# Generated by ip6tables-save v1.4.4 on Tue Apr 13 16:49:18 2010                                                                                                                                
*ips                                                                                                                                                                                            
:PREROUTING ACCEPT [81278:7224374]                                                                                                                                                              
:INPUT ACCEPT [3:426]                                                                                                                                                                           
:FORWARD ACCEPT [0:0]                                                                                                                                                                           
:OUTPUT ACCEPT [14327:1393004]                                                                                                                                                                  
:POSTROUTING ACCEPT [137781:173328080]                                                                                                                                                          
:AFC_ACTION - [0:0]                                                                                                                                                                             
:AFC_IM_IRC - [0:0]                                                                                                                                                                             
:AFC_IM_MSN - [0:0]                                                                                                                                                                             
:AFC_IM_OSCAR - [0:0]                                                                                                                                                                           
:AFC_IM_SKYPE - [0:0]                                                                                                                                                                           
:AFC_IM_TENCENT_QQ - [0:0]                                                                                                                                                                      
:AFC_IM_XMPP - [0:0]                                                                                                                                                                            
:AFC_IM_YAHOO - [0:0]                                                                                                                                                                           
:AFC_P2P_APPLEJUICE - [0:0]                                                                                                                                                                     
:AFC_P2P_ARES - [0:0]                                                                                                                                                                           
:AFC_P2P_BITTORRENT - [0:0]                                                                                                                                                                     
:AFC_P2P_DIRECT_CONNECT - [0:0]                                                                                                                                                                 
:AFC_P2P_EDONKEY - [0:0]                                                                                                                                                                        
:AFC_P2P_GNUTELLA - [0:0]                                                                                                                                                                       
:AFC_P2P_IMESH - [0:0]                                                                                                                                                                          
:AFC_P2P_MANOLITO - [0:0]                                                                                                                                                                       
:AFC_P2P_MUTE - [0:0]                                                                                                                                                                           
:AFC_P2P_PANDO - [0:0]                                                                                                                                                                          
:AFC_P2P_SHARE - [0:0]                                                                                                                                                                          
:AFC_P2P_WINMX - [0:0]                                                                                                                                                                          
:AFC_P2P_WINNY - [0:0]                                                                                                                                                                          
:QOSMARK - [0:0]                                                                                                                                                                                
-A INPUT -m mark ! --mark 0x0/0xffff -j AFC_ACTION                                                                                                                                              
-A INPUT -s 2002:xxxx:xxxx:31::/64 -p tcp -m tcp --sport 1:65535 --dport 22 -j ACCEPT                                                                                                           
-A INPUT -s 2002:xxxx:xxxx:30::/64 -p tcp -m tcp --sport 1:65535 --dport 22 -j ACCEPT                                                                                                           
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 4444 -j ACCEPT                                                                                                                                
-A INPUT -s 2002:xxxx:xxxx:31::/64 -p tcp -m tcp --sport 1024:65535 --dport 4444 -j ACCEPT                                                                                                      
-A INPUT -s 2002:xxxx:xxxx:30::/64 -p tcp -m tcp --sport 1024:65535 --dport 4444 -j ACCEPT                                                                                                      
-A INPUT -p tcp -m tcp --sport 1:65535 --dport 443 -j ACCEPT                                                                                                                                    
-A INPUT -i lo -j ACCEPT                                                                                                                                                                        
-A INPUT -m connmark --mark 0x20000/0x20000 -j ACCEPT                                                                                                                                           
-A INPUT -i eth3 -j ACCEPT                                                                                                                                                                      
-A INPUT -p esp -j ACCEPT                                                                                                                                                                       
-A INPUT -m connmark ! --mark 0x20000/0x20000 -m condition --condition "snort-takeover" -j NFQUEUE --queue-num 64000                                                                            
-A INPUT -m connmark ! --mark 0x20000/0x20000 -j NFQUEUE --queue-num 0                                                                                                                          
-A FORWARD -m connmark --mark 0x20000/0x20000 -j ACCEPT                                                                                                                                         
-A FORWARD -p esp -j ACCEPT                                                                                                                                                                     
-A FORWARD -m connmark ! --mark 0x20000/0x20000 -m condition --condition "snort-takeover" -j NFQUEUE --queue-num 64000                                                                          
-A FORWARD -m connmark ! --mark 0x20000/0x20000 -j NFQUEUE --queue-num 0                                                                                                                        
-A OUTPUT -d 2002:xxxx:xxxx:31::/64 -p tcp -m tcp --sport 22 --dport 1:65535 -j ACCEPT                                                                                                          
-A OUTPUT -d 2002:xxxx:xxxx:30::/64 -p tcp -m tcp --sport 22 --dport 1:65535 -j ACCEPT                                                                                                          
-A OUTPUT -p tcp -m tcp --sport 4444 --dport 1024:65535 -j ACCEPT                                                                                                                               
-A OUTPUT -d 2002:xxxx:xxxx:31::/64 -p tcp -m tcp --sport 4444 --dport 1024:65535 -j ACCEPT                                                                                                     
-A OUTPUT -d 2002:xxxx:xxxx:30::/64 -p tcp -m tcp --sport 4444 --dport 1024:65535 -j ACCEPT                                                                                                     
-A OUTPUT -p tcp -m tcp --sport 443 --dport 1:65535 -j ACCEPT                                                                                                                                   
-A OUTPUT -o lo -j ACCEPT                                                                                                                                                                       
-A OUTPUT -m connmark --mark 0x20000/0x20000 -j ACCEPT                                                                                                                                          
-A OUTPUT -o eth3 -j ACCEPT                                                                                                                                                                     
-A OUTPUT -p esp -j ACCEPT                                                                                                                                                                      
-A OUTPUT -p tcp -m tcp --sport 53:65535 --dport 53 -j ACCEPT                                                                                                                                   
-A OUTPUT -p udp -m udp --sport 53:65535 --dport 53 -j ACCEPT                                                                                                                                   
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 6000 -j ACCEPT                                                                                                                               
-A OUTPUT -d 2002:xxxx:xxxx:131::/64 -j ACCEPT                                                                                                                                                  
-A OUTPUT -d 2002:xxxx:xxxx:31::/64 -j ACCEPT                                                                                                                                                   
-A OUTPUT -d 2002:xxxx:xxxx:30::/64 -j ACCEPT                                                                                                                                                   
-A OUTPUT -m connmark ! --mark 0x20000/0x20000 -m condition --condition "snort-takeover" -j NFQUEUE --queue-num 64000                                                                           
-A OUTPUT -m connmark ! --mark 0x20000/0x20000 -j NFQUEUE --queue-num 0                                                                                                                         
-A POSTROUTING -m mark ! --mark 0x0/0xffff -j AFC_ACTION                                                                                                                                        
-A AFC_ACTION -m mark --mark 0x80/0xc0 -j CONNMARK --set-xmark 0x10000/0x10000                                                                                                                  
-A AFC_ACTION -m connmark --mark 0x10000/0x10000 -j RETURN                                                                                                                                      
-A AFC_ACTION -m mark --mark 0xcf00/0xff00 -g AFC_P2P_GNUTELLA                                                                                                                                  
-A AFC_ACTION -m mark --mark 0x6600/0xff00 -g AFC_IM_OSCAR                                                                                                                                      
-A AFC_ACTION -m mark --mark 0xc900/0xff00 -g AFC_P2P_ARES                                                                                                                                      
-A AFC_ACTION -m mark --mark 0xd000/0xff00 -g AFC_P2P_IMESH                                                                                                                                     
-A AFC_ACTION -m mark --mark 0xc800/0xff00 -g AFC_P2P_APPLEJUICE                                                                                                                                
-A AFC_ACTION -m mark --mark 0xd400/0xff00 -g AFC_P2P_PANDO                                                                                                                                     
-A AFC_ACTION -m mark --mark 0xd500/0xff00 -g AFC_P2P_WINMX                                                                                                                                     
-A AFC_ACTION -m mark --mark 0x6500/0xff00 -g AFC_IM_MSN                                                                                                                                        
-A AFC_ACTION -m mark --mark 0x6400/0xff00 -g AFC_IM_IRC                                                                                                                                        
-A AFC_ACTION -m mark --mark 0xd800/0xff00 -g AFC_P2P_SHARE                                                                                                                                     
-A AFC_ACTION -m mark --mark 0x6a00/0xff00 -g AFC_IM_YAHOO                                                                                                                                      
-A AFC_ACTION -m mark --mark 0xcc00/0xff00 -g AFC_P2P_EDONKEY                                                                                                                                   
-A AFC_ACTION -m mark --mark 0x6900/0xff00 -g AFC_IM_XMPP                                                                                                                                       
-A AFC_ACTION -m mark --mark 0xd200/0xff00 -g AFC_P2P_MUTE                                                                                                                                      
-A AFC_ACTION -m mark --mark 0xca00/0xff00 -g AFC_P2P_BITTORRENT                                                                                                                                
-A AFC_ACTION -m mark --mark 0xd100/0xff00 -g AFC_P2P_MANOLITO                                                                                                                                  
-A AFC_ACTION -m mark --mark 0xcb00/0xff00 -g AFC_P2P_DIRECT_CONNECT                                                                                                                            
-A AFC_ACTION -m mark --mark 0x6800/0xff00 -g AFC_IM_TENCENT_QQ                                                                                                                                 
-A AFC_ACTION -m mark --mark 0x6700/0xff00 -g AFC_IM_SKYPE                                                                                                                                      
-A AFC_ACTION -m mark --mark 0xd600/0xff00 -g AFC_P2P_WINNY                                                                                                                                     
-A AFC_ACTION -m limit --limit 1/min --limit-burst 100 -j NFLOG --nflog-prefix "AFC Error - Unknown MARK: "                                                                                     
-A AFC_ACTION -j RETURN                                                                                                                                                                         
-A AFC_IM_IRC -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 3 --hashlimit-mode srcip,dstip --hashlimit-name afc_limit_host -m connmark ! --mark 0x8000/0x8000 -m logmark --logmark 60100 -j NFLOG --nflog-prefix "AFC_ALERT IM-IRC: "                                                                                                                                                   
-A AFC_IM_IRC -m connmark ! --mark 0x8000/0x8000 -j CONNMARK --set-xmark 0x8000/0x8000                                                                                                          
-A AFC_IM_IRC -j RETURN                                                                                                                                                                         
-A AFC_IM_MSN -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 3 --hashlimit-mode srcip,dstip --hashlimit-name afc_limit_host -m connmark ! --mark 0x8000/0x8000 -m logmark --logmark 60101 -j NFLOG --nflog-prefix "AFC_ALERT IM-MSN: "                                                                                                                                                   
-A AFC_IM_MSN -m connmark ! --mark 0x8000/0x8000 -j CONNMARK --set-xmark 0x8000/0x8000                                                                                                          
-A AFC_IM_MSN -j RETURN                                                                                                                                                                         
-A AFC_IM_OSCAR -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 3 --hashlimit-mode srcip,dstip --hashlimit-name afc_limit_host -m connmark ! --mark 0x8000/0x8000 -m logmark --logmark 60102 -j NFLOG --nflog-prefix "AFC_ALERT IM-OSCAR: "                                                                                                                                               
-A AFC_IM_OSCAR -m connmark ! --mark 0x8000/0x8000 -j CONNMARK --set-xmark 0x8000/0x8000                                                                                                        
-A AFC_IM_OSCAR -j RETURN                                                                                                                                                                       
-A AFC_IM_SKYPE -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 3 --hashlimit-mode srcip,dstip --hashlimit-name afc_limit_host -m connmark ! --mark 0x8000/0x8000 -m logmark --logmark 60103 -j NFLOG --nflog-prefix "AFC_ALERT IM-SKYPE: "                                                                                                                                               
-A AFC_IM_SKYPE -m connmark ! --mark 0x8000/0x8000 -j CONNMARK --set-xmark 0x8000/0x8000                                                                                                        
-A AFC_IM_SKYPE -j RETURN                                                                                                                                                                       
-A AFC_IM_TENCENT_QQ -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 3 --hashlimit-mode srcip,dstip --hashlimit-name afc_limit_host -m connmark ! --mark 0x8000/0x8000 -m logmark --logmark 60104 -j NFLOG --nflog-prefix "AFC_BLOCK IM-TENCENT_QQ: "                                                                                                                                     
-A AFC_IM_TENCENT_QQ -m connmark ! --mark 0x8000/0x8000 -j CONNMARK --set-xmark 0x8000/0x8000                                                                                                   
-A AFC_IM_TENCENT_QQ -j DROP                                                                                                                                                                    
-A AFC_IM_XMPP -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 3 --hashlimit-mode srcip,dstip --hashlimit-name afc_limit_host -m connmark ! --mark 0x8000/0x8000 -m logmark --logmark 60105 -j NFLOG --nflog-prefix "AFC_BLOCK IM-XMPP: "                                                                                                                                                 
-A AFC_IM_XMPP -m connmark ! --mark 0x8000/0x8000 -j CONNMARK --set-xmark 0x8000/0x8000                                                                                                         
-A AFC_IM_XMPP -j DROP                                                                                                                                                                          
-A AFC_IM_YAHOO -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 3 --hashlimit-mode srcip,dstip --hashlimit-name afc_limit_host -m connmark ! --mark 0x8000/0x8000 -m logmark --logmark 60106 -j NFLOG --nflog-prefix "AFC_BLOCK IM-YAHOO: "                                                                                                                                               
-A AFC_IM_YAHOO -m connmark ! --mark 0x8000/0x8000 -j CONNMARK --set-xmark 0x8000/0x8000                                                                                                        
-A AFC_IM_YAHOO -j DROP                                                                                                                                                                         
-A AFC_P2P_APPLEJUICE -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 3 --hashlimit-mode srcip,dstip --hashlimit-name afc_limit_host -m connmark ! --mark 0x8000/0x8000 -m logmark --logmark 60200 -j NFLOG --nflog-prefix "AFC_BLOCK P2P-APPLEJUICE: "                                                                                                                                   
-A AFC_P2P_APPLEJUICE -m connmark ! --mark 0x8000/0x8000 -j CONNMARK --set-xmark 0x8000/0x8000                                                                                                  
-A AFC_P2P_APPLEJUICE -j DROP                                                                                                                                                                   
-A AFC_P2P_ARES -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 3 --hashlimit-mode srcip,dstip --hashlimit-name afc_limit_host -m connmark ! --mark 0x8000/0x8000 -m logmark --logmark 60201 -j NFLOG --nflog-prefix "AFC_BLOCK P2P-ARES: "                                                                                                                                               
-A AFC_P2P_ARES -m connmark ! --mark 0x8000/0x8000 -j CONNMARK --set-xmark 0x8000/0x8000                                                                                                        
-A AFC_P2P_ARES -j DROP                                                                                                                                                                         
-A AFC_P2P_BITTORRENT -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 3 --hashlimit-mode srcip,dstip --hashlimit-name afc_limit_host -m connmark ! --mark 0x8000/0x8000 -m logmark --logmark 60202 -j NFLOG --nflog-prefix "AFC_BLOCK P2P-BITTORRENT: "                                                                                                                                   
-A AFC_P2P_BITTORRENT -m connmark ! --mark 0x8000/0x8000 -j CONNMARK --set-xmark 0x8000/0x8000                                                                                                  
-A AFC_P2P_BITTORRENT -j DROP                                                                                                                                                                   
-A AFC_P2P_DIRECT_CONNECT -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 3 --hashlimit-mode srcip,dstip --hashlimit-name afc_limit_host -m connmark ! --mark 0x8000/0x8000 -m logmark --logmark 60203 -j NFLOG --nflog-prefix "AFC_BLOCK P2P-DIRECT_CON...: "                                                                                                                            
-A AFC_P2P_DIRECT_CONNECT -m connmark ! --mark 0x8000/0x8000 -j CONNMARK --set-xmark 0x8000/0x8000                                                                                              
-A AFC_P2P_DIRECT_CONNECT -j DROP                                                                                                                                                               
-A AFC_P2P_EDONKEY -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 3 --hashlimit-mode srcip,dstip --hashlimit-name afc_limit_host -m connmark ! --mark 0x8000/0x8000 -m logmark --logmark 60204 -j NFLOG --nflog-prefix "AFC_BLOCK P2P-EDONKEY: "                                                                                                                                         
-A AFC_P2P_EDONKEY -m connmark ! --mark 0x8000/0x8000 -j CONNMARK --set-xmark 0x8000/0x8000                                                                                                     
-A AFC_P2P_EDONKEY -j DROP                                                                                                                                                                      
-A AFC_P2P_GNUTELLA -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 3 --hashlimit-mode srcip,dstip --hashlimit-name afc_limit_host -m connmark ! --mark 0x8000/0x8000 -m logmark --logmark 60207 -j NFLOG --nflog-prefix "AFC_BLOCK P2P-GNUTELLA: "                                                                                                                                       
-A AFC_P2P_GNUTELLA -m connmark ! --mark 0x8000/0x8000 -j CONNMARK --set-xmark 0x8000/0x8000                                                                                                    
-A AFC_P2P_GNUTELLA -j DROP                                                                                                                                                                     
-A AFC_P2P_IMESH -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 3 --hashlimit-mode srcip,dstip --hashlimit-name afc_limit_host -m connmark ! --mark 0x8000/0x8000 -m logmark --logmark 60208 -j NFLOG --nflog-prefix "AFC_BLOCK P2P-IMESH: "                                                                                                                                             
-A AFC_P2P_IMESH -m connmark ! --mark 0x8000/0x8000 -j CONNMARK --set-xmark 0x8000/0x8000                                                                                                       
-A AFC_P2P_IMESH -j DROP                                                                                                                                                                        
-A AFC_P2P_MANOLITO -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 3 --hashlimit-mode srcip,dstip --hashlimit-name afc_limit_host -m connmark ! --mark 0x8000/0x8000 -m logmark --logmark 60209 -j NFLOG --nflog-prefix "AFC_BLOCK P2P-MANOLITO: "                                                                                                                                       
-A AFC_P2P_MANOLITO -m connmark ! --mark 0x8000/0x8000 -j CONNMARK --set-xmark 0x8000/0x8000                                                                                                    
-A AFC_P2P_MANOLITO -j DROP                                                                                                                                                                     
-A AFC_P2P_MUTE -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 3 --hashlimit-mode srcip,dstip --hashlimit-name afc_limit_host -m connmark ! --mark 0x8000/0x8000 -m logmark --logmark 60210 -j NFLOG --nflog-prefix "AFC_BLOCK P2P-MUTE: "                                                                                                                                               
-A AFC_P2P_MUTE -m connmark ! --mark 0x8000/0x8000 -j CONNMARK --set-xmark 0x8000/0x8000                                                                                                        
-A AFC_P2P_MUTE -j DROP                                                                                                                                                                         
-A AFC_P2P_PANDO -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 3 --hashlimit-mode srcip,dstip --hashlimit-name afc_limit_host -m connmark ! --mark 0x8000/0x8000 -m logmark --logmark 60212 -j NFLOG --nflog-prefix "AFC_BLOCK P2P-PANDO: "                                                                                                                                             
-A AFC_P2P_PANDO -m connmark ! --mark 0x8000/0x8000 -j CONNMARK --set-xmark 0x8000/0x8000                                                                                                       
-A AFC_P2P_PANDO -j DROP                                                                                                                                                                        
-A AFC_P2P_SHARE -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 3 --hashlimit-mode srcip,dstip --hashlimit-name afc_limit_host -m connmark ! --mark 0x8000/0x8000 -m logmark --logmark 60216 -j NFLOG --nflog-prefix "AFC_BLOCK P2P-SHARE: "                                                                                                                                             
-A AFC_P2P_SHARE -m connmark ! --mark 0x8000/0x8000 -j CONNMARK --set-xmark 0x8000/0x8000                                                                                                       
-A AFC_P2P_SHARE -j DROP                                                                                                                                                                        
-A AFC_P2P_WINMX -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 3 --hashlimit-mode srcip,dstip --hashlimit-name afc_limit_host -m connmark ! --mark 0x8000/0x8000 -m logmark --logmark 60213 -j NFLOG --nflog-prefix "AFC_BLOCK P2P-WINMX: "                                                                                                                                             
-A AFC_P2P_WINMX -m connmark ! --mark 0x8000/0x8000 -j CONNMARK --set-xmark 0x8000/0x8000                                                                                                       
-A AFC_P2P_WINMX -j DROP                                                                                                                                                                        
# AFC_P2P_WINNY: same log-once / mark / drop pattern as AFC_P2P_SHARE, with its own
# logmark id (60214) and NFLOG prefix; the hashlimit bucket table is the shared
# afc_limit_host.
-A AFC_P2P_WINNY -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 3 --hashlimit-mode srcip,dstip --hashlimit-name afc_limit_host -m connmark ! --mark 0x8000/0x8000 -m logmark --logmark 60214 -j NFLOG --nflog-prefix "AFC_BLOCK P2P-WINNY: "
-A AFC_P2P_WINNY -m connmark ! --mark 0x8000/0x8000 -j CONNMARK --set-xmark 0x8000/0x8000
-A AFC_P2P_WINNY -j DROP
COMMIT                                                                                                                                                                                          
# Completed on Tue Apr 13 16:49:18 2010                                                                                                                                                         
# Generated by ip6tables-save v1.4.4 on Tue Apr 13 16:49:18 2010
# mangle table: decides which traffic is handed to the userspace application
# filter (AFC) listening on NFQUEUE 256. Connection-mark bit 0x10000 means
# "exempt from AFC"; it is set by the AFC_EXCEPTIONS_* chains and tested before
# every queue rule.
# NOTE(review): all NFQUEUE rules use --bypass, so when nothing is listening on
# queue 256 the packet is accepted in this table instead of dropped. The
# application filter therefore fails open; the filter table still applies
# afterwards, so packets are not unconditionally allowed through.
*mangle
:PREROUTING ACCEPT [81278:7224374]
:INPUT ACCEPT [945:94239]
:FORWARD ACCEPT [317:28336]
:OUTPUT ACCEPT [150784:174561643]
:POSTROUTING ACCEPT [553:53815]
:AFC_DETECT - [0:0]
:AFC_EXCEPTIONS_ALL - [0:0]
:AFC_EXCEPTIONS_IN - [0:0]
:AFC_EXCEPTIONS_OUT - [0:0]
:POLICY_ROUTING_OUT - [0:0]
:POLICY_ROUTING_PRE - [0:0]
:SANITYCHECK_FORWARD - [0:0]
:SANITYCHECK_IN - [0:0]
# AFC_EXCEPTIONS_ALL and POLICY_ROUTING_* are jumped to but carry no rules in this
# dump; SANITYCHECK_* are declared and neither populated nor referenced here.
# Presumably they are filled in by the management layer — verify before relying on them.
-A PREROUTING -j POLICY_ROUTING_PRE
-A INPUT -j AFC_EXCEPTIONS_IN
-A INPUT -j AFC_EXCEPTIONS_ALL
# Loopback input: clear the low 16 bits of the packet mark (value 0, mask 0xffff).
-A INPUT -i lo -j MARK --set-xmark 0x0/0xffff
# Inbound TCP/UDP that did not arrive on loopback and is not exempt goes to the AFC queue.
-A INPUT ! -i lo -p tcp -m connmark ! --mark 0x10000/0x10000 -j NFQUEUE --queue-num 256 --bypass
-A INPUT ! -i lo -p udp -m connmark ! --mark 0x10000/0x10000 -j NFQUEUE --queue-num 256 --bypass
-A OUTPUT -j AFC_EXCEPTIONS_OUT
-A OUTPUT -j AFC_EXCEPTIONS_ALL
-A OUTPUT -j POLICY_ROUTING_OUT
# Anything leaving on a non-loopback interface (locally generated or forwarded)
# that is not exempt is classified in AFC_DETECT.
-A POSTROUTING ! -o lo -m connmark ! --mark 0x10000/0x10000 -j AFC_DETECT
# AFC_DETECT: ESP returns untouched (encrypted payload, presumably nothing to
# inspect); traffic with either endpoint in the two /64 prefixes (redacted as
# 2002:xxxx:xxxx:... in this dump) is queued, as is any packet owned by a local
# socket (i.e. locally generated); everything else returns to POSTROUTING.
-A AFC_DETECT -p esp -j RETURN
-A AFC_DETECT -s 2002:xxxx:xxxx:31::/64 -j NFQUEUE --queue-num 256 --bypass
-A AFC_DETECT -d 2002:xxxx:xxxx:31::/64 -j NFQUEUE --queue-num 256 --bypass
-A AFC_DETECT -s 2002:xxxx:xxxx:30::/64 -j NFQUEUE --queue-num 256 --bypass
-A AFC_DETECT -d 2002:xxxx:xxxx:30::/64 -j NFQUEUE --queue-num 256 --bypass
-A AFC_DETECT -m owner --socket-exists -j NFQUEUE --queue-num 256 --bypass
-A AFC_DETECT -j RETURN
# AFC_EXCEPTIONS_IN: inbound 443 (tcp and udp), the listed TCP service ports and
# IKE (udp 500 <-> 500) get ctmark bit 0x10000 and are never queued.
# "--sport 1:65535" excludes only source port 0, i.e. effectively any source port.
-A AFC_EXCEPTIONS_IN -p tcp -m tcp --sport 1:65535 --dport 443 -j CONNMARK --set-xmark 0x10000/0x10000
-A AFC_EXCEPTIONS_IN -p udp -m udp --sport 1:65535 --dport 443 -j CONNMARK --set-xmark 0x10000/0x10000
-A AFC_EXCEPTIONS_IN -p tcp -m tcp --sport 1:65535 -m multiport --dports 4444,22,25,465,587,110,8110,8111 -j CONNMARK --set-xmark 0x10000/0x10000
-A AFC_EXCEPTIONS_IN -p udp -m udp --sport 500 --dport 500 -j CONNMARK --set-xmark 0x10000/0x10000
# Outbound side: only IKE is exempted; the inbound service list above is not mirrored here.
-A AFC_EXCEPTIONS_OUT -p udp -m udp --sport 500 --dport 500 -j CONNMARK --set-xmark 0x10000/0x10000
COMMIT
# Completed on Tue Apr 13 16:49:18 2010
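# Generated by ip6tables-save v1.4.4 on Tue Apr 13 16:49:18 2010
# raw table: evaluated before connection tracking. PREROUTING applies per-source
# and per-destination rate limits (hashlimit) to new TCP SYNs, UDP and ICMPv6 and
# excludes loopback-to-loopback traffic from conntrack. ACCEPT in this table only
# ends the raw traversal; the packet still passes the mangle and filter tables.
*raw
:PREROUTING ACCEPT [7:842]
:OUTPUT ACCEPT [150784:174561643]
:DOS_FLOOD_PROTECTION - [0:0]
:ICMP_FLOOD - [0:0]
:ICMP_FLOOD_DROP - [0:0]
:ICMP_FLOOD_DST - [0:0]
:ICMP_FLOOD_SRC - [0:0]
:INVALID_PKT - [0:0]
:LOCAL_TRAFFIC - [0:0]
:SANITY_CHECKS - [0:0]
:SPOOFING_PROTECTION - [0:0]
:SPOOF_DROP - [0:0]
:SYN_FLOOD - [0:0]
:SYN_FLOOD_DROP - [0:0]
:SYN_FLOOD_DST - [0:0]
:SYN_FLOOD_SRC - [0:0]
:UDP_FLOOD - [0:0]
:UDP_FLOOD_DROP - [0:0]
:UDP_FLOOD_DST - [0:0]
:UDP_FLOOD_SRC - [0:0]
# Loopback-to-loopback packets are excluded from conntrack (NOTRACK) and accepted.
-A PREROUTING -s ::1/128 -d ::1/128 -j LOCAL_TRAFFIC
-A PREROUTING -j DOS_FLOOD_PROTECTION
-A PREROUTING -j SPOOFING_PROTECTION
-A OUTPUT -s ::1/128 -d ::1/128 -j LOCAL_TRAFFIC
# Dispatch by transport protocol.
# FIX: the ICMP branch was written as "-p icmp". In ip6tables that is protocol
# number 1 (ICMPv4), which never occurs in IPv6, so ICMP_FLOOD was unreachable.
# ICMPv6 is protocol 58, named "ipv6-icmp" — the same spelling this dump already
# uses in the filter table. Operational caveat: ICMPv6 carries Neighbor Discovery
# and PMTU signalling, so watch the "ICMP_FLOOD: " log line after enabling this
# on busy segments and raise the per-source limit below if legitimate ND is hit.
-A DOS_FLOOD_PROTECTION -p tcp -j SYN_FLOOD
-A DOS_FLOOD_PROTECTION -p udp -j UDP_FLOOD
-A DOS_FLOOD_PROTECTION -p ipv6-icmp -j ICMP_FLOOD
# ICMP: per-source limit first (10/sec, burst 10), then per-destination (20/sec,
# burst 20). A packet within both limits reaches SPOOFING_PROTECTION; exceeding
# either one falls through to the logged DROP.
-A ICMP_FLOOD -j ICMP_FLOOD_SRC
# Log lines for dropped flood packets are themselves capped at 5/sec.
-A ICMP_FLOOD_DROP -m limit --limit 5/sec -m logmark --logmark 60014 -j NFLOG --nflog-prefix "ICMP_FLOOD: "
-A ICMP_FLOOD_DROP -j DROP
-A ICMP_FLOOD_DST -m hashlimit --hashlimit-upto 20/sec --hashlimit-burst 20 --hashlimit-mode dstip --hashlimit-name ICMP_FLOOD_DST -j SPOOFING_PROTECTION
-A ICMP_FLOOD_DST -j ICMP_FLOOD_DROP
-A ICMP_FLOOD_SRC -m hashlimit --hashlimit-upto 10/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name ICMP_FLOOD_SRC -j ICMP_FLOOD_DST
-A ICMP_FLOOD_SRC -j ICMP_FLOOD_DROP
# INVALID_PKT is defined but not referenced by any rule in this table.
-A INVALID_PKT -m logmark --logmark 60007 -j NFLOG --nflog-prefix "INVALID_PKT: "
-A INVALID_PKT -j DROP
-A LOCAL_TRAFFIC -j NOTRACK
-A LOCAL_TRAFFIC -j ACCEPT
# NOTE(review): SPOOFING_PROTECTION is a bare ACCEPT — no source-address checks
# are performed, and SPOOF_DROP below is never reached. Anti-spoofing is
# effectively disabled in this dump; SANITY_CHECKS is declared but empty and
# unreferenced here as well.
-A SPOOFING_PROTECTION -j ACCEPT
-A SPOOF_DROP -m logmark --logmark 60008 -j NFLOG --nflog-prefix "IP-SPOOFING DROP: "
-A SPOOF_DROP -j DROP
# TCP: only connection-opening SYNs (SYN set, RST and ACK clear) are rate-limited
# (100/sec per source, 200/sec per destination); every other TCP packet goes
# straight to SPOOFING_PROTECTION.
-A SYN_FLOOD -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j SPOOFING_PROTECTION
-A SYN_FLOOD -j SYN_FLOOD_SRC
-A SYN_FLOOD_DROP -m limit --limit 5/sec -m logmark --logmark 60012 -j NFLOG --nflog-prefix "SYN_FLOOD: "
-A SYN_FLOOD_DROP -j DROP
-A SYN_FLOOD_DST -m hashlimit --hashlimit-upto 200/sec --hashlimit-burst 200 --hashlimit-mode dstip --hashlimit-name SYN_FLOOD_DST -j SPOOFING_PROTECTION
-A SYN_FLOOD_DST -j SYN_FLOOD_DROP
-A SYN_FLOOD_SRC -m hashlimit --hashlimit-upto 100/sec --hashlimit-burst 100 --hashlimit-mode srcip --hashlimit-name SYN_FLOOD_SRC -j SYN_FLOOD_DST
-A SYN_FLOOD_SRC -j SYN_FLOOD_DROP
# UDP: 200/sec per source, then per destination. The per-destination rate
# 303/sec with burst 300 is the only asymmetric pair in this table — presumably
# a typo for 300/sec; confirm with the author before changing it.
-A UDP_FLOOD -j UDP_FLOOD_SRC
-A UDP_FLOOD_DROP -m limit --limit 5/sec -m logmark --logmark 60013 -j NFLOG --nflog-prefix "UDP_FLOOD: "
-A UDP_FLOOD_DROP -j DROP
-A UDP_FLOOD_DST -m hashlimit --hashlimit-upto 303/sec --hashlimit-burst 300 --hashlimit-mode dstip --hashlimit-name UDP_FLOOD_DST -j SPOOFING_PROTECTION
-A UDP_FLOOD_DST -j UDP_FLOOD_DROP
-A UDP_FLOOD_SRC -m hashlimit --hashlimit-upto 200/sec --hashlimit-burst 200 --hashlimit-mode srcip --hashlimit-name UDP_FLOOD_SRC -j UDP_FLOOD_DST
-A UDP_FLOOD_SRC -j UDP_FLOOD_DROP
COMMIT
# Completed on Tue Apr 13 16:49:18 2010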
# Generated by ip6tables-save v1.4.4 on Tue Apr 13 16:49:18 2010
# filter table: default policy is DROP on INPUT, FORWARD and OUTPUT, so anything
# not explicitly accepted (or CONFIRMED) by the chains below is discarded, after
# the logged catch-all at the end of each built-in chain.
# "-m confirmed" / "-j CONFIRMED" and "-m logmark" are not upstream netfilter
# modules; they appear to be vendor extensions of this kernel. The rules of
# PSD_MATCH, SANITY_CHECKS, LOG*, STRICT_TCP_STATE, HA and USR_* are not in view.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:AUTO_FORWARD - [0:0]
:AUTO_INPUT - [0:0]
:AUTO_OUTPUT - [0:0]
:HA - [0:0]
:INVALID_PKT - [0:0]
:LOGACCEPT - [0:0]
:LOGDROP - [0:0]
:LOGREJECT - [0:0]
:PSD_ACTION - [0:0]
:PSD_MATCH - [0:0]
:SANITY_CHECKS - [0:0]
:STRICT_TCP_STATE - [0:0]
:USR_FORWARD - [0:0]
:USR_INPUT - [0:0]
:USR_OUTPUT - [0:0]
# INPUT: loopback is trusted outright; connections already confirmed are accepted
# without re-evaluation (the "confirmed" match is vendor-specific — presumably
# set by an earlier CONFIRMED verdict, confirm against the module); RELATED
# traffic is confirmed. New traffic then passes port-scan detection, sanity
# checks, the generated (AUTO_) and user (USR_) rules, and is finally dropped
# with logmark 60001. No explicit ctstate INVALID drop is visible in this chain;
# if it exists it must live in SANITY_CHECKS, whose rules are not in view.
-A INPUT -i lo -j ACCEPT
-A INPUT -m confirmed -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED -j CONFIRMED
-A INPUT -j PSD_MATCH
-A INPUT -j SANITY_CHECKS
-A INPUT -j AUTO_INPUT
-A INPUT -j USR_INPUT
-A INPUT -m logmark --logmark 60001 -j LOGDROP
# FORWARD: same structure as INPUT minus the loopback rule; the logged catch-all
# uses logmark 60002 so forwarded drops can be told apart from input drops.
-A FORWARD -m confirmed -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED -j CONFIRMED
-A FORWARD -j PSD_MATCH
-A FORWARD -j SANITY_CHECKS
-A FORWARD -j AUTO_FORWARD
-A FORWARD -j USR_FORWARD
-A FORWARD -m logmark --logmark 60002 -j LOGDROP
# OUTPUT: the first two rules drop (and log with logmark 60005) locally generated
# TCP to ports 4444 and 443 that is sent over loopback with a non-loopback source
# address; presumably this stops local processes reaching those services via the
# host's global address. They must stay ahead of the blanket "-o lo ACCEPT" on
# the next line, which would otherwise admit them — order matters here.
-A OUTPUT ! -s ::1/128 -o lo -p tcp -m tcp --sport 1024:65535 --dport 4444 -m logmark --logmark 60005 -j LOGDROP
-A OUTPUT ! -s ::1/128 -o lo -p tcp -m tcp --sport 1:65535 --dport 443 -m logmark --logmark 60005 -j LOGDROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m confirmed -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED -j CONFIRMED
-A OUTPUT -j SANITY_CHECKS
-A OUTPUT -j AUTO_OUTPUT
-A OUTPUT -j USR_OUTPUT
# Catch-all for locally generated traffic, logged with logmark 60003.
-A OUTPUT -m logmark --logmark 60003 -j LOGDROP
# AUTO_FORWARD: ICMPv6 echo request (128) and echo reply (129), code 0, are
# confirmed when forwarded; no other forwarded traffic is admitted by this chain.
-A AUTO_FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j CONFIRMED
-A AUTO_FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 129/0 -j CONFIRMED
# AUTO_INPUT (generated service rules; the chain continues with ICMPv6 rules below).
# SSH (22): allowed only from the two /64 prefixes (redacted as 2002:xxxx:xxxx:...
# in this dump); any other source is dropped here with logmark 60004, ahead of the
# generic INPUT catch-all.
-A AUTO_INPUT -s 2002:xxxx:xxxx:31::/64 -p tcp -m tcp --sport 1:65535 --dport 22 -j CONFIRMED
-A AUTO_INPUT -s 2002:xxxx:xxxx:30::/64 -p tcp -m tcp --sport 1:65535 --dport 22 -j CONFIRMED
-A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 22 -m logmark --logmark 60004 -j LOGDROP
# NOTE(review): TCP 4444 is accepted (via LOGACCEPT, logmark 60006) from ANY
# source by the first rule below. Because it is unconditional, the two
# per-prefix LOGACCEPT rules that follow and the LOGDROP (logmark 60005) after
# them can never match, so 4444 is not restricted the way port 22 is above and
# rejected attempts are never logged. If the intent was the same per-prefix
# restriction as for 22, delete the unconditional rule; if 4444 is meant to be
# reachable from anywhere, the three rules after it are dead and should go.
-A AUTO_INPUT -p tcp -m tcp --sport 1024:65535 --dport 4444 -m logmark --logmark 60006 -j LOGACCEPT
-A AUTO_INPUT -s 2002:xxxx:xxxx:31::/64 -p tcp -m tcp --sport 1024:65535 --dport 4444 -m logmark --logmark 60006 -j LOGACCEPT
-A AUTO_INPUT -s 2002:xxxx:xxxx:30::/64 -p tcp -m tcp --sport 1024:65535 --dport 4444 -m logmark --logmark 60006 -j LOGACCEPT
-A AUTO_INPUT -p tcp -m tcp --sport 1024:65535 --dport 4444 -m logmark --logmark 60005 -j LOGDROP
# HTTPS (443) from any source; "--sport 1:65535" excludes only source port 0.
-A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 443 -j CONFIRMED
# DHCPv6 server port (udp 547), only on eth4 and eth0.
-A AUTO_INPUT -i eth4 -p udp -m udp --sport 1:65535 --dport 547 -j CONFIRMED
-A AUTO_INPUT -i eth0 -p udp -m udp --sport 1:65535 --dport 547 -j CONFIRMED
# DNS (tcp and udp 53) from three /64 prefixes; note the source port must be >= 53.
-A AUTO_INPUT -s 2002:xxxx:xxxx:131::/64 -p tcp -m tcp --sport 53:65535 --dport 53 -j CONFIRMED
-A AUTO_INPUT -s 2002:xxxx:xxxx:131::/64 -p udp -m udp --sport 53:65535 --dport 53 -j CONFIRMED
-A AUTO_INPUT -s 2002:xxxx:xxxx:31::/64 -p tcp -m tcp --sport 53:65535 --dport 53 -j CONFIRMED
-A AUTO_INPUT -s 2002:xxxx:xxxx:31::/64 -p udp -m udp --sport 53:65535 --dport 53 -j CONFIRMED
-A AUTO_INPUT -s 2002:xxxx:xxxx:30::/64 -p tcp -m tcp --sport 53:65535 --dport 53 -j CONFIRMED
-A AUTO_INPUT -s 2002:xxxx:xxxx:30::/64 -p udp -m udp --sport 53:65535 --dport 53 -j CONFIRMED
# TCP 8080 from the same three /64 prefixes.
-A AUTO_INPUT -s 2002:xxxx:xxxx:131::/64 -p tcp -m tcp --sport 1:65535 --dport 8080 -j CONFIRMED
-A AUTO_INPUT -s 2002:xxxx:xxxx:31::/64 -p tcp -m tcp --sport 1:65535 --dport 8080 -j CONFIRMED
-A AUTO_INPUT -s 2002:xxxx:xxxx:30::/64 -p tcp -m tcp --sport 1:65535 --dport 8080 -j CONFIRMED
-A AUTO_INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT                                                                                                                                   
-A AUTO_INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2/0 -j ACCEPT                                                                                                                                 
-A AUTO_INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT                                                                                                                                   
-A AUTO_INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT                                                                                                                                   
-A AUTO_INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135/0 -j CONFIRMED                                                                                                                            
-A AUTO_INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136/0 -j CONFIRMED                                                                                                                            
-A AUTO_INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -j DROP                                                                                                                                 
-A AUTO_INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134/0 -j ACCEPT                                                                                                                               
-A AUTO_INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133/0 -j ACCEPT                                                                                                                               
-A AUTO_INPUT -s 2002:xxxx:xxxx:131::/64 -p udp -m udp --sport 123:65535 --dport 123 -j CONFIRMED                                                                                               
-A AUTO_INPUT -s 2002:xxxx:xxxx:31::/64 -p udp -m udp --sport 123:65535 --dport 123 -j CONFIRMED                                                                                                
-A AUTO_INPUT -s 2002:xxxx:xxxx:30::/64 -p udp -m udp --sport 123:65535 --dport 123 -j CONFIRMED                                                                                                
-A AUTO_INPUT -s 2002:xxxx:xxxx:31::/64 -p tcp -m tcp --sport 1:65535 --dport 8110 -m conntrack --ctstate DNAT -j CONFIRMED                                                                     
-A AUTO_INPUT -s 2002:xxxx:xxxx:30::/64 -p tcp -m tcp --sport 1:65535 --dport 8110 -m conntrack --ctstate DNAT -j CONFIRMED                                                                     
-A AUTO_INPUT -s 2002:xxxx:xxxx:131::/64 -p tcp -m tcp --sport 1:65535 --dport 2121 -m conntrack --ctstate DNAT -j CONFIRMED                                                                    
-A AUTO_INPUT -s 2002:xxxx:xxxx:31::/64 -p tcp -m tcp --sport 1:65535 --dport 2121 -m conntrack --ctstate DNAT -j CONFIRMED                                                                     
-A AUTO_INPUT -s 2002:xxxx:xxxx:30::/64 -p tcp -m tcp --sport 1:65535 --dport 2121 -m conntrack --ctstate DNAT -j CONFIRMED                                                                     
-A AUTO_INPUT -p tcp -m tcp --sport 1:65535 -m multiport --dports 25,465,587 -j CONFIRMED                                                                                                       
-A AUTO_INPUT -p ipv6 -j CONFIRMED                                                                                                                                                              
-A AUTO_INPUT -s 2002:xxxx:xxxx:31::/64 -p tcp -m tcp --sport 1:65535 --dport 3840 -j CONFIRMED                                                                                                 
# --- AUTO_OUTPUT ---
# Outbound (locally generated) traffic. Most rules terminate in the
# user-defined CONFIRMED chain, whose definition is not visible here.
# UDP/546 (DHCPv6 client port) out of eth4 and eth0 — the mirror of the inbound
# 547 rules, consistent with this host acting as a DHCPv6 server/relay; confirm.
-A AUTO_OUTPUT -o eth4 -p udp -m udp --sport 1:65535 --dport 546 -j CONFIRMED
-A AUTO_OUTPUT -o eth0 -p udp -m udp --sport 1:65535 --dport 546 -j CONFIRMED
# DNS: queries to port 53 (TCP and UDP) from source port 53 or higher, plus
# UDP replies from local port 53 to any port 53 or higher.
-A AUTO_OUTPUT -p tcp -m tcp --sport 53:65535 --dport 53 -j CONFIRMED
-A AUTO_OUTPUT -p udp -m udp --sport 53:65535 --dport 53 -j CONFIRMED
-A AUTO_OUTPUT -p udp -m udp --sport 53 --dport 53:65535 -j CONFIRMED
# Application-specific outbound TCP ports. Note that TCP/4444 is permitted
# outbound here while inbound TCP/4444 is logged and dropped in AUTO_INPUT.
# 389/636 are LDAP/LDAPS; 21 is FTP control (data connections rely on
# conntrack/helper handling that is not visible here). 80 and 8333 each appear
# more than once in this chain — duplicates are harmless but redundant.
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 3840:4840 -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 4444 -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 21 -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 80 -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 8080 -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 443 -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 8333 -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 389 -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 636 -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 49152 -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 8222 -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 8333 -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 7071 -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 80 -j CONFIRMED
# UDP 33000-34000 from an unprivileged source port — this range covers the
# ports conventionally used by UDP traceroute probes; presumably that is the
# purpose, confirm.
-A AUTO_OUTPUT -p udp -m udp --sport 1024:65535 --dport 33000:34000 -j CONFIRMED
# ICMPv6 error types (1, 2/0, 3, 4) are accepted outright; neighbor
# solicitation/advertisement (135/136) and echo request (128) go via CONFIRMED;
# router solicitation/advertisement (133/134) are accepted directly.
# MLDv2 listener reports (143) are DROPped on output, which suppresses this
# host's own multicast group membership reports — confirm that is intended.
-A AUTO_OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A AUTO_OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2/0 -j ACCEPT
-A AUTO_OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A AUTO_OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A AUTO_OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135/0 -j CONFIRMED
-A AUTO_OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136/0 -j CONFIRMED
-A AUTO_OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -j DROP
-A AUTO_OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133/0 -j ACCEPT
-A AUTO_OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134/0 -j ACCEPT
-A AUTO_OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j CONFIRMED
# NTP out (UDP/123). The rule is repeated three times with identical matches;
# the inbound chain has one NTP rule per local prefix, so these look like
# per-prefix rules generated without the destination qualifier — redundant
# but not harmful.
-A AUTO_OUTPUT -p udp -m udp --sport 123:65535 --dport 123 -j CONFIRMED
-A AUTO_OUTPUT -p udp -m udp --sport 123:65535 --dport 123 -j CONFIRMED
-A AUTO_OUTPUT -p udp -m udp --sport 123:65535 --dport 123 -j CONFIRMED
# POP3 (110) from an unprivileged source port; HTTP (80) again.
-A AUTO_OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 110 -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 80 -j CONFIRMED
# Catch-all: any TCP connection from an unprivileged source port (1024-65535)
# to ANY destination port is handed to CONFIRMED. Unless CONFIRMED filters by
# port itself, this makes the outbound TCP policy effectively open for every
# non-privileged-source-port flow, and the port-specific TCP rules above only
# add coverage for source ports 1-1023. If a whitelist was intended, this rule
# should be narrowed or removed; if open egress was intended, the per-port
# rules are dead weight. Either way the intent should be stated.
-A AUTO_OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1:65535 -j CONFIRMED
# Mail submission ports and HKP (11371) / HTTP (80) from any source port.
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 -m multiport --dports 25,465,587 -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 -m multiport --dports 11371,80 -j CONFIRMED
# IPv6-in-IPv6 encapsulated traffic (protocol 41) out, from any process. Same
# consideration as the matching AUTO_INPUT rule: the inner packet is not
# filtered by the rules in this chain.
-A AUTO_OUTPUT -p ipv6 -j CONFIRMED
# Everything originated by the snort user/group bypasses the port rules above.
-A AUTO_OUTPUT -m owner --uid-owner snort --gid-owner snort -j CONFIRMED
# --- INVALID_PKT ---
# Log via NFLOG (no --nflog-group given, so the default netlink group is used)
# with the "INVALID_PKT: " prefix and logmark 60007, then drop. Which chain
# jumps here is not visible in this section.
-A INVALID_PKT -m logmark --logmark 60007 -j NFLOG --nflog-prefix "INVALID_PKT: "
-A INVALID_PKT -j DROP
# --- LOGACCEPT ---
# Log with the "ACCEPT: " prefix, then continue into CONFIRMED rather than
# ACCEPT directly — so despite the name, the final verdict depends on CONFIRMED.
-A LOGACCEPT -j NFLOG --nflog-prefix "ACCEPT: "
-A LOGACCEPT -j CONFIRMED
# --- LOGDROP ---
# Log with the "DROP: " prefix, then silently discard.
-A LOGDROP -j NFLOG --nflog-prefix "DROP: "
-A LOGDROP -j DROP
# --- LOGREJECT ---
# Log with the "REJECT: " prefix, then answer with an ICMPv6 port-unreachable.
# This reply type is used for every protocol that reaches the chain, including
# TCP; ip6tables also offers --reject-with tcp-reset for TCP if a RST is
# preferred to an ICMPv6 error.
-A LOGREJECT -j NFLOG --nflog-prefix "REJECT: "
-A LOGREJECT -j REJECT --reject-with icmp6-port-unreachable
# End of this table.
COMMIT
# Completed on Tue Apr 13 16:49:18 2010
 
