From 4a93d93e437b67eea57020ccd6f0e7228a849969 Mon Sep 17 00:00:00 2001
From: HynoR <20227709+HynoR@users.noreply.github.com>
Date: Thu, 30 Oct 2025 18:45:19 +0800
Subject: [PATCH 01/16] feat: support iptables control

---
 agent/app/api/v2/entry.go                     |  11 +-
 agent/app/api/v2/firewall.go                  | 111 +++++
 agent/app/dto/firewall.go                     |  49 ++
 agent/app/model/firewall.go                   |  26 +
 agent/app/repo/iptables_filter_rule.go        |  67 +++
 agent/app/service/iptables_filter.go          | 434 +++++++++++++++++
 agent/init/migration/migrations/init.go       |   1 +
 agent/router/ro_host.go                       |   5 +
 agent/utils/docker/compose.go                 |   7 +-
 agent/utils/firewall/client.go                |   6 +
 agent/utils/firewall/client/iptables.go       | 322 ++++++++++++
 agent/utils/firewall/client/iptables_fw.go    | 461 ++++++++++++++++++
 frontend/src/api/interface/host.ts            |  43 ++
 frontend/src/api/modules/host.ts              |  14 +
 frontend/src/lang/modules/en.ts               |   1 +
 frontend/src/lang/modules/zh.ts               |  26 +
 frontend/src/routers/modules/host.ts          |  10 +
 frontend/src/views/host/filter/index.vue      | 358 ++++++++++++++
 .../src/views/host/filter/operate/index.vue   | 165 +++++++
 19 files changed, 2109 insertions(+), 8 deletions(-)
 create mode 100644 agent/app/repo/iptables_filter_rule.go
 create mode 100644 agent/app/service/iptables_filter.go
 create mode 100644 agent/utils/firewall/client/iptables_fw.go
 create mode 100644 frontend/src/views/host/filter/index.vue
 create mode 100644 frontend/src/views/host/filter/operate/index.vue

diff --git a/agent/app/api/v2/entry.go b/agent/app/api/v2/entry.go
index aa403c95cbe8..47fedc28fd66 100644
--- a/agent/app/api/v2/entry.go
+++ b/agent/app/api/v2/entry.go
@@ -35,11 +35,12 @@ var (
 
 	cronjobService = service.NewICronjobService()
 
-	fileService     = service.NewIFileService()
-	sshService      = service.NewISSHService()
-	firewallService = service.NewIFirewallService()
-	monitorService  = service.NewIMonitorService()
-	systemService   = service.NewISystemService()
+	fileService            = service.NewIFileService()
+	sshService             = service.NewISSHService()
+	firewallService        = service.NewIFirewallService()
+	iptablesFilterService  = service.NewIIptablesFilterService()
+	monitorService         = service.NewIMonitorService()
+	systemService          = service.NewISystemService()
 
 	deviceService   = service.NewIDeviceService()
 	fail2banService = service.NewIFail2BanService()
diff --git a/agent/app/api/v2/firewall.go b/agent/app/api/v2/firewall.go
index 62e2a44a740d..9bfb315ef332 100644
--- a/agent/app/api/v2/firewall.go
+++ b/agent/app/api/v2/firewall.go
@@ -221,3 +221,114 @@ func (b *BaseApi) UpdateAddrRule(c *gin.Context) {
 	}
 	helper.Success(c)
 }
+
+// @Tags Firewall
+// @Summary Get iptables filter rules
+// @Accept json
+// @Param request body dto.IptablesFilterRuleSearch true "request"
+// @Success 200 {object} []dto.IptablesChainInfo
+// @Security ApiKeyAuth
+// @Security Timestamp
+// @Router /hosts/firewall/filter/rules [post]
+func (b *BaseApi) GetFilterRules(c *gin.Context) {
+	var req dto.IptablesFilterRuleSearch
+	if err := helper.CheckBindAndValidate(&req, c); err != nil {
+		return
+	}
+
+	data, err := iptablesFilterService.GetFilterRules(req.Chains)
+	if err != nil {
+		helper.InternalServer(c, err)
+		return
+	}
+
+	helper.SuccessWithData(c, data)
+}
+
+// @Tags Firewall
+// @Summary Operate iptables filter rule
+// @Accept json
+// @Param request body dto.IptablesFilterRuleOperate true "request"
+// @Success 200
+// @Security ApiKeyAuth
+// @Security Timestamp
+// @Router /hosts/firewall/filter/rule [post]
+// @x-panel-log {"bodyKeys":["operation","chain"],"paramKeys":[],"BeforeFunctions":[],"formatZH":"[operation] filter规则到 [chain]","formatEN":"[operation] filter rule to [chain]"}
+func (b *BaseApi) OperateFilterRule(c *gin.Context) {
+	var req dto.IptablesFilterRuleOperate
+	if err := helper.CheckBindAndValidate(&req, c); err != nil {
+		return
+	}
+
+	if req.Operation == "add" {
+		if err := iptablesFilterService.AddRule(req); err != nil {
+			helper.InternalServer(c, err)
+			return
+		}
+	} else if req.Operation == "remove" {
+		if err := iptablesFilterService.RemoveRule(req.ID); err != nil {
+			helper.InternalServer(c, err)
+			return
+		}
+	}
+
+	helper.Success(c)
+}
+
+// @Tags Firewall
+// @Summary Batch operate iptables filter rules
+// @Accept json
+// @Param request body dto.IptablesFilterBatchOperate true "request"
+// @Success 200
+// @Security ApiKeyAuth
+// @Security Timestamp
+// @Router /hosts/firewall/filter/batch [post]
+func (b *BaseApi) BatchOperateFilterRule(c *gin.Context) {
+	var req dto.IptablesFilterBatchOperate
+	if err := helper.CheckBindAndValidate(&req, c); err != nil {
+		return
+	}
+
+	if err := iptablesFilterService.BatchOperate(req); err != nil {
+		helper.InternalServer(c, err)
+		return
+	}
+
+	helper.Success(c)
+}
+
+// @Tags Firewall
+// @Summary Apply/Unload/Init iptables filter
+// @Accept json
+// @Param request body dto.IptablesFilterApply true "request"
+// @Success 200
+// @Security ApiKeyAuth
+// @Security Timestamp
+// @Router /hosts/firewall/filter/apply [post]
+// @x-panel-log {"bodyKeys":["operation"],"paramKeys":[],"BeforeFunctions":[],"formatZH":"[operation] iptables filter防火墙","formatEN":"[operation] iptables filter firewall"}
+func (b *BaseApi) ApplyFilterFirewall(c *gin.Context) {
+	var req dto.IptablesFilterApply
+	if err := helper.CheckBindAndValidate(&req, c); err != nil {
+		return
+	}
+
+	switch req.Operation {
+	case "init":
+		if err := iptablesFilterService.InitChains(); err != nil {
+			helper.InternalServer(c, err)
+			return
+		}
+	case "apply":
+		if err := iptablesFilterService.ApplyFirewall(); err != nil {
+			helper.InternalServer(c, err)
+			return
+		}
+	case "unload":
+		if err := iptablesFilterService.UnloadFirewall(); err != nil {
+			helper.InternalServer(c, err)
+			return
+		}
+	}
+
+	helper.Success(c)
+}
diff --git a/agent/app/dto/firewall.go b/agent/app/dto/firewall.go
index 99920d929232..40e33db44888 100644
--- a/agent/app/dto/firewall.go
+++ b/agent/app/dto/firewall.go
@@ -76,3 +76,52 @@ type BatchRuleOperate struct {
 	Type  string            `json:"type" validate:"required"`
 	Rules []PortRuleOperate `json:"rules"`
 }
+
+// Iptables Filter DTO
+
+type IptablesFilterRuleSearch struct {
+	Chains []string `json:"chains"`
+}
+
+type IptablesChainInfo struct {
+	Version       string                   `json:"version"`
+	Name          string                   `json:"name"`
+	DefaultPolicy string                   `json:"defaultPolicy"`
+	Rules         []IptablesFilterRuleInfo `json:"rules"`
+	IsApplied     bool                     `json:"isApplied"`
+}
+
+type IptablesFilterRuleInfo struct {
+	ID          uint   `json:"id"`
+	Protocol    string `json:"protocol"`
+	SourceIP    string `json:"sourceIP"`
+	SourcePort  uint16 `json:"sourcePort"`
+	DestIP      string `json:"destIP"`
+	DestPort    uint16 `json:"destPort"`
+	Action      string `json:"action"`
+	Comment     string `json:"comment"`
+	Description string `json:"description"`
+	RuleOrder   int    `json:"ruleOrder"`
+	IsActive    bool   `json:"isActive"`
+}
+
+type IptablesFilterRuleOperate struct {
+	Operation   string `json:"operation" validate:"required,oneof=add remove"`
+	ID          uint   `json:"id"`
+	Chain       string `json:"chain" validate:"required,oneof=1PANEL_INPUT 1PANEL_OUTPUT"`
+	Protocol    string `json:"protocol"`
+	SourceIP    string `json:"sourceIP"`
+	SourcePort  uint16 `json:"sourcePort"`
+	DestIP      string `json:"destIP"`
+	DestPort    uint16 `json:"destPort"`
+	Action      string `json:"action" validate:"required,oneof=ACCEPT DROP REJECT"`
+	Description string `json:"description"`
+}
+
+type IptablesFilterApply struct {
+	Operation string `json:"operation" validate:"required,oneof=apply unload init"`
+}
+
+type IptablesFilterBatchOperate struct {
+	Rules []IptablesFilterRuleOperate `json:"rules"`
+}
diff --git a/agent/app/model/firewall.go b/agent/app/model/firewall.go
index 622203d058c9..358dd2ad16c4 100644
--- a/agent/app/model/firewall.go
+++ b/agent/app/model/firewall.go
@@ -20,3 +20,29 @@ type Forward struct {
 	TargetPort string `gorm:"not null" json:"targetPort"`
 	Interface  string `json:"interface"`
 }
+
+type IptablesFilterRule struct {
+	BaseModel
+
+	Chain       string `gorm:"not null;index:idx_chain" json:"chain"`
+	Protocol    string `json:"protocol"`
+	SourceIP    string `json:"sourceIP"`
+	SourcePort  uint16 `json:"sourcePort"`
+	DestIP      string `json:"destIP"`
+	DestPort    uint16 `json:"destPort"`
+	Action      string `gorm:"not null" json:"action"`
+	Comment     string `json:"comment"`
+	Description string `json:"description"`
+	RuleOrder   int    `gorm:"default:0;index:idx_chain_order" json:"ruleOrder"`
+}
+
+type IptablesRule struct {
+	BaseModel
+
+	RuleType string `gorm:"not null" json:"ruleType"` // port, address
+	Protocol string `json:"protocol"`
+	Port     string `json:"port"`
+	Strategy string `gorm:"not null" json:"strategy"` // accept, drop, reject
+	Address  string `json:"address"`
+	Family   string `json:"family"` // ipv4, ipv6
+}
diff --git a/agent/app/repo/iptables_filter_rule.go b/agent/app/repo/iptables_filter_rule.go
new file mode 100644
index 000000000000..207ef5d252eb
--- /dev/null
+++ b/agent/app/repo/iptables_filter_rule.go
@@ -0,0 +1,67 @@
+package repo
+
+import (
+	"context"
+
+	"github.com/1Panel-dev/1Panel/agent/app/model"
+	"github.com/1Panel-dev/1Panel/agent/global"
+)
+
+type IIptablesFilterRuleRepo interface {
+	Create(ctx context.Context, rule *model.IptablesFilterRule) error
+	Delete(ctx context.Context, id uint) error
+	DeleteByChain(ctx context.Context, chain string) error
+	GetByID(ctx context.Context, id uint) (model.IptablesFilterRule, error)
+	List(ctx context.Context, chains []string) ([]model.IptablesFilterRule, error)
+	ListByChain(ctx context.Context, chain string) ([]model.IptablesFilterRule, error)
+	GetMaxRuleOrder(ctx context.Context, chain string) (int, error)
+}
+
+type IptablesFilterRuleRepo struct{}
+
+func NewIIptablesFilterRuleRepo() IIptablesFilterRuleRepo {
+	return &IptablesFilterRuleRepo{}
+}
+
+func (r *IptablesFilterRuleRepo) Create(ctx context.Context, rule *model.IptablesFilterRule) error {
+	return global.DB.WithContext(ctx).Create(rule).Error
+}
+
+func (r *IptablesFilterRuleRepo) Delete(ctx context.Context, id uint) error {
+	return global.DB.WithContext(ctx).Where("id = ?", id).Delete(&model.IptablesFilterRule{}).Error
+}
+
+func (r *IptablesFilterRuleRepo) DeleteByChain(ctx context.Context, chain string) error {
+	return global.DB.WithContext(ctx).Where("chain = ?", chain).Delete(&model.IptablesFilterRule{}).Error
+}
+
+func (r *IptablesFilterRuleRepo) GetByID(ctx context.Context, id uint) (model.IptablesFilterRule, error) {
+	var rule model.IptablesFilterRule
+	err := global.DB.WithContext(ctx).Where("id = ?", id).First(&rule).Error
+	return rule, err
+}
+
+func (r *IptablesFilterRuleRepo) List(ctx context.Context, chains []string) ([]model.IptablesFilterRule, error) {
+	var rules []model.IptablesFilterRule
+	query := global.DB.WithContext(ctx)
+	if len(chains) > 0 {
+		query = query.Where("chain IN ?", chains)
+	}
+	err := query.Order("chain ASC, rule_order ASC, id ASC").Find(&rules).Error
+	return rules, err
+}
+
+func (r *IptablesFilterRuleRepo) ListByChain(ctx context.Context, chain string) ([]model.IptablesFilterRule, error) {
+	var rules []model.IptablesFilterRule
+	err := global.DB.WithContext(ctx).Where("chain = ?", chain).Order("rule_order ASC, id ASC").Find(&rules).Error
+	return rules, err
+}
+
+func (r *IptablesFilterRuleRepo) GetMaxRuleOrder(ctx context.Context, chain string) (int, error) {
+	var maxOrder int
+	err := global.DB.WithContext(ctx).Model(&model.IptablesFilterRule{}).
+		Where("chain = ?", chain).
+		Select("COALESCE(MAX(rule_order), 0)").
+		Scan(&maxOrder).Error
+	return maxOrder, err
+}
diff --git a/agent/app/service/iptables_filter.go b/agent/app/service/iptables_filter.go
new file mode 100644
index 000000000000..9e4d9df2785a
--- /dev/null
+++ b/agent/app/service/iptables_filter.go
@@ -0,0 +1,434 @@
+package service
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/1Panel-dev/1Panel/agent/app/dto"
+	"github.com/1Panel-dev/1Panel/agent/app/model"
+	"github.com/1Panel-dev/1Panel/agent/app/repo"
+	"github.com/1Panel-dev/1Panel/agent/global"
+	"github.com/1Panel-dev/1Panel/agent/utils/firewall/client"
+)
+
+type IIptablesFilterService interface {
+	GetFilterRules(chains []string) ([]dto.IptablesChainInfo, error)
+	AddRule(req dto.IptablesFilterRuleOperate) error
+	RemoveRule(id uint) error
+	BatchOperate(req dto.IptablesFilterBatchOperate) error
+	InitChains() error
+	ApplyFirewall() error
+	UnloadFirewall() error
+	ReloadRules() error
+}
+
+type IptablesFilterService struct {
+	repo           repo.IIptablesFilterRuleRepo
+	iptablesClient *client.Iptables
+}
+
+func NewIIptablesFilterService() IIptablesFilterService {
+	iptablesClient, _ := client.NewIptables()
+	return &IptablesFilterService{
+		repo:           repo.NewIIptablesFilterRuleRepo(),
+		iptablesClient: iptablesClient,
+	}
+}
+
+const (
+	ChainInput        = "INPUT"
+	ChainOutput       = "OUTPUT"
+	Chain1PanelInput  = "1PANEL_INPUT"
+	Chain1PanelOutput = "1PANEL_OUTPUT"
+)
+
+func (s *IptablesFilterService) GetFilterRules(chains []string) ([]dto.IptablesChainInfo, error) {
+	if len(chains) == 0 {
+		chains = []string{ChainInput, ChainOutput, Chain1PanelInput, Chain1PanelOutput}
+	}
+
+	// 获取 iptables 版本
+	version, err := s.iptablesClient.GetVersion()
+	if err != nil {
+		global.LOG.Warnf("failed to get iptables version: %v", err)
+		version = "unknown"
+	}
+
+	// 读取 iptables 规则
+	iptablesChains, err := s.iptablesClient.ReadFilter(chains)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read iptables rules: %w", err)
+	}
+
+	// 从数据库读取规则描述
+	ctx := context.Background()
+	dbRules, _ := s.repo.List(ctx, []string{Chain1PanelInput, Chain1PanelOutput})
+	descMap := make(map[uint]string)
+	for _, rule := range dbRules {
+		descMap[rule.ID] = rule.Description
+	}
+
+	var result []dto.IptablesChainInfo
+	for _, chainName := range chains {
+		chain, ok := iptablesChains[chainName]
+		if !ok {
+			continue
+		}
+
+		chainInfo := dto.IptablesChainInfo{
+			Version:       version,
+			Name:          chainName,
+			DefaultPolicy: chain.DefaultPolicy,
+			Rules:         []dto.IptablesFilterRuleInfo{},
+			IsApplied:     false,
+		}
+
+		// 检查是否已应用（INPUT/OUTPUT 链包含跳转规则）
+		if chainName == ChainInput || chainName == ChainOutput {
+			item := chain.FirstRule
+			targetChain := Chain1PanelInput
+			if chainName == ChainOutput {
+				targetChain = Chain1PanelOutput
+			}
+			for item != nil {
+				if item.P.Action == targetChain {
+					chainInfo.IsApplied = true
+					break
+				}
+				item = item.Next()
+			}
+		}
+
+		// 转换规则
+		item := chain.FirstRule
+		order := 0
+		for item != nil {
+			p := item.P
+			ruleInfo := dto.IptablesFilterRuleInfo{
+				Protocol:   p.Protocol,
+				SourceIP:   p.SourceIP,
+				SourcePort: p.SrcPort,
+				DestIP:     p.DestIP,
+				DestPort:   p.DstPort,
+				Action:     p.Action,
+				Comment:    p.Comment,
+				RuleOrder:  order,
+			}
+
+			// 从 comment 中提取 ID（格式：1Panel_FilterRule_<ID>）
+			if p.Comment != "" {
+				var id uint
+				fmt.Sscanf(p.Comment, "1Panel_FilterRule_%d", &id)
+				ruleInfo.ID = id
+				if desc, ok := descMap[id]; ok {
+					ruleInfo.Description = desc
+				}
+			}
+
+			chainInfo.Rules = append(chainInfo.Rules, ruleInfo)
+			order++
+			item = item.Next()
+		}
+
+		result = append(result, chainInfo)
+	}
+
+	return result, nil
+}
+
+func (s *IptablesFilterService) AddRule(req dto.IptablesFilterRuleOperate) error {
+	if req.Chain != Chain1PanelInput && req.Chain != Chain1PanelOutput {
+		return fmt.Errorf("只允许操作 %s 或 %s 链", Chain1PanelInput, Chain1PanelOutput)
+	}
+
+	// 安全检查：防止无条件 DROP/REJECT
+	if (req.Action == "DROP" || req.Action == "REJECT") &&
+		req.Protocol == "" && req.SourceIP == "" && req.DestIP == "" &&
+		req.SourcePort == 0 && req.DestPort == 0 {
+		return fmt.Errorf("不允许添加无条件 %s 规则，这会锁定系统", req.Action)
+	}
+
+	ctx := context.Background()
+
+	// 获取最大规则顺序
+	maxOrder, err := s.repo.GetMaxRuleOrder(ctx, req.Chain)
+	if err != nil {
+		return fmt.Errorf("failed to get max rule order: %w", err)
+	}
+
+	// 创建数据库记录
+	rule := &model.IptablesFilterRule{
+		Chain:       req.Chain,
+		Protocol:    req.Protocol,
+		SourceIP:    req.SourceIP,
+		SourcePort:  req.SourcePort,
+		DestIP:      req.DestIP,
+		DestPort:    req.DestPort,
+		Action:      req.Action,
+		Description: req.Description,
+		RuleOrder:   maxOrder + 1,
+	}
+
+	if err := s.repo.Create(ctx, rule); err != nil {
+		return fmt.Errorf("failed to save rule to database: %w", err)
+	}
+
+	// 生成 comment
+	rule.Comment = fmt.Sprintf("1Panel_FilterRule_%d", rule.ID)
+
+	// 添加 iptables 规则
+	policy := client.IptablesPolicy{
+		Protocol: req.Protocol,
+		SourceIP: req.SourceIP,
+		SrcPort:  req.SourcePort,
+		DestIP:   req.DestIP,
+		DstPort:  req.DestPort,
+		Action:   req.Action,
+		Comment:  rule.Comment,
+	}
+
+	if err := s.iptablesClient.AddPolicy(req.Chain, policy); err != nil {
+		// 回滚数据库
+		_ = s.repo.Delete(ctx, rule.ID)
+		return fmt.Errorf("failed to add iptables rule: %w", err)
+	}
+
+	// 更新数据库 comment
+	rule.Comment = fmt.Sprintf("1Panel_FilterRule_%d", rule.ID)
+	return global.DB.Model(rule).Update("comment", rule.Comment).Error
+}
+
+func (s *IptablesFilterService) RemoveRule(id uint) error {
+	ctx := context.Background()
+
+	// 从数据库查询规则
+	rule, err := s.repo.GetByID(ctx, id)
+	if err != nil {
+		return fmt.Errorf("rule not found: %w", err)
+	}
+
+	// 按 comment 删除 iptables 规则
+	if rule.Comment != "" {
+		if err := s.iptablesClient.RemovePolicyByComment(rule.Chain, rule.Comment); err != nil {
+			global.LOG.Warnf("failed to remove iptables rule by comment: %v, trying to delete by policy", err)
+			// 如果按 comment 删除失败，尝试按规则内容删除
+			policy := client.IptablesPolicy{
+				Protocol: rule.Protocol,
+				SourceIP: rule.SourceIP,
+				SrcPort:  rule.SourcePort,
+				DestIP:   rule.DestIP,
+				DstPort:  rule.DestPort,
+				Action:   rule.Action,
+				Comment:  rule.Comment,
+			}
+			if err := s.iptablesClient.DeletePolicy(rule.Chain, policy); err != nil {
+				return fmt.Errorf("failed to remove iptables rule: %w", err)
+			}
+		}
+	}
+
+	// 删除数据库记录
+	return s.repo.Delete(ctx, id)
+}
+
+func (s *IptablesFilterService) BatchOperate(req dto.IptablesFilterBatchOperate) error {
+	for _, ruleReq := range req.Rules {
+		if ruleReq.Operation == "add" {
+			if err := s.AddRule(ruleReq); err != nil {
+				return err
+			}
+		} else if ruleReq.Operation == "remove" {
+			if err := s.RemoveRule(ruleReq.ID); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func (s *IptablesFilterService) InitChains() error {
+	// 检查并创建 1PANEL_INPUT
+	exists, err := s.iptablesClient.ChainExists(client.FilterTab, Chain1PanelInput)
+	if err != nil {
+		return fmt.Errorf("failed to check chain %s: %w", Chain1PanelInput, err)
+	}
+
+	if !exists {
+		if err := s.iptablesClient.NewChain(client.FilterTab, Chain1PanelInput); err != nil {
+			return fmt.Errorf("failed to create chain %s: %w", Chain1PanelInput, err)
+		}
+	} else {
+		// 清空已存在的链
+		if err := s.iptablesClient.FlushChain(client.FilterTab, Chain1PanelInput); err != nil {
+			return err
+		}
+	}
+
+	// 检查并创建 1PANEL_OUTPUT
+	exists, err = s.iptablesClient.ChainExists(client.FilterTab, Chain1PanelOutput)
+	if err != nil {
+		return fmt.Errorf("failed to check chain %s: %w", Chain1PanelOutput, err)
+	}
+
+	if !exists {
+		if err := s.iptablesClient.NewChain(client.FilterTab, Chain1PanelOutput); err != nil {
+			return fmt.Errorf("failed to create chain %s: %w", Chain1PanelOutput, err)
+		}
+	} else {
+		if err := s.iptablesClient.FlushChain(client.FilterTab, Chain1PanelOutput); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (s *IptablesFilterService) ApplyFirewall() error {
+	// 安全检查
+	chains, err := s.iptablesClient.ReadFilter([]string{Chain1PanelInput, Chain1PanelOutput})
+	if err != nil {
+		return fmt.Errorf("failed to read filter chains: %w", err)
+	}
+
+	// 检查 1PANEL_INPUT 安全性
+	if inputChain, ok := chains[Chain1PanelInput]; ok {
+		item := inputChain.FirstRule
+		for item != nil {
+			p := item.P
+			if (p.Action == "DROP" || p.Action == "REJECT") &&
+				p.Protocol == "" && p.SourceIP == "" && p.DestIP == "" &&
+				p.SrcPort == 0 && p.DstPort == 0 {
+				return fmt.Errorf("链 %s 包含无条件 %s 规则，不允许应用", Chain1PanelInput, p.Action)
+			}
+			item = item.Next()
+		}
+	}
+
+	// 检查 1PANEL_OUTPUT 安全性
+	if outputChain, ok := chains[Chain1PanelOutput]; ok {
+		item := outputChain.FirstRule
+		for item != nil {
+			p := item.P
+			if (p.Action == "DROP" || p.Action == "REJECT") &&
+				p.Protocol == "" && p.SourceIP == "" && p.DestIP == "" &&
+				p.SrcPort == 0 && p.DstPort == 0 {
+				return fmt.Errorf("链 %s 包含无条件 %s 规则，不允许应用", Chain1PanelOutput, p.Action)
+			}
+			item = item.Next()
+		}
+	}
+
+	// 检查 INPUT 链是否已有跳转规则
+	inputChains, _ := s.iptablesClient.ReadFilter([]string{ChainInput})
+	hasInputRule := false
+	if inputChain, ok := inputChains[ChainInput]; ok {
+		item := inputChain.FirstRule
+		for item != nil {
+			if item.P.Action == Chain1PanelInput {
+				hasInputRule = true
+				break
+			}
+			item = item.Next()
+		}
+	}
+
+	// 应用到 INPUT 链
+	if !hasInputRule {
+		if err := s.iptablesClient.Run(client.FilterTab, fmt.Sprintf("-I %s 1 -j %s", ChainInput, Chain1PanelInput)); err != nil {
+			return fmt.Errorf("failed to apply %s to %s: %w", Chain1PanelInput, ChainInput, err)
+		}
+		global.LOG.Infof("Applied %s to %s chain", Chain1PanelInput, ChainInput)
+	} else {
+		global.LOG.Infof("%s already applied to %s chain", Chain1PanelInput, ChainInput)
+	}
+
+	// 检查 OUTPUT 链是否已有跳转规则
+	outputChains, _ := s.iptablesClient.ReadFilter([]string{ChainOutput})
+	hasOutputRule := false
+	if outputChain, ok := outputChains[ChainOutput]; ok {
+		item := outputChain.FirstRule
+		for item != nil {
+			if item.P.Action == Chain1PanelOutput {
+				hasOutputRule = true
+				break
+			}
+			item = item.Next()
+		}
+	}
+
+	// 应用到 OUTPUT 链
+	if !hasOutputRule {
+		if err := s.iptablesClient.Run(client.FilterTab, fmt.Sprintf("-I %s 1 -j %s", ChainOutput, Chain1PanelOutput)); err != nil {
+			return fmt.Errorf("failed to apply %s to %s: %w", Chain1PanelOutput, ChainOutput, err)
+		}
+		global.LOG.Infof("Applied %s to %s chain", Chain1PanelOutput, ChainOutput)
+	} else {
+		global.LOG.Infof("%s already applied to %s chain", Chain1PanelOutput, ChainOutput)
+	}
+
+	return nil
+}
+
+func (s *IptablesFilterService) UnloadFirewall() error {
+	// 从 INPUT 链删除跳转规则
+	ruleNum, err := s.iptablesClient.FindRuleNum(ChainInput, Chain1PanelInput)
+	if err == nil {
+		if err := s.iptablesClient.RemovePolicyByNum(ChainInput, ruleNum); err != nil {
+			return fmt.Errorf("failed to unload %s from %s: %w", Chain1PanelInput, ChainInput, err)
+		}
+		global.LOG.Infof("Unloaded %s from %s chain", Chain1PanelInput, ChainInput)
+	} else {
+		global.LOG.Warnf("%s not found in %s chain: %v", Chain1PanelInput, ChainInput, err)
+	}
+
+	// 从 OUTPUT 链删除跳转规则
+	ruleNum, err = s.iptablesClient.FindRuleNum(ChainOutput, Chain1PanelOutput)
+	if err == nil {
+		if err := s.iptablesClient.RemovePolicyByNum(ChainOutput, ruleNum); err != nil {
+			return fmt.Errorf("failed to unload %s from %s: %w", Chain1PanelOutput, ChainOutput, err)
+		}
+		global.LOG.Infof("Unloaded %s from %s chain", Chain1PanelOutput, ChainOutput)
+	} else {
+		global.LOG.Warnf("%s not found in %s chain: %v", Chain1PanelOutput, ChainOutput, err)
+	}
+
+	return nil
+}
+
+func (s *IptablesFilterService) ReloadRules() error {
+	// 清空自定义链
+	if err := s.iptablesClient.FlushChain(client.FilterTab, Chain1PanelInput); err != nil {
+		return fmt.Errorf("failed to flush chain %s: %w", Chain1PanelInput, err)
+	}
+	if err := s.iptablesClient.FlushChain(client.FilterTab, Chain1PanelOutput); err != nil {
+		return fmt.Errorf("failed to flush chain %s: %w", Chain1PanelOutput, err)
+	}
+
+	// 从数据库读取规则
+	ctx := context.Background()
+	rules, err := s.repo.List(ctx, []string{Chain1PanelInput, Chain1PanelOutput})
+	if err != nil {
+		return fmt.Errorf("failed to load rules from database: %w", err)
+	}
+
+	// 逐条恢复规则
+	for _, rule := range rules {
+		policy := client.IptablesPolicy{
+			Protocol: rule.Protocol,
+			SourceIP: rule.SourceIP,
+			SrcPort:  rule.SourcePort,
+			DestIP:   rule.DestIP,
+			DstPort:  rule.DestPort,
+			Action:   rule.Action,
+			Comment:  rule.Comment,
+		}
+
+		if err := s.iptablesClient.AddPolicy(rule.Chain, policy); err != nil {
+			global.LOG.Errorf("failed to reload rule %d: %v", rule.ID, err)
+			continue
+		}
+	}
+
+	global.LOG.Infof("Reloaded %d firewall rules from database", len(rules))
+	return nil
+}
diff --git a/agent/init/migration/migrations/init.go b/agent/init/migration/migrations/init.go
index 9763b498a384..60e7c8e5c0dc 100644
--- a/agent/init/migration/migrations/init.go
+++ b/agent/init/migration/migrations/init.go
@@ -50,6 +50,7 @@ var AddTable = &gormigrate.Migration{
 			&model.Favorite{},
 			&model.Forward{},
 			&model.Firewall{},
+			&model.IptablesFilterRule{},
 			&model.Ftp{},
 			&model.ImageRepo{},
 			&model.ScriptLibrary{},
diff --git a/agent/router/ro_host.go b/agent/router/ro_host.go
index 7a5a845c23a0..cdccc0d2741b 100644
--- a/agent/router/ro_host.go
+++ b/agent/router/ro_host.go
@@ -22,6 +22,11 @@ func (s *HostRouter) InitRouter(Router *gin.RouterGroup) {
 		hostRouter.POST("/firewall/update/addr", baseApi.UpdateAddrRule)
 		hostRouter.POST("/firewall/update/description", baseApi.UpdateFirewallDescription)
 
+		hostRouter.POST("/firewall/filter/rules", baseApi.GetFilterRules)
+		hostRouter.POST("/firewall/filter/rule", baseApi.OperateFilterRule)
+		hostRouter.POST("/firewall/filter/batch", baseApi.BatchOperateFilterRule)
+		hostRouter.POST("/firewall/filter/apply", baseApi.ApplyFilterFirewall)
+
 		hostRouter.POST("/monitor/search", baseApi.LoadMonitor)
 		hostRouter.POST("/monitor/clean", baseApi.CleanMonitor)
 		hostRouter.GET("/monitor/netoptions", baseApi.GetNetworkOptions)
diff --git a/agent/utils/docker/compose.go b/agent/utils/docker/compose.go
index 2f12d36eb13e..a2e43ac7ec19 100644
--- a/agent/utils/docker/compose.go
+++ b/agent/utils/docker/compose.go
@@ -5,14 +5,15 @@ import (
 	"bytes"
 	"context"
 	"fmt"
+	"path"
+	"regexp"
+	"strings"
+
 	"github.com/compose-spec/compose-go/v2/loader"
 	"github.com/compose-spec/compose-go/v2/types"
 	"github.com/docker/compose/v2/pkg/api"
 	"github.com/joho/godotenv"
 	"gopkg.in/yaml.v3"
-	"path"
-	"regexp"
-	"strings"
 )
 
 type ComposeService struct {
diff --git a/agent/utils/firewall/client.go b/agent/utils/firewall/client.go
index 447cd8697572..f10ac7b2f7ae 100644
--- a/agent/utils/firewall/client.go
+++ b/agent/utils/firewall/client.go
@@ -41,5 +41,11 @@ func NewFirewallClient() (FirewallClient, error) {
 	if ufw {
 		return client.NewUfw()
 	}
+
+	iptables := cmd.Which("iptables")
+	if iptables {
+		return client.NewIptablesFw()
+	}
+
 	return nil, errors.New("No system firewalld or ufw service detected, please check and try again!")
 }
diff --git a/agent/utils/firewall/client/iptables.go b/agent/utils/firewall/client/iptables.go
index dc3610a0b301..58ba96d282fe 100644
--- a/agent/utils/firewall/client/iptables.go
+++ b/agent/utils/firewall/client/iptables.go
@@ -2,6 +2,7 @@ package client
 
 import (
 	"fmt"
+	"os/exec"
 	"regexp"
 	"strings"
 	"time"
@@ -17,6 +18,12 @@ const (
 	ForwardChain     = "1PANEL_FORWARD"
 )
 
+const (
+	ACCEPT = "ACCEPT"
+	DROP   = "DROP"
+	REJECT = "REJECT"
+)
+
 const (
 	FilterTab = "filter"
 	NatTab    = "nat"
@@ -55,6 +62,11 @@ func (iptables *Iptables) run(tab, rule string) error {
 	return nil
 }
 
+// Run 导出的 run 方法供外部调用
+func (iptables *Iptables) Run(tab, rule string) error {
+	return iptables.run(tab, rule)
+}
+
 func (iptables *Iptables) Check() error {
 	stdout, err := cmd.RunDefaultWithStdoutBashC("cat /proc/sys/net/ipv4/ip_forward")
 	if err != nil {
@@ -75,6 +87,19 @@ func (iptables *Iptables) Check() error {
 	return nil
 }
 
+func (iptables *Iptables) GetVersion() (string, error) {
+	stdout, err := cmd.RunDefaultWithStdoutBashC("iptables --version")
+	if err != nil {
+		return "", fmt.Errorf("failed to get iptables version: %w", err)
+	}
+	// 提取版本号，例如 "iptables v1.8.7 (nf_tables)"
+	parts := strings.Fields(stdout)
+	if len(parts) >= 2 {
+		return strings.TrimPrefix(parts[1], "v"), nil
+	}
+	return strings.TrimSpace(stdout), nil
+}
+
 func (iptables *Iptables) NewChain(tab, chain string) error {
 	return iptables.run(tab, "-N "+chain)
 }
@@ -232,6 +257,55 @@ func (iptables *Iptables) NatRemove(num string, protocol, srcPort, dest, destPor
 	return nil
 }
 
