+ iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN
+
+ iptables -A INPUT -p tcp -j BADTCP
+ iptables -A FORWARD -p tcp -j BADTCP
+
+ # Connection tracking chain
+ iptables -N CONNTRACK
+ iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+ # Fix for braindead ISP's
+ iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+
+ # CUSTOM chains, can be used by the users themselves
+ iptables -N CUSTOMINPUT
+ iptables -A INPUT -j CUSTOMINPUT
+ iptables -N CUSTOMFORWARD
+ iptables -A FORWARD -j CUSTOMFORWARD
+ iptables -N CUSTOMOUTPUT
+ iptables -A OUTPUT -j CUSTOMOUTPUT
+ iptables -t nat -N CUSTOMPREROUTING
+ iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
+ iptables -t nat -N CUSTOMPOSTROUTING
+ iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
+
+ # Guardian (IPS) chains
+ iptables -N GUARDIAN
+ iptables -A INPUT -j GUARDIAN
+ iptables -A FORWARD -j GUARDIAN
+
+ # Block OpenVPN transfer networks
+ iptables -N OVPNBLOCK
+ iptables -A INPUT -i tun+ -j OVPNBLOCK
+ iptables -A FORWARD -i tun+ -j OVPNBLOCK
+ iptables -A FORWARD -o tun+ -j OVPNBLOCK
+
+ # OpenVPN transfer network translation
+ iptables -t nat -N OVPNNAT
+ iptables -t nat -A POSTROUTING -j OVPNNAT
+
+ # IPTV chains for IGMPPROXY
+ iptables -N IPTVINPUT
+ iptables -A INPUT -j IPTVINPUT
+ iptables -N IPTVFORWARD
+ iptables -A FORWARD -j IPTVFORWARD
+
+ # Allow to ping the firewall.
+ iptables -N ICMPINPUT
+ iptables -A INPUT -j ICMPINPUT
+ iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
+
+ # Accept everything on loopback
+ iptables -N LOOPBACK
+ iptables -A LOOPBACK -i lo -j ACCEPT
+ iptables -A LOOPBACK -o lo -j ACCEPT
+
+ # Filter all packets with loopback addresses on non-loopback interfaces.
+ iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP
+ iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP
+
+ for i in INPUT FORWARD OUTPUT; do
+ iptables -A ${i} -j LOOPBACK
+ done
+
+ # Accept everything connected
+ for i in INPUT FORWARD OUTPUT; do
+ iptables -A ${i} -j CONNTRACK
+ done
+
+ # Allow DHCP
+ iptables -N DHCPINPUT
+ iptables -A DHCPINPUT -p udp --sport 68 --dport 67 -j ACCEPT
+ iptables -A DHCPINPUT -p tcp --sport 68 --dport 67 -j ACCEPT
+
+ iptables -N DHCPOUTPUT
+ iptables -A DHCPOUTPUT -p udp --sport 67 --dport 68 -j ACCEPT
+ iptables -A DHCPOUTPUT -p tcp --sport 67 --dport 68 -j ACCEPT
+
+ # Allow DHCP on GREEN
+ iptables -N DHCPGREENINPUT
+ iptables -N DHCPGREENOUTPUT
+ if [ -n "${GREEN_DEV}" ]; then
+ iptables -A INPUT -i "${GREEN_DEV}" -j DHCPGREENINPUT
+ iptables -A OUTPUT -o "${GREEN_DEV}" -j DHCPGREENOUTPUT
+ fi
+
+ # allow DHCP on BLUE to be turned on/off
+ iptables -N DHCPBLUEINPUT
+ iptables -N DHCPBLUEOUTPUT
+ if [ -n "${BLUE_DEV}" ]; then
+ iptables -A INPUT -i "${BLUE_DEV}" -j DHCPBLUEINPUT
+ iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT
+ fi
+
+ # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
+ iptables -N IPSECINPUT
+ iptables -N IPSECFORWARD
+ iptables -N IPSECOUTPUT
+ iptables -A INPUT -j IPSECINPUT
+ iptables -A FORWARD -j IPSECFORWARD
+ iptables -A OUTPUT -j IPSECOUTPUT
+ iptables -t nat -N IPSECNAT
+ iptables -t nat -A POSTROUTING -j IPSECNAT
+
+ # localhost and ethernet.
+ # Always allow accessing the web GUI from GREEN.
+ iptables -N GUIINPUT
+ iptables -A INPUT -j GUIINPUT
+ iptables -A GUIINPUT -i "${GREEN_DEV}" -p tcp --dport 444 -j ACCEPT
+
+ # WIRELESS chains
+ iptables -N WIRELESSINPUT
+ iptables -A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT
+ iptables -N WIRELESSFORWARD
+ iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
+
+ # OpenVPN
+ iptables -N OVPNINPUT
+ iptables -A INPUT -j OVPNINPUT
+
+ # TOR
+ iptables -N TOR_INPUT
+ iptables -A INPUT -j TOR_INPUT
+
+ # Jump into the actual firewall ruleset.
+ iptables -N INPUTFW
+ iptables -A INPUT -j INPUTFW
+
+ iptables -N OUTGOINGFW
+ iptables -A OUTPUT -j OUTGOINGFW
+
+ iptables -N FORWARDFW
+ iptables -A FORWARD -j FORWARDFW
+
+ # SNAT rules
+ iptables -t nat -N NAT_SOURCE
+ iptables -t nat -A POSTROUTING -j NAT_SOURCE
+
+ # Custom prerouting chains (for transparent proxy)
+ iptables -t nat -N SQUID
+ iptables -t nat -A PREROUTING -j SQUID
+
+ # DNAT rules
+ iptables -t nat -N NAT_DESTINATION
+ iptables -t nat -A PREROUTING -j NAT_DESTINATION
+ iptables -t nat -A OUTPUT -j NAT_DESTINATION
+
+ iptables -t mangle -N NAT_DESTINATION
+ iptables -t mangle -A PREROUTING -j NAT_DESTINATION
+
+ iptables -t nat -N NAT_DESTINATION_FIX
+ iptables -t nat -A POSTROUTING -j NAT_DESTINATION_FIX
+
+ iptables -t nat -A NAT_DESTINATION_FIX \
+ -m mark --mark 1 -j SNAT --to-source "${GREEN_ADDRESS}"
+
+ if [ -n "${BLUE_ADDRESS}" ]; then
+ iptables -t nat -A NAT_DESTINATION_FIX \
+ -m mark --mark 2 -j SNAT --to-source "${BLUE_ADDRESS}"
+ fi
+
+ if [ -n "${ORANGE_ADDRESS}" ]; then
+ iptables -t nat -A NAT_DESTINATION_FIX \
+ -m mark --mark 3 -j SNAT --to-source "${ORANGE_ADDRESS}"
+ fi
+
+ # upnp chain for our upnp daemon
+ iptables -t nat -N UPNPFW
+ iptables -t nat -A PREROUTING -j UPNPFW
+ iptables -N UPNPFW
+ iptables -A FORWARD -m conntrack --ctstate NEW -j UPNPFW