule, not per source, so a burst of new connections
## from anyone also throttles legitimate clients). The RST/FIN accepts are only
## harmless if the calling chain drops INVALID state before jumping here — TODO confirm
## against the IPv4 INPUT chain defined earlier; otherwise unsolicited RST/FIN probes
## to 8080 are accepted rather than dropped. The final rule is redundant with the
## RELATED,ESTABLISHED accept in "allowed-connection" if that chain is reached anyway.

 iptables -A allow-http-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 8080 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT

 iptables -A allow-http-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 8080 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT

 iptables -A allow-http-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 8080 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT

 iptables -A allow-http-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 8080 -j ACCEPT

## Configuring IPv4 Filter "allow-noip-traffic-out" Chain Table ##
## Outbound DDNS update traffic (TCP 8245).

 iptables -A allow-noip-traffic-out -p tcp -m tcp --dport 8245 -j ACCEPT

## Configuring IPv4 Filter "allow-git-traffic-out" Chain Table ##
## Plain git:// protocol (TCP 9418), which is unauthenticated and unencrypted.

 iptables -A allow-git-traffic-out -p tcp -m tcp --dport 9418 -j ACCEPT

## Configuring IPv4 Filter "allow-teamspeak-traffic-out" Chain Table ##

 iptables -A allow-teamspeak-traffic-out -p udp -m udp --dport 9987 -j ACCEPT

## Configuring IPv4 Filter "allow-rfactor-traffic-in" Chain Table ##
## Entire inbound rFactor section is disabled (all rules commented out).

#iptables -A allow-rfactor-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 34000:35000 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT

#iptables -A allow-rfactor-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 34000:35000 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT

#iptables -A allow-rfactor-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 34000:35000 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT

#iptables -A allow-rfactor-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 34000:35000 -j ACCEPT

#iptables -A allow-rfactor-traffic-in -p tcp -m tcp --dport 34000:35000 -j ACCEPT

#iptables -A allow-rfactor-traffic-in -p udp -m udp --dport 34000:35000 -j ACCEPT

#iptables -A allow-rfactor-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 39001 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT

#iptables -A allow-rfactor-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 39001 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT

#iptables -A allow-rfactor-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 39001 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT

#iptables -A allow-rfactor-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 39001 -j ACCEPT

#iptables -A allow-rfactor-traffic-in -p tcp -m tcp --dport 39001 -j ACCEPT

#iptables -A allow-rfactor-traffic-in -p udp -m udp --dport 39002 -j ACCEPT

## Configuring IPv4 Filter "allow-rfactor-traffic-out" Chain Table (UNDER OBSERVATION) ##
## Candidate ports kept disabled until confirmed necessary.

## iptables -A allow-rfactor-traffic-out -p udp -m udp --dport 1900 -j ACCEPT

## iptables -A allow-rfactor-traffic-out -p tcp -m tcp --dport 3484 -j ACCEPT

## iptables -A allow-rfactor-traffic-out -p udp -m udp --dport 3544 -j ACCEPT

## iptables -A allow-rfactor-traffic-out -p tcp -m tcp --dport 31000:31002 -j ACCEPT

## iptables -A allow-rfactor-traffic-out -p tcp -m tcp --dport 32000:32002 -j ACCEPT

## iptables -A allow-rfactor-traffic-out -p tcp -m tcp --dport 34384 -j ACCEPT

## Configuring IPv4 Filter "allow-rfactor-traffic-out" Chain Table (IF RFACTOR HAVE PROBLEMS TO CONNECT) ##
## Fallback: opens a 1000-port outbound range; prefer the narrower per-mod rules below.

