iptables-save
# Generated by iptables-save v1.8.3 on Sat Dec 26 10:00:14 2020 | |
#
# --- nat table (OpenWrt fw3-generated): per-interface zone dispatch, inbound
# port forwards (DNAT), NAT reflection for LAN clients, and masquerading.
# Lines starting with "#" are ignored by iptables-restore.
# NOTE(review): the public addresses in this dump are redacted
# (83.xx.xx.xxx / 185.xxx.xxx.xxx) and every line carries a trailing "| |"
# from the page rendering, so this text will not load as-is; read it as a
# record of the policy, not as a restorable ruleset.
#
# Chain declarations are ":NAME POLICY [packets:bytes]". Built-in chains have a
# policy; user chains are marked "-" and have none. Counters were live values.
*nat | |
:PREROUTING ACCEPT [153461:19320446] | |
:INPUT ACCEPT [18544:1380162] | |
:OUTPUT ACCEPT [229466:19045695] | |
:POSTROUTING ACCEPT [9987:608189] | |
# *_rule chains are hooks for user-supplied rules; none carries a rule in this dump.
:postrouting_cloud_rule - [0:0] | |
:postrouting_fritzweb_rule - [0:0] | |
:postrouting_ios_rule - [0:0] | |
:postrouting_lan_rule - [0:0] | |
:postrouting_rule - [0:0] | |
:postrouting_vdsl_rule - [0:0] | |
:postrouting_vpn_rule - [0:0] | |
:postrouting_wan_rule - [0:0] | |
:postrouting_wireguard_rule - [0:0] | |
:prerouting_cloud_rule - [0:0] | |
:prerouting_fritzweb_rule - [0:0] | |
:prerouting_ios_rule - [0:0] | |
:prerouting_lan_rule - [0:0] | |
:prerouting_rule - [0:0] | |
:prerouting_vdsl_rule - [0:0] | |
:prerouting_vpn_rule - [0:0] | |
:prerouting_wan_rule - [0:0] | |
:prerouting_wireguard_rule - [0:0] | |
# zone_* chains: one prerouting and one postrouting chain per firewall zone.
:zone_cloud_postrouting - [0:0] | |
:zone_cloud_prerouting - [0:0] | |
:zone_fritzweb_postrouting - [0:0] | |
:zone_fritzweb_prerouting - [0:0] | |
:zone_ios_postrouting - [0:0] | |
:zone_ios_prerouting - [0:0] | |
:zone_lan_postrouting - [0:0] | |
:zone_lan_prerouting - [0:0] | |
:zone_vdsl_postrouting - [0:0] | |
:zone_vdsl_prerouting - [0:0] | |
:zone_vpn_postrouting - [0:0] | |
:zone_vpn_prerouting - [0:0] | |
:zone_wan_postrouting - [0:0] | |
:zone_wan_prerouting - [0:0] | |
:zone_wireguard_postrouting - [0:0] | |
:zone_wireguard_prerouting - [0:0] | |
# Ingress-interface -> zone dispatch. Interface/zone mapping used by every table:
#   br-lan = lan, eth1 = wan (the "cable" uplink), tun0 = vpn, eth0.30 = cloud,
#   pppoe-vdsl = vdsl, wireguard = wireguard, eth0.3 = fritzweb.
# The "ios" zone has chains but no interface is dispatched to it anywhere.
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule | |
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting | |
-A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting | |
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_vpn_prerouting | |
-A PREROUTING -i eth0.30 -m comment --comment "!fw3" -j zone_cloud_prerouting | |
-A PREROUTING -i pppoe-vdsl -m comment --comment "!fw3" -j zone_vdsl_prerouting | |
-A PREROUTING -i wireguard -m comment --comment "!fw3" -j zone_wireguard_prerouting | |
-A PREROUTING -i eth0.3 -m comment --comment "!fw3" -j zone_fritzweb_prerouting | |
# Egress-interface -> zone dispatch (same mapping, keyed on -o).
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule | |
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting | |
-A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting | |
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_vpn_postrouting | |
-A POSTROUTING -o eth0.30 -m comment --comment "!fw3" -j zone_cloud_postrouting | |
-A POSTROUTING -o pppoe-vdsl -m comment --comment "!fw3" -j zone_vdsl_postrouting | |
-A POSTROUTING -o wireguard -m comment --comment "!fw3" -j zone_wireguard_postrouting | |
-A POSTROUTING -o eth0.3 -m comment --comment "!fw3" -j zone_fritzweb_postrouting | |
# NAT reflection (hairpin) for the cloud segment 10.0.0.0/24: the matching
# zone_cloud_prerouting DNAT below sends a cloud host's connection to the public
# address on to the internal server, and these SNAT rules rewrite the source to
# the router (10.0.0.1) so the reply returns via the router instead of going
# straight back to the client with an unexpected source address.
# NOTE(review): the two "cloud wan" SNAT rules have exactly the same match as the
# two "cloud vdsl" rules above them (same -s, -d 10.0.0.2, same --dport); SNAT
# is terminating, so the "cloud wan" pair can never match. Harmless, but dead.
-A zone_cloud_postrouting -m comment --comment "!fw3: Custom cloud postrouting rule chain" -j postrouting_cloud_rule | |
-A zone_cloud_postrouting -s 10.0.0.0/24 -d 10.0.0.12/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: ssh vdsl (reflection)" -j SNAT --to-source 10.0.0.1 | |
-A zone_cloud_postrouting -s 10.0.0.0/24 -d 10.0.0.2/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: cloud vdsl https (reflection)" -j SNAT --to-source 10.0.0.1 | |
-A zone_cloud_postrouting -s 10.0.0.0/24 -d 10.0.0.2/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: cloud vdsl http (reflection)" -j SNAT --to-source 10.0.0.1 | |
-A zone_cloud_postrouting -s 10.0.0.0/24 -d 10.0.0.2/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: cloud wan https (reflection)" -j SNAT --to-source 10.0.0.1 | |
-A zone_cloud_postrouting -s 10.0.0.0/24 -d 10.0.0.2/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: cloud wan http (reflection)" -j SNAT --to-source 10.0.0.1 | |
