# Generated by iptables-save v1.4.21 on Fri Sep 12 15:58:36 2014
# nat table: source NAT for one internal range leaving via interface "lup".
# The bracketed pairs on the chain lines are [packets:bytes] counters captured
# at save time; all four built-in chains have policy ACCEPT in this table.
*nat
:PREROUTING ACCEPT [52528:3309822]
:INPUT ACCEPT [17164:1285352]
:OUTPUT ACCEPT [24483:2418536]
:POSTROUTING ACCEPT [23174:2070496]
:lup_masq - [0:0]
# Everything routed out of "lup" is checked by lup_masq.
-A POSTROUTING -o lup -j lup_masq
# Only sources in 10.13.42.0/23 (10.13.42.0-10.13.43.255) are masqueraded;
# any other source leaving via lup keeps its original address.
# NOTE(review): confirm that every internal subnet that should reach the
# uplink is inside this /23; other ranges would leave un-NATed.
-A lup_masq -s 10.13.42.0/23 -j MASQUERADE
COMMIT
# Completed on Fri Sep 12 15:58:36 2014
# Generated by iptables-save v1.4.21 on Fri Sep 12 15:58:36 2014
# mangle table: each built-in chain hands packets to a tc* user chain.
# Of those, only tcpost contains a rule in this dump; tcpre, tcin, tcfor and
# tcout are declared but empty.
*mangle
:PREROUTING ACCEPT [12372787:11033273245]
:INPUT ACCEPT [5927056:6364134411]
:FORWARD ACCEPT [6444905:4669077669]
:OUTPUT ACCEPT [4331909:2273684339]
:POSTROUTING ACCEPT [10779499:6943248611]
:tcfor - [0:0]
:tcin - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING -j tcpre
-A INPUT -j tcin
# Clear the low 8 bits of the packet mark on every forwarded packet before
# tcfor runs; mark bits above 0xff are left untouched.
-A FORWARD -j MARK --set-xmark 0x0/0xff
-A FORWARD -j tcfor
-A OUTPUT -j tcout
-A POSTROUTING -j tcpost
# Fill in the UDP checksum on packets sent to port 68 (DHCP client port) out
# of "vocb". Presumably a workaround for guests behind a virtual NIC that
# receive DHCP replies with an unfinished offloaded checksum -- confirm.
-A tcpost -o vocb -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Fri Sep 12 15:58:36 2014
# Generated by iptables-save v1.4.21 on Fri Sep 12 15:58:36 2014
# raw table: explicit conntrack-helper assignment by destination port.
# The same eleven port/helper pairs are attached in PREROUTING (received
# traffic) and OUTPUT (locally generated traffic).
#
# NOTE(review): none of these rules carries an -i/-o or address match, so a
# helper is attached to matching flows on every interface, including the
# uplink "lup". Helpers parse application payload and register expected
# follow-up connections; those arrive as RELATED and are accepted by the
# "--ctstate RELATED,ESTABLISHED -j ACCEPT" rules in the filter table
# (net-fw, net-loc, net-gst, ...). Keep only the helpers that are actually
# used and scope them to the zones that need them in the generator's helper
# configuration, rather than editing this dump.
*raw
:PREROUTING ACCEPT [12372787:11033273245]
:OUTPUT ACCEPT [4331909:2273684339]
