*filter
:DFWRS_FORWARD - [0:0]
:DFWRS_INPUT - [0:0]
:FORWARD - [0:0]
:INPUT - [0:0]
-F DFWRS_FORWARD
-A DFWRS_FORWARD -m state --state INVALID -j DROP
-A DFWRS_FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A DFWRS_FORWARD -d $dst_ip=ip -i eni -o $output=bridge -p tcp --dport 1010 -j ACCEPT
-A DFWRS_FORWARD -d $dst_ip=ip -i eni -o $output=bridge -p tcp --dport 2010 -j ACCEPT
-A DFWRS_FORWARD -s 192.0.2.2/32 -d $dst_ip=ip -i eni -o $output=bridge -p tcp --dport 1020 -j ACCEPT
-A DFWRS_FORWARD -s 192.0.2.3/32 -d $dst_ip=ip -i eni -o $output=bridge -p tcp --dport 1020 -j ACCEPT
-A DFWRS_FORWARD -s 192.0.2.2/32 -d $dst_ip=ip -i eni -o $output=bridge -p tcp --dport 2020 -j ACCEPT
-A DFWRS_FORWARD -s 192.0.2.3/32 -d $dst_ip=ip -i eni -o $output=bridge -p tcp --dport 2020 -j ACCEPT
-A DFWRS_FORWARD -i docker0 -o eni -j ACCEPT
-F DFWRS_INPUT
-A DFWRS_INPUT -m state --state INVALID -j DROP
-A DFWRS_INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A DFWRS_INPUT -i docker0 -j ACCEPT
-A FORWARD -j DFWRS_FORWARD
-A INPUT -j DFWRS_INPUT
COMMIT
*nat
:DFWRS_POSTROUTING - [0:0]
:DFWRS_PREROUTING - [0:0]
:POSTROUTING - [0:0]
:PREROUTING - [0:0]
-F DFWRS_POSTROUTING
-A DFWRS_POSTROUTING -o eni -j MASQUERADE
-F DFWRS_PREROUTING
-A DFWRS_PREROUTING -i eni -p tcp --dport 1010 -j DNAT --to-destination ${dst_ip=ip}:1010
-A DFWRS_PREROUTING -i eni -p tcp --dport 2010 -j DNAT --to-destination ${dst_ip=ip}:2010
-A DFWRS_PREROUTING -s 192.0.2.2/32 -i eni -p tcp --dport 1020 -j DNAT --to-destination ${dst_ip=ip}:1020
-A DFWRS_PREROUTING -s 192.0.2.3/32 -i eni -p tcp --dport 1020 -j DNAT --to-destination ${dst_ip=ip}:1020
-A DFWRS_PREROUTING -s 192.0.2.2/32 -i eni -p tcp --dport 2020 -j DNAT --to-destination ${dst_ip=ip}:2020
-A DFWRS_PREROUTING -s 192.0.2.3/32 -i eni -p tcp --dport 2020 -j DNAT --to-destination ${dst_ip=ip}:2020
-A POSTROUTING -j DFWRS_POSTROUTING
-A PREROUTING -j DFWRS_PREROUTING
COMMIT