table inet fw4 {
# OpenWrt fw4-generated ruleset as printed by `nft list ruleset`: the "counter packets/bytes"
# values are live counters, and the "hhhh:jjjj" IPv6 prefixes look redacted.
# Zone -> interface mapping used throughout (taken from the dispatch rules below):
#   wan        = wan, usb0, wwan1, tap-easytether
#   sdwan_bond = vbond0, dummy0, vbond1, vbond2
#   admin      = br-admin        ovpn   = tun0        sdwan_vpn = pv, cs1
#   domain     = dummy1          resident/devices/guest = br-resident/br-devices/br-guest
#   dummy      = no interface is dispatched to it (see the note at input_dummy)
# Empty set; no rule in this listing references it.
set voice-traffic {
type ipv4_addr
}
# Empty set; no rule in this listing references it.
set bypassvpn {
type ipv4_addr
}
# Rewrites the IPv4 TTL of every packet leaving usb0 to 64 (no ip6 hoplimit counterpart).
# This base chain sits on the same hook and priority as mangle_postrouting below; the
# ruleset text alone does not fix which of the two runs first — NOTE(review): confirm that
# ordering never matters for the usb0 DSCP rules.
chain mangle_ttl_out {
type filter hook postrouting priority mangle; policy accept;
oifname "usb0" ip ttl set 64
}
# Traffic addressed to the router itself. Default deny: anything not accepted by one of
# the zone chains is dropped by the policy.
chain input {
type filter hook input priority filter; policy drop;
iifname "lo" accept comment "!fw4: Accept traffic from loopback"
ct state established,related accept comment "!fw4: Allow inbound established and related flows"
ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
# Every new TCP flow (SYN without FIN/RST/ACK) goes through the shared rate limiter first.
tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
# The rules up to the zone dispatch below run on EVERY interface, including the wan zone;
# an accept taken here cannot be undone by a zone chain.
# NOTE(review): with a /8 mask the host bits of 10.44.0.0 are ignored, so this matches all
# of 10.0.0.0/8 rather than only 10.44.x.y; fd00::/8 likewise is the whole ULA range.
# Presumably 10.44.53.2 / hhhh:jjjj:53:1::2 are the router's own domain-zone addresses
# (DNS 53, NTP 123, DHCPv6 547) — confirm.
ip saddr 10.44.0.0/8 ip daddr 10.44.53.2 tcp dport { 53, 123, 547 } counter packets 0 bytes 0 accept comment "!fw4: Allow DNS"
ip6 saddr fd00::/8 ip6 daddr hhhh:jjjj:53:1::2 tcp dport { 53, 123, 547 } counter packets 5 bytes 420 accept comment "!fw4: Allow DNS"
ip saddr 10.44.0.0/8 ip daddr 10.44.53.2 udp dport { 53, 123, 547 } counter packets 13797 bytes 948463 accept comment "!fw4: Allow DNS"
ip6 saddr fd00::/8 ip6 daddr hhhh:jjjj:53:1::2 udp dport { 53, 123, 547 } counter packets 18881 bytes 1616596 accept comment "!fw4: Allow DNS"
# mDNS is accepted from any interface here, which makes the 5353 drop rules in input_guest
# unreachable (their counters are 0). NOTE(review): add an iifname match if only the LAN
# bridges are meant to reach the responder.
tcp dport 5353 counter packets 0 bytes 0 accept comment "!fw4: mdns"
udp dport 5353 counter packets 0 bytes 0 accept comment "!fw4: mdns"
# DHCPv4 server port, also accepted regardless of ingress interface. NOTE(review): limiting
# this to the bridges that actually serve DHCP would keep the wan zone away from it.
udp dport 67 counter packets 39 bytes 14908 accept comment "!fw4: Allow DHCP"
# Per-zone dispatch by ingress interface. There is no entry for the "dummy" zone, so the
# input_dummy / forward_dummy / output_dummy chains defined later are never entered.
iifname { "wan", "usb0", "wwan1", "tap-easytether" } jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
iifname { "vbond0", "dummy0", "vbond1", "vbond2" } jump input_sdwan_bond comment "!fw4: Handle sdwan_bond IPv4/IPv6 input traffic"
iifname "br-admin" jump input_admin comment "!fw4: Handle admin IPv4/IPv6 input traffic"
iifname "tun0" jump input_ovpn comment "!fw4: Handle ovpn IPv4/IPv6 input traffic"
iifname { "pv", "cs1" } jump input_sdwan_vpn comment "!fw4: Handle sdwan_vpn IPv4/IPv6 input traffic"
iifname "dummy1" jump input_domain comment "!fw4: Handle domain IPv4/IPv6 input traffic"
iifname "br-resident" jump input_resident comment "!fw4: Handle resident IPv4/IPv6 input traffic"
iifname "br-devices" jump input_devices comment "!fw4: Handle devices IPv4/IPv6 input traffic"
iifname "br-guest" jump input_guest comment "!fw4: Handle guest IPv4/IPv6 input traffic"
