Last edited by Mark Stevens Apr 15, 2019
This is an old version of this page. You can view the most recent version or browse the history.

iptables (pci review)

Explanation of IP Tables Rules


The INPUT chain determines how to treat an IP packet coming in to the network adapter from the network. The OUTPUT chain determines how to treat an IP packet coming from within the device.

Each chain lists its rules by protocol, source and destination address, and port. Each rule is a set of criteria that determines whether the packet should be handled by that rule's target.

graph LR;
INPUT-->bw_INPUT;
INPUT-->fw_INPUT;
FORWARD-->oem_fwd;
FORWARD-->fw_FORWARD;
FORWARD-->natctrl_FORWARD;
OUTPUT-->oem_out;
OUTPUT-->fw_OUTPUT;
OUTPUT-->st_OUTPUT;
OUTPUT-->bw_OUTPUT;
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
bw_INPUT   all  --  anywhere             anywhere            
fw_INPUT   all  --  anywhere             anywhere            
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
oem_fwd    all  --  anywhere             anywhere            
fw_FORWARD  all  --  anywhere             anywhere            
fw_FORWARD  all  --  anywhere             anywhere            
natctrl_FORWARD  all  --  anywhere             anywhere            
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
oem_out    all  --  anywhere             anywhere            
fw_OUTPUT  all  --  anywhere             anywhere            
st_OUTPUT  all  --  anywhere             anywhere            
bw_OUTPUT  all  --  anywhere             anywhere            
Chain bw_FORWARD (1 references)
target     prot opt source               destination         
Chain bw_INPUT (1 references)
target     prot opt source               destination         
           all  --  anywhere             anywhere             ! quota globalAlert: 2097152 bytes 
           all  --  anywhere             anywhere             owner socket exists
Chain bw_OUTPUT (1 references)
target     prot opt source               destination         
           all  --  anywhere             anywhere             ! quota globalAlert: 2097152 bytes 
           all  --  anywhere             anywhere             owner socket exists
Chain bw_costly_shared (0 references)
target     prot opt source               destination         
bw_penalty_box  all  --  anywhere             anywhere            
Chain bw_happy_box (0 references)
target     prot opt source               destination         
Chain bw_penalty_box (1 references)
target     prot opt source               destination         
Chain fw_FORWARD (1 references)
target     prot opt source               destination         
Chain fw_INPUT (1 references)
target     prot opt source               destination         
fw_standby  all  --  anywhere             anywhere            
Chain fw_OUTPUT (1 references)
target     prot opt source               destination         
fw_standby  all  --  anywhere             anywhere            
Chain fw_dozable (0 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             owner UID match 0-9999
DROP       all  --  anywhere             anywhere            
Chain fw_standby (2 references)
target     prot opt source               destination         
Chain natctrl_FORWARD (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
Chain natctrl_tether_counters (0 references)
target     prot opt source               destination         
Chain oem_fwd (1 references)
target     prot opt source               destination         
Chain oem_out (1 references)
target     prot opt source               destination         
Chain st_OUTPUT (1 references)
target     prot opt source               destination         
Chain st_clear_caught (2 references)
target     prot opt source               destination         
Chain st_clear_detect (0 references)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere             connmark match  0x2000000/0x2000000 reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere             connmark match  0x1000000/0x1000000
CONNMARK   tcp  --  anywhere             anywhere             u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0&0xffff0000=0x16030000&&0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x4&0xff0000=0x10000" CONNMARK or 0x1000000
CONNMARK   udp  --  anywhere             anywhere             u32 "0x0>>0x16&0x3c@0x8&0xffff0000=0x16fe0000&&0x0>>0x16&0x3c@0x14&0xff0000=0x10000" CONNMARK or 0x1000000
RETURN     all  --  anywhere             anywhere             connmark match  0x1000000/0x1000000
st_clear_caught  tcp  --  anywhere             anywhere             state ESTABLISHED u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0&0x0=0x0"
st_clear_caught  udp  --  anywhere             anywhere            
Chain st_penalty_log (0 references)
target     prot opt source               destination         
CONNMARK   all  --  anywhere             anywhere             CONNMARK or 0x1000000
NFLOG      all  --  anywhere             anywhere            
Chain st_penalty_reject (0 references)
target     prot opt source               destination         
CONNMARK   all  --  anywhere             anywhere             CONNMARK or 0x2000000
NFLOG      all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
root@rk312x:/ # 
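
An added example (not part of the original wiki page): a small Python audit of the listing above that follows jumps from the built-in chains and reports which user chains are reachable, whether a DROP or REJECT can be reached, and which chains are never evaluated. The function names are assumptions, and the embedded sample is an abridged excerpt of the listing with the column-header lines omitted.

```python
import re
# Abridged excerpt of the `iptables -L` listing above (column-header lines omitted).
LISTING = """\
Chain INPUT (policy ACCEPT)
bw_INPUT   all  --  anywhere             anywhere
fw_INPUT   all  --  anywhere             anywhere
Chain FORWARD (policy ACCEPT)
natctrl_FORWARD  all  --  anywhere             anywhere
Chain bw_INPUT (1 references)
           all  --  anywhere             anywhere             owner socket exists
Chain fw_INPUT (1 references)
fw_standby  all  --  anywhere             anywhere
Chain fw_dozable (0 references)
RETURN     all  --  anywhere             anywhere             owner UID match 0-9999
DROP       all  --  anywhere             anywhere
Chain fw_standby (2 references)
Chain natctrl_FORWARD (1 references)
DROP       all  --  anywhere             anywhere
"""

HEADER = re.compile(r"^Chain (\S+) \((?:policy (\w+)|\d+ references)\)")

def parse(listing):
    """Map chain name -> {"policy": str or None, "targets": [first column of each rule]}."""
    chains, cur = {}, None
    for line in listing.splitlines():
        m = HEADER.match(line)
        if m:
            cur = chains.setdefault(m.group(1), {"policy": m.group(2), "targets": []})
        elif cur and line[:1].strip() and not line.startswith("target "):
            cur["targets"].append(line.split()[0])  # rules with no target start with a space
    return chains

def audit(chains):
    """For each built-in chain: chains reachable via jumps and DROP/REJECT verdicts seen."""
    report = {}
    for name in [n for n, c in chains.items() if c["policy"]]:
        seen, todo, blocks = set(), [name], set()
        while todo:
            for t in chains[todo.pop()]["targets"]:
                if t in chains and t not in seen:
                    seen.add(t)
                    todo.append(t)
                elif t in ("DROP", "REJECT"):
                    blocks.add(t)
        report[name] = {"policy": chains[name]["policy"], "chains": seen, "blocks": blocks}
    live = set().union(*(r["chains"] for r in report.values()))
    dead = sorted(n for n, c in chains.items() if not c["policy"] and n not in live)
    return report, dead
```

On this excerpt, `audit(parse(LISTING))` shows INPUT with policy ACCEPT and no reachable DROP or REJECT, FORWARD reaching a DROP through natctrl_FORWARD, and fw_dozable (which holds a DROP) as unreferenced, so its rules are never evaluated.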