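*filter
# filter table: log-then-drop of packets whose payload carries a plain-text
# BitTorrent / DHT keyword.  LOG is non-terminating, so a matching packet is
# first written to the kernel log (prefix "iptables DHT: ", level 7 = debug)
# by the LOG group and then discarded by the DROP group that follows it.
# Chain policies stay ACCEPT; the [packets:bytes] counters on the policy
# lines are only reinstated by `iptables-restore -c`.
#
# The string match is a case-sensitive substring search (no --icase) over
# the first 65535 bytes of every packet, on every protocol (no -p given).
# "torrent" and "announce" are short, generic words, so expect hits on
# ordinary web/mail traffic as well; conversely, encrypted peer traffic
# carries none of these strings and is not affected by this table.
#
# The earlier "announce_peers" rules were dropped from both chains: every
# packet containing that string also contains "announce", so they only
# produced a second identical log line and a DROP that was never reached.
# (The DHT query is actually spelled "announce_peer"; the "announce" rule
# already covers it.)
:INPUT ACCEPT [1009:192504]
:FORWARD ACCEPT [25:3510]
:OUTPUT ACCEPT [1111:239704]
# --- INPUT: log, then drop ---
-A INPUT -m string --string "torrent" --algo kmp --to 65535 -j LOG --log-prefix "iptables DHT: " --log-level 7
-A INPUT -m string --string "BitTorrent" --algo kmp --to 65535 -j LOG --log-prefix "iptables DHT: " --log-level 7
-A INPUT -m string --string "peer_id=" --algo kmp --to 65535 -j LOG --log-prefix "iptables DHT: " --log-level 7
-A INPUT -m string --string "info_hash" --algo kmp --to 65535 -j LOG --log-prefix "iptables DHT: " --log-level 7
-A INPUT -m string --string "find_node" --algo kmp --to 65535 -j LOG --log-prefix "iptables DHT: " --log-level 7
-A INPUT -m string --string "get_peers" --algo kmp --to 65535 -j LOG --log-prefix "iptables DHT: " --log-level 7
-A INPUT -m string --string "announce" --algo kmp --to 65535 -j LOG --log-prefix "iptables DHT: " --log-level 7
-A INPUT -m string --string "torrent" --algo kmp --to 65535 -j DROP
-A INPUT -m string --string "BitTorrent" --algo kmp --to 65535 -j DROP
-A INPUT -m string --string "peer_id=" --algo kmp --to 65535 -j DROP
-A INPUT -m string --string "info_hash" --algo kmp --to 65535 -j DROP
-A INPUT -m string --string "find_node" --algo kmp --to 65535 -j DROP
-A INPUT -m string --string "get_peers" --algo kmp --to 65535 -j DROP
-A INPUT -m string --string "announce" --algo kmp --to 65535 -j DROP
# --- FORWARD: same keyword list for routed traffic ---
-A FORWARD -m string --string "torrent" --algo kmp --to 65535 -j LOG --log-prefix "iptables DHT: " --log-level 7
-A FORWARD -m string --string "BitTorrent" --algo kmp --to 65535 -j LOG --log-prefix "iptables DHT: " --log-level 7
-A FORWARD -m string --string "peer_id=" --algo kmp --to 65535 -j LOG --log-prefix "iptables DHT: " --log-level 7
-A FORWARD -m string --string "info_hash" --algo kmp --to 65535 -j LOG --log-prefix "iptables DHT: " --log-level 7
-A FORWARD -m string --string "find_node" --algo kmp --to 65535 -j LOG --log-prefix "iptables DHT: " --log-level 7
-A FORWARD -m string --string "get_peers" --algo kmp --to 65535 -j LOG --log-prefix "iptables DHT: " --log-level 7
-A FORWARD -m string --string "announce" --algo kmp --to 65535 -j LOG --log-prefix "iptables DHT: " --log-level 7
-A FORWARD -m string --string "torrent" --algo kmp --to 65535 -j DROP
-A FORWARD -m string --string "BitTorrent" --algo kmp --to 65535 -j DROP
-A FORWARD -m string --string "peer_id=" --algo kmp --to 65535 -j DROP
-A FORWARD -m string --string "info_hash" --algo kmp --to 65535 -j DROP
-A FORWARD -m string --string "find_node" --algo kmp --to 65535 -j DROP
-A FORWARD -m string --string "get_peers" --algo kmp --to 65535 -j DROP
-A FORWARD -m string --string "announce" --algo kmp --to 65535 -j DROP
COMMIT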
# Completed on Thu Feb  4 08:05:19 2016
# Generated by iptables-save v1.4.21 on Thu Feb  4 08:05:19 2016
*nat
# nat table.  There are no ":CHAIN POLICY [c:b]" lines, so iptables-restore
# appends to the built-in chains and leaves their policies untouched.
# The ${RAILGUN_*} placeholders are not valid iptables syntax; presumably a
# wrapper (e.g. envsubst) expands them before the file is loaded -- verify.
# Masquerade 172.16/12 (container range) leaving via anything but docker0.
-A POSTROUTING -s 172.16.0.0/12 ! -o docker0 -j MASQUERADE
# TCP from any source listed in ipset "block_ip" is redirected to local port 3101
# instead of reaching its original destination port.
-A PREROUTING -p tcp -m set --match-set block_ip src -j REDIRECT --to-ports 3101
# Transparent-proxy dispatch for TCP arriving on the railgun interface and
# addressed to a local address.  Order matters: ACCEPT in nat PREROUTING ends
# traversal of this chain, so the ports listed on the next line and the
# "ports4" set skip every REDIRECT below; sets ports1/2/3 map to 3128/3129/1080,
# and anything else is caught by the final catch-all REDIRECT to 3100.
-A PREROUTING -i ${RAILGUN_INTERFACE} -p tcp -m addrtype --dst-type LOCAL -m multiport --dports 22,443,3000,1723,5001,5201 -j ACCEPT
-A PREROUTING -i ${RAILGUN_INTERFACE} -p tcp -m addrtype --dst-type LOCAL -m set --match-set ports1 dst -j REDIRECT --to-ports 3128
-A PREROUTING -i ${RAILGUN_INTERFACE} -p tcp -m addrtype --dst-type LOCAL -m set --match-set ports2 dst -j REDIRECT --to-ports 3129
-A PREROUTING -i ${RAILGUN_INTERFACE} -p tcp -m addrtype --dst-type LOCAL -m set --match-set ports3 dst -j REDIRECT --to-ports 1080
-A PREROUTING -i ${RAILGUN_INTERFACE} -p tcp -m addrtype --dst-type LOCAL -m set --match-set ports4 dst -j ACCEPT 
-A PREROUTING -i ${RAILGUN_INTERFACE} -p tcp -m addrtype --dst-type LOCAL -j REDIRECT --to-ports 3100
# socks5 dns hack
# Locally generated UDP/53 from uid "proxy" heading out the railgun interface
# is redirected to port 53 on this host; a local resolver is assumed -- confirm.
-A OUTPUT -o ${RAILGUN_INTERFACE} -p udp --dport 53 -m owner --uid-owner proxy -j REDIRECT --to-ports 53
# Source-NAT 10/8 traffic leaving the railgun interface to the railgun private address.
-A POSTROUTING -o ${RAILGUN_INTERFACE} -s 10.0.0.0/8 -j SNAT --to-source ${RAILGUN_PRIVATE_ADDRESS}
COMMIT
*mangle
# mangle table: fwmark assignment for policy routing / TPROXY, MSS clamping
# and TOS.  As in the nat table, no ":CHAIN" lines are present, so built-in
# chain policies are left as they are, and the ${RAILGUN_*} placeholders must
# be expanded before loading.
# Forwarded traffic from 172.16/12 leaves this chain unmarked.
-A FORWARD -s 172.16.0.0/12 -j ACCEPT
# TCP from the railgun /16 to non-10/8 destinations on ports 9300,9301,9400
# gets mark 0x1 and is then ACCEPTed, which ends PREROUTING traversal here,
# so these flows never reach the TPROXY rule below.
-A PREROUTING -s ${RAILGUN_ADDRESS}/16 ! -d 10.0.0.0/8 -p tcp -m multiport --dports 9300,9301,9400 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -s ${RAILGUN_ADDRESS}/16 ! -d 10.0.0.0/8 -p tcp -m multiport --dports 9300,9301,9400 -j ACCEPT
# All other TCP from the railgun /16 that is not addressed to a local address
# is diverted to a transparent proxy listening on port 5000 and marked 0x3.
# TPROXY only marks the packet and steers the socket lookup; the ip rule/route
# that delivers fwmark 0x3 locally has to exist outside this file -- confirm.
-A PREROUTING -s ${RAILGUN_ADDRESS}/16 -p tcp -m addrtype ! --dst-type LOCAL -j TPROXY --on-port 5000 --on-ip 0.0.0.0 --tproxy-mark 0x3
# Non-TCP from the railgun /16 is marked 0x1 (no mask given, so the whole mark
# is replaced, same as the explicit /0xffffffff above).
-A PREROUTING -s ${RAILGUN_ADDRESS}/16 ! -p tcp -j MARK --set-mark 0x1
# MSS clamping, both directions between the railgun /16 and this host: only
# SYNs (RST clear) that advertise an MSS in the inclusive range 1301-1536 are
# rewritten to 1300; SYNs advertising a smaller or larger MSS are untouched.
-A INPUT -s ${RAILGUN_ADDRESS}/16 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1301:1536 -j TCPMSS --set-mss 1300
-A OUTPUT -d ${RAILGUN_ADDRESS}/16 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1301:1536 -j TCPMSS --set-mss 1300
# Every packet leaving the railgun interface gets its TOS byte set to 0x3c.
-A POSTROUTING -o ${RAILGUN_INTERFACE} -j TOS --set-tos 0x3c
COMMIT
