ranger:/root # iptables-save
# Full iptables-save dump of a multi-interface gateway (tables: ips, mangle, nat, filter, raw),
# captured from the shell prompt above. Reformatted one directive per line; rule text unchanged.
#
# Reading notes for reviewers:
#   * Several matches/targets here are not part of stock iptables (confirmed/CONFIRMED, logmark,
#     macset, length2, condition, the whole `ips` table). They come from a vendor-patched kernel;
#     their exact semantics are not visible in this dump.
#   * CONFIRMED is treated below as a terminating accept-like target: the LOGACCEPT chain ends in
#     it and the built-in chains rely on `-m confirmed -j ACCEPT` as a fast path. Assumed, not shown.
#   * eth1 appears to be the external side (masqueraded without a source restriction in nat USR_POST,
#     IPsec peer rules bound to it, ICMP from it dropped in AUTO_FORWARD). eth0 carries 172.20.0.0/24,
#     wlan2 is the hotspot segment. Interface roles are inferred, not declared anywhere in the dump.
#   * The dump contains live-looking public addresses, a hostname and ipset names; handle as sensitive.
# Generated by iptables-save v1.4.12.1 on Mon Mar 19 23:04:25 2012
# --- `ips` table: vendor IPS/QoS classification. Only OUTPUT/POSTROUTING and the QOS_* chains
# --- carry rules; the AFC_* and IPS_* user chains are declared but empty here.
*ips
:PREROUTING ACCEPT [142119:71500483]
:INPUT ACCEPT [106218:12713875]
:FORWARD ACCEPT [35879:58784681]
:OUTPUT ACCEPT [105825:16134303]
:POSTROUTING ACCEPT [141731:74921954]
:AFC_ACTION - [0:0]
:AFC_ALERT - [0:0]
:AFC_BLOCK - [0:0]
:AFC_EXCEPTION - [0:0]
:AFC_LOG - [0:0]
:AFC_POSTROUTING - [0:0]
:IPS_AUTO_OUTPUT - [0:0]
:IPS_USR_FORWARD - [0:0]
:IPS_USR_OUTPUT - [0:0]
:QOS_0x1:0x2 - [0:0]
:QOS_AUTO_PRIO - [0:0]
:QOS_ITF00000000 - [0:0]
:QOS_ITF00000001 - [0:0]
-A OUTPUT -j IPS_AUTO_OUTPUT
-A OUTPUT -j IPS_USR_OUTPUT
# Default traffic class for everything leaving the box; QOS_* chains override it per interface.
-A POSTROUTING -j CLASSIFY --set-class 0000:0000
-A QOS_0x1:0x2 -j CLASSIFY --set-class 0001:0002
# Small TCP control segments (SYN, bare ACK, 20-40 bytes of L4 payload) and DNS get a priority class.
-A QOS_AUTO_PRIO -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m length2 --layer4 --length 20:40 -j CLASSIFY --set-class 0002:0001
-A QOS_AUTO_PRIO -p tcp -m tcp --tcp-flags FIN,RST,ACK ACK -m length2 --layer4 --length 20:40 -j CLASSIFY --set-class 0002:0001
-A QOS_AUTO_PRIO -p tcp -m tcp --sport 1:65535 --dport 53 -j CLASSIFY --set-class 0002:0001
-A QOS_AUTO_PRIO -p udp -m udp --sport 1:65535 --dport 53 -j CLASSIFY --set-class 0002:0001