+// test struct
+/*
+🧩 规则解释
+
+-A INPUT / -A OUTPUT：追加规则到对应链。
+
+-p tcp / -p udp：指定协议。
+
+--dport / --sport：目标端口 / 源端口。
+
+-d / -s：目标 IP / 源 IP。
+
+-j DROP：丢弃数据包（不回应）。
+
+若改成 -j REJECT，则会主动返回一个拒绝报文（对调试有用）。*
+*/
+type IptablesPolicy struct {
+	Protocol string
+	SrcPort  uint16
+	DstPort  uint16
+	SourceIP string
+	DestIP   string
+	Action   string // ACCEPT, DROP, REJECT
+	Comment  string
+}
+
+func (iptables *Iptables) AddPolicy(chain string, policy IptablesPolicy) error {
+	iptablesArg := fmt.Sprintf("-A %s", chain)
+	if policy.Protocol != "" {
+		iptablesArg += fmt.Sprintf(" -p %s", policy.Protocol)
+	}
+	if policy.SrcPort != 0 {
+		iptablesArg += fmt.Sprintf(" --sport %d", policy.SrcPort)
+	}
+	if policy.DstPort != 0 {
+		iptablesArg += fmt.Sprintf(" --dport %d", policy.DstPort)
+	}
+	if policy.SourceIP != "" {
+		iptablesArg += fmt.Sprintf(" -s %s", policy.SourceIP)
+	}
+	if policy.DestIP != "" {
+		iptablesArg += fmt.Sprintf(" -d %s", policy.DestIP)
+	}
+	iptablesArg += fmt.Sprintf(" -j %s", policy.Action)
+	iptablesArg += fmt.Sprintf(" -m comment --comment \"%s\"", policy.Comment)
+
+	return iptables.run(FilterTab, iptablesArg)
+}
+
 func (iptables *Iptables) Reload() error {
 	if err := iptables.run(NatTab, "-F "+PreRoutingChain); err != nil {
 		return err
@@ -252,3 +326,251 @@ func (iptables *Iptables) Reload() error {
 	}
 	return nil
 }
+
+// IptablesChain
+type IptablesChain struct {
+	Name          string
+	DefaultPolicy string
+	FirstRule     *IptablesPolicyChainItem
+	LastRule      *IptablesPolicyChainItem
+}
+
+type IptablesPolicyChainItem struct {
+	next *IptablesPolicyChainItem
+	P    IptablesPolicy
+}
+
+func (item *IptablesPolicyChainItem) SetNext(next *IptablesPolicyChainItem) {
+	item.next = next
+}
+
+func (item *IptablesPolicyChainItem) Next() *IptablesPolicyChainItem {
+	return item.next
+}
+
+func (c *IptablesChain) ParseLine(line string) error {
+	cmd := strings.Split(line, " ")
+
+	if cmd[0] == "-P" {
+		c.Name = cmd[1]
+		c.DefaultPolicy = cmd[2]
+		return nil
+	}
+	if cmd[0] == "-A" {
+		if cmd[1] != c.Name {
+			return fmt.Errorf("invalid chain name in rule line: %s", line)
+		}
+		policy := IptablesPolicy{}
+		for i := 2; i < len(cmd); i++ {
+			switch cmd[i] {
+			case "-p":
+				i++
+				policy.Protocol = cmd[i]
+			case "--dport":
+				i++
+				// parse port
+				var port uint16
+				fmt.Sscanf(cmd[i], "%d", &port)
+				policy.DstPort = port
+			case "--sport":
+				i++
+				var port uint16
+				fmt.Sscanf(cmd[i], "%d", &port)
+				policy.SrcPort = port
+			case "-s":
+				i++
+				policy.SourceIP = cmd[i]
+			case "-d":
+				i++
+				policy.DestIP = cmd[i]
+			case "-j":
+				i++
+				policy.Action = cmd[i]
+			case "-m":
+				// skip
+				i++
+			case "--comment":
+				i++
+				policy.Comment = strings.Trim(cmd[i], "\"")
+			}
+		}
+		newItem := &IptablesPolicyChainItem{
+			P: policy,
+		}
+		if c.FirstRule == nil {
+			c.FirstRule = newItem
+			c.LastRule = newItem
+		} else {
+			current := c.LastRule
+			current.SetNext(newItem)
+			c.LastRule = newItem
+		}
+		return nil
+	}
+	return fmt.Errorf("invalid iptables rule line: %s", line)
+}
+
+// iptables filter 解析
+func (iptables *Iptables) ReadFilter(chainName []string) (map[string]IptablesChain, error) {
+	// iptables -S
+	cmdMgr := cmd.NewCommandMgr(cmd.WithIgnoreExist1(), cmd.WithTimeout(20*time.Second))
+	stdout, err := cmdMgr.RunWithStdoutBashCf("%s iptables -S", iptables.CmdStr)
+	if err != nil {
+		global.LOG.Errorf("iptables failed, %v", err)
+	}
+	// 解析内容
+	chains := make(map[string]IptablesChain)
+	for _, line := range strings.Split(stdout, "\n") {
+		line = strings.TrimSpace(line)
+		if strings.HasPrefix(line, "-P") || strings.HasPrefix(line, "-A") {
+			parts := strings.SplitN(line, " ", 3)
+			chain := parts[1]
+			if len(chainName) > 0 {
+				found := false
+				for _, name := range chainName {
+					if chain == name {
+						found = true
+						break
+					}
+				}
+				if !found {
+					continue
+				}
+			}
+			if _, exists := chains[chain]; !exists {
+				chains[chain] = IptablesChain{
+					Name: chain,
+				}
+			}
+			chainStruct := chains[chain]
+			if err := chainStruct.ParseLine(line); err != nil {
+				return nil, err
+			}
+			chains[chain] = chainStruct
+		}
+	}
+	return chains, nil
+}
+
+// 检查链中是否有无条件 DROP/REJECT 规则
+func checkChainSafety(chain IptablesChain) error {
+	item := chain.FirstRule
+	for item != nil {
+		policy := item.P
+		if policy.Action == "DROP" || policy.Action == "REJECT" {
+			// 检查是否为无条件规则(所有字段都为空)
+			if policy.Protocol == "" && policy.SrcPort == 0 && policy.DstPort == 0 &&
+				policy.SourceIP == "" && policy.DestIP == "" {
+				return fmt.Errorf("发现无条件 %s 规则,不允许应用", policy.Action)
+			}
+		}
+		item = item.Next()
+	}
+	return nil
+}
+
+// 执行 iptables 命令
+func runIptables(args ...string) error {
+	cmd := exec.Command("iptables", args...)
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("执行 iptables 失败: %v, 输出: %s", err, string(output))
+	}
+	return nil
+}
+
+// RemovePolicyByComment 按 comment 删除规则
+func (iptables *Iptables) RemovePolicyByComment(chain, comment string) error {
+	stdout, err := iptables.out(FilterTab, fmt.Sprintf("-S %s", chain))
+	if err != nil {
+		return err
+	}
+
+	// 解析规则找到匹配 comment 的行
+	lines := strings.Split(stdout, "\n")
+	for _, line := range lines {
+		if strings.Contains(line, comment) && strings.HasPrefix(line, "-A") {
+			// 替换 -A 为 -D 执行删除
+			deleteRule := strings.Replace(line, "-A", "-D", 1)
+			if err := iptables.run(FilterTab, deleteRule); err != nil {
+				return err
+			}
+			return nil
+		}
+	}
+	return fmt.Errorf("rule with comment '%s' not found in chain %s", comment, chain)
+}
+
+// RemovePolicyByNum 按规则编号删除
+func (iptables *Iptables) RemovePolicyByNum(chain string, num int) error {
+	return iptables.run(FilterTab, fmt.Sprintf("-D %s %d", chain, num))
+}
+
+// FindRuleNum 查找规则编号（返回第一个匹配的行号）
+func (iptables *Iptables) FindRuleNum(chain, matchStr string) (int, error) {
+	stdout, err := iptables.out(FilterTab, fmt.Sprintf("-L %s --line-numbers -n", chain))
+	if err != nil {
+		return 0, err
+	}
+
+	lines := strings.Split(stdout, "\n")
+	for _, line := range lines {
+		if strings.Contains(line, matchStr) {
+			// 提取行号（第一列）
+			fields := strings.Fields(line)
+			if len(fields) > 0 {
+				num, err := fmt.Sscanf(fields[0], "%d", new(int))
+				if err == nil && num == 1 {
+					var ruleNum int
+					fmt.Sscanf(fields[0], "%d", &ruleNum)
+					return ruleNum, nil
+				}
+			}
+		}
+	}
+	return 0, fmt.Errorf("rule not found in chain %s", chain)
+}
+
+// ChainExists 检查链是否存在
+func (iptables *Iptables) ChainExists(tab, chain string) (bool, error) {
+	// iptables -t filter -S | grep 'N 1PANEL'
+	stdout, err := iptables.out(tab, fmt.Sprintf("-S | grep 'N %s'", chain))
+	if err != nil {
+		return false, err
+	}
+	if strings.TrimSpace(stdout) == "" {
+		return false, nil
+	}
+	return true, nil
+}
+
+// FlushChain 清空链（保留链结构）
+func (iptables *Iptables) FlushChain(tab, chain string) error {
+	return iptables.run(tab, fmt.Sprintf("-F %s", chain))
+}
+
+// DeletePolicy 删除指定策略规则
+func (iptables *Iptables) DeletePolicy(chain string, policy IptablesPolicy) error {
+	iptablesArg := fmt.Sprintf("-D %s", chain)
+	if policy.Protocol != "" {
+		iptablesArg += fmt.Sprintf(" -p %s", policy.Protocol)
+	}
+	if policy.SrcPort != 0 {
+		iptablesArg += fmt.Sprintf(" --sport %d", policy.SrcPort)
+	}
+	if policy.DstPort != 0 {
+		iptablesArg += fmt.Sprintf(" --dport %d", policy.DstPort)
+	}
+	if policy.SourceIP != "" {
+		iptablesArg += fmt.Sprintf(" -s %s", policy.SourceIP)
+	}
+	if policy.DestIP != "" {
+		iptablesArg += fmt.Sprintf(" -d %s", policy.DestIP)
+	}
+	iptablesArg += fmt.Sprintf(" -j %s", policy.Action)
+	if policy.Comment != "" {
+		iptablesArg += fmt.Sprintf(" -m comment --comment \"%s\"", policy.Comment)
+	}
+
+	return iptables.run(FilterTab, iptablesArg)
+}
diff --git a/agent/utils/firewall/client/iptables_fw.go b/agent/utils/firewall/client/iptables_fw.go
new file mode 100644
index 000000000000..d63f84fbd7ff
--- /dev/null
+++ b/agent/utils/firewall/client/iptables_fw.go
@@ -0,0 +1,461 @@
+package client
+
+import (
+	"fmt"
+	"regexp"
+	"strconv"
+	"strings"
+
+	"github.com/1Panel-dev/1Panel/agent/app/model"
+	"github.com/1Panel-dev/1Panel/agent/buserr"
+	"github.com/1Panel-dev/1Panel/agent/global"
+	"github.com/1Panel-dev/1Panel/agent/utils/cmd"
+)
+
+const (
+	Chain1PanelInput  = "1PFW-INPUT"
+	Chain1PanelOutput = "1PFW-OUTPUT"
+)
+
+var (
+	// 匹配 iptables 规则的正则表达式
+	filterListRegex = regexp.MustCompile(`^(\d+)\s+(.+?)\s+(.+?)\s+(.+?)\s+(.+?)\s+(.+?)\s+(.+?)(?:\s+(.+?))?(?:\s+(.+?))?`)
+)
+
+type IptablesFw struct {
+	iptables *Iptables
+}
+
+func NewIptablesFw() (*IptablesFw, error) {
+	iptables, err := NewIptables()
+	if err != nil {
+		return nil, err
+	}
+	return &IptablesFw{
+		iptables: iptables,
+	}, nil
+}
+
+func (f *IptablesFw) Name() string {
+	return "iptables"
+}
+
+func (f *IptablesFw) Status() (bool, error) {
+	// 检查自定义链是否存在来判断防火墙是否启用
+	exists, err := f.iptables.ChainExists(FilterTab, Chain1PanelInput)
+	if err != nil {
+		return false, err
+	}
+	return exists, nil
+}
+
+func (f *IptablesFw) Version() (string, error) {
+	stdout, err := cmd.RunDefaultWithStdoutBashC("iptables --version")
+	if err != nil {
+		return "", fmt.Errorf("load the firewall version failed, %v", err)
+	}
+	// 提取版本号，例如 "iptables v1.8.7 (nf_tables)"
+	parts := strings.Fields(stdout)
+	if len(parts) >= 2 {
+		return strings.TrimPrefix(parts[1], "v"), nil
+	}
+	return strings.TrimSpace(stdout), nil
+}
+
+func (f *IptablesFw) Start() error {
+	// 创建自定义链
+	if err := f.iptables.NewChain(FilterTab, Chain1PanelInput); err != nil {
+		global.LOG.Debugf("chain %s may already exist: %v", Chain1PanelInput, err)
+	}
+	if err := f.iptables.NewChain(FilterTab, Chain1PanelOutput); err != nil {
+		global.LOG.Debugf("chain %s may already exist: %v", Chain1PanelOutput, err)
+	}
+
+	// 将自定义链附加到 INPUT 和 OUTPUT 链
+	if err := f.ensureChainAttached("INPUT", Chain1PanelInput); err != nil {
+		return fmt.Errorf("failed to attach %s to INPUT: %v", Chain1PanelInput, err)
+	}
+	if err := f.ensureChainAttached("OUTPUT", Chain1PanelOutput); err != nil {
+		return fmt.Errorf("failed to attach %s to OUTPUT: %v", Chain1PanelOutput, err)
+	}
+
+	// 重载规则（从数据库恢复）
+	return f.Reload()
+}
+
+func (f *IptablesFw) Stop() error {
+	// 从 INPUT 和 OUTPUT 链中移除跳转规则
+	_ = f.iptables.Run(FilterTab, fmt.Sprintf("-D INPUT -j %s", Chain1PanelInput))
+	_ = f.iptables.Run(FilterTab, fmt.Sprintf("-D OUTPUT -j %s", Chain1PanelOutput))
+
+	// 清空并删除自定义链
+	_ = f.iptables.FlushChain(FilterTab, Chain1PanelInput)
+	_ = f.iptables.FlushChain(FilterTab, Chain1PanelOutput)
+	_ = f.iptables.Run(FilterTab, fmt.Sprintf("-X %s", Chain1PanelInput))
+	_ = f.iptables.Run(FilterTab, fmt.Sprintf("-X %s", Chain1PanelOutput))
+
+	return nil
+}
+
+func (f *IptablesFw) Restart() error {
+	if err := f.Stop(); err != nil {
+		return err
+	}
+	return f.Start()
+}
+
+func (f *IptablesFw) Reload() error {
+	// 清空链但保留链结构
+	if err := f.iptables.FlushChain(FilterTab, Chain1PanelInput); err != nil {
+		return err
+	}
+	if err := f.iptables.FlushChain(FilterTab, Chain1PanelOutput); err != nil {
+		return err
+	}
+
+	// 从数据库加载规则并恢复
+	var rules []model.IptablesRule
+	if err := global.DB.Find(&rules).Error; err != nil {
+		return fmt.Errorf("failed to load rules from database: %v", err)
+	}
+
+	for _, rule := range rules {
+		fireInfo := FireInfo{
+			Protocol: rule.Protocol,
+			Port:     rule.Port,
+			Strategy: rule.Strategy,
+			Address:  rule.Address,
+			Family:   rule.Family,
+		}
+		if rule.RuleType == "port" {
+			if err := f.Port(fireInfo, "add"); err != nil {
+				global.LOG.Errorf("failed to restore port rule %+v: %v", rule, err)
+			}
+		} else if rule.RuleType == "address" {
+			if err := f.RichRules(fireInfo, "add"); err != nil {
+				global.LOG.Errorf("failed to restore address rule %+v: %v", rule, err)
+			}
+		}
+	}
+
+	return nil
+}
+
+func (f *IptablesFw) ListPort() ([]FireInfo, error) {
+	return f.listRules(Chain1PanelInput, "port")
+}
+
+func (f *IptablesFw) ListAddress() ([]FireInfo, error) {
+	return f.listRules(Chain1PanelInput, "address")
+}
+
+func (f *IptablesFw) ListForward() ([]FireInfo, error) {
+	// 复用 ufw 的转发实现
+	if err := f.EnableForward(); err != nil {
+		global.LOG.Errorf("init port forward failed, err: %v", err)
+	}
+
+	rules, err := f.iptables.NatList()
+	if err != nil {
+		return nil, err
+	}
+
+	var list []FireInfo
+	for _, rule := range rules {
+		dest := strings.Split(rule.DestPort, ":")
+		if len(dest) < 2 {
+			continue
+		}
+		if len(dest[0]) == 0 {
+			dest[0] = "127.0.0.1"
+		}
+		list = append(list, FireInfo{
+			Num:        rule.Num,
+			Protocol:   rule.Protocol,
+			Interface:  rule.InIface,
+			Port:       rule.SrcPort,
+			TargetIP:   dest[0],
+			TargetPort: dest[1],
+		})
+	}
+	return list, nil
+}
+
+func (f *IptablesFw) Port(port FireInfo, operation string) error {
+	if cmd.CheckIllegal(operation, port.Protocol, port.Port) {
+		return buserr.New("ErrCmdIllegal")
+	}
+
+	// 转换策略
+	strategy := f.convertStrategy(port.Strategy)
+	if strategy == "" {
+		return fmt.Errorf("unsupported strategy %s", port.Strategy)
+	}
+
+	// 构建规则的唯一标识
+	comment := fmt.Sprintf("1Panel_Port_%s_%s_%s", port.Protocol, port.Port, strategy)
+
+	if operation == "add" {
+		// 添加到 INPUT 链
+		policy := IptablesPolicy{
+			Protocol: port.Protocol,
+			DstPort:  f.parsePort(port.Port),
+			Action:   strategy,
+			Comment:  comment,
+		}
+		if err := f.iptables.AddPolicy(Chain1PanelInput, policy); err != nil {
+			return fmt.Errorf("add port rule to INPUT failed: %v", err)
+		}
+
+		// 保存到数据库
+		rule := model.IptablesRule{
+			RuleType: "port",
+			Protocol: port.Protocol,
+			Port:     port.Port,
+			Strategy: port.Strategy,
+			Family:   "ipv4",
+		}
+		if err := global.DB.Create(&rule).Error; err != nil {
+			return fmt.Errorf("save rule to database failed: %v", err)
+		}
+	} else if operation == "remove" {
+		// 从 INPUT 链删除
+		if err := f.iptables.RemovePolicyByComment(Chain1PanelInput, comment); err != nil {
+			return fmt.Errorf("remove port rule from INPUT failed: %v", err)
+		}
+
+		// 从数据库删除
+		global.DB.Where("rule_type = ? AND protocol = ? AND port = ? AND strategy = ?",
+			"port", port.Protocol, port.Port, port.Strategy).Delete(&model.IptablesRule{})
+	}
+
+	return nil
+}
+
+func (f *IptablesFw) RichRules(rule FireInfo, operation string) error {
+	if cmd.CheckIllegal(operation, rule.Address, rule.Protocol, rule.Port) {
+		return buserr.New("ErrCmdIllegal")
+	}
+
+	strategy := f.convertStrategy(rule.Strategy)
+	if strategy == "" {
+		return fmt.Errorf("unsupported strategy %s", rule.Strategy)
+	}
+
+	// 构建规则的唯一标识
+	comment := fmt.Sprintf("1Panel_Addr_%s_%s_%s_%s", rule.Address, rule.Protocol, rule.Port, strategy)
+
+	if operation == "add" {
+		policy := IptablesPolicy{
+			Protocol: rule.Protocol,
+			SourceIP: rule.Address,
+			Action:   strategy,
+			Comment:  comment,
+		}
+		if len(rule.Port) > 0 {
+			policy.DstPort = f.parsePort(rule.Port)
+		}
+
+		if err := f.iptables.AddPolicy(Chain1PanelInput, policy); err != nil {
+			return fmt.Errorf("add address rule failed: %v", err)
+		}
+
+		// 保存到数据库
+		dbRule := model.IptablesRule{
+			RuleType: "address",
+			Protocol: rule.Protocol,
+			Port:     rule.Port,
+			Strategy: rule.Strategy,
+			Address:  rule.Address,
+			Family:   rule.Family,
+		}
+		if dbRule.Family == "" {
+			dbRule.Family = "ipv4"
+		}
+		if err := global.DB.Create(&dbRule).Error; err != nil {
+			return fmt.Errorf("save rule to database failed: %v", err)
+		}
+	} else if operation == "remove" {
+		if err := f.iptables.RemovePolicyByComment(Chain1PanelInput, comment); err != nil {
+			return fmt.Errorf("remove address rule failed: %v", err)
+		}
+
+		// 从数据库删除
+		global.DB.Where("rule_type = ? AND address = ? AND protocol = ? AND port = ? AND strategy = ?",
+			"address", rule.Address, rule.Protocol, rule.Port, rule.Strategy).Delete(&model.IptablesRule{})
+	}
+
+	return nil
+}
+
+func (f *IptablesFw) PortForward(info Forward, operation string) error {
+	// 直接复用 iptables 的 NAT 功能
+	if operation == "add" {
+		err := f.iptables.NatAdd(info.Protocol, info.Port, info.TargetIP, info.TargetPort, info.Interface, true)
+		if err != nil {
+			return fmt.Errorf("add port forward failed: %v", err)
+		}
+	} else if operation == "remove" {
+		err := f.iptables.NatRemove(info.Num, info.Protocol, info.Port, info.TargetIP, info.TargetPort, info.Interface)
+		if err != nil {
+			return fmt.Errorf("remove port forward failed: %v", err)
+		}
+	}
+	return nil
+}
+
+func (f *IptablesFw) EnableForward() error {
+	// 复用 ufw 的转发初始化逻辑
+	if err := f.iptables.Check(); err != nil {
+		return err
+	}
+
+	_ = f.iptables.NewChain(NatTab, PreRoutingChain)
+	_ = f.iptables.NewChain(NatTab, PostRoutingChain)
+	_ = f.iptables.NewChain(FilterTab, ForwardChain)
+
+	if err := f.enableForwardChain(); err != nil {
+		return err
+	}
+	return f.iptables.Reload()
+}
+
+// 辅助方法：确保链已附加到目标链
+func (f *IptablesFw) ensureChainAttached(targetChain, customChain string) error {
+	// 检查是否已经附加
+	rules, err := f.iptables.NatList(targetChain)
+	if err == nil {
+		for _, rule := range rules {
+			if rule.Target == customChain {
+				return nil
+			}
+		}
+	}
+
+	// 附加链
+	return f.iptables.AppendChain(FilterTab, targetChain, customChain)
+}
+
+// 辅助方法：启用转发链
+func (f *IptablesFw) enableForwardChain() error {
+	rules, err := f.iptables.NatList("PREROUTING")
+	if err != nil {
+		return err
+	}
+	for _, rule := range rules {
+		if rule.Target == PreRoutingChain {
+			return nil
+		}
+	}
+
+	_ = f.iptables.AppendChain(NatTab, "PREROUTING", PreRoutingChain)
+	_ = f.iptables.AppendChain(NatTab, "POSTROUTING", PostRoutingChain)
+	_ = f.iptables.AppendChain(FilterTab, "FORWARD", ForwardChain)
+	return nil
+}
+
+// 辅助方法：列出规则
+func (f *IptablesFw) listRules(chain, ruleType string) ([]FireInfo, error) {
+	stdout, err := cmd.RunDefaultWithStdoutBashCf("%s iptables -t filter -L %s -n -v --line-numbers", f.iptables.CmdStr, chain)
+	if err != nil {
+		return nil, fmt.Errorf("list rules failed: %v", err)
+	}
+
+	var datas []FireInfo
+	lines := strings.Split(stdout, "\n")
+	for i, line := range lines {
+		// 跳过表头
+		if i < 2 || strings.TrimSpace(line) == "" {
+			continue
+		}
+
+		fields := strings.Fields(line)
+		if len(fields) < 7 {
+			continue
+		}
+
+		// 解析规则字段
+		// num pkts bytes target prot opt in out source destination [extra]
+		num := fields[0]
+		target := fields[3]
+		protocol := fields[4]
+		source := fields[8]
+
+		// 提取端口信息（从 extra 字段）
+		var port string
+		if len(fields) > 10 {
+			for j := 10; j < len(fields); j++ {
+				if strings.HasPrefix(fields[j], "dpt:") {
+					port = strings.TrimPrefix(fields[j], "dpt:")
+				} else if strings.HasPrefix(fields[j], "spt:") {
+					port = strings.TrimPrefix(fields[j], "spt:")
+				}
+			}
+		}
+
+		// 根据类型过滤
+		if ruleType == "port" {
+			// 端口规则：有端口信息，源地址为 0.0.0.0/0
+			if len(port) > 0 && (source == "0.0.0.0/0" || source == "anywhere") {
+				datas = append(datas, FireInfo{
+					Num:      num,
+					Protocol: protocol,
+					Port:     port,
+					Strategy: f.convertStrategyReverse(target),
+					Family:   "ipv4",
+				})
+			}
+		} else if ruleType == "address" {
+			// 地址规则：有源地址限制
+			if source != "0.0.0.0/0" && source != "anywhere" {
+				datas = append(datas, FireInfo{
+					Num:      num,
+					Protocol: protocol,
+					Port:     port,
+					Address:  source,
+					Strategy: f.convertStrategyReverse(target),
+					Family:   "ipv4",
+				})
+			}
+		}
+	}
+
+	return datas, nil
+}
+
+// 辅助方法：转换策略名称 (accept/drop -> ACCEPT/DROP)
+func (f *IptablesFw) convertStrategy(strategy string) string {
+	switch strategy {
+	case "accept":
+		return "ACCEPT"
+	case "drop":
+		return "DROP"
+	case "reject":
+		return "REJECT"
+	default:
+		return ""
+	}
+}
+
+// 辅助方法：反向转换策略名称 (ACCEPT/DROP -> accept/drop)
+func (f *IptablesFw) convertStrategyReverse(strategy string) string {
+	switch strategy {
+	case "ACCEPT":
+		return "accept"
+	case "DROP":
+		return "drop"
+	case "REJECT":
+		return "reject"
+	default:
+		return strategy
+	}
+}
+
+// 辅助方法：解析端口字符串为 uint16
+func (f *IptablesFw) parsePort(portStr string) uint16 {
+	port, err := strconv.ParseUint(portStr, 10, 16)
+	if err != nil {
+		return 0
+	}
+	return uint16(port)
+}
diff --git a/frontend/src/api/interface/host.ts b/frontend/src/api/interface/host.ts
index a39fcd95dea7..e3c6a1447bed 100644
--- a/frontend/src/api/interface/host.ts
+++ b/frontend/src/api/interface/host.ts
@@ -263,4 +263,47 @@ export namespace Host {
         path: string;
         error: string;
     }
+
+    // Iptables Filter
+    export interface IptablesFilterRuleSearch {
+        chains?: string[];
+    }
+
+    export interface IptablesChainInfo {
+        version: string;
+        name: string;
+        defaultPolicy: string;
+        rules: IptablesFilterRuleInfo[];
+        isApplied: boolean;
+    }
+
+    export interface IptablesFilterRuleInfo {
+        id: number;
+        protocol: string;
+        sourceIP: string;
+        sourcePort: number;
+        destIP: string;
+        destPort: number;
+        action: string;
+        comment: string;
+        description: string;
+        ruleOrder: number;
+    }
+
+    export interface IptablesFilterRuleOperate {
+        operation: string;
+        id?: number;
+        chain: string;
+        protocol: string;
+        sourceIP?: string;
+        sourcePort?: number;
+        destIP?: string;
+        destPort?: number;
+        action: string;
+        description?: string;
+    }
+
+    export interface IptablesFilterApply {
+        operation: string;
+    }
 }
diff --git a/frontend/src/api/modules/host.ts b/frontend/src/api/modules/host.ts
index f394e38859d5..bac8c8c4da9a 100644
--- a/frontend/src/api/modules/host.ts
+++ b/frontend/src/api/modules/host.ts
@@ -44,6 +44,20 @@ export const batchOperateRule = (params: Host.BatchRule) => {
     return http.post(`/hosts/firewall/batch`, params, TimeoutEnum.T_60S);
 };
 