}
# Traffic routed between zones. Default deny: a packet is only forwarded when a zone chain
# (or a jump target it reaches) accepts it.
chain forward {
type filter hook forward priority filter; policy drop;
ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
# Global "VPNGW" guard, evaluated before any zone chain: only the listed sources may reach
# 192.168.0.0/16 (v4) / ddb4:f0e0:b048::/64 (v6); everything else to those networks is
# rejected here. Zone-chain rules toward 192.168.x.x from other sources are therefore dead.
ip saddr { 10.44.2.0/24, 10.44.18.0/24, 10.44.1.0-10.44.3.255 } ip daddr 192.168.0.0/16 counter packets 1823 bytes 132348 accept comment "!fw4: Allow VPNGW"
ip6 saddr { hhhh:jjjj:0:2::/64, hhhh:jjjj:0:42::/64, hhhh:jjjj:fffd::/64, hhhh:jjjj:fffe::/64, hhhh:jjjj:ffff::/64 } ip6 daddr ddb4:f0e0:b048::/64 counter packets 0 bytes 0 accept comment "!fw4: Allow VPNGW"
ip daddr 192.168.0.0/16 counter packets 0 bytes 0 jump handle_reject comment "!fw4: Deny VPNGW net"
ip6 daddr ddb4:f0e0:b048::/64 counter packets 0 bytes 0 jump handle_reject comment "!fw4: Deny VPNGW net"
# Per-zone dispatch by ingress interface (same zone table as in chain input).
iifname { "wan", "usb0", "wwan1", "tap-easytether" } jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
iifname { "vbond0", "dummy0", "vbond1", "vbond2" } jump forward_sdwan_bond comment "!fw4: Handle sdwan_bond IPv4/IPv6 forward traffic"
iifname "br-admin" jump forward_admin comment "!fw4: Handle admin IPv4/IPv6 forward traffic"
iifname "tun0" jump forward_ovpn comment "!fw4: Handle ovpn IPv4/IPv6 forward traffic"
iifname { "pv", "cs1" } jump forward_sdwan_vpn comment "!fw4: Handle sdwan_vpn IPv4/IPv6 forward traffic"
iifname "dummy1" jump forward_domain comment "!fw4: Handle domain IPv4/IPv6 forward traffic"
iifname "br-resident" jump forward_resident comment "!fw4: Handle resident IPv4/IPv6 forward traffic"
iifname "br-devices" jump forward_devices comment "!fw4: Handle devices IPv4/IPv6 forward traffic"
iifname "br-guest" jump forward_guest comment "!fw4: Handle guest IPv4/IPv6 forward traffic"
}
# Traffic generated by the router itself. Policy accept, so the reject rules below are the
# only thing that stops locally generated packets.
chain output {
type filter hook output priority filter; policy accept;
oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
ct state established,related accept comment "!fw4: Allow outbound established and related flows"
ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
# Pins the SD-WAN tunnels (UDP 24680-24682 to the two peers) to one underlay each: only
# 24680 may leave via wan, only 24681 via wwan1, only 24682 via tap-easytether, and none
# via the vbond* interfaces. The rejected flows are counted and bounced through handle_reject.
oifname "wan" ip daddr { 180.33.26.15, 170.36.24.99 } udp dport { 24681, 24682 } counter packets 0 bytes 0 jump handle_reject comment "!fw4: w sdwan"
oifname "wwan1" ip daddr { 180.33.26.15, 170.36.24.99 } udp dport { 24680, 24682 } counter packets 0 bytes 0 jump handle_reject comment "!fw4: ww sdwan"
oifname "tap-easytether" ip daddr { 180.33.26.15, 170.36.24.99 } udp dport { 24680, 24681 } counter packets 12445 bytes 2083640 jump handle_reject comment "!fw4: et sdwan"
oifname "vbond0" ip daddr { 180.33.26.15, 170.36.24.99 } udp dport 24680-24682 counter packets 0 bytes 0 jump handle_reject comment "!fw4: @rule[43]"
oifname "vbond1" ip daddr { 180.33.26.15, 170.36.24.99 } udp dport 24680-24682 counter packets 0 bytes 0 jump handle_reject comment "!fw4: @rule[44]"
oifname "vbond2" ip daddr { 180.33.26.15, 170.36.24.99 } udp dport 24680-24682 counter packets 22 bytes 3032 jump handle_reject comment "!fw4: @rule[45]"
# Per-zone dispatch by egress interface.
oifname { "wan", "usb0", "wwan1", "tap-easytether" } jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
oifname { "vbond0", "dummy0", "vbond1", "vbond2" } jump output_sdwan_bond comment "!fw4: Handle sdwan_bond IPv4/IPv6 output traffic"
oifname "br-admin" jump output_admin comment "!fw4: Handle admin IPv4/IPv6 output traffic"
oifname "tun0" jump output_ovpn comment "!fw4: Handle ovpn IPv4/IPv6 output traffic"
oifname { "pv", "cs1" } jump output_sdwan_vpn comment "!fw4: Handle sdwan_vpn IPv4/IPv6 output traffic"
oifname "dummy1" jump output_domain comment "!fw4: Handle domain IPv4/IPv6 output traffic"
oifname "br-resident" jump output_resident comment "!fw4: Handle resident IPv4/IPv6 output traffic"
oifname "br-devices" jump output_devices comment "!fw4: Handle devices IPv4/IPv6 output traffic"
oifname "br-guest" jump output_guest comment "!fw4: Handle guest IPv4/IPv6 output traffic"
}
# Conntrack-helper assignment per zone. All helper_* chains in this listing are empty, so
# this chain currently changes nothing.
chain prerouting {
type filter hook prerouting priority filter; policy accept;
iifname { "wan", "usb0", "wwan1", "tap-easytether" } jump helper_wan comment "!fw4: Handle wan IPv4/IPv6 helper assignment"
iifname { "vbond0", "dummy0", "vbond1", "vbond2" } jump helper_sdwan_bond comment "!fw4: Handle sdwan_bond IPv4/IPv6 helper assignment"
iifname "br-admin" jump helper_admin comment "!fw4: Handle admin IPv4/IPv6 helper assignment"
iifname "tun0" jump helper_ovpn comment "!fw4: Handle ovpn IPv4/IPv6 helper assignment"
iifname { "pv", "cs1" } jump helper_sdwan_vpn comment "!fw4: Handle sdwan_vpn IPv4/IPv6 helper assignment"
iifname "dummy1" jump helper_domain comment "!fw4: Handle domain IPv4/IPv6 helper assignment"
iifname "br-resident" jump helper_resident comment "!fw4: Handle resident IPv4/IPv6 helper assignment"
iifname "br-devices" jump helper_devices comment "!fw4: Handle devices IPv4/IPv6 helper assignment"
iifname "br-guest" jump helper_guest comment "!fw4: Handle guest IPv4/IPv6 helper assignment"
}
# Shared reject target: TCP gets a RST, everything else the default ICMP/ICMPv6 reject.
# Both statements are terminating, so a jump here never returns to the caller.
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject comment "!fw4: Reject any other traffic"
}
# Single global SYN limiter (25/s, burst 50) shared by every interface and source.
# NOTE(review): because the meter is not keyed per source address, one noisy source can
# push the whole router over the limit; a per-source meter would isolate that.
chain syn_flood {
limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
drop comment "!fw4: Drop excess packets"
}
# wan zone -> router: the usual fw4 defaults (DHCP renew, ping, IGMP, DHCPv6, MLD from
# link-local, ICMP replies for UDP traceroute), then everything else is dropped.
chain input_wan {
meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
meta nfproto ipv4 meta l4proto igmp counter packets 260 bytes 9360 accept comment "!fw4: Allow-IGMP"
meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 260 bytes 19760 accept comment "!fw4: Allow-MLD"
meta nfproto ipv4 udp dport 33434-33689 counter packets 0 bytes 0 jump handle_reject comment "!fw4: Support-UDP-Traceroute"
jump drop_from_wan
}
chain output_wan {
jump accept_to_wan
}
# wan zone -> anything: no forwarding from the wan side at all.
chain forward_wan {
jump drop_to_wan
}
chain helper_wan {
}
chain accept_to_wan {
oifname { "wan", "usb0", "wwan1", "tap-easytether" } counter packets 10317 bytes 11039288 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
}
chain drop_from_wan {
iifname { "wan", "usb0", "wwan1", "tap-easytether" } counter packets 155 bytes 31128 drop comment "!fw4: drop wan IPv4/IPv6 traffic"
}
chain drop_to_wan {
oifname { "wan", "usb0", "wwan1", "tap-easytether" } counter packets 0 bytes 0 drop comment "!fw4: drop wan IPv4/IPv6 traffic"
}
# sdwan_bond zone -> router: only OSPF (any source on the bond interfaces); the rest is
# logged and rejected.
chain input_sdwan_bond {
meta l4proto ospf counter packets 28804 bytes 2420180 accept comment "!fw4: OSPF WAN"
