# ip6tables-restore ruleset (the icmpv6 match in the filter table marks this as IPv6).
# Each table declares EOS_* hook chains and points every built-in chain at them as
# its first rule; the built-in chains themselves hold nothing else.
*filter
# Built-in chains default to DROP: anything not explicitly accepted in the
# EOS_* chains below falls back to these policies.
:INPUT DROP
:FORWARD DROP
:OUTPUT DROP
# create custom built-in chains
# "-" declares a user-defined chain (no policy). A packet that reaches the end of
# one returns to the built-in chain that jumped to it and hits that chain's policy.
:EOS_INPUT -
:EOS_OUTPUT -
:EOS_FORWARD -
-A INPUT -j EOS_INPUT
-A OUTPUT -j EOS_OUTPUT
-A FORWARD -j EOS_FORWARD
# accept incoming traffic on internal interfaces.
# "+" is an interface-name prefix wildcard (e.g. internal0, usb1). Nothing else is
# accepted for INPUT in this file, so inbound traffic on any other interface ends
# up at the INPUT DROP policy unless rules are appended to EOS_INPUT elsewhere
# (not visible here — confirm against the runtime rule set).
-A EOS_INPUT -i lo -j ACCEPT
-A EOS_INPUT -i internal+ -j ACCEPT
-A EOS_INPUT -i usb+ -j ACCEPT
# disallow forwarding of packets to mgmt network
# Evaluated before the catch-all ACCEPT at the end of this chain, so order matters.
-A EOS_FORWARD -o ma+ -j DROP
# drop all routed NS packets
# NOTE(review): only neighbor-solicitation is dropped here; other ICMPv6 NDP types
# reach the ACCEPT below — confirm that is intended.
-A EOS_FORWARD -p icmpv6 --icmpv6-type neighbor-solicitation -j DROP
-A EOS_FORWARD -j ACCEPT
# No need to filter the output
-A EOS_OUTPUT -j ACCEPT
COMMIT
# disable conntrack reassembly for software-routed packets
# Packets carrying fwmark 13429 are exempted from connection tracking (CT --notrack)
# in PREROUTING. Where that mark is set is not shown in this file — presumably by
# the path that hands packets to software routing; confirm against the marking rule.
*raw
# The built-in PREROUTING/OUTPUT policies are not restated here, so they keep
# whatever they already were when this table is restored (the kernel default is ACCEPT).
:EOS_OUTPUT -
:EOS_PREROUTING -
-A OUTPUT -j EOS_OUTPUT
-A PREROUTING -j EOS_PREROUTING
# EOS_OUTPUT is left empty in this file; only the PREROUTING hook gets the notrack rule.
-A EOS_PREROUTING -m mark --mark 13429 -j CT --notrack 
COMMIT
*mangle
# Hook chains only: every built-in chain jumps to an EOS_* chain that holds no
# rules in this file, so this table is a no-op until those chains are populated
# elsewhere. Built-in policies are not restated and keep their current values.
:EOS_INPUT -
:EOS_OUTPUT -
:EOS_FORWARD -
:EOS_PREROUTING -
:EOS_POSTROUTING -
-A INPUT -j EOS_INPUT
-A OUTPUT -j EOS_OUTPUT
-A FORWARD -j EOS_FORWARD
-A PREROUTING -j EOS_PREROUTING
-A POSTROUTING -j EOS_POSTROUTING
COMMIT
*nat
# Hook chains only, as in the mangle table: the EOS_* chains carry no rules here,
# so no address translation is configured by this file. Built-in policies are not
# restated and keep their current values.
:EOS_PREROUTING -
:EOS_OUTPUT -
:EOS_POSTROUTING -
:EOS_INPUT -
-A PREROUTING -j EOS_PREROUTING
-A OUTPUT -j EOS_OUTPUT
-A POSTROUTING -j EOS_POSTROUTING
-A INPUT -j EOS_INPUT
COMMIT
