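# Router ruleset. eno1 appears to be the inside interface and dsl the
# upstream link (inferred from the masquerade and MSS-clamp rules below).

table inet filter {
    # Throttle the reject path: once more than 1000 packets/second reach this
    # chain, the excess is dropped silently instead of answered, so the box
    # cannot be driven into emitting RST/ICMP-unreachable at line rate.
    # Packets under the limit fall off the end and return to the caller.
    chain reject-rl {
        limit rate over 1000/second burst 1000 packets counter drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Inside -> upstream: everything is forwarded.
        iifname eno1 oifname dsl counter accept
        # Upstream -> inside: only traffic belonging to an existing flow.
        iifname dsl oifname eno1 ct state { established, related } counter accept

        # ICMP, ICMPv6 and IGMP are forwarded in every direction with no
        # type filtering (no iifname/oifname or icmp type match here).
        meta l4proto ipv6-icmp counter accept
        meta l4proto icmp counter accept
        meta l4proto igmp counter accept

        # Everything else is rejected. The counter still sees every packet,
        # but logging is bounded: an unlimited `log` on a drop-policy chain
        # lets a single scan flood the kernel log. The rate is a tunable,
        # not a measured value.
        counter limit rate 10/second burst 20 packets log prefix "reject forward: "
        jump reject-rl
        meta l4proto tcp ct state new counter reject with tcp reset
        ct state new counter reject
        # Anything left (e.g. ct state invalid) hits the chain policy: drop.
    }

    chain input {
        type filter hook input priority filter; policy drop;

        iifname lo counter accept
        # Loopback addresses must never arrive on a non-loopback interface.
        iif != lo ip daddr 127.0.0.1/8 counter reject
        iif != lo ip6 daddr ::1/128 counter reject

        ct state { established, related } counter accept

        # Services. None of these rules carries an iifname match, so each
        # port is reachable from every interface, including dsl.
        tcp dport 22 counter accept
        # UDP 51820, IPv4 only (WireGuard's default port, presumably).
        ip version 4 udp dport 51820 counter accept
        # UDP 60000-61000 (looks like a mosh range; verify against the host).
        udp dport 60000-61000 counter accept
        # DHCPv6 client replies from the upstream link (server 547 -> client 546).
        iifname "dsl" ip6 version 6 udp dport 546 udp sport 547 counter accept

        # ICMP, ICMPv6 and IGMP accepted without type filtering.
        meta l4proto ipv6-icmp counter accept
        meta l4proto icmp counter accept
        meta l4proto igmp counter accept

        # Same bounded-log / rate-limited-reject tail as the forward chain.
        counter limit rate 10/second burst 20 packets log prefix "reject input: "
        jump reject-rl
        meta l4proto tcp ct state new counter reject with tcp reset
        ct state new counter reject
        # Remaining packets hit the chain policy: drop.
    }

    chain output {
        type filter hook output priority filter; policy accept;
        # Outbound traffic is only counted, never filtered.
        counter
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # IPv4 leaving via the upstream link is source-NATed to its address.
        oifname dsl counter masquerade
        # Counts everything else that passes this hook.
        counter
    }
}

table inet mangle {
    chain postrouting {
        type filter hook postrouting priority mangle; policy accept;
        # Clamp TCP MSS on outbound SYNs over the upstream link to the route
        # MTU, so hosts behind the router do not negotiate segments the link
        # cannot carry.
        oifname dsl meta l4proto tcp tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu
        counter
    }
}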