# Generated by iptables-save v1.4.0 on Thu Mar 12 16:33:28 2009
#
# Layout restored to one table header, chain declaration or rule per line.
# Rule text and rule order are unchanged.
# Every annotation is a whole-line comment with '#' in column 0.
# The bracketed pairs on chain declarations are the [packets:bytes] counters
# captured when the ruleset was saved.
#
# The "Shorewall:" log prefixes and the `shorewall` chain suggest this ruleset
# was produced by Shorewall. Policy changes presumably belong in the generator's
# configuration rather than in this dump -- confirm.
#
# Zones as they can be read from the rules (names inferred from chain names):
#   net = eth0, vpn = tun0, fw = the firewall host itself
#   dmz = 10.7.16.0/24, gur = 10.7.10.0/24, var = 10.7.14.0/24 (all on eth1)
#   loc = any other source arriving on eth1
#
# NOTE(review): dmz, gur, var and loc are told apart only by source address on
# one interface. If they share a layer-2 segment, zone separation is only as
# strong as the anti-spoofing controls on that segment -- confirm VLAN and
# switch setup.
#
# NOTE(review): rules here use the `-s ! ADDR` negation form written by
# iptables 1.4.0. Later iptables releases prefer `! -s ADDR`; verify before
# restoring on a newer host.

# ---------------------------------------------------------------------------
# raw table: no rules, built-in chains default to ACCEPT.
# ---------------------------------------------------------------------------
*raw
:PREROUTING ACCEPT [1324597:1383167834]
:OUTPUT ACCEPT [1188654:1356499008]
COMMIT
# Completed on Thu Mar 12 16:33:28 2009
# Generated by iptables-save v1.4.0 on Thu Mar 12 16:33:28 2009

# ---------------------------------------------------------------------------
# nat table: source NAT on eth0, transparent proxy redirect for eth1 clients,
# and one source-restricted inbound DNAT.
# ---------------------------------------------------------------------------
*nat
:PREROUTING ACCEPT [3964:324936]
:POSTROUTING ACCEPT [302:18663]
:OUTPUT ACCEPT [194:11729]
:dnat - [0:0]
:eth0_masq - [0:0]
:excl0 - [0:0]
:excl2 - [0:0]
:excl4 - [0:0]
:excl6 - [0:0]
:excl8 - [0:0]
:loc_dnat - [0:0]
:net_dnat - [0:0]

-A PREROUTING -j dnat
-A POSTROUTING -o eth0 -j eth0_masq

# Dispatch by ingress interface. The three RETURN rules keep dmz/gur/var
# sources out of loc_dnat, so the proxy redirect below only applies to the
# remaining eth1 sources.
-A dnat -i eth0 -j net_dnat
-A dnat -s 10.7.16.0/24 -i eth1 -j RETURN
-A dnat -s 10.7.10.0/24 -i eth1 -j RETURN
-A dnat -s 10.7.14.0/24 -i eth1 -j RETURN
-A dnat -i eth1 -j loc_dnat

# Outbound traffic from the four internal /24s leaves eth0 with one public
# source address.
-A eth0_masq -s 10.7.15.0/24 -j SNAT --to-source 77.70.16.217
-A eth0_masq -s 10.7.14.0/24 -j SNAT --to-source 77.70.16.217
-A eth0_masq -s 10.7.10.0/24 -j SNAT --to-source 77.70.16.217
-A eth0_masq -s 10.7.16.0/24 -j SNAT --to-source 77.70.16.217

# excl0/2/4/6/8 are five identical exclusion chains, one per intercepted port.
# Listed destinations are left alone (RETURN); every other TCP flow is
# redirected to local port 8080.
-A excl0 -d 130.252.100.0/24 -m comment --comment "SQUID" -j RETURN
-A excl0 -d 10.7.16.12/32 -m comment --comment "SQUID" -j RETURN
-A excl0 -d 10.7.16.11/32 -m comment --comment "SQUID" -j RETURN
-A excl0 -p tcp -m comment --comment "SQUID" -j REDIRECT --to-ports 8080

