{%- from "pppoe/map.jinja" import pppoe with context -%}
# iptables-restore ruleset for a PPPoE gateway. Interface names and the list
# of TCP port forwards are taken from pillar via pppoe/map.jinja (presumably
# rendered by Salt). Written in iptables-save short-option style.
#
# Rules are matched top to bottom inside each chain; iptables-restore skips
# comment lines and blank lines. Each table ends with COMMIT.

*filter
# --- INPUT: traffic addressed to the gateway itself ---
# Replies to connections the gateway opened.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN side and loopback are trusted in full.
-A INPUT -i {{ pppoe.interfaces.lan }} -j ACCEPT
-A INPUT -i lo -j ACCEPT
# From the PPPoE side only three ICMP types are admitted: rate-limited ping,
# plus fragmentation-needed and time-exceeded (path-MTU discovery, traceroute).
-A INPUT -i {{ pppoe.interfaces.ppp }} -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
-A INPUT -i {{ pppoe.interfaces.ppp }} -p icmp --icmp-type fragmentation-needed -j ACCEPT
-A INPUT -i {{ pppoe.interfaces.ppp }} -p icmp --icmp-type time-exceeded -j ACCEPT
# Anything else aimed at the gateway is rejected (default reject-with).
-A INPUT -j REJECT

# --- FORWARD: traffic routed between LAN and PPPoE ---
# One explicit ACCEPT per configured port forward (the DNAT itself is in *nat).
# NOTE(review): these rules carry no -i restriction, so they match regardless of
# ingress interface; the DNAT ctstate rule below would already admit the
# forwarded flows - confirm the explicit rules are still intended.
{% for item in pppoe.ip_forwards -%}
-A FORWARD -p tcp -d {{ item.dst_ip }} --dport {{ item.dst_port }} -j ACCEPT
{% endfor -%}
# Return traffic, related flows, and connections that went through DNAT.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED,DNAT -j ACCEPT
# LAN hosts may initiate anything outbound.
-A FORWARD -i {{ pppoe.interfaces.lan }} -j ACCEPT
-A FORWARD -j REJECT
COMMIT

*nat
# Hide LAN addresses behind the dynamic PPPoE address on egress.
-A POSTROUTING -o {{ pppoe.interfaces.ppp }} -j MASQUERADE
# Inbound TCP port forwards: PPPoE side src_port -> dst_ip:dst_port.
# The description from pillar is emitted as a comment above each rule.
{% for item in pppoe.ip_forwards -%}
# {{ item.desc }}
-A PREROUTING -i {{ pppoe.interfaces.ppp }} -p tcp --dport {{ item.src_port }} -j DNAT --to-destination {{ item.dst_ip }}:{{ item.dst_port }}
{% endfor -%}
COMMIT

*mangle
# Clamp TCP MSS to the path MTU on connection setup (SYN set, RST clear) so
# hosts behind the gateway do not exceed the smaller PPP MTU mid-stream.
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT