No rules in ipv4 firewall iptable chains

professor_jonny · February 24, 2022, 12:04pm

Hi I have no rules in my ipv4 firewall iptables chains except mwan3, but in my ipv6 chains all the stuff set in my firewall seems to be there.

Im using fw3 with banip and noticed I could not pick input/ forward lan and wan rules with ipv4 but can with ipv6 alearting me to the fault.

any idea how imay go about fixing this this ?

i also get this:
Warning: iptables-legacy tables present, use iptables-legacy-save to see them

anon50098793 · February 24, 2022, 12:37pm

opkg list-installed | grep sqm-scripts
grep BUILD_ID /etc/os-release

professor_jonny · February 24, 2022, 5:43pm

Hi this is the output:

root@OpenWrt:~# opkg list-installed | grep sqm-scripts
sqm-scripts - 1.5.1-3
root@OpenWrt:~# grep BUILD_ID /etc/os-release
BUILD_ID="r19032-563552a077"

professor_jonny · March 1, 2022, 10:09am

below is the output of the iptables and firewall.
is my problem that my rules are in the legacy tables?
I dont really understand but we are in transition to fw4 and do i need to update to fw4 ? as I believe some of my installed stuff wont operate under fw4 like bcp38, and qos over nftables etc...

root@OpenWrt:~# iptables-save
# Generated by iptables-save v1.8.7 on Tue Mar  1 23:03:09 2022
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:mwan3_connected - [0:0]
:mwan3_hook - [0:0]
:mwan3_iface_in_Wan - [0:0]
:mwan3_ifaces_in - [0:0]
:mwan3_policy_Wan_Wwan - [0:0]
:mwan3_policy_Wan_only - [0:0]
:mwan3_policy_Wwan_Wan - [0:0]
:mwan3_policy_Wwan_only - [0:0]
:mwan3_policy_balanced - [0:0]
:mwan3_rule_https - [0:0]
:mwan3_rules - [0:0]
-A PREROUTING -j mwan3_hook
-A OUTPUT -j mwan3_hook
-A mwan3_connected -m set --match-set mwan3_connected dst -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j CONNMARK --restore-mark --nfmask 0x3f00 --ctmask 0x3f00
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_ifaces_in
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_connected
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_rules
-A mwan3_hook -j CONNMARK --save-mark --nfmask 0x3f00 --ctmask 0x3f00
-A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_connected
-A mwan3_iface_in_Wan -i wan -m set --match-set mwan3_connected src -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_iface_in_Wan -i wan -m mark --mark 0x0/0x3f00 -m comment --comment Wan -j MARK --set-xmark 0x100/0x3f00
-A mwan3_ifaces_in -m mark --mark 0x0/0x3f00 -j mwan3_iface_in_Wan
-A mwan3_policy_Wan_Wwan -m mark --mark 0x0/0x3f00 -m comment --comment "Wan 3 3" -j MARK --set-xmark 0x100/0x3f00
-A mwan3_policy_Wan_only -m mark --mark 0x0/0x3f00 -m comment --comment "Wan 3 3" -j MARK --set-xmark 0x100/0x3f00
-A mwan3_policy_Wwan_Wan -m mark --mark 0x0/0x3f00 -m comment --comment "Wan 3 3" -j MARK --set-xmark 0x100/0x3f00
-A mwan3_policy_Wwan_only -m mark --mark 0x0/0x3f00 -m comment --comment unreachable -j MARK --set-xmark 0x3e00/0x3f00
-A mwan3_policy_balanced -m mark --mark 0x0/0x3f00 -m comment --comment "Wan 3 3" -j MARK --set-xmark 0x100/0x3f00
-A mwan3_rule_https -m mark --mark 0x0/0x3f00 -j mwan3_policy_Wan_only
-A mwan3_rule_https -m mark ! --mark 0xfc00/0xfc00 -j SET --del-set mwan3_sticky_https src,src
-A mwan3_rule_https -m mark ! --mark 0xfc00/0xfc00 -j SET --add-set mwan3_sticky_https src,src
-A mwan3_rules -p tcp -m multiport --dports 443 -m mark --mark 0x0/0x3f00 -j mwan3_rule_https
-A mwan3_rules -m mark --mark 0x0/0x3f00 -j mwan3_policy_Wan_only
COMMIT
# Completed on Tue Mar  1 23:03:09 2022
# Generated by iptables-save v1.8.7 on Tue Mar  1 23:03:09 2022
*filter
:INPUT ACCEPT [182417:32526286]
:FORWARD ACCEPT [6439686:4902533909]
:OUTPUT ACCEPT [162141:26633666]
COMMIT
# Completed on Tue Mar  1 23:03:09 2022
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them