# Per-interface QoS entry chains; nothing in this dump jumps to them, so they are inert as captured.
-A QOS_ITF00000000 -m connmark --mark 0xf7/0xfff -g QOS_0x1:0x2
-A QOS_ITF00000000 -g QOS_AUTO_PRIO
-A QOS_ITF00000001 -m connmark --mark 0xf7/0xfff -g QOS_0x1:0x2
-A QOS_ITF00000001 -g QOS_AUTO_PRIO
COMMIT
# Completed on Mon Mar 19 23:04:25 2012
# Generated by iptables-save v1.4.12.1 on Mon Mar 19 23:04:25 2012
# --- mangle table: connection marking, hotspot (captive-portal) cut-off, transparent-proxy diversion.
# --- GEOIP_*, POLICY_ROUTING_*, FLOW_MONITOR, SANITYCHECK_*, CLUSTER_INPUT and AFC_* chains are
# --- empty and/or never jumped to in this dump (GEOIP_DROP has a rule but no caller).
*mangle
:PREROUTING ACCEPT [142171:71506357]
:INPUT ACCEPT [106292:12721676]
:FORWARD ACCEPT [35879:58784681]
:OUTPUT ACCEPT [181293:22357837]
:POSTROUTING ACCEPT [141793:74930236]
:AFC_CLUSTER_POSTROUTING - [0:0]
:AFC_DETECT - [0:0]
:AFC_EXCEPTIONS_ALL - [0:0]
:AFC_EXCEPTIONS_IN - [0:0]
:AFC_EXCEPTIONS_OUT - [0:0]
:CLUSTER_INPUT - [0:0]
:FLOW_MONITOR - [0:0]
:GEOIP_DROP - [0:0]
:GEOIP_FORWARD - [0:0]
:GEOIP_IN - [0:0]
:HOTSPOT_CUTOFF_POST - [0:0]
:HOTSPOT_CUTOFF_PRE - [0:0]
:HOTSPOT_POST - [0:0]
:HOTSPOT_PRE - [0:0]
:POLICY_ROUTING_OUT - [0:0]
:POLICY_ROUTING_PRE - [0:0]
:SANITYCHECK_FORWARD - [0:0]
:SANITYCHECK_IN - [0:0]
:TPROXY_DIVERT - [0:0]
:TPROXY_DIVERT_HTTP - [0:0]
:TPROXY_HOOK - [0:0]
:TPROXY_HOOK_HTTP - [0:0]
-A PREROUTING -j HOTSPOT_PRE
-A PREROUTING -j TPROXY_HOOK
-A PREROUTING -j POLICY_ROUTING_PRE
-A PREROUTING -j FLOW_MONITOR
# Connection-direction bookkeeping: bit 0x100000 = new flow leaving via eth1, 0x80000 = new flow
# arriving on eth1. Locally generated replies on 0x80000 flows get 0x40000 (the TPROXY bit below).
-A FORWARD -o eth1 -m conntrack --ctstate NEW -j CONNMARK --set-xmark 0x100000/0x100000
-A FORWARD -i eth1 -m conntrack --ctstate NEW -j CONNMARK --set-xmark 0x80000/0x80000
-A OUTPUT -m conntrack --ctstate NEW -m mark --mark 0x80000/0x80000 -j CONNMARK --set-xmark 0x40000/0x40000
-A OUTPUT -j POLICY_ROUTING_OUT
-A POSTROUTING -j HOTSPOT_POST
-A POSTROUTING -j FLOW_MONITOR
-A GEOIP_DROP -j DROP
# Hotspot cut-off, reply direction (towards an unauthenticated wlan2 client): only DNS answers,
# echo requests, DHCP offers and replies from the local 4444/4501 services get through.
-A HOTSPOT_CUTOFF_POST -p tcp -m tcp --sport 53 --dport 1:65535 -j RETURN
-A HOTSPOT_CUTOFF_POST -p udp -m udp --sport 53 --dport 1:65535 -j RETURN
-A HOTSPOT_CUTOFF_POST -p icmp -m icmp --icmp-type 8/0 -j RETURN
-A HOTSPOT_CUTOFF_POST -p udp -m udp --sport 67 --dport 68 -j RETURN
-A HOTSPOT_CUTOFF_POST -p tcp -m tcp --sport 4444 --dport 1:65535 -m addrtype --src-type LOCAL -j RETURN
-A HOTSPOT_CUTOFF_POST -p tcp -m tcp --sport 4501 --dport 1:65535 -m addrtype --src-type LOCAL -j RETURN
-A HOTSPOT_CUTOFF_POST -j DROP
# Hotspot cut-off, request direction. Unauthenticated clients may reach DNS on ANY destination
# (not just the local resolver), echo replies, DHCP, the local 4501/4444 ports, and new HTTP
# connections (which nat AUTO_PRE redirects to 4501). Everything else is dropped.
# Mitigation note: unrestricted pre-authentication DNS egress is commonly tightened to the
# gateway's own resolver; as written any external port-53 service is reachable before login.
-A HOTSPOT_CUTOFF_PRE -p tcp -m tcp --sport 1:65535 --dport 53 -j RETURN
-A HOTSPOT_CUTOFF_PRE -p udp -m udp --sport 1:65535 --dport 53 -j RETURN
-A HOTSPOT_CUTOFF_PRE -p icmp -m icmp --icmp-type 0/0 -j RETURN
-A HOTSPOT_CUTOFF_PRE -p udp -m udp --sport 68 --dport 67 -j RETURN
-A HOTSPOT_CUTOFF_PRE -p tcp -m tcp --sport 1:65535 -m multiport --dports 4501,4444 -m addrtype --dst-type LOCAL -j RETURN
-A HOTSPOT_CUTOFF_PRE -p tcp -m tcp --sport 1:65535 --dport 80 -m conntrack --ctstate NEW,DNAT -j ACCEPT
