@hazcod
Created March 26, 2020 14:54
Telenet modem firewall ruleset.
# Generated by iptables-save v1.4.21 on Sun Jan 19 08:14:54 2020
*raw
# raw table: only the two builtin chains with ACCEPT policy and no rules.
# The bracketed values are the packet:byte counters as captured.
:PREROUTING ACCEPT [17478:786616]
:OUTPUT ACCEPT [15285:6842393]
COMMIT
# Completed on Sun Jan 19 08:14:54 2020
# Generated by iptables-save v1.4.21 on Sun Jan 19 08:14:54 2020
*nat
# nat table. Builtin chains keep an ACCEPT policy (packet:byte counters as
# captured); user-defined chains are declared with "-" (no policy).
:PREROUTING ACCEPT [412:43501]
:INPUT ACCEPT [54:3686]
:OUTPUT ACCEPT [105:9758]
:POSTROUTING ACCEPT [90:9194]
# None of the user-defined chains below carries a rule in this capture, so the
# PREROUTING jumps to them are no-ops: no port forward, port trigger, DMZ,
# parental-control or remote-access DNAT was active when the dump was taken.
# UPnP is declared but nothing jumps to it.
:CBN_NAT_PARENTAL_CONTROL - [0:0]
:CBN_NAT_PORT_FORWARD - [0:0]
:CBN_NAT_PORT_FORWARD_LAN - [0:0]
:CBN_NAT_PORT_TRIGGER - [0:0]
:CBN_NAT_REMOTE_ACCESS - [0:0]
:NAT_POSTROUTING_CHAIN - [0:0]
:NAT_PREROUTING_CHAIN - [0:0]
:POST_NAT_POSTROUTING_CHAIN - [0:0]
:POST_NAT_PREROUTING_CHAIN - [0:0]
:UPnP - [0:0]
:WiFiDog_l2sd0.2_Outgoing - [0:0]
:ZONE_CBN_NAT_PREROUTING_DMZ - [0:0]
# PREROUTING: vendor hook chains, evaluated in order. Interface roles are not
# stated in the dump; l2sd0.2 behaves as the LAN side and erouter0 as the
# upstream side (see the MASQUERADE rules in POSTROUTING).
-A PREROUTING -i l2sd0.2 -j WiFiDog_l2sd0.2_Outgoing
-A PREROUTING -j CBN_NAT_PARENTAL_CONTROL
-A PREROUTING -j NAT_PREROUTING_CHAIN
-A PREROUTING -j CBN_NAT_PORT_TRIGGER
-A PREROUTING -j CBN_NAT_REMOTE_ACCESS
-A PREROUTING -i erouter0 -j CBN_NAT_PORT_FORWARD
-A PREROUTING -i l2sd0.2 -j CBN_NAT_PORT_FORWARD_LAN
-A PREROUTING -i erouter0 -j ZONE_CBN_NAT_PREROUTING_DMZ
-A PREROUTING -j POST_NAT_PREROUTING_CHAIN
# POSTROUTING: source NAT. Two single hosts in 192.168.100.0/24 are
# masqueraded on erouter0 and wan0 respectively; SYNs leaving on erouter0 get
# their MSS clamped to path MTU.
-A POSTROUTING -s 192.168.100.251/32 -o erouter0 -j MASQUERADE
-A POSTROUTING -s 192.168.100.254/32 -o wan0 -j MASQUERADE
-A POSTROUTING -o erouter0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A POSTROUTING -j NAT_POSTROUTING_CHAIN
# The 192.168.0.0/24 LAN is masqueraded on erouter0 for any destination
# outside the LAN -- this is what identifies erouter0 as the upstream interface.
-A POSTROUTING -s 192.168.0.0/24 ! -d 192.168.0.0/24 -o erouter0 -j MASQUERADE
# LAN-sourced traffic leaving on the LAN interface is also masqueraded --
# presumably NAT loopback (hairpin) for reflected port forwards; confirm.
-A POSTROUTING -s 192.168.0.0/24 -o l2sd0.2 -j MASQUERADE
-A POSTROUTING -j POST_NAT_POSTROUTING_CHAIN
COMMIT
# Completed on Sun Jan 19 08:14:54 2020
# Generated by iptables-save v1.4.21 on Sun Jan 19 08:14:54 2020
*mangle
# mangle table: packet marking and MSS rewriting; all builtin policies ACCEPT.
:PREROUTING ACCEPT [15570:645724]
:INPUT ACCEPT [14574:552056]
:FORWARD ACCEPT [808:58384]
:OUTPUT ACCEPT [14133:6719081]
:POSTROUTING ACCEPT [14940:6776455]