+// Iptables Filter
+export const getFilterRules = (params: Host.IptablesFilterRuleSearch) => {
+    return http.post<Host.IptablesChainInfo[]>(`/hosts/firewall/filter/rules`, params);
+};
+export const operateFilterRule = (params: Host.IptablesFilterRuleOperate) => {
+    return http.post(`/hosts/firewall/filter/rule`, params, TimeoutEnum.T_40S);
+};
+export const batchOperateFilterRule = (params: { rules: Host.IptablesFilterRuleOperate[] }) => {
+    return http.post(`/hosts/firewall/filter/batch`, params, TimeoutEnum.T_40S);
+};
+export const applyFilterFirewall = (params: Host.IptablesFilterApply) => {
+    return http.post(`/hosts/firewall/filter/apply`, params, TimeoutEnum.T_60S);
+};
+
 // monitors
 export const loadMonitor = (param: Host.MonitorSearch) => {
     return http.post<Array<Host.MonitorData>>(`/hosts/monitor/search`, param);
diff --git a/frontend/src/lang/modules/en.ts b/frontend/src/lang/modules/en.ts
index 278cd3ec9e3a..0089c2f735af 100644
--- a/frontend/src/lang/modules/en.ts
+++ b/frontend/src/lang/modules/en.ts
@@ -374,6 +374,7 @@ const message = {
         config: 'Configuration | Configurations',
         ssh: 'SSH Settings',
         firewall: 'Firewall',
+        filter: 'Filter',
         ssl: 'Certificate | Certificates',
         database: 'Database | Databases',
         aiTools: 'AI',
diff --git a/frontend/src/lang/modules/zh.ts b/frontend/src/lang/modules/zh.ts
index 250652d8afab..fb9e9d47ccf7 100644
--- a/frontend/src/lang/modules/zh.ts
+++ b/frontend/src/lang/modules/zh.ts
@@ -362,6 +362,7 @@ const message = {
         config: '配置',
         ssh: 'SSH 管理',
         firewall: '防火墙',
+        filter: '过滤器',
         ssl: '证书',
         database: '数据库',
         aiTools: 'AI',
@@ -2704,6 +2705,31 @@ const message = {
         exportHelper: '即将导出 {0} 条防火墙规则，是否继续？',
         importSuccess: '成功导入 {0} 条规则',
         importPartialSuccess: '导入完成：成功 {0} 条，失败 {1} 条',
+        filterRule: 'Filter 规则',
+        filterHelper: 'Filter 规则允许您在 INPUT/OUTPUT 级别控制网络流量。请谨慎配置，避免锁定系统。',
+        chain: '链',
+        targetChain: '目标链',
+        chainHelper: '仅允许修改 1PANEL_INPUT 和 1PANEL_OUTPUT 自定义链',
+        ruleOrder: '顺序',
+        sourceIP: '源 IP',
+        sourcePort: '源端口',
+        destIP: '目标 IP',
+        destPort: '目标端口',
+        action: '动作',
+        reject: '拒绝',
+        defaultPolicy: '默认策略',
+        applied: '已应用',
+        notApplied: '未应用',
+        initChains: '初始化链',
+        applyFirewall: '应用防火墙',
+        unloadFirewall: '卸载防火墙',
+        sourceIPHelper: 'CIDR 格式，如 192.168.1.0/24，留空表示任意',
+        destIPHelper: 'CIDR 格式，如 10.0.0.0/8，留空表示任意',
+        portHelper: '0 表示任意端口',
+        deleteRuleConfirm: '将删除 {0} 条规则，是否继续？',
+        initChainsConfirm: '将重置 1PANEL_INPUT 和 1PANEL_OUTPUT 链为默认 ACCEPT 规则，是否继续？',
+        applyConfirm: '将应用自定义链到 INPUT/OUTPUT，请确保 SSH 端口（22）已放行，是否继续？',
+        unloadConfirm: '将从 INPUT/OUTPUT 移除自定义链，是否继续？',
     },
     runtime: {
         runtime: '运行环境',
diff --git a/frontend/src/routers/modules/host.ts b/frontend/src/routers/modules/host.ts
index eab0284102df..a86d8ef389b8 100644
--- a/frontend/src/routers/modules/host.ts
+++ b/frontend/src/routers/modules/host.ts
@@ -80,6 +80,16 @@ const hostRouter = {
                 requiresAuth: false,
             },
         },
+        {
+            path: '/hosts/filter',
+            name: 'Filter',
+            component: () => import('@/views/host/filter/index.vue'),
+            meta: {
+                icon: 'p-filter-menu',
+                title: 'menu.filter',
+                requiresAuth: false,
+            },
+        },
         {
             path: '/hosts/disk',
             name: 'Disk',
diff --git a/frontend/src/views/host/filter/index.vue b/frontend/src/views/host/filter/index.vue
new file mode 100644
index 000000000000..8c613dbd9d6e
--- /dev/null
+++ b/frontend/src/views/host/filter/index.vue
@@ -0,0 +1,358 @@
+<template>
+    <div>
+        <div v-loading="loading">
+            <el-card>
+                <div class="flex w-full flex-col gap-4 md:flex-row">
+                    <div class="flex flex-wrap gap-4 ml-3">
+                        <el-tag effect="dark" type="success">{{ 'iptables v' + iptablesVersion }}</el-tag>
+                    </div>
+                </div>
+            </el-card>
+            <div>
+                <LayoutContent :title="$t('firewall.filterRule')">
+                    <template #prompt>
+                        <el-alert type="info" :closable="false">
+                            <span>{{ $t('firewall.filterHelper') }}</span>
+                        </el-alert>
+                    </template>
+
+                    <template #leftToolBar>
+                        <el-button type="primary" @click="onOpenDialog('create')" :disabled="!isCustomChain">
+                            {{ $t('commons.button.create') }}{{ $t('firewall.filterRule') }}
+                        </el-button>
+                        <el-button @click="onDelete(null)" plain :disabled="selects.length === 0 || !isCustomChain">
+                            {{ $t('commons.button.delete') }}
+                        </el-button>
+                        <el-button @click="onInitChains" plain>
+                            {{ $t('firewall.initChains') }}
+                        </el-button>
+                        <el-button @click="onApplyFirewall('apply')" plain type="success" :disabled="!canApply">
+                            {{ $t('firewall.applyFirewall') }}
+                        </el-button>
+                        <el-button @click="onApplyFirewall('unload')" plain type="warning" :disabled="!isApplied">
+                            {{ $t('firewall.unloadFirewall') }}
+                        </el-button>
+                    </template>
+
+                    <template #rightToolBar>
+                        <el-select v-model="selectedChain" @change="search()" clearable class="p-w-200">
+                            <template #prefix>{{ $t('firewall.chain') }}</template>
+                            <el-option label="INPUT" value="INPUT"></el-option>
+                            <el-option label="OUTPUT" value="OUTPUT"></el-option>
+                            <el-option label="1PANEL_INPUT" value="1PANEL_INPUT"></el-option>
+                            <el-option label="1PANEL_OUTPUT" value="1PANEL_OUTPUT"></el-option>
+                        </el-select>
+                        <TableRefresh @search="search()" />
+                        <TableSetting title="firewall-filter-refresh" @search="search()" />
+                    </template>
+
+                    <template #main>
+                        <!-- Chain Status Cards -->
+                        <el-row :gutter="20" class="mb-4">
+                            <el-col :span="12">
+                                <el-card>
+                                    <div class="chain-card">
+                                        <div class="chain-title">
+                                            INPUT {{ $t('firewall.chain') }}
+                                            <el-tag :type="inputChainInfo?.isApplied ? 'success' : 'info'" size="small">
+                                                {{
+                                                    inputChainInfo?.isApplied
+                                                        ? $t('firewall.applied')
+                                                        : $t('firewall.notApplied')
+                                                }}
+                                            </el-tag>
+                                        </div>
+                                        <div class="chain-policy">
+                                            {{ $t('firewall.defaultPolicy') }}:
+                                            {{ inputChainInfo?.defaultPolicy || 'ACCEPT' }}
+                                        </div>
+                                    </div>
+                                </el-card>
+                            </el-col>
+                            <el-col :span="12">
+                                <el-card>
+                                    <div class="chain-card">
+                                        <div class="chain-title">
+                                            OUTPUT {{ $t('firewall.chain') }}
+                                            <el-tag
+                                                :type="outputChainInfo?.isApplied ? 'success' : 'info'"
+                                                size="small"
+                                            >
+                                                {{
+                                                    outputChainInfo?.isApplied
+                                                        ? $t('firewall.applied')
+                                                        : $t('firewall.notApplied')
+                                                }}
+                                            </el-tag>
+                                        </div>
+                                        <div class="chain-policy">
+                                            {{ $t('firewall.defaultPolicy') }}:
+                                            {{ outputChainInfo?.defaultPolicy || 'ACCEPT' }}
+                                        </div>
+                                    </div>
+                                </el-card>
+                            </el-col>
+                        </el-row>
+
+                        <ComplexTable
+                            :pagination-config="paginationConfig"
+                            v-model:selects="selects"
+                            @search="search"
+                            :data="data"
+                            :heightDiff="520"
+                        >
+                            <el-table-column v-if="isCustomChain" type="selection" fix />
+                            <el-table-column :label="$t('firewall.ruleOrder')" :min-width="80" prop="ruleOrder" />
+                            <el-table-column :label="$t('commons.table.protocol')" :min-width="80" prop="protocol" />
+                            <el-table-column :label="$t('firewall.sourceIP')" :min-width="120" prop="sourceIP">
+                                <template #default="{ row }">
+                                    <span>{{ row.sourceIP || '-' }}</span>
+                                </template>
+                            </el-table-column>
+                            <el-table-column :label="$t('firewall.sourcePort')" :min-width="100" prop="sourcePort">
+                                <template #default="{ row }">
+                                    <span>{{ row.sourcePort || '-' }}</span>
+                                </template>
+                            </el-table-column>
+                            <el-table-column :label="$t('firewall.destIP')" :min-width="120" prop="destIP">
+                                <template #default="{ row }">
+                                    <span>{{ row.destIP || '-' }}</span>
+                                </template>
+                            </el-table-column>
+                            <el-table-column :label="$t('firewall.destPort')" :min-width="100" prop="destPort">
+                                <template #default="{ row }">
+                                    <span>{{ row.destPort || '-' }}</span>
+                                </template>
+                            </el-table-column>
+                            <el-table-column :min-width="100" :label="$t('firewall.action')" prop="action">
+                                <template #default="{ row }">
+                                    <el-tag v-if="row.action === 'ACCEPT'" type="success">{{ row.action }}</el-tag>
+                                    <el-tag v-else-if="row.action === 'DROP'" type="danger">{{ row.action }}</el-tag>
+                                    <el-tag v-else-if="row.action === 'REJECT'" type="warning">{{ row.action }}</el-tag>
+                                    <el-tag v-else type="info">{{ row.action }}</el-tag>
+                                </template>
+                            </el-table-column>
+                            <el-table-column
+                                :min-width="150"
+                                :label="$t('commons.table.description')"
+                                prop="description"
+                                show-overflow-tooltip
+                            />
+                            <fu-table-operations
+                                v-if="isCustomChain"
+                                width="120px"
+                                :buttons="buttons"
+                                :ellipsis="10"
+                                :label="$t('commons.table.operate')"
+                                fix
+                            />
+                        </ComplexTable>
+                    </template>
+                </LayoutContent>
+            </div>
+        </div>
+
+        <OpDialog ref="opRef" @search="search" />
+        <OperateDialog @search="search" ref="dialogRef" />
+    </div>
+</template>
+
+<script lang="ts" setup>
+import OperateDialog from '@/views/host/filter/operate/index.vue';
+import { computed, onMounted, reactive, ref } from 'vue';
+import { getFilterRules, applyFilterFirewall, batchOperateFilterRule } from '@/api/modules/host';
+import { Host } from '@/api/interface/host';
+import i18n from '@/lang';
+import { MsgSuccess } from '@/utils/message';
+import { ElMessageBox } from 'element-plus';
+
+const loading = ref();
+const selects = ref<any>([]);
+const selectedChain = ref('1PANEL_INPUT');
+const iptablesVersion = ref('');
+
+const opRef = ref();
+
+const chainInfoMap = ref<Map<string, Host.IptablesChainInfo>>(new Map());
+const data = computed(() => {
+    const chainInfo = chainInfoMap.value.get(selectedChain.value);
+    return chainInfo?.rules || [];
+});
+
+const inputChainInfo = computed(() => chainInfoMap.value.get('INPUT'));
+const outputChainInfo = computed(() => chainInfoMap.value.get('OUTPUT'));
+
+const isCustomChain = computed(() => {
+    return selectedChain.value === '1PANEL_INPUT' || selectedChain.value === '1PANEL_OUTPUT';
+});
+
+const canApply = computed(() => {
+    const inputInfo = chainInfoMap.value.get('1PANEL_INPUT');
+    const outputInfo = chainInfoMap.value.get('1PANEL_OUTPUT');
+    return (inputInfo && !inputInfo.isApplied) || (outputInfo && !outputInfo.isApplied);
+});
+
+const isApplied = computed(() => {
+    const inputInfo = chainInfoMap.value.get('INPUT');
+    const outputInfo = chainInfoMap.value.get('OUTPUT');
+    return inputInfo?.isApplied || outputInfo?.isApplied;
+});
+
+const paginationConfig = reactive({
+    cacheSizeKey: 'firewall-filter-page-size',
+    currentPage: 1,
+    pageSize: Number(localStorage.getItem('firewall-filter-page-size')) || 20,
+    total: 0,
+});
+
+const search = async () => {
+    const params: Host.IptablesFilterRuleSearch = {
+        chains: ['INPUT', 'OUTPUT', '1PANEL_INPUT', '1PANEL_OUTPUT'],
+    };
+    loading.value = true;
+    await getFilterRules(params)
+        .then((res) => {
+            loading.value = false;
+            chainInfoMap.value.clear();
+            res.data.forEach((chainInfo: Host.IptablesChainInfo) => {
+                chainInfoMap.value.set(chainInfo.name, chainInfo);
+            });
+            const currentChainData = data.value || [];
+            iptablesVersion.value = chainInfoMap.value.get('INPUT')?.version || '';
+            paginationConfig.total = currentChainData.length;
+        })
+        .catch(() => {
+            loading.value = false;
+        });
+};
+
+const dialogRef = ref();
+const onOpenDialog = async (title: string, rowData?: Host.IptablesFilterRuleOperate) => {
+    if (!isCustomChain.value) {
+        return;
+    }
+    const params = {
+        title,
+        rowData: rowData || {
+            chain: selectedChain.value,
+            protocol: 'all',
+            action: 'ACCEPT',
+            sourcePort: 0,
+            destPort: 0,
+        },
+    };
+    dialogRef.value!.acceptParams(params);
+};
+
+const onInitChains = async () => {
+    ElMessageBox.confirm(i18n.global.t('firewall.initChainsConfirm'), i18n.global.t('firewall.initChains'), {
+        confirmButtonText: i18n.global.t('commons.button.confirm'),
+        cancelButtonText: i18n.global.t('commons.button.cancel'),
+    }).then(async () => {
+        loading.value = true;
+        await applyFilterFirewall({ operation: 'init' })
+            .then(() => {
+                loading.value = false;
+                MsgSuccess(i18n.global.t('commons.msg.operationSuccess'));
+                search();
+            })
+            .catch(() => {
+                loading.value = false;
+            });
+    });
+};
+
+const onApplyFirewall = async (operation: string) => {
+    const confirmMsg =
+        operation === 'apply' ? i18n.global.t('firewall.applyConfirm') : i18n.global.t('firewall.unloadConfirm');
+    const title =
+        operation === 'apply' ? i18n.global.t('firewall.applyFirewall') : i18n.global.t('firewall.unloadFirewall');
+
+    ElMessageBox.confirm(confirmMsg, title, {
+        confirmButtonText: i18n.global.t('commons.button.confirm'),
+        cancelButtonText: i18n.global.t('commons.button.cancel'),
+    }).then(async () => {
+        loading.value = true;
+        await applyFilterFirewall({ operation })
+            .then(() => {
+                loading.value = false;
+                MsgSuccess(i18n.global.t('commons.msg.operationSuccess'));
+                search();
+            })
+            .catch(() => {
+                loading.value = false;
+            });
+    });
+};
+
+const onDelete = async (row: Host.IptablesFilterRuleInfo | null) => {
+    let names = [];
+    let rules = [];
+    if (row) {
+        rules.push({
+            operation: 'remove',
+            id: row.id,
+            chain: selectedChain.value,
+            protocol: row.protocol,
+            action: row.action,
+        });
+        names = [
+            `${row.protocol} ${row.sourceIP || '*'}:${row.sourcePort || '*'} -> ${row.destIP || '*'}:${
+                row.destPort || '*'
+            }`,
+        ];
+    } else {
+        for (const item of selects.value) {
+            names.push(
+                `${item.protocol} ${item.sourceIP || '*'}:${item.sourcePort || '*'} -> ${item.destIP || '*'}:${
+                    item.destPort || '*'
+                }`,
+            );
+            rules.push({
+                operation: 'remove',
+                id: item.id,
+                chain: selectedChain.value,
+                protocol: item.protocol,
+                action: item.action,
+            });
+        }
+    }
+    opRef.value.acceptParams({
+        title: i18n.global.t('commons.button.delete'),
+        names: names,
+        msg: i18n.global.t('firewall.deleteRuleConfirm', [rules.length]),
+        api: batchOperateFilterRule,
+        params: { rules: rules },
+    });
+};
+
+const buttons = [
+    {
+        label: i18n.global.t('commons.button.delete'),
+        click: (row: Host.IptablesFilterRuleInfo) => {
+            onDelete(row);
+        },
+    },
+];
+
+onMounted(() => {
+    search();
+});
+</script>
+
+<style lang="scss" scoped>
+.chain-card {
+    .chain-title {
+        font-size: 16px;
+        font-weight: 500;
+        margin-bottom: 8px;
+        display: flex;
+        align-items: center;
+        gap: 8px;
+    }
+    .chain-policy {
+        font-size: 14px;
+        color: var(--el-text-color-secondary);
+    }
+}
+</style>
diff --git a/frontend/src/views/host/filter/operate/index.vue b/frontend/src/views/host/filter/operate/index.vue
new file mode 100644
index 000000000000..2af02e8d314f
--- /dev/null
+++ b/frontend/src/views/host/filter/operate/index.vue
@@ -0,0 +1,165 @@
+<template>
+    <DrawerPro v-model="drawerVisible" :header="title" @close="handleClose" size="large">
+        <el-form ref="formRef" label-position="top" :model="dialogData.rowData" :rules="rules" v-loading="loading">
+            <el-form-item :label="$t('firewall.targetChain')" prop="chain">
+                <el-select class="w-full" v-model="dialogData.rowData!.chain">
+                    <el-option value="1PANEL_INPUT" label="1PANEL_INPUT" />
+                    <el-option value="1PANEL_OUTPUT" label="1PANEL_OUTPUT" />
+                </el-select>
+            </el-form-item>
+
+            <el-form-item :label="$t('commons.table.protocol')" prop="protocol">
+                <el-select class="w-full" v-model="dialogData.rowData!.protocol">
+                    <el-option value="all" label="all" />
+                    <el-option value="tcp" label="tcp" />
+                    <el-option value="udp" label="udp" />
+                    <el-option value="icmp" label="icmp" />
+                </el-select>
+            </el-form-item>
+
+            <el-form-item :label="$t('firewall.sourceIP')" prop="sourceIP">
+                <el-input clearable v-model.trim="dialogData.rowData!.sourceIP" />
+                <span class="input-help">{{ $t('firewall.sourceIPHelper') }}</span>
+            </el-form-item>
+
+            <el-form-item :label="$t('firewall.sourcePort')" prop="sourcePort">
+                <el-input-number
+                    class="w-full"
+                    v-model="dialogData.rowData!.sourcePort"
+                    :min="0"
+                    :max="65535"
+                    controls-position="right"
+                />
+                <span class="input-help">{{ $t('firewall.portHelper') }}</span>
+            </el-form-item>
+
+            <el-form-item :label="$t('firewall.destIP')" prop="destIP">
+                <el-input clearable v-model.trim="dialogData.rowData!.destIP" />
+                <span class="input-help">{{ $t('firewall.destIPHelper') }}</span>
+            </el-form-item>
+
+            <el-form-item :label="$t('firewall.destPort')" prop="destPort">
+                <el-input-number
+                    class="w-full"
+                    v-model="dialogData.rowData!.destPort"
+                    :min="0"
+                    :max="65535"
+                    controls-position="right"
+                />
+                <span class="input-help">{{ $t('firewall.portHelper') }}</span>
+            </el-form-item>
+
+            <el-form-item :label="$t('firewall.action')" prop="action">
+                <el-radio-group v-model="dialogData.rowData!.action">
+                    <el-radio value="ACCEPT">{{ $t('firewall.accept') }}</el-radio>
+                    <el-radio value="DROP">阻止</el-radio>
+                    <el-radio value="REJECT">{{ $t('firewall.reject') }}</el-radio>
+                </el-radio-group>
+            </el-form-item>
+
+            <el-form-item :label="$t('commons.table.description')" prop="description">
+                <el-input clearable v-model.trim="dialogData.rowData!.description" />
+            </el-form-item>
+        </el-form>
+        <template #footer>
+            <span class="dialog-footer">
+                <el-button @click="drawerVisible = false">{{ $t('commons.button.cancel') }}</el-button>
+                <el-button type="primary" @click="onSubmit(formRef)">
+                    {{ $t('commons.button.confirm') }}
+                </el-button>
+            </span>
+        </template>
+    </DrawerPro>
+</template>
+
+<script lang="ts" setup>
+import { reactive, ref } from 'vue';
+import { Rules } from '@/global/form-rules';
+import i18n from '@/lang';
+import { ElForm } from 'element-plus';
+import { MsgSuccess } from '@/utils/message';
+import { Host } from '@/api/interface/host';
+import { operateFilterRule } from '@/api/modules/host';
+import { checkCidr, checkCidrV6, checkIpV4V6 } from '@/utils/util';
+
+const loading = ref();
+
+interface DialogProps {
+    title: string;
+    rowData?: Host.IptablesFilterRuleOperate;
+    getTableList?: () => Promise<any>;
+}
+const title = ref<string>('');
+const drawerVisible = ref(false);
+const dialogData = ref<DialogProps>({
+    title: '',
+});
+const acceptParams = (params: DialogProps): void => {
+    dialogData.value = params;
+    title.value = i18n.global.t('firewall.' + dialogData.value.title);
+    drawerVisible.value = true;
+};
+const emit = defineEmits<{ (e: 'search'): void }>();
+
+const handleClose = () => {
+    drawerVisible.value = false;
+};
+
+const rules = reactive({
+    chain: [Rules.requiredSelect],
+    protocol: [Rules.requiredSelect],
+    action: [Rules.requiredSelect],
+    sourceIP: [{ validator: checkIPAddress, trigger: 'blur' }],
+    destIP: [{ validator: checkIPAddress, trigger: 'blur' }],
+});
+
+function checkIPAddress(_rule: any, value: any, callback: any) {
+    if (!value) {
+        return callback();
+    }
+    if (value.indexOf('/') !== -1) {
+        if (value.indexOf(':') !== -1) {
+            if (checkCidrV6(value)) {
+                return callback(new Error(i18n.global.t('firewall.addressFormatError')));
+            }
+        } else {
+            if (checkCidr(value)) {
+                return callback(new Error(i18n.global.t('firewall.addressFormatError')));
+            }
+        }
+    } else {
+        if (checkIpV4V6(value)) {
+            return callback(new Error(i18n.global.t('firewall.addressFormatError')));
+        }
+    }
+    callback();
+}
+
+type FormInstance = InstanceType<typeof ElForm>;
+const formRef = ref<FormInstance>();
+
+const onSubmit = async (formEl: FormInstance | undefined) => {
+    if (!formEl) return;
+    formEl.validate(async (valid) => {
+        if (!valid) return;
+        dialogData.value.rowData.operation = 'add';
+        if (!dialogData.value.rowData) return;
+
+        loading.value = true;
+        await operateFilterRule(dialogData.value.rowData)
+            .then(() => {
+                loading.value = false;
+                MsgSuccess(i18n.global.t('commons.msg.operationSuccess'));
+                emit('search');
+                drawerVisible.value = false;
+            })
+            .catch(() => {
+                loading.value = false;
+            });
+    });
+};
+
+defineExpose({
+    acceptParams,
+});
+</script>

From 955123bf49085c9b5660e912f862e78ad88fb250 Mon Sep 17 00:00:00 2001
From: HynoR <20227709+HynoR@users.noreply.github.com>
Date: Thu, 30 Oct 2025 18:59:50 +0800
Subject: [PATCH 02/16] chore: clean up

---
 agent/utils/firewall/client.go                |   6 -
 agent/utils/firewall/client/iptables.go       | 142 ------
 agent/utils/firewall/client/iptables_fw.go    | 461 ------------------
 .../utils/firewall/client/iptables_policy.go  |  99 ++++
 4 files changed, 99 insertions(+), 609 deletions(-)
 delete mode 100644 agent/utils/firewall/client/iptables_fw.go
 create mode 100644 agent/utils/firewall/client/iptables_policy.go

diff --git a/agent/utils/firewall/client.go b/agent/utils/firewall/client.go
index f10ac7b2f7ae..447cd8697572 100644
--- a/agent/utils/firewall/client.go
+++ b/agent/utils/firewall/client.go
@@ -41,11 +41,5 @@ func NewFirewallClient() (FirewallClient, error) {
 	if ufw {
 		return client.NewUfw()
 	}
-
-	iptables := cmd.Which("iptables")
-	if iptables {
-		return client.NewIptablesFw()
-	}
-
 	return nil, errors.New("No system firewalld or ufw service detected, please check and try again!")
 }
diff --git a/agent/utils/firewall/client/iptables.go b/agent/utils/firewall/client/iptables.go
index 58ba96d282fe..b9aa6636a5e7 100644
--- a/agent/utils/firewall/client/iptables.go
+++ b/agent/utils/firewall/client/iptables.go
@@ -2,7 +2,6 @@ package client
 
 import (
 	"fmt"
-	"os/exec"
 	"regexp"
 	"strings"
 	"time"
@@ -62,11 +61,6 @@ func (iptables *Iptables) run(tab, rule string) error {
 	return nil
 }
 
-// Run 导出的 run 方法供外部调用
-func (iptables *Iptables) Run(tab, rule string) error {
-	return iptables.run(tab, rule)
-}
-
 func (iptables *Iptables) Check() error {
 	stdout, err := cmd.RunDefaultWithStdoutBashC("cat /proc/sys/net/ipv4/ip_forward")
 	if err != nil {
@@ -257,32 +251,6 @@ func (iptables *Iptables) NatRemove(num string, protocol, srcPort, dest, destPor
 	return nil
 }
 
-// test struct
-/*
-🧩 规则解释
-
--A INPUT / -A OUTPUT：追加规则到对应链。
-
--p tcp / -p udp：指定协议。
-
---dport / --sport：目标端口 / 源端口。
-
--d / -s：目标 IP / 源 IP。
-
--j DROP：丢弃数据包（不回应）。
-
-若改成 -j REJECT，则会主动返回一个拒绝报文（对调试有用）。*
-*/
-type IptablesPolicy struct {
-	Protocol string
-	SrcPort  uint16
-	DstPort  uint16
-	SourceIP string
-	DestIP   string
-	Action   string // ACCEPT, DROP, REJECT
-	Comment  string
-}
-
 func (iptables *Iptables) AddPolicy(chain string, policy IptablesPolicy) error {
 	iptablesArg := fmt.Sprintf("-A %s", chain)
 	if policy.Protocol != "" {
@@ -327,89 +295,6 @@ func (iptables *Iptables) Reload() error {
 	return nil
 }
 
-// IptablesChain
-type IptablesChain struct {
-	Name          string
-	DefaultPolicy string
-	FirstRule     *IptablesPolicyChainItem
-	LastRule      *IptablesPolicyChainItem
-}
-
-type IptablesPolicyChainItem struct {
-	next *IptablesPolicyChainItem
-	P    IptablesPolicy
-}
-
-func (item *IptablesPolicyChainItem) SetNext(next *IptablesPolicyChainItem) {
-	item.next = next
-}
-
-func (item *IptablesPolicyChainItem) Next() *IptablesPolicyChainItem {
-	return item.next
-}
-
-func (c *IptablesChain) ParseLine(line string) error {
-	cmd := strings.Split(line, " ")
-
-	if cmd[0] == "-P" {
-		c.Name = cmd[1]
-		c.DefaultPolicy = cmd[2]
-		return nil
-	}
-	if cmd[0] == "-A" {
-		if cmd[1] != c.Name {
-			return fmt.Errorf("invalid chain name in rule line: %s", line)
-		}
-		policy := IptablesPolicy{}
-		for i := 2; i < len(cmd); i++ {
-			switch cmd[i] {
-			case "-p":
-				i++
-				policy.Protocol = cmd[i]
-			case "--dport":
-				i++
-				// parse port
-				var port uint16
-				fmt.Sscanf(cmd[i], "%d", &port)
-				policy.DstPort = port
-			case "--sport":
-				i++
-				var port uint16
-				fmt.Sscanf(cmd[i], "%d", &port)
-				policy.SrcPort = port
-			case "-s":
-				i++
-				policy.SourceIP = cmd[i]
-			case "-d":
-				i++
-				policy.DestIP = cmd[i]
-			case "-j":
-				i++
-				policy.Action = cmd[i]
-			case "-m":
-				// skip
-				i++
-			case "--comment":
-				i++
-				policy.Comment = strings.Trim(cmd[i], "\"")
-			}
-		}
-		newItem := &IptablesPolicyChainItem{
-			P: policy,
-		}
-		if c.FirstRule == nil {
-			c.FirstRule = newItem
-			c.LastRule = newItem
-		} else {
-			current := c.LastRule
-			current.SetNext(newItem)
-			c.LastRule = newItem
-		}
-		return nil
-	}
-	return fmt.Errorf("invalid iptables rule line: %s", line)
-}
-
 // iptables filter 解析
 func (iptables *Iptables) ReadFilter(chainName []string) (map[string]IptablesChain, error) {
 	// iptables -S
@@ -452,33 +337,6 @@ func (iptables *Iptables) ReadFilter(chainName []string) (map[string]IptablesCha
 	return chains, nil
 }
 
-// 检查链中是否有无条件 DROP/REJECT 规则
-func checkChainSafety(chain IptablesChain) error {
-	item := chain.FirstRule
-	for item != nil {
-		policy := item.P
-		if policy.Action == "DROP" || policy.Action == "REJECT" {
-			// 检查是否为无条件规则(所有字段都为空)
-			if policy.Protocol == "" && policy.SrcPort == 0 && policy.DstPort == 0 &&
-				policy.SourceIP == "" && policy.DestIP == "" {
-				return fmt.Errorf("发现无条件 %s 规则,不允许应用", policy.Action)
-			}
-		}
-		item = item.Next()
-	}
-	return nil
-}
-
-// 执行 iptables 命令
-func runIptables(args ...string) error {
-	cmd := exec.Command("iptables", args...)
-	output, err := cmd.CombinedOutput()
-	if err != nil {
-		return fmt.Errorf("执行 iptables 失败: %v, 输出: %s", err, string(output))
-	}
-	return nil
-}
-
 // RemovePolicyByComment 按 comment 删除规则
 func (iptables *Iptables) RemovePolicyByComment(chain, comment string) error {
 	stdout, err := iptables.out(FilterTab, fmt.Sprintf("-S %s", chain))
diff --git a/agent/utils/firewall/client/iptables_fw.go b/agent/utils/firewall/client/iptables_fw.go
deleted file mode 100644
index d63f84fbd7ff..000000000000
--- a/agent/utils/firewall/client/iptables_fw.go
+++ /dev/null
@@ -1,461 +0,0 @@
-package client
-
-import (
-	"fmt"
-	"regexp"
-	"strconv"
-	"strings"
-
-	"github.com/1Panel-dev/1Panel/agent/app/model"
-	"github.com/1Panel-dev/1Panel/agent/buserr"
-	"github.com/1Panel-dev/1Panel/agent/global"
-	"github.com/1Panel-dev/1Panel/agent/utils/cmd"
-)
-
-const (
-	Chain1PanelInput  = "1PFW-INPUT"
-	Chain1PanelOutput = "1PFW-OUTPUT"
-)
-
-var (
-	// 匹配 iptables 规则的正则表达式
-	filterListRegex = regexp.MustCompile(`^(\d+)\s+(.+?)\s+(.+?)\s+(.+?)\s+(.+?)\s+(.+?)\s+(.+?)(?:\s+(.+?))?(?:\s+(.+?))?`)
-)
-
-type IptablesFw struct {
-	iptables *Iptables
-}
-
-func NewIptablesFw() (*IptablesFw, error) {
-	iptables, err := NewIptables()
-	if err != nil {
-		return nil, err
-	}
-	return &IptablesFw{
-		iptables: iptables,
-	}, nil
-}
-
-func (f *IptablesFw) Name() string {
-	return "iptables"
-}
-
-func (f *IptablesFw) Status() (bool, error) {
-	// 检查自定义链是否存在来判断防火墙是否启用
-	exists, err := f.iptables.ChainExists(FilterTab, Chain1PanelInput)
-	if err != nil {
-		return false, err
-	}
-	return exists, nil
-}
-
-func (f *IptablesFw) Version() (string, error) {
-	stdout, err := cmd.RunDefaultWithStdoutBashC("iptables --version")
-	if err != nil {
-		return "", fmt.Errorf("load the firewall version failed, %v", err)
-	}
-	// 提取版本号，例如 "iptables v1.8.7 (nf_tables)"
-	parts := strings.Fields(stdout)
-	if len(parts) >= 2 {
-		return strings.TrimPrefix(parts[1], "v"), nil
-	}
-	return strings.TrimSpace(stdout), nil
-}
-
-func (f *IptablesFw) Start() error {
-	// 创建自定义链
-	if err := f.iptables.NewChain(FilterTab, Chain1PanelInput); err != nil {
-		global.LOG.Debugf("chain %s may already exist: %v", Chain1PanelInput, err)
-	}
-	if err := f.iptables.NewChain(FilterTab, Chain1PanelOutput); err != nil {
-		global.LOG.Debugf("chain %s may already exist: %v", Chain1PanelOutput, err)
-	}
-
-	// 将自定义链附加到 INPUT 和 OUTPUT 链
-	if err := f.ensureChainAttached("INPUT", Chain1PanelInput); err != nil {
-		return fmt.Errorf("failed to attach %s to INPUT: %v", Chain1PanelInput, err)
-	}
-	if err := f.ensureChainAttached("OUTPUT", Chain1PanelOutput); err != nil {
-		return fmt.Errorf("failed to attach %s to OUTPUT: %v", Chain1PanelOutput, err)
-	}
-
-	// 重载规则（从数据库恢复）
-	return f.Reload()
-}
-
-func (f *IptablesFw) Stop() error {
-	// 从 INPUT 和 OUTPUT 链中移除跳转规则
-	_ = f.iptables.Run(FilterTab, fmt.Sprintf("-D INPUT -j %s", Chain1PanelInput))
-	_ = f.iptables.Run(FilterTab, fmt.Sprintf("-D OUTPUT -j %s", Chain1PanelOutput))
-
-	// 清空并删除自定义链
-	_ = f.iptables.FlushChain(FilterTab, Chain1PanelInput)
-	_ = f.iptables.FlushChain(FilterTab, Chain1PanelOutput)
-	_ = f.iptables.Run(FilterTab, fmt.Sprintf("-X %s", Chain1PanelInput))
-	_ = f.iptables.Run(FilterTab, fmt.Sprintf("-X %s", Chain1PanelOutput))
-
-	return nil
-}
-
-func (f *IptablesFw) Restart() error {
-	if err := f.Stop(); err != nil {
-		return err
-	}
-	return f.Start()
-}
-
-func (f *IptablesFw) Reload() error {
-	// 清空链但保留链结构
-	if err := f.iptables.FlushChain(FilterTab, Chain1PanelInput); err != nil {
-		return err
-	}
-	if err := f.iptables.FlushChain(FilterTab, Chain1PanelOutput); err != nil {
-		return err
-	}
-
-	// 从数据库加载规则并恢复
-	var rules []model.IptablesRule
-	if err := global.DB.Find(&rules).Error; err != nil {
-		return fmt.Errorf("failed to load rules from database: %v", err)
-	}
-
-	for _, rule := range rules {
-		fireInfo := FireInfo{
-			Protocol: rule.Protocol,
-			Port:     rule.Port,
-			Strategy: rule.Strategy,
-			Address:  rule.Address,
-			Family:   rule.Family,
-		}
-		if rule.RuleType == "port" {
-			if err := f.Port(fireInfo, "add"); err != nil {
-				global.LOG.Errorf("failed to restore port rule %+v: %v", rule, err)
-			}
-		} else if rule.RuleType == "address" {
-			if err := f.RichRules(fireInfo, "add"); err != nil {
-				global.LOG.Errorf("failed to restore address rule %+v: %v", rule, err)
-			}
-		}
-	}
-
-	return nil
-}
-
-func (f *IptablesFw) ListPort() ([]FireInfo, error) {
-	return f.listRules(Chain1PanelInput, "port")
-}
-
-func (f *IptablesFw) ListAddress() ([]FireInfo, error) {
-	return f.listRules(Chain1PanelInput, "address")
-}
-
-func (f *IptablesFw) ListForward() ([]FireInfo, error) {
-	// 复用 ufw 的转发实现
-	if err := f.EnableForward(); err != nil {
-		global.LOG.Errorf("init port forward failed, err: %v", err)
-	}
-
-	rules, err := f.iptables.NatList()
-	if err != nil {
-		return nil, err
-	}
-
-	var list []FireInfo
-	for _, rule := range rules {
-		dest := strings.Split(rule.DestPort, ":")
-		if len(dest) < 2 {
-			continue
-		}
-		if len(dest[0]) == 0 {
-			dest[0] = "127.0.0.1"
-		}
-		list = append(list, FireInfo{
-			Num:        rule.Num,
-			Protocol:   rule.Protocol,
-			Interface:  rule.InIface,
-			Port:       rule.SrcPort,
-			TargetIP:   dest[0],
-			TargetPort: dest[1],
-		})
-	}
-	return list, nil
-}
-
-func (f *IptablesFw) Port(port FireInfo, operation string) error {
-	if cmd.CheckIllegal(operation, port.Protocol, port.Port) {
-		return buserr.New("ErrCmdIllegal")
-	}
-
-	// 转换策略
-	strategy := f.convertStrategy(port.Strategy)
-	if strategy == "" {
-		return fmt.Errorf("unsupported strategy %s", port.Strategy)
-	}
-
-	// 构建规则的唯一标识
-	comment := fmt.Sprintf("1Panel_Port_%s_%s_%s", port.Protocol, port.Port, strategy)
-
-	if operation == "add" {
-		// 添加到 INPUT 链
-		policy := IptablesPolicy{
-			Protocol: port.Protocol,
-			DstPort:  f.parsePort(port.Port),
-			Action:   strategy,
-			Comment:  comment,
-		}
-		if err := f.iptables.AddPolicy(Chain1PanelInput, policy); err != nil {
-			return fmt.Errorf("add port rule to INPUT failed: %v", err)
-		}
-
-		// 保存到数据库
-		rule := model.IptablesRule{
-			RuleType: "port",
-			Protocol: port.Protocol,
-			Port:     port.Port,
-			Strategy: port.Strategy,
-			Family:   "ipv4",
-		}
-		if err := global.DB.Create(&rule).Error; err != nil {
-			return fmt.Errorf("save rule to database failed: %v", err)
-		}
-	} else if operation == "remove" {
-		// 从 INPUT 链删除
-		if err := f.iptables.RemovePolicyByComment(Chain1PanelInput, comment); err != nil {
-			return fmt.Errorf("remove port rule from INPUT failed: %v", err)
-		}
-
-		// 从数据库删除
-		global.DB.Where("rule_type = ? AND protocol = ? AND port = ? AND strategy = ?",
-			"port", port.Protocol, port.Port, port.Strategy).Delete(&model.IptablesRule{})
-	}
-
-	return nil
-}
-
-func (f *IptablesFw) RichRules(rule FireInfo, operation string) error {
-	if cmd.CheckIllegal(operation, rule.Address, rule.Protocol, rule.Port) {
-		return buserr.New("ErrCmdIllegal")
-	}
-
-	strategy := f.convertStrategy(rule.Strategy)
-	if strategy == "" {
-		return fmt.Errorf("unsupported strategy %s", rule.Strategy)
-	}
-
-	// 构建规则的唯一标识
-	comment := fmt.Sprintf("1Panel_Addr_%s_%s_%s_%s", rule.Address, rule.Protocol, rule.Port, strategy)
-
-	if operation == "add" {
-		policy := IptablesPolicy{
-			Protocol: rule.Protocol,
-			SourceIP: rule.Address,
-			Action:   strategy,
-			Comment:  comment,
-		}
-		if len(rule.Port) > 0 {
-			policy.DstPort = f.parsePort(rule.Port)
-		}
-
-		if err := f.iptables.AddPolicy(Chain1PanelInput, policy); err != nil {
-			return fmt.Errorf("add address rule failed: %v", err)
-		}
-
-		// 保存到数据库
-		dbRule := model.IptablesRule{
-			RuleType: "address",
-			Protocol: rule.Protocol,
-			Port:     rule.Port,
-			Strategy: rule.Strategy,
-			Address:  rule.Address,
-			Family:   rule.Family,
-		}
-		if dbRule.Family == "" {
-			dbRule.Family = "ipv4"
-		}
-		if err := global.DB.Create(&dbRule).Error; err != nil {
-			return fmt.Errorf("save rule to database failed: %v", err)
-		}
-	} else if operation == "remove" {
-		if err := f.iptables.RemovePolicyByComment(Chain1PanelInput, comment); err != nil {
-			return fmt.Errorf("remove address rule failed: %v", err)
-		}
-
-		// 从数据库删除
-		global.DB.Where("rule_type = ? AND address = ? AND protocol = ? AND port = ? AND strategy = ?",
-			"address", rule.Address, rule.Protocol, rule.Port, rule.Strategy).Delete(&model.IptablesRule{})
-	}
-
-	return nil
-}
-
-func (f *IptablesFw) PortForward(info Forward, operation string) error {
-	// 直接复用 iptables 的 NAT 功能
-	if operation == "add" {
-		err := f.iptables.NatAdd(info.Protocol, info.Port, info.TargetIP, info.TargetPort, info.Interface, true)
-		if err != nil {
-			return fmt.Errorf("add port forward failed: %v", err)
-		}
-	} else if operation == "remove" {
-		err := f.iptables.NatRemove(info.Num, info.Protocol, info.Port, info.TargetIP, info.TargetPort, info.Interface)
-		if err != nil {
-			return fmt.Errorf("remove port forward failed: %v", err)
-		}
-	}
-	return nil
-}
-
-func (f *IptablesFw) EnableForward() error {
-	// 复用 ufw 的转发初始化逻辑
-	if err := f.iptables.Check(); err != nil {
-		return err
-	}
-
-	_ = f.iptables.NewChain(NatTab, PreRoutingChain)
-	_ = f.iptables.NewChain(NatTab, PostRoutingChain)
-	_ = f.iptables.NewChain(FilterTab, ForwardChain)
-
-	if err := f.enableForwardChain(); err != nil {
-		return err
-	}
-	return f.iptables.Reload()
-}
-
-// 辅助方法：确保链已附加到目标链
-func (f *IptablesFw) ensureChainAttached(targetChain, customChain string) error {
-	// 检查是否已经附加
-	rules, err := f.iptables.NatList(targetChain)
-	if err == nil {
-		for _, rule := range rules {
-			if rule.Target == customChain {
-				return nil
-			}
-		}
-	}
-
-	// 附加链
-	return f.iptables.AppendChain(FilterTab, targetChain, customChain)
-}
-
-// 辅助方法：启用转发链
-func (f *IptablesFw) enableForwardChain() error {
-	rules, err := f.iptables.NatList("PREROUTING")
-	if err != nil {
-		return err
-	}
-	for _, rule := range rules {
-		if rule.Target == PreRoutingChain {
-			return nil
-		}
-	}
-
-	_ = f.iptables.AppendChain(NatTab, "PREROUTING", PreRoutingChain)
-	_ = f.iptables.AppendChain(NatTab, "POSTROUTING", PostRoutingChain)
-	_ = f.iptables.AppendChain(FilterTab, "FORWARD", ForwardChain)
-	return nil
-}
-
-// 辅助方法：列出规则
-func (f *IptablesFw) listRules(chain, ruleType string) ([]FireInfo, error) {
-	stdout, err := cmd.RunDefaultWithStdoutBashCf("%s iptables -t filter -L %s -n -v --line-numbers", f.iptables.CmdStr, chain)
-	if err != nil {
-		return nil, fmt.Errorf("list rules failed: %v", err)
-	}
-
-	var datas []FireInfo
-	lines := strings.Split(stdout, "\n")
-	for i, line := range lines {
-		// 跳过表头
-		if i < 2 || strings.TrimSpace(line) == "" {
-			continue
-		}
-
-		fields := strings.Fields(line)
-		if len(fields) < 7 {
-			continue
-		}
-
-		// 解析规则字段
-		// num pkts bytes target prot opt in out source destination [extra]
-		num := fields[0]
-		target := fields[3]
-		protocol := fields[4]
-		source := fields[8]
-
-		// 提取端口信息（从 extra 字段）
-		var port string
-		if len(fields) > 10 {
-			for j := 10; j < len(fields); j++ {
-				if strings.HasPrefix(fields[j], "dpt:") {
-					port = strings.TrimPrefix(fields[j], "dpt:")
-				} else if strings.HasPrefix(fields[j], "spt:") {
-					port = strings.TrimPrefix(fields[j], "spt:")
-				}
-			}
-		}
-
-		// 根据类型过滤
-		if ruleType == "port" {
-			// 端口规则：有端口信息，源地址为 0.0.0.0/0
-			if len(port) > 0 && (source == "0.0.0.0/0" || source == "anywhere") {
-				datas = append(datas, FireInfo{
-					Num:      num,
-					Protocol: protocol,
-					Port:     port,
-					Strategy: f.convertStrategyReverse(target),
-					Family:   "ipv4",
-				})
-			}
-		} else if ruleType == "address" {
-			// 地址规则：有源地址限制
-			if source != "0.0.0.0/0" && source != "anywhere" {
-				datas = append(datas, FireInfo{
-					Num:      num,
-					Protocol: protocol,
-					Port:     port,
-					Address:  source,
-					Strategy: f.convertStrategyReverse(target),
-					Family:   "ipv4",
-				})
-			}
-		}
-	}
-
-	return datas, nil
-}
-
-// 辅助方法：转换策略名称 (accept/drop -> ACCEPT/DROP)
-func (f *IptablesFw) convertStrategy(strategy string) string {
-	switch strategy {
-	case "accept":
-		return "ACCEPT"
-	case "drop":
-		return "DROP"
-	case "reject":
-		return "REJECT"
-	default:
-		return ""
-	}
-}
-
-// 辅助方法：反向转换策略名称 (ACCEPT/DROP -> accept/drop)
-func (f *IptablesFw) convertStrategyReverse(strategy string) string {
-	switch strategy {
-	case "ACCEPT":
-		return "accept"
-	case "DROP":
-		return "drop"
-	case "REJECT":
-		return "reject"
-	default:
-		return strategy
-	}
-}
-
-// 辅助方法：解析端口字符串为 uint16
-func (f *IptablesFw) parsePort(portStr string) uint16 {
-	port, err := strconv.ParseUint(portStr, 10, 16)
-	if err != nil {
-		return 0
-	}
-	return uint16(port)
-}
diff --git a/agent/utils/firewall/client/iptables_policy.go b/agent/utils/firewall/client/iptables_policy.go
new file mode 100644
index 000000000000..edce0c3b4955
--- /dev/null
+++ b/agent/utils/firewall/client/iptables_policy.go
@@ -0,0 +1,99 @@
+package client
+
+import (
+	"fmt"
+	"strings"
+)
+
+// IptablesChain
+type IptablesChain struct {
+	Name          string
+	DefaultPolicy string
+	FirstRule     *IptablesPolicyChainItem
+	LastRule      *IptablesPolicyChainItem
+}
+
+func (c *IptablesChain) ParseLine(line string) error {
+	cmd := strings.Split(line, " ")
+
+	if cmd[0] == "-P" {
+		c.Name = cmd[1]
+		c.DefaultPolicy = cmd[2]
+		return nil
+	}
+	if cmd[0] == "-A" {
+		if cmd[1] != c.Name {
+			return fmt.Errorf("invalid chain name in rule line: %s", line)
+		}
+		policy := IptablesPolicy{}
+		for i := 2; i < len(cmd); i++ {
+			switch cmd[i] {
+			case "-p":
+				i++
+				policy.Protocol = cmd[i]
+			case "--dport":
+				i++
+				// parse port
+				var port uint16
+				fmt.Sscanf(cmd[i], "%d", &port)
+				policy.DstPort = port
+			case "--sport":
+				i++
+				var port uint16
+				fmt.Sscanf(cmd[i], "%d", &port)
+				policy.SrcPort = port
+			case "-s":
+				i++
+				policy.SourceIP = cmd[i]
+			case "-d":
+				i++
+				policy.DestIP = cmd[i]
+			case "-j":
+				i++
+				policy.Action = cmd[i]
+			case "-m":
+				// skip
+				i++
+			case "--comment":
+				i++
+				policy.Comment = strings.Trim(cmd[i], "\"")
+			}
+		}
+		newItem := &IptablesPolicyChainItem{
+			P: policy,
+		}
+		if c.FirstRule == nil {
+			c.FirstRule = newItem
+			c.LastRule = newItem
+		} else {
+			current := c.LastRule
+			current.SetNext(newItem)
+			c.LastRule = newItem
+		}
+		return nil
+	}
+	return fmt.Errorf("invalid iptables rule line: %s", line)
+}
+
+type IptablesPolicyChainItem struct {
+	next *IptablesPolicyChainItem
+	P    IptablesPolicy
+}
+
+func (item *IptablesPolicyChainItem) SetNext(next *IptablesPolicyChainItem) {
+	item.next = next
+}
+
+func (item *IptablesPolicyChainItem) Next() *IptablesPolicyChainItem {
+	return item.next
+}
+
+type IptablesPolicy struct {
+	Protocol string
+	SrcPort  uint16
+	DstPort  uint16
+	SourceIP string
+	DestIP   string
+	Action   string // ACCEPT, DROP, REJECT
+	Comment  string
+}

