# IPv4 packet filter. The chain names (SYNFLOOD, LOGDROPIN, DENYIN, ALLOWIN,
# LOCALINPUT, INVALID, ...) match the layout produced by ConfigServer Firewall
# (csf) via iptables-nft — presumably this is an `nft list ruleset` snapshot.
# The `counter packets N bytes M` values are runtime statistics captured at
# dump time, not configuration; loading this file with `nft -f` seeds the
# counters with these values.
table ip filter {
	# Inbound SYN rate limit, entered from INPUT for every non-lo SYN (see
	# INPUT below). Within 100/s (burst 150) the packet returns to INPUT for
	# normal processing; above that it is logged (the log itself limited to
	# 30/min) and dropped.
	chain SYNFLOOD {
		limit rate 100/second burst 150 packets counter packets 20 bytes 1200 return
		limit rate 30/minute burst 5 packets counter packets 0 bytes 0 log prefix "Firewall: *SYNFLOOD Blocked* "
		counter packets 0 bytes 0 drop
	}

	# Outbound UDP rate limit. In this ruleset it is only entered from
	# LOCALOUTPUT, which already matches `ip protocol udp`, so the log rule
	# below needs no protocol match of its own.
	chain UDPFLOOD {
		# Root-owned sockets (skuid 0) are exempt from the limit.
		ip protocol udp skuid 0 counter packets 0 bytes 0 return
		# Everyone else: 100/s burst 500 passes; excess is logged with the
		# owning uid (flags skuid) and rejected (ICMP error to the sender).
		oifname != "lo" ip protocol udp limit rate 100/second burst 500 packets counter packets 8 bytes 608 return
		limit rate 30/minute burst 5 packets counter packets 0 bytes 0 log prefix "Firewall: *UDPFLOOD* " flags skuid
		oifname != "lo" ip protocol udp counter packets 0 bytes 0 reject
	}

	# Final inbound drop path. The ports listed first (23, 67/68, 111, 113,
	# 135-139, 445, 500, 513, 520) are dropped WITHOUT logging so noisy LAN
	# chatter does not fill the log; everything else is logged per protocol
	# (each limited to 30/min) and then dropped.
	chain LOGDROPIN {
		tcp dport 23 counter packets 0 bytes 0 drop
		udp dport 23 counter packets 0 bytes 0 drop
		tcp dport 67 counter packets 0 bytes 0 drop
		udp dport 67 counter packets 1 bytes 348 drop
		tcp dport 68 counter packets 0 bytes 0 drop
		udp dport 68 counter packets 1 bytes 576 drop
		tcp dport 111 counter packets 0 bytes 0 drop
		udp dport 111 counter packets 0 bytes 0 drop
		tcp dport 113 counter packets 0 bytes 0 drop
		udp dport 113 counter packets 0 bytes 0 drop
		tcp dport 135-139 counter packets 0 bytes 0 drop
		udp dport 135-139 counter packets 5 bytes 523 drop
		tcp dport 445 counter packets 0 bytes 0 drop
		udp dport 445 counter packets 0 bytes 0 drop
		tcp dport 500 counter packets 0 bytes 0 drop
		udp dport 500 counter packets 0 bytes 0 drop
		tcp dport 513 counter packets 0 bytes 0 drop
		udp dport 513 counter packets 0 bytes 0 drop
		tcp dport 520 counter packets 0 bytes 0 drop
		udp dport 520 counter packets 0 bytes 0 drop
		ip protocol tcp limit rate 30/minute burst 5 packets counter packets 0 bytes 0 log prefix "Firewall: *TCP_IN Blocked* "
		ip protocol udp limit rate 30/minute burst 5 packets counter packets 38 bytes 20336 log prefix "Firewall: *UDP_IN Blocked* "
		ip protocol icmp limit rate 30/minute burst 5 packets counter packets 0 bytes 0 log prefix "Firewall: *ICMP_IN Blocked* "
		counter packets 54 bytes 27790 drop
	}

	# Final outbound path: logged per protocol with the owning uid (30/min
	# each), then rejected rather than dropped so the local process gets an
	# immediate error instead of a timeout. Only bare SYNs are logged for TCP.
	chain LOGDROPOUT {
		tcp flags syn / fin,syn,rst,ack limit rate 30/minute burst 5 packets counter packets 0 bytes 0 log prefix "Firewall: *TCP_OUT Blocked* " flags skuid
		ip protocol udp limit rate 30/minute burst 5 packets counter packets 0 bytes 0 log prefix "Firewall: *UDP_OUT Blocked* " flags skuid
		ip protocol icmp limit rate 30/minute burst 5 packets counter packets 0 bytes 0 log prefix "Firewall: *ICMP_OUT Blocked* " flags skuid
		counter packets 0 bytes 0 reject
	}

