Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out    source               destination
 2850 3064K lan2fw     all  --  enp7s0 *      0.0.0.0/0            0.0.0.0/0
    5   196 ACCEPT     all  --  lo     *      0.0.0.0/0            0.0.0.0/0
    0     0 Reject     all  --  *      *      0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *      0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "Shorewall:INPUT:REJECT:"
    0     0 reject     all  --  *      *      0.0.0.0/0            0.0.0.0/0            [goto]

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out    source               destination
    0     0 Reject     all  --  *      *      0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *      0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "Shorewall:FORWARD:REJECT:"
    0     0 reject     all  --  *      *      0.0.0.0/0            0.0.0.0/0            [goto]

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out    source               destination
 2325  270K fw2lan     all  --  *      enp7s0 0.0.0.0/0            0.0.0.0/0
    5   196 ACCEPT     all  --  *      lo     0.0.0.0/0            0.0.0.0/0
   15  2055 Reject     all  --  *      *      0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *      0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "Shorewall:OUTPUT:REJECT:"
    0     0 reject     all  --  *      *      0.0.0.0/0            0.0.0.0/0            [goto]

Chain @fw2lan (1 references)
 pkts bytes target     prot opt in     out    source               destination
   79  4740 RETURN     all  --  *      *      0.0.0.0/0            0.0.0.0/0            limit: avg 6/sec burst 15
   13   780 DROP       all  --  *      *      0.0.0.0/0            0.0.0.0/0

Chain @lan2fw (1 references)
 pkts bytes target     prot opt in     out    source               destination
    0     0 RETURN     all  --  *      *      0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 15
    0     0 LOG        all  --  *      *      0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 4 prefix "Shorewall:lan2fw:DROP:"
    0     0 DROP       all  --  *      *      0.0.0.0/0            0.0.0.0/0

Chain Broadcast (1 references)
 pkts bytes target     prot opt in     out    source               destination
   15  2055 DROP       all  --  *      *      0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *      0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 DROP       all  --  *      *      0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST

Chain Limit (1 references)
 pkts bytes target     prot opt in     out    source               destination
    0     0            all  --  *      *      0.0.0.0/0            0.0.0.0/0            recent: SET name: SSH side: source mask: 255.255.255.255
    0     0 Limit%     all  --  *      *      0.0.0.0/0            0.0.0.0/0            recent: UPDATE seconds: 600 hit_count: 6 name: SSH side: source mask: 255.255.255.255
    0     0 ACCEPT     all  --  *      *      0.0.0.0/0            0.0.0.0/0

Chain Limit% (1 references)
 pkts bytes target     prot opt in     out    source               destination
    0     0 LOG        all  --  *      *      0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "Shorewall:SSH:DROP:"
    0     0 DROP       all  --  *      *      0.0.0.0/0            0.0.0.0/0

Chain Reject (4 references)
 pkts bytes target     prot opt in     out    source               destination
   15  2055            all  --  *      *      0.0.0.0/0            0.0.0.0/0
   15  2055 Broadcast  all  --  *      *      0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *      0.0.0.0/0            0.0.0.0/0            icmptype 3 code 4 /* Needed ICMP types */
    0     0 ACCEPT     icmp --  *      *      0.0.0.0/0            0.0.0.0/0            icmptype 11 /* Needed ICMP types */
    0     0 DROP       all  --  *      *      0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 reject     udp  --  *      *      0.0.0.0/0            0.0.0.0/0            multiport dports 135,445 /* SMB */
    0     0 reject     udp  --  *      *      0.0.0.0/0            0.0.0.0/0            udp dpts:137:139 /* SMB */
    0     0 reject     udp  --  *      *      0.0.0.0/0            0.0.0.0/0            udp spt:137 dpts:1024:65535 /* SMB */
    0     0 reject     tcp  --  *      *      0.0.0.0/0            0.0.0.0/0            multiport dports 135,139,445 /* SMB */
    0     0 DROP       udp  --  *      *      0.0.0.0/0            0.0.0.0/0            udp dpt:1900 /* UPnP */
    0     0 DROP       tcp  --  *      *      0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02
    0     0 DROP       udp  --  *      *      0.0.0.0/0            0.0.0.0/0            udp spt:53 /* Late DNS Replies */