root@OpenWrt:~# ip6tables-save
# Generated by ip6tables-save v1.8.7 on Tue Mar  1 23:05:12 2022
*mangle
:PREROUTING ACCEPT [41:6007]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A FORWARD -o wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone Wan_Zone MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone Wan_Zone MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Tue Mar  1 23:05:12 2022
# Generated by ip6tables-save v1.8.7 on Tue Mar  1 23:05:12 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_Adults_Zone_rule - [0:0]
:forwarding_Kids_Zone_rule - [0:0]
:forwarding_Wan_Zone_rule - [0:0]
:forwarding_rule - [0:0]
:input_Adults_Zone_rule - [0:0]
:input_Kids_Zone_rule - [0:0]
:input_Wan_Zone_rule - [0:0]
:input_rule - [0:0]
:output_Adults_Zone_rule - [0:0]
:output_Kids_Zone_rule - [0:0]
:output_Wan_Zone_rule - [0:0]
:output_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_Adults_Zone_dest_ACCEPT - [0:0]
:zone_Adults_Zone_forward - [0:0]
:zone_Adults_Zone_input - [0:0]
:zone_Adults_Zone_output - [0:0]
:zone_Adults_Zone_src_ACCEPT - [0:0]
:zone_Kids_Zone_dest_ACCEPT - [0:0]
:zone_Kids_Zone_dest_REJECT - [0:0]
:zone_Kids_Zone_forward - [0:0]
:zone_Kids_Zone_input - [0:0]
:zone_Kids_Zone_output - [0:0]
:zone_Kids_Zone_src_ACCEPT - [0:0]
:zone_Wan_Zone_dest_ACCEPT - [0:0]
:zone_Wan_Zone_dest_REJECT - [0:0]
:zone_Wan_Zone_forward - [0:0]
:zone_Wan_Zone_input - [0:0]
:zone_Wan_Zone_output - [0:0]
:zone_Wan_Zone_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-Adults_Lan -m comment --comment "!fw3" -j zone_Adults_Zone_input
-A INPUT -i wan -m comment --comment "!fw3" -j zone_Wan_Zone_input
-A INPUT -i br-Kids_Lan -m comment --comment "!fw3" -j zone_Kids_Zone_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -i br-Adults_Lan -m comment --comment "!fw3" -j zone_Adults_Zone_forward
-A FORWARD -i wan -m comment --comment "!fw3" -j zone_Wan_Zone_forward
-A FORWARD -i br-Kids_Lan -m comment --comment "!fw3" -j zone_Kids_Zone_forward
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-Adults_Lan -m comment --comment "!fw3" -j zone_Adults_Zone_output
-A OUTPUT -o wan -m comment --comment "!fw3" -j zone_Wan_Zone_output
-A OUTPUT -o br-Kids_Lan -m comment --comment "!fw3" -j zone_Kids_Zone_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
-A syn_flood -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_Adults_Zone_dest_ACCEPT -o br-Adults_Lan -m comment --comment "!fw3" -j ACCEPT
-A zone_Adults_Zone_forward -m comment --comment "!fw3: Custom Adults_Zone forwarding rule chain" -j forwarding_Adults_Zone_rule
-A zone_Adults_Zone_forward -m comment --comment "!fw3: Zone Adults_Zone to Wan_Zone forwarding policy" -j zone_Wan_Zone_dest_ACCEPT
-A zone_Adults_Zone_forward -m comment --comment "!fw3" -j zone_Adults_Zone_dest_ACCEPT
-A zone_Adults_Zone_input -m comment --comment "!fw3: Custom Adults_Zone input rule chain" -j input_Adults_Zone_rule
-A zone_Adults_Zone_input -m comment --comment "!fw3" -j zone_Adults_Zone_src_ACCEPT
-A zone_Adults_Zone_output -m comment --comment "!fw3: Custom Adults_Zone output rule chain" -j output_Adults_Zone_rule
-A zone_Adults_Zone_output -m comment --comment "!fw3" -j zone_Adults_Zone_dest_ACCEPT
-A zone_Adults_Zone_src_ACCEPT -i br-Adults_Lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_Kids_Zone_dest_ACCEPT -o br-Kids_Lan -m comment --comment "!fw3" -j ACCEPT
-A zone_Kids_Zone_dest_REJECT -o br-Kids_Lan -m comment --comment "!fw3" -j reject
-A zone_Kids_Zone_forward -m comment --comment "!fw3: Custom Kids_Zone forwarding rule chain" -j forwarding_Kids_Zone_rule