-A PREROUTING -p udp -m udp --dport 10080 -j CT --helper amanda
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
-A PREROUTING -p udp -m udp --dport 1719 -j CT --helper RAS
-A PREROUTING -p tcp -m tcp --dport 1720 -j CT --helper Q.931
-A PREROUTING -p tcp -m tcp --dport 6667 -j CT --helper irc
-A PREROUTING -p udp -m udp --dport 137 -j CT --helper netbios-ns
-A PREROUTING -p tcp -m tcp --dport 1723 -j CT --helper pptp
-A PREROUTING -p tcp -m tcp --dport 6566 -j CT --helper sane
-A PREROUTING -p udp -m udp --dport 5060 -j CT --helper sip
-A PREROUTING -p udp -m udp --dport 161 -j CT --helper snmp
-A PREROUTING -p udp -m udp --dport 69 -j CT --helper tftp
# Same helper set for connections originated by the firewall host itself.
-A OUTPUT -p udp -m udp --dport 10080 -j CT --helper amanda
-A OUTPUT -p tcp -m tcp --dport 21 -j CT --helper ftp
-A OUTPUT -p udp -m udp --dport 1719 -j CT --helper RAS
-A OUTPUT -p tcp -m tcp --dport 1720 -j CT --helper Q.931
-A OUTPUT -p tcp -m tcp --dport 6667 -j CT --helper irc
-A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
-A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
-A OUTPUT -p tcp -m tcp --dport 6566 -j CT --helper sane
-A OUTPUT -p udp -m udp --dport 5060 -j CT --helper sip
-A OUTPUT -p udp -m udp --dport 161 -j CT --helper snmp
-A OUTPUT -p udp -m udp --dport 69 -j CT --helper tftp
COMMIT
# Completed on Fri Sep 12 15:58:36 2014
# Generated by iptables-save v1.4.21 on Fri Sep 12 15:58:36 2014
# filter table: chain declarations.
# INPUT, FORWARD and OUTPUT all default to DROP, so a packet that falls off
# the end of a built-in chain is discarded. "-" marks a user-defined chain,
# which has no policy of its own.
# Naming as used by the rules further down (the "Shorewall:" log prefixes
# suggest the set was compiled by Shorewall):
#   <src>-<dst>    policy chain for traffic from zone <src> to zone <dst>
#                  (fw = this host; net, loc, gst, pvpn, utvm = zones)
#   <zone>_frwd    picks the <src>-<dst> chain by output interface
#   <if>_in/_fwd   per-interface entry chains for INPUT / FORWARD
# Declared but not populated or not referenced in this dump:
#   dynamic        is jumped to from the entry chains but has no rules
#   logdrop, logreject, shorewall   have rules but no rule jumps to them
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Broadcast - [0:0]
:Drop - [0:0]
:Limit - [0:0]
:Reject - [0:0]
:dynamic - [0:0]
:fw-gst - [0:0]
:fw-loc - [0:0]
:fw-net - [0:0]
:fw-pvpn - [0:0]
:fw-utvm - [0:0]
:gst-fw - [0:0]
:gst-loc - [0:0]
:gst-net - [0:0]
:gst-pvpn - [0:0]
:gst-utvm - [0:0]
:gst_frwd - [0:0]
:ldit_fwd - [0:0]
:ldit_in - [0:0]
:lmd_fwd - [0:0]
:lmd_in - [0:0]
:loben_fwd - [0:0]
:loben_in - [0:0]
:loc-fw - [0:0]
:loc-gst - [0:0]
:loc-net - [0:0]
:loc-pvpn - [0:0]
:loc-utvm - [0:0]
:loc_frwd - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:lua_fwd - [0:0]
:lua_in - [0:0]
:net-fw - [0:0]
:net-gst - [0:0]
:net-loc - [0:0]
:net-pvpn - [0:0]
:net-utvm - [0:0]
:net_frwd - [0:0]
:pvpn-fw - [0:0]
:pvpn-gst - [0:0]
:pvpn-loc - [0:0]
:pvpn-net - [0:0]
:pvpn-utvm - [0:0]
:pvpn_frwd - [0:0]
:reject - [0:0]
:shorewall - [0:0]
:smurflog - [0:0]
:smurfs - [0:0]
:tcpflags - [0:0]
:utvm-fw - [0:0]
:utvm-gst - [0:0]
:utvm-loc - [0:0]
:utvm-net - [0:0]
:utvm-pvpn - [0:0]
:utvm_frwd - [0:0]
:vshit_fwd - [0:0]
:vshit_in - [0:0]
:wg_fwd - [0:0]
:wg_in - [0:0]
:wt_fwd - [0:0]
:wt_in - [0:0]