jump reject_from_sdwan_bond
}
chain output_sdwan_bond {
jump accept_to_sdwan_bond
}
# sdwan_bond zone -> anything: only back into the bond itself is allowed. The log line is
# reached for every other destination, after which the forward policy drops the packet
# (hence the "drop" prefix).
# NOTE(review): this log statement has no `limit rate`, so a burst of disallowed traffic
# floods the kernel log; the same applies to the log statements in reject_from_sdwan_bond,
# reject_to_sdwan_bond, forward_ovpn, forward_sdwan_vpn and reject_from_sdwan_vpn.
chain forward_sdwan_bond {
jump reject_to_sdwan_bond
log prefix "drop sdwan_bond forward: "
}
chain helper_sdwan_bond {
}
chain accept_to_sdwan_bond {
oifname { "vbond0", "dummy0", "vbond1", "vbond2" } counter packets 228785 bytes 18204003 accept comment "!fw4: accept sdwan_bond IPv4/IPv6 traffic"
}
chain reject_from_sdwan_bond {
iifname { "vbond0", "dummy0", "vbond1", "vbond2" } counter packets 133 bytes 5708 log prefix "reject sdwan_bond in: " jump handle_reject comment "!fw4: reject sdwan_bond IPv4/IPv6 traffic"
}
chain reject_to_sdwan_bond {
oifname { "vbond0", "dummy0", "vbond1", "vbond2" } counter packets 0 bytes 0 log prefix "reject sdwan_bond out: " jump handle_reject comment "!fw4: reject sdwan_bond IPv4/IPv6 traffic"
}
# admin zone -> router: everything from br-admin is accepted.
chain input_admin {
jump accept_from_admin
}
chain output_admin {
jump accept_to_admin
}
# admin zone -> anything: may forward to every zone, including back into admin. The
# accept_to_dummy jump is a no-op because that chain is empty.
chain forward_admin {
jump accept_to_guest comment "!fw4: Accept admin to guest forwarding"
jump accept_to_resident comment "!fw4: Accept admin to resident forwarding"
jump accept_to_sdwan_vpn comment "!fw4: Accept admin to sdwan_vpn forwarding"
jump accept_to_ovpn comment "!fw4: Accept admin to ovpn forwarding"
jump accept_to_wan comment "!fw4: Accept admin to wan forwarding"
jump accept_to_domain comment "!fw4: Accept admin to domain forwarding"
jump accept_to_devices comment "!fw4: Accept admin to devices forwarding"
jump accept_to_sdwan_bond comment "!fw4: Accept admin to sdwan_bond forwarding"
jump accept_to_dummy comment "!fw4: Accept admin to dummy forwarding"
jump accept_to_admin
}
chain helper_admin {
}
chain accept_from_admin {
iifname "br-admin" counter packets 71470 bytes 7726524 accept comment "!fw4: accept admin IPv4/IPv6 traffic"
}
chain accept_to_admin {
oifname "br-admin" counter packets 5361 bytes 421912 accept comment "!fw4: accept admin IPv4/IPv6 traffic"
}
# ovpn zone -> router. This chain is only entered for iifname "tun0", and accept_from_ovpn
# accepts everything from tun0, so the two "Admin OVPN Input" rules only add separate
# counters — every OpenVPN client can reach the router's input, not just the admin hosts.
# NOTE(review): confirm that is intended.
chain input_ovpn {
ip saddr { 10.44.3.200, 10.44.3.201 } counter packets 0 bytes 0 accept comment "!fw4: Admin OVPN Input"
ip6 saddr { hhhh:jjjj:fffd::2000, hhhh:jjjj:fffd::2001 } counter packets 21 bytes 1680 accept comment "!fw4: Admin OVPN Input"
jump accept_from_ovpn
}
chain output_ovpn {
jump accept_to_ovpn
}
# ovpn zone -> anything: the two admin clients may reach any zone; other clients may only
# reach resident, sdwan_vpn, devices, sdwan_bond and ovpn itself (accept_to_dummy is empty).
# Anything else (admin, guest, wan, domain) hits the log line and then the forward policy drop.
chain forward_ovpn {
ip saddr { 10.44.3.200, 10.44.3.201 } counter packets 5073 bytes 312302 accept comment "!fw4: Admin OVPN"
ip6 saddr { hhhh:jjjj:fffd::2000, hhhh:jjjj:fffd::2001 } counter packets 24 bytes 1954 accept comment "!fw4: Admin OVPN"
jump accept_to_resident comment "!fw4: Accept ovpn to resident forwarding"
jump accept_to_sdwan_vpn comment "!fw4: Accept ovpn to sdwan_vpn forwarding"
jump accept_to_devices comment "!fw4: Accept ovpn to devices forwarding"
jump accept_to_sdwan_bond comment "!fw4: Accept ovpn to sdwan_bond forwarding"
jump accept_to_dummy comment "!fw4: Accept ovpn to dummy forwarding"
jump accept_to_ovpn
log prefix "drop ovpn forward: "
}
chain helper_ovpn {
}
chain accept_from_ovpn {
iifname "tun0" counter packets 0 bytes 0 accept comment "!fw4: accept ovpn IPv4/IPv6 traffic"
}
chain accept_to_ovpn {
oifname "tun0" counter packets 4 bytes 304 accept comment "!fw4: accept ovpn IPv4/IPv6 traffic"