-A zone_Kids_Zone_forward -m comment --comment "!fw3: Zone Kids_Zone to Wan_Zone forwarding policy" -j zone_Wan_Zone_dest_ACCEPT
-A zone_Kids_Zone_forward -m comment --comment "!fw3" -j zone_Kids_Zone_dest_ACCEPT
-A zone_Kids_Zone_input -m comment --comment "!fw3: Custom Kids_Zone input rule chain" -j input_Kids_Zone_rule
-A zone_Kids_Zone_input -m comment --comment "!fw3" -j zone_Kids_Zone_src_ACCEPT
-A zone_Kids_Zone_output -m comment --comment "!fw3: Custom Kids_Zone output rule chain" -j output_Kids_Zone_rule
-A zone_Kids_Zone_output -m comment --comment "!fw3" -j zone_Kids_Zone_dest_ACCEPT
-A zone_Kids_Zone_src_ACCEPT -i br-Kids_Lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_Wan_Zone_dest_ACCEPT -o wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_Wan_Zone_dest_ACCEPT -o wan -m comment --comment "!fw3" -j ACCEPT
-A zone_Wan_Zone_dest_REJECT -o wan -m comment --comment "!fw3" -j reject
-A zone_Wan_Zone_forward -m comment --comment "!fw3: Custom Wan_Zone forwarding rule chain" -j forwarding_Wan_Zone_rule
-A zone_Wan_Zone_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_Wan_Zone_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_Wan_Zone_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_Wan_Zone_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_Wan_Zone_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_Wan_Zone_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_Wan_Zone_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_Wan_Zone_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_Adults_Zone_dest_ACCEPT
-A zone_Wan_Zone_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_Adults_Zone_dest_ACCEPT
-A zone_Wan_Zone_forward -p tcp -m time --timestart 02:30:00 --timestop 06:30:00 --kerneltz -m comment --comment "!fw3: Kids_Block" -j zone_Kids_Zone_dest_REJECT
-A zone_Wan_Zone_forward -p udp -m time --timestart 02:30:00 --timestop 06:30:00 --kerneltz -m comment --comment "!fw3: Kids_Block" -j zone_Kids_Zone_dest_REJECT
-A zone_Wan_Zone_forward -m comment --comment "!fw3" -j zone_Wan_Zone_dest_REJECT
-A zone_Wan_Zone_input -m comment --comment "!fw3: Custom Wan_Zone input rule chain" -j input_Wan_Zone_rule
-A zone_Wan_Zone_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
-A zone_Wan_Zone_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_Wan_Zone_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_Wan_Zone_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_Wan_Zone_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_Wan_Zone_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_Wan_Zone_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_Wan_Zone_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_Wan_Zone_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_Wan_Zone_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_Wan_Zone_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_Wan_Zone_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_Wan_Zone_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_Wan_Zone_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_Wan_Zone_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_Wan_Zone_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_Wan_Zone_input -m comment --comment "!fw3" -j zone_Wan_Zone_src_REJECT
-A zone_Wan_Zone_output -m comment --comment "!fw3: Custom Wan_Zone output rule chain" -j output_Wan_Zone_rule
-A zone_Wan_Zone_output -m comment --comment "!fw3" -j zone_Wan_Zone_dest_ACCEPT
-A zone_Wan_Zone_src_REJECT -i wan -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Tue Mar  1 23:05:12 2022