-A HOTSPOT_CUTOFF_PRE -j DROP
# Authentication state is keyed on the client MAC (macset REF_HotPorTolgaarde). A MAC is a
# session binding, not an identity; the set membership is what gates the cut-off chains.
-A HOTSPOT_POST -o wlan2 -m macset ! --dst-set REF_HotPorTolgaarde --count -j HOTSPOT_CUTOFF_POST
-A HOTSPOT_PRE -i wlan2 -m macset ! --src-set REF_HotPorTolgaarde --count -j HOTSPOT_CUTOFF_PRE
# TPROXY diversion: established flows already carrying connmark 0x40000 get the packet mark set
# (0x40000, full mask overwrite) so policy routing can steer them to the local proxy.
-A TPROXY_DIVERT -j MARK --set-xmark 0x40000/0xffffffff
-A TPROXY_DIVERT -j ACCEPT
-A TPROXY_HOOK ! -i lo -m conntrack --ctstate RELATED,ESTABLISHED -m connmark --mark 0x40000/0x40000 -j TPROXY_DIVERT
# TPROXY_HOOK_HTTP is never jumped to and TPROXY_DIVERT_HTTP is empty: dead rules as captured.
-A TPROXY_HOOK_HTTP -d 213.144.15.19/32 -j TPROXY_DIVERT_HTTP
-A TPROXY_HOOK_HTTP -d 213.144.15.19/32 -j RETURN
COMMIT
# Completed on Mon Mar 19 23:04:25 2012
# Generated by iptables-save v1.4.12.1 on Mon Mar 19 23:04:25 2012
# --- nat table: port redirects for local services, RADIUS relay (414 -> 172.20.0.4:1812),
# --- hotspot HTTP capture, and outbound masquerading. LOAD_BALANCING/USR_PRE/USR_OUTPUT/
# --- AUTO_OUTPUT are empty.
*nat
:PREROUTING ACCEPT [161:14831]
:INPUT ACCEPT [117:9518]
:OUTPUT ACCEPT [81786:6743296]
:POSTROUTING ACCEPT [0:0]
:AUTO_OUTPUT - [0:0]
:AUTO_POST - [0:0]
:AUTO_PRE - [0:0]
:LOAD_BALANCING - [0:0]
:USR_OUTPUT - [0:0]
:USR_POST - [0:0]
:USR_PRE - [0:0]
-A PREROUTING -j AUTO_PRE
-A PREROUTING -j USR_PRE
-A PREROUTING -j LOAD_BALANCING
-A OUTPUT -j AUTO_OUTPUT
-A OUTPUT -j USR_OUTPUT
-A POSTROUTING -j AUTO_POST
-A POSTROUTING -j USR_POST
# RADIUS relay: connections that were originally to port 414 and DNATed to 172.20.0.4:1812 are
# source-masqueraded on eth0 so the RADIUS server answers via the gateway.
-A AUTO_POST -d 172.20.0.4/32 -o eth0 -p tcp -m tcp --sport 1:65535 --dport 1812 -m policy --dir out --pol none -m conntrack --ctorigsrcport 1024:65535 --ctorigdstport 414 -j MASQUERADE
-A AUTO_POST -d 172.20.0.4/32 -o eth0 -p udp -m udp --sport 1:65535 --dport 1812 -m policy --dir out --pol none -m conntrack --ctorigsrcport 1024:65535 --ctorigdstport 414 -j MASQUERADE
# 1.2.3.4 looks like a placeholder/sanitised address rather than a real interface IP — confirm.
-A AUTO_PRE -d 1.2.3.4/32 -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 2712 -j REDIRECT --to-ports 2712
-A AUTO_PRE -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 414 -j DNAT --to-destination 172.20.0.4:1812
-A AUTO_PRE -i eth0 -p udp -m udp --sport 1024:65535 --dport 414 -j DNAT --to-destination 172.20.0.4:1812
# Captive portal: HTTP from wlan2 clients not yet in the hotspot MAC set is redirected to local 4501.
-A AUTO_PRE -i wlan2 -p tcp -m tcp --sport 1:65535 --dport 80 -m macset ! --src-set REF_HotPorTolgaarde -j REDIRECT --to-ports 4501
-A AUTO_PRE -p tcp -m tcp --sport 1024:65535 --dport 4444 -m addrtype --dst-type LOCAL -j ACCEPT
-A AUTO_PRE -s 172.20.0.0/24 -d 1.2.3.4/32 -p tcp -m tcp --sport 1:65535 --dport 9980 -j REDIRECT --to-ports 9980