}
# sdwan_vpn zone -> router: BGP from any source on pv/cs1, plus the admin subnet and the
# listed admin hosts; everything else is logged and rejected.
# NOTE(review): the BGP rule has no source restriction; if the peers are fixed, matching
# their addresses here (in addition to whatever the BGP daemon enforces) narrows exposure.
# The host lists below are consecutive addresses and could be written as ranges
# (e.g. 10.44.1.200-10.44.1.210), which is easier to audit than 22 literals.
chain input_sdwan_vpn {
tcp dport 179 counter packets 125 bytes 9960 accept comment "!fw4: BGP SDWAN"
ip saddr 10.44.2.0/24 counter packets 0 bytes 0 accept comment "!fw4: ADMIN SDWAN"
ip6 saddr hhhh:jjjj:0:2::/64 counter packets 0 bytes 0 accept comment "!fw4: ADMIN SDWAN"
ip saddr { 10.44.1.200, 10.44.1.201, 10.44.1.202, 10.44.1.203, 10.44.1.204, 10.44.1.205, 10.44.1.206, 10.44.1.207, 10.44.1.208, 10.44.1.209, 10.44.1.210, 10.44.2.200, 10.44.2.201, 10.44.2.202, 10.44.2.203, 10.44.2.204, 10.44.2.205, 10.44.2.206, 10.44.2.207, 10.44.2.208, 10.44.2.209, 10.44.2.210 } counter packets 0 bytes 0 accept comment "!fw4: ADMIN SDWAN Input"
ip6 saddr { hhhh:jjjj:fffe::2000, hhhh:jjjj:fffe::2001, hhhh:jjjj:fffe::2002, hhhh:jjjj:fffe::2003, hhhh:jjjj:fffe::2004, hhhh:jjjj:fffe::2005, hhhh:jjjj:fffe::2006, hhhh:jjjj:fffe::2007, hhhh:jjjj:fffe::2008, hhhh:jjjj:fffe::2009, hhhh:jjjj:fffe::2010, hhhh:jjjj:ffff::2000, hhhh:jjjj:ffff::2001, hhhh:jjjj:ffff::2002, hhhh:jjjj:ffff::2003, hhhh:jjjj:ffff::2004, hhhh:jjjj:ffff::2005, hhhh:jjjj:ffff::2006, hhhh:jjjj:ffff::2007, hhhh:jjjj:ffff::2008, hhhh:jjjj:ffff::2009, hhhh:jjjj:ffff::2010 } counter packets 0 bytes 0 accept comment "!fw4: ADMIN SDWAN Input"
jump reject_from_sdwan_vpn
}
chain output_sdwan_vpn {
jump accept_to_sdwan_vpn
}
# sdwan_vpn zone -> anything, keyed on the remote source: admin hosts/subnet go anywhere,
# the resident subnet only to resident, the domain subnet only to domain, and everything
# may go back into sdwan_vpn. Remaining flows are logged and then dropped by the policy.
chain forward_sdwan_vpn {
ip saddr { 10.44.1.200, 10.44.1.201, 10.44.1.202, 10.44.2.200, 10.44.2.201, 10.44.2.202 } ip daddr { 10.44.0.0/8, 192.168.0.0/16 } counter packets 0 bytes 0 accept comment "!fw4: VPN Admin"
ip6 saddr { hhhh:jjjj:fffe::2000, hhhh:jjjj:fffe::2001, hhhh:jjjj:fffe::2002, hhhh:jjjj:ffff::2000, hhhh:jjjj:ffff::2001, hhhh:jjjj:ffff::2002 } ip6 daddr fd00::/8 counter packets 0 bytes 0 accept comment "!fw4: VPN Admin"
ip saddr 10.44.2.0/24 counter packets 0 bytes 0 accept comment "!fw4: Admin SDWAN"
ip6 saddr hhhh:jjjj:0:2::/64 counter packets 0 bytes 0 accept comment "!fw4: Admin SDWAN"
ip saddr 10.44.10.0/24 counter packets 0 bytes 0 jump accept_to_resident comment "!fw4: Resident SDWAN"
ip6 saddr hhhh:jjjj:0:10::/64 counter packets 0 bytes 0 jump accept_to_resident comment "!fw4: Resident SDWAN"
ip saddr 10.44.53.0/27 counter packets 0 bytes 0 jump accept_to_domain comment "!fw4: Domain"
ip6 saddr hhhh:jjjj:53::/62 counter packets 0 bytes 0 jump accept_to_domain comment "!fw4: Domain"
jump accept_to_sdwan_vpn
log prefix "drop sdwan_vpn forward: "
}
chain helper_sdwan_vpn {
}
chain accept_to_sdwan_vpn {
oifname { "pv", "cs1" } counter packets 6890 bytes 545045 accept comment "!fw4: accept sdwan_vpn IPv4/IPv6 traffic"
}
chain reject_from_sdwan_vpn {
iifname { "pv", "cs1" } counter packets 0 bytes 0 log prefix "reject sdwan_vpn in: " jump handle_reject comment "!fw4: reject sdwan_vpn IPv4/IPv6 traffic"