# CBN_GRE_TCPMSS is declared but holds no rule in this capture.
:CBN_GRE_TCPMSS - [0:0]
# Bridged (layer-2 forwarded) frames are accepted in mangle PREROUTING before
# anything else; the filter table does the same in FORWARD.
-A PREROUTING -m physdev --physdev-is-bridged -j ACCEPT
# Non-IGMP packets from the LAN side to 224.0.0.0-238.255.255.255 get a
# vendor metadata mark. GWMETA is not an upstream iptables target; what the
# mask 0x10 means is not visible in this dump.
-A PREROUTING -i l2sd0.2 ! -p igmp -m iprange --dst-range 224.0.0.0-238.255.255.255 -j GWMETA --gwmeta-gwmask 0x10
# Every forwarded SYN gets a fixed MSS of 1420; the nat and filter tables
# additionally clamp to path MTU on erouter0.
-A FORWARD -j CBN_GRE_TCPMSS
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1420
COMMIT
# Completed on Sun Jan 19 08:14:54 2020
# Generated by iptables-save v1.4.21 on Sun Jan 19 08:14:54 2020
*filter
# filter table. INPUT and FORWARD default to DROP, OUTPUT to ACCEPT. The
# policy counters are all zero in this capture (unlike raw/nat/mangle), so
# they say nothing about traffic volume.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# User-defined chains. Many are declared but hold no rule in this capture:
# all CBN_IDS_* chains except CBN_IDS_ICMPFLOOD, CBN_DSLITE_INPUT_CHAIN, the
# CBN_FILTER_* chains, CBN_INPUT_PRIMARY/SECONDARY_NETWORK, the DMZ_* chains,
# EXT_FORWARD_OUT/EXT_OUTPUT, FORWARD_CHAIN, HOST_BLOCK_SRC/DST, INPUT_CHAIN,
# INT_FORWARD_OUT/INT_OUTPUT, OUTPUT_CHAIN, the POST_*_CHAIN hooks (other than
# POST_INPUT_DROP_CHAIN), RESERVED_NET_CHK, VALID_CHK, VPN_CHAIN and
# ZONE_CBN_FILTER_FORWARD_DMZ. A jump to an empty chain simply returns.
:BASE_FORWARD_CHAIN - [0:0]
:BASE_INPUT_CHAIN - [0:0]
:BASE_OUTPUT_CHAIN - [0:0]
:BRIDGED_TRAFFIC_CHAIN - [0:0]
:CBN_DROP_LAN_TO_CBN_INT - [0:0]
:CBN_DROP_LAN_TO_HOST_EROUTER - [0:0]
:CBN_DROP_LAN_TO_HOST_HFC - [0:0]
:CBN_DROP_LAN_TO_HOST_LAN - [0:0]
:CBN_DROP_LAN_TO_HOST_RPC - [0:0]
:CBN_DSLITE_INPUT_CHAIN - [0:0]
:CBN_FILTER_IN_CHAIN - [0:0]
:CBN_FILTER_MAC_FILTER - [0:0]
:CBN_FILTER_OUT_CHAIN - [0:0]
:CBN_FILTER_PORT_FORWARD - [0:0]
:CBN_FILTER_PORT_FORWARD_LAN - [0:0]
:CBN_FILTER_PORT_TRIGGER - [0:0]
:CBN_IDS_ICMPFLOOD - [0:0]
:CBN_IDS_IPFLOOD - [0:0]
