# Generated by iptables-save v1.4.21 on Tue Mar 14 21:33:23 2017
# nat table.  Zone-to-interface mapping (same as in the filter table):
# wan = br-wan, client = br-client, local_node = local-node.  The lan
# zone has its chains declared, but no delegate_* rule ever enters them
# (there is no -i/-o rule for a lan interface), so the zone is
# presumably unused on this node -- confirm against the zone config.
# All *_rule chains are empty hook points for user-supplied rules.  No
# DNAT/REDIRECT rule exists on the PREROUTING path in this dump, so the
# "Accept port forwards" / "Accept port redirections" conntrack matches
# in the filter table match nothing on inbound or forwarded traffic here.
*nat
:PREROUTING ACCEPT [1795:233177]
:INPUT ACCEPT [2:104]
:OUTPUT ACCEPT [99:25953]
:POSTROUTING ACCEPT [96:24969]
:delegate_postrouting - [0:0]
:delegate_prerouting - [0:0]
:postrouting_client_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_local_node_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_client_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_local_node_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_client_postrouting - [0:0]
:zone_client_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_local_node_postrouting - [0:0]
:zone_local_node_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -j delegate_prerouting
# Local DNS diversion: UDP queries to 127.0.0.1:53 sent by processes in
# group 800 are rewritten to port 54 (address unchanged).  Only UDP is
# matched, so TCP/53 queries from the same group are NOT diverted.  What
# listens on :54 is not visible here -- verify it is the intended resolver.
-A OUTPUT -d 127.0.0.1/32 -o lo -p udp -m owner --gid-owner 800 -m udp --dport 53 -j DNAT --to-destination :54
-A POSTROUTING -j delegate_postrouting
-A delegate_postrouting -m comment --comment "user chain for postrouting" -j postrouting_rule
-A delegate_postrouting -o br-wan -j zone_wan_postrouting
-A delegate_postrouting -o br-client -j zone_client_postrouting
-A delegate_postrouting -o local-node -j zone_local_node_postrouting
-A delegate_prerouting -m comment --comment "user chain for prerouting" -j prerouting_rule
-A delegate_prerouting -i br-wan -j zone_wan_prerouting
-A delegate_prerouting -i br-client -j zone_client_prerouting
-A delegate_prerouting -i local-node -j zone_local_node_prerouting
-A zone_client_postrouting -m comment --comment "user chain for postrouting" -j postrouting_client_rule
-A zone_client_prerouting -m comment --comment "user chain for prerouting" -j prerouting_client_rule
-A zone_lan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_lan_rule
-A zone_local_node_postrouting -m comment --comment "user chain for postrouting" -j postrouting_local_node_rule
-A zone_local_node_prerouting -m comment --comment "user chain for prerouting" -j prerouting_local_node_rule
-A zone_wan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_wan_rule
# Source NAT for the wan zone: everything leaving br-wan is masqueraded,
# with no source-address restriction.
-A zone_wan_postrouting -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_wan_rule
COMMIT
# Completed on Tue Mar 14 21:33:23 2017
# Generated by iptables-save v1.4.21 on Tue Mar 14 21:33:23 2017
# raw table: connection tracking is switched off for every packet that
# arrives on br-client or local-node (CT --notrack).  Such packets carry
# ctstate UNTRACKED, so none of the "-m conntrack --ctstate
# RELATED,ESTABLISHED" / "--ctstate DNAT" rules in the filter table can
# match them; those two zones are governed purely by their unconditional
# src_ACCEPT / dest_REJECT chains.  Only PREROUTING is hooked -- raw
# OUTPUT has no rules, so locally generated packets are still tracked.
*raw
:PREROUTING ACCEPT [23134630:3424434508]
:OUTPUT ACCEPT [1886876:535285827]
:delegate_notrack - [0:0]
:zone_client_notrack - [0:0]
:zone_local_node_notrack - [0:0]
