# ---------------------------------------------------------------------------
# IPv4 packet-filter policy in iptables-restore format: one "*table" ...
# "COMMIT" section per table. Only whole lines beginning with "#" are
# comments; iptables-restore does not accept trailing comments on a rule
# line, so keep all notes on lines of their own. IPv6 is not covered by this
# file (all addresses below are IPv4).
# Rules within a chain are evaluated top to bottom, first match wins, so the
# order of the -A lines is part of the policy.
# ---------------------------------------------------------------------------
*filter
# Default-deny on all three built-in chains: anything not explicitly
# ACCEPTed by the EOS_* chains below is dropped.
:INPUT DROP
:FORWARD DROP
:OUTPUT DROP
# create custom built-in chains
# Each built-in chain unconditionally hands off to an EOS_* chain of the
# same name, so further rules can be managed in the EOS_* chains without
# touching the built-in chains or their DROP policy. A packet that reaches
# the end of an EOS_* chain returns and hits that policy.
:EOS_INPUT -
:EOS_OUTPUT -
:EOS_FORWARD -
-A INPUT -j EOS_INPUT
-A OUTPUT -j EOS_OUTPUT
-A FORWARD -j EOS_FORWARD
# accept incoming traffic on internal intfs.
# A trailing "+" in an interface name is a prefix wildcard ("internal+"
# matches internal0, internal1, ...).
-A EOS_INPUT -i lo -j ACCEPT
-A EOS_INPUT -i internal+ -j ACCEPT
# NOTE(review): everything arriving on any usb* interface is accepted with no
# further match; this treats whatever is attached to a USB port as trusted.
# Confirm that physical-port access is the intended trust boundary.
-A EOS_INPUT -i usb+ -j ACCEPT
# Nothing in this file accepts inbound traffic on the management (ma*) or
# front-panel interfaces, so as written they are closed by the INPUT DROP
# policy; presumably per-service rules are appended to EOS_INPUT at runtime
# by whatever installs this file -- verify there, not here.
# disallow forwarding of packets to mgmt network
# This DROP must stay ahead of the catch-all ACCEPT that follows it.
-A EOS_FORWARD -o ma+ -j DROP
# NOTE(review): only forwarding *into* ma* is blocked. Packets that arrive on
# ma* and are routed out of another interface are still accepted by the next
# rule (if those interfaces share a routing domain, which this file cannot
# tell). Full isolation of the mgmt network would also need
# "-A EOS_FORWARD -i ma+ -j DROP"; not added here because the comment above
# states the intent as one-way -- confirm which is wanted.
# Forward everything else; packets with a loopback source or destination
# address do not match and fall through to the FORWARD DROP policy.
-A EOS_FORWARD ! -s 127.0.0.0/255.0.0.0 ! -d 127.0.0.0/255.0.0.0 -j ACCEPT
# accept all outgoing traffic on internal intfs.
-A EOS_OUTPUT -o lo -j ACCEPT
-A EOS_OUTPUT -o internal+ -j ACCEPT
# Locally generated traffic on any other interface (ma*, usb*, front panel)
# is accepted unless it carries a loopback address as source or destination;
# those fall through to the OUTPUT DROP policy.
-A EOS_OUTPUT ! -s 127.0.0.0/255.0.0.0 ! -d 127.0.0.0/255.0.0.0 -j ACCEPT
COMMIT
# disable conntrack reassembly for software-routed packets
# The raw table runs before connection tracking; CT --notrack here exempts
# the matched packets from conntrack entirely (no entry is created, and any
# later conntrack/state match will see them as untracked).
*raw
:EOS_OUTPUT -
:EOS_PREROUTING -
-A OUTPUT -j EOS_OUTPUT
-A PREROUTING -j EOS_PREROUTING
# Packets whose fwmark is exactly 13429 (0x3475; no mask given, so the whole
# mark is compared) skip conntrack.
# NOTE(review): the mark value is not set anywhere in this file; presumably
# the component that identifies software-routed packets tags them before
# PREROUTING -- confirm the producer, since any other source of that mark
# would silently exempt its traffic from every conntrack-based rule.
# NOTE(review): "reassembly" in the heading is this file's wording. On a
# stock Linux kernel IPv4 defragmentation is hooked before the raw table, so
# --notrack alone does not stop reassembly there; whether it does on the
# kernel this file targets should be verified rather than assumed.
-A EOS_PREROUTING -m mark --mark 13429 -j CT --notrack
# Disable connection tracking for software-forwarded multicast packets
# Matches any destination in 224.0.0.0/4 regardless of interface or mark.
-A EOS_PREROUTING -d 224.0.0.0/4 -j CT --notrack
COMMIT
*mangle
# No mangle rules are installed by this file. It only pre-creates one EOS_*
# chain per mangle hook (INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING)
# and dispatches each built-in chain to it, so rules added later land in the
# EOS_* chains rather than the built-in ones. Built-in mangle chains keep
# their default ACCEPT policy (no ":CHAIN POLICY" line overrides it).
:EOS_INPUT -
:EOS_OUTPUT -
:EOS_FORWARD -
:EOS_PREROUTING -
:EOS_POSTROUTING -
-A INPUT -j EOS_INPUT
-A OUTPUT -j EOS_OUTPUT
-A FORWARD -j EOS_FORWARD
-A PREROUTING -j EOS_PREROUTING
-A POSTROUTING -j EOS_POSTROUTING
COMMIT
*nat
# No NAT rules are installed by this file; as in the mangle table, an EOS_*
# chain is created for each nat hook (PREROUTING, OUTPUT, POSTROUTING and
# the nat INPUT hook) and the built-in chain jumps to it. Built-in nat
# chains keep their default ACCEPT policy. Note that packets exempted from
# conntrack in the raw table (CT --notrack) never traverse this table.
:EOS_PREROUTING -
:EOS_OUTPUT -
:EOS_POSTROUTING -
:EOS_INPUT -
-A PREROUTING -j EOS_PREROUTING
-A OUTPUT -j EOS_OUTPUT
-A POSTROUTING -j EOS_POSTROUTING
-A INPUT -j EOS_INPUT
COMMIT