-A excl2 -d 130.252.100.0/24 -m comment --comment "SQUID" -j RETURN
-A excl2 -d 10.7.16.12/32 -m comment --comment "SQUID" -j RETURN
-A excl2 -d 10.7.16.11/32 -m comment --comment "SQUID" -j RETURN
-A excl2 -p tcp -m comment --comment "SQUID" -j REDIRECT --to-ports 8080

-A excl4 -d 130.252.100.0/24 -m comment --comment "SQUID" -j RETURN
-A excl4 -d 10.7.16.12/32 -m comment --comment "SQUID" -j RETURN
-A excl4 -d 10.7.16.11/32 -m comment --comment "SQUID" -j RETURN
-A excl4 -p tcp -m comment --comment "SQUID" -j REDIRECT --to-ports 8080

-A excl6 -d 130.252.100.0/24 -m comment --comment "SQUID" -j RETURN
-A excl6 -d 10.7.16.12/32 -m comment --comment "SQUID" -j RETURN
-A excl6 -d 10.7.16.11/32 -m comment --comment "SQUID" -j RETURN
-A excl6 -p tcp -m comment --comment "SQUID" -j REDIRECT --to-ports 8080

-A excl8 -d 130.252.100.0/24 -m comment --comment "SQUID" -j RETURN
-A excl8 -d 10.7.16.12/32 -m comment --comment "SQUID" -j RETURN
-A excl8 -d 10.7.16.11/32 -m comment --comment "SQUID" -j RETURN
-A excl8 -p tcp -m comment --comment "SQUID" -j REDIRECT --to-ports 8080

# Intercepted destination ports: 80, 8080, 3128, 81, 1080.
# Source 10.7.15.13 is exempt from interception (presumably the proxy host or
# an administrative exception -- confirm).
# NOTE(review): only these five ports are intercepted; TCP to any other port
# is not redirected and is handled by the filter-table loc2net policy.
-A loc_dnat -s ! 10.7.15.13/32 -p tcp -m tcp --dport 80 -m comment --comment "SQUID" -j excl0
-A loc_dnat -s ! 10.7.15.13/32 -p tcp -m tcp --dport 8080 -m comment --comment "SQUID" -j excl2
-A loc_dnat -s ! 10.7.15.13/32 -p tcp -m tcp --dport 3128 -m comment --comment "SQUID" -j excl4
-A loc_dnat -s ! 10.7.15.13/32 -p tcp -m tcp --dport 81 -m comment --comment "SQUID" -j excl6
-A loc_dnat -s ! 10.7.15.13/32 -p tcp -m tcp --dport 1080 -m comment --comment "SQUID" -j excl8

# Inbound tcp/22 from a single source address is forwarded to an internal
# host on port 722. The matching filter rule is in net2loc.
-A net_dnat -s 77.70.99.103/32 -p tcp -m tcp --dport 22 -m comment --comment "SSHN" -j DNAT --to-destination 10.7.15.12:722
COMMIT
# Completed on Thu Mar 12 16:33:28 2009
# Generated by iptables-save v1.4.0 on Thu Mar 12 16:33:28 2009

# ---------------------------------------------------------------------------
# mangle table: built-in chains jump to tc* chains that hold no rules here.
# ---------------------------------------------------------------------------
*mangle
:PREROUTING ACCEPT [1324597:1383167834]
:INPUT ACCEPT [1275949:1361001452]
:FORWARD ACCEPT [46728:22082497]
:OUTPUT ACCEPT [1188654:1356499008]
:POSTROUTING ACCEPT [1235339:1378577484]
:tcfor - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING -j tcpre
-A FORWARD -j tcfor
-A OUTPUT -j tcout
-A POSTROUTING -j tcpost
COMMIT
# Completed on Thu Mar 12 16:33:28 2009
# Generated by iptables-save v1.4.0 on Thu Mar 12 16:33:28 2009