root@OpenWrt:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='Adults_Lan'
firewall.@zone[0].name='Adults_Zone'
firewall.@zone[1]=zone
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].name='Wan_Zone'
firewall.@zone[1].network='Wan' 'Wan6' 'Wwan'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='Adults_Zone'
firewall.@forwarding[0].dest='Wan_Zone'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[0].src='Wan_Zone'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[1].src='Wan_Zone'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[2].src='Wan_Zone'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[3].src='Wan_Zone'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[4].src='Wan_Zone'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[5].src='Wan_Zone'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[6].src='Wan_Zone'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[7].dest='Adults_Zone'
firewall.@rule[7].src='Wan_Zone'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[8].dest='Adults_Zone'
firewall.@rule[8].src='Wan_Zone'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[2].network='Kids_Lan'
firewall.@zone[2].name='Kids_Zone'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='Kids_Zone'
firewall.@forwarding[1].dest='Wan_Zone'
firewall.@rule[9]=rule
firewall.@rule[9].name='Mr_Sparkle_in'
firewall.@rule[9].dest_ip='192.168.1.10'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].proto='all'
firewall.@rule[9].src='Kids_Zone'
firewall.@rule[9].dest='Adults_Zone'
firewall.@rule[9].family='ipv4'
firewall.@rule[10]=rule
firewall.@rule[10].proto='all'
firewall.@rule[10].name='Mr_Sparkle_out'
firewall.@rule[10].src_ip='192.168.1.10'
firewall.@rule[10].target='ACCEPT'
firewall.@rule[10].src='Adults_Zone'
firewall.@rule[10].dest='Kids_Zone'
firewall.@rule[10].family='ipv4'
firewall.@rule[11]=rule
firewall.@rule[11].src='Kids_Zone'
firewall.@rule[11].dest='Adults_Zone'
firewall.@rule[11].target='ACCEPT'
firewall.@rule[11].name='Mr_Sparkle_in_wireless'
firewall.@rule[11].dest_ip='192.168.1.11'
firewall.@rule[11].family='ipv4'
firewall.@rule[12]=rule
firewall.@rule[12].name='Mr_Sparkle_out_wireless'
firewall.@rule[12].src='Adults_Zone'
firewall.@rule[12].src_ip='192.168.1.11'
firewall.@rule[12].dest='Kids_Zone'
firewall.@rule[12].target='ACCEPT'
firewall.@rule[12].family='ipv4'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].name='Adblock_Adult_dns_53'
firewall.@redirect[0].src_dport='53'
firewall.@redirect[0].src='Adults_Zone'
firewall.@redirect[1]=redirect
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].name='Adblock_Kids_dns_53'
firewall.@redirect[1].src_dport='53'
firewall.@redirect[1].src='Kids_Zone'
firewall.@rule[13]=rule
firewall.@rule[13].name='Kids_Block'
firewall.@rule[13].src='Wan_Zone'
firewall.@rule[13].dest='Kids_Zone'
firewall.@rule[13].target='REJECT'
firewall.@rule[13].stop_time='06:30:00'
firewall.@rule[13].start_time='02:30:00'
firewall.@rule[14]=rule
firewall.@rule[14].name='ps4-wired-block'
firewall.@rule[14].proto='all'
firewall.@rule[14].src='Adults_Zone'
firewall.@rule[14].src_ip='192.168.1.177'
firewall.@rule[14].dest='Wan_Zone'
firewall.@rule[14].target='REJECT'
firewall.@rule[14].start_time='01:00:00'
firewall.@rule[14].stop_time='07:00:00'
firewall.@rule[14].family='ipv4'
firewall.estab=include
firewall.estab.path='/etc/firewall.estab'
firewall.estab.reload='1'