# Masquerade everything leaving eth1 that is not covered by an IPsec policy (no source restriction),
# and 172.20.0.0/24 leaving eth0/eth3.
-A USR_POST -o eth1 -m policy --dir out --pol none -j MASQUERADE
-A USR_POST -s 172.20.0.0/24 -o eth0 -m policy --dir out --pol none -j MASQUERADE
-A USR_POST -s 172.20.0.0/24 -o eth3 -m policy --dir out --pol none -j MASQUERADE
COMMIT
# Completed on Mon Mar 19 23:04:25 2012
# Generated by iptables-save v1.4.12.1 on Mon Mar 19 23:04:25 2012
# --- filter table. Default policy DROP on INPUT, FORWARD and OUTPUT; each built-in chain ends in a
# --- logged drop (logmark 60001/60002/60003). HA, PSD_MATCH, SANITY_CHECKS, USR_INPUT, GEOIP_OUT,
# --- PSD_ACTION, STRICT_TCP_STATE, IPS_* are empty and/or never referenced in this dump, so the
# --- "sanity check" and port-scan-detection hooks are no-ops as captured.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:AUTO_FORWARD - [0:0]
:AUTO_INPUT - [0:0]
:AUTO_OUTPUT - [0:0]
:GEOIP_OUT - [0:0]
:GEOIP_REJECT - [0:0]
:HA - [0:0]
:INVALID_PKT - [0:0]
:IPS_AUTO_OUTPUT - [0:0]
:IPS_USR_OUTPUT - [0:0]
:LOGACCEPT - [0:0]
:LOGDROP - [0:0]
:LOGREJECT - [0:0]
:PSD_ACTION - [0:0]
:PSD_MATCH - [0:0]
:SANITY_CHECKS - [0:0]
:STRICT_TCP_STATE - [0:0]
:USR_FORWARD - [0:0]
:USR_INPUT - [0:0]
:USR_OUTPUT - [0:0]
-A INPUT -i lo -j ACCEPT
# Port 3400 is accepted unconditionally on every interface before any other check (3400/3401 are
# also exempted in the raw UDP_FLOOD chain, which suggests a cluster/HA protocol — not confirmed).
-A INPUT -p udp -m udp --sport 1:65535 --dport 3400 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1:65535 --dport 3400 -j ACCEPT
# Fast path: packets of already-confirmed connections are accepted; RELATED traffic gets confirmed.
-A INPUT -m confirmed -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED -j CONFIRMED
-A INPUT -j HA
-A INPUT -j PSD_MATCH
-A INPUT -j SANITY_CHECKS
-A INPUT -j AUTO_INPUT
-A INPUT -j USR_INPUT
-A INPUT -m logmark --logmark 60001 -j LOGDROP
-A FORWARD -m confirmed -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED -j CONFIRMED
-A FORWARD -j PSD_MATCH
-A FORWARD -j SANITY_CHECKS
-A FORWARD -j AUTO_FORWARD
-A FORWARD -j USR_FORWARD
-A FORWARD -m logmark --logmark 60002 -j LOGDROP
# Local management ports (4444, 10443) may only be reached over loopback from a loopback source;
# anything else arriving on lo for them is logged and dropped.
-A OUTPUT ! -s 127.0.0.0/8 -o lo -p tcp -m tcp --sport 1024:65535 --dport 4444 -m logmark --logmark 60005 -j LOGDROP
-A OUTPUT ! -s 127.0.0.0/8 -o lo -p tcp -m tcp --sport 1:65535 --dport 10443 -m logmark --logmark 60005 -j LOGDROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p udp -m udp --sport 1:65535 --dport 3400 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1:65535 --dport 3400 -j ACCEPT
-A OUTPUT -m confirmed -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED -j CONFIRMED
# Kill-switch: when the OUTPUT_ACCEPT_ALL condition flag is set, all root:root-owned output is
# confirmed regardless of the rules below. Operationally this flag should be monitored.
-A OUTPUT -m condition --condition "OUTPUT_ACCEPT_ALL" -m owner --uid-owner 0 --gid-owner 0 -j CONFIRMED
-A OUTPUT -j HA
-A OUTPUT -j SANITY_CHECKS
-A OUTPUT -j AUTO_OUTPUT
-A OUTPUT -j USR_OUTPUT
-A OUTPUT -m logmark --logmark 60003 -j LOGDROP
# System forward rules. RADIUS hairpin on eth0; ICMP from eth1 is dropped, ICMP from elsewhere
# confirmed. NOTE: the first two ICMP rules cover every ICMP packet, so the type-specific rules
# (8/0, 0/0, 11/0) after them can never match — harmless but misleading when auditing.
-A AUTO_FORWARD -d 172.20.0.4/32 -i eth0 -o eth0 -p tcp -m tcp --sport 1:65535 --dport 1812 -m policy --dir out --pol none -j CONFIRMED
-A AUTO_FORWARD -d 172.20.0.4/32 -i eth0 -o eth0 -p udp -m udp --sport 1:65535 --dport 1812 -m policy --dir out --pol none -j CONFIRMED
-A AUTO_FORWARD -i eth1 -p icmp -j LOGDROP
-A AUTO_FORWARD -p icmp -j CONFIRMED
-A AUTO_FORWARD -i eth1 -p icmp -m icmp --icmp-type 8/0 -j LOGDROP
-A AUTO_FORWARD -p icmp -m icmp --icmp-type 8/0 -j CONFIRMED
-A AUTO_FORWARD -i eth1 -p icmp -m icmp --icmp-type 0/0 -j LOGDROP
-A AUTO_FORWARD -p icmp -m icmp --icmp-type 0/0 -j CONFIRMED
-A AUTO_FORWARD -i eth1 -p udp -m udp --sport 1024:65535 -m multiport --dports 33000:34000,44444:55555 -j LOGDROP
-A AUTO_FORWARD -p udp -m udp --sport 1024:65535 -m multiport --dports 33000:34000,44444:55555 -j CONFIRMED