# ---------------------------------------------------------------------------
# filter table: default-deny on all three built-in chains. Traffic is
# classified into <src>2<dst> zone chains that carry the actual policy.
# ---------------------------------------------------------------------------
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Drop - [0:0]
:Reject - [0:0]
:dmz2fw - [0:0]
:dmz2gur - [0:0]
:dmz2loc - [0:0]
:dmz2net - [0:0]
:dmz2var - [0:0]
:dmz2vpn - [0:0]
:dmz_frwd - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:eth1_fwd - [0:0]
:eth1_in - [0:0]
:eth1_out - [0:0]
:excl1 - [0:0]
:excl3 - [0:0]
:excl5 - [0:0]
:excl7 - [0:0]
:excl9 - [0:0]
:fw2dmz - [0:0]
:fw2gur - [0:0]
:fw2loc - [0:0]
:fw2net - [0:0]
:fw2var - [0:0]
:fw2vpn - [0:0]
:gur2dmz - [0:0]
:gur2fw - [0:0]
:gur2loc - [0:0]
:gur2net - [0:0]
:gur2var - [0:0]
:gur2vpn - [0:0]
:gur_frwd - [0:0]
:loc2dmz - [0:0]
:loc2fw - [0:0]
:loc2gur - [0:0]
:loc2net - [0:0]
:loc2var - [0:0]
:loc2vpn - [0:0]
:loc_frwd - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:net2dmz - [0:0]
:net2fw - [0:0]
:net2gur - [0:0]
:net2loc - [0:0]
:net2var - [0:0]
:net2vpn - [0:0]
:net_frwd - [0:0]
:reject - [0:0]
:shorewall - [0:0]
:smurfs - [0:0]
:tcpflags - [0:0]
:var2dmz - [0:0]
:var2fw - [0:0]
:var2gur - [0:0]
:var2loc - [0:0]
:var2net - [0:0]
:var2vpn - [0:0]
:var_frwd - [0:0]
:vpn2dmz - [0:0]
:vpn2fw - [0:0]
:vpn2gur - [0:0]
:vpn2loc - [0:0]
:vpn2net - [0:0]
:vpn2var - [0:0]
:vpn_frwd - [0:0]

# --- Built-in chains -------------------------------------------------------
# `dynamic` and `shorewall` are declared but hold no rules in this dump.
# Packets that match no interface rule fall through to the common action
# chain, are logged, and are then dropped or rejected.
-A INPUT -m state --state INVALID,NEW -j dynamic
-A INPUT -i eth0 -j net2fw
-A INPUT -i tun0 -j vpn2fw
-A INPUT -i eth1 -j eth1_in
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j Drop
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:DROP:" --log-level 6
-A INPUT -j DROP

-A FORWARD -m state --state INVALID,NEW -j dynamic
-A FORWARD -i eth0 -j net_frwd
-A FORWARD -i tun0 -j vpn_frwd
-A FORWARD -i eth1 -j eth1_fwd
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j Reject
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
-A FORWARD -g reject

# NOTE(review): the OUTPUT policy is DROP, but every fw2* chain below ends in
# an unconditional ACCEPT. Egress from the firewall host on eth0, tun0 and
# eth1 is therefore unrestricted -- confirm that is intended.
-A OUTPUT -o eth0 -j fw2net
-A OUTPUT -o tun0 -j fw2vpn
-A OUTPUT -o eth1 -j eth1_out
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j Reject
-A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:REJECT:" --log-level 6
-A OUTPUT -g reject

# --- Common action chains --------------------------------------------------
# Drop / Reject run before the LOG rule of the calling chain. Whatever they
# discard (broadcast, multicast, INVALID state, SMB, UPnP, non-SYN TCP, late
# DNS replies) never reaches that LOG rule.
# The leading match-less, target-less rule only counts packets.
-A Drop
-A Drop -p tcp -m tcp --dport 113 -m comment --comment "Auth" -j reject
-A Drop -j dropBcast
-A Drop -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Drop -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Drop -j dropInvalid
-A Drop -p udp -m multiport --dports 135,445 -m comment --comment "SMB" -j DROP
-A Drop -p udp -m udp --dport 137:139 -m comment --comment "SMB" -j DROP
-A Drop -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment "SMB" -j DROP
-A Drop -p tcp -m multiport --dports 135,139,445 -m comment --comment "SMB" -j DROP
-A Drop -p udp -m udp --dport 1900 -m comment --comment "UPnP" -j DROP
-A Drop -p tcp -j dropNotSyn
-A Drop -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP

# Same sequence as Drop, except that SMB traffic is actively rejected.
-A Reject
-A Reject -p tcp -m tcp --dport 113 -m comment --comment "Auth" -j reject
-A Reject -j dropBcast
-A Reject -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Reject -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Reject -j dropInvalid
-A Reject -p udp -m multiport --dports 135,445 -m comment --comment "SMB" -j reject
-A Reject -p udp -m udp --dport 137:139 -m comment --comment "SMB" -j reject
-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment "SMB" -j reject
-A Reject -p tcp -m multiport --dports 135,139,445 -m comment --comment "SMB" -j reject
-A Reject -p udp -m udp --dport 1900 -m comment --comment "UPnP" -j DROP
-A Reject -p tcp -j dropNotSyn
-A Reject -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP

# --- dmz (10.7.16.0/24) as source ------------------------------------------
# NOTE(review): the final unconditional ACCEPT in dmz2fw makes the ICMP and
# tcp/722 rules above it redundant. The gur2fw, var2fw, vpn2fw and loc2fw
# chains have the same shape.
-A dmz2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A dmz2fw -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A dmz2fw -p tcp -m tcp --dport 722 -m comment --comment "SSH" -j ACCEPT
-A dmz2fw -j ACCEPT

-A dmz2gur -m state --state RELATED,ESTABLISHED -j ACCEPT
-A dmz2gur -j Drop
-A dmz2gur -j LOG --log-prefix "Shorewall:dmz2gur:DROP:" --log-level 6
-A dmz2gur -j DROP

# NOTE(review): new connections from dmz to loc, and from dmz to the firewall
# itself, are accepted without restriction -- confirm this matches the
# intended trust level of the dmz hosts.
-A dmz2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A dmz2loc -j ACCEPT

-A dmz2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A dmz2net -j Drop
-A dmz2net -j LOG --log-prefix "Shorewall:dmz2net:DROP:" --log-level 6
-A dmz2net -j DROP

-A dmz2var -m state --state RELATED,ESTABLISHED -j ACCEPT
-A dmz2var -j Drop
-A dmz2var -j LOG --log-prefix "Shorewall:dmz2var:DROP:" --log-level 6
-A dmz2var -j DROP

-A dmz2vpn -m state --state RELATED,ESTABLISHED -j ACCEPT
-A dmz2vpn -j ACCEPT

# Forward dispatch: the more specific destination subnets on eth1 are tested
# before the catch-all eth1 rule, which is treated as loc.
-A dmz_frwd -o eth0 -j dmz2net
-A dmz_frwd -d 10.7.10.0/24 -o eth1 -j dmz2gur
-A dmz_frwd -d 10.7.14.0/24 -o eth1 -j dmz2var
-A dmz_frwd -o eth1 -j dmz2loc
-A dmz_frwd -o tun0 -j dmz2vpn

# --- Helper chains used by Drop / Reject -----------------------------------
-A dropBcast -m addrtype --dst-type BROADCAST -j DROP
-A dropBcast -d 224.0.0.0/4 -j DROP

-A dropInvalid -m state --state INVALID -j DROP

# Drops any TCP packet that does not have SYN set alone among
# FIN, SYN, RST and ACK.
-A dropNotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP

# --- eth1 dispatch by source / destination subnet --------------------------
-A eth1_fwd -m state --state INVALID,NEW -j smurfs
-A eth1_fwd -p tcp -j tcpflags
-A eth1_fwd -s 10.7.16.0/24 -j dmz_frwd
-A eth1_fwd -s 10.7.10.0/24 -j gur_frwd
-A eth1_fwd -s 10.7.14.0/24 -j var_frwd
-A eth1_fwd -j loc_frwd

-A eth1_in -m state --state INVALID,NEW -j smurfs
-A eth1_in -p tcp -j tcpflags
-A eth1_in -s 10.7.16.0/24 -j dmz2fw
-A eth1_in -s 10.7.10.0/24 -j gur2fw
-A eth1_in -s 10.7.14.0/24 -j var2fw
-A eth1_in -j loc2fw

-A eth1_out -d 10.7.16.0/24 -j fw2dmz
-A eth1_out -d 10.7.10.0/24 -j fw2gur
-A eth1_out -d 10.7.14.0/24 -j fw2var
-A eth1_out -j fw2loc

