diff -Nru arno-iptables-firewall-2.0.3/debian/changelog arno-iptables-firewall-2.0.3/debian/changelog
--- arno-iptables-firewall-2.0.3/debian/changelog 2019-01-13 21:28:41.000000000 +0000
+++ arno-iptables-firewall-2.0.3/debian/changelog 2019-01-19 12:40:04.000000000 +0000
@@ -1,3 +1,11 @@
+arno-iptables-firewall (2.0.3-2) unstable; urgency=medium
+
+ * d/tests/*: Update test to run successfully with different
+ kernel and iptables versions.
+ * d/control: Update debhelper Build-Depends from 12 to 12~.
+
+ -- Sven Geuer Sat, 19 Jan 2019 13:40:04 +0100
+
 arno-iptables-firewall (2.0.3-1) unstable; urgency=medium
 * New upstream release.
diff -Nru arno-iptables-firewall-2.0.3/debian/control arno-iptables-firewall-2.0.3/debian/control
--- arno-iptables-firewall-2.0.3/debian/control 2019-01-13 21:28:41.000000000 +0000
+++ arno-iptables-firewall-2.0.3/debian/control 2019-01-19 12:40:04.000000000 +0000
@@ -8,7 +8,7 @@
 # but Lintian on mentors.debian.net complains about it.
 #Build-Depends: debhelper-compat (= 11),
 # Thus we stay with the traditional approach.
-Build-Depends: debhelper (>= 12),
+Build-Depends: debhelper (>= 12~),
 po-debconf
 Standards-Version: 4.3.0
 Vcs-Browser: https://salsa.debian.org/pkg-security-team/arno-iptables-firewall
diff -Nru arno-iptables-firewall-2.0.3/debian/tests/test1 arno-iptables-firewall-2.0.3/debian/tests/test1
--- arno-iptables-firewall-2.0.3/debian/tests/test1 2019-01-13 21:28:41.000000000 +0000
+++ arno-iptables-firewall-2.0.3/debian/tests/test1 2019-01-19 12:40:04.000000000 +0000
@@ -5,6 +5,10 @@
 echo checking the config file for expected content
 diff /etc/arno-iptables-firewall/conf.d/00debconf.conf debian/tests/test1_00debconf.conf
-echo checking for expected iptables/ip6tables rules
-iptables -S 2>&1 | diff - debian/tests/test1_iptables_-S
-ip6tables -S 2>&1 | diff - debian/tests/test1_ip6tables_-S
+echo checking for expected iptables rules
+# LC_ALL=C to make sure to sort by native byte values
+LC_ALL=C iptables -S 2>/dev/null | sort | diff - debian/tests/test1_iptables_-S_sorted
+
+echo checking for expected ip6tables rules
+# LC_ALL=C to make sure to sort by native byte values
+LC_ALL=C ip6tables -S 2>/dev/null | sort | diff - debian/tests/test1_ip6tables_-S_sorted
diff -Nru arno-iptables-firewall-2.0.3/debian/tests/test1_ip6tables_-S arno-iptables-firewall-2.0.3/debian/tests/test1_ip6tables_-S
--- arno-iptables-firewall-2.0.3/debian/tests/test1_ip6tables_-S 2019-01-13 21:28:41.000000000 +0000
+++ arno-iptables-firewall-2.0.3/debian/tests/test1_ip6tables_-S 1970-01-01 00:00:00.000000000 +0000
@@ -1,9 +0,0 @@
--P INPUT DROP
--P FORWARD DROP
--P OUTPUT DROP
--A INPUT -i lo -j ACCEPT
--A INPUT -j DROP
--A FORWARD -i lo -j ACCEPT
--A FORWARD -j DROP
--A OUTPUT -o lo -j ACCEPT
--A OUTPUT -j DROP
diff -Nru arno-iptables-firewall-2.0.3/debian/tests/test1_ip6tables_-S_sorted arno-iptables-firewall-2.0.3/debian/tests/test1_ip6tables_-S_sorted
--- arno-iptables-firewall-2.0.3/debian/tests/test1_ip6tables_-S_sorted 1970-01-01 00:00:00.000000000 +0000
+++ arno-iptables-firewall-2.0.3/debian/tests/test1_ip6tables_-S_sorted 2019-01-19 12:40:04.000000000 +0000
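Review bot: The `LC_ALL=C` prefix on both new pipelines binds only to `iptables`/`ip6tables`, not to `sort`, so the byte-order sorting the accompanying comment promises does not happen and the match against the pre-sorted fixtures depends on whatever locale autopkgtest runs under; move the assignment onto the sort stage, `iptables -S 2>/dev/null | LC_ALL=C sort | diff - debian/tests/test1_iptables_-S_sorted`, and likewise for the ip6tables line. A full sort also throws away rule order within a chain, which is what decides first-match outcome in iptables, so a regression that places `-A INPUT -j DROP` ahead of the jump into `BASE_INPUT_CHAIN` would still pass this check; if the aim is only to tolerate chain-ordering differences between iptables versions, a stable sort keyed on the chain name (`LC_ALL=C sort -s -k1,2`) keeps intra-chain order verifiable, with the fixtures regenerated the same way. Discarding stderr with `2>/dev/null` additionally hides the cause when `iptables -S` itself fails (no permission, missing backend) and the test then reports only a diff against empty output; since the version warning that presumably motivated this change goes to stderr, dropping the redirection altogether keeps it out of the pipe while leaving it visible in the test log.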
@@ -0,0 +1,9 @@
+-A FORWARD -i lo -j ACCEPT
+-A FORWARD -j DROP
+-A INPUT -i lo -j ACCEPT
+-A INPUT -j DROP
+-A OUTPUT -j DROP
+-A OUTPUT -o lo -j ACCEPT
+-P FORWARD DROP
+-P INPUT DROP
+-P OUTPUT DROP
diff -Nru arno-iptables-firewall-2.0.3/debian/tests/test1_iptables_-S arno-iptables-firewall-2.0.3/debian/tests/test1_iptables_-S
--- arno-iptables-firewall-2.0.3/debian/tests/test1_iptables_-S 2019-01-13 21:28:41.000000000 +0000
+++ arno-iptables-firewall-2.0.3/debian/tests/test1_iptables_-S 1970-01-01 00:00:00.000000000 +0000
@@ -1,164 +0,0 @@ --P INPUT DROP --P FORWARD DROP --P OUTPUT DROP --N BASE_INPUT_CHAIN --N BASE_FORWARD_CHAIN --N BASE_OUTPUT_CHAIN --N CONNTRACK_HELPER --N HOST_BLOCK_SRC --N HOST_BLOCK_DST --N HOST_BLOCK_SRC_DROP --N HOST_BLOCK_DST_DROP --N VALID_CHK --N RESERVED_NET_CHK --N SPOOF_CHK --N INPUT_CHAIN --N FORWARD_CHAIN --N OUTPUT_CHAIN --N POST_INPUT_DROP_CHAIN --N POST_INPUT_CHAIN --N POST_FORWARD_CHAIN --N POST_OUTPUT_CHAIN --N DMZ_LAN_FORWARD_CHAIN --N INET_DMZ_FORWARD_CHAIN --N DMZ_INET_FORWARD_CHAIN --N LAN_LAN_FORWARD_CHAIN --N LAN_INET_FORWARD_CHAIN --N EXT_MULTICAST_CHAIN --N EXT_BROADCAST_CHAIN --N EXT_ICMP_FLOOD_CHAIN --N EXT_INPUT_CHAIN --N EXT_FORWARD_IN_CHAIN --N EXT_FORWARD_OUT_CHAIN --N EXT_OUTPUT_CHAIN --N INT_INPUT_CHAIN --N INT_OUTPUT_CHAIN --N DMZ_INPUT_CHAIN --N DMZ_FORWARD_IN_CHAIN --N DMZ_FORWARD_OUT_CHAIN --N DMZ_OUTPUT_CHAIN --A INPUT -j BASE_INPUT_CHAIN --A INPUT -j INPUT_CHAIN --A INPUT -j HOST_BLOCK_SRC --A INPUT -j SPOOF_CHK --A INPUT -i ppp+ -j VALID_CHK --A INPUT -i ppp+ ! 
-p icmp -m conntrack --ctstate NEW -j EXT_INPUT_CHAIN --A INPUT -i ppp+ -p icmp -m conntrack --ctstate NEW -m limit --limit 60/sec --limit-burst 100 -j EXT_INPUT_CHAIN --A INPUT -i ppp+ -p icmp -m conntrack --ctstate NEW -j EXT_ICMP_FLOOD_CHAIN --A INPUT -j POST_INPUT_CHAIN --A INPUT -m limit --limit 1/sec -j LOG --log-prefix "AIF:Dropped INPUT packet: " --log-level 6 --A INPUT -j DROP --A FORWARD -j BASE_FORWARD_CHAIN --A FORWARD -o ppp+ -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu --A FORWARD -j FORWARD_CHAIN --A FORWARD -j HOST_BLOCK_SRC --A FORWARD -j HOST_BLOCK_DST --A FORWARD -i ppp+ -j EXT_FORWARD_IN_CHAIN --A FORWARD -o ppp+ -j EXT_FORWARD_OUT_CHAIN --A FORWARD -j SPOOF_CHK --A FORWARD -j POST_FORWARD_CHAIN --A FORWARD -m limit --limit 1/min --limit-burst 3 -j LOG --log-prefix "AIF:Dropped FORWARD packet: " --log-level 6 --A FORWARD -j DROP --A OUTPUT -j BASE_OUTPUT_CHAIN --A OUTPUT -o ppp+ -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu --A OUTPUT -j OUTPUT_CHAIN --A OUTPUT -j HOST_BLOCK_DST --A OUTPUT -f -m limit --limit 3/min -j LOG --log-prefix "AIF:Fragment packet: " --log-level 6 --A OUTPUT -f -j DROP --A OUTPUT -o ppp+ -j EXT_OUTPUT_CHAIN --A OUTPUT -j POST_OUTPUT_CHAIN --A OUTPUT -j ACCEPT --A BASE_INPUT_CHAIN -m conntrack --ctstate ESTABLISHED -j ACCEPT --A BASE_INPUT_CHAIN -p icmp -m conntrack --ctstate RELATED -j ACCEPT --A BASE_INPUT_CHAIN -j CONNTRACK_HELPER --A BASE_INPUT_CHAIN -i lo -j ACCEPT --A BASE_FORWARD_CHAIN -m conntrack --ctstate ESTABLISHED -j ACCEPT --A BASE_FORWARD_CHAIN -p icmp -m conntrack --ctstate RELATED -j ACCEPT --A BASE_FORWARD_CHAIN -j CONNTRACK_HELPER --A BASE_FORWARD_CHAIN -i lo -j ACCEPT --A BASE_OUTPUT_CHAIN -m conntrack --ctstate ESTABLISHED -j ACCEPT --A BASE_OUTPUT_CHAIN -o lo -j ACCEPT --A CONNTRACK_HELPER -p tcp -m conntrack --ctstate RELATED -m helper --helper ftp -m tcp --dport 1024:65535 -j ACCEPT --A HOST_BLOCK_SRC_DROP -m limit --limit 1/min --limit-burst 1 -j LOG 
--log-prefix "AIF:Blocked inbound host: " --log-level 6 --A HOST_BLOCK_SRC_DROP -j DROP --A HOST_BLOCK_DST_DROP -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "AIF:Blocked outbound host: " --log-level 6 --A HOST_BLOCK_DST_DROP -j DROP --A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth XMAS scan: " --log-level 6 --A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth XMAS-PSH scan: " --log-level 6 --A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth XMAS-ALL scan: " --log-level 6 --A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth FIN scan: " --log-level 6 --A VALID_CHK -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth SYN/RST scan: " --log-level 6 --A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth SYN/FIN scan?: " --log-level 6 --A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth Null scan: " --log-level 6 --A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j POST_INPUT_DROP_CHAIN --A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j POST_INPUT_DROP_CHAIN --A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j POST_INPUT_DROP_CHAIN --A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j POST_INPUT_DROP_CHAIN --A VALID_CHK -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j POST_INPUT_DROP_CHAIN --A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j POST_INPUT_DROP_CHAIN --A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j 
POST_INPUT_DROP_CHAIN --A VALID_CHK -p tcp -m tcp --tcp-option 64 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:Bad TCP flag(64): " --log-level 6 --A VALID_CHK -p tcp -m tcp --tcp-option 128 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:Bad TCP flag(128): " --log-level 6 --A VALID_CHK -p tcp -m tcp --tcp-option 64 -j POST_INPUT_DROP_CHAIN --A VALID_CHK -p tcp -m tcp --tcp-option 128 -j POST_INPUT_DROP_CHAIN --A VALID_CHK -m conntrack --ctstate INVALID -j POST_INPUT_DROP_CHAIN --A VALID_CHK -f -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:Fragment packet: " --A VALID_CHK -f -j DROP --A SPOOF_CHK -j RETURN --A POST_INPUT_DROP_CHAIN -j DROP --A EXT_MULTICAST_CHAIN -p tcp -m tcp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV TCP multicast: " --log-level 6 --A EXT_MULTICAST_CHAIN -p udp -m udp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV UDP multicast: " --log-level 6 --A EXT_MULTICAST_CHAIN -p tcp -m tcp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV TCP multicast: " --log-level 6 --A EXT_MULTICAST_CHAIN -p udp -m udp --dport 1024 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV UDP multicast: " --log-level 6 --A EXT_MULTICAST_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-multicast-request: " --log-level 6 --A EXT_MULTICAST_CHAIN -p icmp -m icmp ! 
--icmp-type 8 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-multicast-other: " --log-level 6 --A EXT_MULTICAST_CHAIN -j DROP --A EXT_BROADCAST_CHAIN -p tcp -m tcp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV TCP broadcast: " --log-level 6 --A EXT_BROADCAST_CHAIN -p udp -m udp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV UDP broadcast: " --log-level 6 --A EXT_BROADCAST_CHAIN -p tcp -m tcp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV TCP broadcast: " --log-level 6 --A EXT_BROADCAST_CHAIN -p udp -m udp --dport 1024 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV UDP broadcast: " --log-level 6 --A EXT_BROADCAST_CHAIN -j DROP --A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 3 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-unreachable flood: " --log-level 6 --A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 3 -j POST_INPUT_DROP_CHAIN --A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 11 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-time-exceeded fld: " --log-level 6 --A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 11 -j POST_INPUT_DROP_CHAIN --A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 12 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-param-problem fld: " --log-level 6 --A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 12 -j POST_INPUT_DROP_CHAIN --A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-request(ping) fld: " --log-level 6 --A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 8 -j POST_INPUT_DROP_CHAIN --A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-# Warning: iptables-legacy tables present, use iptables-legacy to see them -type 0 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-reply(pong) flood: " 
--log-level 6 --A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 0 -j POST_INPUT_DROP_CHAIN --A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 4 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-source-quench fld: " --log-level 6 --A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 4 -j POST_INPUT_DROP_CHAIN --A EXT_ICMP_FLOOD_CHAIN -p icmp -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP(other) flood: " --log-level 6 --A EXT_ICMP_FLOOD_CHAIN -p icmp -j POST_INPUT_DROP_CHAIN --A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "AIF:Port 0 OS fingerprint: " --log-level 6 --A EXT_INPUT_CHAIN -p udp -m udp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "AIF:Port 0 OS fingerprint: " --log-level 6 --A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0 -j POST_INPUT_DROP_CHAIN --A EXT_INPUT_CHAIN -p udp -m udp --dport 0 -j POST_INPUT_DROP_CHAIN --A EXT_INPUT_CHAIN -p tcp -m tcp --sport 0 -m limit --limit 6/hour -j LOG --log-prefix "AIF:TCP source port 0: " --log-level 6 --A EXT_INPUT_CHAIN -p udp -m udp --sport 0 -m limit --limit 6/hour -j LOG --log-prefix "AIF:UDP source port 0: " --log-level 6 --A EXT_INPUT_CHAIN -p tcp -m tcp --sport 0 -j POST_INPUT_DROP_CHAIN --A EXT_INPUT_CHAIN -p udp -m udp --sport 0 -j POST_INPUT_DROP_CHAIN --A EXT_INPUT_CHAIN -p udp -m udp --sport 67 --dport 68 -j ACCEPT --A EXT_INPUT_CHAIN -p tcp -m tcp --dport 1024:65535 ! --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth scan? (UNPRIV): " --log-level 6 --A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0:1023 ! --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth scan? (PRIV): " --log-level 6 --A EXT_INPUT_CHAIN -p tcp -m tcp ! 
--tcp-flags FIN,SYN,RST,ACK SYN -j POST_INPUT_DROP_CHAIN --A EXT_INPUT_CHAIN -d 255.255.255.255/32 -j EXT_BROADCAST_CHAIN --A EXT_INPUT_CHAIN -d 224.0.0.0/4 -j EXT_MULTICAST_CHAIN --A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV TCP packet: " --log-level 6 --A EXT_INPUT_CHAIN -p udp -m udp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV UDP packet: " --log-level 6 --A EXT_INPUT_CHAIN -p tcp -m tcp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV TCP packet: " --log-level 6 --A EXT_INPUT_CHAIN -p udp -m udp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV UDP packet: " --log-level 6 --A EXT_INPUT_CHAIN -p igmp -m limit --limit 1/min -j LOG --log-prefix "AIF:IGMP packet: " --log-level 6 --A EXT_INPUT_CHAIN -j POST_INPUT_CHAIN --A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-request: " --log-level 6 --A EXT_INPUT_CHAIN -p icmp -m icmp ! --icmp-type 8 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-other: " --log-level 6 --A EXT_INPUT_CHAIN -p tcp -j POST_INPUT_DROP_CHAIN --A EXT_INPUT_CHAIN -p udp -j POST_INPUT_DROP_CHAIN --A EXT_INPUT_CHAIN -p igmp -j POST_INPUT_DROP_CHAIN --A EXT_INPUT_CHAIN -p icmp -j POST_INPUT_DROP_CHAIN --A EXT_INPUT_CHAIN -m limit --limit 1/min -j LOG --log-prefix "AIF:Other connect: " --log-level 6 --A EXT_INPUT_CHAIN -j POST_INPUT_DROP_CHAIN --A EXT_FORWARD_IN_CHAIN -j VALID_CHK diff -Nru arno-iptables-firewall-2.0.3/debian/tests/test1_iptables_-S_sorted arno-iptables-firewall-2.0.3/debian/tests/test1_iptables_-S_sorted --- arno-iptables-firewall-2.0.3/debian/tests/test1_iptables_-S_sorted 1970-01-01 00:00:00.000000000 +0000 +++ arno-iptables-firewall-2.0.3/debian/tests/test1_iptables_-S_sorted 2019-01-19 12:40:04.000000000 +0000 
@@ -0,0 +1,163 @@ +-A BASE_FORWARD_CHAIN -i lo -j ACCEPT +-A BASE_FORWARD_CHAIN -j CONNTRACK_HELPER +-A BASE_FORWARD_CHAIN -m conntrack --ctstate ESTABLISHED -j ACCEPT +-A BASE_FORWARD_CHAIN -p icmp -m conntrack --ctstate RELATED -j ACCEPT +-A BASE_INPUT_CHAIN -i lo -j ACCEPT +-A BASE_INPUT_CHAIN -j CONNTRACK_HELPER +-A BASE_INPUT_CHAIN -m conntrack --ctstate ESTABLISHED -j ACCEPT +-A BASE_INPUT_CHAIN -p icmp -m conntrack --ctstate RELATED -j ACCEPT +-A BASE_OUTPUT_CHAIN -m conntrack --ctstate ESTABLISHED -j ACCEPT +-A BASE_OUTPUT_CHAIN -o lo -j ACCEPT +-A CONNTRACK_HELPER -p tcp -m conntrack --ctstate RELATED -m helper --helper ftp -m tcp --dport 1024:65535 -j ACCEPT +-A EXT_BROADCAST_CHAIN -j DROP +-A EXT_BROADCAST_CHAIN -p tcp -m tcp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV TCP broadcast: " --log-level 6 +-A EXT_BROADCAST_CHAIN -p tcp -m tcp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV TCP broadcast: " --log-level 6 +-A EXT_BROADCAST_CHAIN -p udp -m udp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV UDP broadcast: " --log-level 6 +-A EXT_BROADCAST_CHAIN -p udp -m udp --dport 1024 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV UDP broadcast: " --log-level 6 +-A EXT_FORWARD_IN_CHAIN -j VALID_CHK +-A EXT_ICMP_FLOOD_CHAIN -p icmp -j POST_INPUT_DROP_CHAIN +-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 0 -j POST_INPUT_DROP_CHAIN +-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 0 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-reply(pong) flood: " --log-level 6 +-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 11 -j POST_INPUT_DROP_CHAIN +-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 11 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-time-exceeded fld: " --log-level 6 +-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 12 -j POST_INPUT_DROP_CHAIN +-A 
EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 12 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-param-problem fld: " --log-level 6 +-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 3 -j POST_INPUT_DROP_CHAIN +-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 3 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-unreachable flood: " --log-level 6 +-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 4 -j POST_INPUT_DROP_CHAIN +-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 4 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-source-quench fld: " --log-level 6 +-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 8 -j POST_INPUT_DROP_CHAIN +-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-request(ping) fld: " --log-level 6 +-A EXT_ICMP_FLOOD_CHAIN -p icmp -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP(other) flood: " --log-level 6 +-A EXT_INPUT_CHAIN -d 224.0.0.0/4 -j EXT_MULTICAST_CHAIN +-A EXT_INPUT_CHAIN -d 255.255.255.255/32 -j EXT_BROADCAST_CHAIN +-A EXT_INPUT_CHAIN -j POST_INPUT_CHAIN +-A EXT_INPUT_CHAIN -j POST_INPUT_DROP_CHAIN +-A EXT_INPUT_CHAIN -m limit --limit 1/min -j LOG --log-prefix "AIF:Other connect: " --log-level 6 +-A EXT_INPUT_CHAIN -p icmp -j POST_INPUT_DROP_CHAIN +-A EXT_INPUT_CHAIN -p icmp -m icmp ! --icmp-type 8 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-other: " --log-level 6 +-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-request: " --log-level 6 +-A EXT_INPUT_CHAIN -p igmp -j POST_INPUT_DROP_CHAIN +-A EXT_INPUT_CHAIN -p igmp -m limit --limit 1/min -j LOG --log-prefix "AIF:IGMP packet: " --log-level 6 +-A EXT_INPUT_CHAIN -p tcp -j POST_INPUT_DROP_CHAIN +-A EXT_INPUT_CHAIN -p tcp -m tcp ! 
--tcp-flags FIN,SYN,RST,ACK SYN -j POST_INPUT_DROP_CHAIN +-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0 -j POST_INPUT_DROP_CHAIN +-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "AIF:Port 0 OS fingerprint: " --log-level 6 +-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0:1023 ! --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth scan? (PRIV): " --log-level 6 +-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV TCP packet: " --log-level 6 +-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 1024:65535 ! --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth scan? (UNPRIV): " --log-level 6 +-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV TCP packet: " --log-level 6 +-A EXT_INPUT_CHAIN -p tcp -m tcp --sport 0 -j POST_INPUT_DROP_CHAIN +-A EXT_INPUT_CHAIN -p tcp -m tcp --sport 0 -m limit --limit 6/hour -j LOG --log-prefix "AIF:TCP source port 0: " --log-level 6 +-A EXT_INPUT_CHAIN -p udp -j POST_INPUT_DROP_CHAIN +-A EXT_INPUT_CHAIN -p udp -m udp --dport 0 -j POST_INPUT_DROP_CHAIN +-A EXT_INPUT_CHAIN -p udp -m udp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "AIF:Port 0 OS fingerprint: " --log-level 6 +-A EXT_INPUT_CHAIN -p udp -m udp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV UDP packet: " --log-level 6 +-A EXT_INPUT_CHAIN -p udp -m udp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV UDP packet: " --log-level 6 +-A EXT_INPUT_CHAIN -p udp -m udp --sport 0 -j POST_INPUT_DROP_CHAIN +-A EXT_INPUT_CHAIN -p udp -m udp --sport 0 -m limit --limit 6/hour -j LOG --log-prefix "AIF:UDP source port 0: " --log-level 6 +-A EXT_INPUT_CHAIN -p udp -m udp --sport 67 --dport 68 -j ACCEPT +-A EXT_MULTICAST_CHAIN -j DROP +-A EXT_MULTICAST_CHAIN 
-p icmp -m icmp ! --icmp-type 8 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-multicast-other: " --log-level 6 +-A EXT_MULTICAST_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-multicast-request: " --log-level 6 +-A EXT_MULTICAST_CHAIN -p tcp -m tcp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV TCP multicast: " --log-level 6 +-A EXT_MULTICAST_CHAIN -p tcp -m tcp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV TCP multicast: " --log-level 6 +-A EXT_MULTICAST_CHAIN -p udp -m udp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV UDP multicast: " --log-level 6 +-A EXT_MULTICAST_CHAIN -p udp -m udp --dport 1024 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV UDP multicast: " --log-level 6 +-A FORWARD -i ppp+ -j EXT_FORWARD_IN_CHAIN +-A FORWARD -j BASE_FORWARD_CHAIN +-A FORWARD -j DROP +-A FORWARD -j FORWARD_CHAIN +-A FORWARD -j HOST_BLOCK_DST +-A FORWARD -j HOST_BLOCK_SRC +-A FORWARD -j POST_FORWARD_CHAIN +-A FORWARD -j SPOOF_CHK +-A FORWARD -m limit --limit 1/min --limit-burst 3 -j LOG --log-prefix "AIF:Dropped FORWARD packet: " --log-level 6 +-A FORWARD -o ppp+ -j EXT_FORWARD_OUT_CHAIN +-A FORWARD -o ppp+ -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu +-A HOST_BLOCK_DST_DROP -j DROP +-A HOST_BLOCK_DST_DROP -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "AIF:Blocked outbound host: " --log-level 6 +-A HOST_BLOCK_SRC_DROP -j DROP +-A HOST_BLOCK_SRC_DROP -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "AIF:Blocked inbound host: " --log-level 6 +-A INPUT -i ppp+ ! 
-p icmp -m conntrack --ctstate NEW -j EXT_INPUT_CHAIN +-A INPUT -i ppp+ -j VALID_CHK +-A INPUT -i ppp+ -p icmp -m conntrack --ctstate NEW -j EXT_ICMP_FLOOD_CHAIN +-A INPUT -i ppp+ -p icmp -m conntrack --ctstate NEW -m limit --limit 60/sec --limit-burst 100 -j EXT_INPUT_CHAIN +-A INPUT -j BASE_INPUT_CHAIN +-A INPUT -j DROP +-A INPUT -j HOST_BLOCK_SRC +-A INPUT -j INPUT_CHAIN +-A INPUT -j POST_INPUT_CHAIN +-A INPUT -j SPOOF_CHK +-A INPUT -m limit --limit 1/sec -j LOG --log-prefix "AIF:Dropped INPUT packet: " --log-level 6 +-A OUTPUT -f -j DROP +-A OUTPUT -f -m limit --limit 3/min -j LOG --log-prefix "AIF:Fragment packet: " --log-level 6 +-A OUTPUT -j ACCEPT +-A OUTPUT -j BASE_OUTPUT_CHAIN +-A OUTPUT -j HOST_BLOCK_DST +-A OUTPUT -j OUTPUT_CHAIN +-A OUTPUT -j POST_OUTPUT_CHAIN +-A OUTPUT -o ppp+ -j EXT_OUTPUT_CHAIN +-A OUTPUT -o ppp+ -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu +-A POST_INPUT_DROP_CHAIN -j DROP +-A SPOOF_CHK -j RETURN +-A VALID_CHK -f -j DROP +-A VALID_CHK -f -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:Fragment packet: " +-A VALID_CHK -m conntrack --ctstate INVALID -j POST_INPUT_DROP_CHAIN +-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j POST_INPUT_DROP_CHAIN +-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth SYN/FIN scan?: " --log-level 6 +-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j POST_INPUT_DROP_CHAIN +-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth FIN scan: " --log-level 6 +-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j POST_INPUT_DROP_CHAIN +-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth XMAS scan: " --log-level 6 +-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j POST_INPUT_DROP_CHAIN 
+-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth XMAS-PSH scan: " --log-level 6 +-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j POST_INPUT_DROP_CHAIN +-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth XMAS-ALL scan: " --log-level 6 +-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j POST_INPUT_DROP_CHAIN +-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth Null scan: " --log-level 6 +-A VALID_CHK -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j POST_INPUT_DROP_CHAIN +-A VALID_CHK -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/min -j LOG --log-prefix "AIF:Stealth SYN/RST scan: " --log-level 6 +-A VALID_CHK -p tcp -m tcp --tcp-option 128 -j POST_INPUT_DROP_CHAIN +-A VALID_CHK -p tcp -m tcp --tcp-option 128 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:Bad TCP flag(128): " --log-level 6 +-A VALID_CHK -p tcp -m tcp --tcp-option 64 -j POST_INPUT_DROP_CHAIN +-A VALID_CHK -p tcp -m tcp --tcp-option 64 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:Bad TCP flag(64): " --log-level 6 +-N BASE_FORWARD_CHAIN +-N BASE_INPUT_CHAIN +-N BASE_OUTPUT_CHAIN +-N CONNTRACK_HELPER +-N DMZ_FORWARD_IN_CHAIN +-N DMZ_FORWARD_OUT_CHAIN +-N DMZ_INET_FORWARD_CHAIN +-N DMZ_INPUT_CHAIN +-N DMZ_LAN_FORWARD_CHAIN +-N DMZ_OUTPUT_CHAIN +-N EXT_BROADCAST_CHAIN +-N EXT_FORWARD_IN_CHAIN +-N EXT_FORWARD_OUT_CHAIN +-N EXT_ICMP_FLOOD_CHAIN +-N EXT_INPUT_CHAIN +-N EXT_MULTICAST_CHAIN +-N EXT_OUTPUT_CHAIN +-N FORWARD_CHAIN +-N HOST_BLOCK_DST +-N HOST_BLOCK_DST_DROP +-N HOST_BLOCK_SRC +-N HOST_BLOCK_SRC_DROP +-N INET_DMZ_FORWARD_CHAIN +-N INPUT_CHAIN +-N INT_INPUT_CHAIN +-N INT_OUTPUT_CHAIN +-N LAN_INET_FORWARD_CHAIN +-N LAN_LAN_FORWARD_CHAIN +-N 
OUTPUT_CHAIN +-N POST_FORWARD_CHAIN +-N POST_INPUT_CHAIN +-N POST_INPUT_DROP_CHAIN +-N POST_OUTPUT_CHAIN +-N RESERVED_NET_CHK +-N SPOOF_CHK +-N VALID_CHK +-P FORWARD DROP +-P INPUT DROP +-P OUTPUT DROP