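# iptables-restore ruleset for a PPPoE router.
# Interfaces: ppp0 = WAN (PPPoE), br0 = LAN bridge, wg0 = WireGuard tunnel.
# Load with: iptables-restore < this-file
#
# The mangle table is not used; its skeleton is kept here commented out.
#*mangle
#:PREROUTING ACCEPT [0:0]
#:INPUT ACCEPT [0:0]
#:FORWARD ACCEPT [0:0]
#:OUTPUT ACCEPT [0:0]
#:POSTROUTING ACCEPT [0:0]
#COMMIT

*filter
# Chain policies stay ACCEPT. The WAN side is closed explicitly by the
# "-i ppp0 -j DROP" rules at the end of the INPUT and FORWARD rule lists,
# so anything from br0/wg0 to the router itself is allowed by policy.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Keep all established connections
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allow loopback interface (lo0) and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Fixed: the comment above described this rule but the rule itself was missing.
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Drop Invalid Packets
-A INPUT -m conntrack --ctstate INVALID -j DROP

# Allow Established and Related Incoming Connections
# (already matched by the interface-independent rule above; kept as-is)
-A INPUT -i ppp0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allow Established Outgoing Connections
-A OUTPUT -o ppp0 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Clamp mss to pmtu for pppoe
-A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# Forward internal and external
-A FORWARD -i ppp0 -o br0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o ppp0 -j ACCEPT

# Forward for wireguard
-A FORWARD -i ppp0 -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wg0 -o ppp0 -j ACCEPT

# Drop everything else that arrives on the WAN and would be forwarded.
# Fixed: with the FORWARD policy at ACCEPT and only RELATED,ESTABLISHED
# accepted above, NEW connections from ppp0 towards br0/wg0 fell through to
# the policy. Any DNAT'd service (see the nat table) needs its own
# "-A FORWARD -i ppp0 -o br0 -p tcp --dport <port> -j ACCEPT" placed above
# this line. br0 <-> wg0 forwarding is unaffected (neither side is ppp0).
-A FORWARD -i ppp0 -j DROP

# Allow ping and ICMP error returns.
-A INPUT -p icmp -m conntrack --ctstate NEW --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT

# Services exposed on the WAN. The OUTPUT policy is ACCEPT, so the
# "-A OUTPUT ... --sport" rules below restrict nothing; they only document
# which services answer on ppp0. Each INPUT rule must come before the final
# "-A INPUT -i ppp0 -j DROP".

# Allow ssh
#-A INPUT -i ppp0 -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
#-A OUTPUT -o ppp0 -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Allow HTTP
-A INPUT -i ppp0 -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o ppp0 -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Allow HTTPS
-A INPUT -i ppp0 -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o ppp0 -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Allow gost proxy
-A INPUT -i ppp0 -p tcp --dport 8388 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o ppp0 -p tcp --sport 8388 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Allow Transmission Port
-A INPUT -i ppp0 -p tcp --dport 51413 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o ppp0 -p tcp --sport 51413 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Allow WireGuard port
-A INPUT -i ppp0 -p udp --dport 51820 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o ppp0 -p udp --sport 51820 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# ydc
#-A INPUT -i ppp0 -p tcp -m multiport --dport 1896,6881,6882,38894 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
#-A INPUT -i ppp0 -p udp -m multiport --dport 1896,6881,6882,38894 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
#-A OUTPUT -o ppp0 -p tcp -m multiport --sport 1896,6881,6882,38894 -m conntrack --ctstate ESTABLISHED -j ACCEPT
#-A OUTPUT -o ppp0 -p udp -m multiport --sport 1896,6881,6882,38894 -m conntrack --ctstate ESTABLISHED -j ACCEPT
#-A INPUT -i ppp0 -p tcp -m multiport --dport 9092 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
#-A OUTPUT -o ppp0 -p tcp -m multiport --sport 9092 -m conntrack --ctstate ESTABLISHED -j ACCEPT
#-A INPUT -i ppp0 -p tcp --dport 51414 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
#-A OUTPUT -o ppp0 -p tcp --sport 51414 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Drop all other traffic for external
-A INPUT -i ppp0 -j DROP
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Source NAT for everything (br0 and wg0 clients) leaving via the PPPoE link
-A POSTROUTING -o ppp0 -j MASQUERADE

# Destinations that must never be redirected to the local proxy.
# Fixed: "127.0.0.1/24" only covered 127.0.0.0-127.0.0.255 (loopback is
# 127.0.0.0/8), and "255.255.0.0/8" is masked by iptables to 255.0.0.0/8,
# whereas the intent is the limited-broadcast address 255.255.255.255.
-A PREROUTING -d 127.0.0.0/8 -j RETURN
-A PREROUTING -d 255.255.255.255/32 -j RETURN
-A PREROUTING -d 224.0.0.0/4 -j RETURN
-A PREROUTING -d 192.168.1.0/24 -j RETURN
-A PREROUTING -d 10.8.0.0/24 -j RETURN

# GFW list: transparently redirect TCP whose destination is in the "gfwlist"
# ipset to the local proxy listening on port 1080.
# - The ipset must exist before this file is loaded or the restore fails.
# - The upstream proxy server's own address must not be in the set; otherwise
#   the proxy's outbound connections (matched by the OUTPUT rule) are redirected
#   back into the proxy.
# - The RETURN exclusions above apply to PREROUTING only; the OUTPUT rule
#   relies on the set containing no local or private addresses.
-A PREROUTING -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-ports 1080
-A OUTPUT -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-ports 1080

# ydc
# If re-enabled, each DNAT also needs a matching FORWARD accept in the filter
# table, placed before "-A FORWARD -i ppp0 -j DROP".
#-A PREROUTING -p tcp --dport 1896 -j DNAT --to-destination 192.168.1.107:1896
#-A PREROUTING -p tcp --dport 6881 -j DNAT --to-destination 192.168.1.107:6881
#-A PREROUTING -p tcp --dport 6882 -j DNAT --to-destination 192.168.1.107:6882
#-A PREROUTING -p tcp --dport 38894 -j DNAT --to-destination 192.168.1.107:38894
COMMIT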