	# Empty in this snapshot: nothing is denied by address here.
	# NOTE(review): presumably populated by the generating tool's deny list;
	# verify that an empty chain is the intended state.
	chain DENYIN {
	}

	chain DENYOUT {
	}

	# Per-host inbound allowances, consulted from LOCALINPUT before the
	# generic INPUT rules.
	chain ALLOWIN {
		# TCP 2222 is accepted from ANY source here, so the per-host 2222
		# rule that follows can never add a restriction.
		iifname != "lo" tcp dport 2222 counter packets 123 bytes 25711 accept
		# NOTE(review): the source restriction on these four rules is
		# ineffective — INPUT below accepts tcp 2222, tcp/udp 5201 and tcp 80
		# from any source anyway. Either drop the INPUT accepts or drop these.
		ip saddr 192.168.55.122 iifname != "lo" tcp dport 2222 counter packets 0 bytes 0 accept
		ip saddr 192.168.55.122 iifname != "lo" udp dport 5201 counter packets 0 bytes 0 accept
		ip saddr 192.168.55.122 iifname != "lo" tcp dport 5201 counter packets 0 bytes 0 accept
		ip saddr 192.168.55.122 iifname != "lo" tcp dport 80 counter packets 0 bytes 0 accept
		ip saddr 192.168.55.118 iifname != "lo" tcp dport 9100 counter packets 917 bytes 105146 accept
		# Exact duplicate of the previous rule (same match, same verdict);
		# it can never match and should be removed.
		ip saddr 192.168.55.118 iifname != "lo" tcp dport 9100 counter packets 0 bytes 0 accept
		# Unrestricted accept (all protocols and ports) from these two hosts.
		ip saddr 192.168.55.118 iifname != "lo" counter packets 0 bytes 0 accept
		ip saddr 192.168.48.1 iifname != "lo" counter packets 7 bytes 760 accept
	}

	# Unrestricted outbound to the same two trusted hosts.
	chain ALLOWOUT {
		ip daddr 192.168.55.118 oifname != "lo" counter packets 760 bytes 2755583 accept
		ip daddr 192.168.48.1 oifname != "lo" counter packets 4 bytes 292 accept
	}

	# First stop for inbound traffic: explicit allows, then explicit denies.
	chain LOCALINPUT {
		iifname != "lo" counter packets 1565 bytes 261110 jump ALLOWIN
		iifname != "lo" counter packets 518 bytes 129493 jump DENYIN
	}

	# First stop for outbound traffic: allows, denies, then the UDP limiter.
	chain LOCALOUTPUT {
		oifname != "lo" counter packets 1264 bytes 3038514 jump ALLOWOUT
		oifname != "lo" counter packets 500 bytes 282639 jump DENYOUT
		oifname != "lo" ip protocol udp counter packets 8 bytes 608 jump UDPFLOOD
	}

	# Silent drop target for the INVALID checks (no logging).
	chain INVDROP {
		counter packets 0 bytes 0 drop
	}

	# Drops conntrack-invalid packets and TCP flag combinations no legitimate
	# stack sends: no flags, all flags, SYN+FIN, SYN+RST, FIN+RST, FIN/PSH/URG
	# without ACK, and any NEW connection whose first packet is not a bare SYN.
	chain INVALID {
		ct state invalid counter packets 0 bytes 0 jump INVDROP
		tcp flags ! fin,syn,rst,psh,ack,urg counter packets 0 bytes 0 jump INVDROP
		tcp flags fin,syn,rst,psh,ack,urg / fin,syn,rst,psh,ack,urg counter packets 0 bytes 0 jump INVDROP
		tcp flags fin,syn / fin,syn counter packets 0 bytes 0 jump INVDROP
		tcp flags syn,rst / syn,rst counter packets 0 bytes 0 jump INVDROP
		tcp flags fin,rst / fin,rst counter packets 0 bytes 0 jump INVDROP
		tcp flags fin / fin,ack counter packets 0 bytes 0 jump INVDROP
		tcp flags psh / psh,ack counter packets 0 bytes 0 jump INVDROP
		tcp flags urg / ack,urg counter packets 0 bytes 0 jump INVDROP
		tcp flags != syn / fin,syn,rst,ack ct state new counter packets 0 bytes 0 jump INVDROP
	}

