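# iptables-restore ruleset for a PPPoE gateway: WAN on ppp0, LAN bridge on br0,
# OpenVPN server on tun+, and an ipset-driven transparent TCP proxy (gfwlist -> :10800).
# Load with `iptables-restore < this-file`.
# IPv4 only: ip6tables is NOT configured by this file, so any IPv6 carried over
# ppp0 is unfiltered unless handled elsewhere — verify before exposing the host.

# The mangle table is intentionally left untouched (kept commented out for reference).
#*mangle
#:PREROUTING ACCEPT [0:0]
#:INPUT ACCEPT [0:0]
#:FORWARD ACCEPT [0:0]
#:OUTPUT ACCEPT [0:0]
#:POSTROUTING ACCEPT [0:0]
#COMMIT

*filter
# Chain policies stay ACCEPT; the WAN side is closed by the explicit
# "-i ppp0 -j DROP" rules at the end of INPUT and FORWARD below.
# LAN (br0) and VPN (tun+) traffic to this host is not filtered at all.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Keep all established and related connections (any interface)
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allow the loopback interface
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Anti-spoofing for 127/8 arriving off-loopback, left disabled as in the original;
# the kernel normally drops such packets as martians (route_localnet=0), so the
# INPUT rule is belt-and-braces. The OUTPUT variant matches on source, which is
# not what "traffic to 127/8" means — rewrite as "-d 127.0.0.0/8" if re-enabled.
#-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
#-A OUTPUT ! -o lo -s 127.0.0.0/8 -j REJECT

# Drop packets conntrack cannot classify (malformed, out-of-window, etc.)
-A INPUT -m conntrack --ctstate INVALID -j DROP

# WAN established/related. Already covered by the generic rules above; kept for clarity.
-A INPUT -i ppp0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o ppp0 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Clamp TCP MSS to PMTU on the PPPoE link (its MTU is below 1500)
-A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# Forward LAN <-> WAN: LAN may open connections outward, WAN may only reply
-A FORWARD -i ppp0 -o br0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o ppp0 -j ACCEPT

# Forward OpenVPN clients <-> WAN, same shape as above
-A FORWARD -i ppp0 -o tun+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -o ppp0 -j ACCEPT

# Allow ping (echo-request) and ICMP error returns
-A INPUT -p icmp -m conntrack --ctstate NEW --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT

# Services reachable from the WAN. Each OUTPUT rule below is redundant with the
# generic OUTPUT RELATED,ESTABLISHED accept (and the ACCEPT policy) but is kept so
# that each service reads as a matched pair.
# OpenVPN
-A INPUT -i ppp0 -p udp --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o ppp0 -p udp --sport 1194 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# SSH on a non-standard port. This is obscurity only: key-only authentication and a
# connection rate limit (e.g. -m recent or -m hashlimit) are still advisable.
-A INPUT -i ppp0 -p tcp --dport 10022 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o ppp0 -p tcp --sport 10022 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# HTTP
-A INPUT -i ppp0 -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o ppp0 -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# HTTPS
-A INPUT -i ppp0 -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o ppp0 -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Transmission (BitTorrent peer port)
-A INPUT -i ppp0 -p tcp --dport 51413 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o ppp0 -p tcp --sport 51413 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Drop everything else arriving from the WAN, both addressed to this host and forwarded.
# The FORWARD drop is the fix here: with the FORWARD policy at ACCEPT, the
# RELATED,ESTABLISHED-only rules above did not actually restrict new inbound
# connections from ppp0 to br0 or tun+ — anything they did not match fell through
# to the ACCEPT policy. LAN <-> VPN forwarding (br0 <-> tun+) is unaffected.
-A INPUT -i ppp0 -j DROP
-A FORWARD -i ppp0 -j DROP
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Source-NAT everything leaving via the WAN (LAN and VPN clients alike)
-A POSTROUTING -o ppp0 -j MASQUERADE
# Transparent proxy: TCP to any destination in the "gfwlist" ipset is redirected to the
# local listener on port 10800 — forwarded traffic in PREROUTING, this host's own traffic
# in OUTPUT. The ipset must exist before this file is loaded or the restore fails.
# NOTE(review): the OUTPUT redirect also catches the proxy's own upstream connection
# if that upstream address is ever in gfwlist, which would loop traffic back into the
# proxy — confirm the upstream IP is excluded from the set (or add an
# `-m owner ! --uid-owner <proxy-user>` match to the OUTPUT rule).
-A PREROUTING -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-ports 10800
-A OUTPUT -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-ports 10800
COMMIT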