From 6177d40d3b2bac9946ee87bd696c578b29bf18d7 Mon Sep 17 00:00:00 2001
From: HynoR <20227709+HynoR@users.noreply.github.com>
Date: Fri, 31 Oct 2025 18:14:37 +0800
Subject: [PATCH 03/16] feat: improve iptables firewall

---
 agent/app/service/iptables_filter.go          |  58 ++------
 agent/utils/firewall/client/iptables.go       |  64 ++++++++-
 frontend/src/lang/modules/en.ts               |   5 +
 frontend/src/lang/modules/es-es.ts            |   5 +
 frontend/src/lang/modules/ja.ts               |   5 +
 frontend/src/lang/modules/ko.ts               |   5 +
 frontend/src/lang/modules/ms.ts               |   5 +
 frontend/src/lang/modules/pt-br.ts            |   5 +
 frontend/src/lang/modules/ru.ts               |   5 +
 frontend/src/lang/modules/tr.ts               |   4 +
 frontend/src/lang/modules/zh-Hant.ts          |   4 +
 frontend/src/lang/modules/zh.ts               |   9 +-
 frontend/src/views/host/filter/index.vue      |  64 ++++-----
 .../src/views/host/filter/operate/index.vue   | 135 ++++++++++++++----
 14 files changed, 257 insertions(+), 116 deletions(-)

diff --git a/agent/app/service/iptables_filter.go b/agent/app/service/iptables_filter.go
index 9e4d9df2785a..6cfbe941a179 100644
--- a/agent/app/service/iptables_filter.go
+++ b/agent/app/service/iptables_filter.go
@@ -138,14 +138,14 @@ func (s *IptablesFilterService) GetFilterRules(chains []string) ([]dto.IptablesC
 
 func (s *IptablesFilterService) AddRule(req dto.IptablesFilterRuleOperate) error {
 	if req.Chain != Chain1PanelInput && req.Chain != Chain1PanelOutput {
-		return fmt.Errorf("只允许操作 %s 或 %s 链", Chain1PanelInput, Chain1PanelOutput)
+		return fmt.Errorf("Only %s or %s chains are allowed", Chain1PanelInput, Chain1PanelOutput)
 	}
 
 	// 安全检查：防止无条件 DROP/REJECT
 	if (req.Action == "DROP" || req.Action == "REJECT") &&
 		req.Protocol == "" && req.SourceIP == "" && req.DestIP == "" &&
 		req.SourcePort == 0 && req.DestPort == 0 {
-		return fmt.Errorf("不允许添加无条件 %s 规则，这会锁定系统", req.Action)
+		return fmt.Errorf("Iptables Rule Security Check: unconditional %s rules are not allowed, this may lock you out of the system", req.Action)
 	}
 
 	ctx := context.Background()
@@ -298,7 +298,7 @@ func (s *IptablesFilterService) ApplyFirewall() error {
 			if (p.Action == "DROP" || p.Action == "REJECT") &&
 				p.Protocol == "" && p.SourceIP == "" && p.DestIP == "" &&
 				p.SrcPort == 0 && p.DstPort == 0 {
-				return fmt.Errorf("链 %s 包含无条件 %s 规则，不允许应用", Chain1PanelInput, p.Action)
+				return fmt.Errorf("Chain %s includes unconditional %s rule, not allowed to apply", Chain1PanelInput, p.Action)
 			}
 			item = item.Next()
 		}
@@ -312,59 +312,21 @@ func (s *IptablesFilterService) ApplyFirewall() error {
 			if (p.Action == "DROP" || p.Action == "REJECT") &&
 				p.Protocol == "" && p.SourceIP == "" && p.DestIP == "" &&
 				p.SrcPort == 0 && p.DstPort == 0 {
-				return fmt.Errorf("链 %s 包含无条件 %s 规则，不允许应用", Chain1PanelOutput, p.Action)
+				return fmt.Errorf("Chain %s includes unconditional %s rule, not allowed to apply", Chain1PanelOutput, p.Action)
 			}
 			item = item.Next()
 		}
 	}
 
-	// 检查 INPUT 链是否已有跳转规则
-	inputChains, _ := s.iptablesClient.ReadFilter([]string{ChainInput})
-	hasInputRule := false
-	if inputChain, ok := inputChains[ChainInput]; ok {
-		item := inputChain.FirstRule
-		for item != nil {
-			if item.P.Action == Chain1PanelInput {
-				hasInputRule = true
-				break
-			}
-			item = item.Next()
-		}
-	}
-
-	// 应用到 INPUT 链
-	if !hasInputRule {
-		if err := s.iptablesClient.Run(client.FilterTab, fmt.Sprintf("-I %s 1 -j %s", ChainInput, Chain1PanelInput)); err != nil {
-			return fmt.Errorf("failed to apply %s to %s: %w", Chain1PanelInput, ChainInput, err)
-		}
-		global.LOG.Infof("Applied %s to %s chain", Chain1PanelInput, ChainInput)
-	} else {
-		global.LOG.Infof("%s already applied to %s chain", Chain1PanelInput, ChainInput)
+	if err := s.iptablesClient.Setup1PanelFirewallChains("input"); err != nil {
+		return fmt.Errorf("failed to apply %s to %s: %w", Chain1PanelInput, ChainInput, err)
 	}
+	global.LOG.Infof("Applied %s to %s chain", Chain1PanelInput, ChainInput)
 
-	// 检查 OUTPUT 链是否已有跳转规则
-	outputChains, _ := s.iptablesClient.ReadFilter([]string{ChainOutput})
-	hasOutputRule := false
-	if outputChain, ok := outputChains[ChainOutput]; ok {
-		item := outputChain.FirstRule
-		for item != nil {
-			if item.P.Action == Chain1PanelOutput {
-				hasOutputRule = true
-				break
-			}
-			item = item.Next()
-		}
-	}
-
-	// 应用到 OUTPUT 链
-	if !hasOutputRule {
-		if err := s.iptablesClient.Run(client.FilterTab, fmt.Sprintf("-I %s 1 -j %s", ChainOutput, Chain1PanelOutput)); err != nil {
-			return fmt.Errorf("failed to apply %s to %s: %w", Chain1PanelOutput, ChainOutput, err)
-		}
-		global.LOG.Infof("Applied %s to %s chain", Chain1PanelOutput, ChainOutput)
-	} else {
-		global.LOG.Infof("%s already applied to %s chain", Chain1PanelOutput, ChainOutput)
+	if err := s.iptablesClient.Setup1PanelFirewallChains("output"); err != nil {
+		return fmt.Errorf("failed to apply %s to %s: %w", Chain1PanelInput, ChainInput, err)
 	}
+	global.LOG.Infof("Applied %s to %s chain", Chain1PanelInput, ChainInput)
 
 	return nil
 }
diff --git a/agent/utils/firewall/client/iptables.go b/agent/utils/firewall/client/iptables.go
index b9aa6636a5e7..9202770b7630 100644
--- a/agent/utils/firewall/client/iptables.go
+++ b/agent/utils/firewall/client/iptables.go
@@ -12,9 +12,13 @@ import (
 )
 
 const (
-	PreRoutingChain  = "1PANEL_PREROUTING"
-	PostRoutingChain = "1PANEL_POSTROUTING"
-	ForwardChain     = "1PANEL_FORWARD"
+	PreRoutingChain   = "1PANEL_PREROUTING"
+	PostRoutingChain  = "1PANEL_POSTROUTING"
+	ForwardChain      = "1PANEL_FORWARD"
+	ChainInput        = "INPUT"
+	ChainOutput       = "OUTPUT"
+	Chain1PanelInput  = "1PANEL_INPUT"
+	Chain1PanelOutput = "1PANEL_OUTPUT"
 )
 
 const (
@@ -432,3 +436,57 @@ func (iptables *Iptables) DeletePolicy(chain string, policy IptablesPolicy) erro
 
 	return iptables.run(FilterTab, iptablesArg)
 }
+
+// CheckPolicyExists 检查策略是否存在
+func (iptables *Iptables) CheckPolicyExists(chain string, policyStr string) bool {
+	err := iptables.run(FilterTab, fmt.Sprintf("-C %s %s", chain, policyStr))
+	if err != nil {
+		return false
+	}
+	return true
+}
+
+const (
+	establishedRule = "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
+	ioRuleIn        = "-i lo -j ACCEPT"
+	ioRuleOut       = "-o lo -j ACCEPT"
+)
+
+func (iptables *Iptables) setupEstablishedRules(direction string) {
+	if direction == "input" {
+		if !iptables.CheckPolicyExists("INPUT", ioRuleIn) {
+			iptables.run(FilterTab, fmt.Sprintf("-I INPUT 1 %s", ioRuleIn))
+		}
+
+		if !iptables.CheckPolicyExists("INPUT", establishedRule) {
+			iptables.run(FilterTab, fmt.Sprintf("-I INPUT 2 %s", establishedRule))
+		}
+	}
+
+	if direction == "output" {
+		if !iptables.CheckPolicyExists("OUTPUT", ioRuleOut) {
+			iptables.run(FilterTab, fmt.Sprintf("-I OUTPUT 1 %s", ioRuleOut))
+		}
+		if !iptables.CheckPolicyExists("OUTPUT", establishedRule) {
+			iptables.run(FilterTab, fmt.Sprintf("-I OUTPUT 2 %s", establishedRule))
+		}
+	}
+}
+
+func (iptables *Iptables) Setup1PanelFirewallChains(direction string) error {
+	iptables.setupEstablishedRules(direction)
+	if direction == "input" {
+		if !iptables.CheckPolicyExists(ChainInput, fmt.Sprintf("-j %s", Chain1PanelInput)) {
+			if err := iptables.run(FilterTab, fmt.Sprintf("-I %s 3 -j %s", ChainInput, Chain1PanelInput)); err != nil {
+				return err
+			}
+		}
+	} else if direction == "output" {
+		if !iptables.CheckPolicyExists(ChainOutput, fmt.Sprintf("-j %s", Chain1PanelOutput)) {
+			if err := iptables.run(FilterTab, fmt.Sprintf("-I %s 3 -j %s", ChainOutput, Chain1PanelOutput)); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
diff --git a/frontend/src/lang/modules/en.ts b/frontend/src/lang/modules/en.ts
index 0089c2f735af..8920d7802f67 100644
--- a/frontend/src/lang/modules/en.ts
+++ b/frontend/src/lang/modules/en.ts
@@ -2887,6 +2887,9 @@ const message = {
         changeStrategyHelper:
             'Change [{1}] {0} strategy to [{2}]. After setting, {0} will access {2} externally. Do you want to continue?',
         portHelper: 'Multiple ports can be entered, e.g. 80,81, or range ports, e.g. 80-88',
+        allPorts: 'All Ports',
+        ruleTemplate: 'Rule template',
+
         strategy: 'Strategy',
         accept: 'Accept',
         drop: 'Drop',
@@ -2907,6 +2910,8 @@ const message = {
         createIpRule: '@:commons.button.create @:firewall.ipRule',
         userAgent: 'User-Agent filter',
         sourcePort: 'Source port',
+        inboundDirection: 'Inbound',
+        outboundDirection: 'Outbound',
         targetIP: 'Destination IP',
         targetPort: 'Destination port',
         forwardHelper1: 'If you want to forward to the local port, the destination IP should be set to "127.0.0.1".',
diff --git a/frontend/src/lang/modules/es-es.ts b/frontend/src/lang/modules/es-es.ts
index 26436be7397d..8dc84a1b4cb6 100644
--- a/frontend/src/lang/modules/es-es.ts
+++ b/frontend/src/lang/modules/es-es.ts
@@ -2862,6 +2862,9 @@ const message = {
         changeStrategyHelper:
             'Cambiar estrategia de {0} [{1}] a [{2}]. Después de configurarla, {0} tendrá acceso externo como {2}. ¿Deseas continuar?',
         portHelper: 'Se pueden ingresar múltiples puertos, ej. 80,81, o rangos, ej. 80-88',
+        allPorts: 'Todos los puertos',
+        ruleTemplate: 'Plantilla de regla',
+
         strategy: 'Estrategia',
         accept: 'Aceptar',
         drop: 'Rechazar',
@@ -2882,6 +2885,8 @@ const message = {
         createIpRule: '@:commons.button.create @:firewall.ipRule',
         userAgent: 'Filtro User-Agent',
         sourcePort: 'Puerto de origen',
+        inboundDirection: 'Entrada',
+        outboundDirection: 'Salida',
         targetIP: 'IP de destino',
         targetPort: 'Puerto de destino',
         forwardHelper1: 'Si quieres reenviar al puerto local, la IP de destino debe ser "127.0.0.1".',
diff --git a/frontend/src/lang/modules/ja.ts b/frontend/src/lang/modules/ja.ts
index 8ccfcc80c982..28e2bd229d73 100644
--- a/frontend/src/lang/modules/ja.ts
+++ b/frontend/src/lang/modules/ja.ts
@@ -2805,6 +2805,9 @@ const message = {
         changeStrategyHelper:
             '[{1}] {0}戦略を[{2}]に変更します。設定後、{0}は外部から{2}にアクセスします。続けたいですか？',
         portHelper: '複数のポートを入力できます。80,81、または範囲ポート、例えば80-88',
+        allPorts: 'すべてのポート',
+        ruleTemplate: 'ルールテンプレート',
+
         strategy: '戦略',
         accept: '受け入れる',
         drop: '落とす',
@@ -2825,6 +2828,8 @@ const message = {
         createIpRule: '@:commons.button.create @:firewall.iprule',
         userAgent: 'ユーザーエージェントフィルター',
         sourcePort: 'ソースポート',
+        inboundDirection: '受信方向',
+        outboundDirection: '送信方向',
         targetIP: '宛先IP',
         targetPort: '宛先ポート',
         forwardHelper1: 'ローカルポートに転送する場合は、宛先IPを「127.0.0.1」に設定する必要があります。',
diff --git a/frontend/src/lang/modules/ko.ts b/frontend/src/lang/modules/ko.ts
index dcbe63902a40..efe2b8aea333 100644
--- a/frontend/src/lang/modules/ko.ts
+++ b/frontend/src/lang/modules/ko.ts
@@ -2756,6 +2756,9 @@ const message = {
         changeStrategyHelper:
             '[{1}] {0} 전략을 [{2}]로 변경합니다. 설정 후 {0}은(는) {2}로 외부 접근을 허용합니다. 계속하시겠습니까?',
         portHelper: '여러 포트를 입력할 수 있습니다. 예: 80, 81 또는 포트 범위, 예: 80-88',
+        allPorts: '모든 포트',
+        ruleTemplate: '규칙 템플릿',
+
         strategy: '전략',
         accept: '허용',
         drop: '차단',
@@ -2776,6 +2779,8 @@ const message = {
         createIpRule: '@:commons.button.create @:firewall.ipRule',
         userAgent: 'User-Agent 필터',
         sourcePort: '소스 포트',
+        inboundDirection: '인바운드',
+        outboundDirection: '아웃바운드',
         targetIP: '대상 IP',
         targetPort: '대상 포트',
         forwardHelper1: "로컬 포트로 전달하려면, 대상 IP 를 '127.0.0.1'로 설정해야 합니다.",
diff --git a/frontend/src/lang/modules/ms.ts b/frontend/src/lang/modules/ms.ts
index 8d820c3ac819..bce3029bcb1a 100644
--- a/frontend/src/lang/modules/ms.ts
+++ b/frontend/src/lang/modules/ms.ts
@@ -2870,6 +2870,9 @@ const message = {
         changeStrategyHelper:
             'Tukar strategi {0} [{1}] kepada [{2}]. Selepas tetapan, {0} akan mengakses {2} secara luaran. Adakah anda mahu meneruskan?',
         portHelper: 'Pelbagai port boleh dimasukkan, contohnya 80,81, atau rentang port, contohnya 80-88',
+        allPorts: 'Semua port',
+        ruleTemplate: 'Templat peraturan',
+
         strategy: 'Strategi',
         accept: 'Terima',
         drop: 'Lumpuhkan',
@@ -2890,6 +2893,8 @@ const message = {
         createIpRule: '@:commons.button.create @:firewall.ipRule',
         userAgent: 'Penapis User-Agent',
         sourcePort: 'Port sumber',
+        inboundDirection: 'Masuk',
+        outboundDirection: 'Keluar',
         targetIP: 'IP sasaran',
         targetPort: 'Port sasaran',
         forwardHelper1: 'Jika anda ingin memajukan ke port tempatan, IP sasaran harus ditetapkan kepada "127.0.0.1".',
diff --git a/frontend/src/lang/modules/pt-br.ts b/frontend/src/lang/modules/pt-br.ts
index 5ef88e7124ac..889cd3dd8872 100644
--- a/frontend/src/lang/modules/pt-br.ts
+++ b/frontend/src/lang/modules/pt-br.ts
@@ -2875,6 +2875,9 @@ const message = {
         changeStrategyHelper:
             'Alterar a estratégia [{1}] {0} para [{2}]. Após a definição, {0} acessará {2} externamente. Deseja continuar?',
         portHelper: 'Várias portas podem ser inseridas, ex.: 80,81, ou faixas de portas, ex.: 80-88',
+        allPorts: 'Todas as portas',
+        ruleTemplate: 'Modelo de regra',
+
         strategy: 'Estratégia',
         accept: 'Aceitar',
         drop: 'Bloquear',
@@ -2895,6 +2898,8 @@ const message = {
         createIpRule: '@:commons.button.create @:firewall.ipRule',
         userAgent: 'Filtro User-Agent',
         sourcePort: 'Porta de origem',
+        inboundDirection: 'Entrada',
+        outboundDirection: 'Saída',
         targetIP: 'IP de destino',
         targetPort: 'Porta de destino',
         forwardHelper1:
diff --git a/frontend/src/lang/modules/ru.ts b/frontend/src/lang/modules/ru.ts
index f7f9290c7d93..e52c3ca82d8e 100644
--- a/frontend/src/lang/modules/ru.ts
+++ b/frontend/src/lang/modules/ru.ts
@@ -2869,6 +2869,9 @@ const message = {
         changeStrategyHelper:
             'Изменить стратегию {0} [{1}] на [{2}]. После установки {0} будет иметь внешний доступ {2}. Хотите продолжить?',
         portHelper: 'Можно ввести несколько портов, например 80,81, или диапазон портов, например 80-88',
+        allPorts: 'Все порты',
+        ruleTemplate: 'Шаблон правила',
+
         strategy: 'Стратегия',
         accept: 'Принять',
         drop: 'Отбросить',
@@ -2889,6 +2892,8 @@ const message = {
         createIpRule: '@:commons.button.create @:firewall.ipRule',
         userAgent: 'Фильтр User-Agent',
         sourcePort: 'Исходный порт',
+        inboundDirection: 'Входящий',
+        outboundDirection: 'Исходящий',
         targetIP: 'Целевой IP',
         targetPort: 'Целевой порт',
         forwardHelper1:
diff --git a/frontend/src/lang/modules/tr.ts b/frontend/src/lang/modules/tr.ts
index b08f4f3501af..643271e6963a 100644
--- a/frontend/src/lang/modules/tr.ts
+++ b/frontend/src/lang/modules/tr.ts
@@ -2928,6 +2928,8 @@ const message = {
         changeStrategyHelper:
             '[{1}] {0} stratejisini [{2}] olarak değiştirin. Ayar yapıldıktan sonra {0}, dışarıdan {2} erişimi sağlayacak. Devam etmek istiyor musunuz?',
         portHelper: 'Birden fazla port girilebilir, ör. 80,81 veya aralık portları, ör. 80-88',
+        allPorts: 'Tüm portlar',
+        ruleTemplate: 'Kural şablonu',
         strategy: 'Strateji',
         accept: 'Kabul Et',
         drop: 'Reddet',
@@ -2948,6 +2950,8 @@ const message = {
         createIpRule: '@:commons.button.create @:firewall.ipRule',
         userAgent: 'Kullanıcı-Aracısı filtresi',
         sourcePort: 'Kaynak port',
+        inboundDirection: 'Gelen',
+        outboundDirection: 'Giden',
         targetIP: 'Hedef IP',
         targetPort: 'Hedef port',
         forwardHelper1: 'Yerel porta yönlendirmek istiyorsanız, hedef IP "127.0.0.1" olarak ayarlanmalıdır.',
diff --git a/frontend/src/lang/modules/zh-Hant.ts b/frontend/src/lang/modules/zh-Hant.ts
index 7846a019b566..69eccdae0911 100644
--- a/frontend/src/lang/modules/zh-Hant.ts
+++ b/frontend/src/lang/modules/zh-Hant.ts
@@ -2679,6 +2679,8 @@ const message = {
         portFormatError: '請輸入正確的埠資訊！',
         portHelper1: '多個埠，如：8080,8081',
         portHelper2: '範圍埠，如：8080-8089',
+        allPorts: '所有埠',
+        ruleTemplate: '規則模板',
         strategy: '策略',
         accept: '允許',
         drop: '拒絕',
@@ -2699,6 +2701,8 @@ const message = {
         createIpRule: '@:commons.button.create @:firewall.ipRule',
         userAgent: 'User-Agent 過濾',
         sourcePort: '來源埠',
+        inboundDirection: '入站方向',
+        outboundDirection: '出站方向',
         targetIP: '目標 IP',
         targetPort: '目標埠',
         forwardHelper1: '如果是本機埠轉發，目標 IP 為：127.0.0.1',
diff --git a/frontend/src/lang/modules/zh.ts b/frontend/src/lang/modules/zh.ts
index fb9e9d47ccf7..b2613704d29b 100644
--- a/frontend/src/lang/modules/zh.ts
+++ b/frontend/src/lang/modules/zh.ts
@@ -2712,8 +2712,9 @@ const message = {
         chainHelper: '仅允许修改 1PANEL_INPUT 和 1PANEL_OUTPUT 自定义链',
         ruleOrder: '顺序',
         sourceIP: '源 IP',
-        sourcePort: '源端口',
         destIP: '目标 IP',
+        inboundDirection: '入站方向',
+        outboundDirection: '出站方向',
         destPort: '目标端口',
         action: '动作',
         reject: '拒绝',
@@ -2723,9 +2724,11 @@ const message = {
         initChains: '初始化链',
         applyFirewall: '应用防火墙',
         unloadFirewall: '卸载防火墙',
-        sourceIPHelper: 'CIDR 格式，如 192.168.1.0/24，留空表示任意',
-        destIPHelper: 'CIDR 格式，如 10.0.0.0/8，留空表示任意',
+        sourceIPHelper: 'CIDR 格式，如 192.168.1.0/24，留空表所有地址',
+        destIPHelper: 'CIDR 格式，如 10.0.0.0/留空表所有地址',
         portHelper: '0 表示任意端口',
+        allPorts: '所有端口',
+        ruleTemplate: '规则模板',
         deleteRuleConfirm: '将删除 {0} 条规则，是否继续？',
         initChainsConfirm: '将重置 1PANEL_INPUT 和 1PANEL_OUTPUT 链为默认 ACCEPT 规则，是否继续？',
         applyConfirm: '将应用自定义链到 INPUT/OUTPUT，请确保 SSH 端口（22）已放行，是否继续？',
diff --git a/frontend/src/views/host/filter/index.vue b/frontend/src/views/host/filter/index.vue
index 8c613dbd9d6e..df46693b818c 100644
--- a/frontend/src/views/host/filter/index.vue
+++ b/frontend/src/views/host/filter/index.vue
@@ -5,17 +5,14 @@
                 <div class="flex w-full flex-col gap-4 md:flex-row">
                     <div class="flex flex-wrap gap-4 ml-3">
                         <el-tag effect="dark" type="success">{{ 'iptables v' + iptablesVersion }}</el-tag>
+                        <el-tag :type="inputChainInfo?.isApplied ? 'success' : 'info'" size="small">
+                            {{ inputChainInfo?.isApplied ? $t('firewall.applied') : $t('firewall.notApplied') }}
+                        </el-tag>
                     </div>
                 </div>
             </el-card>
             <div>
                 <LayoutContent :title="$t('firewall.filterRule')">
-                    <template #prompt>
-                        <el-alert type="info" :closable="false">
-                            <span>{{ $t('firewall.filterHelper') }}</span>
-                        </el-alert>
-                    </template>
-
                     <template #leftToolBar>
                         <el-button type="primary" @click="onOpenDialog('create')" :disabled="!isCustomChain">
                             {{ $t('commons.button.create') }}{{ $t('firewall.filterRule') }}
@@ -37,10 +34,10 @@
                     <template #rightToolBar>
                         <el-select v-model="selectedChain" @change="search()" clearable class="p-w-200">
                             <template #prefix>{{ $t('firewall.chain') }}</template>
+                            <el-option :label="$t('firewall.inboundDirection')" value="1PANEL_INPUT"></el-option>
+                            <el-option :label="$t('firewall.outboundDirection')" value="1PANEL_OUTPUT"></el-option>
                             <el-option label="INPUT" value="INPUT"></el-option>
                             <el-option label="OUTPUT" value="OUTPUT"></el-option>
-                            <el-option label="1PANEL_INPUT" value="1PANEL_INPUT"></el-option>
-                            <el-option label="1PANEL_OUTPUT" value="1PANEL_OUTPUT"></el-option>
                         </el-select>
                         <TableRefresh @search="search()" />
                         <TableSetting title="firewall-filter-refresh" @search="search()" />
@@ -52,16 +49,7 @@
                             <el-col :span="12">
                                 <el-card>
                                     <div class="chain-card">
-                                        <div class="chain-title">
-                                            INPUT {{ $t('firewall.chain') }}
-                                            <el-tag :type="inputChainInfo?.isApplied ? 'success' : 'info'" size="small">
-                                                {{
-                                                    inputChainInfo?.isApplied
-                                                        ? $t('firewall.applied')
-                                                        : $t('firewall.notApplied')
-                                                }}
-                                            </el-tag>
-                                        </div>
+                                        <div class="chain-title">{{ $t('firewall.inboundDirection') }}</div>
                                         <div class="chain-policy">
                                             {{ $t('firewall.defaultPolicy') }}:
                                             {{ inputChainInfo?.defaultPolicy || 'ACCEPT' }}
@@ -72,19 +60,7 @@
                             <el-col :span="12">
                                 <el-card>
                                     <div class="chain-card">
-                                        <div class="chain-title">
-                                            OUTPUT {{ $t('firewall.chain') }}
-                                            <el-tag
-                                                :type="outputChainInfo?.isApplied ? 'success' : 'info'"
-                                                size="small"
-                                            >
-                                                {{
-                                                    outputChainInfo?.isApplied
-                                                        ? $t('firewall.applied')
-                                                        : $t('firewall.notApplied')
-                                                }}
-                                            </el-tag>
-                                        </div>
+                                        <div class="chain-title">{{ $t('firewall.outboundDirection') }}</div>
                                         <div class="chain-policy">
                                             {{ $t('firewall.defaultPolicy') }}:
                                             {{ outputChainInfo?.defaultPolicy || 'ACCEPT' }}
@@ -101,27 +77,31 @@
                             :data="data"
                             :heightDiff="520"
                         >
-                            <el-table-column v-if="isCustomChain" type="selection" fix />
+                            <el-table-column type="selection" fix />
                             <el-table-column :label="$t('firewall.ruleOrder')" :min-width="80" prop="ruleOrder" />
-                            <el-table-column :label="$t('commons.table.protocol')" :min-width="80" prop="protocol" />
+                            <el-table-column :label="$t('commons.table.protocol')" :min-width="80" prop="protocol">
+                                <template #default="{ row }">
+                                    <span>{{ row.protocol === '' ? 'ALL' : row.protocol.toUpperCase() }}</span>
+                                </template>
+                            </el-table-column>
                             <el-table-column :label="$t('firewall.sourceIP')" :min-width="120" prop="sourceIP">
                                 <template #default="{ row }">
-                                    <span>{{ row.sourceIP || '-' }}</span>
+                                    <span>{{ row.sourceIP || $t('firewall.anyWhere') }}</span>
                                 </template>
                             </el-table-column>
                             <el-table-column :label="$t('firewall.sourcePort')" :min-width="100" prop="sourcePort">
                                 <template #default="{ row }">
-                                    <span>{{ row.sourcePort || '-' }}</span>
+                                    <span>{{ formatPort(row.sourcePort) }}</span>
                                 </template>
                             </el-table-column>
                             <el-table-column :label="$t('firewall.destIP')" :min-width="120" prop="destIP">
                                 <template #default="{ row }">
-                                    <span>{{ row.destIP || '-' }}</span>
+                                    <span>{{ row.destIP || $t('firewall.anyWhere') }}</span>
                                 </template>
                             </el-table-column>
                             <el-table-column :label="$t('firewall.destPort')" :min-width="100" prop="destPort">
                                 <template #default="{ row }">
-                                    <span>{{ row.destPort || '-' }}</span>
+                                    <span>{{ formatPort(row.destPort) }}</span>
                                 </template>
                             </el-table-column>
                             <el-table-column :min-width="100" :label="$t('firewall.action')" prop="action">
@@ -179,6 +159,16 @@ const data = computed(() => {
     return chainInfo?.rules || [];
 });
 
+const formatPort = (port?: number | null | string) => {
+    if (port === 0 || port === '0') {
+        return i18n.global.t('firewall.allPorts');
+    }
+    if (port === undefined || port === null || port === '') {
+        return '-';
+    }
+    return port;
+};
+
 const inputChainInfo = computed(() => chainInfoMap.value.get('INPUT'));
 const outputChainInfo = computed(() => chainInfoMap.value.get('OUTPUT'));
 
diff --git a/frontend/src/views/host/filter/operate/index.vue b/frontend/src/views/host/filter/operate/index.vue
index 2af02e8d314f..23ac0c1b284c 100644
--- a/frontend/src/views/host/filter/operate/index.vue
+++ b/frontend/src/views/host/filter/operate/index.vue
@@ -3,38 +3,38 @@
         <el-form ref="formRef" label-position="top" :model="dialogData.rowData" :rules="rules" v-loading="loading">
             <el-form-item :label="$t('firewall.targetChain')" prop="chain">
                 <el-select class="w-full" v-model="dialogData.rowData!.chain">
-                    <el-option value="1PANEL_INPUT" label="1PANEL_INPUT" />
-                    <el-option value="1PANEL_OUTPUT" label="1PANEL_OUTPUT" />
+                    <el-option value="1PANEL_INPUT" :label="$t('firewall.inboundDirection')" />
+                    <el-option value="1PANEL_OUTPUT" :label="$t('firewall.outboundDirection')" />
+                </el-select>
+            </el-form-item>
+
+            <el-form-item :label="$t('firewall.ruleTemplate')">
+                <el-select class="w-full" v-model="templateValue" clearable>
+                    <el-option
+                        v-for="item in ruleTemplates"
+                        :key="item.value"
+                        :label="$t(item.label)"
+                        :value="item.value"
+                    />
                 </el-select>
             </el-form-item>
 
             <el-form-item :label="$t('commons.table.protocol')" prop="protocol">
                 <el-select class="w-full" v-model="dialogData.rowData!.protocol">
-                    <el-option value="all" label="all" />
-                    <el-option value="tcp" label="tcp" />
-                    <el-option value="udp" label="udp" />
-                    <el-option value="icmp" label="icmp" />
+                    <el-option value="all" label="ALL" />
+                    <el-option value="tcp" label="TCP" />
+                    <el-option value="udp" label="UDP" />
+                    <el-option value="icmp" label="ICMP" />
                 </el-select>
             </el-form-item>
 
-            <el-form-item :label="$t('firewall.sourceIP')" prop="sourceIP">
-                <el-input clearable v-model.trim="dialogData.rowData!.sourceIP" />
+            <el-form-item v-if="!isOutbound" :label="$t('firewall.sourceIP')" prop="sourceIP">
+                <el-input clearable v-model.trim="dialogData.rowData!.sourceIP" placeholder="0.0.0.0/0" />
                 <span class="input-help">{{ $t('firewall.sourceIPHelper') }}</span>
             </el-form-item>
 
-            <el-form-item :label="$t('firewall.sourcePort')" prop="sourcePort">
-                <el-input-number
-                    class="w-full"
-                    v-model="dialogData.rowData!.sourcePort"
-                    :min="0"
-                    :max="65535"
-                    controls-position="right"
-                />
-                <span class="input-help">{{ $t('firewall.portHelper') }}</span>
-            </el-form-item>
-
-            <el-form-item :label="$t('firewall.destIP')" prop="destIP">
-                <el-input clearable v-model.trim="dialogData.rowData!.destIP" />
+            <el-form-item v-if="!isInbound" :label="$t('firewall.destIP')" prop="destIP">
+                <el-input clearable v-model.trim="dialogData.rowData!.destIP" placeholder="0.0.0.0/0" />
                 <span class="input-help">{{ $t('firewall.destIPHelper') }}</span>
             </el-form-item>
 
@@ -45,6 +45,7 @@
                     :min="0"
                     :max="65535"
                     controls-position="right"
+                    :disabled="isProtocolAll"
                 />
                 <span class="input-help">{{ $t('firewall.portHelper') }}</span>
             </el-form-item>
@@ -52,8 +53,7 @@
             <el-form-item :label="$t('firewall.action')" prop="action">
                 <el-radio-group v-model="dialogData.rowData!.action">
                     <el-radio value="ACCEPT">{{ $t('firewall.accept') }}</el-radio>
-                    <el-radio value="DROP">阻止</el-radio>
-                    <el-radio value="REJECT">{{ $t('firewall.reject') }}</el-radio>
+                    <el-radio value="DROP">{{ $t('firewall.drop') }}</el-radio>
                 </el-radio-group>
             </el-form-item>
 
@@ -64,7 +64,7 @@
         <template #footer>
             <span class="dialog-footer">
                 <el-button @click="drawerVisible = false">{{ $t('commons.button.cancel') }}</el-button>
-                <el-button type="primary" @click="onSubmit(formRef)">
+                <el-button type="primary" @click="onSubmit(formRef)" :disabled="isDangerousRule">
                     {{ $t('commons.button.confirm') }}
                 </el-button>
             </span>
@@ -73,7 +73,7 @@
 </template>
 
 <script lang="ts" setup>
-import { reactive, ref } from 'vue';
+import { computed, reactive, ref, watch } from 'vue';
 import { Rules } from '@/global/form-rules';
 import i18n from '@/lang';
 import { ElForm } from 'element-plus';
@@ -94,9 +94,36 @@ const drawerVisible = ref(false);
 const dialogData = ref<DialogProps>({
     title: '',
 });
+const templateValue = ref<string>('');
+const ruleTemplates = [
+    { value: 'http', label: 'HTTP(80)', protocol: 'tcp', port: 80 },
+    { value: 'https', label: 'HTTPS(443)', protocol: 'tcp', port: 443 },
+    { value: 'mysql', label: 'MYSQL(3306)', protocol: 'tcp', port: 3306 },
+] as const;
+
+const isInbound = computed(() => dialogData.value.rowData?.chain === '1PANEL_INPUT');
+const isOutbound = computed(() => dialogData.value.rowData?.chain === '1PANEL_OUTPUT');
+
+const isDangerousRule = computed(() => {
+    const rowData = dialogData.value.rowData;
+    if (!rowData) return false;
+
+    // 当规则为拒绝、端口为0、且IP留空时认为是危险规则
+    if (rowData.action === 'DROP' && rowData.destPort === 0) {
+        const isSourceIPEmpty = !rowData.sourceIP || rowData.sourceIP.trim() === '';
+        const isDestIPEmpty = !rowData.destIP || rowData.destIP.trim() === '';
+
+        if ((isInbound.value && isSourceIPEmpty) || (isOutbound.value && isDestIPEmpty)) {
+            return true;
+        }
+    }
+    return false;
+});
+
 const acceptParams = (params: DialogProps): void => {
     dialogData.value = params;
     title.value = i18n.global.t('firewall.' + dialogData.value.title);
+    templateValue.value = detectTemplate(dialogData.value.rowData);
     drawerVisible.value = true;
 };
 const emit = defineEmits<{ (e: 'search'): void }>();
@@ -113,6 +140,56 @@ const rules = reactive({
     destIP: [{ validator: checkIPAddress, trigger: 'blur' }],
 });
 