	# Inbound hook, default drop. Evaluation order matters: host allow/deny
	# lists first, loopback, SYN limiter, TCP sanity, ICMP, established,
	# then the open ports, and finally the logged drop.
	chain INPUT {
		type filter hook input priority filter; policy drop;
		iifname != "lo" counter packets 1565 bytes 261110 jump LOCALINPUT
		iifname "lo" counter packets 204 bytes 10704 accept
		# Every non-lo bare SYN passes through the SYNFLOOD limiter before
		# any accept rule below can see it.
		iifname != "lo" tcp flags syn / fin,syn,rst,ack counter packets 20 bytes 1200 jump SYNFLOOD
		iifname != "lo" ip protocol tcp counter packets 462 bytes 100324 jump INVALID
		# Ping: 1/s (burst 5) accepted, the excess goes to the logged drop.
		iifname != "lo" ip protocol icmp icmp type echo-request limit rate 1/second burst 5 packets counter packets 0 bytes 0 accept
		iifname != "lo" ip protocol icmp icmp type echo-request counter packets 0 bytes 0 jump LOGDROPIN
		# NOTE(review): every other ICMP type is accepted from any source,
		# unlimited. Consider listing only the types this host needs.
		iifname != "lo" ip protocol icmp counter packets 0 bytes 0 accept
		iifname != "lo" ct state related,established counter packets 442 bytes 99316 accept
		# Ports open to the world for new TCP: 22, 2222, 80, 9100, 5201; UDP: 5201.
		# NOTE(review): both 22 and 2222 accept new TCP from any source —
		# confirm both are intended (the ALLOWIN per-host rules suggest 2222
		# was meant to be narrower).
		iifname != "lo" ip protocol tcp ct state new tcp dport 22 counter packets 20 bytes 1200 accept
		iifname != "lo" ip protocol tcp ct state new tcp dport 2222 counter packets 0 bytes 0 accept
		iifname != "lo" ip protocol tcp ct state new tcp dport 80 counter packets 0 bytes 0 accept
		iifname != "lo" ip protocol tcp ct state new tcp dport 9100 counter packets 0 bytes 0 accept
		iifname != "lo" ip protocol tcp ct state new tcp dport 5201 counter packets 0 bytes 0 accept
		iifname != "lo" ip protocol udp ct state new udp dport 5201 counter packets 0 bytes 0 accept
		iifname != "lo" counter packets 61 bytes 29237 jump LOGDROPIN
	}

	# Outbound hook, default drop in name only: new TCP and UDP to every
	# port (1-65535) are accepted below, so egress is effectively open and
	# LOGDROPOUT only sees traffic that is neither ICMP, nor
	# related/established, nor new TCP/UDP.
	chain OUTPUT {
		type filter hook output priority filter; policy drop;
		oifname != "lo" counter packets 1264 bytes 3038514 jump LOCALOUTPUT
		# DNS (port 53 either direction) is accepted before the INVALID and
		# conntrack checks below.
		oifname != "lo" tcp dport 53 counter packets 0 bytes 0 accept
		oifname != "lo" udp dport 53 counter packets 0 bytes 0 accept
		oifname != "lo" tcp sport 53 counter packets 0 bytes 0 accept
		oifname != "lo" udp sport 53 counter packets 0 bytes 0 accept
		oifname "lo" counter packets 204 bytes 10704 accept
		oifname != "lo" ip protocol tcp counter packets 515 bytes 285895 jump INVALID
		oifname != "lo" ip protocol icmp counter packets 0 bytes 0 accept
		oifname != "lo" ct state related,established counter packets 500 bytes 283255 accept
		oifname != "lo" ip protocol tcp ct state new tcp dport 1-65535 counter packets 0 bytes 0 accept
		oifname != "lo" ip protocol udp ct state new udp dport 1-65535 counter packets 8 bytes 608 accept
		oifname != "lo" counter packets 0 bytes 0 jump LOGDROPOUT
	}

	# No rules, policy drop: this host does not forward IPv4.
	chain FORWARD {
		type filter hook forward priority filter; policy drop;
	}
}
# IPv6 packet filter. NOTE(review): all three hooks are policy accept with
# no rules, so IPv6 is completely unfiltered while IPv4 above is default
# drop with a small allow list. If IPv6 is enabled on any interface, every
# service bound to :: (or to a dual-stack wildcard) is reachable from any
# IPv6 peer regardless of the IPv4 rules. Either disable IPv6 on the host
# or mirror the IPv4 policy (default drop, related/established, loopback,
# the same open ports) here — a change that must be made together with
# ICMPv6 allowances, so it is flagged rather than applied in this review.
table ip6 filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
	}

	chain OUTPUT {
		type filter hook output priority filter; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority filter; policy accept;
	}
}
# Empty table: no NAT is configured; present only because the generating
# tool declares it.
table ip nat {
}
# Empty table: no raw (pre-conntrack) rules.
table ip raw {
}
# Empty table: no mangle rules.
table ip mangle {
}