# Built-in chains: dispatch by interface. The interface-to-zone mapping that
# these rules establish is:
#   lup                          -> net
#   lmd, ldit, loben, wt, vshit  -> loc
#   lua, wg                      -> gst
#   vpriv                        -> pvpn
#   vocb                         -> utvm
#
# INPUT: traffic addressed to the firewall host itself.
-A INPUT -i lup -j net-fw
-A INPUT -i lmd -j lmd_in
-A INPUT -i ldit -j ldit_in
-A INPUT -i loben -j loben_in
-A INPUT -i wt -j wt_in
-A INPUT -i vshit -j vshit_in
-A INPUT -i lua -j lua_in
-A INPUT -i wg -j wg_in
-A INPUT -i vpriv -j pvpn-fw
-A INPUT -i vocb -j utvm-fw
# Loopback is accepted unconditionally.
-A INPUT -i lo -j ACCEPT
# Catch-all for interfaces not listed above and for packets that RETURNed
# from a zone chain (the multicast rules): Reject disposes of common noise
# without logging, the remainder is logged and then answered by "reject".
# -g is a goto, so control does not come back here afterwards.
-A INPUT -j Reject
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6
-A INPUT -g reject
# FORWARD: routed traffic, dispatched by input interface to a chain that then
# selects the zone-pair chain by output interface.
-A FORWARD -i lup -j net_frwd
-A FORWARD -i lmd -j lmd_fwd
-A FORWARD -i ldit -j ldit_fwd
-A FORWARD -i loben -j loben_fwd
-A FORWARD -i wt -j wt_fwd
-A FORWARD -i vshit -j vshit_fwd
-A FORWARD -i lua -j lua_fwd
-A FORWARD -i wg -j wg_fwd
-A FORWARD -i vpriv -j pvpn_frwd
-A FORWARD -i vocb -j utvm_frwd
# Same catch-all as INPUT. This is also where packets land whose
# input/output pair has no rule in the *_frwd chains (for example
# lup -> lup, or vpriv -> vpriv).
-A FORWARD -j Reject
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
-A FORWARD -g reject
# OUTPUT: traffic generated by the firewall host, dispatched by output
# interface. The policy is DROP, but fw-net, fw-loc and fw-pvpn each end in an
# unconditional ACCEPT, so egress from the host is only restricted towards
# the gst (lua, wg) and utvm (vocb) zones.
-A OUTPUT -o lup -j fw-net
-A OUTPUT -o lmd -j fw-loc
-A OUTPUT -o ldit -j fw-loc
-A OUTPUT -o loben -j fw-loc
-A OUTPUT -o wt -j fw-loc
-A OUTPUT -o vshit -j fw-loc
-A OUTPUT -o lua -j fw-gst
-A OUTPUT -o wg -j fw-gst
-A OUTPUT -o vpriv -j fw-pvpn
-A OUTPUT -o vocb -j fw-utvm
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j Reject
-A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:REJECT:" --log-level 6
-A OUTPUT -g reject
# Shared action chains. Drop and Reject run before the LOG rule of a policy
# chain and dispose of routine noise so it does not reach the log; packets
# that match nothing here return to the caller.
#
# Broadcast: silently discard anything whose destination is a broadcast,
# multicast or anycast address.
-A Broadcast -m addrtype --dst-type BROADCAST -j DROP
-A Broadcast -m addrtype --dst-type MULTICAST -j DROP
-A Broadcast -m addrtype --dst-type ANYCAST -j DROP
# Drop: used by the net-* chains (policy DROP).
# The first rule has no match and no target, so it only counts packets.
-A Drop
-A Drop -j Broadcast
# ICMP type 3 code 4 (fragmentation needed) and type 11 (time exceeded) are
# ACCEPTed here, i.e. they are let through even where the caller's policy is
# to drop; the first is required for path-MTU discovery.
-A Drop -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Drop -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Drop -m conntrack --ctstate INVALID -j DROP
# SMB/NetBIOS and UPnP discovery traffic: dropped without logging.
-A Drop -p udp -m multiport --dports 135,445 -m comment --comment SMB -j DROP
-A Drop -p udp -m udp --dport 137:139 -m comment --comment SMB -j DROP
-A Drop -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment SMB -j DROP
-A Drop -p tcp -m multiport --dports 135,139,445 -m comment --comment SMB -j DROP
-A Drop -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP
# TCP segments that are not an initial SYN (and were not accepted earlier as
# ESTABLISHED) are dropped without logging.
-A Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A Drop -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
# Limit: per-source rate limit, reached from net-fw for TCP port 22.
# Each packet records its source address in the "SSHA" list; if that makes two
# or more hits within 60 seconds the packet is dropped, otherwise accepted.
# net-fw accepts ESTABLISHED traffic before it jumps here, so in effect one
# new SSH connection attempt per source address per minute gets through.
# The limit is keyed on the source address only: it slows repeated attempts
# from one address, not attempts spread over many addresses.
-A Limit -m recent --set --name SSHA --mask 255.255.255.255 --rsource
-A Limit -m recent --update --seconds 60 --hitcount 2 --name SSHA --mask 255.255.255.255 --rsource -j DROP
-A Limit -j ACCEPT
# Reject: counterpart of Drop for chains whose policy is REJECT. The SMB
# rules answer via the "reject" chain instead of dropping; the other rules are
# the same as in Drop.
-A Reject
-A Reject -j Broadcast
-A Reject -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Reject -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Reject -m conntrack --ctstate INVALID -j DROP
-A Reject -p udp -m multiport --dports 135,445 -m comment --comment SMB -j reject
-A Reject -p udp -m udp --dport 137:139 -m comment --comment SMB -j reject
-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment SMB -j reject
-A Reject -p tcp -m multiport --dports 135,139,445 -m comment --comment SMB -j reject
-A Reject -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP
-A Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A Reject -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
