root@ubnt:/home/matze# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
UBNT_VPN_IPSEC_FW_HOOK  all  --  anywhere             anywhere
VYATTA_FW_LOCAL_HOOK  all  --  anywhere             anywhere
VYATTA_POST_FW_IN_HOOK  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
MINIUPNPD  all  --  anywhere             anywhere
UBNT_VPN_IPSEC_FW_IN_HOOK  all  --  anywhere             anywhere
UBNT_PFOR_FW_HOOK  all  --  anywhere             anywhere
VYATTA_FW_IN_HOOK  all  --  anywhere             anywhere
VYATTA_FW_OUT_HOOK  all  --  anywhere             anywhere
VYATTA_POST_FW_FWD_HOOK  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
VYATTA_POST_FW_OUT_HOOK  all  --  anywhere             anywhere

Chain AUTHORIZED_GUESTS (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             /* AUTHORIZED_GUESTS-10000 default-action accept */

Chain GUEST_IN (0 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere             /* GUEST_IN-3001 */ tcp dpt:domain
RETURN     udp  --  anywhere             anywhere             /* GUEST_IN-3001 */ udp dpt:domain
RETURN     tcp  --  anywhere             anywhere             /* GUEST_IN-3002 */ tcp dpt:https match-set captive_portal_subnets dst
RETURN     all  --  anywhere             anywhere             /* GUEST_IN-3003 */ match-set guest_pre_allow dst
DROP       all  --  anywhere             anywhere             /* GUEST_IN-3004 */ match-set guest_restricted dst
DROP       all  --  anywhere             anywhere             /* GUEST_IN-3005 */ match-set corporate_network dst
DROP       all  --  anywhere             anywhere             /* GUEST_IN-3006 */ match-set remote_user_vpn_network dst
DROP       all  --  anywhere             anywhere             /* GUEST_IN-3007 */ match-set authorized_guests dst
RETURN     all  --  anywhere             anywhere             /* GUEST_IN-10000 default-action accept */

Chain GUEST_LOCAL (0 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere             /* GUEST_LOCAL-3001 */ tcp dpt:domain
RETURN     udp  --  anywhere             anywhere             /* GUEST_LOCAL-3001 */ udp dpt:domain
RETURN     icmp --  anywhere             anywhere             /* GUEST_LOCAL-3002 */
RETURN     udp  --  anywhere             anywhere             /* GUEST_LOCAL-3003 */ udp spt:bootpc dpt:bootps
DROP       all  --  anywhere             anywhere             /* GUEST_LOCAL-10000 default-action drop */

Chain GUEST_OUT (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             /* GUEST_OUT-10000 default-action accept */

Chain LAN_IN (1 references)
target     prot opt source               destination
RETURN     all  --  192.168.56.0/24      anywhere             /* LAN_IN-6001 */
RETURN     all  --  192.168.156.0/24     anywhere             /* LAN_IN-6002 */
RETURN     all  --  anywhere             anywhere             /* LAN_IN-10000 default-action accept */

Chain LAN_LOCAL (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             /* LAN_LOCAL-10000 default-action accept */

Chain LAN_OUT (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             192.168.56.0/24      /* LAN_OUT-6001 */
RETURN     all  --  anywhere             192.168.156.0/24     /* LAN_OUT-6002 */
RETURN     all  --  anywhere             anywhere             /* LAN_OUT-10000 default-action accept */

Chain MINIUPNPD (1 references)
target     prot opt source               destination

Chain UBNT_PFOR_FW_HOOK (1 references)
target     prot opt source               destination

Chain UBNT_PFOR_FW_RULES (0 references)
target     prot opt source               destination

Chain UBNT_VPN_IPSEC_FW_HOOK (1 references)
target     prot opt source               destination

Chain UBNT_VPN_IPSEC_FW_IN_HOOK (1 references)
target     prot opt source               destination

Chain VYATTA_FW_IN_HOOK (1 references)
target     prot opt source               destination
WAN_IN     all  --  anywhere             anywhere
WAN_IN     all  --  anywhere             anywhere
LAN_IN     all  --  anywhere             anywhere

Chain VYATTA_FW_LOCAL_HOOK (1 references)
target     prot opt source               destination
WAN_LOCAL  all  --  anywhere             anywhere
WAN_LOCAL  all  --  anywhere             anywhere
LAN_LOCAL  all  --  anywhere             anywhere

Chain VYATTA_FW_OUT_HOOK (1 references)
target     prot opt source               destination
WAN_OUT    all  --  anywhere             anywhere
WAN_OUT    all  --  anywhere             anywhere
LAN_OUT    all  --  anywhere             anywhere

Chain VYATTA_POST_FW_FWD_HOOK (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain VYATTA_POST_FW_IN_HOOK (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain VYATTA_POST_FW_OUT_HOOK (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain WAN_IN (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             /* WAN_IN-3001 */ state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere             /* WAN_IN-3002 */ state INVALID
DROP       all  --  anywhere             anywhere             /* WAN_IN-10000 default-action drop */

Chain WAN_LOCAL (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             /* WAN_LOCAL-3001 */ state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere             /* WAN_LOCAL-3002 */ state INVALID
DROP       all  --  anywhere             anywhere             /* WAN_LOCAL-10000 default-action drop */

Chain WAN_OUT (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             /* WAN_OUT-10000 default-action accept */
root@ubnt:/home/matze#
root@ubnt:/home/matze# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MINIUPNPD  all  --  anywhere             anywhere
UBNT_PFOR_DNAT_HOOK  all  --  anywhere             anywhere
VYATTA_PRE_DNAT_HOOK  all  --  anywhere             anywhere

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
UBNT_VPN_IPSEC_SNAT_HOOK  all  --  anywhere             anywhere
MINIUPNPD-POSTROUTING  all  --  anywhere             anywhere
UBNT_PFOR_SNAT_HOOK  all  --  anywhere             anywhere
MASQUERADE  all  --  anywhere             anywhere             match-set corporate_network src /* NAT-6001 */
MASQUERADE  all  --  anywhere             anywhere             match-set remote_user_vpn_network src /* NAT-6002 */
MASQUERADE  all  --  anywhere             anywhere             match-set guest_network src /* NAT-6003 */
VYATTA_PRE_SNAT_HOOK  all  --  anywhere             anywhere

Chain MINIUPNPD (1 references)
target     prot opt source               destination

Chain MINIUPNPD-POSTROUTING (1 references)
target     prot opt source               destination

Chain UBNT_PFOR_DNAT_HOOK (1 references)
target     prot opt source               destination
UBNT_PFOR_DNAT_RULES  all  --  anywhere             anywhere             match-set ADDRv4_pppoe2 dst
UBNT_PFOR_DNAT_RULES  all  --  anywhere             anywhere             match-set ADDRv4_pppoe2 dst

Chain UBNT_PFOR_DNAT_RULES (2 references)
target     prot opt source               destination

Chain UBNT_PFOR_SNAT_HOOK (1 references)
target     prot opt source               destination
UBNT_PFOR_SNAT_RULES  all  --  anywhere             anywhere

Chain UBNT_PFOR_SNAT_RULES (1 references)
target     prot opt source               destination

Chain UBNT_VPN_IPSEC_SNAT_HOOK (1 references)
target     prot opt source               destination

Chain VYATTA_PRE_DNAT_HOOK (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain VYATTA_PRE_SNAT_HOOK (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
root@ubnt:/home/matze#
root@ubnt:/home/matze# iptables -L -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MINIUPNPD  all  --  anywhere             anywhere
VYATTA_FW_IN_HOOK  all  --  anywhere             anywhere

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
UBNT_FW_MSS_CLAMP  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
VYATTA_FW_OUT_HOOK  all  --  anywhere             anywhere
UBNT_QOS_FW_OUT_HOOK  all  --  anywhere             anywhere

Chain MINIUPNPD (1 references)
target     prot opt source               destination

Chain UBNT_FW_MSS_CLAMP (1 references)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS set 1452
TCPMSS     tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS set 1452
TCPMSS     tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS set 1452
TCPMSS     tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS set 1452
TCPMSS     tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS set 1452
TCPMSS     tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS set 1452

Chain UBNT_QOS_FW_OUT_HOOK (1 references)
target     prot opt source               destination

Chain VYATTA_FW_IN_HOOK (1 references)
target     prot opt source               destination

Chain VYATTA_FW_OUT_HOOK (1 references)
target     prot opt source               destination
root@ubnt:/home/matze#
root@ubnt:/home/matze# ip link
1: lo: mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: mtu 1500 qdisc noqueue state UP mode DEFAULT
    link/ether 70:a7:41:f7:6e:5c brd ff:ff:ff:ff:ff:ff
    alias WAN
3: eth1: mtu 1500 qdisc noqueue state UP mode DEFAULT
    link/ether 70:a7:41:f7:6e:5d brd ff:ff:ff:ff:ff:ff
    alias LAN
4: eth2: mtu 1500 qdisc noqueue state DOWN mode DEFAULT
    link/ether 70:a7:41:f7:6e:5e brd ff:ff:ff:ff:ff:ff
5: imq0: mtu 16000 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 11000
    link/void
13: eth0.7@eth0: mtu 1500 qdisc noqueue state UP mode DEFAULT
    link/ether 70:a7:41:f7:6e:5c brd ff:ff:ff:ff:ff:ff
    alias WAN
14: pppoe2: mtu 1492 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 100
    link/ppp