:CBN_IDS_IPFLOOD_LAN - [0:0]
:CBN_IDS_IPFRAG - [0:0]
:CBN_IDS_PSCAN - [0:0]
:CBN_IDS_PSCAN_UDP - [0:0]
:CBN_INPUT_ACCEPT - [0:0]
:CBN_INPUT_PRIMARY_NETWORK - [0:0]
:CBN_INPUT_REMOTEACCESS - [0:0]
:CBN_INPUT_SECONDARY_NETWORK - [0:0]
:CBN_MAC_FORWARD_IN_CHAIN - [0:0]
:CBN_TRUST_INPUT_L2SD0.4093 - [0:0]
:CBN_TRUST_INPUT_LAN0 - [0:0]
:CBN_TRUST_INPUT_MTA0 - [0:0]
:CBN_TRUST_INPUT_WAN0 - [0:0]
:DMZ_FORWARD_IN_CHAIN - [0:0]
:DMZ_FORWARD_OUT_CHAIN - [0:0]
:DMZ_INET_FORWARD_CHAIN - [0:0]
:DMZ_INPUT_CHAIN - [0:0]
:DMZ_LAN_FORWARD_CHAIN - [0:0]
:DMZ_OUTPUT_CHAIN - [0:0]
:EXT_BROADCAST_CHAIN - [0:0]
:EXT_FORWARD_IN_CHAIN - [0:0]
:EXT_FORWARD_OUT_CHAIN - [0:0]
:EXT_ICMP_FLOOD_CHAIN - [0:0]
:EXT_INPUT_CHAIN - [0:0]
:EXT_MULTICAST_CHAIN - [0:0]
:EXT_OUTPUT_CHAIN - [0:0]
:FORWARD_CHAIN - [0:0]
:HOST_BLOCK_DROP - [0:0]
:HOST_BLOCK_DST - [0:0]
:HOST_BLOCK_SRC - [0:0]
:INET_DMZ_FORWARD_CHAIN - [0:0]
:INPUT_CHAIN - [0:0]
:INT_FORWARD_IN_CHAIN - [0:0]
:INT_FORWARD_OUT_CHAIN - [0:0]
:INT_INPUT_CHAIN - [0:0]
:INT_OUTPUT_CHAIN - [0:0]
:LAN_INET_FORWARD_CHAIN - [0:0]
:OUTPUT_CHAIN - [0:0]
:POST_FORWARD_CHAIN - [0:0]
:POST_INPUT_CHAIN - [0:0]
:POST_INPUT_DROP_CHAIN - [0:0]
:POST_OUTPUT_CHAIN - [0:0]
:RESERVED_NET_CHK - [0:0]
:SPOOF_CHK - [0:0]
:VALID_CHK - [0:0]
:VPN_CHAIN - [0:0]
:ZONE_CBN_FILTER_FORWARD_DMZ - [0:0]
# INPUT: traffic addressed to the modem itself, evaluated top to bottom with a
# DROP policy. One 192.168.100.x host on sub-interface l2sd0.3000 and all
# traffic on l2sd0.4093 and lan0 are accepted outright (CBN_TRUST_INPUT_*);
# mta0 and wan0 are accepted except for DNS and for ICMP beyond the flood
# limit. What these interfaces carry is not stated in the dump.
-A INPUT -s 192.168.100.251/32 -i l2sd0.3000 -j ACCEPT
-A INPUT -i l2sd0.4093 -j CBN_TRUST_INPUT_L2SD0.4093
-A INPUT -i mta0 -j CBN_TRUST_INPUT_MTA0
-A INPUT -i wan0 -j CBN_TRUST_INPUT_WAN0
-A INPUT -i lan0 -j CBN_TRUST_INPUT_LAN0
# "IDS" hooks. Only CBN_IDS_ICMPFLOOD has rules, and those match wan0/mta0
# only, so in this capture none of these jumps affects erouter0 or l2sd0.2
# traffic. CBN_DSLITE_INPUT_CHAIN is empty as well.
-A INPUT ! -p igmp -j CBN_IDS_IPFRAG
-A INPUT -p tcp -j CBN_IDS_PSCAN
-A INPUT -i erouter0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CBN_IDS_IPFLOOD