# fw-*: connections originated by the firewall host, per destination zone.
#
# fw-gst: towards the guest zone only DHCP (UDP 67-68) and replies to existing
# connections are allowed. Multicast RETURNs to OUTPUT, where the Broadcast
# chain (via Reject) drops it without logging. Everything else is logged and
# rejected.
-A fw-gst -p udp -m udp --dport 67:68 -j ACCEPT
-A fw-gst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw-gst -d 224.0.0.0/4 -j RETURN
-A fw-gst -j Reject
-A fw-gst -j LOG --log-prefix "Shorewall:fw-gst:REJECT:" --log-level 6
-A fw-gst -g reject
# fw-loc: the final rule accepts everything, so the two rules before it do
# not change the outcome.
-A fw-loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw-loc -p icmp -j ACCEPT
-A fw-loc -j ACCEPT
# fw-net: the final rule accepts everything, so the DHCP, DNS and ICMP rules
# above it are redundant while it is present. They become the effective
# allow-list only if the catch-all is replaced by a reject/drop policy.
-A fw-net -p udp -m udp --dport 67:68 -j ACCEPT
-A fw-net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw-net -p udp -m udp --dport 53 -m comment --comment DNS -j ACCEPT
-A fw-net -p tcp -m tcp --dport 53 -m comment --comment DNS -j ACCEPT
-A fw-net -p icmp -j ACCEPT
-A fw-net -j ACCEPT
# fw-pvpn: unrestricted.
-A fw-pvpn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw-pvpn -j ACCEPT
# fw-utvm: same shape as fw-gst -- DHCP and replies only, the rest is logged
# and rejected.
-A fw-utvm -p udp -m udp --dport 67:68 -j ACCEPT
-A fw-utvm -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw-utvm -d 224.0.0.0/4 -j RETURN
-A fw-utvm -j Reject
-A fw-utvm -j LOG --log-prefix "Shorewall:fw-utvm:REJECT:" --log-level 6
-A fw-utvm -g reject
# gst-*: traffic from the guest zone (interfaces lua and wg).
#
# gst-fw: guests may use the firewall host as a DNS server (UDP/TCP 53);
# anything else addressed to the host is logged and rejected. DHCP from
# guests is accepted earlier, in lua_in / wg_in.
-A gst-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A gst-fw -p udp -m udp --dport 53 -m comment --comment DNS -j ACCEPT
-A gst-fw -p tcp -m tcp --dport 53 -m comment --comment DNS -j ACCEPT
-A gst-fw -d 224.0.0.0/4 -j RETURN
-A gst-fw -j Reject
-A gst-fw -j LOG --log-prefix "Shorewall:gst-fw:REJECT:" --log-level 6
-A gst-fw -g reject
# gst-loc: guests cannot open connections into the local zone; only replies
# to connections started from the other side pass.
# NOTE(review): RELATED also covers connections expected by the conntrack
# helpers assigned in the raw table.
-A gst-loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A gst-loc -d 224.0.0.0/4 -j RETURN
-A gst-loc -j Reject
-A gst-loc -j LOG --log-prefix "Shorewall:gst-loc:REJECT:" --log-level 6
-A gst-loc -g reject
# gst-net: guests have unrestricted access to the uplink; the final ACCEPT
# makes the state rule above it redundant.
-A gst-net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A gst-net -j ACCEPT
# gst-pvpn / gst-utvm: replies only, everything else logged and rejected.
-A gst-pvpn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A gst-pvpn -d 224.0.0.0/4 -j RETURN
-A gst-pvpn -j Reject
-A gst-pvpn -j LOG --log-prefix "Shorewall:gst-pvpn:REJECT:" --log-level 6
-A gst-pvpn -g reject
-A gst-utvm -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A gst-utvm -d 224.0.0.0/4 -j RETURN