+const isProtocolAll = computed(() => dialogData.value.rowData?.protocol === 'all');
+
+watch(
+    () => dialogData.value.rowData?.chain,
+    (chain) => {
+        const rowData = dialogData.value.rowData;
+        if (!rowData) return;
+        if (chain === '1PANEL_INPUT') {
+            rowData.destIP = '';
+        } else if (chain === '1PANEL_OUTPUT') {
+            rowData.sourceIP = '';
+        }
+    },
+    { immediate: true },
+);
+
+watch(
+    () => dialogData.value.rowData?.protocol,
+    (protocol) => {
+        if (protocol === 'all' && dialogData.value.rowData) {
+            dialogData.value.rowData.sourcePort = 0;
+            dialogData.value.rowData.destPort = 0;
+        }
+    },
+    { immediate: true },
+);
+
+watch(templateValue, (value) => {
+    const rowData = dialogData.value.rowData;
+    if (!rowData || !value) {
+        return;
+    }
+    const template = ruleTemplates.find((item) => item.value === value);
+    if (!template) return;
+    rowData.protocol = template.protocol;
+    rowData.destPort = template.port;
+});
+
+watch(
+    () => [dialogData.value.rowData?.protocol, dialogData.value.rowData?.destPort],
+    ([protocol, port]) => {
+        const matched = ruleTemplates.find((item) => item.protocol === protocol && item.port === Number(port));
+        const nextValue = matched?.value || '';
+        if (templateValue.value !== nextValue) {
+            templateValue.value = nextValue;
+        }
+    },
+    { immediate: true },
+);
+
 function checkIPAddress(_rule: any, value: any, callback: any) {
     if (!value) {
         return callback();
@@ -162,4 +239,12 @@ const onSubmit = async (formEl: FormInstance | undefined) => {
 defineExpose({
     acceptParams,
 });
+
+function detectTemplate(rowData?: Host.IptablesFilterRuleOperate) {
+    if (!rowData) return '';
+    const match = ruleTemplates.find(
+        (item) => item.protocol === rowData.protocol && item.port === Number(rowData.destPort),
+    );
+    return match?.value || '';
+}
 </script>

From f2300ac7b3889733981369c926ebbf4f763a4eea Mon Sep 17 00:00:00 2001
From: HynoR <20227709+HynoR@users.noreply.github.com>
Date: Fri, 31 Oct 2025 20:45:27 +0800
Subject: [PATCH 04/16] fix

---
 frontend/src/views/host/filter/index.vue | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/src/views/host/filter/index.vue b/frontend/src/views/host/filter/index.vue
index df46693b818c..9362eb667f7a 100644
--- a/frontend/src/views/host/filter/index.vue
+++ b/frontend/src/views/host/filter/index.vue
@@ -15,7 +15,7 @@
                 <LayoutContent :title="$t('firewall.filterRule')">
                     <template #leftToolBar>
                         <el-button type="primary" @click="onOpenDialog('create')" :disabled="!isCustomChain">
-                            {{ $t('commons.button.create') }}{{ $t('firewall.filterRule') }}
+                            {{ $t('firewall.create') }}
                         </el-button>
                         <el-button @click="onDelete(null)" plain :disabled="selects.length === 0 || !isCustomChain">
                             {{ $t('commons.button.delete') }}

From a8592da72edf0c2df247903921e9dab2667f856d Mon Sep 17 00:00:00 2001
From: HynoR <20227709+HynoR@users.noreply.github.com>
Date: Fri, 31 Oct 2025 20:52:11 +0800
Subject: [PATCH 05/16] fix: change-mode

---
 agent/server/server.go |  6 +++++-
 core/server/server.go  | 10 ++++++++--
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/agent/server/server.go b/agent/server/server.go
index 2bf3ed917ac2..660003633436 100644
--- a/agent/server/server.go
+++ b/agent/server/server.go
@@ -4,11 +4,12 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
-	"github.com/gin-gonic/gin"
 	"net"
 	"net/http"
 	"os"
 
+	"github.com/gin-gonic/gin"
+
 	"github.com/1Panel-dev/1Panel/agent/app/repo"
 	"github.com/1Panel-dev/1Panel/agent/constant"
 	"github.com/1Panel-dev/1Panel/agent/cron"
@@ -40,6 +41,9 @@ func Start() {
 	app.Init()
 	lang.Init()
 	validator.Init()
+	if os.Getenv("GIN_MODE") == "" {
+		gin.SetMode(gin.ReleaseMode)
+	}
 	cron.Run()
 	hook.Init()
 	InitOthers()
diff --git a/core/server/server.go b/core/server/server.go
index 2f691aaa5004..a37e906ba91d 100644
--- a/core/server/server.go
+++ b/core/server/server.go
@@ -4,13 +4,16 @@ import (
 	"crypto/tls"
 	"encoding/gob"
 	"fmt"
-	"github.com/1Panel-dev/1Panel/core/init/proxy"
-	"github.com/gin-gonic/gin"
 	"net"
 	"net/http"
 	"os"
 	"path"
 
+	"github.com/1Panel-dev/1Panel/core/init/proxy"
+	"github.com/gin-gonic/gin"
+
+	"github.com/1Panel-dev/1Panel/core/init/proxy"
+
 	"github.com/1Panel-dev/1Panel/core/init/db"
 	"github.com/1Panel-dev/1Panel/core/init/geo"
 	"github.com/1Panel-dev/1Panel/core/init/log"
@@ -40,6 +43,9 @@ func Start() {
 	gob.Register(psession.SessionUser{})
 	cron.Init()
 	session.Init()
+	if os.Getenv("GIN_MODE") == "" {
+		gin.SetMode(gin.ReleaseMode)
+	}
 	hook.Init()
 	InitOthers()
 

From 5ae2135f5f0f16f30b1c53db0723fa081d048e37 Mon Sep 17 00:00:00 2001
From: HynoR <20227709+HynoR@users.noreply.github.com>
Date: Sat, 1 Nov 2025 11:51:30 +0800
Subject: [PATCH 06/16] fix: v1

---
 agent/app/service/iptables_filter.go    | 91 ++++++++++++-------------
 agent/utils/firewall/client/iptables.go |  3 +
 2 files changed, 45 insertions(+), 49 deletions(-)

diff --git a/agent/app/service/iptables_filter.go b/agent/app/service/iptables_filter.go
index 6cfbe941a179..5dacce21fe43 100644
--- a/agent/app/service/iptables_filter.go
+++ b/agent/app/service/iptables_filter.go
@@ -35,16 +35,9 @@ func NewIIptablesFilterService() IIptablesFilterService {
 	}
 }
 
-const (
-	ChainInput        = "INPUT"
-	ChainOutput       = "OUTPUT"
-	Chain1PanelInput  = "1PANEL_INPUT"
-	Chain1PanelOutput = "1PANEL_OUTPUT"
-)
-
 func (s *IptablesFilterService) GetFilterRules(chains []string) ([]dto.IptablesChainInfo, error) {
 	if len(chains) == 0 {
-		chains = []string{ChainInput, ChainOutput, Chain1PanelInput, Chain1PanelOutput}
+		chains = []string{client.ChainInput, client.ChainOutput, client.Chain1PanelInput, client.Chain1PanelOutput}
 	}
 
 	// 获取 iptables 版本
@@ -62,7 +55,7 @@ func (s *IptablesFilterService) GetFilterRules(chains []string) ([]dto.IptablesC
 
 	// 从数据库读取规则描述
 	ctx := context.Background()
-	dbRules, _ := s.repo.List(ctx, []string{Chain1PanelInput, Chain1PanelOutput})
+	dbRules, _ := s.repo.List(ctx, []string{client.Chain1PanelInput, client.Chain1PanelOutput})
 	descMap := make(map[uint]string)
 	for _, rule := range dbRules {
 		descMap[rule.ID] = rule.Description
@@ -84,11 +77,11 @@ func (s *IptablesFilterService) GetFilterRules(chains []string) ([]dto.IptablesC
 		}
 
 		// 检查是否已应用（INPUT/OUTPUT 链包含跳转规则）
-		if chainName == ChainInput || chainName == ChainOutput {
+		if chainName == client.ChainInput || chainName == client.ChainOutput {
 			item := chain.FirstRule
-			targetChain := Chain1PanelInput
-			if chainName == ChainOutput {
-				targetChain = Chain1PanelOutput
+			targetChain := client.Chain1PanelInput
+			if chainName == client.ChainOutput {
+				targetChain = client.Chain1PanelOutput
 			}
 			for item != nil {
 				if item.P.Action == targetChain {
@@ -137,8 +130,8 @@ func (s *IptablesFilterService) GetFilterRules(chains []string) ([]dto.IptablesC
 }
 
 func (s *IptablesFilterService) AddRule(req dto.IptablesFilterRuleOperate) error {
-	if req.Chain != Chain1PanelInput && req.Chain != Chain1PanelOutput {
-		return fmt.Errorf("Only %s or %s chains are allowed", Chain1PanelInput, Chain1PanelOutput)
+	if req.Chain != client.Chain1PanelInput && req.Chain != client.Chain1PanelOutput {
+		return fmt.Errorf("Only %s or %s chains are allowed", client.Chain1PanelInput, client.Chain1PanelOutput)
 	}
 
 	// 安全检查：防止无条件 DROP/REJECT
@@ -248,34 +241,34 @@ func (s *IptablesFilterService) BatchOperate(req dto.IptablesFilterBatchOperate)
 
 func (s *IptablesFilterService) InitChains() error {
 	// 检查并创建 1PANEL_INPUT
-	exists, err := s.iptablesClient.ChainExists(client.FilterTab, Chain1PanelInput)
+	exists, err := s.iptablesClient.ChainExists(client.FilterTab, client.Chain1PanelInput)
 	if err != nil {
-		return fmt.Errorf("failed to check chain %s: %w", Chain1PanelInput, err)
+		return fmt.Errorf("failed to check chain %s: %w", client.Chain1PanelInput, err)
 	}
 
 	if !exists {
-		if err := s.iptablesClient.NewChain(client.FilterTab, Chain1PanelInput); err != nil {
-			return fmt.Errorf("failed to create chain %s: %w", Chain1PanelInput, err)
+		if err := s.iptablesClient.NewChain(client.FilterTab, client.Chain1PanelInput); err != nil {
+			return fmt.Errorf("failed to create chain %s: %w", client.Chain1PanelInput, err)
 		}
 	} else {
 		// 清空已存在的链
-		if err := s.iptablesClient.FlushChain(client.FilterTab, Chain1PanelInput); err != nil {
+		if err := s.iptablesClient.FlushChain(client.FilterTab, client.Chain1PanelInput); err != nil {
 			return err
 		}
 	}
 
 	// 检查并创建 1PANEL_OUTPUT
-	exists, err = s.iptablesClient.ChainExists(client.FilterTab, Chain1PanelOutput)
+	exists, err = s.iptablesClient.ChainExists(client.FilterTab, client.Chain1PanelOutput)
 	if err != nil {
-		return fmt.Errorf("failed to check chain %s: %w", Chain1PanelOutput, err)
+		return fmt.Errorf("failed to check chain %s: %w", client.Chain1PanelOutput, err)
 	}
 
 	if !exists {
-		if err := s.iptablesClient.NewChain(client.FilterTab, Chain1PanelOutput); err != nil {
-			return fmt.Errorf("failed to create chain %s: %w", Chain1PanelOutput, err)
+		if err := s.iptablesClient.NewChain(client.FilterTab, client.Chain1PanelOutput); err != nil {
+			return fmt.Errorf("failed to create chain %s: %w", client.Chain1PanelOutput, err)
 		}
 	} else {
-		if err := s.iptablesClient.FlushChain(client.FilterTab, Chain1PanelOutput); err != nil {
+		if err := s.iptablesClient.FlushChain(client.FilterTab, client.Chain1PanelOutput); err != nil {
 			return err
 		}
 	}
@@ -285,73 +278,73 @@ func (s *IptablesFilterService) InitChains() error {
 
 func (s *IptablesFilterService) ApplyFirewall() error {
 	// 安全检查
-	chains, err := s.iptablesClient.ReadFilter([]string{Chain1PanelInput, Chain1PanelOutput})
+	chains, err := s.iptablesClient.ReadFilter([]string{client.Chain1PanelInput, client.Chain1PanelOutput})
 	if err != nil {
 		return fmt.Errorf("failed to read filter chains: %w", err)
 	}
 
 	// 检查 1PANEL_INPUT 安全性
-	if inputChain, ok := chains[Chain1PanelInput]; ok {
+	if inputChain, ok := chains[client.Chain1PanelInput]; ok {
 		item := inputChain.FirstRule
 		for item != nil {
 			p := item.P
 			if (p.Action == "DROP" || p.Action == "REJECT") &&
 				p.Protocol == "" && p.SourceIP == "" && p.DestIP == "" &&
 				p.SrcPort == 0 && p.DstPort == 0 {
-				return fmt.Errorf("Chain %s includes unconditional %s rule, not allowed to apply", Chain1PanelInput, p.Action)
+				return fmt.Errorf("Chain %s includes unconditional %s rule, not allowed to apply", client.Chain1PanelInput, p.Action)
 			}
 			item = item.Next()
 		}
 	}
 
 	// 检查 1PANEL_OUTPUT 安全性
-	if outputChain, ok := chains[Chain1PanelOutput]; ok {
+	if outputChain, ok := chains[client.Chain1PanelOutput]; ok {
 		item := outputChain.FirstRule
 		for item != nil {
 			p := item.P
 			if (p.Action == "DROP" || p.Action == "REJECT") &&
 				p.Protocol == "" && p.SourceIP == "" && p.DestIP == "" &&
 				p.SrcPort == 0 && p.DstPort == 0 {
-				return fmt.Errorf("Chain %s includes unconditional %s rule, not allowed to apply", Chain1PanelOutput, p.Action)
+				return fmt.Errorf("Chain %s includes unconditional %s rule, not allowed to apply", client.Chain1PanelOutput, p.Action)
 			}
 			item = item.Next()
 		}
 	}
 
 	if err := s.iptablesClient.Setup1PanelFirewallChains("input"); err != nil {
-		return fmt.Errorf("failed to apply %s to %s: %w", Chain1PanelInput, ChainInput, err)
+		return fmt.Errorf("failed to apply %s to %s: %w", client.Chain1PanelInput, client.ChainInput, err)
 	}
-	global.LOG.Infof("Applied %s to %s chain", Chain1PanelInput, ChainInput)
+	global.LOG.Infof("Applied %s to %s chain", client.Chain1PanelInput, client.ChainInput)
 
 	if err := s.iptablesClient.Setup1PanelFirewallChains("output"); err != nil {
-		return fmt.Errorf("failed to apply %s to %s: %w", Chain1PanelInput, ChainInput, err)
+		return fmt.Errorf("failed to apply %s to %s: %w", client.Chain1PanelOutput, client.ChainOutput, err)
 	}
-	global.LOG.Infof("Applied %s to %s chain", Chain1PanelInput, ChainInput)
+	global.LOG.Infof("Applied %s to %s chain", client.Chain1PanelOutput, client.ChainOutput, err)
 
 	return nil
 }
 
 func (s *IptablesFilterService) UnloadFirewall() error {
 	// 从 INPUT 链删除跳转规则
-	ruleNum, err := s.iptablesClient.FindRuleNum(ChainInput, Chain1PanelInput)
+	ruleNum, err := s.iptablesClient.FindRuleNum(client.ChainInput, client.Chain1PanelInput)
 	if err == nil {
-		if err := s.iptablesClient.RemovePolicyByNum(ChainInput, ruleNum); err != nil {
-			return fmt.Errorf("failed to unload %s from %s: %w", Chain1PanelInput, ChainInput, err)
+		if err := s.iptablesClient.RemovePolicyByNum(client.ChainInput, ruleNum); err != nil {
+			return fmt.Errorf("failed to unload %s from %s: %w", client.Chain1PanelInput, client.ChainInput, err)
 		}
-		global.LOG.Infof("Unloaded %s from %s chain", Chain1PanelInput, ChainInput)
+		global.LOG.Infof("Unloaded %s from %s chain", client.Chain1PanelInput, client.ChainInput)
 	} else {
-		global.LOG.Warnf("%s not found in %s chain: %v", Chain1PanelInput, ChainInput, err)
+		global.LOG.Warnf("%s not found in %s chain: %v", client.Chain1PanelInput, client.ChainInput, err)
 	}
 
 	// 从 OUTPUT 链删除跳转规则
-	ruleNum, err = s.iptablesClient.FindRuleNum(ChainOutput, Chain1PanelOutput)
+	ruleNum, err = s.iptablesClient.FindRuleNum(client.ChainOutput, client.Chain1PanelOutput)
 	if err == nil {
-		if err := s.iptablesClient.RemovePolicyByNum(ChainOutput, ruleNum); err != nil {
-			return fmt.Errorf("failed to unload %s from %s: %w", Chain1PanelOutput, ChainOutput, err)
+		if err := s.iptablesClient.RemovePolicyByNum(client.ChainOutput, ruleNum); err != nil {
+			return fmt.Errorf("failed to unload %s from %s: %w", client.Chain1PanelOutput, client.ChainOutput, err)
 		}
-		global.LOG.Infof("Unloaded %s from %s chain", Chain1PanelOutput, ChainOutput)
+		global.LOG.Infof("Unloaded %s from %s chain", client.Chain1PanelOutput, client.ChainOutput)
 	} else {
-		global.LOG.Warnf("%s not found in %s chain: %v", Chain1PanelOutput, ChainOutput, err)
+		global.LOG.Warnf("%s not found in %s chain: %v", client.Chain1PanelOutput, client.ChainOutput, err)
 	}
 
 	return nil
@@ -359,16 +352,16 @@ func (s *IptablesFilterService) UnloadFirewall() error {
 
 func (s *IptablesFilterService) ReloadRules() error {
 	// 清空自定义链
-	if err := s.iptablesClient.FlushChain(client.FilterTab, Chain1PanelInput); err != nil {
-		return fmt.Errorf("failed to flush chain %s: %w", Chain1PanelInput, err)
+	if err := s.iptablesClient.FlushChain(client.FilterTab, client.Chain1PanelInput); err != nil {
+		return fmt.Errorf("failed to flush chain %s: %w", client.Chain1PanelInput, err)
 	}
-	if err := s.iptablesClient.FlushChain(client.FilterTab, Chain1PanelOutput); err != nil {
-		return fmt.Errorf("failed to flush chain %s: %w", Chain1PanelOutput, err)
+	if err := s.iptablesClient.FlushChain(client.FilterTab, client.Chain1PanelOutput); err != nil {
+		return fmt.Errorf("failed to flush chain %s: %w", client.Chain1PanelOutput, err)
 	}
 
 	// 从数据库读取规则
 	ctx := context.Background()
-	rules, err := s.repo.List(ctx, []string{Chain1PanelInput, Chain1PanelOutput})
+	rules, err := s.repo.List(ctx, []string{client.Chain1PanelInput, client.Chain1PanelOutput})
 	if err != nil {
 		return fmt.Errorf("failed to load rules from database: %w", err)
 	}
diff --git a/agent/utils/firewall/client/iptables.go b/agent/utils/firewall/client/iptables.go
index 9202770b7630..8272ce9b84ef 100644
--- a/agent/utils/firewall/client/iptables.go
+++ b/agent/utils/firewall/client/iptables.go
@@ -52,6 +52,7 @@ func NewIptables() (*Iptables, error) {
 func (iptables *Iptables) out(tab, rule string) (string, error) {
 	cmdMgr := cmd.NewCommandMgr(cmd.WithIgnoreExist1(), cmd.WithTimeout(20*time.Second))
 	stdout, err := cmdMgr.RunWithStdoutBashCf("%s iptables -t %s %s", iptables.CmdStr, tab, rule)
+	global.LOG.Infof("iptables -t %s %s || output: %s", tab, rule, stdout)
 	if err != nil {
 		global.LOG.Errorf("iptables failed, %v", err)
 	}
@@ -441,8 +442,10 @@ func (iptables *Iptables) DeletePolicy(chain string, policy IptablesPolicy) erro
 func (iptables *Iptables) CheckPolicyExists(chain string, policyStr string) bool {
 	err := iptables.run(FilterTab, fmt.Sprintf("-C %s %s", chain, policyStr))
 	if err != nil {
+		global.LOG.Info("Rule Not Exist", err)
 		return false
 	}
+	global.LOG.Info("Rule  Exist", chain, policyStr)
 	return true
 }
 

From 568c43ba5f28f9ab8af9e71dd4c4d359607383d3 Mon Sep 17 00:00:00 2001
From: HynoR <20227709+HynoR@users.noreply.github.com>
Date: Sat, 1 Nov 2025 13:08:55 +0800
Subject: [PATCH 07/16] fix: enhance iptables apply method

---
 agent/utils/firewall/client/iptables.go | 27 ++++++++++++++-----------
 1 file changed, 15 insertions(+), 12 deletions(-)

diff --git a/agent/utils/firewall/client/iptables.go b/agent/utils/firewall/client/iptables.go
index 8272ce9b84ef..29718c702d9f 100644
--- a/agent/utils/firewall/client/iptables.go
+++ b/agent/utils/firewall/client/iptables.go
@@ -52,7 +52,6 @@ func NewIptables() (*Iptables, error) {
 func (iptables *Iptables) out(tab, rule string) (string, error) {
 	cmdMgr := cmd.NewCommandMgr(cmd.WithIgnoreExist1(), cmd.WithTimeout(20*time.Second))
 	stdout, err := cmdMgr.RunWithStdoutBashCf("%s iptables -t %s %s", iptables.CmdStr, tab, rule)
-	global.LOG.Infof("iptables -t %s %s || output: %s", tab, rule, stdout)
 	if err != nil {
 		global.LOG.Errorf("iptables failed, %v", err)
 	}
@@ -440,37 +439,41 @@ func (iptables *Iptables) DeletePolicy(chain string, policy IptablesPolicy) erro
 
 // CheckPolicyExists 检查策略是否存在
 func (iptables *Iptables) CheckPolicyExists(chain string, policyStr string) bool {
-	err := iptables.run(FilterTab, fmt.Sprintf("-C %s %s", chain, policyStr))
+	line, err := iptables.FindRuleNum(chain, policyStr)
 	if err != nil {
-		global.LOG.Info("Rule Not Exist", err)
 		return false
 	}
-	global.LOG.Info("Rule  Exist", chain, policyStr)
-	return true
+	if line > 0 {
+		return true
+	}
+	return false
 }
 
 const (
-	establishedRule = "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
-	ioRuleIn        = "-i lo -j ACCEPT"
-	ioRuleOut       = "-o lo -j ACCEPT"
+	establishedRule        = "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment \"ESTABLISHED Whitelist\""
+	ioRuleIn               = "-i lo -j ACCEPT -m comment --comment \"Loopback Whitelist\""
+	ioRuleOut              = "-o lo -j ACCEPT -m comment --comment \"Loopback Whitelist\""
+	establishedRuleComment = "ESTABLISHED Whitelist"
+	ioRuleInComment        = "Loopback Whitelist"
+	ioRuleOutComment       = "Loopback Whitelist"
 )
 
 func (iptables *Iptables) setupEstablishedRules(direction string) {
 	if direction == "input" {
-		if !iptables.CheckPolicyExists("INPUT", ioRuleIn) {
+		if !iptables.CheckPolicyExists("INPUT", ioRuleInComment) {
 			iptables.run(FilterTab, fmt.Sprintf("-I INPUT 1 %s", ioRuleIn))
 		}
 
-		if !iptables.CheckPolicyExists("INPUT", establishedRule) {
+		if !iptables.CheckPolicyExists("INPUT", establishedRuleComment) {
 			iptables.run(FilterTab, fmt.Sprintf("-I INPUT 2 %s", establishedRule))
 		}
 	}
 
 	if direction == "output" {
-		if !iptables.CheckPolicyExists("OUTPUT", ioRuleOut) {
+		if !iptables.CheckPolicyExists("OUTPUT", ioRuleOutComment) {
 			iptables.run(FilterTab, fmt.Sprintf("-I OUTPUT 1 %s", ioRuleOut))
 		}
-		if !iptables.CheckPolicyExists("OUTPUT", establishedRule) {
+		if !iptables.CheckPolicyExists("OUTPUT", establishedRuleComment) {
 			iptables.run(FilterTab, fmt.Sprintf("-I OUTPUT 2 %s", establishedRule))
 		}
 	}

From 04259e22234df6173b938132ab6cb2d739689301 Mon Sep 17 00:00:00 2001
From: HynoR <20227709+HynoR@users.noreply.github.com>
Date: Sat, 1 Nov 2025 13:38:03 +0800
Subject: [PATCH 08/16] fix: enhance iptables rule handle logic

---
 agent/app/service/iptables_filter.go    | 239 +++++++++++++++++++++++-
 agent/utils/firewall/client/iptables.go |  34 ++--
 2 files changed, 253 insertions(+), 20 deletions(-)

diff --git a/agent/app/service/iptables_filter.go b/agent/app/service/iptables_filter.go
index 5dacce21fe43..79f93bbda27f 100644
--- a/agent/app/service/iptables_filter.go
+++ b/agent/app/service/iptables_filter.go
@@ -3,6 +3,9 @@ package service
 import (
 	"context"
 	"fmt"
+	"net"
+	"strings"
+	"sync"
 
 	"github.com/1Panel-dev/1Panel/agent/app/dto"
 	"github.com/1Panel-dev/1Panel/agent/app/model"
@@ -25,10 +28,15 @@ type IIptablesFilterService interface {
 type IptablesFilterService struct {
 	repo           repo.IIptablesFilterRuleRepo
 	iptablesClient *client.Iptables
+	mu             sync.Mutex
 }
 
 func NewIIptablesFilterService() IIptablesFilterService {
-	iptablesClient, _ := client.NewIptables()
+	iptablesClient, err := client.NewIptables()
+	if err != nil {
+		global.LOG.Errorf("failed to create iptables client: %v", err)
+		return nil
+	}
 	return &IptablesFilterService{
 		repo:           repo.NewIIptablesFilterRuleRepo(),
 		iptablesClient: iptablesClient,
@@ -129,7 +137,68 @@ func (s *IptablesFilterService) GetFilterRules(chains []string) ([]dto.IptablesC
 	return result, nil
 }
 
+func (s *IptablesFilterService) validateRuleInput(req *dto.IptablesFilterRuleOperate) error {
+	// 验证协议
+	if req.Protocol != "" {
+		validProtocols := map[string]bool{"tcp": true, "udp": true, "icmp": true, "all": true}
+		if !validProtocols[strings.ToLower(req.Protocol)] {
+			return fmt.Errorf("invalid protocol: %s, must be tcp, udp, icmp or all", req.Protocol)
+		}
+	}
+
+	// 验证源 IP
+	if req.SourceIP != "" {
+		if err := s.validateIPOrCIDR(req.SourceIP); err != nil {
+			return fmt.Errorf("invalid source IP: %w", err)
+		}
+	}
+
+	// 验证目标 IP
+	if req.DestIP != "" {
+		if err := s.validateIPOrCIDR(req.DestIP); err != nil {
+			return fmt.Errorf("invalid destination IP: %w", err)
+		}
+	}
+
+	// 验证端口范围（1-65535）
+	if req.SourcePort > 65535 {
+		return fmt.Errorf("invalid source port: %d, must be between 1 and 65535", req.SourcePort)
+	}
+	if req.DestPort > 65535 {
+		return fmt.Errorf("invalid destination port: %d, must be between 1 and 65535", req.DestPort)
+	}
+
+	// 端口必须配合协议使用
+	if (req.SourcePort > 0 || req.DestPort > 0) && req.Protocol == "" {
+		return fmt.Errorf("port specification requires protocol (tcp/udp)")
+	}
+
+	return nil
+}
+
+func (s *IptablesFilterService) validateIPOrCIDR(ipStr string) error {
+	// 检查是否为 CIDR 格式
+	if strings.Contains(ipStr, "/") {
+		_, _, err := net.ParseCIDR(ipStr)
+		if err != nil {
+			return fmt.Errorf("invalid CIDR format: %w", err)
+		}
+		return nil
+	}
+
+	// 检查是否为有效 IP 地址
+	ip := net.ParseIP(ipStr)
+	if ip == nil {
+		return fmt.Errorf("invalid IP address format")
+	}
+
+	return nil
+}
+
 func (s *IptablesFilterService) AddRule(req dto.IptablesFilterRuleOperate) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
 	if req.Chain != client.Chain1PanelInput && req.Chain != client.Chain1PanelOutput {
 		return fmt.Errorf("Only %s or %s chains are allowed", client.Chain1PanelInput, client.Chain1PanelOutput)
 	}
@@ -141,6 +210,11 @@ func (s *IptablesFilterService) AddRule(req dto.IptablesFilterRuleOperate) error
 		return fmt.Errorf("Iptables Rule Security Check: unconditional %s rules are not allowed, this may lock you out of the system", req.Action)
 	}
 
+	// 验证输入格式
+	if err := s.validateRuleInput(&req); err != nil {
+		return err
+	}
+
 	ctx := context.Background()
 
 	// 获取最大规则顺序
@@ -187,11 +261,13 @@ func (s *IptablesFilterService) AddRule(req dto.IptablesFilterRuleOperate) error
 	}
 
 	// 更新数据库 comment
-	rule.Comment = fmt.Sprintf("1Panel_FilterRule_%d", rule.ID)
 	return global.DB.Model(rule).Update("comment", rule.Comment).Error
 }
 
 func (s *IptablesFilterService) RemoveRule(id uint) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
 	ctx := context.Background()
 
 	// 从数据库查询规则
@@ -224,22 +300,164 @@ func (s *IptablesFilterService) RemoveRule(id uint) error {
 	return s.repo.Delete(ctx, id)
 }
 
+type operationRecord struct {
+	operation string
+	id        uint
+	rule      *model.IptablesFilterRule
+}
+
 func (s *IptablesFilterService) BatchOperate(req dto.IptablesFilterBatchOperate) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	// 记录成功的操作以便回滚
+	var executed []operationRecord
+
+	// 执行批量操作
 	for _, ruleReq := range req.Rules {
 		if ruleReq.Operation == "add" {
-			if err := s.AddRule(ruleReq); err != nil {
+			// 不再调用 AddRule，直接在这里执行（避免重复加锁）
+			if ruleReq.Chain != client.Chain1PanelInput && ruleReq.Chain != client.Chain1PanelOutput {
+				// 回滚已执行的操作
+				s.rollbackBatchOperations(executed)
+				return fmt.Errorf("Only %s or %s chains are allowed", client.Chain1PanelInput, client.Chain1PanelOutput)
+			}
+
+			// 安全检查
+			if (ruleReq.Action == "DROP" || ruleReq.Action == "REJECT") &&
+				ruleReq.Protocol == "" && ruleReq.SourceIP == "" && ruleReq.DestIP == "" &&
+				ruleReq.SourcePort == 0 && ruleReq.DestPort == 0 {
+				s.rollbackBatchOperations(executed)
+				return fmt.Errorf("Iptables Rule Security Check: unconditional %s rules are not allowed", ruleReq.Action)
+			}
+
+			// 验证输入格式
+			if err := s.validateRuleInput(&ruleReq); err != nil {
+				s.rollbackBatchOperations(executed)
 				return err
 			}
+
+			ctx := context.Background()
+			maxOrder, err := s.repo.GetMaxRuleOrder(ctx, ruleReq.Chain)
+			if err != nil {
+				s.rollbackBatchOperations(executed)
+				return fmt.Errorf("failed to get max rule order: %w", err)
+			}
+
+			rule := &model.IptablesFilterRule{
+				Chain:       ruleReq.Chain,
+				Protocol:    ruleReq.Protocol,
+				SourceIP:    ruleReq.SourceIP,
+				SourcePort:  ruleReq.SourcePort,
+				DestIP:      ruleReq.DestIP,
+				DestPort:    ruleReq.DestPort,
+				Action:      ruleReq.Action,
+				Description: ruleReq.Description,
+				RuleOrder:   maxOrder + 1,
+			}
+
+			if err := s.repo.Create(ctx, rule); err != nil {
+				s.rollbackBatchOperations(executed)
+				return fmt.Errorf("failed to save rule to database: %w", err)
+			}
+
+			rule.Comment = fmt.Sprintf("1Panel_FilterRule_%d", rule.ID)
+			policy := client.IptablesPolicy{
+				Protocol: ruleReq.Protocol,
+				SourceIP: ruleReq.SourceIP,
+				SrcPort:  ruleReq.SourcePort,
+				DestIP:   ruleReq.DestIP,
+				DstPort:  ruleReq.DestPort,
+				Action:   ruleReq.Action,
+				Comment:  rule.Comment,
+			}
+
+			if err := s.iptablesClient.AddPolicy(ruleReq.Chain, policy); err != nil {
+				_ = s.repo.Delete(ctx, rule.ID)
+				s.rollbackBatchOperations(executed)
+				return fmt.Errorf("failed to add iptables rule: %w", err)
+			}
+
+			if err := global.DB.Model(rule).Update("comment", rule.Comment).Error; err != nil {
+				_ = s.iptablesClient.RemovePolicyByComment(ruleReq.Chain, rule.Comment)
+				_ = s.repo.Delete(ctx, rule.ID)
+				s.rollbackBatchOperations(executed)
+				return fmt.Errorf("failed to update comment: %w", err)
+			}
+
+			executed = append(executed, operationRecord{operation: "add", id: rule.ID, rule: rule})
+
 		} else if ruleReq.Operation == "remove" {
-			if err := s.RemoveRule(ruleReq.ID); err != nil {
-				return err
+			ctx := context.Background()
+			rule, err := s.repo.GetByID(ctx, ruleReq.ID)
+			if err != nil {
+				s.rollbackBatchOperations(executed)
+				return fmt.Errorf("rule not found: %w", err)
 			}
+
+			if rule.Comment != "" {
+				if err := s.iptablesClient.RemovePolicyByComment(rule.Chain, rule.Comment); err != nil {
+					global.LOG.Warnf("failed to remove iptables rule by comment: %v, trying to delete by policy", err)
+					policy := client.IptablesPolicy{
+						Protocol: rule.Protocol,
+						SourceIP: rule.SourceIP,
+						SrcPort:  rule.SourcePort,
+						DestIP:   rule.DestIP,
+						DstPort:  rule.DestPort,
+						Action:   rule.Action,
+						Comment:  rule.Comment,
+					}
+					if err := s.iptablesClient.DeletePolicy(rule.Chain, policy); err != nil {
+						s.rollbackBatchOperations(executed)
+						return fmt.Errorf("failed to remove iptables rule: %w", err)
+					}
+				}
+			}
+
+			if err := s.repo.Delete(ctx, ruleReq.ID); err != nil {
+				s.rollbackBatchOperations(executed)
+				return fmt.Errorf("failed to delete rule from database: %w", err)
+			}
+
+			executed = append(executed, operationRecord{operation: "remove", id: ruleReq.ID, rule: &rule})
 		}
 	}
 	return nil
 }
 
+func (s *IptablesFilterService) rollbackBatchOperations(executed []operationRecord) {
+	ctx := context.Background()
+	for i := len(executed) - 1; i >= 0; i-- {
+		record := executed[i]
+		if record.operation == "add" {
+			// 回滚添加操作：删除规则
+			if record.rule.Comment != "" {
+				_ = s.iptablesClient.RemovePolicyByComment(record.rule.Chain, record.rule.Comment)
+			}
+			_ = s.repo.Delete(ctx, record.id)
+			global.LOG.Warnf("Rolled back add operation for rule %d", record.id)
+		} else if record.operation == "remove" {
+			// 回滚删除操作：重新添加规则
+			policy := client.IptablesPolicy{
+				Protocol: record.rule.Protocol,
+				SourceIP: record.rule.SourceIP,
+				SrcPort:  record.rule.SourcePort,
+				DestIP:   record.rule.DestIP,
+				DstPort:  record.rule.DestPort,
+				Action:   record.rule.Action,
+				Comment:  record.rule.Comment,
+			}
+			_ = s.iptablesClient.AddPolicy(record.rule.Chain, policy)
+			_ = s.repo.Create(ctx, record.rule)
+			global.LOG.Warnf("Rolled back remove operation for rule %d", record.id)
+		}
+	}
+}
+
 func (s *IptablesFilterService) InitChains() error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
 	// 检查并创建 1PANEL_INPUT
 	exists, err := s.iptablesClient.ChainExists(client.FilterTab, client.Chain1PanelInput)
 	if err != nil {
@@ -277,6 +495,9 @@ func (s *IptablesFilterService) InitChains() error {
 }
 
 func (s *IptablesFilterService) ApplyFirewall() error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
 	// 安全检查
 	chains, err := s.iptablesClient.ReadFilter([]string{client.Chain1PanelInput, client.Chain1PanelOutput})
 	if err != nil {
@@ -319,12 +540,15 @@ func (s *IptablesFilterService) ApplyFirewall() error {
 	if err := s.iptablesClient.Setup1PanelFirewallChains("output"); err != nil {
 		return fmt.Errorf("failed to apply %s to %s: %w", client.Chain1PanelOutput, client.ChainOutput, err)
 	}
-	global.LOG.Infof("Applied %s to %s chain", client.Chain1PanelOutput, client.ChainOutput, err)
+	global.LOG.Infof("Applied %s to %s chain", client.Chain1PanelOutput, client.ChainOutput)
 
 	return nil
 }
 
 func (s *IptablesFilterService) UnloadFirewall() error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
 	// 从 INPUT 链删除跳转规则
 	ruleNum, err := s.iptablesClient.FindRuleNum(client.ChainInput, client.Chain1PanelInput)
 	if err == nil {
@@ -351,6 +575,9 @@ func (s *IptablesFilterService) UnloadFirewall() error {
 }
 
 func (s *IptablesFilterService) ReloadRules() error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
 	// 清空自定义链
 	if err := s.iptablesClient.FlushChain(client.FilterTab, client.Chain1PanelInput); err != nil {
 		return fmt.Errorf("failed to flush chain %s: %w", client.Chain1PanelInput, err)
diff --git a/agent/utils/firewall/client/iptables.go b/agent/utils/firewall/client/iptables.go
index 29718c702d9f..80f512853487 100644
--- a/agent/utils/firewall/client/iptables.go
+++ b/agent/utils/firewall/client/iptables.go
@@ -53,7 +53,8 @@ func (iptables *Iptables) out(tab, rule string) (string, error) {
 	cmdMgr := cmd.NewCommandMgr(cmd.WithIgnoreExist1(), cmd.WithTimeout(20*time.Second))
 	stdout, err := cmdMgr.RunWithStdoutBashCf("%s iptables -t %s %s", iptables.CmdStr, tab, rule)
 	if err != nil {
-		global.LOG.Errorf("iptables failed, %v", err)
+		global.LOG.Errorf("iptables command failed [table=%s, rule=%s]: %v", tab, rule, err)
+		return stdout, err
 	}
 	return stdout, nil
 }
@@ -345,22 +346,27 @@ func (iptables *Iptables) ReadFilter(chainName []string) (map[string]IptablesCha
 func (iptables *Iptables) RemovePolicyByComment(chain, comment string) error {
 	stdout, err := iptables.out(FilterTab, fmt.Sprintf("-S %s", chain))
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to list rules in chain %s: %w", chain, err)
 	}
 