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CBN_IDS_IPFLOOD_LAN
-A INPUT -p udp -j CBN_IDS_PSCAN_UDP
-A INPUT -i erouter0 -p icmp -j CBN_IDS_ICMPFLOOD
-A INPUT -i erouter0 -p ipencap -j CBN_DSLITE_INPUT_CHAIN
# Stateful accept of ESTABLISHED/RELATED and loopback, then the (empty)
# INPUT_CHAIN / HOST_BLOCK_SRC / VALID_CHK hooks, the anti-spoof check and the
# upstream multicast filter.
-A INPUT -j BASE_INPUT_CHAIN
-A INPUT -j INPUT_CHAIN
-A INPUT -j HOST_BLOCK_SRC
-A INPUT -j SPOOF_CHK
-A INPUT -i erouter0 -j VALID_CHK
-A INPUT -d 224.0.0.0/4 -i erouter0 -j EXT_MULTICAST_CHAIN
# NOTE(review): CBN_INPUT_ACCEPT is an unconditional ACCEPT, so every packet
# arriving on the upstream interface erouter0 that reaches this line is
# accepted regardless of protocol or destination port. The later rules scoped
# to erouter0 -- the 8443 REJECT in CBN_INPUT_REMOTEACCESS, all of
# EXT_INPUT_CHAIN (port-0, non-SYN, broadcast and "other connect" drops) and
# EXT_ICMP_FLOOD_CHAIN -- and the final LOG/DROP are unreachable for upstream
# traffic in this capture. The only upstream-side filtering in effect before
# this line is BASE_INPUT_CHAIN, SPOOF_CHK and EXT_MULTICAST_CHAIN. If
# exposing the modem's services toward upstream is not intended, this jump is
# the rule to remove or restrict.
-A INPUT -i erouter0 -j CBN_INPUT_ACCEPT
-A INPUT -i erouter0 -j CBN_INPUT_REMOTEACCESS
-A INPUT -i l2sd0.2 -j CBN_INPUT_PRIMARY_NETWORK
-A INPUT -i lsdbr2 -j CBN_INPUT_SECONDARY_NETWORK
# Upstream NEW connections: non-ICMP goes straight to EXT_INPUT_CHAIN; ICMP
# goes there through a 60/s (burst 100) limiter, with the excess going to the
# per-type ICMP flood logger/dropper.
-A INPUT -i erouter0 ! -p icmp -m state --state NEW -j EXT_INPUT_CHAIN
-A INPUT -i erouter0 -p icmp -m state --state NEW -m limit --limit 60/sec --limit-burst 100 -j EXT_INPUT_CHAIN
-A INPUT -i erouter0 -p icmp -m state --state NEW -j EXT_ICMP_FLOOD_CHAIN
# LAN-side access to the modem is governed by INT_INPUT_CHAIN; the ip6tnl1
# tunnel interface is accepted without further checks.
-A INPUT -i l2sd0.2 -j INT_INPUT_CHAIN
-A INPUT -i ip6tnl1 -j ACCEPT
-A INPUT -j POST_INPUT_CHAIN
# Catch-all: rate-limited log (1/min), then DROP (same as the chain policy).
-A INPUT -m limit --limit 1/min -j LOG --log-prefix "AIF:Dropped INPUT packet: " --log-level 6
-A INPUT -j DROP
# FORWARD: transit traffic, DROP policy. Two 192.168.100.x hosts on
# l2sd0.3000 and all layer-2 bridged frames bypass the rest of the chain.
-A FORWARD -s 192.168.100.251/32 -i l2sd0.3000 -j ACCEPT
-A FORWARD -s 192.168.100.254/32 -i l2sd0.3000 -j ACCEPT
-A FORWARD -j BRIDGED_TRAFFIC_CHAIN
# MAC-filter, VPN and "IDS" hooks: all empty chains in this capture.
-A FORWARD -i l2sd0.2 -j CBN_FILTER_MAC_FILTER
-A FORWARD -o erouter0 -j VPN_CHAIN
-A FORWARD ! -p igmp -j CBN_IDS_IPFRAG
-A FORWARD -p tcp -j CBN_IDS_PSCAN
-A FORWARD -i erouter0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CBN_IDS_IPFLOOD
-A FORWARD -p udp -j CBN_IDS_PSCAN_UDP
# Stateful accept (ESTABLISHED/RELATED), MSS clamp toward upstream, then the
# empty FORWARD_CHAIN / HOST_BLOCK hooks.
-A FORWARD -j BASE_FORWARD_CHAIN
-A FORWARD -o erouter0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -j FORWARD_CHAIN