# Reflection DNAT for cloud hosts: traffic from 10.0.0.0/24 to the redacted
# public addresses (83.xx.xx.xxx = vdsl side, 185.xxx.xxx.xxx = wan side) is
# redirected to the internal service, mirroring the public port forwards below.
-A zone_cloud_prerouting -m comment --comment "!fw3: Custom cloud prerouting rule chain" -j prerouting_cloud_rule | |
-A zone_cloud_prerouting -s 10.0.0.0/24 -d 83.xx.xx.xxx/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: ssh vdsl (reflection)" -j DNAT --to-destination 10.0.0.12:22 | |
-A zone_cloud_prerouting -s 10.0.0.0/24 -d 83.xx.xx.xxx/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: cloud vdsl https (reflection)" -j DNAT --to-destination 10.0.0.2:443 | |
-A zone_cloud_prerouting -s 10.0.0.0/24 -d 83.xx.xx.xxx/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: cloud vdsl http (reflection)" -j DNAT --to-destination 10.0.0.2:80 | |
-A zone_cloud_prerouting -s 10.0.0.0/24 -d 185.xxx.xxx.xxx/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: cloud wan https (reflection)" -j DNAT --to-destination 10.0.0.2:443 | |
-A zone_cloud_prerouting -s 10.0.0.0/24 -d 185.xxx.xxx.xxx/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: cloud wan http (reflection)" -j DNAT --to-destination 10.0.0.2:80 | |
# fritzweb (eth0.3): everything leaving towards it is masqueraded; no inbound forwards.
-A zone_fritzweb_postrouting -m comment --comment "!fw3: Custom fritzweb postrouting rule chain" -j postrouting_fritzweb_rule | |
-A zone_fritzweb_postrouting -m comment --comment "!fw3" -j MASQUERADE | |
-A zone_fritzweb_prerouting -m comment --comment "!fw3: Custom fritzweb prerouting rule chain" -j prerouting_fritzweb_rule | |
# ios: hook chains only; nothing dispatches to this zone.
-A zone_ios_postrouting -m comment --comment "!fw3: Custom ios postrouting rule chain" -j postrouting_ios_rule | |
-A zone_ios_prerouting -m comment --comment "!fw3: Custom ios prerouting rule chain" -j prerouting_ios_rule | |
# NAT reflection for the LAN segment 192.168.1.0/24 (same pattern as the cloud
# zone, router address 192.168.1.1). The "wan proxy" SNAT pair and the
# "wireguard cable" SNAT rule repeat the match of the rule(s) just above them and
# are therefore unreachable, as in zone_cloud_postrouting.
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule | |
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.232/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: ssh (reflection)" -j SNAT --to-source 192.168.1.1 | |
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.212/32 -p tcp -m tcp --dport 22000 -m comment --comment "!fw3: syncthing (reflection)" -j SNAT --to-source 192.168.1.1 | |
-A zone_lan_postrouting -s 192.168.1.0/24 -d 10.0.0.2/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: vdsl proxy http (reflection)" -j SNAT --to-source 192.168.1.1 | |
-A zone_lan_postrouting -s 192.168.1.0/24 -d 10.0.0.2/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: vdsl proxy https (reflection)" -j SNAT --to-source 192.168.1.1 | |
-A zone_lan_postrouting -s 192.168.1.0/24 -d 10.0.0.2/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: wan proxy http (reflection)" -j SNAT --to-source 192.168.1.1 | |
-A zone_lan_postrouting -s 192.168.1.0/24 -d 10.0.0.2/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: wan proxy https (reflection)" -j SNAT --to-source 192.168.1.1 | |
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.1/32 -p udp -m udp --dport 13377 -m comment --comment "!fw3: wireguard vdsl (reflection)" -j SNAT --to-source 192.168.1.1 | |
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.1/32 -p udp -m udp --dport 13377 -m comment --comment "!fw3: wireguard cable (reflection)" -j SNAT --to-source 192.168.1.1 | |
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule | |
-A zone_lan_prerouting -s 192.168.1.0/24 -d 185.xxx.xxx.xxx/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: ssh (reflection)" -j DNAT --to-destination 192.168.1.232:22 | |
-A zone_lan_prerouting -s 192.168.1.0/24 -d 185.xxx.xxx.xxx/32 -p tcp -m tcp --dport 22000 -m comment --comment "!fw3: syncthing (reflection)" -j DNAT --to-destination 192.168.1.212:22000 | |
-A zone_lan_prerouting -s 192.168.1.0/24 -d 83.xx.xx.xxx/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: vdsl proxy http (reflection)" -j DNAT --to-destination 10.0.0.2:80 | |
-A zone_lan_prerouting -s 192.168.1.0/24 -d 83.xx.xx.xxx/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: vdsl proxy https (reflection)" -j DNAT --to-destination 10.0.0.2:443 | |
-A zone_lan_prerouting -s 192.168.1.0/24 -d 185.xxx.xxx.xxx/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: wan proxy http (reflection)" -j DNAT --to-destination 10.0.0.2:80 | |
-A zone_lan_prerouting -s 192.168.1.0/24 -d 185.xxx.xxx.xxx/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: wan proxy https (reflection)" -j DNAT --to-destination 10.0.0.2:443 | |
-A zone_lan_prerouting -s 192.168.1.0/24 -d 83.xx.xx.xxx/32 -p udp -m udp --dport 13377 -m comment --comment "!fw3: wireguard vdsl (reflection)" -j DNAT --to-destination 192.168.1.1:13377 | |
-A zone_lan_prerouting -s 192.168.1.0/24 -d 185.xxx.xxx.xxx/32 -p udp -m udp --dport 13377 -m comment --comment "!fw3: wireguard cable (reflection)" -j DNAT --to-destination 192.168.1.1:13377 | |
