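# Generated by iptables-save v1.8.11 (nf_tables)
#
# Transparent-proxy ruleset for a router with two interfaces:
#   mlan0  - hostapd hotspot (client side)
#   enp1s0 - upstream side (masqueraded egress)
# TCP from hotspot clients is redirected to a local redsocks listener on
# port 12345; selected destination ranges are exempted and routed directly.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Protect the local redsocks listener. REDIRECTed hotspot traffic arrives on
# mlan0, so nothing on the upstream side has a reason to reach port 12345
# directly. INPUT policy is ACCEPT, so without this rule the listener is
# reachable from enp1s0 whenever redsocks binds to all addresses.
-A INPUT -i enp1s0 -p tcp -m tcp --dport 12345 -j DROP

# Block UDP 443 (QUIC) from the hotspot so clients fall back to TCP 443,
# which is the only traffic the nat table redirects into the proxy.
-A FORWARD -i mlan0 -p udp -m udp --dport 443 -j DROP

# Forwarding between mlan0 and enp1s0: hotspot clients may open new
# connections upstream; the upstream side may only answer existing ones.
-A FORWARD -i mlan0 -o enp1s0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp1s0 -o mlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# The FORWARD policy is ACCEPT, so the two ACCEPT rules above are not a
# whitelist by themselves: anything they do not match (in particular NEW
# connections from enp1s0 into the hotspot) would otherwise be forwarded by
# the default policy. Drop the remainder of that direction explicitly.
-A FORWARD -i enp1s0 -o mlan0 -j DROP
# Forwarding between any other interface pair is still governed by the
# ACCEPT policy; change it to ":FORWARD DROP [0:0]" if mlan0 <-> enp1s0 is
# the only forwarding path this router is meant to provide.
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:REDSOCKS - [0:0]

# ==========================================
# [Entry rule]
# Only client traffic arriving on mlan0 (hostapd hotspot) is considered.
# Only TCP enters the REDSOCKS chain: UDP from hotspot clients (e.g. DNS on
# port 53) is never proxied and leaves directly via the MASQUERADE rule below.
# ==========================================
-A PREROUTING -i mlan0 -p tcp -j REDSOCKS

# [Egress NAT]
-A POSTROUTING -o enp1s0 -j MASQUERADE

# ==========================================
# [REDSOCKS chain - direct (non-proxied) destinations]
# RETURN hands the packet back to PREROUTING, whose policy is ACCEPT,
# i.e. the packet is routed normally instead of being redirected.
# ==========================================
# 1. Loopback
-A REDSOCKS -d 127.0.0.0/8 -j RETURN
# 2. RFC 1918 private ranges (LAN traffic stays direct)
-A REDSOCKS -d 10.0.0.0/8 -j RETURN
-A REDSOCKS -d 172.16.0.0/12 -j RETURN
-A REDSOCKS -d 192.168.0.0/16 -j RETURN
# 3. Link-local addresses (APIPA)
-A REDSOCKS -d 169.254.0.0/16 -j RETURN
# 4. Multicast
-A REDSOCKS -d 224.0.0.0/4 -j RETURN

# ==========================================
# [Proxied destinations]
# Everything else (public ranges, plus 240.0.0.0/8) is redirected to the
# local redsocks listener.
# ==========================================
-A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
COMMIT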