-A FORWARD -j HOST_BLOCK_SRC
-A FORWARD -j HOST_BLOCK_DST
# NOTE(review): anything entering or leaving via ip6tnl1 (presumably the
# IPv4-in-IPv6 / DS-Lite tunnel, given the ipencap hook in INPUT -- confirm)
# is accepted here, ahead of SPOOF_CHK and the EXT_*/INT_*/LAN_INET chains,
# so none of the per-direction policy below applies to tunnelled traffic.
-A FORWARD -i ip6tnl1 -j ACCEPT
-A FORWARD -o ip6tnl1 -j ACCEPT
-A FORWARD -j CBN_FILTER_IN_CHAIN
-A FORWARD -j CBN_FILTER_OUT_CHAIN
# Upstream -> inside: EXT_FORWARD_IN_CHAIN accepts multicast and consults the
# port-forward, port-trigger and DMZ chains, which are empty here; NEW
# inbound flows therefore fall through to the LOG/DROP at the end.
-A FORWARD -i erouter0 -j EXT_FORWARD_IN_CHAIN
-A FORWARD -o erouter0 -j EXT_FORWARD_OUT_CHAIN
-A FORWARD -i l2sd0.2 -j INT_FORWARD_IN_CHAIN
-A FORWARD -o l2sd0.2 -j INT_FORWARD_OUT_CHAIN
-A FORWARD -j SPOOF_CHK
# LAN: intra-LAN forwarding is accepted; LAN -> upstream goes through
# LAN_INET_FORWARD_CHAIN (accept all, ping rate-limited).
-A FORWARD -i l2sd0.2 -o l2sd0.2 -j ACCEPT
-A FORWARD -i l2sd0.2 -o erouter0 -j LAN_INET_FORWARD_CHAIN
-A FORWARD -j POST_FORWARD_CHAIN
# Catch-all: rate-limited log (1/min, burst 3), then DROP.
-A FORWARD -m limit --limit 1/min --limit-burst 3 -j LOG --log-prefix "AIF:Dropped FORWARD packet: " --log-level 6
-A FORWARD -j DROP
# OUTPUT: locally generated traffic; ACCEPT policy plus an explicit ACCEPT at
# the end. Apart from BASE_OUTPUT_CHAIN's SYN-within-ESTABLISHED drop, nothing
# the modem itself sends is filtered: OUTPUT_CHAIN, HOST_BLOCK_DST,
# EXT_OUTPUT_CHAIN, INT_OUTPUT_CHAIN and POST_OUTPUT_CHAIN are all empty in
# this capture.
-A OUTPUT -j BASE_OUTPUT_CHAIN
-A OUTPUT -o erouter0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -j OUTPUT_CHAIN
-A OUTPUT -j HOST_BLOCK_DST
-A OUTPUT -o erouter0 -j EXT_OUTPUT_CHAIN
-A OUTPUT -o l2sd0.2 -j INT_OUTPUT_CHAIN
-A OUTPUT -j POST_OUTPUT_CHAIN
-A OUTPUT -j ACCEPT
# BASE_*: shared stateful core. A bare SYN (FIN,SYN,RST,ACK == SYN) that
# conntrack already associates with an ESTABLISHED flow is dropped; then
# ESTABLISHED is accepted, RELATED is accepted, and loopback is accepted.
# In BASE_FORWARD_CHAIN the unconditional RELATED accept on the last-but-one
# rule makes the preceding per-protocol RELATED rules (TCP/UDP only toward
# 1024-65535, ICMP, GRE) redundant; BASE_INPUT_CHAIN has no such catch-all,
# so RELATED TCP/UDP toward privileged ports is not accepted there.
-A BASE_FORWARD_CHAIN -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate ESTABLISHED -j DROP
-A BASE_FORWARD_CHAIN -m state --state ESTABLISHED -j ACCEPT
-A BASE_FORWARD_CHAIN -p tcp -m state --state RELATED -m tcp --dport 1024:65535 -j ACCEPT
-A BASE_FORWARD_CHAIN -p udp -m state --state RELATED -m udp --dport 1024:65535 -j ACCEPT
-A BASE_FORWARD_CHAIN -p icmp -m state --state RELATED -j ACCEPT
-A BASE_FORWARD_CHAIN -p gre -m state --state RELATED -j ACCEPT
-A BASE_FORWARD_CHAIN -m state --state RELATED -j ACCEPT
-A BASE_FORWARD_CHAIN -i lo -j ACCEPT
-A BASE_INPUT_CHAIN -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate ESTABLISHED -j DROP
-A BASE_INPUT_CHAIN -m state --state ESTABLISHED -j ACCEPT
-A BASE_INPUT_CHAIN -p tcp -m state --state RELATED -m tcp --dport 1024:65535 -j ACCEPT
-A BASE_INPUT_CHAIN -p udp -m state --state RELATED -m udp --dport 1024:65535 -j ACCEPT
-A BASE_INPUT_CHAIN -p icmp -m state --state RELATED -j ACCEPT
-A BASE_INPUT_CHAIN -i lo -j ACCEPT
# BASE_OUTPUT_CHAIN: same SYN-in-ESTABLISHED drop, ESTABLISHED and loopback
# accepted; RELATED is left to the OUTPUT policy (ACCEPT).
-A BASE_OUTPUT_CHAIN -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate ESTABLISHED -j DROP