# --- Filter-side counterparts of the nat exclusion chains ------------------
# After REDIRECT the packet's destination is the firewall, so the original
# destination is recovered from conntrack (--ctorigdst). Flows to an excluded
# original destination RETURN; everything else is accepted.
-A excl1 -m conntrack --ctorigdst 130.252.100.0/24 -m comment --comment "SQUID" -j RETURN
-A excl1 -m conntrack --ctorigdst 10.7.16.12 -m comment --comment "SQUID" -j RETURN
-A excl1 -m conntrack --ctorigdst 10.7.16.11 -m comment --comment "SQUID" -j RETURN
-A excl1 -m comment --comment "SQUID" -j ACCEPT

-A excl3 -m conntrack --ctorigdst 130.252.100.0/24 -m comment --comment "SQUID" -j RETURN
-A excl3 -m conntrack --ctorigdst 10.7.16.12 -m comment --comment "SQUID" -j RETURN
-A excl3 -m conntrack --ctorigdst 10.7.16.11 -m comment --comment "SQUID" -j RETURN
-A excl3 -m comment --comment "SQUID" -j ACCEPT

-A excl5 -m conntrack --ctorigdst 130.252.100.0/24 -m comment --comment "SQUID" -j RETURN
-A excl5 -m conntrack --ctorigdst 10.7.16.12 -m comment --comment "SQUID" -j RETURN
-A excl5 -m conntrack --ctorigdst 10.7.16.11 -m comment --comment "SQUID" -j RETURN
-A excl5 -m comment --comment "SQUID" -j ACCEPT

-A excl7 -m conntrack --ctorigdst 130.252.100.0/24 -m comment --comment "SQUID" -j RETURN
-A excl7 -m conntrack --ctorigdst 10.7.16.12 -m comment --comment "SQUID" -j RETURN
-A excl7 -m conntrack --ctorigdst 10.7.16.11 -m comment --comment "SQUID" -j RETURN
-A excl7 -m comment --comment "SQUID" -j ACCEPT

-A excl9 -m conntrack --ctorigdst 130.252.100.0/24 -m comment --comment "SQUID" -j RETURN
-A excl9 -m conntrack --ctorigdst 10.7.16.12 -m comment --comment "SQUID" -j RETURN
-A excl9 -m conntrack --ctorigdst 10.7.16.11 -m comment --comment "SQUID" -j RETURN
-A excl9 -m comment --comment "SQUID" -j ACCEPT

# --- fw (the firewall host) as source: everything is accepted --------------
-A fw2dmz -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2dmz -j ACCEPT

-A fw2gur -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2gur -j ACCEPT

-A fw2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2loc -j ACCEPT

-A fw2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2net -j ACCEPT

-A fw2var -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2var -j ACCEPT

-A fw2vpn -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2vpn -j ACCEPT

# --- gur (10.7.10.0/24) as source ------------------------------------------
-A gur2dmz -m state --state RELATED,ESTABLISHED -j ACCEPT
-A gur2dmz -j Drop
-A gur2dmz -j LOG --log-prefix "Shorewall:gur2dmz:DROP:" --log-level 6
-A gur2dmz -j DROP

-A gur2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A gur2fw -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A gur2fw -p tcp -m tcp --dport 722 -m comment --comment "SSH" -j ACCEPT
-A gur2fw -j ACCEPT

-A gur2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A gur2loc -j ACCEPT

-A gur2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A gur2net -j Drop
-A gur2net -j LOG --log-prefix "Shorewall:gur2net:DROP:" --log-level 6
-A gur2net -j DROP

-A gur2var -m state --state RELATED,ESTABLISHED -j ACCEPT
-A gur2var -j Drop
-A gur2var -j LOG --log-prefix "Shorewall:gur2var:DROP:" --log-level 6
-A gur2var -j DROP

-A gur2vpn -m state --state RELATED,ESTABLISHED -j ACCEPT
-A gur2vpn -j ACCEPT

-A gur_frwd -o eth0 -j gur2net
-A gur_frwd -d 10.7.16.0/24 -o eth1 -j gur2dmz
-A gur_frwd -d 10.7.14.0/24 -o eth1 -j gur2var
-A gur_frwd -o eth1 -j gur2loc
-A gur_frwd -o tun0 -j gur2vpn

# --- loc (remaining eth1 sources) as source --------------------------------
-A loc2dmz -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2dmz -j ACCEPT

