# Live nftables ruleset generated by OpenWrt fw4 (every rule carries a "!fw4:"
# comment) and dumped with counters: the "counter packets N bytes M" values are
# runtime state, not configuration.
# NOTE(review): this dump is presumably not the source of truth — fw4 regenerates
# the table on reload, so any change made here with `nft` directly is expected to be
# lost; make persistent changes in the fw4/UCI firewall configuration and confirm.
table inet fw4 {
	# Flow offload for all four LAN ports and both WAN devices. "flags offload"
	# requests hardware offload. Per nftables flowtable semantics, packets of a
	# flow that was added from the forward chain bypass the filter chains below,
	# so rule changes do not retroactively apply to already-offloaded flows.
	flowtable ft {
		hook ingress priority filter
		devices = { lan1, lan2, lan3, lan4, pppoe-wan, wan }
		flags offload
		counter
	}

	# Traffic addressed to the router itself. Policy is drop, but the final
	# unconditional jump to handle_reject means anything not accepted above is
	# actively rejected (TCP RST / ICMP unreachable) rather than silently dropped,
	# which confirms the host's presence to a scanner. This is fw4's default.
	chain input {
		type filter hook input priority filter; policy drop;
		iif "lo" accept comment "!fw4: Accept traffic from loopback"
		ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
		# Only initial SYNs (SYN set, ACK/FIN/RST clear) go through the rate limiter.
		tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
		iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
		iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
		jump handle_reject
	}

	# Routed traffic between zones. Same drop-then-reject structure as input.
	chain forward {
		type filter hook forward priority filter; policy drop;
		# Offload candidate is evaluated before the state check. NOTE(review): the
		# kernel is understood to only offload established flows, so new
		# connections still traverse the zone rules below — verify against the
		# nftables flowtable documentation for the running kernel.
		meta l4proto { tcp, udp } flow add @ft
		ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
		iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
		iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
		jump handle_reject
	}

	# Traffic originated by the router: policy accept, no restrictions beyond
	# the zone chains (which themselves accept everything).
	chain output {
		type filter hook output priority filter; policy accept;
		oif "lo" accept comment "!fw4: Accept traffic towards loopback"
		ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
		oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
		oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
	}

	# Conntrack helper assignment hook; helper_lan is empty, so no ALGs are attached.
	chain prerouting {
		type filter hook prerouting priority filter; policy accept;
		iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
	}

	# Active reject: RST for TCP, ICMP/ICMPv6 unreachable for everything else.
	chain handle_reject {
		meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
		reject comment "!fw4: Reject any other traffic"
	}

	# SYN rate limiter: 25 SYN/s with a burst of 50 are returned to the caller
	# for normal processing; excess SYNs are dropped outright.
	chain syn_flood {
		limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
		drop comment "!fw4: Drop excess packets"
	}

	# LAN zone: everything from br-lan to the router is accepted.
	chain input_lan {
		jump accept_from_lan
	}

	chain output_lan {
		jump accept_to_lan
	}

	# LAN may forward to WAN and to LAN (accept_to_wan, then accept_to_lan).
	chain forward_lan {
		jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
		jump accept_to_lan
	}

	chain helper_lan {
	}

	chain accept_from_lan {
		iifname "br-lan" counter packets 1004587 bytes 1443831784 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
	}

	chain accept_to_lan {
		oifname "br-lan" counter packets 154610 bytes 11048356 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
	}