}
# domain zone (dummy1) -> router: nothing is accepted, everything is rejected.
chain input_domain {
jump reject_from_domain
}
chain output_domain {
jump accept_to_domain
}
# domain zone -> wan, sdwan_vpn, sdwan_bond and domain itself (accept_to_dummy is empty).
chain forward_domain {
jump accept_to_wan comment "!fw4: Accept domain to wan forwarding"
jump accept_to_sdwan_vpn comment "!fw4: Accept domain to sdwan_vpn forwarding"
jump accept_to_sdwan_bond comment "!fw4: Accept domain to sdwan_bond forwarding"
jump accept_to_dummy comment "!fw4: Accept domain to dummy forwarding"
jump accept_to_domain
}
chain helper_domain {
}
chain accept_to_domain {
oifname "dummy1" counter packets 0 bytes 0 accept comment "!fw4: accept domain IPv4/IPv6 traffic"
}
chain reject_from_domain {
iifname "dummy1" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject domain IPv4/IPv6 traffic"
}
# resident zone -> router: only OpenVPN (UDP 1194); the rest is rejected. DNS/NTP/DHCP
# for this zone are already accepted by the interface-independent rules in chain input.
chain input_resident {
udp dport 1194 counter packets 0 bytes 0 accept comment "!fw4: Openvpn"
jump reject_from_resident
}
chain output_resident {
jump accept_to_resident
}
# resident zone -> wan, devices, admin, sdwan_vpn, sdwan_bond and resident itself.
# No jump to accept_to_guest / accept_to_ovpn / accept_to_domain, so those destinations
# fall through to the forward policy drop.
chain forward_resident {
jump accept_to_wan comment "!fw4: Accept resident to wan forwarding"
jump accept_to_devices comment "!fw4: Accept resident to devices forwarding"
jump accept_to_admin comment "!fw4: Accept resident to admin forwarding"
jump accept_to_sdwan_vpn comment "!fw4: Accept resident to sdwan_vpn forwarding"
jump accept_to_sdwan_bond comment "!fw4: Accept resident to sdwan_bond forwarding"
jump accept_to_dummy comment "!fw4: Accept resident to dummy forwarding"
jump accept_to_resident
}
chain helper_resident {
}
chain accept_to_resident {
oifname "br-resident" counter packets 6607 bytes 541088 accept comment "!fw4: accept resident IPv4/IPv6 traffic"
}
chain reject_from_resident {
iifname "br-resident" counter packets 2062 bytes 159412 jump handle_reject comment "!fw4: reject resident IPv4/IPv6 traffic"
}
# devices zone -> router: only the Home Assistant host may reach TCP 443 on the router.
chain input_devices {
ip saddr 10.44.19.27 tcp dport 443 counter packets 48 bytes 2880 accept comment "!fw4: Home assistant input"
jump reject_from_devices
}
chain output_devices {
jump accept_to_devices
}
# devices zone -> anything. The "hassio dishy" rule can never match: 10.44.19.27 is not in
# the "Allow VPNGW" source set of chain forward, so its packets to 192.168.100.1 are already
# rejected there by "Deny VPNGW net" before this chain runs (the 0 counter agrees).
# NOTE(review): add 10.44.19.27 to the VPNGW allow set if that flow is wanted.
chain forward_devices {
ip saddr 10.44.19.27 ip daddr 192.168.100.1 tcp dport 9200 counter packets 0 bytes 0 jump accept_to_wan comment "!fw4: hassio dishy"
ip daddr 10.44.18.79 counter packets 0 bytes 0 jump accept_to_admin comment "!fw4: Devices to zabbix"
ip6 daddr hhhh:jjjj:0:42:5054:ff:fecb:aedf counter packets 151 bytes 12080 jump accept_to_admin comment "!fw4: Devices to zabbix"
jump accept_to_wan comment "!fw4: Accept devices to wan forwarding"
jump accept_to_sdwan_vpn comment "!fw4: Accept devices to sdwan_vpn forwarding"
jump accept_to_sdwan_bond comment "!fw4: Accept devices to sdwan_bond forwarding"
jump accept_to_dummy comment "!fw4: Accept devices to dummy forwarding"
jump accept_to_devices
}
chain helper_devices {
}
chain accept_to_devices {
oifname "br-devices" counter packets 25323 bytes 2103215 accept comment "!fw4: accept devices IPv4/IPv6 traffic"
}
chain reject_from_devices {
iifname "br-devices" counter packets 42048 bytes 3413403 jump handle_reject comment "!fw4: reject devices IPv4/IPv6 traffic"