root@OpenWrt:~# iptables-legacy-save
# Generated by iptables-save v1.8.7 on Tue Mar  1 23:08:07 2022
*nat
:PREROUTING ACCEPT [427:92855]
:INPUT ACCEPT [101:8234]
:OUTPUT ACCEPT [188:14100]
:POSTROUTING ACCEPT [107:7033]
:postrouting_Adults_Zone_rule - [0:0]
:postrouting_Kids_Zone_rule - [0:0]
:postrouting_Wan_Zone_rule - [0:0]
:postrouting_rule - [0:0]
:prerouting_Adults_Zone_rule - [0:0]
:prerouting_Kids_Zone_rule - [0:0]
:prerouting_Wan_Zone_rule - [0:0]
:prerouting_rule - [0:0]
:zone_Adults_Zone_postrouting - [0:0]
:zone_Adults_Zone_prerouting - [0:0]
:zone_Kids_Zone_postrouting - [0:0]
:zone_Kids_Zone_prerouting - [0:0]
:zone_Wan_Zone_postrouting - [0:0]
:zone_Wan_Zone_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-Adults_Lan -m comment --comment "!fw3" -j zone_Adults_Zone_prerouting
-A PREROUTING -i wan -m comment --comment "!fw3" -j zone_Wan_Zone_prerouting
-A PREROUTING -i br-Kids_Lan -m comment --comment "!fw3" -j zone_Kids_Zone_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-Adults_Lan -m comment --comment "!fw3" -j zone_Adults_Zone_postrouting
-A POSTROUTING -o wan -m comment --comment "!fw3" -j zone_Wan_Zone_postrouting
-A POSTROUTING -o br-Kids_Lan -m comment --comment "!fw3" -j zone_Kids_Zone_postrouting
-A zone_Adults_Zone_postrouting -m comment --comment "!fw3: Custom Adults_Zone postrouting rule chain" -j postrouting_Adults_Zone_rule
-A zone_Adults_Zone_prerouting -m comment --comment "!fw3: Custom Adults_Zone prerouting rule chain" -j prerouting_Adults_Zone_rule
-A zone_Adults_Zone_prerouting -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Adblock_Adult_dns_53" -j REDIRECT --to-ports 53
-A zone_Adults_Zone_prerouting -p udp -m udp --dport 53 -m comment --comment "!fw3: Adblock_Adult_dns_53" -j REDIRECT --to-ports 53
-A zone_Kids_Zone_postrouting -m comment --comment "!fw3: Custom Kids_Zone postrouting rule chain" -j postrouting_Kids_Zone_rule
-A zone_Kids_Zone_prerouting -m comment --comment "!fw3: Custom Kids_Zone prerouting rule chain" -j prerouting_Kids_Zone_rule
-A zone_Kids_Zone_prerouting -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Adblock_Kids_dns_53" -j REDIRECT --to-ports 53
-A zone_Kids_Zone_prerouting -p udp -m udp --dport 53 -m comment --comment "!fw3: Adblock_Kids_dns_53" -j REDIRECT --to-ports 53
-A zone_Wan_Zone_postrouting -m comment --comment "!fw3: Custom Wan_Zone postrouting rule chain" -j postrouting_Wan_Zone_rule
-A zone_Wan_Zone_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_Wan_Zone_prerouting -m comment --comment "!fw3: Custom Wan_Zone prerouting rule chain" -j prerouting_Wan_Zone_rule
COMMIT
# Completed on Tue Mar  1 23:08:07 2022
# Generated by iptables-save v1.8.7 on Tue Mar  1 23:08:07 2022
*raw
:PREROUTING ACCEPT [9036:2370439]
:OUTPUT ACCEPT [2558:1808566]
:zone_Adults_Zone_helper - [0:0]
:zone_Kids_Zone_helper - [0:0]
-A PREROUTING -i br-Adults_Lan -m comment --comment "!fw3: Adults_Zone CT helper assignment" -j zone_Adults_Zone_helper
-A PREROUTING -i br-Kids_Lan -m comment --comment "!fw3: Kids_Zone CT helper assignment" -j zone_Kids_Zone_helper
COMMIT
# Completed on Tue Mar  1 23:08:07 2022
# Generated by iptables-save v1.8.7 on Tue Mar  1 23:08:07 2022
*mangle
:PREROUTING ACCEPT [9036:2370439]
:INPUT ACCEPT [2572:381421]
:FORWARD ACCEPT [6193:1939857]
:OUTPUT ACCEPT [2559:1809678]
:POSTROUTING ACCEPT [8687:3746287]
