Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 IPSBYPASS  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0xc0000000/0xc0000000
 3700  203K BADTCP     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
 3869  215K CUSTOMINPUT all  --  *      *       0.0.0.0/0            0.0.0.0/0
 3869  215K GUARDIAN   all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 OVPNBLOCK  all  --  tun+   *       0.0.0.0/0            0.0.0.0/0
 3869  215K IPS_INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xc0000000
 3869  215K IPTVINPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 3869  215K ICMPINPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 3869  215K LOOPBACK   all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 CAPTIVE_PORTAL all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 CONNTRACK  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DHCPGREENINPUT all  --  green0 *       0.0.0.0/0            0.0.0.0/0
    0     0 DHCPBLUEINPUT all  --  blue0  *       0.0.0.0/0            0.0.0.0/0
    0     0 HOSTILE    all  --  red0   *       0.0.0.0/0            0.0.0.0/0
    0     0 TOR_INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOCATIONBLOCK all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 IPSECINPUT all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 GUIINPUT   all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 WIRELESSINPUT all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
    0     0 OVPNINPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 INPUTFW    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 REDINPUT   all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 POLICYIN   all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 IPSBYPASS  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0xc0000000/0xc0000000
    0     0 BADTCP     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    0     0 CUSTOMFORWARD all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 GUARDIAN   all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 IPSECBLOCK all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir out pol none
    0     0 OVPNBLOCK  all  --  tun+   *       0.0.0.0/0            0.0.0.0/0
    0     0 OVPNBLOCK  all  --  *      tun+    0.0.0.0/0            0.0.0.0/0
    0     0 IPS_FORWARD all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xc0000000
    0     0 IPTVFORWARD all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOOPBACK   all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 CAPTIVE_PORTAL all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 CONNTRACK  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 HOSTILE    all  --  red0   *       0.0.0.0/0            0.0.0.0/0
    0     0 HOSTILE    all  --  *      red0    0.0.0.0/0            0.0.0.0/0
    0     0 LOCATIONBLOCK all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 IPSECFORWARD all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 WIRELESSFORWARD all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
    0     0 FORWARDFW  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 REDFORWARD all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 POLICYFWD  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 IPSBYPASS  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0xc0000000/0xc0000000
 3984  225K CUSTOMOUTPUT all  --  *      *       0.0.0.0/0            0.0.0.0/0
 3984  225K IPSECBLOCK all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir out pol none
 3984  225K IPS_OUTPUT all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xc0000000
 3984  225K LOOPBACK   all  --  *      *       0.0.0.0/0            0.0.0.0/0
  115  9398 CONNTRACK  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DHCPGREENOUTPUT all  --  *      green0  0.0.0.0/0            0.0.0.0/0
    0     0 DHCPBLUEOUTPUT all  --  *      blue0   0.0.0.0/0            0.0.0.0/0
  115  9398 HOSTILE    all  --  *      red0    0.0.0.0/0            0.0.0.0/0
    0     0 IPSECOUTPUT all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 TOR_OUTPUT all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 OUTGOINGFW all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 POLICYOUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain BADTCP (2 references)
 pkts bytes target     prot opt in     out     source               destination
 3700  203K RETURN     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x29
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x37
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x01
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x06
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x03/0x03
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00
    0     0 NEWNOTSYN  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 ctstate NEW

Chain CAPTIVE_PORTAL (2 references)
 pkts bytes target     prot opt in     out     source               destination

Chain CAPTIVE_PORTAL_CLIENTS (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 limit: up to 3kb/s burst 1mb mode srcip
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 limit: up to 3kb/s burst 1mb mode srcip
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain CONNTRACK (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate ESTABLISHED
    0     0 CTINVALID  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED

Chain CTINVALID (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 LOG flags 0 level 4 prefix "DROP_CTINVALID "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DROP_CTINVALID */