-A gst-utvm -j Reject
-A gst-utvm -j LOG --log-prefix "Shorewall:gst-utvm:REJECT:" --log-level 6
-A gst-utvm -g reject
# gst_frwd: choose the zone-pair chain by output interface.
# Traffic between the two guest interfaces (lua, wg), in either direction or
# back out of the same interface, is accepted without further checks, so
# hosts on the guest networks are not isolated from each other at this layer.
-A gst_frwd -o lup -j gst-net
-A gst_frwd -o lmd -j gst-loc
-A gst_frwd -o ldit -j gst-loc
-A gst_frwd -o loben -j gst-loc
-A gst_frwd -o wt -j gst-loc
-A gst_frwd -o vshit -j gst-loc
-A gst_frwd -o lua -j ACCEPT
-A gst_frwd -o wg -j ACCEPT
-A gst_frwd -o vpriv -j gst-pvpn
-A gst_frwd -o vocb -j gst-utvm
# Entry chains for three of the local-zone interfaces (ldit, lmd, loben).
# Each one applies the same pre-checks before handing over to the zone chain:
#   1. packets that are not part of an established flow go through "dynamic"
#      (empty in this dump) and "smurfs" (broadcast/multicast source check);
#   2. all TCP goes through "tcpflags" (illegal flag combinations);
#   3. *_fwd continues in loc_frwd, *_in continues in loc-fw.
-A ldit_fwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A ldit_fwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j smurfs
-A ldit_fwd -p tcp -j tcpflags
-A ldit_fwd -j loc_frwd
-A ldit_in -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A ldit_in -m conntrack --ctstate INVALID,NEW,UNTRACKED -j smurfs
-A ldit_in -p tcp -j tcpflags
-A ldit_in -j loc-fw
-A lmd_fwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A lmd_fwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j smurfs
-A lmd_fwd -p tcp -j tcpflags
-A lmd_fwd -j loc_frwd
-A lmd_in -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A lmd_in -m conntrack --ctstate INVALID,NEW,UNTRACKED -j smurfs
-A lmd_in -p tcp -j tcpflags
-A lmd_in -j loc-fw
-A loben_fwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A loben_fwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j smurfs
-A loben_fwd -p tcp -j tcpflags
-A loben_fwd -j loc_frwd
-A loben_in -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A loben_in -m conntrack --ctstate INVALID,NEW,UNTRACKED -j smurfs
-A loben_in -p tcp -j tcpflags
-A loben_in -j loc-fw
# loc-*: traffic from the local zone (lmd, ldit, loben, wt, vshit).
#
# loc-fw: the final rule accepts everything, so every host on a local
# interface can reach every service listening on the firewall host. The SSH
# and Ping rules above it are redundant while the catch-all is present.
# NOTE(review): if only SSH and ping are meant to be reachable from the local
# zone, the loc->fw policy has to be changed in the generator's
# configuration; the explicit rules alone do not restrict anything.
-A loc-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A loc-fw -p tcp -m tcp --dport 22 -m comment --comment SSH -j ACCEPT
-A loc-fw -p icmp -m icmp --icmp-type 8 -m comment --comment Ping -j ACCEPT
-A loc-fw -j ACCEPT
# loc-gst: replies only; new connections from local to guest are logged and
# rejected.
-A loc-gst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A loc-gst -d 224.0.0.0/4 -j RETURN
-A loc-gst -j Reject
-A loc-gst -j LOG --log-prefix "Shorewall:loc-gst:REJECT:" --log-level 6
-A loc-gst -g reject
# loc-net: unrestricted access to the uplink.
-A loc-net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A loc-net -j ACCEPT
# loc-pvpn / loc-utvm: replies only, everything else logged and rejected.
-A loc-pvpn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A loc-pvpn -d 224.0.0.0/4 -j RETURN
-A loc-pvpn -j Reject
-A loc-pvpn -j LOG --log-prefix "Shorewall:loc-pvpn:REJECT:" --log-level 6
-A loc-pvpn -g reject
-A loc-utvm -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A loc-utvm -d 224.0.0.0/4 -j RETURN
-A loc-utvm -j Reject
-A loc-utvm -j LOG --log-prefix "Shorewall:loc-utvm:REJECT:" --log-level 6
-A loc-utvm -g reject
# loc_frwd: choose the zone-pair chain by output interface. Forwarding among
# the five local interfaces is accepted outright, so they form one flat trust
# domain as far as this ruleset is concerned.
-A loc_frwd -o lup -j loc-net
-A loc_frwd -o lmd -j ACCEPT
-A loc_frwd -o ldit -j ACCEPT
-A loc_frwd -o loben -j ACCEPT
-A loc_frwd -o wt -j ACCEPT
-A loc_frwd -o vshit -j ACCEPT
-A loc_frwd -o lua -j loc-gst
-A loc_frwd -o wg -j loc-gst
-A loc_frwd -o vpriv -j loc-pvpn
-A loc_frwd -o vocb -j loc-utvm
# Logging helper chains.
# logdrop and logreject contain no LOG rule in this dump, so despite their
# names they only drop / reject; no rule in this dump jumps to either.
-A logdrop -j DROP
# logflags: target of the tcpflags chain. Logs the packet (including IP
# options) and then drops it.
-A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level 6 --log-ip-options
-A logflags -j DROP
-A logreject -j reject
# Entry chains for guest interface "lua": pre-checks (dynamic, smurfs,
# tcpflags), then gst_frwd for routed traffic or gst-fw for traffic to the
# firewall host.
-A lua_fwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A lua_fwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j smurfs
-A lua_fwd -p tcp -j tcpflags
-A lua_fwd -j gst_frwd
-A lua_in -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A lua_in -m conntrack --ctstate INVALID,NEW,UNTRACKED -j smurfs