 	// 解析规则找到匹配 comment 的行
 	lines := strings.Split(stdout, "\n")
+	found := false
 	for _, line := range lines {
 		if strings.Contains(line, comment) && strings.HasPrefix(line, "-A") {
 			// 替换 -A 为 -D 执行删除
 			deleteRule := strings.Replace(line, "-A", "-D", 1)
 			if err := iptables.run(FilterTab, deleteRule); err != nil {
-				return err
+				return fmt.Errorf("failed to delete rule: %w", err)
 			}
-			return nil
+			found = true
+			break
 		}
 	}
-	return fmt.Errorf("rule with comment '%s' not found in chain %s", comment, chain)
+	if !found {
+		return fmt.Errorf("rule with comment '%s' not found in chain %s", comment, chain)
+	}
+	return nil
 }
 
 // RemovePolicyByNum 按规则编号删除
@@ -372,7 +378,7 @@ func (iptables *Iptables) RemovePolicyByNum(chain string, num int) error {
 func (iptables *Iptables) FindRuleNum(chain, matchStr string) (int, error) {
 	stdout, err := iptables.out(FilterTab, fmt.Sprintf("-L %s --line-numbers -n", chain))
 	if err != nil {
-		return 0, err
+		return 0, fmt.Errorf("failed to list rules in chain %s: %w", chain, err)
 	}
 
 	lines := strings.Split(stdout, "\n")
@@ -381,24 +387,24 @@ func (iptables *Iptables) FindRuleNum(chain, matchStr string) (int, error) {
 			// 提取行号（第一列）
 			fields := strings.Fields(line)
 			if len(fields) > 0 {
-				num, err := fmt.Sscanf(fields[0], "%d", new(int))
-				if err == nil && num == 1 {
-					var ruleNum int
-					fmt.Sscanf(fields[0], "%d", &ruleNum)
+				var ruleNum int
+				n, err := fmt.Sscanf(fields[0], "%d", &ruleNum)
+				if err == nil && n == 1 && ruleNum > 0 {
 					return ruleNum, nil
 				}
 			}
 		}
 	}
-	return 0, fmt.Errorf("rule not found in chain %s", chain)
+	return 0, fmt.Errorf("rule matching '%s' not found in chain %s", matchStr, chain)
 }
 
 // ChainExists 检查链是否存在
 func (iptables *Iptables) ChainExists(tab, chain string) (bool, error) {
 	// iptables -t filter -S | grep 'N 1PANEL'
-	stdout, err := iptables.out(tab, fmt.Sprintf("-S | grep 'N %s'", chain))
-	if err != nil {
-		return false, err
+	stdout, err := iptables.out(tab, fmt.Sprintf("-S | grep -w 'N %s'", chain))
+	// grep 未找到会返回错误，这是正常情况
+	if err != nil && strings.TrimSpace(stdout) == "" {
+		return false, nil
 	}
 	if strings.TrimSpace(stdout) == "" {
 		return false, nil

From de6ba78328353c788635677311ce6478174bc6e6 Mon Sep 17 00:00:00 2001
From: HynoR <20227709+HynoR@users.noreply.github.com>
Date: Tue, 4 Nov 2025 17:07:57 +0800
Subject: [PATCH 09/16] feat: merge iptables firewall

---
 agent/app/service/iptables_filter.go          |  27 ++
 agent/utils/firewall/client.go                |  11 +-
 agent/utils/firewall/client/iptables.go       |  73 ++-
 agent/utils/firewall/client/iptables_fw.go    | 447 ++++++++++++++++++
 frontend/src/lang/modules/en.ts               |   2 +
 frontend/src/lang/modules/zh.ts               |   2 +
 frontend/src/routers/modules/host.ts          |  12 +-
 .../host/{ => firewall}/filter/index.vue      |  40 +-
 .../{ => firewall}/filter/operate/index.vue   |   0
 frontend/src/views/host/firewall/index.vue    |   4 +
 .../src/views/host/firewall/status/index.vue  |  26 +-
 11 files changed, 616 insertions(+), 28 deletions(-)
 create mode 100644 agent/utils/firewall/client/iptables_fw.go
 rename frontend/src/views/host/{ => firewall}/filter/index.vue (91%)
 rename frontend/src/views/host/{ => firewall}/filter/operate/index.vue (100%)

diff --git a/agent/app/service/iptables_filter.go b/agent/app/service/iptables_filter.go
index 79f93bbda27f..4d809d46a1f3 100644
--- a/agent/app/service/iptables_filter.go
+++ b/agent/app/service/iptables_filter.go
@@ -491,6 +491,22 @@ func (s *IptablesFilterService) InitChains() error {
 		}
 	}
 
+	// 检查并创建 1PANEL_BASIC
+	exists, err = s.iptablesClient.ChainExists(client.FilterTab, client.Chain1PanelBasic)
+	if err != nil {
+		return fmt.Errorf("failed to check chain %s: %w", client.Chain1PanelBasic, err)
+	}
+
+	if !exists {
+		if err := s.iptablesClient.NewChain(client.FilterTab, client.Chain1PanelBasic); err != nil {
+			return fmt.Errorf("failed to create chain %s: %w", client.Chain1PanelBasic, err)
+		}
+	} else {
+		if err := s.iptablesClient.FlushChain(client.FilterTab, client.Chain1PanelBasic); err != nil {
+			return err
+		}
+	}
+
 	return nil
 }
 
@@ -560,6 +576,17 @@ func (s *IptablesFilterService) UnloadFirewall() error {
 		global.LOG.Warnf("%s not found in %s chain: %v", client.Chain1PanelInput, client.ChainInput, err)
 	}
 
+	// 从 INPUT 链删除 1PANEL_BASIC 跳转规则
+	ruleNum, err = s.iptablesClient.FindRuleNum(client.ChainInput, client.Chain1PanelBasic)
+	if err == nil {
+		if err := s.iptablesClient.RemovePolicyByNum(client.ChainInput, ruleNum); err != nil {
+			return fmt.Errorf("failed to unload %s from %s: %w", client.Chain1PanelBasic, client.ChainInput, err)
+		}
+		global.LOG.Infof("Unloaded %s from %s chain", client.Chain1PanelBasic, client.ChainInput)
+	} else {
+		global.LOG.Warnf("%s not found in %s chain: %v", client.Chain1PanelBasic, client.ChainInput, err)
+	}
+
 	// 从 OUTPUT 链删除跳转规则
 	ruleNum, err = s.iptablesClient.FindRuleNum(client.ChainOutput, client.Chain1PanelOutput)
 	if err == nil {
diff --git a/agent/utils/firewall/client.go b/agent/utils/firewall/client.go
index 447cd8697572..d7de20e6ddf3 100644
--- a/agent/utils/firewall/client.go
+++ b/agent/utils/firewall/client.go
@@ -31,15 +31,16 @@ func NewFirewallClient() (FirewallClient, error) {
 	firewalld := cmd.Which("firewalld")
 	ufw := cmd.Which("ufw")
 
-	if firewalld && ufw {
-		return nil, errors.New("It is detected that the system has both firewalld and ufw services. To avoid conflicts, please uninstall and try again!")
-	}
-
 	if firewalld {
 		return client.NewFirewalld()
 	}
 	if ufw {
 		return client.NewUfw()
 	}
-	return nil, errors.New("No system firewalld or ufw service detected, please check and try again!")
+
+	iptables := cmd.Which("iptables")
+	if iptables {
+		return client.NewIptablesFirewall()
+	}
+	return nil, errors.New("No system firewall service detected (firewalld/ufw/iptables), please check and try again!")
 }
diff --git a/agent/utils/firewall/client/iptables.go b/agent/utils/firewall/client/iptables.go
index 80f512853487..50bfcd34972a 100644
--- a/agent/utils/firewall/client/iptables.go
+++ b/agent/utils/firewall/client/iptables.go
@@ -19,6 +19,7 @@ const (
 	ChainOutput       = "OUTPUT"
 	Chain1PanelInput  = "1PANEL_INPUT"
 	Chain1PanelOutput = "1PANEL_OUTPUT"
+	Chain1PanelBasic  = "1PANEL_BASIC"
 )
 
 const (
@@ -412,6 +413,47 @@ func (iptables *Iptables) ChainExists(tab, chain string) (bool, error) {
 	return true, nil
 }
 
+// ensureChain creates a chain if it doesn't exist
+func (iptables *Iptables) ensureChain(tab, chain string) error {
+	exists, err := iptables.ChainExists(tab, chain)
+	if err != nil {
+		return fmt.Errorf("failed to check chain %s: %w", chain, err)
+	}
+	if !exists {
+		if err := iptables.NewChain(tab, chain); err != nil {
+			return fmt.Errorf("failed to create chain %s: %w", chain, err)
+		}
+	}
+	return nil
+}
+
+// ensureJumpRule adds a jump rule to targetChain at specified position if it doesn't exist
+func (iptables *Iptables) ensureJumpRule(chain, targetChain string, position int) error {
+	if !iptables.CheckPolicyExists(chain, fmt.Sprintf("-j %s", targetChain)) {
+		return iptables.run(FilterTab, fmt.Sprintf("-I %s %d -j %s", chain, position, targetChain))
+	}
+	return nil
+}
+
+// ensureChainWithJump creates a custom chain and adds jump rule from parent chain if not exists
+func (iptables *Iptables) ensureChainWithJump(tab, parentChain, customChain string) error {
+	// Ensure custom chain exists
+	exists, err := iptables.ChainExists(tab, customChain)
+	if err != nil {
+		return fmt.Errorf("failed to check chain %s: %w", customChain, err)
+	}
+	if !exists {
+		if err := iptables.NewChain(tab, customChain); err != nil {
+			return fmt.Errorf("failed to create chain %s: %w", customChain, err)
+		}
+		// Add jump rule from parent chain
+		if err := iptables.AppendChain(tab, parentChain, customChain); err != nil {
+			return fmt.Errorf("failed to append %s to %s: %w", customChain, parentChain, err)
+		}
+	}
+	return nil
+}
+
 // FlushChain 清空链（保留链结构）
 func (iptables *Iptables) FlushChain(tab, chain string) error {
 	return iptables.run(tab, fmt.Sprintf("-F %s", chain))
@@ -487,17 +529,32 @@ func (iptables *Iptables) setupEstablishedRules(direction string) {
 
 func (iptables *Iptables) Setup1PanelFirewallChains(direction string) error {
 	iptables.setupEstablishedRules(direction)
+
 	if direction == "input" {
-		if !iptables.CheckPolicyExists(ChainInput, fmt.Sprintf("-j %s", Chain1PanelInput)) {
-			if err := iptables.run(FilterTab, fmt.Sprintf("-I %s 3 -j %s", ChainInput, Chain1PanelInput)); err != nil {
-				return err
-			}
+		// Ensure custom chains exist
+		if err := iptables.ensureChain(FilterTab, Chain1PanelInput); err != nil {
+			return err
+		}
+		if err := iptables.ensureChain(FilterTab, Chain1PanelBasic); err != nil {
+			return err
+		}
+
+		// Add jump rules to INPUT chain
+		if err := iptables.ensureJumpRule(ChainInput, Chain1PanelInput, 3); err != nil {
+			return err
+		}
+		if err := iptables.ensureJumpRule(ChainInput, Chain1PanelBasic, 4); err != nil {
+			return err
 		}
 	} else if direction == "output" {
-		if !iptables.CheckPolicyExists(ChainOutput, fmt.Sprintf("-j %s", Chain1PanelOutput)) {
-			if err := iptables.run(FilterTab, fmt.Sprintf("-I %s 3 -j %s", ChainOutput, Chain1PanelOutput)); err != nil {
-				return err
-			}
+		// Ensure custom chain exists
+		if err := iptables.ensureChain(FilterTab, Chain1PanelOutput); err != nil {
+			return err
+		}
+
+		// Add jump rule to OUTPUT chain
+		if err := iptables.ensureJumpRule(ChainOutput, Chain1PanelOutput, 3); err != nil {
+			return err
 		}
 	}
 	return nil
diff --git a/agent/utils/firewall/client/iptables_fw.go b/agent/utils/firewall/client/iptables_fw.go
new file mode 100644
index 000000000000..2e3a46044327
--- /dev/null
+++ b/agent/utils/firewall/client/iptables_fw.go
@@ -0,0 +1,447 @@
+package client
+
+import (
+	"fmt"
+	"regexp"
+	"strconv"
+	"strings"
+
+	"github.com/1Panel-dev/1Panel/agent/buserr"
+	"github.com/1Panel-dev/1Panel/agent/global"
+	"github.com/1Panel-dev/1Panel/agent/utils/cmd"
+	"github.com/1Panel-dev/1Panel/agent/utils/controller"
+)
+
+var portRuleRegex = regexp.MustCompile(`-A\s+INPUT\s+-p\s+(\w+)(?:\s+-m\s+\w+)*\s+--dport\s+(\d+(?::\d+)?)\s+-j\s+(\w+)`)
+var addressRuleRegex = regexp.MustCompile(`-A\s+(INPUT|OUTPUT)\s+-s\s+(\S+)\s+-j\s+(\w+)`)
+
+// IptablesFirewall wraps Iptables to implement FirewallClient interface
+type IptablesFirewall struct {
+	iptables *Iptables
+}
+
+// NewIptablesFirewall creates a new IptablesFirewall instance
+func NewIptablesFirewall() (*IptablesFirewall, error) {
+	iptables, err := NewIptables()
+	if err != nil {
+		return nil, err
+	}
+	return &IptablesFirewall{
+		iptables: iptables,
+	}, nil
+}
+
+func (ifw *IptablesFirewall) Name() string {
+	return "iptables"
+}
+
+func (ifw *IptablesFirewall) Status() (bool, error) {
+	// Check if iptables has any rules (indicates it's running)
+	stdout, err := cmd.RunDefaultWithStdoutBashC("iptables -L -n | head -1")
+	if err != nil {
+		return false, err
+	}
+	// If we can list rules, iptables is functional
+	return strings.Contains(stdout, "Chain"), nil
+}
+
+func (ifw *IptablesFirewall) Start() error {
+	// Try different service names
+	services := []string{"iptables", "iptables-services"}
+	var lastErr error
+
+	for _, svc := range services {
+		if err := controller.HandleStart(svc); err == nil {
+			break
+		} else {
+			lastErr = err
+		}
+	}
+
+	// If systemd service doesn't work, try loading kernel modules
+	if err := cmd.RunDefaultBashC("modprobe ip_tables"); err != nil {
+		global.LOG.Warnf("failed to load ip_tables module: %v", err)
+	}
+
+	if lastErr != nil {
+		global.LOG.Warnf("iptables service management not available: %v", lastErr)
+	}
+
+	// Use unified chain setup method
+	if err := ifw.iptables.Setup1PanelFirewallChains("input"); err != nil {
+		return fmt.Errorf("failed to setup 1Panel firewall chains: %w", err)
+	}
+
+	global.LOG.Infof("1Panel firewall chains setup completed")
+	return nil
+}
+
+func (ifw *IptablesFirewall) Stop() error {
+	global.LOG.Info("Stopping 1Panel firewall - removing chains from INPUT")
+
+	// Remove jump rule from INPUT to 1PANEL_INPUT
+	err := ifw.iptables.run(FilterTab, fmt.Sprintf("-D INPUT -j %s", Chain1PanelInput))
+	if err != nil {
+		global.LOG.Warnf("failed to detach 1PANEL_INPUT from INPUT: %v", err)
+	}
+
+	// Remove jump rule from INPUT to 1PANEL_BASIC
+	err = ifw.iptables.run(FilterTab, fmt.Sprintf("-D INPUT -j %s", Chain1PanelBasic))
+	if err != nil {
+		global.LOG.Warnf("failed to detach 1PANEL_BASIC from INPUT: %v", err)
+	}
+
+	// Flush the 1PANEL_INPUT chain (clear all rules but keep chain)
+	err = ifw.iptables.run(FilterTab, fmt.Sprintf("-F %s", Chain1PanelInput))
+	if err != nil {
+		global.LOG.Warnf("failed to flush 1PANEL_INPUT chain: %v", err)
+	}
+
+	// Flush the 1PANEL_BASIC chain (clear all rules but keep chain)
+	err = ifw.iptables.run(FilterTab, fmt.Sprintf("-F %s", Chain1PanelBasic))
+	if err != nil {
+		global.LOG.Warnf("failed to flush 1PANEL_BASIC chain: %v", err)
+	}
+
+	// Keep chains (do not delete) so data can still be read from them
+	global.LOG.Info("1Panel firewall chains flushed and detached")
+
+	return nil
+}
+
+func (ifw *IptablesFirewall) Restart() error {
+	// Restart is disabled - frontend will remove this functionality
+	// No operation needed for iptables
+	global.LOG.Info("Restart is a no-op for iptables")
+	return nil
+}
+
+func (ifw *IptablesFirewall) Reload() error {
+	return ifw.iptables.Reload()
+}
+
+func (ifw *IptablesFirewall) Version() (string, error) {
+	return ifw.iptables.GetVersion()
+}
+
+func (ifw *IptablesFirewall) ListPort() ([]FireInfo, error) {
+	stdout, err := ifw.iptables.out(FilterTab, fmt.Sprintf("-S %s", Chain1PanelBasic))
+	if err != nil {
+		return nil, fmt.Errorf("failed to list 1PANEL_BASIC rules: %w", err)
+	}
+
+	var datas []FireInfo
+	lines := strings.Split(stdout, "\n")
+
+	// Updated regex to match 1PANEL_BASIC chain
+	chainPortRegex := regexp.MustCompile(fmt.Sprintf(`-A\s+%s\s+(?:-s\s+(\S+)\s+)?-p\s+(\w+)(?:\s+-m\s+\w+)*\s+--dport\s+(\d+(?::\d+)?)\s+-j\s+(\w+)`, Chain1PanelBasic))
+
+	for _, line := range lines {
+		line = strings.TrimSpace(line)
+		if !strings.HasPrefix(line, fmt.Sprintf("-A %s", Chain1PanelBasic)) {
+			continue
+		}
+
+		// Parse rules like: -A 1PANEL_BASIC -p tcp --dport 80 -j ACCEPT
+		if matches := chainPortRegex.FindStringSubmatch(line); len(matches) == 5 {
+			address := matches[1]
+			protocol := matches[2]
+			port := strings.ReplaceAll(matches[3], ":", "-")
+			action := strings.ToLower(matches[4])
+
+			strategy := "accept"
+			if action == "drop" || action == "reject" {
+				strategy = "drop"
+			}
+
+			datas = append(datas, FireInfo{
+				Address:  address,
+				Protocol: protocol,
+				Port:     port,
+				Strategy: strategy,
+				Family:   "ipv4",
+			})
+		}
+	}
+
+	return datas, nil
+}
+
+func (ifw *IptablesFirewall) ListForward() ([]FireInfo, error) {
+	natList, err := ifw.iptables.NatList(PreRoutingChain)
+	if err != nil {
+		return nil, fmt.Errorf("failed to list NAT rules: %w", err)
+	}
+
+	var datas []FireInfo
+	for _, nat := range natList {
+		datas = append(datas, FireInfo{
+			Num:        nat.Num,
+			Protocol:   nat.Protocol,
+			Port:       strings.TrimPrefix(nat.SrcPort, ":"),
+			TargetIP:   nat.Destination,
+			TargetPort: strings.TrimPrefix(nat.DestPort, ":"),
+			Interface:  nat.InIface,
+		})
+	}
+
+	return datas, nil
+}
+
+func (ifw *IptablesFirewall) ListAddress() ([]FireInfo, error) {
+	stdout, err := ifw.iptables.out(FilterTab, fmt.Sprintf("-S %s", Chain1PanelBasic))
+	if err != nil {
+		return nil, fmt.Errorf("failed to list 1PANEL_BASIC address rules: %w", err)
+	}
+
+	var datas []FireInfo
+	lines := strings.Split(stdout, "\n")
+	addressMap := make(map[string]FireInfo) // Deduplicate by address
+
+	// Updated regex to match both source and destination addresses in 1PANEL_BASIC chain
+	chainAddressRegex := regexp.MustCompile(fmt.Sprintf(`-A\s+%s\s+(?:-s\s+(\S+)|(?:-d\s+(\S+)))?\s+-j\s+(\w+)`, Chain1PanelBasic))
+
+	for _, line := range lines {
+		line = strings.TrimSpace(line)
+		if !strings.HasPrefix(line, fmt.Sprintf("-A %s", Chain1PanelBasic)) {
+			continue
+		}
+
+		// Parse rules like: -A 1PANEL_BASIC -s 192.168.1.1 -j DROP
+		if matches := chainAddressRegex.FindStringSubmatch(line); len(matches) >= 4 {
+			// matches[1] is source address (-s), matches[2] is dest address (-d), matches[3] is action
+			address := matches[1]
+			if address == "" {
+				address = matches[2]
+			}
+			if address == "" {
+				continue
+			}
+			action := strings.ToLower(matches[3])
+
+			strategy := "accept"
+			if action == "drop" || action == "reject" {
+				strategy = "drop"
+			}
+
+			// Use address as key to deduplicate
+			if _, exists := addressMap[address]; !exists {
+				addressMap[address] = FireInfo{
+					Address:  address,
+					Strategy: strategy,
+					Family:   "ipv4",
+				}
+			}
+		}
+	}
+
+	// Convert map to slice
+	for _, info := range addressMap {
+		datas = append(datas, info)
+	}
+
+	return datas, nil
+}
+
+func (ifw *IptablesFirewall) Port(port FireInfo, operation string) error {
+	if operation != "add" && operation != "remove" {
+		return buserr.New("ErrCmdIllegal")
+	}
+
+	// Validate port
+	portSpec, err := normalizePortSpec(port.Port)
+	if err != nil {
+		return err
+	}
+
+	protocol := port.Protocol
+	if protocol == "" {
+		protocol = "tcp"
+	}
+
+	action := "ACCEPT"
+	if port.Strategy == "drop" {
+		action = "DROP"
+	}
+
+	opFlag := "-A"
+	if operation == "remove" {
+		opFlag = "-D"
+	}
+
+	args := []string{fmt.Sprintf("%s %s", opFlag, Chain1PanelBasic), fmt.Sprintf("-p %s", protocol)}
+	if protocol == "tcp" || protocol == "udp" {
+		args = append(args, fmt.Sprintf("-m %s", protocol))
+	}
+	args = append(args, fmt.Sprintf("--dport %s", portSpec), fmt.Sprintf("-j %s", action))
+
+	return ifw.iptables.run(FilterTab, strings.Join(args, " "))
+}
+
+func (ifw *IptablesFirewall) RichRules(rule FireInfo, operation string) error {
+	if operation != "add" && operation != "remove" {
+		return buserr.New("ErrCmdIllegal")
+	}
+
+	address := strings.TrimSpace(rule.Address)
+	if strings.EqualFold(address, "Anywhere") {
+		address = ""
+	}
+
+	action := "ACCEPT"
+	if rule.Strategy == "drop" {
+		action = "DROP"
+	}
+
+	var ruleStr string
+	opFlag := "-A"
+	if operation == "remove" {
+		opFlag = "-D"
+	}
+
+	args := []string{fmt.Sprintf("%s %s", opFlag, Chain1PanelBasic)}
+	if address != "" {
+		args = append(args, fmt.Sprintf("-s %s", address))
+	}
+
+	protocol := strings.TrimSpace(rule.Protocol)
+	if rule.Port != "" && protocol == "" {
+		protocol = "tcp"
+	}
+
+	if protocol != "" {
+		args = append(args, fmt.Sprintf("-p %s", protocol))
+	}
+
+	if rule.Port != "" {
+		portSegment, err := normalizePortSpec(rule.Port)
+		if err != nil {
+			return err
+		}
+		if protocol == "" {
+			return fmt.Errorf("protocol is required when specifying a port")
+		}
+		if protocol == "tcp" || protocol == "udp" {
+			args = append(args, fmt.Sprintf("-m %s", protocol))
+		}
+		args = append(args, fmt.Sprintf("--dport %s", portSegment))
+	}
+
+	args = append(args, fmt.Sprintf("-j %s", action))
+	ruleStr = strings.Join(args, " ")
+	return ifw.iptables.run(FilterTab, ruleStr)
+}
+
+func (ifw *IptablesFirewall) PortForward(info Forward, operation string) error {
+	if operation != "add" && operation != "remove" {
+		return buserr.New("ErrCmdIllegal")
+	}
+
+	// Validate inputs
+	if info.Protocol == "" || info.Port == "" || info.TargetPort == "" {
+		return fmt.Errorf("protocol, port, and target port are required")
+	}
+
+	if operation == "add" {
+		// Use existing NatAdd method
+		return ifw.iptables.NatAdd(info.Protocol, info.Port, info.TargetIP, info.TargetPort, info.Interface, true)
+	} else {
+		// For remove, we need to find the rule number first
+		natList, err := ifw.iptables.NatList(PreRoutingChain)
+		if err != nil {
+			return fmt.Errorf("failed to list NAT rules: %w", err)
+		}
+
+		// Find matching rule
+		for _, nat := range natList {
+			if nat.Protocol == info.Protocol &&
+				strings.TrimPrefix(nat.SrcPort, ":") == info.Port &&
+				strings.TrimPrefix(nat.DestPort, ":") == info.TargetPort {
+
+				targetIP := info.TargetIP
+				if targetIP == "" {
+					targetIP = "127.0.0.1"
+				}
+
+				return ifw.iptables.NatRemove(nat.Num, info.Protocol, info.Port, targetIP, info.TargetPort, info.Interface)
+			}
+		}
+
+		return fmt.Errorf("forward rule not found")
+	}
+}
+
+func (ifw *IptablesFirewall) EnableForward() error {
+	// Enable IP forwarding
+	if err := cmd.RunDefaultBashC("echo 1 > /proc/sys/net/ipv4/ip_forward"); err != nil {
+		return fmt.Errorf("failed to enable IP forwarding: %w", err)
+	}
+
+	// Make it persistent (if sysctl.conf exists)
+	_ = cmd.RunDefaultBashC("grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf")
+	_ = cmd.RunDefaultBashC("sysctl -p")
+
+	// Setup NAT and Forward chains
+	if err := ifw.iptables.ensureChainWithJump(NatTab, "PREROUTING", PreRoutingChain); err != nil {
+		return err
+	}
+	if err := ifw.iptables.ensureChainWithJump(NatTab, "POSTROUTING", PostRoutingChain); err != nil {
+		return err
+	}
+	if err := ifw.iptables.ensureChainWithJump(FilterTab, "FORWARD", ForwardChain); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// Helper function to parse port number
+func parsePort(portStr string) (int, error) {
+	port, err := strconv.Atoi(portStr)
+	if err != nil {
+		return 0, fmt.Errorf("invalid port number: %s", portStr)
+	}
+	if port < 1 || port > 65535 {
+		return 0, fmt.Errorf("port out of range: %d", port)
+	}
+	return port, nil
+}
+
+func normalizePortSpec(port string) (string, error) {
+	value := strings.TrimSpace(port)
+	if value == "" {
+		return "", fmt.Errorf("port is required")
+	}
+
+	separator := ""
+	if strings.Contains(value, "-") {
+		separator = "-"
+	} else if strings.Contains(value, ":") {
+		separator = ":"
+	}
+
+	if separator != "" {
+		parts := strings.Split(value, separator)
+		if len(parts) != 2 {
+			return "", fmt.Errorf("invalid port range: %s", port)
+		}
+		start, err := parsePort(strings.TrimSpace(parts[0]))
+		if err != nil {
+			return "", err
+		}
+		end, err := parsePort(strings.TrimSpace(parts[1]))
+		if err != nil {
+			return "", err
+		}
+		if start > end {
+			return "", fmt.Errorf("invalid port range: %d-%d", start, end)
+		}
+		return fmt.Sprintf("%d:%d", start, end), nil
+	}
+
+	single, err := parsePort(value)
+	if err != nil {
+		return "", err
+	}
+	return fmt.Sprintf("%d", single), nil
+}
diff --git a/frontend/src/lang/modules/en.ts b/frontend/src/lang/modules/en.ts
index 8920d7802f67..551fe1b6149c 100644
--- a/frontend/src/lang/modules/en.ts
+++ b/frontend/src/lang/modules/en.ts
@@ -2846,6 +2846,8 @@ const message = {
     firewall: {
         create: 'Create rule',
         edit: 'Edit rule',
+        advancedControl: 'Advanced Control',
+        advancedControlNotAvailable: 'Currently using {0} firewall, advanced rules only support iptables',
         ccDeny: 'CC Protection',
         ipWhiteList: 'IP allowlist',
         ipBlockList: 'IP blocklist',
diff --git a/frontend/src/lang/modules/zh.ts b/frontend/src/lang/modules/zh.ts
index b2613704d29b..aa177fa1a74d 100644
--- a/frontend/src/lang/modules/zh.ts
+++ b/frontend/src/lang/modules/zh.ts
@@ -2642,6 +2642,8 @@ const message = {
     firewall: {
         create: '创建规则',
         edit: '编辑规则',
+        advancedControl: '高级控制',
+        advancedControlNotAvailable: '当前使用 {0} 防火墙，高级规则仅支持 iptables',
         ccDeny: 'CC 防护',
         ipWhiteList: 'IP 白名单',
         ipBlockList: 'IP 黑名单',
diff --git a/frontend/src/routers/modules/host.ts b/frontend/src/routers/modules/host.ts
index a86d8ef389b8..2ecd27623e69 100644
--- a/frontend/src/routers/modules/host.ts
+++ b/frontend/src/routers/modules/host.ts
@@ -81,12 +81,14 @@ const hostRouter = {
             },
         },
         {
-            path: '/hosts/filter',
-            name: 'Filter',
-            component: () => import('@/views/host/filter/index.vue'),
+            path: '/hosts/firewall/filter',
+            name: 'FirewallFilter',
+            component: () => import('@/views/host/firewall/filter/index.vue'),
+            hidden: true,
             meta: {
-                icon: 'p-filter-menu',
-                title: 'menu.filter',
+                activeMenu: '/hosts/firewall/port',
+                parent: 'menu.firewall',
+                title: 'firewall.advancedControl',
                 requiresAuth: false,
             },
         },
diff --git a/frontend/src/views/host/filter/index.vue b/frontend/src/views/host/firewall/filter/index.vue
similarity index 91%
rename from frontend/src/views/host/filter/index.vue
rename to frontend/src/views/host/firewall/filter/index.vue
index 9362eb667f7a..903fbf0d3054 100644
--- a/frontend/src/views/host/filter/index.vue
+++ b/frontend/src/views/host/firewall/filter/index.vue
@@ -1,6 +1,23 @@
 <template>
     <div>
-        <div v-loading="loading">
+        <FireRouter />
+
+        <div v-if="!isIptables">
+            <LayoutContent :divider="true">
+                <template #main>
+                    <div class="app-warn">
+                        <div class="flex flex-col gap-2 items-center justify-center w-full sm:flex-row">
+                            <span>{{ $t('firewall.advancedControlNotAvailable', [firewallName]) }}</span>
+                        </div>
+                        <div>
+                            <img src="@/assets/images/no_app.svg" />
+                        </div>
+                    </div>
+                </template>
+            </LayoutContent>
+        </div>
+
+        <div v-else v-loading="loading">
             <el-card>
                 <div class="flex w-full flex-col gap-4 md:flex-row">
                     <div class="flex flex-wrap gap-4 ml-3">
@@ -138,9 +155,10 @@
 </template>
 
 <script lang="ts" setup>
-import OperateDialog from '@/views/host/filter/operate/index.vue';
+import FireRouter from '@/views/host/firewall/index.vue';
+import OperateDialog from '@/views/host/firewall/filter/operate/index.vue';
 import { computed, onMounted, reactive, ref } from 'vue';
-import { getFilterRules, applyFilterFirewall, batchOperateFilterRule } from '@/api/modules/host';
+import { getFilterRules, applyFilterFirewall, batchOperateFilterRule, loadFireBaseInfo } from '@/api/modules/host';
 import { Host } from '@/api/interface/host';
 import i18n from '@/lang';
 import { MsgSuccess } from '@/utils/message';
@@ -150,6 +168,8 @@ const loading = ref();
 const selects = ref<any>([]);
 const selectedChain = ref('1PANEL_INPUT');
 const iptablesVersion = ref('');
+const firewallName = ref('');
+const isIptables = ref(true);
 
 const opRef = ref();
 
@@ -325,8 +345,18 @@ const buttons = [
     },
 ];
 
-onMounted(() => {
-    search();
+onMounted(async () => {
+    await loadFireBaseInfo()
+        .then((res) => {
+            firewallName.value = res.data.name;
+            isIptables.value = res.data.name === 'iptables';
+            if (isIptables.value) {
+                search();
+            }
+        })
+        .catch(() => {
+            isIptables.value = false;
+        });
 });
 </script>
 
diff --git a/frontend/src/views/host/filter/operate/index.vue b/frontend/src/views/host/firewall/filter/operate/index.vue
similarity index 100%
rename from frontend/src/views/host/filter/operate/index.vue
rename to frontend/src/views/host/firewall/filter/operate/index.vue
diff --git a/frontend/src/views/host/firewall/index.vue b/frontend/src/views/host/firewall/index.vue
index ec41d14bdb81..b94eb4b2d034 100644
--- a/frontend/src/views/host/firewall/index.vue
+++ b/frontend/src/views/host/firewall/index.vue
@@ -23,5 +23,9 @@ const buttons = [
         label: i18n.global.t('firewall.ipRule', 2),
         path: '/hosts/firewall/ip',
     },
+    {
+        label: i18n.global.t('firewall.advancedControl'),
+        path: '/hosts/firewall/filter',
+    },
 ];
 </script>
diff --git a/frontend/src/views/host/firewall/status/index.vue b/frontend/src/views/host/firewall/status/index.vue
index 253ff10537e6..f3c22c93fe5f 100644
--- a/frontend/src/views/host/firewall/status/index.vue
+++ b/frontend/src/views/host/firewall/status/index.vue
@@ -15,10 +15,12 @@
                         <el-button type="primary" v-if="!baseInfo.isActive" @click="onOperate('start')" link>
                             {{ $t('commons.button.start') }}
                         </el-button>
-                        <el-divider direction="vertical" />
-                        <el-button type="primary" @click="onOperate('restart')" link>
-                            {{ $t('commons.button.restart') }}
-                        </el-button>
+                        <template v-if="baseInfo.name !== 'iptables'">
+                            <el-divider direction="vertical" />
+                            <el-button type="primary" @click="onOperate('restart')" link>
+                                {{ $t('commons.button.restart') }}
+                            </el-button>
+                        </template>
                         <span v-if="onPing !== 'None'">
                             <el-divider direction="vertical" />
                             <el-button type="primary" link>{{ $t('firewall.noPing') }}</el-button>
@@ -94,7 +96,21 @@ const loadBaseInfo = async (search: boolean) => {
 
 const onOperate = async (op: string) => {
     operation.value = op;
-    dockerRef.value.acceptParams({ title: i18n.global.t('firewall.dockerRestart') });
+    // For iptables, skip docker restart warning and execute directly
+    if (baseInfo.value.name === 'iptables') {
+        emit('update:loading', true);
+        emit('update:maskShow', true);
+        await operateFire(operation.value, false)
+            .then(() => {
+                MsgSuccess(i18n.global.t('commons.msg.operationSuccess'));
+                loadBaseInfo(true);
+            })
+            .catch(() => {
+                loadBaseInfo(true);
+            });
+    } else {
+        dockerRef.value.acceptParams({ title: i18n.global.t('firewall.dockerRestart') });
+    }
 };
 
 const onSubmit = async () => {

From e8c0dbd34bc6a3d660584a10cc07ddd3d90a2f18 Mon Sep 17 00:00:00 2001
From: HynoR <20227709+HynoR@users.noreply.github.com>
Date: Wed, 5 Nov 2025 10:35:14 +0800
Subject: [PATCH 10/16] feat: add advanced controls for iptables management

---
 .../src/views/host/firewall/filter/index.vue  | 147 +++++++++---------
 .../src/views/host/firewall/status/index.vue  |  54 ++++++-
 2 files changed, 124 insertions(+), 77 deletions(-)

diff --git a/frontend/src/views/host/firewall/filter/index.vue b/frontend/src/views/host/firewall/filter/index.vue
index 903fbf0d3054..79b1297c3815 100644
--- a/frontend/src/views/host/firewall/filter/index.vue
+++ b/frontend/src/views/host/firewall/filter/index.vue
@@ -2,34 +2,54 @@
     <div>
         <FireRouter />
 