-A BASE_OUTPUT_CHAIN -m state --state ESTABLISHED -j ACCEPT
-A BASE_OUTPUT_CHAIN -o lo -j ACCEPT
# BRIDGED_TRAFFIC_CHAIN: layer-2 bridged frames skip the rest of FORWARD.
-A BRIDGED_TRAFFIC_CHAIN -m physdev --physdev-is-bridged -j ACCEPT
# CBN_DROP_LAN_TO_*: LAN-side access restrictions toward modem-internal
# addresses, used from INT_INPUT_CHAIN. Addresses are reproduced as captured;
# 0.3.87.92 is an unusual (0.0.0.0/8) address -- confirm on a live unit
# whether it is real or a capture artefact.
-A CBN_DROP_LAN_TO_CBN_INT -d 192.168.100.250/32 -j DROP
-A CBN_DROP_LAN_TO_HOST_EROUTER -d 172.22.222.11/32 -j DROP
-A CBN_DROP_LAN_TO_HOST_HFC -d 0.3.87.92/32 -j DROP
-A CBN_DROP_LAN_TO_HOST_HFC -d 10.52.131.83/32 -j DROP
# LAN to the 192.168.100.1 address: only ICMP, SSH (22), telnet (23), HTTP (80)
# and SNMP (161) are allowed; everything else is dropped.
-A CBN_DROP_LAN_TO_HOST_LAN -p icmp -j ACCEPT
-A CBN_DROP_LAN_TO_HOST_LAN -p tcp -m tcp --dport 22 -j ACCEPT
-A CBN_DROP_LAN_TO_HOST_LAN -p tcp -m tcp --dport 23 -j ACCEPT
-A CBN_DROP_LAN_TO_HOST_LAN -p tcp -m tcp --dport 80 -j ACCEPT
-A CBN_DROP_LAN_TO_HOST_LAN -p udp -m udp --dport 161 -j ACCEPT
-A CBN_DROP_LAN_TO_HOST_LAN -j DROP
# The RPC address is reachable only from 192.168.254.254.
-A CBN_DROP_LAN_TO_HOST_RPC ! -s 192.168.254.254/32 -j DROP
# CBN_IDS_ICMPFLOOD: up to 15/s (burst 15) ICMP passes (RETURN) on wan0 and
# mta0; the excess is logged at 5/min and dropped. No rule matches erouter0,
# so the jump from INPUT for erouter0 ICMP is a no-op in this capture.
-A CBN_IDS_ICMPFLOOD -i wan0 -m limit --limit 15/sec --limit-burst 15 -j RETURN
-A CBN_IDS_ICMPFLOOD -i wan0 -m limit --limit 5/min -j LOG --log-prefix "ICMP Flood: " --log-level 5
-A CBN_IDS_ICMPFLOOD -i wan0 -j DROP
-A CBN_IDS_ICMPFLOOD -i mta0 -m limit --limit 15/sec --limit-burst 15 -j RETURN
-A CBN_IDS_ICMPFLOOD -i mta0 -m limit --limit 5/min -j LOG --log-prefix "ICMP Flood: " --log-level 5
-A CBN_IDS_ICMPFLOOD -i mta0 -j DROP
# CBN_INPUT_ACCEPT is an unconditional ACCEPT. INPUT jumps to it for all
# erouter0 traffic before it jumps to CBN_INPUT_REMOTEACCESS, and nothing else
# jumps to the latter, so the 8443 REJECT below cannot match in this capture.
-A CBN_INPUT_ACCEPT -j ACCEPT
-A CBN_INPUT_REMOTEACCESS -p tcp -m tcp --dport 8443 -j REJECT --reject-with icmp-host-unreachable
# CBN_TRUST_INPUT_*: l2sd0.4093 and lan0 are fully trusted. mta0 and wan0 go
# through the ICMP flood limiter, are refused DNS (53/udp and 53/tcp) and are
# otherwise accepted.
-A CBN_TRUST_INPUT_L2SD0.4093 -j ACCEPT
-A CBN_TRUST_INPUT_LAN0 -j ACCEPT
-A CBN_TRUST_INPUT_MTA0 -p icmp -j CBN_IDS_ICMPFLOOD
-A CBN_TRUST_INPUT_MTA0 -p udp -m udp --dport 53 -j DROP
-A CBN_TRUST_INPUT_MTA0 -p tcp -m tcp --dport 53 -j DROP
-A CBN_TRUST_INPUT_MTA0 -j ACCEPT
-A CBN_TRUST_INPUT_WAN0 -p icmp -j CBN_IDS_ICMPFLOOD
-A CBN_TRUST_INPUT_WAN0 -p udp -m udp --dport 53 -j DROP
-A CBN_TRUST_INPUT_WAN0 -p tcp -m tcp --dport 53 -j DROP
-A CBN_TRUST_INPUT_WAN0 -j ACCEPT
# EXT_BROADCAST_CHAIN: log-and-drop for packets to the limited broadcast
# address (reached from EXT_INPUT_CHAIN). Logging is split by privileged /
# unprivileged port. Note the UDP "UNPRIV" rule matches --dport 1024 only,
# not 1024:65535 as its TCP sibling does, so unprivileged UDP broadcasts above
# port 1024 are dropped without being logged.
-A EXT_BROADCAST_CHAIN -p tcp -m tcp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV TCP broadcast: " --log-level 6
-A EXT_BROADCAST_CHAIN -p udp -m udp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV UDP broadcast: " --log-level 6
-A EXT_BROADCAST_CHAIN -p tcp -m tcp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV TCP broadcast: " --log-level 6
-A EXT_BROADCAST_CHAIN -p udp -m udp --dport 1024 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV UDP broadcast: " --log-level 6