# DHCP (UDP 67-68) from guests to the firewall host is accepted before the
# zone policy is consulted.
-A lua_in -p udp -m udp --dport 67:68 -j ACCEPT
-A lua_in -p tcp -j tcpflags
-A lua_in -j gst-fw
# net-*: traffic arriving on the uplink interface "lup". Policy is DROP with
# logging; the Drop chain removes routine noise before the LOG rule.
#
# net-fw: uplink -> firewall host. What is reachable from the uplink:
#   - UDP 67-68 from any source address (DHCP on the uplink),
#   - replies to existing connections, including RELATED flows,
#   - TCP 22, rate-limited per source by the Limit chain.
# Echo requests are dropped without logging.
# NOTE(review): RELATED includes connections expected by the conntrack
# helpers that the raw table attaches on all interfaces; see that table when
# assessing what can reach the host from the uplink.
-A net-fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A net-fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j smurfs
-A net-fw -p udp -m udp --dport 67:68 -j ACCEPT
-A net-fw -p tcp -j tcpflags
-A net-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net-fw -p tcp -m conntrack --ctstate INVALID -j DROP
-A net-fw -p icmp -m icmp --icmp-type 8 -m comment --comment Ping -j DROP
-A net-fw -p tcp -m tcp --dport 22 -j Limit
# Multicast returns to INPUT, where Broadcast (via Reject) drops it silently.
-A net-fw -d 224.0.0.0/4 -j RETURN
-A net-fw -j Drop
-A net-fw -j LOG --log-prefix "Shorewall:net-fw:DROP:" --log-level 6
-A net-fw -j DROP
# net-gst, net-loc, net-pvpn, net-utvm: nothing can be initiated from the
# uplink towards an internal zone; only replies to connections opened from
# inside pass. Everything else is logged and dropped.
-A net-gst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net-gst -p tcp -m conntrack --ctstate INVALID -j DROP
-A net-gst -d 224.0.0.0/4 -j RETURN
-A net-gst -j Drop
-A net-gst -j LOG --log-prefix "Shorewall:net-gst:DROP:" --log-level 6
-A net-gst -j DROP
-A net-loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net-loc -p tcp -m conntrack --ctstate INVALID -j DROP
-A net-loc -d 224.0.0.0/4 -j RETURN
-A net-loc -j Drop
-A net-loc -j LOG --log-prefix "Shorewall:net-loc:DROP:" --log-level 6
-A net-loc -j DROP
-A net-pvpn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net-pvpn -p tcp -m conntrack --ctstate INVALID -j DROP
-A net-pvpn -d 224.0.0.0/4 -j RETURN
-A net-pvpn -j Drop
-A net-pvpn -j LOG --log-prefix "Shorewall:net-pvpn:DROP:" --log-level 6
-A net-pvpn -j DROP
-A net-utvm -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net-utvm -p tcp -m conntrack --ctstate INVALID -j DROP
-A net-utvm -d 224.0.0.0/4 -j RETURN
-A net-utvm -j Drop
-A net-utvm -j LOG --log-prefix "Shorewall:net-utvm:DROP:" --log-level 6
-A net-utvm -j DROP
# net_frwd: pre-checks, then choose the zone-pair chain by output interface.
# There is no "-o lup" rule: traffic that would be routed back out of the
# uplink falls through to the Reject/LOG/reject tail of FORWARD.
-A net_frwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A net_frwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j smurfs
-A net_frwd -p tcp -j tcpflags
-A net_frwd -o lmd -j net-loc
-A net_frwd -o ldit -j net-loc
-A net_frwd -o loben -j net-loc
-A net_frwd -o wt -j net-loc
-A net_frwd -o vshit -j net-loc
-A net_frwd -o lua -j net-gst
-A net_frwd -o wg -j net-gst
-A net_frwd -o vpriv -j net-pvpn
-A net_frwd -o vocb -j net-utvm
# pvpn-*: traffic arriving on interface "vpriv".
#
# pvpn-fw: after the pre-checks everything is accepted, so peers behind vpriv
# have unrestricted access to the firewall host.
# NOTE(review): this is the widest inbound policy in the ruleset apart from
# loc-fw; confirm that every peer that can send traffic on vpriv is trusted
# to that degree.
-A pvpn-fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A pvpn-fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j smurfs
-A pvpn-fw -p tcp -j tcpflags
-A pvpn-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A pvpn-fw -j ACCEPT
# pvpn-gst, pvpn-loc, pvpn-net, pvpn-utvm: routed traffic from vpriv is
# limited to replies; new connections are logged and rejected.
-A pvpn-gst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A pvpn-gst -d 224.0.0.0/4 -j RETURN
-A pvpn-gst -j Reject
-A pvpn-gst -j LOG --log-prefix "Shorewall:pvpn-gst:REJECT:" --log-level 6
-A pvpn-gst -g reject
-A pvpn-loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A pvpn-loc -d 224.0.0.0/4 -j RETURN
-A pvpn-loc -j Reject
-A pvpn-loc -j LOG --log-prefix "Shorewall:pvpn-loc:REJECT:" --log-level 6
-A pvpn-loc -g reject
-A pvpn-net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A pvpn-net -d 224.0.0.0/4 -j RETURN
-A pvpn-net -j Reject
-A pvpn-net -j LOG --log-prefix "Shorewall:pvpn-net:REJECT:" --log-level 6
-A pvpn-net -g reject
-A pvpn-utvm -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A pvpn-utvm -d 224.0.0.0/4 -j RETURN
-A pvpn-utvm -j Reject
-A pvpn-utvm -j LOG --log-prefix "Shorewall:pvpn-utvm:REJECT:" --log-level 6
-A pvpn-utvm -g reject
# pvpn_frwd: pre-checks, then choose the zone-pair chain by output interface.
# There is no "-o vpriv" rule, so vpriv -> vpriv forwarding falls through to
# the Reject/LOG/reject tail of FORWARD.
-A pvpn_frwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A pvpn_frwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j smurfs
-A pvpn_frwd -p tcp -j tcpflags
-A pvpn_frwd -o lup -j pvpn-net
-A pvpn_frwd -o lmd -j pvpn-loc
-A pvpn_frwd -o ldit -j pvpn-loc
-A pvpn_frwd -o loben -j pvpn-loc
-A pvpn_frwd -o wt -j pvpn-loc
-A pvpn_frwd -o vshit -j pvpn-loc
-A pvpn_frwd -o lua -j pvpn-gst
-A pvpn_frwd -o wg -j pvpn-gst
-A pvpn_frwd -o vocb -j pvpn-utvm
# reject: final disposition for REJECT policies. Packets with a broadcast or
# multicast source, and IGMP, are dropped silently so that no error is sent
# towards such addresses. Otherwise the sender gets a protocol-appropriate
# answer: TCP reset, ICMP port-unreachable for UDP, host-unreachable for
# ICMP, host-prohibited for anything else.
-A reject -m addrtype --src-type BROADCAST -j DROP
-A reject -s 224.0.0.0/4 -j DROP
-A reject -p igmp -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
# shorewall: no rule in this dump jumps here. The list name is the literal
# text "%CURRENTTIME" -- presumably a placeholder the generator did not
# substitute in this capture; confirm against the generator's output.
-A shorewall -m recent --set --name %CURRENTTIME --mask 255.255.255.255 --rsource
# smurflog / smurfs: log and drop packets whose SOURCE address is a broadcast
# or multicast address. Source 0.0.0.0 is exempted first (presumably for
# DHCP clients that have no address yet). The -g gotos mean smurflog's DROP is
# final and control never comes back to smurfs.
-A smurflog -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurflog -j DROP
-A smurfs -s 0.0.0.0/32 -j RETURN
-A smurfs -m addrtype --src-type BROADCAST -g smurflog
-A smurfs -s 224.0.0.0/4 -g smurflog
# tcpflags: TCP flag combinations that no conforming stack sends are logged
# and dropped via logflags. In order: FIN+PSH+URG without the other flags,
# no flags at all, SYN+RST, FIN+SYN, and an initial SYN from source port 0.
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g logflags
-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g logflags
# utvm-*: traffic arriving on interface "vocb". This is the most restricted
# zone in the ruleset: egress is an explicit allow-list.
#
# utvm-fw: hosts on vocb may use the firewall host for DHCP (UDP 67-68) and
# DNS (UDP/TCP 53) only; anything else is logged and rejected.
-A utvm-fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A utvm-fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j smurfs
-A utvm-fw -p udp -m udp --dport 67:68 -j ACCEPT
-A utvm-fw -p tcp -j tcpflags
-A utvm-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A utvm-fw -p udp -m udp --dport 53 -m comment --comment DNS -j ACCEPT