-A FORWARD -o wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone Wan_Zone MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone Wan_Zone MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Tue Mar  1 23:08:07 2022
# Generated by iptables-save v1.8.7 on Tue Mar  1 23:08:07 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_Adults_Zone_rule - [0:0]
:forwarding_Kids_Zone_rule - [0:0]
:forwarding_Wan_Zone_rule - [0:0]
:forwarding_rule - [0:0]
:input_Adults_Zone_rule - [0:0]
:input_Kids_Zone_rule - [0:0]
:input_Wan_Zone_rule - [0:0]
:input_rule - [0:0]
:output_Adults_Zone_rule - [0:0]
:output_Kids_Zone_rule - [0:0]
:output_Wan_Zone_rule - [0:0]
:output_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_Adults_Zone_dest_ACCEPT - [0:0]
:zone_Adults_Zone_forward - [0:0]
:zone_Adults_Zone_input - [0:0]
:zone_Adults_Zone_output - [0:0]
:zone_Adults_Zone_src_ACCEPT - [0:0]
:zone_Kids_Zone_dest_ACCEPT - [0:0]
:zone_Kids_Zone_dest_REJECT - [0:0]
:zone_Kids_Zone_forward - [0:0]
:zone_Kids_Zone_input - [0:0]
:zone_Kids_Zone_output - [0:0]
:zone_Kids_Zone_src_ACCEPT - [0:0]
:zone_Wan_Zone_dest_ACCEPT - [0:0]
:zone_Wan_Zone_dest_REJECT - [0:0]
:zone_Wan_Zone_forward - [0:0]
:zone_Wan_Zone_input - [0:0]
:zone_Wan_Zone_output - [0:0]
:zone_Wan_Zone_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-Adults_Lan -m comment --comment "!fw3" -j zone_Adults_Zone_input
-A INPUT -i wan -m comment --comment "!fw3" -j zone_Wan_Zone_input
-A INPUT -i br-Kids_Lan -m comment --comment "!fw3" -j zone_Kids_Zone_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-Adults_Lan -m comment --comment "!fw3" -j zone_Adults_Zone_forward
-A FORWARD -i wan -m comment --comment "!fw3" -j zone_Wan_Zone_forward
-A FORWARD -i br-Kids_Lan -m comment --comment "!fw3" -j zone_Kids_Zone_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-Adults_Lan -m comment --comment "!fw3" -j zone_Adults_Zone_output
-A OUTPUT -o wan -m comment --comment "!fw3" -j zone_Wan_Zone_output
-A OUTPUT -o br-Kids_Lan -m comment --comment "!fw3" -j zone_Kids_Zone_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_Adults_Zone_dest_ACCEPT -o br-Adults_Lan -m comment --comment "!fw3" -j ACCEPT
-A zone_Adults_Zone_forward -m comment --comment "!fw3: Custom Adults_Zone forwarding rule chain" -j forwarding_Adults_Zone_rule
-A zone_Adults_Zone_forward -s 192.168.1.10/32 -m comment --comment "!fw3: Mr_Sparkle_out" -j zone_Kids_Zone_dest_ACCEPT
-A zone_Adults_Zone_forward -s 192.168.1.11/32 -p tcp -m comment --comment "!fw3: Mr_Sparkle_out_wireless" -j zone_Kids_Zone_dest_ACCEPT
-A zone_Adults_Zone_forward -s 192.168.1.11/32 -p udp -m comment --comment "!fw3: Mr_Sparkle_out_wireless" -j zone_Kids_Zone_dest_ACCEPT
-A zone_Adults_Zone_forward -s 192.168.1.177/32 -m time --timestart 01:00:00 --timestop 07:00:00 --kerneltz -m comment --comment "!fw3: ps4-wired-block" -j zone_Wan_Zone_dest_REJECT
-A zone_Adults_Zone_forward -m comment --comment "!fw3: Zone Adults_Zone to Wan_Zone forwarding policy" -j zone_Wan_Zone_dest_ACCEPT
-A zone_Adults_Zone_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_Adults_Zone_forward -m comment --comment "!fw3" -j zone_Adults_Zone_dest_ACCEPT
-A zone_Adults_Zone_input -m comment --comment "!fw3: Custom Adults_Zone input rule chain" -j input_Adults_Zone_rule
-A zone_Adults_Zone_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_Adults_Zone_input -m comment --comment "!fw3" -j zone_Adults_Zone_src_ACCEPT
-A zone_Adults_Zone_output -m comment --comment "!fw3: Custom Adults_Zone output rule chain" -j output_Adults_Zone_rule
