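# VPN Gateway IPTables Rules Template
# This is a template - actual rules are generated by killswitch.sh
#
# iptables-save/iptables-restore format. Three tables are declared (filter, nat,
# mangle); only filter carries rules. All three filter chains default to DROP, so
# every packet not explicitly accepted below is dropped - that is the kill switch.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Established connections
# Return traffic for flows already accepted by a rule below; a new flow still
# needs its own explicit ACCEPT.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# LAN (will be replaced with actual interface/network)
# Interface and network are matched together, so a LAN-addressed packet arriving
# on another interface is not accepted here.
-A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
-A OUTPUT -o eth0 -d 192.168.1.0/24 -j ACCEPT

# DNS for root only (for initial VPN connection)
# This exemption is bound to uid 0 only, not to an output interface or resolver
# address, so root-owned DNS queries can leave over the physical interface even
# while the tunnel is up. killswitch.sh should narrow or remove it once the
# tunnel is established, or point root's resolver at an address reached through
# the tunnel.
-A OUTPUT -p udp --dport 53 -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m owner --uid-owner 0 -j ACCEPT

# VPN Forward
# Forward new LAN flows only into the tunnel interface. Without "-o wg0" this rule
# accepted LAN-originated flows out of any interface, so with the tunnel down
# they could be routed out eth0 instead of being dropped. "wg0" must be the same
# tunnel interface killswitch.sh uses (see the nat POSTROUTING rule below).
-A FORWARD -i eth0 -s 192.168.1.0/24 -o wg0 -j ACCEPT

# NOTE(review): nothing in this template allows the tunnel's own handshake
# traffic on OUTPUT, or OUTPUT on the tunnel interface; presumably killswitch.sh
# adds those when it connects - confirm against the script.

# Log dropped packets (optional)
# If enabled these are the last rules before COMMIT, so they only see packets
# that fell through every ACCEPT above.
# -A INPUT -j LOG --log-prefix "DROP-IN: " --log-level 4
# -A OUTPUT -j LOG --log-prefix "DROP-OUT: " --log-level 4
# -A FORWARD -j LOG --log-prefix "DROP-FWD: " --log-level 4
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# NAT will be added dynamically when VPN connects
# Source NAT is restricted to the tunnel interface, so forwarded LAN traffic is
# only rewritten when it actually leaves through the VPN.
# -A POSTROUTING -o wg0 -j MASQUERADE
COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# No packet marking is used; the table is declared so a restore resets it.
COMMIT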