-A utvm-fw -p tcp -m tcp --dport 53 -m comment --comment DNS -j ACCEPT
-A utvm-fw -d 224.0.0.0/4 -j RETURN
-A utvm-fw -j Reject
-A utvm-fw -j LOG --log-prefix "Shorewall:utvm-fw:REJECT:" --log-level 6
-A utvm-fw -g reject
# utvm-gst / utvm-loc: replies only, everything else logged and rejected.
-A utvm-gst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A utvm-gst -d 224.0.0.0/4 -j RETURN
-A utvm-gst -j Reject
-A utvm-gst -j LOG --log-prefix "Shorewall:utvm-gst:REJECT:" --log-level 6
-A utvm-gst -g reject
-A utvm-loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A utvm-loc -d 224.0.0.0/4 -j RETURN
-A utvm-loc -j Reject
-A utvm-loc -j LOG --log-prefix "Shorewall:utvm-loc:REJECT:" --log-level 6
-A utvm-loc -g reject
# utvm-net: egress allow-list towards the uplink.
#   81.169.168.252  UDP 1194 and TCP 80
#   8.8.8.8         DNS over UDP and TCP
#   141.76.2.4      any TCP port
# NOTE(review): two things differ from the sibling chains and are worth
# confirming as intended: (1) the 141.76.2.4 rule has no --dport, so every
# TCP service on that host is reachable; (2) there is no LOG rule before the
# final reject, so blocked egress attempts from this zone leave no log entry,
# which removes a useful signal if a host on vocb starts probing outwards.
-A utvm-net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A utvm-net -d 81.169.168.252/32 -p udp -m udp --dport 1194 -j ACCEPT
-A utvm-net -d 81.169.168.252/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A utvm-net -d 8.8.8.8/32 -p udp -m udp --dport 53 -m comment --comment DNS -j ACCEPT
-A utvm-net -d 8.8.8.8/32 -p tcp -m tcp --dport 53 -m comment --comment DNS -j ACCEPT
-A utvm-net -d 141.76.2.4/32 -p tcp -j ACCEPT
-A utvm-net -d 224.0.0.0/4 -j RETURN
-A utvm-net -j Reject
-A utvm-net -g reject
# utvm-pvpn: replies only, everything else logged and rejected.
-A utvm-pvpn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A utvm-pvpn -d 224.0.0.0/4 -j RETURN
-A utvm-pvpn -j Reject
-A utvm-pvpn -j LOG --log-prefix "Shorewall:utvm-pvpn:REJECT:" --log-level 6
-A utvm-pvpn -g reject
# utvm_frwd: pre-checks, then choose the zone-pair chain by output interface.
# The final rule accepts vocb -> vocb forwarding outright, which makes the
# DHCP rule for "-o vocb" above it redundant and means hosts behind vocb are
# not isolated from one another by this ruleset.
-A utvm_frwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A utvm_frwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j smurfs
-A utvm_frwd -o vocb -p udp -m udp --dport 67:68 -j ACCEPT
-A utvm_frwd -p tcp -j tcpflags
-A utvm_frwd -o lup -j utvm-net
-A utvm_frwd -o lmd -j utvm-loc
-A utvm_frwd -o ldit -j utvm-loc
-A utvm_frwd -o loben -j utvm-loc
-A utvm_frwd -o wt -j utvm-loc
-A utvm_frwd -o vshit -j utvm-loc
-A utvm_frwd -o lua -j utvm-gst
-A utvm_frwd -o wg -j utvm-gst
-A utvm_frwd -o vpriv -j utvm-pvpn
-A utvm_frwd -o vocb -j ACCEPT
# Entry chains for the remaining interfaces. All apply the same pre-checks:
# non-established packets go through "dynamic" (empty in this dump) and
# "smurfs", TCP goes through "tcpflags", then the zone chain takes over.
#   vshit, wt -> local zone (loc_frwd / loc-fw)
#   wg        -> guest zone (gst_frwd / gst-fw)
-A vshit_fwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A vshit_fwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j smurfs
-A vshit_fwd -p tcp -j tcpflags
-A vshit_fwd -j loc_frwd
-A vshit_in -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A vshit_in -m conntrack --ctstate INVALID,NEW,UNTRACKED -j smurfs
-A vshit_in -p tcp -j tcpflags
-A vshit_in -j loc-fw
-A wg_fwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A wg_fwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j smurfs
-A wg_fwd -p tcp -j tcpflags
-A wg_fwd -j gst_frwd
-A wg_in -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A wg_in -m conntrack --ctstate INVALID,NEW,UNTRACKED -j smurfs
# DHCP (UDP 67-68) from guests on wg is accepted before the gst-fw policy.
-A wg_in -p udp -m udp --dport 67:68 -j ACCEPT
-A wg_in -p tcp -j tcpflags
-A wg_in -j gst-fw
-A wt_fwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A wt_fwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j smurfs
-A wt_fwd -p tcp -j tcpflags
-A wt_fwd -j loc_frwd
-A wt_in -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A wt_in -m conntrack --ctstate INVALID,NEW,UNTRACKED -j smurfs
-A wt_in -p tcp -j tcpflags
-A wt_in -j loc-fw
# End of the filter table; iptables-restore applies the table atomically here.
COMMIT
# Completed on Fri Sep 12 15:58:36 2014