Chain CUSTOMFORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain CUSTOMINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain CUSTOMOUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain DHCPBLUEINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain DHCPBLUEOUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain DHCPGREENINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DHCPINPUT  all  --  green0 *       0.0.0.0/0            0.0.0.0/0

Chain DHCPGREENOUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DHCPOUTPUT all  --  *      green0  0.0.0.0/0            0.0.0.0/0

Chain DHCPINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:68 dpt:67

Chain DHCPOUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:67 dpt:68

Chain FORWARDFW (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain GUARDIAN (2 references)
 pkts bytes target     prot opt in     out     source               destination

Chain GUIINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  green0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:444

Chain HOSTILE (4 references)
 pkts bytes target     prot opt in     out     source               destination
   39  3195 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 LOG flags 0 level 4 prefix "DROP_HOSTILE "
  115  9398 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DROP_HOSTILE */

Chain ICMPINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

Chain INPUTFW (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IPSBYPASS (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK save mask 0x7fffffff

Chain IPSECBLOCK (2 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IPSECFORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IPSECINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IPSECOUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IPS_FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IPS_INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IPS_OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IPTVFORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IPTVINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain LOCATIONBLOCK (2 references)
 pkts bytes target     prot opt in     out     source               destination

Chain LOG_DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 LOG flags 0 level 4
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LOG_REJECT (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 LOG flags 0 level 4
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LOOPBACK (3 references)
 pkts bytes target     prot opt in     out     source               destination
 3869  215K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 3869  215K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 SPOOFED_MARTIAN all  --  *      *       127.0.0.0/8          0.0.0.0/0
    0     0 SPOOFED_MARTIAN all  --  *      *       0.0.0.0/0            127.0.0.0/8

Chain NEWNOTSYN (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 LOG flags 0 level 4 prefix "DROP_NEWNOTSYN "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DROP_NEWNOTSYN */

Chain OUTGOINGFW (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain OVPNBLOCK (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED

Chain OVPNINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain POLICYFWD (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  green0 *       192.168.2.0/24       0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir in pol ipsec
    0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  blue0  red0    192.168.3.0/24       0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 LOG flags 0 level 4 prefix "DROP_FORWARD "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DROP_FORWARD */

Chain POLICYIN (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:514
    0     0 ACCEPT     all  --  green0 *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  blue0  *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir in pol ipsec
    0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 LOG flags 0 level 4 prefix "DROP_INPUT "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DROP_INPUT */

Chain POLICYOUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DROP_OUTPUT */

Chain PSCAN (7 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 /* DROP_TCP PScan */ LOG flags 0 level 4 prefix "DROP_TCP Scan "
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 /* DROP_UDP PScan */ LOG flags 0 level 4 prefix "DROP_UDP Scan "
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 /* DROP_ICMP PScan */ LOG flags 0 level 4 prefix "DROP_ICMP Scan "
    0     0 LOG        all  -f  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 /* DROP_FRAG PScan */ LOG flags 0 level 4 prefix "DROP_FRAG Scan "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DROP_PScan */

Chain REDFORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain REDINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SPOOFED_MARTIAN all  --  red0   *       192.168.1.131        0.0.0.0/0
    0     0 ACCEPT     tcp  --  red0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:67 dpt:68
    0     0 ACCEPT     udp  --  red0   *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68

Chain SPOOFED_MARTIAN (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 LOG flags 0 level 4 prefix "DROP_SPOOFED_MARTIAN "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DROP_SPOOFED_MARTIAN */

Chain TOR_INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain TOR_OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain WIRELESSFORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  blue0  *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "DROP_Wirelessforward"
    0     0 DROP       all  --  blue0  *       0.0.0.0/0            0.0.0.0/0            /* DROP_Wirelessforward */

Chain WIRELESSINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  blue0  *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "DROP_Wirelessinput"
    0     0 DROP       all  --  blue0  *       0.0.0.0/0            0.0.0.0/0            /* DROP_Wirelessinput */