-A EXT_BROADCAST_CHAIN -j DROP
# EXT_FORWARD_IN_CHAIN: upstream -> inside. Multicast is accepted; VALID_CHK
# and the port-forward, port-trigger and DMZ chains are empty in this capture,
# so the chain otherwise returns to FORWARD.
-A EXT_FORWARD_IN_CHAIN -d 224.0.0.0/4 -i erouter0 -j ACCEPT
-A EXT_FORWARD_IN_CHAIN -j VALID_CHK
-A EXT_FORWARD_IN_CHAIN -i erouter0 -j CBN_FILTER_PORT_FORWARD
-A EXT_FORWARD_IN_CHAIN -i erouter0 -j CBN_FILTER_PORT_TRIGGER
-A EXT_FORWARD_IN_CHAIN -i erouter0 -j ZONE_CBN_FILTER_FORWARD_DMZ
# EXT_ICMP_FLOOD_CHAIN: per-type logging (12/hour, burst 1) and drop for ICMP
# that exceeded the 60/s NEW limiter in INPUT.
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 3 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-unreachable flood: " --log-level 6
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 3 -j POST_INPUT_DROP_CHAIN
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 11 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-time-exceeded fld: " --log-level 6
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 11 -j POST_INPUT_DROP_CHAIN
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 12 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-param-problem fld: " --log-level 6
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 12 -j POST_INPUT_DROP_CHAIN
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-request(ping) fld: " --log-level 6
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 8 -j POST_INPUT_DROP_CHAIN
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 0 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-reply(pong) flood: " --log-level 6
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 0 -j POST_INPUT_DROP_CHAIN
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 4 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-source-quench fld: " --log-level 6
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 4 -j POST_INPUT_DROP_CHAIN
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP(other) flood: " --log-level 6
-A EXT_ICMP_FLOOD_CHAIN -p icmp -j POST_INPUT_DROP_CHAIN
# EXT_INPUT_CHAIN: the intended policy for NEW connections from upstream.
# Port 0 as source or destination is logged and dropped; DHCP replies
# (67 -> 68), SSH (22), HTTP (80), SNMP (161) and echo requests up to 20/s are
# accepted; TCP that is not a pure SYN is dropped; limited broadcast goes to
# EXT_BROADCAST_CHAIN; everything else is logged by class (rate-limited) and
# dropped. Even as designed this opens SSH, HTTP and SNMP on the modem toward
# upstream -- worth confirming that is intended.
# NOTE(review): INPUT only jumps here for erouter0 traffic, and does so after
# an unconditional ACCEPT for that interface (CBN_INPUT_ACCEPT), so in this
# capture none of these rules is reachable.
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "AIF:Port 0 OS fingerprint: " --log-level 6
-A EXT_INPUT_CHAIN -p udp -m udp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "AIF:Port 0 OS fingerprint: " --log-level 6
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0 -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p udp -m udp --dport 0 -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p tcp -m tcp --sport 0 -m limit --limit 6/hour -j LOG --log-prefix "AIF:TCP source port 0: " --log-level 6
-A EXT_INPUT_CHAIN -p udp -m udp --sport 0 -m limit --limit 6/hour -j LOG --log-prefix "AIF:UDP source port 0: " --log-level 6
-A EXT_INPUT_CHAIN -p tcp -m tcp --sport 0 -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p udp -m udp --sport 0 -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 22 -j ACCEPT
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 80 -j ACCEPT
-A EXT_INPUT_CHAIN -p udp -m udp --dport 161 -j ACCEPT
-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 20/sec --limit-burst 100 -j ACCEPT
# NEW TCP that is not a bare SYN is dropped without logging.
-A EXT_INPUT_CHAIN -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -d 255.255.255.255/32 -j EXT_BROADCAST_CHAIN
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV TCP packet: " --log-level 6
-A EXT_INPUT_CHAIN -p udp -m udp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV UDP packet: " --log-level 6
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV TCP packet: " --log-level 6
-A EXT_INPUT_CHAIN -p udp -m udp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV UDP packet: " --log-level 6
-A EXT_INPUT_CHAIN -p igmp -m limit --limit 1/min -j LOG --log-prefix "AIF:IGMP packet: " --log-level 6
# POST_INPUT_CHAIN is an empty hook; the chain then drops by protocol.
-A EXT_INPUT_CHAIN -j POST_INPUT_CHAIN
-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-request: " --log-level 6
-A EXT_INPUT_CHAIN -p icmp -m icmp ! --icmp-type 8 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-other: " --log-level 6
-A EXT_INPUT_CHAIN -p tcp -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p udp -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p igmp -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p icmp -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -m limit --limit 1/min -j LOG --log-prefix "AIF:Other connect: " --log-level 6