-A AUTO_FORWARD -i eth1 -p icmp -m icmp --icmp-type 11/0 -j LOGDROP
-A AUTO_FORWARD -p icmp -m icmp --icmp-type 11/0 -j CONFIRMED
# System input rules.
-A AUTO_INPUT -i eth0 -p udp -m udp --sport 1024:65535 -m multiport --dports 415,3401 -j CONFIRMED
-A AUTO_INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 2712 -j CONFIRMED
-A AUTO_INPUT -i wlan2 -p tcp -m tcp --sport 1:65535 --dport 4501 -j CONFIRMED
# SSH (22) and the 4444 management port are confirmed from ANY interface and source, including the
# apparently external eth1. The LOGDROP rule that follows each of them matches the same traffic and
# is therefore unreachable (assuming CONFIRMED terminates) — the intended "log and drop" never fires.
# Restricting these to an admin network/interface is the usual hardening step.
-A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 22 -j CONFIRMED
-A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 22 -m logmark --logmark 60004 -j LOGDROP
-A AUTO_INPUT -p tcp -m tcp --sport 1024:65535 --dport 4444 -j CONFIRMED
-A AUTO_INPUT -p tcp -m tcp --sport 1024:65535 --dport 4444 -m logmark --logmark 60005 -j LOGDROP
-A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 3400 -j CONFIRMED
-A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 10443 -j CONFIRMED
# DHCP: client role on eth1, server role on eth2/wlan2/wlan1/eth3.
-A AUTO_INPUT -i eth1 -p udp -m udp --sport 67 --dport 68 -j CONFIRMED
-A AUTO_INPUT -i eth2 -p udp -m udp --sport 67:68 --dport 67 -j CONFIRMED
-A AUTO_INPUT -i wlan2 -p udp -m udp --sport 67:68 --dport 67 -j CONFIRMED
-A AUTO_INPUT -i wlan1 -p udp -m udp --sport 67:68 --dport 67 -j CONFIRMED
-A AUTO_INPUT -i eth3 -p udp -m udp --sport 67:68 --dport 67 -j CONFIRMED
# DNS service only for sources in an ipset (set name is an opaque generated id).
-A AUTO_INPUT -p tcp -m set --match-set h2U6+IyrovpkEh86jBzgyg src -m tcp --sport 53:65535 --dport 53 -j CONFIRMED
-A AUTO_INPUT -p udp -m set --match-set h2U6+IyrovpkEh86jBzgyg src -m udp --sport 53:65535 --dport 53 -j CONFIRMED
# All ICMP is confirmed; the 8/0 rule after it is shadowed.
-A AUTO_INPUT -p icmp -j CONFIRMED
-A AUTO_INPUT -p icmp -m icmp --icmp-type 8/0 -j CONFIRMED
-A AUTO_INPUT -p udp -m udp --sport 1024:65535 -m multiport --dports 33000:34000,44444:55555 -j CONFIRMED
# IPsec: a fixed site-to-site peer (77.222.76.132 -> 82.72.157.240 on eth1), then road-warrior
# rules for the same local address with no source restriction (IKE 500/4500 and ESP from anywhere,
# L2TP 1701 only inside an IPsec transport policy). `-p ip` matches any protocol under the policy.
-A AUTO_INPUT -s 77.222.76.132/32 -d 82.72.157.240/32 -i eth1 -p esp -m esp --espspi 256:4294967295 -m policy --dir in --pol none -j CONFIRMED
-A AUTO_INPUT -s 77.222.76.132/32 -d 82.72.157.240/32 -i eth1 -p ip -m policy --dir in --pol ipsec --mode transport -j CONFIRMED
-A AUTO_INPUT -s 77.222.76.132/32 -d 82.72.157.240/32 -i eth1 -p ipv6 -m policy --dir in --pol ipsec --mode transport -j CONFIRMED
-A AUTO_INPUT -s 77.222.76.132/32 -d 82.72.157.240/32 -i eth1 -p udp -m udp --sport 1:65535 -m multiport --dports 500,4500 -m policy --dir in --pol none -j CONFIRMED
-A AUTO_INPUT -d 82.72.157.240/32 -p esp -m esp --espspi 256:4294967295 -j CONFIRMED
-A AUTO_INPUT -d 82.72.157.240/32 -p ip -m policy --dir in --pol ipsec --mode transport -j CONFIRMED
-A AUTO_INPUT -d 82.72.157.240/32 -p ipv6 -m policy --dir in --pol ipsec --mode transport -j CONFIRMED
-A AUTO_INPUT -d 82.72.157.240/32 -p udp -m udp --sport 1:65535 -m multiport --dports 500,4500 -j CONFIRMED
-A AUTO_INPUT -d 82.72.157.240/32 -p udp -m udp --sport 1024:65535 --dport 1701 -m policy --dir in --pol ipsec --mode transport -j CONFIRMED