# NOTE(review): the five tcp/8080 rules below have identical match
# conditions, one per intercepted port in nat/loc_dnat. Any flow that RETURNs
# from excl1 meets the same outcome in excl3..excl9 and then reaches the
# final unconditional ACCEPT. The exclusions therefore have no filtering
# effect in this chain.
-A loc2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2fw -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 722 -m comment --comment "SSH" -j ACCEPT
-A loc2fw -p udp -m udp --dport 53 -m comment --comment "DNS" -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 53 -m comment --comment "DNS" -j ACCEPT
-A loc2fw -s ! 10.7.15.13/32 -p tcp -m tcp --dport 8080 -m comment --comment "SQUID" -j excl1
-A loc2fw -s ! 10.7.15.13/32 -p tcp -m tcp --dport 8080 -m comment --comment "SQUID" -j excl3
-A loc2fw -s ! 10.7.15.13/32 -p tcp -m tcp --dport 8080 -m comment --comment "SQUID" -j excl5
-A loc2fw -s ! 10.7.15.13/32 -p tcp -m tcp --dport 8080 -m comment --comment "SQUID" -j excl7
-A loc2fw -s ! 10.7.15.13/32 -p tcp -m tcp --dport 8080 -m comment --comment "SQUID" -j excl9
-A loc2fw -j ACCEPT

-A loc2gur -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2gur -j ACCEPT

-A loc2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2net -j ACCEPT

-A loc2var -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2var -j ACCEPT

-A loc2vpn -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2vpn -j ACCEPT

-A loc_frwd -o eth0 -j loc2net
-A loc_frwd -d 10.7.16.0/24 -o eth1 -j loc2dmz
-A loc_frwd -d 10.7.10.0/24 -o eth1 -j loc2gur
-A loc_frwd -d 10.7.14.0/24 -o eth1 -j loc2var
-A loc_frwd -o tun0 -j loc2vpn

# --- Logging / terminal helper chains --------------------------------------
# NOTE(review): despite its name, logdrop holds no LOG rule in this dump.
# Anything sent to it is dropped silently.
-A logdrop -j DROP

-A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level 6 --log-ip-options
-A logflags -j DROP

-A logreject -j reject

# --- net (eth0) as source --------------------------------------------------
-A net2dmz -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2dmz -j Drop
-A net2dmz -j LOG --log-prefix "Shorewall:net2dmz:DROP:" --log-level 6
-A net2dmz -j DROP

# Services on the firewall host that are reachable from eth0:
# ICMP echo-request, tcp/722 (tagged "SSH") and udp/1194.
# NOTE(review): none of the three is limited by source address or rate here.
# Confirm that exposure is intended and that the SSH daemon's own controls
# (key-only auth, login throttling) cover it.
-A net2fw -m state --state INVALID,NEW -j smurfs
-A net2fw -p tcp -j tcpflags
-A net2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2fw -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 722 -m comment --comment "SSH" -j ACCEPT
-A net2fw -p udp -m udp --dport 1194 -j ACCEPT
-A net2fw -j Drop
-A net2fw -j LOG --log-prefix "Shorewall:net2fw:DROP:" --log-level 6
-A net2fw -j DROP

-A net2gur -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2gur -j Drop
-A net2gur -j LOG --log-prefix "Shorewall:net2gur:DROP:" --log-level 6
-A net2gur -j DROP

# Filter-side permit for the nat/net_dnat rule: one source, one internal
# host, post-DNAT port 722.
-A net2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2loc -s 77.70.99.103/32 -d 10.7.15.12/32 -p tcp -m tcp --dport 722 -m comment --comment "SSHN" -j ACCEPT
-A net2loc -j Drop
-A net2loc -j LOG --log-prefix "Shorewall:net2loc:DROP:" --log-level 6
-A net2loc -j DROP

-A net2var -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2var -j Drop
-A net2var -j LOG --log-prefix "Shorewall:net2var:DROP:" --log-level 6
-A net2var -j DROP

# NOTE(review): new connections that arrive on eth0 and are routed out tun0
# are accepted unconditionally. Every other net2* forward chain is
# default-drop -- confirm this asymmetry is deliberate.
-A net2vpn -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2vpn -j ACCEPT