# vdsl uplink (pppoe-vdsl): masquerade outbound; inbound port forwards below.
# The DNAT rules carry no -d match, so every packet entering pppoe-vdsl with a
# matching destination port is redirected (presumably because the PPPoE address
# is dynamic - confirm). Internet-exposed via this uplink:
#   tcp/22 -> 10.0.0.12, tcp/80 and tcp/443 -> 10.0.0.2, udp/13377 -> 192.168.1.1.
# The "cloud vdsl https/http" rules repeat the match of "vdsl proxy https/http"
# with the same target and can never be reached.
-A zone_vdsl_postrouting -m comment --comment "!fw3: Custom vdsl postrouting rule chain" -j postrouting_vdsl_rule | |
-A zone_vdsl_postrouting -m comment --comment "!fw3" -j MASQUERADE | |
-A zone_vdsl_prerouting -m comment --comment "!fw3: Custom vdsl prerouting rule chain" -j prerouting_vdsl_rule | |
-A zone_vdsl_prerouting -p tcp -m tcp --dport 22 -m comment --comment "!fw3: ssh vdsl" -j DNAT --to-destination 10.0.0.12:22 | |
-A zone_vdsl_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: vdsl proxy http" -j DNAT --to-destination 10.0.0.2:80 | |
-A zone_vdsl_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: vdsl proxy https" -j DNAT --to-destination 10.0.0.2:443 | |
-A zone_vdsl_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: cloud vdsl https" -j DNAT --to-destination 10.0.0.2:443 | |
-A zone_vdsl_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: cloud vdsl http" -j DNAT --to-destination 10.0.0.2:80 | |
-A zone_vdsl_prerouting -p udp -m udp --dport 13377 -m comment --comment "!fw3: wireguard vdsl" -j DNAT --to-destination 192.168.1.1:13377 | |
# vpn (tun0): masquerade outbound; no inbound forwards.
-A zone_vpn_postrouting -m comment --comment "!fw3: Custom vpn postrouting rule chain" -j postrouting_vpn_rule | |
-A zone_vpn_postrouting -m comment --comment "!fw3" -j MASQUERADE | |
-A zone_vpn_prerouting -m comment --comment "!fw3: Custom vpn prerouting rule chain" -j prerouting_vpn_rule | |
# wan uplink (eth1, "cable"): masquerade outbound; inbound port forwards below,
# again without a -d match. Internet-exposed via this uplink:
#   tcp/22 -> 192.168.1.232 (SSH on a LAN host), tcp/22000 -> 192.168.1.212
#   (syncthing), tcp/80 and tcp/443 -> 10.0.0.2, udp/13377 -> 192.168.1.1.
# Defensive note: the two SSH forwards (here and on vdsl) publish SSH of internal
# hosts directly; key-only authentication and/or a -s restriction on these rules
# limits the exposure, and the WireGuard/OpenVPN listeners already present offer
# an alternative path. The "cloud wan https/http" pair is unreachable, same
# reason as in the vdsl chain.
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule | |
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE | |
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule | |
-A zone_wan_prerouting -p tcp -m tcp --dport 22 -m comment --comment "!fw3: ssh" -j DNAT --to-destination 192.168.1.232:22 | |
-A zone_wan_prerouting -p tcp -m tcp --dport 22000 -m comment --comment "!fw3: syncthing" -j DNAT --to-destination 192.168.1.212:22000 | |
-A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: wan proxy http" -j DNAT --to-destination 10.0.0.2:80 | |
-A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: wan proxy https" -j DNAT --to-destination 10.0.0.2:443 | |
-A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: cloud wan https" -j DNAT --to-destination 10.0.0.2:443 | |
-A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: cloud wan http" -j DNAT --to-destination 10.0.0.2:80 | |
-A zone_wan_prerouting -p udp -m udp --dport 13377 -m comment --comment "!fw3: wireguard cable" -j DNAT --to-destination 192.168.1.1:13377 | |
# wireguard: masquerade traffic leaving towards the peers; no inbound forwards.
# Note that lan and cloud do NOT masquerade - routing between those segments
# keeps the real source addresses.
-A zone_wireguard_postrouting -m comment --comment "!fw3: Custom wireguard postrouting rule chain" -j postrouting_wireguard_rule | |
-A zone_wireguard_postrouting -m comment --comment "!fw3" -j MASQUERADE | |
-A zone_wireguard_prerouting -m comment --comment "!fw3: Custom wireguard prerouting rule chain" -j prerouting_wireguard_rule | |