# HTTPS and SMTP/submission (25, 465, 587) are exposed on every interface; NTP only from RFC1918 172.16/12.
-A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 443 -j CONFIRMED
-A AUTO_INPUT -s 172.16.0.0/12 -p udp -m udp --sport 123:65535 --dport 123 -j CONFIRMED
-A AUTO_INPUT -p tcp -m tcp --sport 1:65535 -m multiport --dports 25,465,587 -j CONFIRMED
-A AUTO_INPUT -s 172.20.0.0/24 -p tcp -m tcp --sport 1:65535 --dport 9980 -j CONFIRMED
# Packets carrying the TPROXY mark (set in mangle TPROXY_DIVERT) are accepted for the local proxy.
-A AUTO_INPUT -m mark --mark 0x40000/0x40000 -j CONFIRMED
# System output rules. The first two rules log and REJECT every uid-0-owned packet that reaches
# this chain, before any of the allow rules below. Unless the packet was confirmed earlier in
# OUTPUT (loopback, 3400, confirmed flow, RELATED, the OUTPUT_ACCEPT_ALL flag), a new root-owned
# connection to DNS/SMTP/HTTP/syslog/LDAP listed below is rejected here. The "HTML5VPN" prefix
# suggests a per-service uid was intended — confirm that uid 0 is really the right owner.
-A AUTO_OUTPUT -m owner --uid-owner 0 -m logmark --logmark 60022 -j NFLOG --nflog-prefix "HTML5VPN: "
-A AUTO_OUTPUT -m owner --uid-owner 0 -j REJECT --reject-with icmp-port-unreachable
-A AUTO_OUTPUT -o eth1 -p udp -m udp --sport 68 --dport 67 -j CONFIRMED
-A AUTO_OUTPUT -o eth2 -p udp -m udp --sport 67 --dport 67:68 -j CONFIRMED
-A AUTO_OUTPUT -o wlan2 -p udp -m udp --sport 67 --dport 67:68 -j CONFIRMED
-A AUTO_OUTPUT -o wlan1 -p udp -m udp --sport 67 --dport 67:68 -j CONFIRMED
-A AUTO_OUTPUT -o eth3 -p udp -m udp --sport 67 --dport 67:68 -j CONFIRMED
-A AUTO_OUTPUT -p icmp -m icmp --icmp-type 8/0 -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 53:65535 --dport 53 -j CONFIRMED
-A AUTO_OUTPUT -p udp -m udp --sport 53:65535 --dport 53 -j CONFIRMED
-A AUTO_OUTPUT -p udp -m udp --sport 53 --dport 53:65535 -j CONFIRMED
-A AUTO_OUTPUT -p icmp -m icmp --icmp-type 11/0 -j CONFIRMED
-A AUTO_OUTPUT -p udp -m udp --sport 1024:65535 -m multiport --dports 33000:34000,44444:55555 -j CONFIRMED
# IPsec egress, mirror of the AUTO_INPUT peer and road-warrior rules.
-A AUTO_OUTPUT -s 82.72.157.240/32 -d 77.222.76.132/32 -o eth1 -p esp -m esp --espspi 256:4294967295 -m policy --dir out --pol none -j CONFIRMED
-A AUTO_OUTPUT -s 82.72.157.240/32 -d 77.222.76.132/32 -o eth1 -p udp -m udp --sport 4500 --dport 1:65535 -m policy --dir out --pol none -j CONFIRMED
-A AUTO_OUTPUT -s 82.72.157.240/32 -d 77.222.76.132/32 -o eth1 -p udp -m udp --sport 500 --dport 1:65535 -m policy --dir out --pol none -j CONFIRMED
-A AUTO_OUTPUT -s 82.72.157.240/32 -p esp -m esp --espspi 256:4294967295 -j CONFIRMED
-A AUTO_OUTPUT -s 82.72.157.240/32 -p udp -m udp --sport 4500 --dport 1:65535 -j CONFIRMED
-A AUTO_OUTPUT -s 82.72.157.240/32 -p udp -m udp --sport 500 --dport 1:65535 -j CONFIRMED
-A AUTO_OUTPUT -p udp -m set --match-set jGuRuVc9K69DnoLoqcH35Q dst -m udp --sport 123:65535 --dport 123 -j CONFIRMED
# "587,587" is a harmless duplicate in the multiport list.
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 -m multiport --dports 25,465,587,587 -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 80 -j CONFIRMED