## iptables -A allow-rfactor-traffic-out -p tcp -m tcp --dport 34000:35000 -j ACCEPT

## Configuring IPv4 Filter "allow-rfactor-traffic-out" rFactor Hotlaps Chain Table ##

 iptables -A allow-rfactor-traffic-out -p tcp -m tcp --dport 27011:27015 -j ACCEPT

## Configuring IPv4 Filter "allow-rfactor-traffic-out" Chain Table (CHECK OK) ##

## Opening F1SR 1993 mod ports ##

 iptables -A allow-rfactor-traffic-out -p udp -m udp --dport 34297 -j ACCEPT

 iptables -A allow-rfactor-traffic-out -p udp -m udp --dport 34397 -j ACCEPT

 iptables -A allow-rfactor-traffic-out -p tcp -m tcp --dport 34447:34450 -j ACCEPT

## Opening FSONE 2009 mod ports ##

 iptables -A allow-rfactor-traffic-out -p udp -m udp --dport 34298 -j ACCEPT

 iptables -A allow-rfactor-traffic-out -p udp -m udp --dport 34398 -j ACCEPT

 iptables -A allow-rfactor-traffic-out -p udp -m udp --dport 34299 -j ACCEPT

 iptables -A allow-rfactor-traffic-out -p udp -m udp --dport 34399:34400 -j ACCEPT

## Opening Matchmaker ports ##

 iptables -A allow-rfactor-traffic-out -p tcp -m tcp --dport 39001 -j ACCEPT

 iptables -A allow-rfactor-traffic-out -p udp -m udp --dport 39002 -j ACCEPT

## Configuring IPv4 Filter "allowed-connection" Chain Table ##
## Catch-all terminal chain: accept replies to tracked connections, log (rate-limited to
## 3/hour, so most drops are NOT logged) what arrives on ${WAN}, then drop everything
## else. The log prefix hard-codes "eth1" while the match uses ${WAN} — confirm the two
## agree, otherwise the log lines name the wrong interface.

 iptables -A allowed-connection -m state --state RELATED,ESTABLISHED -j ACCEPT

 iptables -A allowed-connection -i ${WAN} -m limit --limit 3/hour -j LOG --log-prefix "Bad packet from eth1:"

 iptables -A allowed-connection -j DROP

## Clear All IPv6 Filter Tables ##
## Flush rules, delete user chains, zero counters (filter table only).

 ip6tables -F

 ip6tables -X

 ip6tables -Z

## Setup IPv6 Filter Build-in Policy Tables ##
## Default-deny in all three directions; everything allowed below is an explicit exception.

 ip6tables -P INPUT DROP

 ip6tables -P FORWARD DROP

 ip6tables -P OUTPUT DROP

## Create New IPv6 Filter Chains Tables ##
## Note: with the jumps below commented out, the allow-*-traffic-out, allow-ssh-traffic-in
## and icmpv6_allowed chains are created and populated but never referenced; IPv6 is
## effectively confined to ${LO} and ${LAN}.

 ip6tables -N allow-dns-traffic-out

 ip6tables -N allow-ftp-traffic-out

 ip6tables -N allow-ntp-traffic-out

 ip6tables -N allow-ssh-traffic-in

 ip6tables -N allow-ssh-traffic-out

 ip6tables -N allow-www-traffic-out

 ip6tables -N allowed-connection

 ip6tables -N check-flags

 ip6tables -N icmpv6_allowed

## Configuring IPv6 Filter INPUT Build-in Chain Table ##
## Order: drop INVALID, scan-flag checks, drop anything from ${WAN}, accept loopback and
## LAN, then the allowed-connection catch-all. Because the ICMPv6 jump is disabled and
## ${WAN} input is dropped wholesale, Neighbor Discovery (which runs over ICMPv6) cannot
## work on ${WAN}; that must be revisited if IPv6 is ever enabled on that interface.

 ip6tables -A INPUT -m state --state INVALID -j DROP

#ip6tables -A INPUT -p icmpv6 -j icmpv6_allowed

 ip6tables -A INPUT -j check-flags

#ip6tables -A INPUT -i ${WAN} -j allow-ssh-traffic-in

 ip6tables -A INPUT -i ${WAN} -j DROP

 ip6tables -A INPUT -i ${LO} -j ACCEPT

 ip6tables -A INPUT -i ${LAN} -j ACCEPT

 ip6tables -A INPUT -j allowed-connection

## Configuring IPv6 Filter FORWARD Build-in Chain Table ##
## No IPv6 forwarding to or from ${WAN}; only tracked replies survive the catch-all.