COMMIT | |
# Completed on Sat Dec 26 10:00:14 2020 | |
# Generated by iptables-save v1.8.3 on Sat Dec 26 10:00:14 2020 | |
#
# --- raw table: conntrack-helper assignment hooks. The lan and cloud helper
# chains are jumped to but contain no rules in this dump, so no CT helper
# (FTP, SIP, ...) is actually attached to any flow - which is the safer default.
# zone_ios_helper is declared but never referenced.
*raw | |
:PREROUTING ACCEPT [39778315:35205102684] | |
:OUTPUT ACCEPT [354228:52711063] | |
:zone_cloud_helper - [0:0] | |
:zone_ios_helper - [0:0] | |
:zone_lan_helper - [0:0] | |
-A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper | |
-A PREROUTING -i eth0.30 -m comment --comment "!fw3: cloud CT helper assignment" -j zone_cloud_helper | |
COMMIT | |
# Completed on Sat Dec 26 10:00:14 2020 | |
# Generated by iptables-save v1.8.3 on Sat Dec 26 10:00:14 2020 | |
#
# --- mangle table: mwan3 multi-WAN policy routing (packet/connection marks) and
# TCP MSS clamping on both uplinks. Traffic engineering rather than access
# control: nothing here accepts or drops, it only sets fwmarks that the policy
# routing tables (not part of this dump) act on.
#
# Mark layout, from the rules below: the uplink selection lives in mask 0x3f00;
#   0x100 = wan (eth1 / cable), 0x200 = vdsl (pppoe-vdsl),
#   0x3f00 = "default"/connected, i.e. leave routing to the main table.
# A packet with 0x0 in that mask has not been classified yet.
*mangle | |
:PREROUTING ACCEPT [39778315:35205102684] | |
:INPUT ACCEPT [365590:36992837] | |
:FORWARD ACCEPT [39325916:35154122529] | |
:OUTPUT ACCEPT [354228:52711063] | |
:POSTROUTING ACCEPT [39679240:35206750778] | |
:mwan3_connected - [0:0] | |
:mwan3_hook - [0:0] | |
:mwan3_iface_in_vdsl - [0:0] | |
:mwan3_iface_in_wan - [0:0] | |
:mwan3_ifaces_in - [0:0] | |
:mwan3_policy_balanced - [0:0] | |
:mwan3_policy_cable_only - [0:0] | |
:mwan3_policy_cable_vdsl - [0:0] | |
:mwan3_policy_vdsl_cable - [0:0] | |
:mwan3_policy_vdsl_only - [0:0] | |
:mwan3_rule_https - [0:0] | |
:mwan3_rule_https_cloud - [0:0] | |
:mwan3_rules - [0:0] | |
# Classification runs for forwarded/incoming traffic (PREROUTING) and for
# locally generated traffic (OUTPUT).
-A PREROUTING -j mwan3_hook | |
# MSS clamping on SYNs crossing either uplink, so PPPoE/NAT path MTU does not
# break TCP for hosts behind the router.
-A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu | |
-A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu | |
-A FORWARD -o pppoe-vdsl -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone vdsl MTU fixing" -j TCPMSS --clamp-mss-to-pmtu | |
-A FORWARD -i pppoe-vdsl -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone vdsl MTU fixing" -j TCPMSS --clamp-mss-to-pmtu | |
-A OUTPUT -j mwan3_hook | |
# Destinations in the mwan3_connected ipset (directly connected networks) get
# the "default" mark so they are never pushed out an uplink.
-A mwan3_connected -m set --match-set mwan3_connected dst -j MARK --set-xmark 0x3f00/0x3f00 | |
# mwan3_hook: restore the connection's mark; only still-unclassified packets go
# through interface classification, the connected check and the user rules;
# then persist the result on the conntrack entry.
-A mwan3_hook -j CONNMARK --restore-mark --nfmask 0x3f00 --ctmask 0x3f00 | |
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_ifaces_in | |
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_connected | |
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_rules | |
-A mwan3_hook -j CONNMARK --save-mark --nfmask 0x3f00 --ctmask 0x3f00 | |
-A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_connected | |
# Inbound packets arriving on an uplink are pinned to that uplink (so replies
# leave the way the connection came in), unless the source is a connected net.
-A mwan3_iface_in_vdsl -i pppoe-vdsl -m set --match-set mwan3_connected src -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00 | |
-A mwan3_iface_in_vdsl -i pppoe-vdsl -m mark --mark 0x0/0x3f00 -m comment --comment vdsl -j MARK --set-xmark 0x200/0x3f00 | |
-A mwan3_iface_in_wan -i eth1 -m set --match-set mwan3_connected src -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00 | |
-A mwan3_iface_in_wan -i eth1 -m mark --mark 0x0/0x3f00 -m comment --comment wan -j MARK --set-xmark 0x100/0x3f00 | |
-A mwan3_ifaces_in -m mark --mark 0x0/0x3f00 -j mwan3_iface_in_wan | |
-A mwan3_ifaces_in -m mark --mark 0x0/0x3f00 -j mwan3_iface_in_vdsl | |
# Policy chains (mwan3 rewrites these as uplinks go up/down). As captured, each
# policy marks unconditionally, i.e. both uplinks were up: "balanced" splits
# 50/50 by random statistic, the "*_only" and "x_y" policies pick one uplink.
-A mwan3_policy_balanced -m mark --mark 0x0/0x3f00 -m statistic --mode random --probability 0.50000000000 -m comment --comment "vdsl 2 4" -j MARK --set-xmark 0x200/0x3f00 | |
-A mwan3_policy_balanced -m mark --mark 0x0/0x3f00 -m comment --comment "wan 2 2" -j MARK --set-xmark 0x100/0x3f00 | |
-A mwan3_policy_cable_only -m mark --mark 0x0/0x3f00 -m comment --comment "wan 2 2" -j MARK --set-xmark 0x100/0x3f00 | |
-A mwan3_policy_cable_vdsl -m mark --mark 0x0/0x3f00 -m comment --comment "wan 2 2" -j MARK --set-xmark 0x100/0x3f00 | |
-A mwan3_policy_vdsl_cable -m mark --mark 0x0/0x3f00 -m comment --comment "vdsl 2 2" -j MARK --set-xmark 0x200/0x3f00 | |
-A mwan3_policy_vdsl_only -m mark --mark 0x0/0x3f00 -m comment --comment "vdsl 2 2" -j MARK --set-xmark 0x200/0x3f00 | |