}
# guest zone -> router: DNS/NTP, OpenVPN and DHCPv6; the rest is rejected.
# The two 5353 drop rules are unreachable because chain input accepts mDNS on every
# interface before dispatching here (their counters are 0).
# NOTE(review): DHCPv6 servers listen on UDP 547 only; 548 is not a DHCPv6 port — confirm
# the 547-548 range is intentional.
chain input_guest {
tcp dport { 53, 123 } counter packets 0 bytes 0 accept comment "!fw4: DNS in guest"
udp dport { 53, 123 } counter packets 1087 bytes 75052 accept comment "!fw4: DNS in guest"
udp dport 1194 counter packets 0 bytes 0 accept comment "!fw4: Guest OpenVPN"
tcp dport 5353 counter packets 0 bytes 0 drop comment "!fw4: @rule[21]"
udp dport 5353 counter packets 0 bytes 0 drop comment "!fw4: @rule[21]"
meta nfproto ipv6 udp dport 547-548 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-IPV6"
jump reject_from_guest
}
# router -> guest: the router's own mDNS responder is kept off the guest bridge.
chain output_guest {
tcp sport 5353 counter packets 0 bytes 0 jump drop_to_guest comment "!fw4: @rule[20]"
udp sport 5353 counter packets 0 bytes 0 jump drop_to_guest comment "!fw4: @rule[20]"
jump accept_to_guest
}
# guest zone -> wan, sdwan_bond and guest itself only (accept_to_dummy is empty); guest
# traffic toward admin, resident, devices, ovpn, sdwan_vpn or domain is dropped by policy.
chain forward_guest {
jump accept_to_wan comment "!fw4: Accept guest to wan forwarding"
jump accept_to_sdwan_bond comment "!fw4: Accept guest to sdwan_bond forwarding"
jump accept_to_dummy comment "!fw4: Accept guest to dummy forwarding"
jump accept_to_guest
}
chain helper_guest {
}
chain accept_to_guest {
oifname "br-guest" counter packets 503 bytes 42728 accept comment "!fw4: accept guest IPv4/IPv6 traffic"
}
chain reject_from_guest {
iifname "br-guest" counter packets 2304 bytes 165888 jump handle_reject comment "!fw4: reject guest IPv4/IPv6 traffic"
}
chain drop_to_guest {
oifname "br-guest" counter packets 0 bytes 0 drop comment "!fw4: drop guest IPv4/IPv6 traffic"
}
# "dummy" zone: no interface is dispatched to input_dummy / forward_dummy / output_dummy
# from the base chains, and accept_to_dummy / drop_from_dummy / drop_to_dummy carry no
# rules, so every "Accept <zone> to dummy forwarding" jump above is a no-op. Presumably the
# zone has no device assigned in the uci config — confirm, or remove it.
chain input_dummy {
jump drop_from_dummy
}
chain output_dummy {
jump accept_to_dummy
}
chain forward_dummy {
jump accept_to_wan comment "!fw4: Accept dummy to wan forwarding"
jump accept_to_sdwan_bond comment "!fw4: Accept dummy to sdwan_bond forwarding"
jump drop_to_dummy
}
chain helper_dummy {
}
chain accept_to_dummy {
}
chain drop_from_dummy {
}
chain drop_to_dummy {
}
# No port forwards / destination NAT configured.
chain dstnat {
type nat hook prerouting priority dstnat; policy accept;
}
chain srcnat {
type nat hook postrouting priority srcnat; policy accept;
oifname { "wan", "usb0", "wwan1", "tap-easytether" } jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
}
# Masquerade only toward the three upstream device management addresses. Everything else
# leaving the wan zone keeps its original source address — presumably it is carried by the
# SD-WAN/VPN overlays or NATed upstream; confirm.
chain srcnat_wan {
ip daddr 192.168.100.1 counter packets 1296 bytes 89208 masquerade comment "!fw4: StarlinkModem"
ip daddr 192.168.1.1 counter packets 48 bytes 3148 masquerade comment "!fw4: StarlinkRouter"
ip daddr 192.168.117.1 counter packets 478 bytes 40152 masquerade comment "!fw4: ATTPhone"
}
chain raw_prerouting {
type filter hook prerouting priority raw; policy accept;
}
chain raw_output {
type filter hook output priority raw; policy accept;
}
chain mangle_prerouting {
type filter hook prerouting priority mangle; policy accept;