 ip6tables -A FORWARD -m state --state INVALID -j DROP

#ip6tables -A FORWARD -p icmpv6 -j icmpv6_allowed

 ip6tables -A FORWARD -j check-flags

#ip6tables -A FORWARD -i ${WAN} -j ACCEPT

#ip6tables -A FORWARD -o ${WAN} -j ACCEPT

#ip6tables -A FORWARD -i ${WAN} -j allow-ssh-traffic-in

#ip6tables -A FORWARD -o ${WAN} -j allow-ssh-traffic-out

#ip6tables -A FORWARD -o ${WAN} -j allow-dns-traffic-out

#ip6tables -A FORWARD -o ${WAN} -j allow-ftp-traffic-out

#ip6tables -A FORWARD -o ${WAN} -j allow-ntp-traffic-out

#ip6tables -A FORWARD -o ${WAN} -j allow-www-traffic-out

 ip6tables -A FORWARD -i ${WAN} -j DROP

 ip6tables -A FORWARD -o ${WAN} -j DROP

#ip6tables -A FORWARD -i ${LO} -j ACCEPT

#ip6tables -A FORWARD -o ${LO} -j ACCEPT

 ip6tables -A FORWARD -j allowed-connection

## Configuring IPv6 Filter OUTPUT Build-in Chain Table ##
## Outbound IPv6 on ${WAN} is dropped outright; loopback and LAN are open.

 ip6tables -A OUTPUT -m state --state INVALID -j DROP

#ip6tables -A OUTPUT -p icmpv6 -j icmpv6_allowed

 ip6tables -A OUTPUT -j check-flags

#ip6tables -A OUTPUT -o ${WAN} -j ACCEPT

#ip6tables -A OUTPUT -o ${WAN} -j allow-ssh-traffic-out

#ip6tables -A OUTPUT -o ${WAN} -j allow-dns-traffic-out

#ip6tables -A OUTPUT -o ${WAN} -j allow-ftp-traffic-out

#ip6tables -A OUTPUT -o ${WAN} -j allow-ntp-traffic-out

#ip6tables -A OUTPUT -o ${WAN} -j allow-www-traffic-out

 ip6tables -A OUTPUT -o ${WAN} -j DROP

 ip6tables -A OUTPUT -o ${LO} -j ACCEPT

 ip6tables -A OUTPUT -o ${LAN} -j ACCEPT

 ip6tables -A OUTPUT -j allowed-connection

## Configuring IPv6 Filter "allow-dns-traffic-out" Chain Table ##
## Disabled; ${DNS1_V6}..${DNS4_V6} are presumably set earlier in the script — verify
## before enabling. Only UDP/53 is listed; TCP/53 would also be needed for large answers.

#ip6tables -A allow-dns-traffic-out -d ${DNS1_V6} -p udp -m udp --dport 53 -j ACCEPT

#ip6tables -A allow-dns-traffic-out -d ${DNS2_V6} -p udp -m udp --dport 53 -j ACCEPT

#ip6tables -A allow-dns-traffic-out -d ${DNS3_V6} -p udp -m udp --dport 53 -j ACCEPT

#ip6tables -A allow-dns-traffic-out -d ${DNS4_V6} -p udp -m udp --dport 53 -j ACCEPT

## Configuring IPv6 Filter "allow-ftp-traffic-out" Chain Table ##

 ip6tables -A allow-ftp-traffic-out -p tcp -m tcp --dport 21 -j ACCEPT

## Configuring IPv6 Filter "allow-ntp-traffic-out" Chain Table ##

 ip6tables -A allow-ntp-traffic-out -p udp -m udp --dport 123 -j ACCEPT

## Configuring IPv6 Filter "allow-ssh-traffic-in" Chain Table ##
## Same RST/FIN/SYN-with-1/sec-limit pattern as the IPv4 inbound chains; see the note on
## "allow-http-traffic-in" above about the global limit and the RST/FIN accepts.

 ip6tables -A allow-ssh-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 22 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT

 ip6tables -A allow-ssh-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 22 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT

 ip6tables -A allow-ssh-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 22 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT

 ip6tables -A allow-ssh-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 22 -j ACCEPT