# Sticky HTTPS: a source that was recently routed via the preferred uplink
# (tracked in the mwan3_sticky_https ipset) keeps that uplink, otherwise the
# mark is cleared and the policy chain decides; the set is then refreshed.
-A mwan3_rule_https -m mark --mark 0x0/0x3f00 -j MARK --set-xmark 0x100/0x3f00 | |
-A mwan3_rule_https -m mark --mark 0x100/0x3f00 -m set ! --match-set mwan3_sticky_https src,src -j MARK --set-xmark 0x0/0x3f00 | |
-A mwan3_rule_https -m mark --mark 0x0/0x3f00 -j mwan3_policy_cable_vdsl | |
-A mwan3_rule_https -m mark ! --mark 0xfc00/0xfc00 -j SET --del-set mwan3_sticky_https src,src | |
-A mwan3_rule_https -m mark ! --mark 0xfc00/0xfc00 -j SET --add-set mwan3_sticky_https src,src | |
-A mwan3_rule_https_cloud -m mark --mark 0x0/0x3f00 -j MARK --set-xmark 0x200/0x3f00 | |
-A mwan3_rule_https_cloud -m mark --mark 0x200/0x3f00 -m set ! --match-set mwan3_sticky_https_cloud src,src -j MARK --set-xmark 0x0/0x3f00 | |
-A mwan3_rule_https_cloud -m mark --mark 0x0/0x3f00 -j mwan3_policy_vdsl_cable | |
-A mwan3_rule_https_cloud -m mark ! --mark 0xfc00/0xfc00 -j SET --del-set mwan3_sticky_https_cloud src,src | |
-A mwan3_rule_https_cloud -m mark ! --mark 0xfc00/0xfc00 -j SET --add-set mwan3_sticky_https_cloud src,src | |
# User rules, first match wins because every rule requires an unset mark.
# NOTE(review): the whole-LAN rule (192.168.1.0/24 -> cable_vdsl) precedes the
# per-host rules for 192.168.1.144 and 192.168.1.235, and the policy chain sets
# the mark, so those two host rules cannot match as captured. They would only
# take effect if mwan3 regenerated mwan3_policy_cable_vdsl to leave the mark
# untouched (e.g. with the wan uplink down) - confirm whether that is intended.
-A mwan3_rules -s 192.168.1.179/32 -m mark --mark 0x0/0x3f00 -j mwan3_policy_cable_vdsl | |
-A mwan3_rules -p udp -m multiport --dports 1337 -m mark --mark 0x0/0x3f00 -j mwan3_policy_vdsl_only | |
-A mwan3_rules -s 192.168.1.185/32 -m mark --mark 0x0/0x3f00 -j mwan3_policy_vdsl_cable | |
-A mwan3_rules -s 192.168.1.0/24 -p tcp -m multiport --dports 443 -m mark --mark 0x0/0x3f00 -j mwan3_rule_https | |
-A mwan3_rules -s 192.168.1.0/24 -m mark --mark 0x0/0x3f00 -j mwan3_policy_cable_vdsl | |
-A mwan3_rules -s 192.168.1.144/32 -m mark --mark 0x0/0x3f00 -j mwan3_policy_vdsl_cable | |
-A mwan3_rules -s 192.168.1.235/32 -m mark --mark 0x0/0x3f00 -j mwan3_policy_vdsl_cable | |
-A mwan3_rules -s 10.0.0.0/24 -p tcp -m multiport --dports 443 -m mark --mark 0x0/0x3f00 -j mwan3_rule_https_cloud | |
-A mwan3_rules -s 10.0.0.0/24 -m mark --mark 0x0/0x3f00 -j mwan3_policy_vdsl_cable | |