	# WAN zone input: the fw4 default allow-list (DHCP/DHCPv6 renew, ping, IGMP,
	# link-local MLD, essential ICMPv6 with a 1000/s limit) plus one custom rule,
	# then an active reject of everything else.
	chain input_wan {
		meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
		# Unrestricted echo-request from WAN (fw4 default); 3698 hits so far.
		icmp type echo-request counter packets 3698 bytes 254685 accept comment "!fw4: Allow-Ping"
		meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP"
		meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
		# MLD only from link-local sources.
		ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . 0, mld-listener-report . 0, mld-listener-done . 0, mld2-listener-report . 0 } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second burst 5 packets counter packets 6754 bytes 381368 accept comment "!fw4: Allow-ICMPv6-Input"
		icmpv6 type . icmpv6 code { packet-too-big . 0, parameter-problem . 0, nd-neighbor-solicit . 0, nd-neighbor-advert . 0, parameter-problem . 1 } limit rate 1000/second burst 5 packets counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
		# NOTE(review): non-default rule. Opens TCP/5049 on the router to ANY WAN
		# source, for both IPv4 and IPv6 (no nfproto or saddr match), and the
		# counter shows it has already been hit. It is labelled "tmp": restrict it
		# to the administrator's source address (add an `ip saddr` / `ip6 saddr`
		# match in the fw4 rule) or remove it once no longer needed, and confirm the
		# listener behind it (presumably sshd) only accepts key-based authentication.
		tcp dport 5049 counter packets 6 bytes 360 accept comment "!fw4: tharyrok tmp ssh"
		jump reject_from_wan
	}

	chain output_wan {
		jump accept_to_wan
	}

	# WAN zone forward (inbound to LAN): essential ICMPv6, then IPsec ESP and
	# ISAKMP (UDP/500) to ANY LAN host (fw4 defaults, 0 hits so far). Everything
	# else is actively rejected; note there is no DNAT, so these are the only
	# unsolicited inbound paths to the LAN and they only matter for native IPv6
	# (IPv4 is masqueraded below).
	# NOTE(review): if no IPsec endpoint lives on the LAN, consider disabling the
	# ESP/ISAKMP defaults to shrink the exposed surface — confirm with the owner.
	chain forward_wan {
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second burst 5 packets counter packets 121 bytes 9272 accept comment "!fw4: Allow-ICMPv6-Forward"
		icmpv6 type . icmpv6 code { packet-too-big . 0, parameter-problem . 0, parameter-problem . 1 } limit rate 1000/second burst 5 packets counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
		udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
		jump reject_to_wan
	}

	# Drops IPv4 packets with an invalid conntrack state before they leave via
	# WAN so they cannot escape un-NATed (27115 dropped so far), then accepts.
	chain accept_to_wan {
		meta nfproto ipv4 oifname "pppoe-wan" ct state invalid counter packets 27115 bytes 1305143 drop comment "!fw4: Prevent NAT leakage"
		oifname "pppoe-wan" counter packets 430674 bytes 159292423 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
	}

	# 18310 unsolicited WAN packets rejected so far.
	chain reject_from_wan {
		iifname "pppoe-wan" counter packets 18310 bytes 5381220 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
	}

	chain reject_to_wan {
		oifname "pppoe-wan" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
	}

	# No port forwards / DNAT configured.
	chain dstnat {
		type nat hook prerouting priority dstnat; policy accept;
	}

	# Source NAT only for IPv4 towards WAN; IPv6 is routed natively.
	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "pppoe-wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
	}

	chain srcnat_wan {
		meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
	}

	chain raw_prerouting {
		type filter hook prerouting priority raw; policy accept;
	}

	chain raw_output {
		type filter hook output priority raw; policy accept;
	}

	chain mangle_prerouting {
		type filter hook prerouting priority mangle; policy accept;
	}

	# TCP MSS clamping to the route MTU on SYNs leaving via WAN (PPPoE has a
	# smaller MTU than Ethernet).
	chain mangle_postrouting {
		type filter hook postrouting priority mangle; policy accept;
		oifname "pppoe-wan" tcp flags & (fin | syn | rst) == syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
	}

	chain mangle_input {
		type filter hook input priority mangle; policy accept;
	}

	chain mangle_output {
		type route hook output priority mangle; policy accept;
	}

	# Same MSS clamp for SYNs arriving from WAN.
	chain mangle_forward {
		type filter hook forward priority mangle; policy accept;
		iifname "pppoe-wan" tcp flags & (fin | syn | rst) == syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
	}
}