## Configuring IPv6 Filter "allow-ssh-traffic-out" Chain Table ##

 ip6tables -A allow-ssh-traffic-out -p tcp -m tcp --dport 22 -j ACCEPT

## Configuring IPv6 Filter "allow-www-traffic-out" Chain Table ##

 ip6tables -A allow-www-traffic-out -p tcp -m tcp --dport 80 -j ACCEPT

 ip6tables -A allow-www-traffic-out -p tcp -m tcp --dport 443 -j ACCEPT

## Configuring IPv6 Filter "allowed-connection" Chain Table ##
## Mirror of the IPv4 catch-all; same hard-coded "eth1" in the log prefix vs ${WAN} match.

 ip6tables -A allowed-connection -m state --state RELATED,ESTABLISHED -j ACCEPT

 ip6tables -A allowed-connection -i ${WAN} -m limit --limit 3/hour -j LOG --log-prefix "Bad packet from eth1:"

 ip6tables -A allowed-connection -j DROP

## Configuring IPv6 Filter "check-flags" Chain Table ##
## Illegal TCP flag combinations (XMAS/NULL scans, SYN+RST, SYN+FIN): each is logged at
## most 5/min, then dropped unconditionally. The LOG rule must precede its DROP, as here.

 ip6tables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 5/min -j LOG --log-prefix "NMAP-XMAS:" --log-level 1

 ip6tables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP

 ip6tables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 5/min -j LOG --log-prefix "XMAS:" --log-level 1

 ip6tables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP

 ip6tables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 5/min -j LOG --log-prefix "XMAS-PSH:" --log-level 1

 ip6tables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP

 ip6tables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min -j LOG --log-prefix "NULL_SCAN:" --log-level 1

 ip6tables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP

 ip6tables -A check-flags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min -j LOG --log-prefix "SYN/RST:" --log-level 5

 ip6tables -A check-flags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP

 ip6tables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min -j LOG --log-prefix "SYN/FIN:" --log-level 5

 ip6tables -A check-flags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP

## Configuring IPv6 Filter "icmpv6_allowed" Chain Table ##
## Disabled. Before enabling, note that the ICMPv6 type match in ip6tables is "-m icmp6",
## not "-m icmp" (the IPv4 match), and that the type numbers 11 and 3 look copied from
## ICMPv4 (where they mean time-exceeded and unreachable); ICMPv6 numbers them
## differently. Neighbor Discovery types would also need to be allowed for IPv6 to work.

#ip6tables -A icmpv6_allowed -p icmpv6 -m state --state NEW -m icmp --icmpv6-type 11 -j ACCEPT

#ip6tables -A icmpv6_allowed -p icmpv6 -m state --state NEW -m icmp --icmpv6-type 3 -j ACCEPT

#ip6tables -A icmpv6_allowed -p icmpv6 -j LOG --log-prefix "Bad ICMP traffic:"

#ip6tables -A icmpv6_allowed -p icmpv6 -j DROP

## Setting IPv4 Forward and RP Filter Linux Kernel ##
## ip_forward stays disabled (the host does not route between its interfaces);
## reverse-path filtering is switched on for every interface, which drops packets whose
## source address is not routable back through the interface they arrived on.

#echo 1 > /proc/sys/net/ipv4/ip_forward

 for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

## Save And Restart IPv4 Tables ##
## Persists the running ruleset via the distribution init script, then reloads it.

 /etc/init.d/iptables save

 /etc/init.d/iptables restart

## Save And Restart IPv6 Tables ##

 /etc/init.d/ip6tables save

 /etc/init.d/ip6tables restart

## List IPv4 Tables ##
## Optional verification commands (disabled).

#iptables -t nat -L -v

#iptables -L -v

## List IPv6 Tables ##
## NOTE(review): the disabled command below lists the IPv4 table; the IPv6 equivalent
## would be "ip6tables -L -v".

#iptables -L -v 

```

Now Squid works correctly — thanks, everyone!!  :Smile: 

----------