-A EXT_INPUT_CHAIN -j POST_INPUT_DROP_CHAIN
# EXT_MULTICAST_CHAIN: link-local multicast (224.0.0.0/24) from upstream is
# accepted; all other multicast is logged by class and dropped. The UDP
# "UNPRIV" log rule has the same single-port --dport 1024 quirk as in
# EXT_BROADCAST_CHAIN (its TCP sibling uses 1024:65535).
-A EXT_MULTICAST_CHAIN -d 224.0.0.0/24 -i erouter0 -j ACCEPT
-A EXT_MULTICAST_CHAIN -p tcp -m tcp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV TCP multicast: " --log-level 6
-A EXT_MULTICAST_CHAIN -p udp -m udp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV UDP multicast: " --log-level 6
-A EXT_MULTICAST_CHAIN -p tcp -m tcp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV TCP multicast: " --log-level 6
-A EXT_MULTICAST_CHAIN -p udp -m udp --dport 1024 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV UDP multicast: " --log-level 6
-A EXT_MULTICAST_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-multicast-request: " --log-level 6
-A EXT_MULTICAST_CHAIN -p icmp -m icmp ! --icmp-type 8 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-multicast-other: " --log-level 6
-A EXT_MULTICAST_CHAIN -j DROP
# HOST_BLOCK_DROP: log-and-drop helper. Nothing jumps to it in this capture
# (HOST_BLOCK_SRC and HOST_BLOCK_DST are empty).
-A HOST_BLOCK_DROP -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "AIF:Blocked host(s): " --log-level 6
-A HOST_BLOCK_DROP -j DROP
# INT_FORWARD_IN_CHAIN: LAN-side port-forward hook (the target chain is empty).
-A INT_FORWARD_IN_CHAIN -i l2sd0.2 -j CBN_FILTER_PORT_FORWARD_LAN
# INT_INPUT_CHAIN: LAN -> modem. Access to the HFC, eRouter, RPC and internal
# addresses is restricted via the CBN_DROP_LAN_TO_* chains, 192.168.100.1 is
# limited to a service allow-list, echo requests are capped at 20/s (excess
# logged and dropped), and everything else is ACCEPTed -- any other modem
# address and port is reachable from the LAN.
-A INT_INPUT_CHAIN -j CBN_DROP_LAN_TO_HOST_HFC
-A INT_INPUT_CHAIN -j CBN_DROP_LAN_TO_HOST_EROUTER
-A INT_INPUT_CHAIN -d 192.168.100.1/32 -j CBN_DROP_LAN_TO_HOST_LAN
-A INT_INPUT_CHAIN -d 192.168.254.253/32 -j CBN_DROP_LAN_TO_HOST_RPC
-A INT_INPUT_CHAIN -d 192.168.100.250/32 -j CBN_DROP_LAN_TO_CBN_INT
-A INT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 20/sec --limit-burst 100 -j ACCEPT
-A INT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-request: " --log-level 6
-A INT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -j DROP
-A INT_INPUT_CHAIN -j ACCEPT
# LAN_INET_FORWARD_CHAIN: LAN -> upstream. Echo requests capped at 20/s
# (burst 100), excess logged and dropped; everything else accepted (the
# tcp/udp rules are redundant with the final ACCEPT).
-A LAN_INET_FORWARD_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 20/sec --limit-burst 100 -j ACCEPT
-A LAN_INET_FORWARD_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-request: " --log-level 6
-A LAN_INET_FORWARD_CHAIN -p icmp -m icmp --icmp-type 8 -j DROP
-A LAN_INET_FORWARD_CHAIN -p tcp -j ACCEPT
-A LAN_INET_FORWARD_CHAIN -p udp -j ACCEPT
-A LAN_INET_FORWARD_CHAIN -j ACCEPT
# POST_INPUT_DROP_CHAIN: plain DROP, the terminal target of the EXT_* chains
# and SPOOF_CHK.
-A POST_INPUT_DROP_CHAIN -j DROP
# SPOOF_CHK (used from INPUT and FORWARD): a 192.168.0.0/24 source is only
# legitimate on l2sd0.2; on any other interface it is logged (3/min) and
# dropped. Other private ranges referenced elsewhere in this ruleset
# (192.168.100.0/24, 192.168.254.0/24, 172.22.222.0/24, 10.0.0.0/8) are not
# covered by this check.
-A SPOOF_CHK -s 192.168.0.0/24 -i l2sd0.2 -j RETURN
-A SPOOF_CHK -s 192.168.0.0/24 -m limit --limit 3/min -j LOG --log-prefix "AIF:Spoofed packet: " --log-level 6
-A SPOOF_CHK -s 192.168.0.0/24 -j POST_INPUT_DROP_CHAIN
-A SPOOF_CHK -j RETURN
COMMIT