Setting up a dedicated VPN VLAN

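# Diagnostic dump for an fw3-based router: firewall, addressing, routing, DNS.
# The output contains public prefixes and link-local addresses that can embed
# the MAC; redact them the same way everywhere before sharing.

# User-supplied firewall rules; "-n -0" makes head print the whole file.
head -n -0 /etc/firewall.user
# Live IPv4 and IPv6 rulesets; -c adds the per-rule [packets:bytes] counters,
# which show which chains traffic actually traversed.
iptables-save -c; ip6tables-save -c
# Interface addresses, every routing table, and the policy-routing rules.
# A rule that points at a table with no routes falls through to the next rule.
ip -4 addr; ip -4 route list table all; ip -4 rule
ip -6 addr; ip -6 route list table all; ip -6 rule
# Resolver files: which upstream DNS servers the router itself uses.
# Each glob needs its trailing "*"; without it the path "/tmp/resolv." is
# taken literally and matches nothing.
ls -l /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*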

*nat
:PREROUTING ACCEPT [4187:899287]
:INPUT ACCEPT [463:29702]
:OUTPUT ACCEPT [617:42613]
:POSTROUTING ACCEPT [848:35476]
:postrouting_lan_rule - [0:0]
:postrouting_lan_vpn_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:postrouting_wan_vpn_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_lan_vpn_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:prerouting_wan_vpn_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_lan_vpn_postrouting - [0:0]
:zone_lan_vpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
:zone_wan_vpn_postrouting - [0:0]
:zone_wan_vpn_prerouting - [0:0]
[4187:899287] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[1400:358226] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[1777:350497] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[1010:190564] -A PREROUTING -i br-LAN_VPN -m comment --comment "!fw3" -j zone_lan_vpn_prerouting
[0:0] -A PREROUTING -i tun3 -m comment --comment "!fw3" -j zone_wan_vpn_prerouting
[2078:352865] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[814:32856] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[649:159431] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o br-LAN_VPN -m comment --comment "!fw3" -j zone_lan_vpn_postrouting
[581:157958] -A POSTROUTING -o tun3 -m comment --comment "!fw3" -j zone_wan_vpn_postrouting
[814:32856] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[1400:358226] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_vpn_postrouting -m comment --comment "!fw3: Custom lan_vpn postrouting rule chain" -j postrouting_lan_vpn_rule
[1010:190564] -A zone_lan_vpn_prerouting -m comment --comment "!fw3: Custom lan_vpn prerouting rule chain" -j prerouting_lan_vpn_rule
[649:159431] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[649:159431] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[1777:350497] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[581:157958] -A zone_wan_vpn_postrouting -m comment --comment "!fw3: Custom wan_vpn postrouting rule chain" -j postrouting_wan_vpn_rule
[581:157958] -A zone_wan_vpn_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_wan_vpn_prerouting -m comment --comment "!fw3: Custom wan_vpn prerouting rule chain" -j prerouting_wan_vpn_rule
COMMIT
# Completed on Fri May  1 09:19:57 2020
# Generated by iptables-save v1.8.3 on Fri May  1 09:19:57 2020
*mangle
:PREROUTING ACCEPT [426803:457696774]
:INPUT ACCEPT [80988:103230661]
:FORWARD ACCEPT [343929:354088890]
:OUTPUT ACCEPT [35610:8192693]
:POSTROUTING ACCEPT [378565:362086529]
[52:2704] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[1255:65260] -A FORWARD -o tun3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan_vpn MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri May  1 09:19:57 2020
# Generated by iptables-save v1.8.3 on Fri May  1 09:19:57 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_lan_vpn_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:forwarding_wan_vpn_rule - [0:0]
:input_lan_rule - [0:0]
:input_lan_vpn_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:input_wan_vpn_rule - [0:0]
:output_lan_rule - [0:0]
:output_lan_vpn_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:output_wan_vpn_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_lan_vpn_dest_ACCEPT - [0:0]
:zone_lan_vpn_dest_REJECT - [0:0]
:zone_lan_vpn_forward - [0:0]
:zone_lan_vpn_input - [0:0]
:zone_lan_vpn_output - [0:0]
:zone_lan_vpn_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
:zone_wan_vpn_dest_ACCEPT - [0:0]
:zone_wan_vpn_dest_REJECT - [0:0]
:zone_wan_vpn_forward - [0:0]
:zone_wan_vpn_input - [0:0]
:zone_wan_vpn_output - [0:0]
:zone_wan_vpn_src_REJECT - [0:0]
[497:54335] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[80493:103176406] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[79376:103098135] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[94:4888] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[178:15597] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[274:20103] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[654:42019] -A INPUT -i br-LAN_VPN -m comment --comment "!fw3" -j zone_lan_vpn_input
[11:552] -A INPUT -i tun3 -m comment --comment "!fw3" -j zone_wan_vpn_input
[343929:354088890] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[342013:353438501] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1217:389605] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[699:260784] -A FORWARD -i br-LAN_VPN -m comment --comment "!fw3" -j zone_lan_vpn_forward
[0:0] -A FORWARD -i tun3 -m comment --comment "!fw3" -j zone_wan_vpn_forward
[967:195943] -A FORWARD -m comment --comment "!fw3" -j reject
[497:54335] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[35120:8139678] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[34326:8085454] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[5:1377] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[704:46783] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o br-LAN_VPN -m comment --comment "!fw3" -j zone_lan_vpn_output
[85:6064] -A OUTPUT -o tun3 -m comment --comment "!fw3" -j zone_wan_vpn_output
[823:42776] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[377:172366] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[94:4888] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[5:1377] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[1217:389605] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[1217:389605] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[967:195943] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[178:15597] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[178:15597] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[5:1377] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[5:1377] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[178:15597] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_vpn_dest_ACCEPT -o br-LAN_VPN -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_vpn_dest_REJECT -o br-LAN_VPN -m comment --comment "!fw3" -j reject
[699:260784] -A zone_lan_vpn_forward -m comment --comment "!fw3: Custom lan_vpn forwarding rule chain" -j forwarding_lan_vpn_rule
[699:260784] -A zone_lan_vpn_forward -m comment --comment "!fw3: Zone lan_vpn to wan_vpn forwarding policy" -j zone_wan_vpn_dest_ACCEPT
[0:0] -A zone_lan_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_vpn_forward -m comment --comment "!fw3" -j zone_lan_vpn_dest_REJECT
[654:42019] -A zone_lan_vpn_input -m comment --comment "!fw3: Custom lan_vpn input rule chain" -j input_lan_vpn_rule
[0:0] -A zone_lan_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[654:42019] -A zone_lan_vpn_input -m comment --comment "!fw3" -j zone_lan_vpn_src_ACCEPT
[0:0] -A zone_lan_vpn_output -m comment --comment "!fw3: Custom lan_vpn output rule chain" -j output_lan_vpn_rule
[0:0] -A zone_lan_vpn_output -m comment --comment "!fw3" -j zone_lan_vpn_dest_ACCEPT
[654:42019] -A zone_lan_vpn_src_ACCEPT -i br-LAN_VPN -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[954:240445] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[274:20103] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[52:1456] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[222:18647] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[704:46783] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[704:46783] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[222:18647] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
[11:440] -A zone_wan_vpn_dest_ACCEPT -o tun3 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[773:266408] -A zone_wan_vpn_dest_ACCEPT -o tun3 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_vpn_dest_REJECT -o tun3 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_vpn_forward -m comment --comment "!fw3: Custom wan_vpn forwarding rule chain" -j forwarding_wan_vpn_rule
[0:0] -A zone_wan_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_vpn_forward -m comment --comment "!fw3" -j zone_wan_vpn_dest_REJECT
[11:552] -A zone_wan_vpn_input -m comment --comment "!fw3: Custom wan_vpn input rule chain" -j input_wan_vpn_rule
[0:0] -A zone_wan_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[11:552] -A zone_wan_vpn_input -m comment --comment "!fw3" -j zone_wan_vpn_src_REJECT
[85:6064] -A zone_wan_vpn_output -m comment --comment "!fw3: Custom wan_vpn output rule chain" -j output_wan_vpn_rule
[85:6064] -A zone_wan_vpn_output -m comment --comment "!fw3" -j zone_wan_vpn_dest_ACCEPT
[11:552] -A zone_wan_vpn_src_REJECT -i tun3 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Fri May  1 09:19:57 2020
# Generated by ip6tables-save v1.8.3 on Fri May  1 09:19:57 2020
*mangle
:PREROUTING ACCEPT [11968:5342181]
:INPUT ACCEPT [717:80460]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [988:118567]
:POSTROUTING ACCEPT [988:118567]
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o tun3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan_vpn MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri May  1 09:19:57 2020
# Generated by ip6tables-save v1.8.3 on Fri May  1 09:19:57 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_lan_vpn_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:forwarding_wan_vpn_rule - [0:0]
:input_lan_rule - [0:0]
:input_lan_vpn_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:input_wan_vpn_rule - [0:0]
:output_lan_rule - [0:0]
:output_lan_vpn_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:output_wan_vpn_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_lan_vpn_dest_ACCEPT - [0:0]
:zone_lan_vpn_dest_REJECT - [0:0]
:zone_lan_vpn_forward - [0:0]
:zone_lan_vpn_input - [0:0]
:zone_lan_vpn_output - [0:0]
:zone_lan_vpn_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
:zone_wan_vpn_dest_ACCEPT - [0:0]
:zone_wan_vpn_dest_REJECT - [0:0]
:zone_wan_vpn_forward - [0:0]
:zone_wan_vpn_input - [0:0]
:zone_wan_vpn_output - [0:0]
:zone_wan_vpn_src_REJECT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[717:80460] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[274:46091] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[263:21273] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[180:13096] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i br-LAN_VPN -m comment --comment "!fw3" -j zone_lan_vpn_input
[0:0] -A INPUT -i tun3 -m comment --comment "!fw3" -j zone_wan_vpn_input
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i br-LAN_VPN -m comment --comment "!fw3" -j zone_lan_vpn_forward
[0:0] -A FORWARD -i tun3 -m comment --comment "!fw3" -j zone_wan_vpn_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[988:118567] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[371:67330] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[111:8782] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[506:42455] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o br-LAN_VPN -m comment --comment "!fw3" -j zone_lan_vpn_output
[0:0] -A OUTPUT -o tun3 -m comment --comment "!fw3" -j zone_wan_vpn_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[111:8782] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[263:21273] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[263:21273] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[111:8782] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[111:8782] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[263:21273] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_vpn_dest_ACCEPT -o br-LAN_VPN -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_vpn_dest_REJECT -o br-LAN_VPN -m comment --comment "!fw3" -j reject
[0:0] -A zone_lan_vpn_forward -m comment --comment "!fw3: Custom lan_vpn forwarding rule chain" -j forwarding_lan_vpn_rule
[0:0] -A zone_lan_vpn_forward -m comment --comment "!fw3: Zone lan_vpn to wan_vpn forwarding policy" -j zone_wan_vpn_dest_ACCEPT
[0:0] -A zone_lan_vpn_forward -m comment --comment "!fw3" -j zone_lan_vpn_dest_REJECT
[0:0] -A zone_lan_vpn_input -m comment --comment "!fw3: Custom lan_vpn input rule chain" -j input_lan_vpn_rule
[0:0] -A zone_lan_vpn_input -m comment --comment "!fw3" -j zone_lan_vpn_src_ACCEPT
[0:0] -A zone_lan_vpn_output -m comment --comment "!fw3: Custom lan_vpn output rule chain" -j output_lan_vpn_rule
[0:0] -A zone_lan_vpn_output -m comment --comment "!fw3" -j zone_lan_vpn_dest_ACCEPT
[0:0] -A zone_lan_vpn_src_ACCEPT -i br-LAN_VPN -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[506:42455] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[180:13096] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[5:256] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[75:5400] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[12:1728] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[88:5712] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[506:42455] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[506:42455] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_vpn_dest_ACCEPT -o tun3 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_vpn_dest_ACCEPT -o tun3 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_vpn_dest_REJECT -o tun3 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_vpn_forward -m comment --comment "!fw3: Custom wan_vpn forwarding rule chain" -j forwarding_wan_vpn_rule
[0:0] -A zone_wan_vpn_forward -m comment --comment "!fw3" -j zone_wan_vpn_dest_REJECT
[0:0] -A zone_wan_vpn_input -m comment --comment "!fw3: Custom wan_vpn input rule chain" -j input_wan_vpn_rule
[0:0] -A zone_wan_vpn_input -m comment --comment "!fw3" -j zone_wan_vpn_src_REJECT
[0:0] -A zone_wan_vpn_output -m comment --comment "!fw3: Custom wan_vpn output rule chain" -j output_wan_vpn_rule
[0:0] -A zone_wan_vpn_output -m comment --comment "!fw3" -j zone_wan_vpn_dest_ACCEPT
[0:0] -A zone_wan_vpn_src_REJECT -i tun3 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Fri May  1 09:19:57 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: br-LAN_VPN: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-LAN_VPN
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.0.97/24 brd 192.168.0.255 scope global eth0.2
       valid_lft forever preferred_lft forever
default via 192.168.0.1 dev eth0.2  src 192.168.0.97
192.168.0.0/24 dev eth0.2 scope link  src 192.168.0.97
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
192.168.2.0/24 dev br-LAN_VPN scope link  src 192.168.2.1
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.0.0 dev eth0.2 table local scope link  src 192.168.0.97
local 192.168.0.97 dev eth0.2 table local scope host  src 192.168.0.97
broadcast 192.168.0.255 dev eth0.2 table local scope link  src 192.168.0.97
broadcast 192.168.1.0 dev br-lan table local scope link  src 192.168.1.1
local 192.168.1.1 dev br-lan table local scope host  src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.1
broadcast 192.168.2.0 dev br-LAN_VPN table local scope link  src 192.168.2.1
local 192.168.2.1 dev br-LAN_VPN table local scope host  src 192.168.2.1
broadcast 192.168.2.255 dev br-LAN_VPN table local scope link  src 192.168.2.1
0:      from all lookup local
1:      from 192.168.2.1/24 iif br-LAN_VPN lookup 100
32766:  from all lookup main
32767:  from all lookup default
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 1000
    inet6 fe80::xxxx:xxxx:xxxx:xxxx/64 scope link
       valid_lft forever preferred_lft forever
5: br-LAN_VPN: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::xxxx:xxxx:xxxx:xxxx/64 scope link
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd1f:bd69:bd00::1/60 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::xxxx:xxxx:xxxx:xxxx/64 scope link
       valid_lft forever preferred_lft forever
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a00:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:65e3/64 scope global dynamic
       valid_lft 604628sec preferred_lft 604628sec
    inet6 fe80::4231:3cff:fe0b:xxxx/64 scope link
       valid_lft forever preferred_lft forever
default from 2a00:xxxx:xxxx:xxxxx::/64 via fe80::xxxx:xxxx:xxxx:xxxxx dev eth0.2  metric 384
2a00:xxxx:xxxx:xxxx::/64 dev eth0.2  metric 256
fd1f:xxxx:xxxx::/64 dev br-lan  metric 1024
unreachable fd1f:xxxx:xxxx::/48 dev lo  metric 2147483647  error -148
fe80::/64 dev eth0  metric 256
fe80::/64 dev br-lan  metric 256
fe80::/64 dev eth0.2  metric 256
fe80::/64 dev br-LAN_VPN  metric 256
local ::1 dev lo table local  metric 0
anycast 2a00:xxxx:xxxx:xxxx:: dev eth0.2 table local  metric 0
local 2a00:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx dev eth0.2 table local  metric 0
anycast fd1f:xxxx:xxxx:: dev br-lan table local  metric 0
local fd1f:xxxx:xxxx::1 dev br-lan table local  metric 0
anycast fe80:: dev br-lan table local  metric 0
anycast fe80:: dev eth0 table local  metric 0
anycast fe80:: dev eth0.2 table local  metric 0
anycast fe80:: dev br-LAN_VPN table local  metric 0
local fe80::4231:xxxx:xxxx:xxxx dev eth0 table local  metric 0
local fe80::4231:xxxx:xxxx:xxxx dev eth0.2 table local  metric 0
local fe80::4231:xxxx:xxxx:xxxx dev br-LAN_VPN table local  metric 0
local fe80::4231:xxxx:xxxx:xxxx dev br-lan table local  metric 0
ff00::/8 dev eth0 table local  metric 256
ff00::/8 dev br-lan table local  metric 256
ff00::/8 dev eth0.2 table local  metric 256
ff00::/8 dev br-LAN_VPN table local  metric 256
0:      from all lookup local
32766:  from all lookup main
4200000001:     from all iif lo lookup unspec 12
4200000005:     from all iif br-LAN_VPN lookup unspec 12
4200000007:     from all iif br-lan lookup unspec 12
4200000009:     from all iif eth0.2 lookup unspec 12
4200000009:     from all iif eth0.2 lookup unspec 12
lrwxrwxrwx    1 root     root            16 Feb 27 21:05 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 May  1 08:25 /tmp/resolv.conf
-rw-r--r--    1 root     root            90 May  1 08:26 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 192.168.0.1
# Interface wan6
nameserver 2a00:xxxx:xxxx:xxxx::1

Thank you in advance.