# Syslog export to 172.20.0.50 over plain UDP/514 (no transport protection visible here).
-A AUTO_OUTPUT -d 172.20.0.50/32 -p udp -m udp --sport 1:65535 --dport 514 -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 443 -j CONFIRMED
# LDAP (389) to the directory host; whether the session is protected by StartTLS is not visible here.
-A AUTO_OUTPUT -d 172.20.0.4/32 -o eth0 -p tcp -m tcp --sport 1:65535 --dport 389 -m policy --dir out --pol none -j CONFIRMED
-A AUTO_OUTPUT -d 172.20.0.4/32 -o eth0 -p udp -m udp --sport 1:65535 --dport 389 -m policy --dir out --pol none -j CONFIRMED
-A GEOIP_REJECT -p tcp -j REJECT --reject-with tcp-reset
-A GEOIP_REJECT -j REJECT --reject-with icmp-port-unreachable
# INVALID_PKT is defined here but nothing in the filter table jumps to it.
-A INVALID_PKT -m logmark --logmark 60007 -j NFLOG --nflog-prefix "INVALID_PKT: "
-A INVALID_PKT -j DROP
# Logging wrappers: broadcast traffic is handled silently, everything else goes to NFLOG with a
# prefix before the verdict. These prefixes ("ACCEPT: ", "DROP: ", "REJECT: ") are the hooks a
# SIEM parser should key on.
-A LOGACCEPT -m addrtype --src-type BROADCAST -j ACCEPT
-A LOGACCEPT -m addrtype --dst-type BROADCAST -j ACCEPT
-A LOGACCEPT -j NFLOG --nflog-prefix "ACCEPT: "
-A LOGACCEPT -j CONFIRMED
-A LOGDROP -m addrtype --src-type BROADCAST -j DROP
-A LOGDROP -m addrtype --dst-type BROADCAST -j DROP
-A LOGDROP -j NFLOG --nflog-prefix "DROP: "
-A LOGDROP -j DROP
-A LOGREJECT -m addrtype --src-type BROADCAST -j REJECT --reject-with icmp-port-unreachable
-A LOGREJECT -m addrtype --dst-type BROADCAST -j REJECT --reject-with icmp-port-unreachable
-A LOGREJECT -j NFLOG --nflog-prefix "REJECT: "
-A LOGREJECT -j REJECT --reject-with icmp-port-unreachable
# User-defined forward policy; --logmark N is the policy rule number the log line is attributed to.
-A USR_FORWARD -s 192.168.2.0/24 -o eth1 -p tcp -m tcp --sport 1:65535 -m multiport --dports 123,53 -m policy --dir out --pol none -m logmark --logmark 2 -j LOGACCEPT
-A USR_FORWARD -s 192.168.2.0/24 -o eth1 -p udp -m udp --sport 1:65535 -m multiport --dports 123,53 -m policy --dir out --pol none -m logmark --logmark 2 -j LOGACCEPT
-A USR_FORWARD -s 192.168.2.0/24 -o eth1 -p tcp -m tcp --sport 1:65535 -m multiport --dports 5222,443,80,5223 -m policy --dir out --pol none -m logmark --logmark 2 -j LOGACCEPT
-A USR_FORWARD -s 192.168.1.0/24 -o eth1 -m policy --dir out --pol none -m logmark --logmark 4 -j LOGACCEPT
# Rules 5, 7, 9, 15, 16, 17, 18 are "any service, any destination" allows keyed on a user ipset or
# a source network. Rule 8 repeats rule 5 exactly and is therefore never reached.
-A USR_FORWARD -m set --match-set 4_NetAaaFirezUsersUser src -m logmark --logmark 5 -j LOGACCEPT
-A USR_FORWARD -i eth0 -o eth0 -m policy --dir out --pol none -m logmark --logmark 6 -j LOGACCEPT
-A USR_FORWARD -m set --match-set 4_NetAaaFirewAdminUser src -m logmark --logmark 7 -j LOGACCEPT
-A USR_FORWARD -m set --match-set 4_NetAaaFirezUsersUser src -m logmark --logmark 8 -j LOGACCEPT