-A mwan3_rules -m mark --mark 0x0/0x3f00 -j mwan3_policy_cable_vdsl | |
COMMIT | |
# Completed on Sat Dec 26 10:00:14 2020 | |
# Generated by iptables-save v1.8.3 on Sat Dec 26 10:00:14 2020 | |
#
# --- filter table: the access-control policy. Summary of the zone trust model
# as expressed by the rules below:
#   * Router input: lan, cloud, vpn, wireguard and fritzweb may open new
#     connections to the router (zone_*_src_ACCEPT); wan and vdsl are rejected
#     (zone_*_src_REJECT) apart from DHCP renew, ping, DNAT'd redirections and
#     the global OpenVPN udp/1194 accept.
#   * Forwarding: default DROP plus a trailing reject. lan and wireguard may reach
#     every other zone; cloud may reach wan and vdsl (plus one vpn host);
#     wan/vdsl/fritzweb/ios only get DNAT'd port forwards - with the exception
#     flagged at zone_wan_forward below.
# NOTE(review): INPUT and OUTPUT policies are ACCEPT. Only the interfaces listed
# in the -i dispatch rules reach a zone chain, so a packet arriving on any other
# interface (an untagged parent of the VLANs, a future interface not added to a
# zone) is accepted by the chain policy. A REJECT/DROP input policy would make
# that fail closed.
*filter | |
:INPUT ACCEPT [10:782] | |
:FORWARD DROP [0:0] | |
:OUTPUT ACCEPT [0:0] | |
# Per-zone hook chains for user rules; all empty in this dump.
:forwarding_cloud_rule - [0:0] | |
:forwarding_fritzweb_rule - [0:0] | |
:forwarding_ios_rule - [0:0] | |
:forwarding_lan_rule - [0:0] | |
:forwarding_rule - [0:0] | |
:forwarding_vdsl_rule - [0:0] | |
:forwarding_vpn_rule - [0:0] | |
:forwarding_wan_rule - [0:0] | |
:forwarding_wireguard_rule - [0:0] | |
:input_cloud_rule - [0:0] | |
:input_fritzweb_rule - [0:0] | |
:input_ios_rule - [0:0] | |
:input_lan_rule - [0:0] | |
:input_rule - [0:0] | |
:input_vdsl_rule - [0:0] | |
:input_vpn_rule - [0:0] | |
:input_wan_rule - [0:0] | |
:input_wireguard_rule - [0:0] | |
:output_cloud_rule - [0:0] | |
:output_fritzweb_rule - [0:0] | |
:output_ios_rule - [0:0] | |
:output_lan_rule - [0:0] | |
:output_rule - [0:0] | |
:output_vdsl_rule - [0:0] | |
:output_vpn_rule - [0:0] | |
:output_wan_rule - [0:0] | |
:output_wireguard_rule - [0:0] | |
:reject - [0:0] | |
:syn_flood - [0:0] | |
# zone_X_dest_ACCEPT/REJECT act on traffic leaving towards X (-o);
# zone_X_src_ACCEPT/REJECT act on traffic arriving from X (-i).
# The ios dest/src chains are declared but never populated or dispatched to.
:zone_cloud_dest_ACCEPT - [0:0] | |
:zone_cloud_dest_REJECT - [0:0] | |
:zone_cloud_forward - [0:0] | |
:zone_cloud_input - [0:0] | |
:zone_cloud_output - [0:0] | |
:zone_cloud_src_ACCEPT - [0:0] | |
:zone_fritzweb_dest_ACCEPT - [0:0] | |
:zone_fritzweb_dest_REJECT - [0:0] | |
:zone_fritzweb_forward - [0:0] | |
:zone_fritzweb_input - [0:0] | |
:zone_fritzweb_output - [0:0] | |
:zone_fritzweb_src_ACCEPT - [0:0] | |
:zone_ios_dest_ACCEPT - [0:0] | |
:zone_ios_dest_REJECT - [0:0] | |
:zone_ios_forward - [0:0] | |
:zone_ios_input - [0:0] | |
:zone_ios_output - [0:0] | |
:zone_ios_src_ACCEPT - [0:0] | |
:zone_lan_dest_ACCEPT - [0:0] | |
:zone_lan_forward - [0:0] | |
:zone_lan_input - [0:0] | |
:zone_lan_output - [0:0] | |
:zone_lan_src_ACCEPT - [0:0] | |
:zone_vdsl_dest_ACCEPT - [0:0] | |
:zone_vdsl_dest_REJECT - [0:0] | |
:zone_vdsl_forward - [0:0] | |
:zone_vdsl_input - [0:0] | |
:zone_vdsl_output - [0:0] | |
:zone_vdsl_src_REJECT - [0:0] | |
:zone_vpn_dest_ACCEPT - [0:0] | |
:zone_vpn_forward - [0:0] | |
:zone_vpn_input - [0:0] | |
:zone_vpn_output - [0:0] | |
:zone_vpn_src_ACCEPT - [0:0] | |
:zone_wan_dest_ACCEPT - [0:0] | |
:zone_wan_dest_REJECT - [0:0] | |
:zone_wan_forward - [0:0] | |
:zone_wan_input - [0:0] | |
:zone_wan_output - [0:0] | |
:zone_wan_src_REJECT - [0:0] | |
:zone_wireguard_dest_ACCEPT - [0:0] | |
:zone_wireguard_forward - [0:0] | |
:zone_wireguard_input - [0:0] | |
:zone_wireguard_output - [0:0] | |
:zone_wireguard_src_ACCEPT - [0:0] | |
# INPUT: loopback, user hook, established/related, then SYN rate limiting.
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT | |
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule | |
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT | |
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood | |
# OpenVPN listener: this rule sits before the per-interface dispatch and has no
# -i match, so udp/1194 is accepted from every interface, including both uplinks.
-A INPUT -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN-Inbound" -j ACCEPT | |
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input | |
-A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input | |
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpn_input | |
-A INPUT -i eth0.30 -m comment --comment "!fw3" -j zone_cloud_input | |
-A INPUT -i pppoe-vdsl -m comment --comment "!fw3" -j zone_vdsl_input | |
-A INPUT -i wireguard -m comment --comment "!fw3" -j zone_wireguard_input | |
-A INPUT -i eth0.3 -m comment --comment "!fw3" -j zone_fritzweb_input | |
# FORWARD: established/related, then per-ingress-zone chains; anything that
# falls through every zone chain is rejected here (policy DROP as the backstop).
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule | |
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT | |
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward | |
-A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward | |
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpn_forward | |
-A FORWARD -i eth0.30 -m comment --comment "!fw3" -j zone_cloud_forward | |
-A FORWARD -i pppoe-vdsl -m comment --comment "!fw3" -j zone_vdsl_forward | |
-A FORWARD -i wireguard -m comment --comment "!fw3" -j zone_wireguard_forward | |