-        <div v-if="!isIptables">
-            <LayoutContent :divider="true">
-                <template #main>
-                    <div class="app-warn">
-                        <div class="flex flex-col gap-2 items-center justify-center w-full sm:flex-row">
-                            <span>{{ $t('firewall.advancedControlNotAvailable', [firewallName]) }}</span>
+        <div v-loading="loading">
+            <FireStatus
+                ref="fireStatusRef"
+                @search="search"
+                @advanced-operate="onApplyFirewall"
+                v-model:loading="loading"
+                v-model:mask-show="maskShow"
+                v-model:is-active="isActive"
+                v-model:name="fireName"
+                :show-advanced-controls="true"
+                :can-apply="canApply"
+                :is-applied="isApplied"
+            />
+            <div v-if="fireName === '-'">
+                <LayoutContent :divider="true">
+                    <template #main>
+                        <div class="app-warn">
+                            <div class="flex flex-col gap-2 items-center justify-center w-full sm:flex-row">
+                                <span>{{ $t('firewall.advancedControlNotAvailable', [firewallName]) }}</span>
+                            </div>
+                            <div>
+                                <img src="@/assets/images/no_app.svg" />
+                            </div>
                         </div>
-                        <div>
-                            <img src="@/assets/images/no_app.svg" />
+                    </template>
+                </LayoutContent>
+            </div>
+
+            <div v-else-if="!isIptablesComputed">
+                <LayoutContent :divider="true">
+                    <template #main>
+                        <div class="app-warn">
+                            <div class="flex flex-col gap-2 items-center justify-center w-full sm:flex-row">
+                                <span>{{ $t('firewall.advancedControlNotAvailable', [fireName]) }}</span>
+                            </div>
+                            <div>
+                                <img src="@/assets/images/no_app.svg" />
+                            </div>
                         </div>
-                    </div>
-                </template>
-            </LayoutContent>
-        </div>
+                    </template>
+                </LayoutContent>
+            </div>
 
-        <div v-else v-loading="loading">
-            <el-card>
-                <div class="flex w-full flex-col gap-4 md:flex-row">
-                    <div class="flex flex-wrap gap-4 ml-3">
-                        <el-tag effect="dark" type="success">{{ 'iptables v' + iptablesVersion }}</el-tag>
-                        <el-tag :type="inputChainInfo?.isApplied ? 'success' : 'info'" size="small">
-                            {{ inputChainInfo?.isApplied ? $t('firewall.applied') : $t('firewall.notApplied') }}
-                        </el-tag>
-                    </div>
-                </div>
-            </el-card>
-            <div>
-                <LayoutContent :title="$t('firewall.filterRule')">
+            <div v-else>
+                <el-card v-if="!isActive && maskShow" class="mask-prompt">
+                    <span>{{ $t('firewall.firewallNotStart') }}</span>
+                </el-card>
+                <LayoutContent :title="$t('firewall.filterRule')" :class="{ mask: !isActive }">
                     <template #leftToolBar>
                         <el-button type="primary" @click="onOpenDialog('create')" :disabled="!isCustomChain">
                             {{ $t('firewall.create') }}
@@ -37,15 +57,6 @@
                         <el-button @click="onDelete(null)" plain :disabled="selects.length === 0 || !isCustomChain">
                             {{ $t('commons.button.delete') }}
                         </el-button>
-                        <el-button @click="onInitChains" plain>
-                            {{ $t('firewall.initChains') }}
-                        </el-button>
-                        <el-button @click="onApplyFirewall('apply')" plain type="success" :disabled="!canApply">
-                            {{ $t('firewall.applyFirewall') }}
-                        </el-button>
-                        <el-button @click="onApplyFirewall('unload')" plain type="warning" :disabled="!isApplied">
-                            {{ $t('firewall.unloadFirewall') }}
-                        </el-button>
                     </template>
 
                     <template #rightToolBar>
@@ -156,9 +167,10 @@
 
 <script lang="ts" setup>
 import FireRouter from '@/views/host/firewall/index.vue';
+import FireStatus from '@/views/host/firewall/status/index.vue';
 import OperateDialog from '@/views/host/firewall/filter/operate/index.vue';
 import { computed, onMounted, reactive, ref } from 'vue';
-import { getFilterRules, applyFilterFirewall, batchOperateFilterRule, loadFireBaseInfo } from '@/api/modules/host';
+import { getFilterRules, applyFilterFirewall, batchOperateFilterRule } from '@/api/modules/host';
 import { Host } from '@/api/interface/host';
 import i18n from '@/lang';
 import { MsgSuccess } from '@/utils/message';
@@ -169,7 +181,11 @@ const selects = ref<any>([]);
 const selectedChain = ref('1PANEL_INPUT');
 const iptablesVersion = ref('');
 const firewallName = ref('');
-const isIptables = ref(true);
+
+const maskShow = ref(true);
+const isActive = ref(false);
+const fireName = ref();
+const fireStatusRef = ref();
 
 const opRef = ref();
 
@@ -189,6 +205,7 @@ const formatPort = (port?: number | null | string) => {
     return port;
 };
 
+const isIptablesComputed = computed(() => fireName.value === 'iptables');
 const inputChainInfo = computed(() => chainInfoMap.value.get('INPUT'));
 const outputChainInfo = computed(() => chainInfoMap.value.get('OUTPUT'));
 
@@ -216,6 +233,12 @@ const paginationConfig = reactive({
 });
 
 const search = async () => {
+    if (!isActive.value) {
+        loading.value = false;
+        chainInfoMap.value.clear();
+        paginationConfig.total = 0;
+        return;
+    }
     const params: Host.IptablesFilterRuleSearch = {
         chains: ['INPUT', 'OUTPUT', '1PANEL_INPUT', '1PANEL_OUTPUT'],
     };
@@ -254,29 +277,20 @@ const onOpenDialog = async (title: string, rowData?: Host.IptablesFilterRuleOper
     dialogRef.value!.acceptParams(params);
 };
 
-const onInitChains = async () => {
-    ElMessageBox.confirm(i18n.global.t('firewall.initChainsConfirm'), i18n.global.t('firewall.initChains'), {
-        confirmButtonText: i18n.global.t('commons.button.confirm'),
-        cancelButtonText: i18n.global.t('commons.button.cancel'),
-    }).then(async () => {
-        loading.value = true;
-        await applyFilterFirewall({ operation: 'init' })
-            .then(() => {
-                loading.value = false;
-                MsgSuccess(i18n.global.t('commons.msg.operationSuccess'));
-                search();
-            })
-            .catch(() => {
-                loading.value = false;
-            });
-    });
-};
-
 const onApplyFirewall = async (operation: string) => {
-    const confirmMsg =
-        operation === 'apply' ? i18n.global.t('firewall.applyConfirm') : i18n.global.t('firewall.unloadConfirm');
-    const title =
-        operation === 'apply' ? i18n.global.t('firewall.applyFirewall') : i18n.global.t('firewall.unloadFirewall');
+    let confirmMsg = '';
+    let title = '';
+
+    if (operation === 'init') {
+        confirmMsg = i18n.global.t('firewall.initChainsConfirm');
+        title = i18n.global.t('firewall.initChains');
+    } else if (operation === 'apply') {
+        confirmMsg = i18n.global.t('firewall.applyConfirm');
+        title = i18n.global.t('firewall.applyFirewall');
+    } else {
+        confirmMsg = i18n.global.t('firewall.unloadConfirm');
+        title = i18n.global.t('firewall.unloadFirewall');
+    }
 
     ElMessageBox.confirm(confirmMsg, title, {
         confirmButtonText: i18n.global.t('commons.button.confirm'),
@@ -345,18 +359,11 @@ const buttons = [
     },
 ];
 
-onMounted(async () => {
-    await loadFireBaseInfo()
-        .then((res) => {
-            firewallName.value = res.data.name;
-            isIptables.value = res.data.name === 'iptables';
-            if (isIptables.value) {
-                search();
-            }
-        })
-        .catch(() => {
-            isIptables.value = false;
-        });
+onMounted(() => {
+    if (fireName.value !== '-') {
+        loading.value = true;
+        fireStatusRef.value.acceptParams();
+    }
 });
 </script>
 
diff --git a/frontend/src/views/host/firewall/status/index.vue b/frontend/src/views/host/firewall/status/index.vue
index f3c22c93fe5f..54ece0659362 100644
--- a/frontend/src/views/host/firewall/status/index.vue
+++ b/frontend/src/views/host/firewall/status/index.vue
@@ -9,18 +9,32 @@
                         <el-tag>{{ $t('app.version') }}: {{ baseInfo.version }}</el-tag>
                     </div>
                     <div class="mt-0.5">
-                        <el-button type="primary" v-if="baseInfo.isActive" @click="onOperate('stop')" link>
-                            {{ $t('commons.button.stop') }}
-                        </el-button>
-                        <el-button type="primary" v-if="!baseInfo.isActive" @click="onOperate('start')" link>
-                            {{ $t('commons.button.start') }}
-                        </el-button>
                         <template v-if="baseInfo.name !== 'iptables'">
+                            <el-button type="primary" v-if="baseInfo.isActive" @click="onOperate('stop')" link>
+                                {{ $t('commons.button.stop') }}
+                            </el-button>
+                            <el-button type="primary" v-if="!baseInfo.isActive" @click="onOperate('start')" link>
+                                {{ $t('commons.button.start') }}
+                            </el-button>
                             <el-divider direction="vertical" />
                             <el-button type="primary" @click="onOperate('restart')" link>
                                 {{ $t('commons.button.restart') }}
                             </el-button>
                         </template>
+                        <template v-if="baseInfo.name === 'iptables' && showAdvancedControls">
+                            <el-divider direction="vertical" />
+                            <el-button type="primary" @click="onAdvancedOperate('init')" link>
+                                {{ $t('firewall.initChains') }}
+                            </el-button>
+                            <el-divider direction="vertical" />
+                            <el-button type="success" @click="onAdvancedOperate('apply')" link :disabled="!canApply">
+                                {{ $t('firewall.applyFirewall') }}
+                            </el-button>
+                            <el-divider direction="vertical" />
+                            <el-button type="warning" @click="onAdvancedOperate('unload')" link :disabled="!isApplied">
+                                {{ $t('firewall.unloadFirewall') }}
+                            </el-button>
+                        </template>
                         <span v-if="onPing !== 'None'">
                             <el-divider direction="vertical" />
                             <el-button type="primary" link>{{ $t('firewall.noPing') }}</el-button>
@@ -61,6 +75,21 @@ import { MsgSuccess } from '@/utils/message';
 import { ElMessageBox } from 'element-plus';
 import { ref } from 'vue';
 
+defineProps({
+    showAdvancedControls: {
+        type: Boolean,
+        default: false,
+    },
+    canApply: {
+        type: Boolean,
+        default: false,
+    },
+    isApplied: {
+        type: Boolean,
+        default: false,
+    },
+});
+
 const baseInfo = ref<Host.FirewallBase>({ isActive: false, isExist: true, name: '', version: '', pingStatus: '' });
 const onPing = ref('Disable');
 const oldStatus = ref();
@@ -71,7 +100,14 @@ const withDockerRestart = ref(false);
 const acceptParams = (): void => {
     loadBaseInfo(true);
 };
-const emit = defineEmits(['search', 'update:is-active', 'update:loading', 'update:maskShow', 'update:name']);
+const emit = defineEmits([
+    'search',
+    'update:is-active',
+    'update:loading',
+    'update:maskShow',
+    'update:name',
+    'advanced-operate',
+]);
 
 const loadBaseInfo = async (search: boolean) => {
     await loadFireBaseInfo()
@@ -153,6 +189,10 @@ const onPingOperate = async (operation: string) => {
         });
 };
 
+const onAdvancedOperate = (operation: string) => {
+    emit('advanced-operate', operation);
+};
+
 defineExpose({
     acceptParams,
 });

From 402672d0c6df57a37f859db8ef0e6890177ba443 Mon Sep 17 00:00:00 2001
From: HynoR <20227709+HynoR@users.noreply.github.com>
Date: Wed, 5 Nov 2025 10:40:23 +0800
Subject: [PATCH 11/16] fix: remove unnecessary condition for iptables advanced
 controls display

---
 frontend/src/views/host/firewall/status/index.vue | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/src/views/host/firewall/status/index.vue b/frontend/src/views/host/firewall/status/index.vue
index 54ece0659362..f0062a94214c 100644
--- a/frontend/src/views/host/firewall/status/index.vue
+++ b/frontend/src/views/host/firewall/status/index.vue
@@ -21,7 +21,7 @@
                                 {{ $t('commons.button.restart') }}
                             </el-button>
                         </template>
-                        <template v-if="baseInfo.name === 'iptables' && showAdvancedControls">
+                        <template v-if="baseInfo.name === 'iptables'">
                             <el-divider direction="vertical" />
                             <el-button type="primary" @click="onAdvancedOperate('init')" link>
                                 {{ $t('firewall.initChains') }}

From a3e0c8e2936d3dc4df2568c601b56593c989046c Mon Sep 17 00:00:00 2001
From: HynoR <20227709+HynoR@users.noreply.github.com>
Date: Wed, 5 Nov 2025 10:44:34 +0800
Subject: [PATCH 12/16] fix: update firewall status display logic and improve
 button states

---
 frontend/src/lang/modules/zh.ts                 |  2 +-
 .../src/views/host/firewall/status/index.vue    | 17 ++++++++++++++---
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/frontend/src/lang/modules/zh.ts b/frontend/src/lang/modules/zh.ts
index aa177fa1a74d..dff67ae3ff19 100644
--- a/frontend/src/lang/modules/zh.ts
+++ b/frontend/src/lang/modules/zh.ts
@@ -2725,7 +2725,7 @@ const message = {
         notApplied: '未应用',
         initChains: '初始化链',
         applyFirewall: '应用防火墙',
-        unloadFirewall: '卸载防火墙',
+        unloadFirewall: '禁用防火墙',
         sourceIPHelper: 'CIDR 格式，如 192.168.1.0/24，留空表所有地址',
         destIPHelper: 'CIDR 格式，如 10.0.0.0/留空表所有地址',
         portHelper: '0 表示任意端口',
diff --git a/frontend/src/views/host/firewall/status/index.vue b/frontend/src/views/host/firewall/status/index.vue
index f0062a94214c..0292396481e0 100644
--- a/frontend/src/views/host/firewall/status/index.vue
+++ b/frontend/src/views/host/firewall/status/index.vue
@@ -5,7 +5,18 @@
                 <div class="flex w-full flex-col gap-4 md:flex-row">
                     <div class="flex flex-wrap gap-4 ml-3">
                         <el-tag effect="dark" type="success">{{ baseInfo.name }}</el-tag>
-                        <Status class="mt-0.5" :status="baseInfo.isActive ? 'enable' : 'disable'" />
+                        <Status
+                            class="mt-0.5"
+                            :status="
+                                baseInfo.name === 'iptables'
+                                    ? isApplied
+                                        ? 'enable'
+                                        : 'disable'
+                                    : baseInfo.isActive
+                                    ? 'enable'
+                                    : 'disable'
+                            "
+                        />
                         <el-tag>{{ $t('app.version') }}: {{ baseInfo.version }}</el-tag>
                     </div>
                     <div class="mt-0.5">
@@ -23,11 +34,11 @@
                         </template>
                         <template v-if="baseInfo.name === 'iptables'">
                             <el-divider direction="vertical" />
-                            <el-button type="primary" @click="onAdvancedOperate('init')" link>
+                            <el-button type="primary" @click="onAdvancedOperate('init')" link :disabled="isApplied">
                                 {{ $t('firewall.initChains') }}
                             </el-button>
                             <el-divider direction="vertical" />
-                            <el-button type="success" @click="onAdvancedOperate('apply')" link :disabled="!canApply">
+                            <el-button type="success" @click="onAdvancedOperate('apply')" link :disabled="isApplied">
                                 {{ $t('firewall.applyFirewall') }}
                             </el-button>
                             <el-divider direction="vertical" />

From 0575bcdf02c505d3794ac241c0362663cee7c227 Mon Sep 17 00:00:00 2001
From: HynoR <20227709+HynoR@users.noreply.github.com>
Date: Wed, 5 Nov 2025 10:51:15 +0800
Subject: [PATCH 13/16] refactor: simplify advanced operation handling and
 improve iptables chain info loading

---
 .../src/views/host/firewall/filter/index.vue  | 51 +----------
 .../src/views/host/firewall/status/index.vue  | 89 ++++++++++++++-----
 2 files changed, 69 insertions(+), 71 deletions(-)

diff --git a/frontend/src/views/host/firewall/filter/index.vue b/frontend/src/views/host/firewall/filter/index.vue
index 79b1297c3815..815df76dbb8c 100644
--- a/frontend/src/views/host/firewall/filter/index.vue
+++ b/frontend/src/views/host/firewall/filter/index.vue
@@ -6,14 +6,11 @@
             <FireStatus
                 ref="fireStatusRef"
                 @search="search"
-                @advanced-operate="onApplyFirewall"
                 v-model:loading="loading"
                 v-model:mask-show="maskShow"
                 v-model:is-active="isActive"
                 v-model:name="fireName"
                 :show-advanced-controls="true"
-                :can-apply="canApply"
-                :is-applied="isApplied"
             />
             <div v-if="fireName === '-'">
                 <LayoutContent :divider="true">
@@ -170,11 +167,9 @@ import FireRouter from '@/views/host/firewall/index.vue';
 import FireStatus from '@/views/host/firewall/status/index.vue';
 import OperateDialog from '@/views/host/firewall/filter/operate/index.vue';
 import { computed, onMounted, reactive, ref } from 'vue';
-import { getFilterRules, applyFilterFirewall, batchOperateFilterRule } from '@/api/modules/host';
+import { getFilterRules, batchOperateFilterRule } from '@/api/modules/host';
 import { Host } from '@/api/interface/host';
 import i18n from '@/lang';
-import { MsgSuccess } from '@/utils/message';
-import { ElMessageBox } from 'element-plus';
 
 const loading = ref();
 const selects = ref<any>([]);
@@ -213,18 +208,6 @@ const isCustomChain = computed(() => {
     return selectedChain.value === '1PANEL_INPUT' || selectedChain.value === '1PANEL_OUTPUT';
 });
 
-const canApply = computed(() => {
-    const inputInfo = chainInfoMap.value.get('1PANEL_INPUT');
-    const outputInfo = chainInfoMap.value.get('1PANEL_OUTPUT');
-    return (inputInfo && !inputInfo.isApplied) || (outputInfo && !outputInfo.isApplied);
-});
-
-const isApplied = computed(() => {
-    const inputInfo = chainInfoMap.value.get('INPUT');
-    const outputInfo = chainInfoMap.value.get('OUTPUT');
-    return inputInfo?.isApplied || outputInfo?.isApplied;
-});
-
 const paginationConfig = reactive({
     cacheSizeKey: 'firewall-filter-page-size',
     currentPage: 1,
@@ -277,38 +260,6 @@ const onOpenDialog = async (title: string, rowData?: Host.IptablesFilterRuleOper
     dialogRef.value!.acceptParams(params);
 };
 
-const onApplyFirewall = async (operation: string) => {
-    let confirmMsg = '';
-    let title = '';
-
-    if (operation === 'init') {
-        confirmMsg = i18n.global.t('firewall.initChainsConfirm');
-        title = i18n.global.t('firewall.initChains');
-    } else if (operation === 'apply') {
-        confirmMsg = i18n.global.t('firewall.applyConfirm');
-        title = i18n.global.t('firewall.applyFirewall');
-    } else {
-        confirmMsg = i18n.global.t('firewall.unloadConfirm');
-        title = i18n.global.t('firewall.unloadFirewall');
-    }
-
-    ElMessageBox.confirm(confirmMsg, title, {
-        confirmButtonText: i18n.global.t('commons.button.confirm'),
-        cancelButtonText: i18n.global.t('commons.button.cancel'),
-    }).then(async () => {
-        loading.value = true;
-        await applyFilterFirewall({ operation })
-            .then(() => {
-                loading.value = false;
-                MsgSuccess(i18n.global.t('commons.msg.operationSuccess'));
-                search();
-            })
-            .catch(() => {
-                loading.value = false;
-            });
-    });
-};
-
 const onDelete = async (row: Host.IptablesFilterRuleInfo | null) => {
     let names = [];
     let rules = [];
diff --git a/frontend/src/views/host/firewall/status/index.vue b/frontend/src/views/host/firewall/status/index.vue
index 0292396481e0..972178346466 100644
--- a/frontend/src/views/host/firewall/status/index.vue
+++ b/frontend/src/views/host/firewall/status/index.vue
@@ -78,27 +78,19 @@
 
 <script lang="ts" setup>
 import { Host } from '@/api/interface/host';
-import { loadFireBaseInfo, operateFire } from '@/api/modules/host';
+import { loadFireBaseInfo, operateFire, getFilterRules, applyFilterFirewall } from '@/api/modules/host';
 import i18n from '@/lang';
 import NoSuchService from '@/components/layout-content/no-such-service.vue';
 import DockerRestart from '@/components/docker-proxy/docker-restart.vue';
 import { MsgSuccess } from '@/utils/message';
 import { ElMessageBox } from 'element-plus';
-import { ref } from 'vue';
+import { ref, computed } from 'vue';
 
 defineProps({
     showAdvancedControls: {
         type: Boolean,
         default: false,
     },
-    canApply: {
-        type: Boolean,
-        default: false,
-    },
-    isApplied: {
-        type: Boolean,
-        default: false,
-    },
 });
 
 const baseInfo = ref<Host.FirewallBase>({ isActive: false, isExist: true, name: '', version: '', pingStatus: '' });
@@ -108,26 +100,37 @@ const dockerRef = ref();
 const operation = ref('restart');
 const withDockerRestart = ref(false);
 
+// Iptables specific state
+const chainInfoMap = ref<Map<string, Host.IptablesChainInfo>>(new Map());
+
+const isApplied = computed(() => {
+    if (baseInfo.value.name !== 'iptables') return false;
+    const inputInfo = chainInfoMap.value.get('INPUT');
+    const outputInfo = chainInfoMap.value.get('OUTPUT');
+    return inputInfo?.isApplied || outputInfo?.isApplied;
+});
+
 const acceptParams = (): void => {
     loadBaseInfo(true);
 };
-const emit = defineEmits([
-    'search',
-    'update:is-active',
-    'update:loading',
-    'update:maskShow',
-    'update:name',
-    'advanced-operate',
-]);
+const emit = defineEmits(['search', 'update:is-active', 'update:loading', 'update:maskShow', 'update:name']);
 
 const loadBaseInfo = async (search: boolean) => {
     await loadFireBaseInfo()
-        .then((res) => {
+        .then(async (res) => {
             baseInfo.value = res.data;
             onPing.value = baseInfo.value.pingStatus;
             oldStatus.value = onPing.value;
             emit('update:name', baseInfo.value.name);
             emit('update:is-active', baseInfo.value.isActive);
+
+            // Load iptables chain info if firewall is iptables
+            if (baseInfo.value.name === 'iptables' && baseInfo.value.isActive) {
+                await loadIptablesChainInfo();
+            } else {
+                chainInfoMap.value.clear();
+            }
+
             if (search) {
                 emit('search');
             } else {
@@ -141,6 +144,22 @@ const loadBaseInfo = async (search: boolean) => {
         });
 };
 
+const loadIptablesChainInfo = async () => {
+    const params: Host.IptablesFilterRuleSearch = {
+        chains: ['INPUT', 'OUTPUT', '1PANEL_INPUT', '1PANEL_OUTPUT'],
+    };
+    await getFilterRules(params)
+        .then((res) => {
+            chainInfoMap.value.clear();
+            res.data.forEach((chainInfo: Host.IptablesChainInfo) => {
+                chainInfoMap.value.set(chainInfo.name, chainInfo);
+            });
+        })
+        .catch(() => {
+            chainInfoMap.value.clear();
+        });
+};
+
 const onOperate = async (op: string) => {
     operation.value = op;
     // For iptables, skip docker restart warning and execute directly
@@ -200,8 +219,36 @@ const onPingOperate = async (operation: string) => {
         });
 };
 
-const onAdvancedOperate = (operation: string) => {
-    emit('advanced-operate', operation);
+const onAdvancedOperate = async (op: string) => {
+    let confirmMsg = '';
+    let title = '';
+
+    if (op === 'init') {
+        confirmMsg = i18n.global.t('firewall.initChainsConfirm');
+        title = i18n.global.t('firewall.initChains');
+    } else if (op === 'apply') {
+        confirmMsg = i18n.global.t('firewall.applyConfirm');
+        title = i18n.global.t('firewall.applyFirewall');
+    } else {
+        confirmMsg = i18n.global.t('firewall.unloadConfirm');
+        title = i18n.global.t('firewall.unloadFirewall');
+    }
+
+    ElMessageBox.confirm(confirmMsg, title, {
+        confirmButtonText: i18n.global.t('commons.button.confirm'),
+        cancelButtonText: i18n.global.t('commons.button.cancel'),
+    }).then(async () => {
+        emit('update:loading', true);
+        emit('update:maskShow', true);
+        await applyFilterFirewall({ operation: op })
+            .then(() => {
+                MsgSuccess(i18n.global.t('commons.msg.operationSuccess'));
+                loadBaseInfo(true);
+            })
+            .catch(() => {
+                loadBaseInfo(true);
+            });
+    });
 };
 
 defineExpose({

From 8dda3f0f75d3c40767ffb4d44b0cbf7e9cb13e86 Mon Sep 17 00:00:00 2001
From: ssongliu <songlius11@163.com>
Date: Mon, 10 Nov 2025 14:57:45 +0800
Subject: [PATCH 14/16] feat: adjust iptables code

---
 agent/app/api/v2/entry.go                     |  12 +-
 agent/app/api/v2/firewall.go                  | 105 +--
 agent/app/dto/firewall.go                     |  54 +-
 agent/app/model/firewall.go                   |  49 +-
 agent/app/repo/host.go                        |  40 +-
 agent/app/repo/iptables_filter_rule.go        |  67 --
 agent/app/service/firewall.go                 | 134 +++-
 agent/app/service/iptables.go                 | 319 ++++++++
 agent/app/service/iptables_filter.go          | 643 ----------------
 agent/global/config.go                        |   1 +
 agent/init/app/app.go                         |   5 -
 agent/init/dir/dir.go                         |   1 +
 agent/init/firewall/firwall.go                |  24 +
 agent/init/migration/migrate.go               |   1 +
 agent/init/migration/migrations/init.go       |  27 +-
 agent/router/ro_host.go                       |  11 +-
 agent/server/server.go                        |   2 +
 agent/utils/controller/controller.go          |   1 +
 agent/utils/firewall/client.go                |   5 +-
 agent/utils/firewall/client/info.go           |  23 +-
 agent/utils/firewall/client/iptables.go       | 699 +++++++-----------
 .../utils/firewall/client/iptables/common.go  | 198 +++++
 .../utils/firewall/client/iptables/filter.go  | 132 ++++
 .../utils/firewall/client/iptables/forward.go | 112 +++
 .../firewall/client/iptables/persistence.go   | 103 +++
 agent/utils/firewall/client/iptables_fw.go    | 447 -----------
 .../utils/firewall/client/iptables_policy.go  |  99 ---
 agent/utils/firewall/client/ufw.go            |  92 +--
 core/server/server.go                         |   7 +-
 frontend/src/api/interface/host.ts            |  54 +-
 frontend/src/api/modules/host.ts              |  23 +-
 frontend/src/lang/modules/en.ts               |  36 +-
 frontend/src/lang/modules/es-es.ts            |  38 +-
 frontend/src/lang/modules/ja.ts               |  37 +-
 frontend/src/lang/modules/ko.ts               |  35 +-
 frontend/src/lang/modules/ms.ts               |  36 +-
 frontend/src/lang/modules/pt-br.ts            |  38 +-
 frontend/src/lang/modules/ru.ts               |  37 +-
 frontend/src/lang/modules/tr.ts               |  37 +-
 frontend/src/lang/modules/zh-Hant.ts          |  31 +-
 frontend/src/lang/modules/zh.ts               |  23 +-
 frontend/src/routers/modules/host.ts          |   6 +-
 .../firewall/{filter => advance}/index.vue    | 219 +++---
 .../host/firewall/advance/operate/index.vue   | 166 +++++
 .../host/firewall/filter/operate/index.vue    | 250 -------
 .../src/views/host/firewall/forward/index.vue |   1 +
 frontend/src/views/host/firewall/index.vue    |   2 +-
 frontend/src/views/host/firewall/ip/index.vue |   1 +
 .../src/views/host/firewall/port/index.vue    |  25 +-
 .../src/views/host/firewall/status/index.vue  | 192 ++---
 50 files changed, 2182 insertions(+), 2518 deletions(-)
 delete mode 100644 agent/app/repo/iptables_filter_rule.go
 create mode 100644 agent/app/service/iptables.go
 delete mode 100644 agent/app/service/iptables_filter.go
 create mode 100644 agent/init/firewall/firwall.go
 create mode 100644 agent/utils/firewall/client/iptables/common.go
 create mode 100644 agent/utils/firewall/client/iptables/filter.go
 create mode 100644 agent/utils/firewall/client/iptables/forward.go
 create mode 100644 agent/utils/firewall/client/iptables/persistence.go
 delete mode 100644 agent/utils/firewall/client/iptables_fw.go
 delete mode 100644 agent/utils/firewall/client/iptables_policy.go
 rename frontend/src/views/host/firewall/{filter => advance}/index.vue (58%)
 create mode 100644 frontend/src/views/host/firewall/advance/operate/index.vue
 delete mode 100644 frontend/src/views/host/firewall/filter/operate/index.vue

diff --git a/agent/app/api/v2/entry.go b/agent/app/api/v2/entry.go
index 47fedc28fd66..ef1ee05dd589 100644
--- a/agent/app/api/v2/entry.go
+++ b/agent/app/api/v2/entry.go
@@ -35,12 +35,12 @@ var (
 
 	cronjobService = service.NewICronjobService()
 
-	fileService            = service.NewIFileService()
-	sshService             = service.NewISSHService()
-	firewallService        = service.NewIFirewallService()
-	iptablesFilterService  = service.NewIIptablesFilterService()
-	monitorService         = service.NewIMonitorService()
-	systemService          = service.NewISystemService()
+	fileService     = service.NewIFileService()
+	sshService      = service.NewISSHService()
+	firewallService = service.NewIFirewallService()
+	iptablesService = service.NewIIptablesService()
+	monitorService  = service.NewIMonitorService()
+	systemService   = service.NewISystemService()
 
 	deviceService   = service.NewIDeviceService()
 	fail2banService = service.NewIFail2BanService()
diff --git a/agent/app/api/v2/firewall.go b/agent/app/api/v2/firewall.go
index 9bfb315ef332..8c917f6a97d5 100644
--- a/agent/app/api/v2/firewall.go
+++ b/agent/app/api/v2/firewall.go
@@ -8,12 +8,19 @@ import (
 
 // @Tags Firewall
 // @Summary Load firewall base info
+// @Accept json
+// @Param request body dto.OperationWithName true "request"
 // @Success 200 {object} dto.FirewallBaseInfo
 // @Security ApiKeyAuth
 // @Security Timestamp
-// @Router /hosts/firewall/base [get]
+// @Router /hosts/firewall/base [post]
 func (b *BaseApi) LoadFirewallBaseInfo(c *gin.Context) {
-	data, err := firewallService.LoadBaseInfo()
+	var req dto.OperationWithName
+	if err := helper.CheckBindAndValidate(&req, c); err != nil {
+		return
+	}
+
+	data, err := firewallService.LoadBaseInfo(req.Name)
 	if err != nil {
 		helper.InternalServer(c, err)
 		return
@@ -223,53 +230,48 @@ func (b *BaseApi) UpdateAddrRule(c *gin.Context) {
 }
 
 // @Tags Firewall
-// @Summary Get iptables filter rules
+// @Summary search iptables filter rules
 // @Accept json
-// @Param request body dto.IptablesFilterRuleSearch true "request"
-// @Success 200 {object} []dto.IptablesChainInfo
+// @Param request body dto.SearchPageWithType true "request"
+// @Success 200 {object} dto.PageResult
 // @Security ApiKeyAuth
 // @Security Timestamp
-// @Router /hosts/firewall/filter/rules [post]
-func (b *BaseApi) GetFilterRules(c *gin.Context) {
-	var req dto.IptablesFilterRuleSearch
+// @Router /hosts/firewall/filter/search [post]
+func (b *BaseApi) SearchFilterRules(c *gin.Context) {
+	var req dto.SearchPageWithType
 	if err := helper.CheckBindAndValidate(&req, c); err != nil {
 		return
 	}
 
-	data, err := iptablesFilterService.GetFilterRules(req.Chains)
+	total, list, err := iptablesService.Search(req)
 	if err != nil {
 		helper.InternalServer(c, err)
 		return
 	}
 
-	helper.SuccessWithData(c, data)
+	helper.SuccessWithData(c, dto.PageResult{
+		Items: list,
+		Total: total,
+	})
 }
 
 // @Tags Firewall
 // @Summary Operate iptables filter rule
 // @Accept json
-// @Param request body dto.IptablesFilterRuleOperate true "request"
+// @Param request body dto.IptablesRuleOp true "request"
 // @Success 200
 // @Security ApiKeyAuth
 // @Security Timestamp
-// @Router /hosts/firewall/filter/rule [post]
+// @Router /hosts/firewall/filter/rule/operate [post]
 // @x-panel-log {"bodyKeys":["operation","chain"],"paramKeys":[],"BeforeFunctions":[],"formatZH":"[operation] filter规则到 [chain]","formatEN":"[operation] filter rule to [chain]"}
 func (b *BaseApi) OperateFilterRule(c *gin.Context) {
-	var req dto.IptablesFilterRuleOperate
+	var req dto.IptablesRuleOp
 	if err := helper.CheckBindAndValidate(&req, c); err != nil {
 		return
 	}
-
-	if req.Operation == "add" {
-		if err := iptablesFilterService.AddRule(req); err != nil {
-			helper.InternalServer(c, err)
-			return
-		}
-	} else if req.Operation == "remove" {
-		if err := iptablesFilterService.RemoveRule(req.ID); err != nil {
-			helper.InternalServer(c, err)
-			return
-		}
+	if err := iptablesService.OperateRule(req); err != nil {
+		helper.InternalServer(c, err)
+		return
 	}
 
 	helper.Success(c)
@@ -278,18 +280,18 @@ func (b *BaseApi) OperateFilterRule(c *gin.Context) {
 // @Tags Firewall
 // @Summary Batch operate iptables filter rules
 // @Accept json
-// @Param request body dto.IptablesFilterBatchOperate true "request"
+// @Param request body dto.IptablesBatchOperate true "request"
 // @Success 200
 // @Security ApiKeyAuth
 // @Security Timestamp
-// @Router /hosts/firewall/filter/batch [post]
+// @Router /hosts/firewall/filter/rule/batch [post]
 func (b *BaseApi) BatchOperateFilterRule(c *gin.Context) {
-	var req dto.IptablesFilterBatchOperate
+	var req dto.IptablesBatchOperate
 	if err := helper.CheckBindAndValidate(&req, c); err != nil {
 		return
 	}
 
-	if err := iptablesFilterService.BatchOperate(req); err != nil {
+	if err := iptablesService.BatchOperate(req); err != nil {
 		helper.InternalServer(c, err)
 		return
 	}
@@ -300,35 +302,38 @@ func (b *BaseApi) BatchOperateFilterRule(c *gin.Context) {
 // @Tags Firewall
 // @Summary Apply/Unload/Init iptables filter
 // @Accept json
-// @Param request body dto.IptablesFilterApply true "request"
+// @Param request body dto.IptablesOp true "request"
 // @Success 200
 // @Security ApiKeyAuth
 // @Security Timestamp
-// @Router /hosts/firewall/filter/apply [post]
-// @x-panel-log {"bodyKeys":["operation"],"paramKeys":[],"BeforeFunctions":[],"formatZH":"[operation] iptables filter防火墙","formatEN":"[operation] iptables filter firewall"}
-func (b *BaseApi) ApplyFilterFirewall(c *gin.Context) {
-	var req dto.IptablesFilterApply
+// @Router /hosts/firewall/filter/operate [post]
+// @x-panel-log {"bodyKeys":["operate"],"paramKeys":[],"BeforeFunctions":[],"formatZH":"[operate] iptables filter 防火墙","formatEN":"[operate] iptables filter firewall"}
+func (b *BaseApi) OperateFilterChain(c *gin.Context) {
+	var req dto.IptablesOp
 	if err := helper.CheckBindAndValidate(&req, c); err != nil {
 		return
 	}
-
-	switch req.Operation {
-	case "init":
-		if err := iptablesFilterService.InitChains(); err != nil {
-			helper.InternalServer(c, err)
-			return
-		}
-	case "apply":
-		if err := iptablesFilterService.ApplyFirewall(); err != nil {
-			helper.InternalServer(c, err)
-			return
-		}
-	case "unload":
-		if err := iptablesFilterService.UnloadFirewall(); err != nil {
-			helper.InternalServer(c, err)
-			return
-		}
+	if err := iptablesService.Operate(req); err != nil {
+		helper.InternalServer(c, err)
+		return
 	}
 
 	helper.Success(c)
 }
+
+// @Tags Firewall
+// @Summary load chain status with name
+// @Accept json
+// @Param request body dto.OperationWithName true "request"
+// @Success 200
+// @Security ApiKeyAuth
+// @Security Timestamp
+// @Router /hosts/firewall/filter/chain/status [post]
+func (b *BaseApi) LoadChainStatus(c *gin.Context) {
+	var req dto.OperationWithName
+	if err := helper.CheckBindAndValidate(&req, c); err != nil {
+		return
+	}
+
+	helper.SuccessWithData(c, iptablesService.LoadChainStatus(req))
+}
diff --git a/agent/app/dto/firewall.go b/agent/app/dto/firewall.go
index 40e33db44888..d819733d2ea6 100644
--- a/agent/app/dto/firewall.go
+++ b/agent/app/dto/firewall.go
@@ -4,6 +4,8 @@ type FirewallBaseInfo struct {
 	Name       string `json:"name"`
 	IsExist    bool   `json:"isExist"`
 	IsActive   bool   `json:"isActive"`
+	IsInit     bool   `json:"isInit"`
+	IsBind     bool   `json:"isBind"`
 	Version    string `json:"version"`
 	PingStatus string `json:"pingStatus"`
 }
@@ -22,6 +24,7 @@ type FirewallOperation struct {
 }
 
 type PortRuleOperate struct {
+	ID        uint   `json:"id"`
 	Operation string `json:"operation" validate:"required,oneof=add remove"`
 	Address   string `json:"address"`
 	Port      string `json:"port" validate:"required"`
@@ -55,6 +58,7 @@ type UpdateFirewallDescription struct {
 }
 
 type AddrRuleOperate struct {
+	ID        uint   `json:"id"`
 	Operation string `json:"operation" validate:"required,oneof=add remove"`
 	Address   string `json:"address"  validate:"required"`
 	Strategy  string `json:"strategy" validate:"required,oneof=accept drop"`
@@ -77,51 +81,29 @@ type BatchRuleOperate struct {
 	Rules []PortRuleOperate `json:"rules"`
 }
 
