# filter table (iptables-restore format, IPv4 only; any IPv6 policy would live in a
# separate ip6tables file). All three built-in chains default to DROP, so only the
# explicit ACCEPT rules below let traffic through. Rule order matters: the first
# matching rule in a chain decides.
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT DROP
# accept incoming traffic on internal intfs.
# A trailing '+' is an interface-name wildcard (internal+ matches internal0, internal1, ...).
# Nothing else is accepted into INPUT in this file: packets arriving on any other
# interface (including ma+) fall through to the DROP policy. There is also no
# conntrack ESTABLISHED,RELATED rule, so replies to locally initiated connections
# arriving on other interfaces are not accepted by this table -- presumably intended
# for this device; confirm against the interface layout.
-A INPUT -i lo -j ACCEPT
-A INPUT -i internal+ -j ACCEPT
-A INPUT -i usb+ -j ACCEPT
# disallow forwarding of packets to mgmt network
# Only egress toward ma+ is blocked; packets entering on ma+ and leaving on another
# interface are still subject to the ACCEPT rule below. The drop is silent (no LOG
# rule precedes it), so blocked attempts leave no trace in the kernel log.
-A FORWARD -o ma+ -j DROP
# Forward everything whose source AND destination are both outside 127.0.0.0/8
# (255.0.0.0 is the dotted-mask spelling of /8).
-A FORWARD ! -s 127.0.0.0/255.0.0.0 ! -d 127.0.0.0/255.0.0.0 -j ACCEPT
# accept all outgoing traffic on internal intfs.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o internal+ -j ACCEPT
# Locally generated traffic to any other interface is allowed without restriction,
# provided neither address is loopback (loopback egress is already handled by -o lo).
-A OUTPUT ! -s 127.0.0.0/255.0.0.0 ! -d 127.0.0.0/255.0.0.0 -j ACCEPT
COMMIT
# disable conntrack reassembly for software-routed packets
# The raw table's PREROUTING hook runs before connection tracking; CT --notrack
# exempts matching packets from conntrack entirely, so they are invisible to any
# stateful (-m conntrack / -m state) matching later on. No chain/policy lines are
# given for this table, so the built-in chains' existing policies are presumably
# left as they are -- confirm.
*raw
# Packets carrying fwmark 13429. The mark must already be set by the time the packet
# reaches raw PREROUTING (by something outside this file); the meaning of 13429 is
# not defined here -- TODO confirm where it is assigned.
-A PREROUTING -m mark --mark 13429 -j CT --notrack
# Disable connection tracking for software-forwarded multicast packets
# 224.0.0.0/4 is the entire IPv4 multicast range.
-A PREROUTING -d 224.0.0.0/4 -j CT --notrack
COMMIT