-A FORWARD -i eth0.3 -m comment --comment "!fw3" -j zone_fritzweb_forward | |
-A FORWARD -m comment --comment "!fw3" -j reject | |
# OUTPUT: everything the router itself sends is accepted by the zone output
# chains (all end in zone_*_dest_ACCEPT) or by the ACCEPT policy.
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT | |
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule | |
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT | |
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output | |
-A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output | |
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpn_output | |
-A OUTPUT -o eth0.30 -m comment --comment "!fw3" -j zone_cloud_output | |
-A OUTPUT -o pppoe-vdsl -m comment --comment "!fw3" -j zone_vdsl_output | |
-A OUTPUT -o wireguard -m comment --comment "!fw3" -j zone_wireguard_output | |
-A OUTPUT -o eth0.3 -m comment --comment "!fw3" -j zone_fritzweb_output | |
# Polite rejection: TCP gets a RST, everything else ICMP port-unreachable.
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset | |
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable | |
# SYN flood protection for the router itself: up to 25 SYN/s (burst 50) pass,
# the rest are dropped. Applies to all interfaces since the INPUT jump has no -i.
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN | |
-A syn_flood -m comment --comment "!fw3" -j DROP | |
# cloud zone (eth0.30): may reach wan and vdsl, plus one explicit host pair
# (10.0.0.11 -> 200.0.0.42 via the vpn zone); everything else, including the
# LAN, is rejected unless it is a DNAT'd port forward. New connections from
# cloud to the router are accepted.
-A zone_cloud_dest_ACCEPT -o eth0.30 -m comment --comment "!fw3" -j ACCEPT | |
-A zone_cloud_dest_REJECT -o eth0.30 -m comment --comment "!fw3" -j reject | |
-A zone_cloud_forward -m comment --comment "!fw3: Custom cloud forwarding rule chain" -j forwarding_cloud_rule | |
-A zone_cloud_forward -s 10.0.0.11/32 -d 200.0.0.42/32 -p tcp -m comment --comment "!fw3: dokku to projective gitlab" -j zone_vpn_dest_ACCEPT | |
-A zone_cloud_forward -s 10.0.0.11/32 -d 200.0.0.42/32 -p udp -m comment --comment "!fw3: dokku to projective gitlab" -j zone_vpn_dest_ACCEPT | |
-A zone_cloud_forward -m comment --comment "!fw3: Zone cloud to wan forwarding policy" -j zone_wan_dest_ACCEPT | |
-A zone_cloud_forward -m comment --comment "!fw3: Zone cloud to vdsl forwarding policy" -j zone_vdsl_dest_ACCEPT | |
-A zone_cloud_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT | |
-A zone_cloud_forward -m comment --comment "!fw3" -j zone_cloud_dest_REJECT | |
-A zone_cloud_input -m comment --comment "!fw3: Custom cloud input rule chain" -j input_cloud_rule | |
-A zone_cloud_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT | |
-A zone_cloud_input -m comment --comment "!fw3" -j zone_cloud_src_ACCEPT | |
-A zone_cloud_output -m comment --comment "!fw3: Custom cloud output rule chain" -j output_cloud_rule | |
-A zone_cloud_output -m comment --comment "!fw3" -j zone_cloud_dest_ACCEPT | |
-A zone_cloud_src_ACCEPT -i eth0.30 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT | |
# fritzweb zone (eth0.3): no forwarding into or out of it beyond DNAT'd
# flows (only lan and wireguard have a "to fritzweb" policy); hosts on it may
# open new connections to the router. The INVALID drop before ACCEPT on
# masqueraded egress ("Prevent NAT leakage") stops untracked packets from
# leaving with an un-NATed private source.
-A zone_fritzweb_dest_ACCEPT -o eth0.3 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP | |
-A zone_fritzweb_dest_ACCEPT -o eth0.3 -m comment --comment "!fw3" -j ACCEPT | |
-A zone_fritzweb_dest_REJECT -o eth0.3 -m comment --comment "!fw3" -j reject | |
-A zone_fritzweb_forward -m comment --comment "!fw3: Custom fritzweb forwarding rule chain" -j forwarding_fritzweb_rule | |
-A zone_fritzweb_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT | |
-A zone_fritzweb_forward -m comment --comment "!fw3" -j zone_fritzweb_dest_REJECT | |
-A zone_fritzweb_input -m comment --comment "!fw3: Custom fritzweb input rule chain" -j input_fritzweb_rule | |
-A zone_fritzweb_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT | |
-A zone_fritzweb_input -m comment --comment "!fw3" -j zone_fritzweb_src_ACCEPT | |
-A zone_fritzweb_output -m comment --comment "!fw3: Custom fritzweb output rule chain" -j output_fritzweb_rule | |
-A zone_fritzweb_output -m comment --comment "!fw3" -j zone_fritzweb_dest_ACCEPT | |
-A zone_fritzweb_src_ACCEPT -i eth0.3 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT | |
# ios zone: unreachable as captured (no -i/-o dispatch to it, and its
# dest/src chains are empty). A packet that did land in zone_ios_forward would
# return from the empty zone_ios_dest_REJECT and hit FORWARD's trailing reject.
-A zone_ios_forward -m comment --comment "!fw3: Custom ios forwarding rule chain" -j forwarding_ios_rule | |
-A zone_ios_forward -m comment --comment "!fw3: Zone ios to vdsl forwarding policy" -j zone_vdsl_dest_ACCEPT | |
-A zone_ios_forward -m comment --comment "!fw3: Zone ios to wan forwarding policy" -j zone_wan_dest_ACCEPT | |
-A zone_ios_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT | |
-A zone_ios_forward -m comment --comment "!fw3" -j zone_ios_dest_REJECT | |
-A zone_ios_input -m comment --comment "!fw3: Custom ios input rule chain" -j input_ios_rule | |
-A zone_ios_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT | |
-A zone_ios_input -m comment --comment "!fw3" -j zone_ios_src_ACCEPT | |
-A zone_ios_output -m comment --comment "!fw3: Custom ios output rule chain" -j output_ios_rule | |
-A zone_ios_output -m comment --comment "!fw3" -j zone_ios_dest_ACCEPT | |
# lan zone (br-lan): fully trusted - may forward to every other zone and to
# itself, and may open new connections to the router.
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT | |
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule | |
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to cloud forwarding policy" -j zone_cloud_dest_ACCEPT | |
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to fritzweb forwarding policy" -j zone_fritzweb_dest_ACCEPT | |
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to ios forwarding policy" -j zone_ios_dest_ACCEPT | |
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to vdsl forwarding policy" -j zone_vdsl_dest_ACCEPT | |
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to vpn forwarding policy" -j zone_vpn_dest_ACCEPT | |
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT | |
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wireguard forwarding policy" -j zone_wireguard_dest_ACCEPT | |