Chain dynamic (1 references)
 pkts bytes target     prot opt in     out    source               destination

Chain fw2lan (1 references)
 pkts bytes target     prot opt in     out    source               destination
    0     0 ACCEPT     udp  --  *      *      0.0.0.0/0            0.0.0.0/0            udp dpts:67:68
 2030  229K ACCEPT     all  --  *      *      0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   92  5520 @fw2lan    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02
    0     0 ACCEPT     udp  --  *      *      0.0.0.0/0            192.168.1.0/24       multiport dports 135,445 /* SMBBI */
    4   801 ACCEPT     udp  --  *      *      0.0.0.0/0            192.168.1.0/24       udp dpts:137:139 /* SMBBI */
    0     0 ACCEPT     udp  --  *      *      0.0.0.0/0            192.168.1.0/24       udp spt:137 dpts:1024:65535 /* SMBBI */
    0     0 ACCEPT     tcp  --  *      *      0.0.0.0/0            192.168.1.0/24       multiport dports 135,139,445 /* SMBBI */
   44 23691 ACCEPT     udp  --  *      *      0.0.0.0/0            224.0.0.251          udp dpt:5353 /* mDNSbi */
    0     0 ACCEPT     udp  --  *      *      0.0.0.0/0            0.0.0.0/0            udp spt:5353 dpts:1024:65535 /* mDNSbi */
    3    96 ACCEPT     2    --  *      *      0.0.0.0/0            224.0.0.251          /* mDNSbi */
    0     0 ACCEPT     udp  --  *      *      224.0.0.0/4          0.0.0.0/0
    0     0 ACCEPT     2    --  *      *      224.0.0.0/4          0.0.0.0/0
    0     0 ACCEPT     udplite-- *      *      224.0.0.0/4          0.0.0.0/0
  231 16216 ACCEPT     all  --  *      *      0.0.0.0/0            0.0.0.0/0

Chain lan2fw (1 references)
 pkts bytes target     prot opt in     out    source               destination
   69 26953 dynamic    all  --  *      *      0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
    0     0 ACCEPT     udp  --  *      *      0.0.0.0/0            0.0.0.0/0            udp dpts:67:68
 2628 3015K tcpflags   tcp  --  *      *      0.0.0.0/0            0.0.0.0/0
  139 20184 ACCEPT     udp  --  enp7s0 *      192.168.1.1          0.0.0.0/0
 2644 3017K ACCEPT     all  --  *      *      0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 @lan2fw    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02
    0     0 ACCEPT     udp  --  *      *      192.168.1.0/24       0.0.0.0/0            multiport dports 135,445 /* SMBBI */
    4   801 ACCEPT     udp  --  *      *      192.168.1.0/24       0.0.0.0/0            udp dpts:137:139 /* SMBBI */
    0     0 ACCEPT     udp  --  *      *      192.168.1.0/24       0.0.0.0/0            udp spt:137 dpts:1024:65535 /* SMBBI */
    0     0 ACCEPT     tcp  --  *      *      192.168.1.0/24       0.0.0.0/0            multiport dports 135,139,445 /* SMBBI */
    0     0 ACCEPT     icmp --  *      *      192.168.1.0/24       0.0.0.0/0            icmptype 8 /* Ping */
    0     0 ACCEPT     icmp --  *      *      192.168.1.0/24       0.0.0.0/0            icmptype 3 code 4 /* Needed ICMP types */
    0     0 ACCEPT     icmp --  *      *      192.168.1.0/24       0.0.0.0/0            icmptype 11 /* Needed ICMP types */
    0     0 ACCEPT     tcp  --  *      *      192.168.1.0/24       0.0.0.0/0            tcp dpt:9418 /* Git */
    0     0 ACCEPT     tcp  --  *      *      192.168.1.0/24       0.0.0.0/0            tcp dpts:1024:65535
   57 25490 ACCEPT     udp  --  *      *      192.168.1.0/24       0.0.0.0/0            udp dpts:1024:65535
    0     0 ACCEPT     udp  --  *      *      0.0.0.0/0            224.0.0.251          udp dpt:5353 /* mDNSbi */
    0     0 ACCEPT     udp  --  *      *      0.0.0.0/0            0.0.0.0/0            udp spt:5353 dpts:1024:65535 /* mDNSbi */
    3    96 ACCEPT     2    --  *      *      0.0.0.0/0            224.0.0.251          /* mDNSbi */
    0     0 ACCEPT     udp  --  *      *      0.0.0.0/0            224.0.0.0/4
    3    96 ACCEPT     2    --  *      *      0.0.0.0/0            224.0.0.0/4
    0     0 ACCEPT     udplite-- *      *      0.0.0.0/0            224.0.0.0/4
    0     0 ~log0      all  --  *      *      0.0.0.0/0            0.0.0.0/0            [goto] -m geoip ! --source-country US,CA
    0     0 ACCEPT     udp  --  *      *      0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* DNS */
    0     0 ACCEPT     tcp  --  *      *      0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* DNS */
    0     0 Limit      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 RETURN     all  --  *      *      0.0.0.0/0            224.0.0.0/4
    0     0 Reject     all  --  *      *      0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *      0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "Shorewall:lan2fw:REJECT:"
    0     0 reject     all  --  *      *      0.0.0.0/0            0.0.0.0/0            [goto]

