# Alpine 5G Router – iptables rules (IPv4)
# Restored at boot by iptables-restore service. Generated/updated by connect-5g.sh or install.
# Ensure 5G WAN interface is eth1 and LAN is eth0.100; adjust if different.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Allow web GUI (port 5000) from eth0 (management access)
-A INPUT -i eth0 -p tcp --dport 5000 -j ACCEPT
# Allow LAN -> WAN (5G)
-A FORWARD -i eth0.100 -o eth1 -j ACCEPT
# Allow established/related WAN -> LAN
-A FORWARD -i eth1 -o eth0.100 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# NAT LAN traffic going out 5G
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT