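# Stateful IPv4 host firewall (CSF/LFD-style chain layout rendered as nftables).
# nftables is first-match within a chain, and INPUT/OUTPUT consult the LOCAL*
# chains before any flood or flag checks, so a source accepted by ALLOWIN
# bypasses SYNFLOOD and INVALID entirely.
# The `counter` statements carry no values: the original was a `nft list
# ruleset` dump whose packet/byte counts are runtime state and would have been
# re-seeded on every load.
table ip filter {
	# Reached from INPUT for new TCP SYNs only. Up to 100 SYN/s (burst 150)
	# return to the caller; a sample of the excess is logged, the rest dropped.
	chain SYNFLOOD {
		limit rate 100/second burst 150 packets counter return
		limit rate 30/minute burst 5 packets counter log prefix "Firewall: *SYNFLOOD Blocked* "
		counter drop
	}

	# Outbound UDP rate limit, reached from LOCALOUTPUT. Packets owned by
	# root (skuid 0) are exempt; other users get 100 pkt/s (burst 500) and
	# anything beyond that is logged (with the owning uid) and rejected.
	chain UDPFLOOD {
		ip protocol udp skuid 0 counter return
		oifname != "lo" ip protocol udp limit rate 100/second burst 500 packets counter return
		limit rate 30/minute burst 5 packets counter log prefix "Firewall: *UDPFLOOD* " flags skuid
		oifname != "lo" ip protocol udp counter reject
	}

	# Terminal chain for inbound traffic nothing accepted. Chatty legacy/LAN
	# service ports (telnet, DHCP, portmapper, ident, NetBIOS, SMB, IKE,
	# rlogin, RIP) are dropped silently so they do not flood the log; the
	# per-port rules of the original were folded into one set per protocol,
	# which gives a combined counter instead of one per port. Everything else
	# is logged (30/min per protocol) and then dropped.
	chain LOGDROPIN {
		tcp dport { 23, 67, 68, 111, 113, 135-139, 445, 500, 513, 520 } counter drop
		udp dport { 23, 67, 68, 111, 113, 135-139, 445, 500, 513, 520 } counter drop
		ip protocol tcp limit rate 30/minute burst 5 packets counter log prefix "Firewall: *TCP_IN Blocked* "
		ip protocol udp limit rate 30/minute burst 5 packets counter log prefix "Firewall: *UDP_IN Blocked* "
		ip protocol icmp limit rate 30/minute burst 5 packets counter log prefix "Firewall: *ICMP_IN Blocked* "
		counter drop
	}

	# Terminal chain for outbound traffic nothing accepted: log a sample
	# (with the owning uid, only for new TCP SYNs, UDP and ICMP) then reject
	# so the local process gets an immediate error instead of a timeout.
	chain LOGDROPOUT {
		tcp flags syn / fin,syn,rst,ack limit rate 30/minute burst 5 packets counter log prefix "Firewall: *TCP_OUT Blocked* " flags skuid
		ip protocol udp limit rate 30/minute burst 5 packets counter log prefix "Firewall: *UDP_OUT Blocked* " flags skuid
		ip protocol icmp limit rate 30/minute burst 5 packets counter log prefix "Firewall: *ICMP_OUT Blocked* " flags skuid
		counter reject
	}

	# Explicit inbound denies (csf.deny equivalent); currently empty.
	chain DENYIN {
	}

	# Explicit outbound denies; currently empty.
	chain DENYOUT {
	}

	# Per-source inbound allows (csf.allow equivalent), consulted before the
	# flood/INVALID checks in INPUT.
	# Two rules of the original were removed: a 192.168.55.122 -> 2222 rule
	# that could never match because the unrestricted 2222 rule above it
	# already accepted the packet, and an exact duplicate of the
	# 192.168.55.118 -> 9100 rule.
	# NOTE(review): 2222 is accepted from ANY source here, and the per-host
	# rules for 80/9100/5201 are redundant with the global accepts for those
	# ports in INPUT — if those services are meant to be reachable only from
	# the listed hosts, the INPUT rules are where that has to be enforced.
	chain ALLOWIN {
		iifname != "lo" tcp dport 2222 counter accept
		ip saddr 192.168.55.122 iifname != "lo" udp dport 5201 counter accept
		ip saddr 192.168.55.122 iifname != "lo" tcp dport 5201 counter accept
		ip saddr 192.168.55.122 iifname != "lo" tcp dport 80 counter accept
		ip saddr 192.168.55.118 iifname != "lo" tcp dport 9100 counter accept
		ip saddr 192.168.55.118 iifname != "lo" counter accept
		ip saddr 192.168.48.1 iifname != "lo" counter accept
	}

	# Per-destination outbound allows: the two hosts above get unrestricted
	# egress without passing through UDPFLOOD.
	chain ALLOWOUT {
		ip daddr 192.168.55.118 oifname != "lo" counter accept
		ip daddr 192.168.48.1 oifname != "lo" counter accept
	}

	# Dispatcher run first for every non-loopback inbound packet.
	chain LOCALINPUT {
		iifname != "lo" counter jump ALLOWIN
		iifname != "lo" counter jump DENYIN
	}

	# Dispatcher run first for every non-loopback outbound packet; UDP that
	# survives ALLOWOUT/DENYOUT is rate-limited by UDPFLOOD.
	chain LOCALOUTPUT {
		oifname != "lo" counter jump ALLOWOUT
		oifname != "lo" counter jump DENYOUT
		oifname != "lo" ip protocol udp counter jump UDPFLOOD
	}

	# Silent drop for malformed TCP; kept as a separate chain so it can be
	# given a log rule without touching INVALID.
	chain INVDROP {
		counter drop
	}

	# TCP sanity checks applied to every non-loopback TCP packet in both
	# directions: conntrack-invalid packets and flag combinations that no
	# legitimate stack sends (port-scan and evasion signatures).
	chain INVALID {
		ct state invalid counter jump INVDROP
		# NULL scan: no flags at all.
		tcp flags ! fin,syn,rst,psh,ack,urg counter jump INVDROP
		# XMAS scan: every flag set.
		tcp flags fin,syn,rst,psh,ack,urg / fin,syn,rst,psh,ack,urg counter jump INVDROP
		# Mutually exclusive flag pairs.
		tcp flags fin,syn / fin,syn counter jump INVDROP
		tcp flags syn,rst / syn,rst counter jump INVDROP
		tcp flags fin,rst / fin,rst counter jump INVDROP
		# FIN, PSH or URG without ACK only occur in crafted packets.
		tcp flags fin / fin,ack counter jump INVDROP
		tcp flags psh / psh,ack counter jump INVDROP
		tcp flags urg / ack,urg counter jump INVDROP
		# A new connection must begin with a bare SYN.
		tcp flags != syn / fin,syn,rst,ack ct state new counter jump INVDROP
	}

	chain INPUT {
		type filter hook input priority filter; policy drop;
		# ALLOWIN/DENYIN first, then loopback unconditionally.
		iifname != "lo" counter jump LOCALINPUT
		iifname "lo" counter accept
		# Rate-limit new SYNs, then flag-check every TCP packet.
		iifname != "lo" tcp flags syn / fin,syn,rst,ack counter jump SYNFLOOD
		iifname != "lo" ip protocol tcp counter jump INVALID
		# Ping at 1/s (burst 5); the excess is logged and dropped.
		iifname != "lo" ip protocol icmp icmp type echo-request limit rate 1/second burst 5 packets counter accept
		iifname != "lo" ip protocol icmp icmp type echo-request counter jump LOGDROPIN
		# NOTE(review): every other ICMP type is accepted with no rate limit
		# and no type restriction. If operationally acceptable, narrow this to
		# the types the stack needs (destination-unreachable, time-exceeded,
		# parameter-problem) and let the rest fall through to LOGDROPIN.
		iifname != "lo" ip protocol icmp counter accept
		iifname != "lo" ct state related,established counter accept
		# Service ports open to ANY source.
		# NOTE(review): both 22 and 2222 are open — confirm 22 is still meant
		# to be reachable after the move to 2222. 9100 and 5201 look like
		# monitoring/iperf endpoints; confirm they are meant to be public
		# rather than limited to the hosts listed in ALLOWIN.
		iifname != "lo" ip protocol tcp ct state new tcp dport 22 counter accept
		iifname != "lo" ip protocol tcp ct state new tcp dport 2222 counter accept
		iifname != "lo" ip protocol tcp ct state new tcp dport 80 counter accept
		iifname != "lo" ip protocol tcp ct state new tcp dport 9100 counter accept
		iifname != "lo" ip protocol tcp ct state new tcp dport 5201 counter accept
		iifname != "lo" ip protocol udp ct state new udp dport 5201 counter accept
		iifname != "lo" counter jump LOGDROPIN
	}

	chain OUTPUT {
		type filter hook output priority filter; policy drop;
		oifname != "lo" counter jump LOCALOUTPUT
		# DNS in either direction is accepted before the flag checks. The
		# sport 53 rules let any local socket bound to port 53 skip the rest
		# of this chain; harmless today because all new TCP/UDP egress is
		# accepted below anyway, but they would undermine a tighter egress
		# policy.
		oifname != "lo" tcp dport 53 counter accept
		oifname != "lo" udp dport 53 counter accept
		oifname != "lo" tcp sport 53 counter accept
		oifname != "lo" udp sport 53 counter accept
		oifname "lo" counter accept
		oifname != "lo" ip protocol tcp counter jump INVALID
		oifname != "lo" ip protocol icmp counter accept
		oifname != "lo" ct state related,established counter accept
		# Egress is effectively unrestricted: any new TCP/UDP destination.
		oifname != "lo" ip protocol tcp ct state new tcp dport 1-65535 counter accept
		oifname != "lo" ip protocol udp ct state new udp dport 1-65535 counter accept
		oifname != "lo" counter jump LOGDROPOUT
	}

	# Not a router: nothing is forwarded.
	chain FORWARD {
		type filter hook forward priority filter; policy drop;
	}
}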
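# IPv6 companion to `table ip filter`. The original had `policy accept` on
# all three hooks while IPv4 defaulted to drop, so any service bound to ::
# (or a dual-stack wildcard socket) was reachable over IPv6 with none of the
# port filtering, rate limiting or logging applied to IPv4. This mirrors the
# IPv4 posture: default drop, loopback and established traffic allowed, the
# ICMPv6 the stack needs, and the same service ports.
table ip6 filter {
	chain INPUT {
		type filter hook input priority filter; policy drop;
		iifname "lo" counter accept
		ct state invalid counter drop
		ct state related,established counter accept
		# Error reporting / PMTU plus Neighbor Discovery. nd-router-advert is
		# needed for SLAAC or DHCPv6 address configuration; remove it from the
		# set if this host is statically addressed, since a rogue RA can
		# replace the default route.
		icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } counter accept
		icmpv6 type echo-request limit rate 1/second burst 5 packets counter accept
		# Same service ports the IPv4 INPUT chain opens to any source, so that
		# dual-stack reachability matches. Drop any that should be v4-only.
		iifname != "lo" meta l4proto tcp ct state new tcp dport { 22, 2222, 80, 9100, 5201 } counter accept
		iifname != "lo" meta l4proto udp ct state new udp dport 5201 counter accept
		limit rate 30/minute burst 5 packets counter log prefix "Firewall: *IPv6_IN Blocked* "
		counter drop
	}

	chain OUTPUT {
		type filter hook output priority filter; policy drop;
		oifname "lo" counter accept
		ct state related,established counter accept
		# Outbound NDP and ICMPv6 errors must not be blocked.
		meta l4proto ipv6-icmp counter accept
		# Unrestricted new outbound TCP/UDP, as for IPv4.
		oifname != "lo" meta l4proto { tcp, udp } ct state new counter accept
		limit rate 30/minute burst 5 packets counter log prefix "Firewall: *IPv6_OUT Blocked* " flags skuid
		counter reject
	}

	# Not a router: nothing is forwarded.
	chain FORWARD {
		type filter hook forward priority filter; policy drop;
	}
}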
# Empty placeholder; no NAT rules are defined.
table ip nat {
}
# Empty placeholder; no pre-conntrack (raw) rules are defined.
table ip raw {
}
# Empty placeholder; no packet-mangling rules are defined.
table ip mangle {
}
