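# IPv4 filter table, in `nft list ruleset` form (the `counter packets N bytes M` values are
# the live counters captured with the dump). INPUT/OUTPUT/FORWARD are the base chains, all
# with policy drop; every other chain is a regular chain reached by `jump`. Rules are
# evaluated top-down and the first terminal verdict (accept/drop/reject/return) wins, so the
# order inside each chain is significant. Two unreachable ALLOWIN rules were removed: a
# 192.168.55.122 -> tcp/2222 entry that was fully shadowed by the any-source tcp/2222 accept
# before it, and an exact duplicate of the 192.168.55.118 -> tcp/9100 entry (both had zero
# counters, consistent with never matching).
table ip filter {
	# Entered from INPUT for SYN packets (syn set, fin/rst/ack clear). Up to 100 SYN/s
	# (burst 150) return to the caller; the excess is logged (at most 30/min, burst 5)
	# and dropped.
	chain SYNFLOOD {
		limit rate 100/second burst 150 packets counter packets 20 bytes 1200 return
		limit rate 30/minute burst 5 packets counter packets 0 bytes 0 log prefix "Firewall: *SYNFLOOD Blocked* "
		counter packets 0 bytes 0 drop
	}

	# Entered from LOCALOUTPUT for outbound UDP. UDP sent by uid 0 (skuid 0) is exempt
	# and returns immediately; other UDP returns while under 100/s (burst 500); the
	# excess is logged (30/min, with the sending uid) and rejected.
	chain UDPFLOOD {
		ip protocol udp skuid 0 counter packets 0 bytes 0 return
		oifname != "lo" ip protocol udp limit rate 100/second burst 500 packets counter packets 2 bytes 152 return
		limit rate 30/minute burst 5 packets counter packets 0 bytes 0 log prefix "Firewall: *UDPFLOOD* " flags skuid
		oifname != "lo" ip protocol udp counter packets 0 bytes 0 reject
	}

	# Final handler for inbound traffic that matched nothing else in INPUT (and for
	# over-limit ICMP echo-requests). The listed tcp/udp ports are dropped without
	# logging; everything else is logged per protocol (rate-limited to 30/min, burst 5)
	# and then dropped.
	chain LOGDROPIN {
		tcp dport 23 counter packets 0 bytes 0 drop
		udp dport 23 counter packets 0 bytes 0 drop
		tcp dport 67 counter packets 0 bytes 0 drop
		udp dport 67 counter packets 0 bytes 0 drop
		tcp dport 68 counter packets 0 bytes 0 drop
		udp dport 68 counter packets 0 bytes 0 drop
		tcp dport 111 counter packets 0 bytes 0 drop
		udp dport 111 counter packets 0 bytes 0 drop
		tcp dport 113 counter packets 0 bytes 0 drop
		udp dport 113 counter packets 0 bytes 0 drop
		tcp dport 135-139 counter packets 0 bytes 0 drop
		udp dport 135-139 counter packets 6 bytes 752 drop
		tcp dport 445 counter packets 0 bytes 0 drop
		udp dport 445 counter packets 0 bytes 0 drop
		tcp dport 500 counter packets 0 bytes 0 drop
		udp dport 500 counter packets 0 bytes 0 drop
		tcp dport 513 counter packets 0 bytes 0 drop
		udp dport 513 counter packets 0 bytes 0 drop
		tcp dport 520 counter packets 0 bytes 0 drop
		udp dport 520 counter packets 0 bytes 0 drop
		ip protocol tcp limit rate 30/minute burst 5 packets counter packets 0 bytes 0 log prefix "Firewall: *TCP_IN Blocked* "
		ip protocol udp limit rate 30/minute burst 5 packets counter packets 13 bytes 7016 log prefix "Firewall: *UDP_IN Blocked* "
		ip protocol icmp limit rate 30/minute burst 5 packets counter packets 0 bytes 0 log prefix "Firewall: *ICMP_IN Blocked* "
		counter packets 19 bytes 9494 drop
	}

	# Final handler for outbound traffic not accepted in OUTPUT: logged per protocol
	# (30/min, burst 5, including the sending uid) and rejected. The TCP log rule only
	# matches outbound SYNs (syn / fin,syn,rst,ack), so non-SYN TCP reaches the reject
	# without a log line.
	chain LOGDROPOUT {
		tcp flags syn / fin,syn,rst,ack limit rate 30/minute burst 5 packets counter packets 0 bytes 0 log prefix "Firewall: *TCP_OUT Blocked* " flags skuid
		ip protocol udp limit rate 30/minute burst 5 packets counter packets 0 bytes 0 log prefix "Firewall: *UDP_OUT Blocked* " flags skuid
		ip protocol icmp limit rate 30/minute burst 5 packets counter packets 0 bytes 0 log prefix "Firewall: *ICMP_OUT Blocked* " flags skuid
		counter packets 0 bytes 0 reject
	}

	# Inbound deny list; currently empty, so the jump from LOCALINPUT falls straight
	# through and returns.
	chain DENYIN {
	}

	# Outbound deny list; currently empty, so the jump from LOCALOUTPUT falls straight
	# through and returns.
	chain DENYOUT {
	}

	# Inbound allow list, evaluated from LOCALINPUT before the generic INPUT rules.
	# NOTE(review): the first rule accepts tcp/2222 from ANY non-loopback source, so a
	# source-restricted 2222 entry placed after it can never match — if 2222 was meant
	# to be limited to 192.168.55.122, this rule is what opens it up. For 192.168.55.118
	# the bare-saddr rule accepts every protocol and port from that host, which makes the
	# preceding tcp/9100 rule redundant apart from its separate counter.
	chain ALLOWIN {
		iifname != "lo" tcp dport 2222 counter packets 120 bytes 25439 accept
		ip saddr 192.168.55.122 iifname != "lo" udp dport 5201 counter packets 0 bytes 0 accept
		ip saddr 192.168.55.122 iifname != "lo" tcp dport 5201 counter packets 0 bytes 0 accept
		ip saddr 192.168.55.122 iifname != "lo" tcp dport 80 counter packets 0 bytes 0 accept
		ip saddr 192.168.55.118 iifname != "lo" tcp dport 9100 counter packets 392 bytes 44906 accept
		ip saddr 192.168.55.118 iifname != "lo" counter packets 0 bytes 0 accept
		ip saddr 192.168.48.1 iifname != "lo" counter packets 5 bytes 448 accept
	}

	# Outbound allow list, evaluated from LOCALOUTPUT: everything addressed to these two
	# hosts is accepted regardless of protocol or port.
	chain ALLOWOUT {
		ip daddr 192.168.55.118 oifname != "lo" counter packets 325 bytes 1175426 accept
		ip daddr 192.168.48.1 oifname != "lo" counter packets 4 bytes 292 accept
	}

	# Dispatches non-loopback input to the allow list and then the (empty) deny list;
	# whatever neither chain accepts returns to INPUT.
	chain LOCALINPUT {
		iifname != "lo" counter packets 992 bytes 180787 jump ALLOWIN
		iifname != "lo" counter packets 475 bytes 109994 jump DENYIN
	}

	# Dispatches non-loopback output to the allow list, the (empty) deny list, and the
	# UDP flood limiter; whatever is not accepted/rejected there returns to OUTPUT.
	chain LOCALOUTPUT {
		oifname != "lo" counter packets 820 bytes 1458325 jump ALLOWOUT
		oifname != "lo" counter packets 491 bytes 282607 jump DENYOUT
		oifname != "lo" ip protocol udp counter packets 2 bytes 152 jump UDPFLOOD
	}

	# Drop target used by every INVALID rule.
	chain INVDROP {
		counter packets 0 bytes 0 drop
	}

	# TCP/conntrack sanity checks applied to both directions; any match drops. In order:
	# conntrack-invalid; no TCP flags set; all six flags set; fin+syn; syn+rst; fin+rst;
	# fin without ack; psh without ack; urg without ack; and a new connection whose first
	# packet is not a plain SYN.
	chain INVALID {
		ct state invalid counter packets 0 bytes 0 jump INVDROP
		tcp flags ! fin,syn,rst,psh,ack,urg counter packets 0 bytes 0 jump INVDROP
		tcp flags fin,syn,rst,psh,ack,urg / fin,syn,rst,psh,ack,urg counter packets 0 bytes 0 jump INVDROP
		tcp flags fin,syn / fin,syn counter packets 0 bytes 0 jump INVDROP
		tcp flags syn,rst / syn,rst counter packets 0 bytes 0 jump INVDROP
		tcp flags fin,rst / fin,rst counter packets 0 bytes 0 jump INVDROP
		tcp flags fin / fin,ack counter packets 0 bytes 0 jump INVDROP
		tcp flags psh / psh,ack counter packets 0 bytes 0 jump INVDROP
		tcp flags urg / ack,urg counter packets 0 bytes 0 jump INVDROP
		tcp flags != syn / fin,syn,rst,ack ct state new counter packets 0 bytes 0 jump INVDROP
	}

	# Base chain, default drop. Order: allow/deny lists, loopback accept, SYN
	# rate-limiting, TCP sanity checks, ICMP (echo-request capped at 1/s burst 5 with the
	# excess logged and dropped; all other ICMP accepted), established/related, then the
	# ports open to any non-loopback source for new connections (tcp 22, 2222, 80, 9100,
	# 5201 and udp 5201); everything else is logged and dropped in LOGDROPIN.
	chain INPUT {
		type filter hook input priority filter; policy drop;
		iifname != "lo" counter packets 992 bytes 180787 jump LOCALINPUT
		iifname "lo" counter packets 108 bytes 5884 accept
		iifname != "lo" tcp flags syn / fin,syn,rst,ack counter packets 20 bytes 1200 jump SYNFLOOD
		iifname != "lo" ip protocol tcp counter packets 479 bytes 101574 jump INVALID
		iifname != "lo" ip protocol icmp icmp type echo-request limit rate 1/second burst 5 packets counter packets 0 bytes 0 accept
		iifname != "lo" ip protocol icmp icmp type echo-request counter packets 0 bytes 0 jump LOGDROPIN
		iifname != "lo" ip protocol icmp counter packets 0 bytes 0 accept
		iifname != "lo" ct state related,established counter packets 445 bytes 99328 accept
		iifname != "lo" ip protocol tcp ct state new tcp dport 22 counter packets 20 bytes 1200 accept
		iifname != "lo" ip protocol tcp ct state new tcp dport 2222 counter packets 0 bytes 0 accept
		iifname != "lo" ip protocol tcp ct state new tcp dport 80 counter packets 0 bytes 0 accept
		iifname != "lo" ip protocol tcp ct state new tcp dport 9100 counter packets 0 bytes 0 accept
		iifname != "lo" ip protocol tcp ct state new tcp dport 5201 counter packets 0 bytes 0 accept
		iifname != "lo" ip protocol udp ct state new udp dport 5201 counter packets 0 bytes 0 accept
		iifname != "lo" counter packets 25 bytes 10246 jump LOGDROPIN
	}

	# Base chain, default drop. NOTE(review): the two `ct state new ... dport 1-65535`
	# rules accept every new outbound TCP and UDP connection, so egress is effectively
	# unrestricted; only traffic that is neither accepted above (ICMP, established/related,
	# any new TCP/UDP) nor dropped by INVALID reaches LOGDROPOUT, whose counters are zero
	# here. The dport/sport 53 rules sit before the INVALID and conntrack checks, so DNS
	# traffic is accepted without passing them.
	chain OUTPUT {
		type filter hook output priority filter; policy drop;
		oifname != "lo" counter packets 820 bytes 1458325 jump LOCALOUTPUT
		oifname != "lo" tcp dport 53 counter packets 0 bytes 0 accept
		oifname != "lo" udp dport 53 counter packets 0 bytes 0 accept
		oifname != "lo" tcp sport 53 counter packets 0 bytes 0 accept
		oifname != "lo" udp sport 53 counter packets 0 bytes 0 accept
		oifname "lo" counter packets 108 bytes 5884 accept
		oifname != "lo" ip protocol tcp counter packets 517 bytes 303905 jump INVALID
		oifname != "lo" ip protocol icmp counter packets 0 bytes 0 accept
		oifname != "lo" ct state related,established counter packets 502 bytes 301265 accept
		oifname != "lo" ip protocol tcp ct state new tcp dport 1-65535 counter packets 0 bytes 0 accept
		oifname != "lo" ip protocol udp ct state new udp dport 1-65535 counter packets 2 bytes 152 accept
		oifname != "lo" counter packets 0 bytes 0 jump LOGDROPOUT
	}

	# Base chain, default drop and no rules: no IPv4 forwarding through this host.
	chain FORWARD {
		type filter hook forward priority filter; policy drop;
	}
}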
# IPv6 filter table. NOTE(review): all three base chains are policy accept and carry no
# rules, so none of the IPv4 restrictions (default drop, per-port allow list, flood and
# INVALID checks, logging) apply to IPv6 traffic. If this host has IPv6 connectivity, every
# listening service is reachable over IPv6 regardless of the IPv4 rules — confirm that IPv6
# is disabled on the host or add matching ip6 rules here.
table ip6 filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
	}

	chain OUTPUT {
		type filter hook output priority filter; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority filter; policy accept;
	}
}
# Empty table: declared but holds no chains or rules, so no IPv4 NAT is performed.
table ip nat {
}
# Empty table: declared but holds no chains or rules.
table ip raw {
}
# Empty table: declared but holds no chains or rules.
table ip mangle {
}