-A net_frwd -m state --state INVALID,NEW -j smurfs
-A net_frwd -p tcp -j tcpflags
-A net_frwd -d 10.7.16.0/24 -o eth1 -j net2dmz
-A net_frwd -d 10.7.10.0/24 -o eth1 -j net2gur
-A net_frwd -d 10.7.14.0/24 -o eth1 -j net2var
-A net_frwd -o eth1 -j net2loc
-A net_frwd -o tun0 -j net2vpn

# --- reject: silent drop for broadcast/multicast sources and IGMP, TCP reset
# for TCP, ICMP port-unreachable for everything else -------------------------
-A reject -m addrtype --src-type BROADCAST -j DROP
-A reject -s 224.0.0.0/4 -j DROP
-A reject -p igmp -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable

# --- smurfs: log and drop packets whose source is a broadcast or multicast
# address; source 0.0.0.0 is let through first ------------------------------
-A smurfs -s 0.0.0.0/32 -j RETURN
-A smurfs -m addrtype --src-type BROADCAST -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -m addrtype --src-type BROADCAST -j DROP
-A smurfs -s 224.0.0.0/4 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 224.0.0.0/4 -j DROP

# --- tcpflags: flag combinations that do not occur in normal TCP -----------
# In order: FIN+PSH+URG only, no flags at all, SYN+RST, SYN+FIN, and a bare
# SYN from source port 0. Matches go to logflags (log, then drop).
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j logflags
-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -j logflags

# --- var (10.7.14.0/24) as source ------------------------------------------
-A var2dmz -m state --state RELATED,ESTABLISHED -j ACCEPT
-A var2dmz -j Drop
-A var2dmz -j LOG --log-prefix "Shorewall:var2dmz:DROP:" --log-level 6
-A var2dmz -j DROP

-A var2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A var2fw -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A var2fw -p tcp -m tcp --dport 722 -m comment --comment "SSH" -j ACCEPT
-A var2fw -j ACCEPT

-A var2gur -m state --state RELATED,ESTABLISHED -j ACCEPT
-A var2gur -j Drop
-A var2gur -j LOG --log-prefix "Shorewall:var2gur:DROP:" --log-level 6
-A var2gur -j DROP

-A var2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A var2loc -j ACCEPT

-A var2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A var2net -j Drop
-A var2net -j LOG --log-prefix "Shorewall:var2net:DROP:" --log-level 6
-A var2net -j DROP

-A var2vpn -m state --state RELATED,ESTABLISHED -j ACCEPT
-A var2vpn -j ACCEPT

-A var_frwd -o eth0 -j var2net
-A var_frwd -d 10.7.16.0/24 -o eth1 -j var2dmz
-A var_frwd -d 10.7.10.0/24 -o eth1 -j var2gur
-A var_frwd -o eth1 -j var2loc
-A var_frwd -o tun0 -j var2vpn

# --- vpn (tun0) as source: accepted towards every zone ---------------------
# NOTE(review): VPN peers get unrestricted access to fw, net, loc, dmz, gur
# and var. The effective control is therefore who may authenticate to the
# VPN -- confirm that matches the intended trust model.
-A vpn2dmz -m state --state RELATED,ESTABLISHED -j ACCEPT
-A vpn2dmz -j ACCEPT

-A vpn2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A vpn2fw -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A vpn2fw -p tcp -m tcp --dport 722 -m comment --comment "SSH" -j ACCEPT
-A vpn2fw -j ACCEPT

-A vpn2gur -m state --state RELATED,ESTABLISHED -j ACCEPT
-A vpn2gur -j ACCEPT

-A vpn2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A vpn2loc -j ACCEPT

-A vpn2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A vpn2net -j ACCEPT

-A vpn2var -m state --state RELATED,ESTABLISHED -j ACCEPT
-A vpn2var -j ACCEPT

-A vpn_frwd -o eth0 -j vpn2net
-A vpn_frwd -d 10.7.16.0/24 -o eth1 -j vpn2dmz
-A vpn_frwd -d 10.7.10.0/24 -o eth1 -j vpn2gur
-A vpn_frwd -d 10.7.14.0/24 -o eth1 -j vpn2var
-A vpn_frwd -o eth1 -j vpn2loc
COMMIT
# Completed on Thu Mar 12 16:33:28 2009