-A PREROUTING -j delegate_notrack
-A delegate_notrack -i br-client -j zone_client_notrack
-A delegate_notrack -i local-node -j zone_local_node_notrack
-A zone_client_notrack -j CT --notrack
-A zone_local_node_notrack -j CT --notrack
COMMIT
# Completed on Tue Mar 14 21:33:23 2017
# Generated by iptables-save v1.4.21 on Tue Mar 14 21:33:23 2017
# mangle table.  fwmark is declared and hooked from PREROUTING but holds
# no rules in this dump -- presumably populated elsewhere for mark-based
# policy routing; confirm.  mssfix clamps the TCP MSS to the path MTU on
# SYN packets (SYN set, RST clear) that are forwarded OUT of br-wan only;
# SYNs arriving on br-wan and forwarded inward are not clamped by this rule.
*mangle
:PREROUTING ACCEPT [23134630:3424434508]
:INPUT ACCEPT [21388488:3356230145]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1886876:535285827]
:POSTROUTING ACCEPT [1886876:535285827]
:fwmark - [0:0]
:mssfix - [0:0]
-A PREROUTING -j fwmark
-A FORWARD -j mssfix
-A mssfix -o br-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Tue Mar 14 21:33:23 2017
# Generated by iptables-save v1.4.21 on Tue Mar 14 21:33:23 2017
# filter table.  Default policies: INPUT ACCEPT, FORWARD DROP, OUTPUT ACCEPT.
# FORWARD is default-deny twice over (policy DROP plus the terminal
# "-j reject" in delegate_forward).  INPUT is NOT: delegate_input has no
# terminal reject, so a packet arriving on any interface other than lo,
# br-wan, br-client or local-node falls through every rule and is
# accepted by policy.  Any interface added later is therefore open on
# INPUT until it is assigned to a zone.  Only the wan zone ends in a
# *_src_REJECT.  The *_rule chains (input_rule, forwarding_rule, ...)
# are empty hook points for user-supplied rules.
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:delegate_forward - [0:0]
:delegate_input - [0:0]
:delegate_output - [0:0]
:forwarding_client_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_local_node_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_client_rule - [0:0]
:input_lan_rule - [0:0]
:input_local_node_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_client_rule - [0:0]
:output_lan_rule - [0:0]
:output_local_node_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_client_dest_ACCEPT - [0:0]
:zone_client_dest_REJECT - [0:0]
:zone_client_forward - [0:0]
:zone_client_input - [0:0]
:zone_client_output - [0:0]
:zone_client_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_local_node_dest_ACCEPT - [0:0]
:zone_local_node_dest_REJECT - [0:0]
:zone_local_node_forward - [0:0]
:zone_local_node_input - [0:0]
:zone_local_node_output - [0:0]
:zone_local_node_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -j delegate_input
-A FORWARD -j delegate_forward
-A OUTPUT -j delegate_output
# Forwarding: user hook, stateful accept, per-ingress-zone dispatch,
# then reject everything that returns.
-A delegate_forward -m comment --comment "user chain for forwarding" -j forwarding_rule
-A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_forward -i br-wan -j zone_wan_forward
-A delegate_forward -i br-client -j zone_client_forward
-A delegate_forward -i local-node -j zone_local_node_forward
-A delegate_forward -j reject
# Input: lo, user hook, stateful accept, SYN-flood limiter, then
# per-ingress-zone dispatch.  No terminal reject -- see the table header.
-A delegate_input -i lo -j ACCEPT
-A delegate_input -m comment --comment "user chain for input" -j input_rule
-A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A delegate_input -i br-wan -j zone_wan_input
-A delegate_input -i br-client -j zone_client_input
-A delegate_input -i local-node -j zone_local_node_input
# Output: every zone's output chain ends in an unconditional
# dest_ACCEPT and the policy is ACCEPT, so nothing originating on the
# node is filtered here.
-A delegate_output -o lo -j ACCEPT
-A delegate_output -m comment --comment "user chain for output" -j output_rule
-A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_output -o br-wan -j zone_wan_output
-A delegate_output -o br-client -j zone_client_output
-A delegate_output -o local-node -j zone_local_node_output
# Shared reject target: TCP gets a RST, everything else ICMP port-unreachable.
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable
# SYN limiter: one global token bucket (25/s, burst 50) shared by all
# sources; SYNs beyond it are dropped.  It is not per-source, so a single
# busy peer can consume the whole budget for everyone.
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
-A syn_flood -j DROP
# client zone (br-client): input is accepted wholesale via
# zone_client_src_ACCEPT, except TCP/UDP 53 to the node itself, which is
# rejected first (client_dns).  Nothing forwarded from br-client is
# accepted in this dump (forwarding_client_rule is empty):
# zone_client_dest_REJECT rejects client->client hairpins and everything
# else returns to delegate_forward's final reject.  The "--ctstate DNAT"
# rules in this zone cannot match br-client traffic because the raw
# table marks it --notrack.
-A zone_client_dest_ACCEPT -o br-client -j ACCEPT
-A zone_client_dest_REJECT -o br-client -j reject
-A zone_client_forward -m comment --comment "user chain for forwarding" -j forwarding_client_rule
-A zone_client_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_client_forward -j zone_client_dest_REJECT
-A zone_client_input -m comment --comment "user chain for input" -j input_client_rule
-A zone_client_input -p tcp -m tcp --dport 53 -m comment --comment client_dns -j reject
-A zone_client_input -p udp -m udp --dport 53 -m comment --comment client_dns -j reject
-A zone_client_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_client_input -j zone_client_src_ACCEPT
-A zone_client_output -m comment --comment "user chain for output" -j output_client_rule
-A zone_client_output -j zone_client_dest_ACCEPT
-A zone_client_src_ACCEPT -i br-client -j ACCEPT
# lan zone: no delegate_* rule dispatches any interface into zone_lan_*,
# and zone_lan_dest_ACCEPT / zone_lan_src_ACCEPT contain no rules, so the
# zone is inert in this dump.  Every jump to zone_lan_dest_ACCEPT (here
# and in zone_wan_forward) enters an empty chain and returns without
# accepting anything.
-A zone_lan_forward -m comment --comment "user chain for forwarding" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_lan_forward -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "user chain for input" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_lan_input -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "user chain for output" -j output_lan_rule
-A zone_lan_output -j zone_lan_dest_ACCEPT
# local_node zone (local-node): same shape as the client zone -- input
# accepted wholesale, forwarding rejected, and the conntrack matches are
# dead because the raw table marks local-node traffic --notrack.
-A zone_local_node_dest_ACCEPT -o local-node -j ACCEPT
-A zone_local_node_dest_REJECT -o local-node -j reject
-A zone_local_node_forward -m comment --comment "user chain for forwarding" -j forwarding_local_node_rule
-A zone_local_node_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_local_node_forward -j zone_local_node_dest_REJECT
-A zone_local_node_input -m comment --comment "user chain for input" -j input_local_node_rule
-A zone_local_node_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_local_node_input -j zone_local_node_src_ACCEPT
-A zone_local_node_output -m comment --comment "user chain for output" -j output_local_node_rule
-A zone_local_node_output -j zone_local_node_dest_ACCEPT
-A zone_local_node_src_ACCEPT -i local-node -j ACCEPT
# wan zone (br-wan): the only zone whose input and forward paths end in
# a reject.
-A zone_wan_dest_ACCEPT -o br-wan -j ACCEPT
-A zone_wan_dest_REJECT -o br-wan -j reject
-A zone_wan_forward -m comment --comment "user chain for forwarding" -j forwarding_wan_rule
# @rule[7]/@rule[8]: IPsec pass-through (ESP, IKE udp/500) from wan to
# lan.  zone_lan_dest_ACCEPT is empty (see lan zone), so these jumps
# accept nothing and the packets continue on to zone_wan_dest_REJECT.
-A zone_wan_forward -p esp -m comment --comment "@rule[7]" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "@rule[8]" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_wan_forward -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "user chain for input" -j input_wan_rule
# Services exposed to br-wan from any source: DHCP-client replies
# (udp/68), echo request, IGMP, and SSH (tcp/22).  SSH is reachable from
# the whole WAN with only the global syn_flood limiter in front of it; if
# that is not intended, add a source match or a per-source rate limit to
# the wan_ssh rule and keep sshd on key-only authentication.  Allow-IGMP
# appears twice; the second copy is redundant.
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment Allow-DHCP-Renew -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment Allow-Ping -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment Allow-IGMP -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 22 -m comment --comment wan_ssh -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment Allow-IGMP -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_wan_input -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "user chain for output" -j output_wan_rule
-A zone_wan_output -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i br-wan -j reject
COMMIT
# Completed on Tue Mar 14 21:33:23 2017