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT | |
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT | |
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule | |
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT | |
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT | |
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT | |
# vdsl uplink (pppoe-vdsl): only DNAT'd port forwards are forwarded in; new
# connections to the router are rejected (no DHCP/ping exceptions here, unlike wan).
-A zone_vdsl_dest_ACCEPT -o pppoe-vdsl -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP | |
-A zone_vdsl_dest_ACCEPT -o pppoe-vdsl -m comment --comment "!fw3" -j ACCEPT | |
-A zone_vdsl_dest_REJECT -o pppoe-vdsl -m comment --comment "!fw3" -j reject | |
-A zone_vdsl_forward -m comment --comment "!fw3: Custom vdsl forwarding rule chain" -j forwarding_vdsl_rule | |
-A zone_vdsl_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT | |
-A zone_vdsl_forward -m comment --comment "!fw3" -j zone_vdsl_dest_REJECT | |
-A zone_vdsl_input -m comment --comment "!fw3: Custom vdsl input rule chain" -j input_vdsl_rule | |
-A zone_vdsl_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT | |
-A zone_vdsl_input -m comment --comment "!fw3" -j zone_vdsl_src_REJECT | |
-A zone_vdsl_output -m comment --comment "!fw3: Custom vdsl output rule chain" -j output_vdsl_rule | |
-A zone_vdsl_output -m comment --comment "!fw3" -j zone_vdsl_dest_ACCEPT | |
-A zone_vdsl_src_REJECT -i pppoe-vdsl -m comment --comment "!fw3" -j reject | |
# vpn zone (tun0): forwards only back into the vpn zone itself or DNAT'd flows;
# new connections to the router are accepted.
-A zone_vpn_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP | |
-A zone_vpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT | |
-A zone_vpn_forward -m comment --comment "!fw3: Custom vpn forwarding rule chain" -j forwarding_vpn_rule | |
-A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT | |
-A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT | |
-A zone_vpn_input -m comment --comment "!fw3: Custom vpn input rule chain" -j input_vpn_rule | |
-A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT | |
-A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_ACCEPT | |
-A zone_vpn_output -m comment --comment "!fw3: Custom vpn output rule chain" -j output_vpn_rule | |
-A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT | |
-A zone_vpn_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT | |
# wan uplink (eth1): NOTE(review) - the two "access fritzbox" rules forward ALL
# tcp and ALL udp arriving on eth1 to the lan zone, with no -s, -d or port
# restriction, before the DNAT check and the final reject. As written, any
# device on the eth1 segment can reach every LAN host on every port; the
# port forwards in the nat table would be redundant for wan->lan if this were
# intended. If the goal is to let a specific upstream device (the FritzBox)
# reach specific LAN services, add `-s <fritzbox-address>` (placeholder) and the
# needed `--dport` to these two rules; if LAN->FritzBox access is the goal, the
# lan->wan policy plus conntrack already covers it and these rules can go.
# Confirm intent before changing. Router input from wan: DHCP renew, ping and
# DNAT'd redirections only; everything else is rejected.
-A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP | |
-A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT | |
-A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject | |
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule | |
-A zone_wan_forward -p tcp -m comment --comment "!fw3: access fritzbox" -j zone_lan_dest_ACCEPT | |
-A zone_wan_forward -p udp -m comment --comment "!fw3: access fritzbox" -j zone_lan_dest_ACCEPT | |
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT | |
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT | |
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule | |
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT | |
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT | |
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT | |
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT | |
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule | |
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT | |
-A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject | |
# wireguard zone: peers are trusted at LAN level - may forward to cloud, ios,
# vdsl, vpn, wan and lan, and may open new connections to the router. Anyone
# holding a configured peer key therefore has full internal reach; keep the
# peer list tight.
-A zone_wireguard_dest_ACCEPT -o wireguard -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP | |
-A zone_wireguard_dest_ACCEPT -o wireguard -m comment --comment "!fw3" -j ACCEPT | |
-A zone_wireguard_forward -m comment --comment "!fw3: Custom wireguard forwarding rule chain" -j forwarding_wireguard_rule | |
-A zone_wireguard_forward -m comment --comment "!fw3: Zone wireguard to cloud forwarding policy" -j zone_cloud_dest_ACCEPT | |
-A zone_wireguard_forward -m comment --comment "!fw3: Zone wireguard to ios forwarding policy" -j zone_ios_dest_ACCEPT | |
-A zone_wireguard_forward -m comment --comment "!fw3: Zone wireguard to vdsl forwarding policy" -j zone_vdsl_dest_ACCEPT | |
-A zone_wireguard_forward -m comment --comment "!fw3: Zone wireguard to vpn forwarding policy" -j zone_vpn_dest_ACCEPT | |
-A zone_wireguard_forward -m comment --comment "!fw3: Zone wireguard to wan forwarding policy" -j zone_wan_dest_ACCEPT | |
-A zone_wireguard_forward -m comment --comment "!fw3: Zone wireguard to lan forwarding policy" -j zone_lan_dest_ACCEPT | |
-A zone_wireguard_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT | |
-A zone_wireguard_forward -m comment --comment "!fw3" -j zone_wireguard_dest_ACCEPT | |
-A zone_wireguard_input -m comment --comment "!fw3: Custom wireguard input rule chain" -j input_wireguard_rule | |
-A zone_wireguard_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT | |
-A zone_wireguard_input -m comment --comment "!fw3" -j zone_wireguard_src_ACCEPT | |
-A zone_wireguard_output -m comment --comment "!fw3: Custom wireguard output rule chain" -j output_wireguard_rule | |
-A zone_wireguard_output -m comment --comment "!fw3" -j zone_wireguard_dest_ACCEPT | |
-A zone_wireguard_src_ACCEPT -i wireguard -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT | |
COMMIT | |
# Completed on Sat Dec 26 10:00:14 2020 |