*filter -P INPUT DROP -P FORWARD DROP -P OUTPUT DROP -N drop_guest_invalid_ipv4 -N drop_guest_ipv4_prefix -N egress_port_firewall -N ingress_port_firewall -N vpn_accept -N vpn_egress_filters -N vpn_lockdown -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT -A INPUT -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT -A INPUT -j ingress_port_firewall -A INPUT -i vmtap+ -p tcp -m tcp --dport 8889 -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -A FORWARD -j drop_guest_invalid_ipv4 -A FORWARD -j vpn_egress_filters -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -o arc_ns0 -j ACCEPT -A FORWARD -i arc_ns0 -j ACCEPT -A FORWARD -o arc_ns1 -j ACCEPT -A FORWARD -i arc_ns1 -j ACCEPT -A FORWARD -o arc_mlan0 -j ACCEPT -A FORWARD -i arc_mlan0 -j ACCEPT -A FORWARD -o arc_ns2 -j ACCEPT -A FORWARD -i arc_ns2 -j ACCEPT -A OUTPUT -j drop_guest_ipv4_prefix -A OUTPUT -j vpn_egress_filters -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -o lo -j ACCEPT -A OUTPUT -j egress_port_firewall -A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT -A drop_guest_invalid_ipv4 -s 100.115.92.0/23 -o rmnet+ -p tcp -m tcp --tcp-flags FIN,PSH FIN,PSH -j DROP -A drop_guest_invalid_ipv4 -s 100.115.92.0/23 -o wwan+ -p tcp -m tcp --tcp-flags FIN,PSH FIN,PSH -j DROP -A drop_guest_invalid_ipv4 -m mark --mark 0x1/0x1 -m state --state INVALID -j DROP -A drop_guest_ipv4_prefix -s 100.115.92.0/23 -o rmnet+ -j DROP -A drop_guest_ipv4_prefix -s 100.115.92.0/23 -o wwan+ -j DROP -A drop_guest_ipv4_prefix -s 100.115.92.0/23 -o usb+ -j DROP -A drop_guest_ipv4_prefix -s 100.115.92.0/23 -o mlan+ -j DROP -A drop_guest_ipv4_prefix -s 100.115.92.0/23 -o wlan+ -j DROP -A drop_guest_ipv4_prefix -s 100.115.92.0/23 -o eth+ -j DROP -A ingress_port_firewall -i mlan0 -p tcp -m tcp --dport 5555 -j ACCEPT -A vpn_egress_filters -j vpn_accept -A vpn_egress_filters -j vpn_lockdown COMMIT