-A zone_Adults_Zone_output -m comment --comment "!fw3" -j zone_Adults_Zone_dest_ACCEPT
-A zone_Adults_Zone_src_ACCEPT -i br-Adults_Lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_Kids_Zone_dest_ACCEPT -o br-Kids_Lan -m comment --comment "!fw3" -j ACCEPT
-A zone_Kids_Zone_dest_REJECT -o br-Kids_Lan -m comment --comment "!fw3" -j reject
-A zone_Kids_Zone_forward -m comment --comment "!fw3: Custom Kids_Zone forwarding rule chain" -j forwarding_Kids_Zone_rule
-A zone_Kids_Zone_forward -d 192.168.1.10/32 -m comment --comment "!fw3: Mr_Sparkle_in" -j zone_Adults_Zone_dest_ACCEPT
-A zone_Kids_Zone_forward -d 192.168.1.11/32 -p tcp -m comment --comment "!fw3: Mr_Sparkle_in_wireless" -j zone_Adults_Zone_dest_ACCEPT
-A zone_Kids_Zone_forward -d 192.168.1.11/32 -p udp -m comment --comment "!fw3: Mr_Sparkle_in_wireless" -j zone_Adults_Zone_dest_ACCEPT
-A zone_Kids_Zone_forward -m comment --comment "!fw3: Zone Kids_Zone to Wan_Zone forwarding policy" -j zone_Wan_Zone_dest_ACCEPT
-A zone_Kids_Zone_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_Kids_Zone_forward -m comment --comment "!fw3" -j zone_Kids_Zone_dest_ACCEPT
-A zone_Kids_Zone_input -m comment --comment "!fw3: Custom Kids_Zone input rule chain" -j input_Kids_Zone_rule
-A zone_Kids_Zone_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_Kids_Zone_input -m comment --comment "!fw3" -j zone_Kids_Zone_src_ACCEPT
-A zone_Kids_Zone_output -m comment --comment "!fw3: Custom Kids_Zone output rule chain" -j output_Kids_Zone_rule
-A zone_Kids_Zone_output -m comment --comment "!fw3" -j zone_Kids_Zone_dest_ACCEPT
-A zone_Kids_Zone_src_ACCEPT -i br-Kids_Lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_Wan_Zone_dest_ACCEPT -o wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_Wan_Zone_dest_ACCEPT -o wan -m comment --comment "!fw3" -j ACCEPT
-A zone_Wan_Zone_dest_REJECT -o wan -m comment --comment "!fw3" -j reject
-A zone_Wan_Zone_forward -m comment --comment "!fw3: Custom Wan_Zone forwarding rule chain" -j forwarding_Wan_Zone_rule
-A zone_Wan_Zone_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_Adults_Zone_dest_ACCEPT
-A zone_Wan_Zone_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_Adults_Zone_dest_ACCEPT
-A zone_Wan_Zone_forward -p tcp -m time --timestart 02:30:00 --timestop 06:30:00 --kerneltz -m comment --comment "!fw3: Kids_Block" -j zone_Kids_Zone_dest_REJECT
-A zone_Wan_Zone_forward -p udp -m time --timestart 02:30:00 --timestop 06:30:00 --kerneltz -m comment --comment "!fw3: Kids_Block" -j zone_Kids_Zone_dest_REJECT
-A zone_Wan_Zone_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_Wan_Zone_forward -m comment --comment "!fw3" -j zone_Wan_Zone_dest_REJECT
-A zone_Wan_Zone_input -m comment --comment "!fw3: Custom Wan_Zone input rule chain" -j input_Wan_Zone_rule
-A zone_Wan_Zone_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_Wan_Zone_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_Wan_Zone_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_Wan_Zone_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_Wan_Zone_input -m comment --comment "!fw3" -j zone_Wan_Zone_src_REJECT
-A zone_Wan_Zone_output -m comment --comment "!fw3: Custom Wan_Zone output rule chain" -j output_Wan_Zone_rule
-A zone_Wan_Zone_output -m comment --comment "!fw3" -j zone_Wan_Zone_dest_ACCEPT
-A zone_Wan_Zone_src_REJECT -i wan -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Tue Mar  1 23:08:07 2022