}
# DSCP marking on wan egress.
# NOTE(review): `ip dscp set` / `ip6 dscp set` are non-terminating, so evaluation continues
# to the next rule. The "DSCP ALL" rules below re-mark every TCP/UDP packet to af11, which
# overwrites the af13 set by the first rule and also the ef/af31 marks applied earlier in
# mangle_forward. If the specific marks are meant to survive, end those rules with
# `return` (or `accept`), or exclude already-marked packets from the catch-all rules.
chain mangle_postrouting {
type filter hook postrouting priority mangle; policy accept;
oifname { "wan", "usb0", "wwan1", "tap-easytether" } ip daddr 130.5.77.2 tcp dport 443 counter packets 0 bytes 0 ip dscp set af13 comment "!fw4: DSCP 0xCBF"
meta nfproto ipv4 meta l4proto tcp oifname { "wan", "usb0", "wwan1", "tap-easytether" } counter packets 152924 bytes 24595274 ip dscp set af11 comment "!fw4: DSCP ALL"
meta nfproto ipv6 meta l4proto tcp oifname { "wan", "usb0", "wwan1", "tap-easytether" } counter packets 0 bytes 0 ip6 dscp set af11 comment "!fw4: DSCP ALL"
meta nfproto ipv4 meta l4proto udp oifname { "wan", "usb0", "wwan1", "tap-easytether" } counter packets 2493781 bytes 419859052 ip dscp set af11 comment "!fw4: DSCP ALL"
meta nfproto ipv6 meta l4proto udp oifname { "wan", "usb0", "wwan1", "tap-easytether" } counter packets 0 bytes 0 ip6 dscp set af11 comment "!fw4: DSCP ALL"
}
chain mangle_input {
type filter hook input priority mangle; policy accept;
}
chain mangle_output {
type route hook output priority mangle; policy accept;
}
# DSCP marking for forwarded traffic (DNS from the domain zone -> ef, Plex -> af31, then
# all TCP/UDP -> af11) followed by per-zone TCP MSS clamping to the route MTU.
# NOTE(review): same overwrite problem as in mangle_postrouting — the four "DSCP ALL" rules
# run after the ef/af31 rules and replace their marks, so the specific classes never reach
# the wire unless those rules terminate (e.g. `... ip dscp set ef return`).
chain mangle_forward {
type filter hook forward priority mangle; policy accept;
meta nfproto ipv4 iifname "dummy1" oifname { "wan", "usb0", "wwan1", "tap-easytether" } tcp dport 53 counter packets 0 bytes 0 ip dscp set ef comment "!fw4: DSCP DNS"
meta nfproto ipv6 iifname "dummy1" oifname { "wan", "usb0", "wwan1", "tap-easytether" } tcp dport 53 counter packets 0 bytes 0 ip6 dscp set ef comment "!fw4: DSCP DNS"
meta nfproto ipv4 iifname "dummy1" oifname { "wan", "usb0", "wwan1", "tap-easytether" } udp dport 53 counter packets 0 bytes 0 ip dscp set ef comment "!fw4: DSCP DNS"
meta nfproto ipv6 iifname "dummy1" oifname { "wan", "usb0", "wwan1", "tap-easytether" } udp dport 53 counter packets 0 bytes 0 ip6 dscp set ef comment "!fw4: DSCP DNS"
meta nfproto ipv4 tcp dport { 20645, 32400 } counter packets 7620 bytes 532860 ip dscp set af31 comment "!fw4: DSCP Plex1"
meta nfproto ipv6 tcp dport { 20645, 32400 } counter packets 0 bytes 0 ip6 dscp set af31 comment "!fw4: DSCP Plex1"
meta nfproto ipv4 meta l4proto tcp counter packets 5151104 bytes 819045955 ip dscp set af11 comment "!fw4: DSCP ALL"
meta nfproto ipv6 meta l4proto tcp counter packets 4622 bytes 369696 ip6 dscp set af11 comment "!fw4: DSCP ALL"
meta nfproto ipv4 meta l4proto udp counter packets 142249 bytes 122183377 ip dscp set af11 comment "!fw4: DSCP ALL"
meta nfproto ipv6 meta l4proto udp counter packets 151 bytes 14208 ip6 dscp set af11 comment "!fw4: DSCP ALL"
# MSS clamping on SYNs crossing the tunnel/wan zones; note there is none for the bridge
# zones, which is the usual fw4 default for plain Ethernet segments.
iifname { "wan", "usb0", "wwan1", "tap-easytether" } tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
oifname { "wan", "usb0", "wwan1", "tap-easytether" } tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
iifname { "vbond0", "dummy0", "vbond1", "vbond2" } tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone sdwan_bond IPv4/IPv6 ingress MTU fixing"
oifname { "vbond0", "dummy0", "vbond1", "vbond2" } tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone sdwan_bond IPv4/IPv6 egress MTU fixing"
iifname "tun0" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone ovpn IPv4/IPv6 ingress MTU fixing"
oifname "tun0" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone ovpn IPv4/IPv6 egress MTU fixing"
iifname { "pv", "cs1" } tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone sdwan_vpn IPv4/IPv6 ingress MTU fixing"
oifname { "pv", "cs1" } tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone sdwan_vpn IPv4/IPv6 egress MTU fixing"
iifname "dummy1" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone domain IPv4/IPv6 ingress MTU fixing"
oifname "dummy1" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone domain IPv4/IPv6 egress MTU fixing"
}
}