*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DIVERT - [0:0]
# insert rules here to bypass KZorp 
# jump to KZorp and mark the packet 
-A DIVERT -j KZORP --tproxy-mark 0x80000000/0x80000000

-A PREROUTING -s 11.22.33.1 -p tcp --sport 1234 -j ACCEPT
# mark connection already handled by Zorp 
-A PREROUTING -m socket --transparent -j MARK --set-mark 0x80000000/0x80000000
-A PREROUTING -j DIVERT

-A INPUT -j DIVERT

-A FORWARD -j DIVERT


-A POSTROUTING -j DIVERT

COMMIT

*filter
:INPUT DROP
-A INPUT -s 11.22.33.1 -p tcp --sport 1234 -j ACCEPT
-A INPUT -s 44.55.66.253/32 -p tcp -m tcp --sport 4567 -j ACCEPT
# accept earlier marked packet 
-A INPUT -m mark --mark 0x80000000/0x80000000 -j ACCEPT

:FORWARD DROP
# accept connection relates to a packet filter service 
-A FORWARD -m conntrack ! --ctstate INVALID -m service --service-type forward -j ACCEPT

:OUTPUT ACCEPT
COMMIT