Chain logdrop (0 references)
 pkts bytes target     prot opt in     out    source               destination
    0     0 DROP       all  --  *      *      0.0.0.0/0            0.0.0.0/0

Chain logflags (5 references)
 pkts bytes target     prot opt in     out    source               destination
    0     0 LOG        all  --  *      *      0.0.0.0/0            0.0.0.0/0            LOG flags 4 level 6 prefix "Shorewall:logflags:DROP:"
    0     0 DROP       all  --  *      *      0.0.0.0/0            0.0.0.0/0

Chain logreject (0 references)
 pkts bytes target     prot opt in     out    source               destination
    0     0 reject     all  --  *      *      0.0.0.0/0            0.0.0.0/0

Chain reject (9 references)
 pkts bytes target     prot opt in     out    source               destination
    0     0 DROP       all  --  *      *      0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type BROADCAST
    0     0 DROP       all  --  *      *      224.0.0.0/4          0.0.0.0/0
    0     0 DROP       2    --  *      *      0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     tcp  --  *      *      0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
    0     0 REJECT     udp  --  *      *      0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     icmp --  *      *      0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-unreachable
    0     0 REJECT     all  --  *      *      0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out    source               destination
    0     0            all  --  *      *      0.0.0.0/0            0.0.0.0/0            recent: SET name: %CURRENTTIME side: source mask: 255.255.255.255

Chain tcpflags (1 references)
 pkts bytes target     prot opt in     out    source               destination
    0     0 logflags   tcp  --  *      *      0.0.0.0/0            0.0.0.0/0            [goto] tcp flags:0x3F/0x29
    0     0 logflags   tcp  --  *      *      0.0.0.0/0            0.0.0.0/0            [goto] tcp flags:0x3F/0x00
    0     0 logflags   tcp  --  *      *      0.0.0.0/0            0.0.0.0/0            [goto] tcp flags:0x06/0x06
    0     0 logflags   tcp  --  *      *      0.0.0.0/0            0.0.0.0/0            [goto] tcp flags:0x03/0x03
    0     0 logflags   tcp  --  *      *      0.0.0.0/0            0.0.0.0/0            [goto] tcp spt:0 flags:0x17/0x02

Chain ~log0 (1 references)
 pkts bytes target     prot opt in     out    source               destination
    0     0 LOG        all  --  *      *      0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "Shorewall:lan2fw:DROP:"
    0     0 DROP       all  --  *      *      0.0.0.0/0            0.0.0.0/0