-A USR_FORWARD -s 172.20.0.0/24 -m logmark --logmark 9 -j LOGACCEPT
# FTP (21) and rsync (873) from single hosts to 172.20.0.6; both are cleartext protocols.
-A USR_FORWARD -s 172.16.99.73/32 -d 172.20.0.6/32 -o eth0 -p tcp -m tcp --sport 1:65535 --dport 21 -m policy --dir out --pol none -m logmark --logmark 10 -j LOGACCEPT
-A USR_FORWARD -s 172.16.99.71/32 -d 172.20.0.6/32 -o eth0 -p tcp -m tcp --sport 1:65535 --dport 21 -m policy --dir out --pol none -m logmark --logmark 11 -j LOGACCEPT
-A USR_FORWARD -d 172.20.0.0/24 -m set --match-set h8d6Zi1X1CzhcjZ5cObAAA src -m logmark --logmark 12 -j LOGACCEPT
-A USR_FORWARD -s 172.16.99.6/32 -d 172.20.0.6/32 -o eth0 -p tcp -m tcp --sport 1:65535 --dport 873 -m policy --dir out --pol none -m logmark --logmark 13 -j LOGACCEPT
-A USR_FORWARD -s 192.168.0.0/24 -o eth1 -m policy --dir out --pol none -m logmark --logmark 14 -j LOGACCEPT
-A USR_FORWARD -s 172.20.1.0/24 -m logmark --logmark 15 -j LOGACCEPT
-A USR_FORWARD -m set --match-set 4_NetAaaL2tpUserNetwo src -m logmark --logmark 16 -j LOGACCEPT
-A USR_FORWARD -m set --match-set 4_NetAaaBertUserNetwo src -m logmark --logmark 17 -j LOGACCEPT
-A USR_FORWARD -m set --match-set 4_DefaultSuperAdminNetwork src -m logmark --logmark 18 -j LOGACCEPT
# User-defined output policy: anything sourced from the public address is confirmed without
# protocol or destination restriction (and without logging), bypassing the AUTO_OUTPUT allow list.
-A USR_OUTPUT -s 82.72.157.240/32 -j CONFIRMED
-A USR_OUTPUT -s 172.20.0.1/32 -d 172.20.0.0/24 -p tcp -m tcp --sport 1:65535 --dport 2502 -m logmark --logmark 3 -j LOGACCEPT
COMMIT
# Completed on Mon Mar 19 23:04:25 2012
# Generated by iptables-save v1.4.12.1 on Mon Mar 19 23:04:25 2012
# --- raw table: loopback NOTRACK and the flood/spoofing protection hooks. As captured these
# --- protections are inert: DOS_FLOOD_PROTECTION has no rules, SPOOFING_PROTECTION is a bare
# --- ACCEPT, and SPOOF_DROP, UDP_FLOOD, SYN_FLOOD*, ICMP_FLOOD*, INVALID_PKT, SANITY_CHECKS are
# --- never jumped to. Whether that reflects a disabled feature or a rendering gap is not visible
# --- here — verify in the management configuration rather than assuming coverage.
*raw
:PREROUTING ACCEPT [75406:8326620]
:OUTPUT ACCEPT [152799:18218479]
:DOS_FLOOD_PROTECTION - [0:0]
:ICMP_FLOOD - [0:0]
:ICMP_FLOOD_DROP - [0:0]
:ICMP_FLOOD_DST - [0:0]
:ICMP_FLOOD_SRC - [0:0]
:INVALID_PKT - [0:0]
:LOCAL_TRAFFIC - [0:0]
:SANITY_CHECKS - [0:0]
:SPOOFING_PROTECTION - [0:0]
:SPOOF_DROP - [0:0]
:SYN_FLOOD - [0:0]
:SYN_FLOOD_DROP - [0:0]
:SYN_FLOOD_DST - [0:0]
:SYN_FLOOD_SRC - [0:0]
:UDP_FLOOD - [0:0]
:UDP_FLOOD_DROP - [0:0]
:UDP_FLOOD_DST - [0:0]
:UDP_FLOOD_SRC - [0:0]
-A PREROUTING -s 127.0.0.0/8 -d 127.0.0.0/8 -j LOCAL_TRAFFIC
-A PREROUTING ! -i lo -j DOS_FLOOD_PROTECTION
-A PREROUTING ! -i lo -j SPOOFING_PROTECTION
-A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -j LOCAL_TRAFFIC
-A INVALID_PKT -m logmark --logmark 60007 -j NFLOG --nflog-prefix "INVALID_PKT: "
-A INVALID_PKT -j DROP
# Loopback-to-loopback traffic is exempted from connection tracking.
-A LOCAL_TRAFFIC -j NOTRACK
-A LOCAL_TRAFFIC -j ACCEPT
-A SPOOFING_PROTECTION -j ACCEPT
-A SPOOF_DROP -m logmark --logmark 60008 -j NFLOG --nflog-prefix "IP-SPOOFING DROP: "
-A SPOOF_DROP -j DROP
# UDP_FLOOD exemptions (L2TP under IPsec, cluster ports 3400/3401) — unreachable, see table note.
-A UDP_FLOOD -p udp -m udp --sport 1024:65535 --dport 1701 -m policy --dir in --pol ipsec --mode transport -j SPOOFING_PROTECTION
-A UDP_FLOOD -p udp -m udp --sport 3401 --dport 1:65535 -j SPOOFING_PROTECTION
-A UDP_FLOOD -p udp -m udp --sport 1:65535 --dport 3401 -j SPOOFING_PROTECTION
-A UDP_FLOOD -p udp -m udp --sport 1:65535 --dport 3400 -j SPOOFING_PROTECTION
-A UDP_FLOOD -p udp -m udp --sport 3400 --dport 1:65535 -j SPOOFING_PROTECTION
COMMIT
# Completed on Mon Mar 19 23:04:25 2012