-// Iptables Filter DTO
-
-type IptablesFilterRuleSearch struct {
-	Chains []string `json:"chains"`
-}
-
-type IptablesChainInfo struct {
-	Version       string                   `json:"version"`
-	Name          string                   `json:"name"`
-	DefaultPolicy string                   `json:"defaultPolicy"`
-	Rules         []IptablesFilterRuleInfo `json:"rules"`
-	IsApplied     bool                     `json:"isApplied"`
-}
-
-type IptablesFilterRuleInfo struct {
-	ID          uint   `json:"id"`
-	Protocol    string `json:"protocol"`
-	SourceIP    string `json:"sourceIP"`
-	SourcePort  uint16 `json:"sourcePort"`
-	DestIP      string `json:"destIP"`
-	DestPort    uint16 `json:"destPort"`
-	Action      string `json:"action"`
-	Comment     string `json:"comment"`
-	Description string `json:"description"`
-	RuleOrder   int    `json:"ruleOrder"`
-	IsActive    bool   `json:"isActive"`
+type IptablesOp struct {
+	Name    string `json:"name" validate:"required,oneof=1PANEL_INPUT 1PANEL_OUTPUT 1PANEL_BASIC"`
+	Operate string `json:"operate" validate:"required,oneof=init-base init-forward init-advance bind-base unbind-base bind unbind"`
 }
 
-type IptablesFilterRuleOperate struct {
+type IptablesRuleOp struct {
 	Operation   string `json:"operation" validate:"required,oneof=add remove"`
 	ID          uint   `json:"id"`
 	Chain       string `json:"chain" validate:"required,oneof=1PANEL_INPUT 1PANEL_OUTPUT"`
 	Protocol    string `json:"protocol"`
-	SourceIP    string `json:"sourceIP"`
-	SourcePort  uint16 `json:"sourcePort"`
-	DestIP      string `json:"destIP"`
-	DestPort    uint16 `json:"destPort"`
-	Action      string `json:"action" validate:"required,oneof=ACCEPT DROP REJECT"`
+	SrcIP       string `json:"srcIP"`
+	SrcPort     uint   `json:"srcPort"`
+	DstIP       string `json:"dstIP"`
+	DstPort     uint   `json:"dstPort"`
+	Strategy    string `json:"strategy" validate:"required,oneof=ACCEPT DROP REJECT"`
 	Description string `json:"description"`
 }
 
-type IptablesFilterApply struct {
-	Operation string `json:"operation" validate:"required,oneof=apply unload init"`
+type IptablesBatchOperate struct {
+	Rules []IptablesRuleOp `json:"rules"`
 }
 
-type IptablesFilterBatchOperate struct {
-	Rules []IptablesFilterRuleOperate `json:"rules"`
+type IptablesChainStatus struct {
+	IsBind          bool   `json:"isBind"`
+	DefaultStrategy string `json:"defaultStrategy"`
 }
diff --git a/agent/app/model/firewall.go b/agent/app/model/firewall.go
index 358dd2ad16c4..7218d4238521 100644
--- a/agent/app/model/firewall.go
+++ b/agent/app/model/firewall.go
@@ -3,46 +3,17 @@ package model
 type Firewall struct {
 	BaseModel
 
-	Type        string `gorm:"not null" json:"type"`
-	Port        string `gorm:"not null" json:"port"`
-	Protocol    string `gorm:"not null" json:"protocol"`
-	Address     string `gorm:"not null" json:"address"`
-	Strategy    string `gorm:"not null" json:"strategy"`
-	Description string `gorm:"not null" json:"description"`
-}
-
-type Forward struct {
-	BaseModel
+	Type         string `gorm:"not null" json:"type"`
+	FirewallType string `gorm:"not null" json:"firewallType"`
+	Port         string `gorm:"not null" json:"port"`    // Deprecated
+	Address      string `gorm:"not null" json:"address"` // Deprecated
 
-	Protocol   string `gorm:"not null" json:"protocol"`
-	Port       string `gorm:"not null" json:"port"`
-	TargetIP   string `gorm:"not null" json:"targetIP"`
-	TargetPort string `gorm:"not null" json:"targetPort"`
-	Interface  string `json:"interface"`
-}
-
-type IptablesFilterRule struct {
-	BaseModel
-
-	Chain       string `gorm:"not null;index:idx_chain" json:"chain"`
+	Chain       string `json:"chain"`
 	Protocol    string `json:"protocol"`
-	SourceIP    string `json:"sourceIP"`
-	SourcePort  uint16 `json:"sourcePort"`
-	DestIP      string `json:"destIP"`
-	DestPort    uint16 `json:"destPort"`
-	Action      string `gorm:"not null" json:"action"`
-	Comment     string `json:"comment"`
+	SrcIP       string `json:"srcIP"`
+	SrcPort     string `json:"srcPort"`
+	DstIP       string `json:"dstIP"`
+	DstPort     string `json:"dstPort"`
+	Strategy    string `gorm:"not null" json:"strategy"`
 	Description string `json:"description"`
-	RuleOrder   int    `gorm:"default:0;index:idx_chain_order" json:"ruleOrder"`
-}
-
-type IptablesRule struct {
-	BaseModel
-
-	RuleType string `gorm:"not null" json:"ruleType"` // port, address
-	Protocol string `json:"protocol"`
-	Port     string `json:"port"`
-	Strategy string `gorm:"not null" json:"strategy"` // accept, drop, reject
-	Address  string `json:"address"`
-	Family   string `json:"family"` // ipv4, ipv6
 }
diff --git a/agent/app/repo/host.go b/agent/app/repo/host.go
index 3160a1ec3d94..66a2c69f03a3 100644
--- a/agent/app/repo/host.go
+++ b/agent/app/repo/host.go
@@ -4,16 +4,16 @@ import (
 	"github.com/1Panel-dev/1Panel/agent/app/model"
 	"github.com/1Panel-dev/1Panel/agent/global"
 	"github.com/1Panel-dev/1Panel/agent/utils/encrypt"
+	"gorm.io/gorm"
 )
 
 type HostRepo struct{}
 
 type IHostRepo interface {
 	GetFirewallRecord(opts ...DBOption) (model.Firewall, error)
-	ListFirewallRecord() ([]model.Firewall, error)
+	ListFirewallRecord(opts ...DBOption) ([]model.Firewall, error)
 	SaveFirewallRecord(firewall *model.Firewall) error
 	DeleteFirewallRecordByID(id uint) error
-	DeleteFirewallRecord(fType, port, protocol, address, strategy string) error
 
 	SyncCert(data []model.RootCert) error
 	GetCert(opts ...DBOption) (model.RootCert, error)
@@ -22,6 +22,9 @@ type IHostRepo interface {
 	SaveCert(cert *model.RootCert) error
 	UpdateCert(id uint, vars map[string]interface{}) error
 	DeleteCert(opts ...DBOption) error
+
+	WithByChain(chain string) DBOption
+	WithByFirewallType(fireType string) DBOption
 }
 
 func NewIHostRepo() IHostRepo {
@@ -38,12 +41,16 @@ func (h *HostRepo) GetFirewallRecord(opts ...DBOption) (model.Firewall, error) {
 	return firewall, err
 }
 
-func (h *HostRepo) ListFirewallRecord() ([]model.Firewall, error) {
-	var datas []model.Firewall
-	if err := global.DB.Find(&datas).Error; err != nil {
-		return datas, nil
+func (h *HostRepo) ListFirewallRecord(opts ...DBOption) ([]model.Firewall, error) {
+	var firewalls []model.Firewall
+	db := global.DB
+	for _, opt := range opts {
+		db = opt(db)
+	}
+	if err := global.DB.Find(&firewalls).Error; err != nil {
+		return firewalls, nil
 	}
-	return datas, nil
+	return firewalls, nil
 }
 
 func (h *HostRepo) SaveFirewallRecord(firewall *model.Firewall) error {
@@ -52,12 +59,12 @@ func (h *HostRepo) SaveFirewallRecord(firewall *model.Firewall) error {
 	}
 	var data model.Firewall
 	if firewall.Type == "port" {
-		_ = global.DB.Where("type = ? AND port = ? AND protocol = ? AND address = ? AND strategy = ?", "port", firewall.Port, firewall.Protocol, firewall.Address, firewall.Strategy).First(&data)
+		_ = global.DB.Where("type = ? AND dst_port = ? AND protocol = ? AND src_ip = ? AND strategy = ?", "port", firewall.DstPort, firewall.Protocol, firewall.SrcIP, firewall.Strategy).First(&data)
 		if data.ID != 0 {
 			firewall.ID = data.ID
 		}
 	} else {
-		_ = global.DB.Where("type = ? AND address = ? AND strategy = ?", "address", firewall.Address, firewall.Strategy).First(&data)
+		_ = global.DB.Where("type = ? AND src_ip = ? AND strategy = ?", "address", firewall.SrcIP, firewall.Strategy).First(&data)
 		if data.ID != 0 {
 			firewall.ID = data.ID
 		}
@@ -69,10 +76,6 @@ func (h *HostRepo) DeleteFirewallRecordByID(id uint) error {
 	return global.DB.Where("id = ?", id).Delete(&model.Firewall{}).Error
 }
 
-func (h *HostRepo) DeleteFirewallRecord(fType, port, protocol, address, strategy string) error {
-	return global.DB.Where("type = ? AND port = ? AND protocol = ? AND address = ? AND strategy = ?", fType, port, protocol, address, strategy).Delete(&model.Firewall{}).Error
-}
-
 func (u *HostRepo) GetCert(opts ...DBOption) (model.RootCert, error) {
 	var cert model.RootCert
 	db := global.DB
@@ -151,3 +154,14 @@ func (u *HostRepo) SyncCert(data []model.RootCert) error {
 	tx.Commit()
 	return nil
 }
+
+func (u *HostRepo) WithByFirewallType(fireType string) DBOption {
+	return func(g *gorm.DB) *gorm.DB {
+		return g.Where("firewall_type = ?", fireType)
+	}
+}
+func (u *HostRepo) WithByChain(chain string) DBOption {
+	return func(g *gorm.DB) *gorm.DB {
+		return g.Where("chain = ?", chain)
+	}
+}
diff --git a/agent/app/repo/iptables_filter_rule.go b/agent/app/repo/iptables_filter_rule.go
deleted file mode 100644
index 207ef5d252eb..000000000000
--- a/agent/app/repo/iptables_filter_rule.go
+++ /dev/null
@@ -1,67 +0,0 @@
-package repo
-
-import (
-	"context"
-
-	"github.com/1Panel-dev/1Panel/agent/app/model"
-	"github.com/1Panel-dev/1Panel/agent/global"
-)
-
-type IIptablesFilterRuleRepo interface {
-	Create(ctx context.Context, rule *model.IptablesFilterRule) error
-	Delete(ctx context.Context, id uint) error
-	DeleteByChain(ctx context.Context, chain string) error
-	GetByID(ctx context.Context, id uint) (model.IptablesFilterRule, error)
-	List(ctx context.Context, chains []string) ([]model.IptablesFilterRule, error)
-	ListByChain(ctx context.Context, chain string) ([]model.IptablesFilterRule, error)
-	GetMaxRuleOrder(ctx context.Context, chain string) (int, error)
-}
-
-type IptablesFilterRuleRepo struct{}
-
-func NewIIptablesFilterRuleRepo() IIptablesFilterRuleRepo {
-	return &IptablesFilterRuleRepo{}
-}
-
-func (r *IptablesFilterRuleRepo) Create(ctx context.Context, rule *model.IptablesFilterRule) error {
-	return global.DB.WithContext(ctx).Create(rule).Error
-}
-
-func (r *IptablesFilterRuleRepo) Delete(ctx context.Context, id uint) error {
-	return global.DB.WithContext(ctx).Where("id = ?", id).Delete(&model.IptablesFilterRule{}).Error
-}
-
-func (r *IptablesFilterRuleRepo) DeleteByChain(ctx context.Context, chain string) error {
-	return global.DB.WithContext(ctx).Where("chain = ?", chain).Delete(&model.IptablesFilterRule{}).Error
-}
-
-func (r *IptablesFilterRuleRepo) GetByID(ctx context.Context, id uint) (model.IptablesFilterRule, error) {
-	var rule model.IptablesFilterRule
-	err := global.DB.WithContext(ctx).Where("id = ?", id).First(&rule).Error
-	return rule, err
-}
-
-func (r *IptablesFilterRuleRepo) List(ctx context.Context, chains []string) ([]model.IptablesFilterRule, error) {
-	var rules []model.IptablesFilterRule
-	query := global.DB.WithContext(ctx)
-	if len(chains) > 0 {
-		query = query.Where("chain IN ?", chains)
-	}
-	err := query.Order("chain ASC, rule_order ASC, id ASC").Find(&rules).Error
-	return rules, err
-}
-
-func (r *IptablesFilterRuleRepo) ListByChain(ctx context.Context, chain string) ([]model.IptablesFilterRule, error) {
-	var rules []model.IptablesFilterRule
-	err := global.DB.WithContext(ctx).Where("chain = ?", chain).Order("rule_order ASC, id ASC").Find(&rules).Error
-	return rules, err
-}
-
-func (r *IptablesFilterRuleRepo) GetMaxRuleOrder(ctx context.Context, chain string) (int, error) {
-	var maxOrder int
-	err := global.DB.WithContext(ctx).Model(&model.IptablesFilterRule{}).
-		Where("chain = ?", chain).
-		Select("COALESCE(MAX(rule_order), 0)").
-		Scan(&maxOrder).Error
-	return maxOrder, err
-}
diff --git a/agent/app/service/firewall.go b/agent/app/service/firewall.go
index 679cc2377625..6f93b688d16a 100644
--- a/agent/app/service/firewall.go
+++ b/agent/app/service/firewall.go
@@ -19,6 +19,7 @@ import (
 	"github.com/1Panel-dev/1Panel/agent/utils/controller"
 	"github.com/1Panel-dev/1Panel/agent/utils/firewall"
 	fireClient "github.com/1Panel-dev/1Panel/agent/utils/firewall/client"
+	"github.com/1Panel-dev/1Panel/agent/utils/firewall/client/iptables"
 	"github.com/jinzhu/copier"
 )
 
@@ -27,7 +28,7 @@ const confPath = "/etc/sysctl.conf"
 type FirewallService struct{}
 
 type IFirewallService interface {
-	LoadBaseInfo() (dto.FirewallBaseInfo, error)
+	LoadBaseInfo(tab string) (dto.FirewallBaseInfo, error)
 	SearchWithPage(search dto.RuleSearch) (int64, interface{}, error)
 	OperateFirewall(req dto.FirewallOperation) error
 	OperatePortRule(req dto.PortRuleOperate, reload bool) error
@@ -43,7 +44,7 @@ func NewIFirewallService() IFirewallService {
 	return &FirewallService{}
 }
 
-func (u *FirewallService) LoadBaseInfo() (dto.FirewallBaseInfo, error) {
+func (u *FirewallService) LoadBaseInfo(tab string) (dto.FirewallBaseInfo, error) {
 	var baseInfo dto.FirewallBaseInfo
 	baseInfo.Version = "-"
 	baseInfo.Name = "-"
@@ -57,7 +58,7 @@ func (u *FirewallService) LoadBaseInfo() (dto.FirewallBaseInfo, error) {
 	baseInfo.Name = client.Name()
 
 	var wg sync.WaitGroup
-	wg.Add(3)
+	wg.Add(4)
 	go func() {
 		defer wg.Done()
 		baseInfo.PingStatus = u.pingStatus()
@@ -70,6 +71,10 @@ func (u *FirewallService) LoadBaseInfo() (dto.FirewallBaseInfo, error) {
 		defer wg.Done()
 		baseInfo.Version, _ = client.Version()
 	}()
+	go func() {
+		defer wg.Done()
+		baseInfo.IsInit, baseInfo.IsBind = loadInitStatus(baseInfo.Name, tab)
+	}()
 	wg.Wait()
 	return baseInfo, nil
 }
@@ -158,15 +163,17 @@ func (u *FirewallService) SearchWithPage(req dto.RuleSearch) (int64, interface{}
 			if req.Type != des.Type {
 				continue
 			}
-			if backDatas[i].Port == des.Port &&
+			if backDatas[i].Port == des.DstPort &&
 				req.Type == "port" &&
 				backDatas[i].Protocol == des.Protocol &&
 				backDatas[i].Strategy == des.Strategy &&
-				backDatas[i].Address == des.Address {
+				backDatas[i].Address == des.SrcIP {
+				backDatas[i].ID = des.ID
 				backDatas[i].Description = des.Description
 				break
 			}
-			if req.Type == "address" && backDatas[i].Strategy == des.Strategy && backDatas[i].Address == des.Address {
+			if req.Type == "address" && backDatas[i].Strategy == des.Strategy && backDatas[i].Address == des.SrcIP {
+				backDatas[i].ID = des.ID
 				backDatas[i].Description = des.Description
 				break
 			}
@@ -459,10 +466,16 @@ func (u *FirewallService) UpdateAddrRule(req dto.AddrRuleUpdate) error {
 }
 
 func (u *FirewallService) UpdateDescription(req dto.UpdateFirewallDescription) error {
-	var firewall model.Firewall
-	if err := copier.Copy(&firewall, &req); err != nil {
-		return buserr.WithDetail("ErrStructTransform", err.Error(), nil)
+	firewall := model.Firewall{
+		Type:        req.Type,
+		Chain:       iptables.Chain1PanelBasic,
+		SrcIP:       req.Address,
+		DstPort:     req.Port,
+		Protocol:    req.Protocol,
+		Strategy:    req.Strategy,
+		Description: req.Description,
 	}
+
 	return hostRepo.SaveFirewallRecord(&firewall)
 }
 
@@ -562,7 +575,7 @@ func (u *FirewallService) cleanUnUsedData(client firewall.FirewallClient) {
 	}
 	for _, item := range list {
 		for i := 0; i < len(records); i++ {
-			if records[i].Port == item.Port && records[i].Protocol == item.Protocol && records[i].Strategy == item.Strategy && records[i].Address == item.Address {
+			if records[i].DstPort == item.Port && records[i].Protocol == item.Protocol && records[i].Strategy == item.Strategy && records[i].SrcIP == item.Address {
 				records = append(records[:i], records[i+1:]...)
 			}
 		}
@@ -661,14 +674,16 @@ func (u *FirewallService) addPortsBeforeStart(client firewall.FirewallClient) er
 
 func (u *FirewallService) addPortRecord(req dto.PortRuleOperate) error {
 	if req.Operation == "remove" {
-		return hostRepo.DeleteFirewallRecord("port", req.Port, req.Protocol, req.Address, req.Strategy)
+		if req.ID != 0 {
+			return hostRepo.DeleteFirewallRecordByID(req.ID)
+		}
 	}
 
 	if err := hostRepo.SaveFirewallRecord(&model.Firewall{
 		Type:        "port",
-		Port:        req.Port,
+		DstPort:     req.Port,
 		Protocol:    req.Protocol,
-		Address:     req.Address,
+		SrcIP:       req.Address,
 		Strategy:    req.Strategy,
 		Description: req.Description,
 	}); err != nil {
@@ -680,11 +695,13 @@ func (u *FirewallService) addPortRecord(req dto.PortRuleOperate) error {
 
 func (u *FirewallService) addAddressRecord(req dto.AddrRuleOperate) error {
 	if req.Operation == "remove" {
-		return hostRepo.DeleteFirewallRecord("address", "", "", req.Address, req.Strategy)
+		if req.ID != 0 {
+			return hostRepo.DeleteFirewallRecordByID(req.ID)
+		}
 	}
 	if err := hostRepo.SaveFirewallRecord(&model.Firewall{
 		Type:        "address",
-		Address:     req.Address,
+		SrcIP:       req.Address,
 		Strategy:    req.Strategy,
 		Description: req.Description,
 	}); err != nil {
@@ -751,3 +768,90 @@ func checkPortUsed(ports, proto string, apps []portOfApp) string {
 	}
 	return ""
 }
+
+func loadInitStatus(clientName, tab string) (bool, bool) {
+	if clientName != "iptables" && tab != "forward" {
+		return true, true
+	}
+	switch tab {
+	case "base":
+		if isExist, _ := iptables.CheckChainExist(iptables.FilterTab, iptables.Chain1PanelBasicBefore); !isExist {
+			return false, false
+		}
+		if exist := iptables.CheckRuleExist(iptables.FilterTab, iptables.Chain1PanelBasicBefore, iptables.IoRuleIn); !exist {
+			return false, false
+		}
+		if exist := iptables.CheckRuleExist(iptables.FilterTab, iptables.Chain1PanelBasicBefore, iptables.EstablishedRule); !exist {
+			return false, false
+		}
+		if exist, _ := iptables.CheckChainExist(iptables.FilterTab, iptables.Chain1PanelBasic); !exist {
+			return false, false
+		}
+		if exist, _ := iptables.CheckChainExist(iptables.FilterTab, iptables.Chain1PanelBasicAfter); !exist {
+			return false, false
+		}
+		if exist := iptables.CheckRuleExist(iptables.FilterTab, iptables.Chain1PanelBasicAfter, iptables.DropAll); !exist {
+			return false, false
+		}
+		if bind, _ := iptables.CheckChainBind(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelBasicBefore); !bind {
+			return true, false
+		}
+		if bind, _ := iptables.CheckChainBind(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelBasic); !bind {
+			return true, false
+		}
+		if bind, _ := iptables.CheckChainBind(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelBasicAfter); !bind {
+			return true, false
+		}
+		return true, true
+	case "advance":
+		isExist, _ := iptables.CheckChainExist(iptables.FilterTab, iptables.Chain1PanelInput)
+		if !isExist {
+			return false, false
+		}
+		isExist, _ = iptables.CheckChainExist(iptables.FilterTab, iptables.Chain1PanelOutput)
+		if !isExist {
+			return false, false
+		}
+
+		isBind, _ := iptables.CheckChainBind(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelInput)
+		if !isBind {
+			return true, false
+		}
+		isBind, _ = iptables.CheckChainBind(iptables.FilterTab, iptables.ChainOutput, iptables.Chain1PanelOutput)
+		return true, isBind
+	case "forward":
+		stdout, err := cmd.RunDefaultWithStdoutBashC("cat /proc/sys/net/ipv4/ip_forward")
+		if err != nil {
+			global.LOG.Errorf("check /proc/sys/net/ipv4/ip_forward failed, err: %v", err)
+			return false, false
+		}
+		if strings.TrimSpace(stdout) == "0" {
+			return false, false
+		}
+
+		exist, _ := iptables.CheckChainExist(iptables.NatTab, iptables.Chain1PanelPreRouting)
+		if !exist {
+			return false, false
+		}
+		exist, _ = iptables.CheckChainExist(iptables.NatTab, iptables.Chain1PanelPostRouting)
+		if !exist {
+			return false, false
+		}
+		exist, _ = iptables.CheckChainExist(iptables.FilterTab, iptables.Chain1PanelForward)
+		if !exist {
+			return false, false
+		}
+		isBind, _ := iptables.CheckChainBind(iptables.NatTab, "PREROUTING", iptables.Chain1PanelPreRouting)
+		if !isBind {
+			return false, false
+		}
+		isBind, _ = iptables.CheckChainBind(iptables.NatTab, "POSTROUTING", iptables.Chain1PanelPostRouting)
+		if !isBind {
+			return false, false
+		}
+		isBind, _ = iptables.CheckChainBind(iptables.FilterTab, "FORWARD", iptables.Chain1PanelForward)
+		return true, isBind
+	default:
+		return false, false
+	}
+}
diff --git a/agent/app/service/iptables.go b/agent/app/service/iptables.go
new file mode 100644
index 000000000000..28ea50d71ef4
--- /dev/null
+++ b/agent/app/service/iptables.go
@@ -0,0 +1,319 @@
+package service
+
+import (
+	"errors"
+	"fmt"
+	"net"
+	"strings"
+
+	"github.com/1Panel-dev/1Panel/agent/app/dto"
+	"github.com/1Panel-dev/1Panel/agent/app/model"
+	"github.com/1Panel-dev/1Panel/agent/global"
+	"github.com/1Panel-dev/1Panel/agent/utils/cmd"
+	"github.com/1Panel-dev/1Panel/agent/utils/firewall/client"
+	"github.com/1Panel-dev/1Panel/agent/utils/firewall/client/iptables"
+)
+
+type IIptablesService interface {
+	Search(req dto.SearchPageWithType) (int64, interface{}, error)
+	OperateRule(req dto.IptablesRuleOp) error
+	BatchOperate(req dto.IptablesBatchOperate) error
+	LoadChainStatus(req dto.OperationWithName) dto.IptablesChainStatus
+
+	Operate(req dto.IptablesOp) error
+}
+
+type IptablesService struct{}
+
+func NewIIptablesService() IIptablesService {
+	return &IptablesService{}
+}
+
+func (s *IptablesService) Search(req dto.SearchPageWithType) (int64, interface{}, error) {
+	rules, err := iptables.ReadFilterRulesByChain(req.Type)
+	if err != nil {
+		return 0, nil, fmt.Errorf("failed to read iptables rules: %w", err)
+	}
+	var records []iptables.FilterRules
+	total, start, end := len(rules), (req.Page-1)*req.PageSize, req.Page*req.PageSize
+	if start > total {
+		records = make([]iptables.FilterRules, 0)
+	} else {
+		if end >= total {
+			end = total
+		}
+		records = rules[start:end]
+	}
+
+	rulesInDB, _ := hostRepo.ListFirewallRecord(hostRepo.WithByFirewallType("iptables"), hostRepo.WithByChain(req.Type))
+
+	for i := 0; i < len(records); i++ {
+		for _, item := range rulesInDB {
+			if records[i].Strategy == item.Strategy &&
+				records[i].DstIP == item.DstIP &&
+				fmt.Sprintf("%v", records[i].DstPort) == item.DstPort &&
+				records[i].Protocol == item.Protocol &&
+				records[i].SrcIP == item.SrcIP &&
+				fmt.Sprintf("%v", records[i].SrcPort) == item.SrcPort {
+				records[i].ID = item.ID
+				records[i].Description = item.Description
+			}
+		}
+	}
+	return int64(total), records, nil
+}
+
+func (s *IptablesService) OperateRule(req dto.IptablesRuleOp) error {
+	policy := iptables.FilterRules{
+		Protocol: req.Protocol,
+		SrcIP:    req.SrcIP,
+		SrcPort:  req.SrcPort,
+		DstIP:    req.DstIP,
+		DstPort:  req.DstPort,
+		Strategy: req.Strategy,
+	}
+
+	if req.Operation == "add" {
+		if err := s.validateRuleInput(&req); err != nil {
+			return err
+		}
+
+		if err := iptables.AddFilterRule(req.Chain, policy); err != nil {
+			return fmt.Errorf("failed to add iptables rule: %w", err)
+		}
+
+		rule := &model.Firewall{
+			Chain:       req.Chain,
+			Protocol:    req.Protocol,
+			SrcIP:       req.SrcIP,
+			SrcPort:     fmt.Sprintf("%v", req.SrcPort),
+			DstIP:       req.DstIP,
+			DstPort:     fmt.Sprintf("%v", req.DstPort),
+			Strategy:    req.Strategy,
+			Description: req.Description,
+		}
+
+		if err := hostRepo.SaveFirewallRecord(rule); err != nil {
+			return fmt.Errorf("failed to save rule to database: %w", err)
+		}
+		return nil
+	}
+	if err := iptables.DeleteFilterRule(req.Chain, policy); err != nil {
+		return fmt.Errorf("failed to remove iptables rule: %w", err)
+	}
+	name := iptables.InputFileName
+	if req.Chain == iptables.Chain1PanelOutput {
+		name = iptables.OutputFileName
+	}
+	if err := iptables.SaveRulesToFile(iptables.FilterTab, req.Chain, name); err != nil {
+		global.LOG.Errorf("persistence for %s failed, err: %v", iptables.Chain1PanelBasic, err)
+	}
+	if req.ID != 0 {
+		if err := hostRepo.DeleteFirewallRecordByID(req.ID); err != nil {
+			return fmt.Errorf("failed to delete rule from database: %w", err)
+		}
+	}
+	return nil
+}
+
+func (s *IptablesService) BatchOperate(req dto.IptablesBatchOperate) error {
+	for _, rule := range req.Rules {
+		if err := s.OperateRule(rule); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (s *IptablesService) Operate(req dto.IptablesOp) error {
+	targetChain := "INPUT"
+	if req.Name == "1PANEL_OUTPUT" {
+		targetChain = "OUTPUT"
+	}
+	switch req.Operate {
+	case "init-base":
+		if err := cmd.RunDefaultBashC("modprobe ip_tables"); err != nil {
+			return fmt.Errorf("failed to load ip_tables module: %v", err)
+		}
+		if err := iptables.AddChain(iptables.FilterTab, iptables.Chain1PanelBasicBefore); err != nil {
+			return err
+		}
+		if err := iptables.AddChain(iptables.FilterTab, iptables.Chain1PanelBasic); err != nil {
+			return err
+		}
+		if err := iptables.AddChain(iptables.FilterTab, iptables.Chain1PanelBasicAfter); err != nil {
+			return err
+		}
+		if err := initPreRules(); err != nil {
+			return err
+		}
+		if err := iptables.BindChain(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelBasicBefore, 1); err != nil {
+			return err
+		}
+		if err := iptables.BindChain(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelBasic, 2); err != nil {
+			return err
+		}
+		if err := iptables.BindChain(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelBasicAfter, 3); err != nil {
+			return err
+		}
+		return nil
+	case "init-forward":
+		return client.EnableIptablesForward()
+	case "init-advance":
+		if err := iptables.AddChain(iptables.FilterTab, iptables.Chain1PanelInput); err != nil {
+			return err
+		}
+		if err := iptables.AddChain(iptables.FilterTab, iptables.Chain1PanelOutput); err != nil {
+			return err
+		}
+		number := loadBindNumber()
+		if err := iptables.BindChain(iptables.FilterTab, iptables.ChainOutput, iptables.Chain1PanelOutput, number); err != nil {
+			return err
+		}
+		if err := iptables.BindChain(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelInput, number); err != nil {
+			return err
+		}
+	case "bind-base":
+		if err := initPreRules(); err != nil {
+			return err
+		}
+		if err := iptables.BindChain(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelBasicBefore, 1); err != nil {
+			return err
+		}
+		if err := iptables.BindChain(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelBasic, 2); err != nil {
+			return err
+		}
+		if err := iptables.BindChain(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelBasicAfter, 3); err != nil {
+			return err
+		}
+	case "unbind-base":
+		if err := iptables.UnbindChain(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelBasicAfter); err != nil {
+			return err
+		}
+		if err := iptables.UnbindChain(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelBasicBefore); err != nil {
+			return err
+		}
+		if err := iptables.UnbindChain(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelBasic); err != nil {
+			return err
+		}
+	case "bind":
+		if err := iptables.BindChain(iptables.FilterTab, targetChain, req.Name, loadBindNumber()); err != nil {
+			return err
+		}
+	case "unbind":
+		if err := iptables.UnbindChain(iptables.FilterTab, targetChain, req.Name); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (s *IptablesService) LoadChainStatus(req dto.OperationWithName) dto.IptablesChainStatus {
+	var data dto.IptablesChainStatus
+	var err error
+	data.DefaultStrategy, err = iptables.LoadDefaultStrategy(req.Name)
+	if err != nil {
+		global.LOG.Error(err)
+	}
+	switch req.Name {
+	case iptables.Chain1PanelBasic:
+		data.IsBind, err = iptables.CheckChainBind(iptables.FilterTab, iptables.ChainInput, req.Name)
+	case iptables.Chain1PanelInput:
+		data.IsBind, err = iptables.CheckChainBind(iptables.FilterTab, iptables.ChainInput, req.Name)
+	case iptables.Chain1PanelOutput:
+		data.IsBind, err = iptables.CheckChainBind(iptables.FilterTab, iptables.ChainOutput, req.Name)
+	}
+	return data
+}
+
+func (s *IptablesService) validateRuleInput(req *dto.IptablesRuleOp) error {
+	if req.Protocol != "" {
+		validProtocols := map[string]bool{"tcp": true, "udp": true, "icmp": true, "all": true}
+		if !validProtocols[strings.ToLower(req.Protocol)] {
+			return fmt.Errorf("invalid protocol: %s, must be tcp, udp, icmp or all", req.Protocol)
+		}
+	}
+	if req.SrcIP != "" {
+		if err := s.validateIPOrCIDR(req.SrcIP); err != nil {
+			return fmt.Errorf("invalid source IP: %w", err)
+		}
+	}
+	if req.DstIP != "" {
+		if err := s.validateIPOrCIDR(req.DstIP); err != nil {
+			return fmt.Errorf("invalid destination IP: %w", err)
+		}
+	}
+	if req.SrcPort > 65535 {
+		return fmt.Errorf("invalid source port: %d, must be between 1 and 65535", req.SrcPort)
+	}
+	if req.DstPort > 65535 {
+		return fmt.Errorf("invalid destination port: %d, must be between 1 and 65535", req.DstPort)
+	}
+	if (req.SrcPort > 0 || req.DstPort > 0) && req.Protocol == "" {
+		return fmt.Errorf("port specification requires protocol (tcp/udp)")
+	}
+
+	return nil
+}
+
+func (s *IptablesService) validateIPOrCIDR(ipStr string) error {
+	if strings.Contains(ipStr, "/") {
+		_, _, err := net.ParseCIDR(ipStr)
+		if err != nil {
+			return fmt.Errorf("invalid CIDR format: %w", err)
+		}
+		return nil
+	}
+	ip := net.ParseIP(ipStr)
+	if ip == nil {
+		return fmt.Errorf("invalid IP address format")
+	}
+
+	return nil
+}
+
+func loadBindNumber() int {
+	number := 1
+	if exist, _ := iptables.CheckChainExist(iptables.FilterTab, iptables.Chain1PanelBasicBefore); exist {
+		number++
+	}
+	if exist, _ := iptables.CheckChainExist(iptables.FilterTab, iptables.Chain1PanelBasic); exist {
+		number++
+	}
+	if exist, _ := iptables.CheckChainExist(iptables.FilterTab, iptables.Chain1PanelBasicAfter); exist {
+		number++
+	}
+	return number
+}
+
+func initPreRules() error {
+	if err := iptables.AddRule(iptables.FilterTab, iptables.Chain1PanelBasicBefore, iptables.IoRuleIn); err != nil {
+		return err
+	}
+	if err := iptables.AddRule(iptables.FilterTab, iptables.Chain1PanelBasicBefore, iptables.EstablishedRule); err != nil {
+		return err
+	}
+	panelPort := ""
+	if !global.IsMaster {
+		panelPort = global.CONF.Base.Port
+	} else {
+		var portSetting model.Setting
+		_ = global.CoreDB.Where("key = ?", "ServerPort").First(&portSetting).Error
+		if len(portSetting.Value) != 0 {
+			panelPort = portSetting.Value
+		}
+	}
+	if len(panelPort) == 0 {
+		return errors.New("find 1panel service port failed")
+	}
+	if err := iptables.AddRule(iptables.FilterTab, iptables.Chain1PanelBasicBefore, iptables.AllowSSH); err != nil {
+		return err
+	}
+	if err := iptables.AddRule(iptables.FilterTab, iptables.Chain1PanelBasicBefore, fmt.Sprintf("-p tcp -m tcp --dport %s -j ACCEPT", panelPort)); err != nil {
+		return err
+	}
+	if err := iptables.AddRule(iptables.FilterTab, iptables.Chain1PanelBasicAfter, iptables.DropAll); err != nil {
+		return err
+	}
+	return nil
+}
diff --git a/agent/app/service/iptables_filter.go b/agent/app/service/iptables_filter.go
deleted file mode 100644
index 4d809d46a1f3..000000000000
--- a/agent/app/service/iptables_filter.go
+++ /dev/null
@@ -1,643 +0,0 @@
-package service
-
-import (
-	"context"
-	"fmt"
-	"net"
-	"strings"
-	"sync"
-
-	"github.com/1Panel-dev/1Panel/agent/app/dto"
-	"github.com/1Panel-dev/1Panel/agent/app/model"
-	"github.com/1Panel-dev/1Panel/agent/app/repo"
-	"github.com/1Panel-dev/1Panel/agent/global"
-	"github.com/1Panel-dev/1Panel/agent/utils/firewall/client"
-)
-
-type IIptablesFilterService interface {
-	GetFilterRules(chains []string) ([]dto.IptablesChainInfo, error)
-	AddRule(req dto.IptablesFilterRuleOperate) error
-	RemoveRule(id uint) error
-	BatchOperate(req dto.IptablesFilterBatchOperate) error
-	InitChains() error
-	ApplyFirewall() error
-	UnloadFirewall() error
-	ReloadRules() error
-}
-
-type IptablesFilterService struct {
-	repo           repo.IIptablesFilterRuleRepo
-	iptablesClient *client.Iptables
-	mu             sync.Mutex
-}
-
-func NewIIptablesFilterService() IIptablesFilterService {
-	iptablesClient, err := client.NewIptables()
-	if err != nil {
-		global.LOG.Errorf("failed to create iptables client: %v", err)
-		return nil
-	}
-	return &IptablesFilterService{
-		repo:           repo.NewIIptablesFilterRuleRepo(),
-		iptablesClient: iptablesClient,
-	}
-}
-
-func (s *IptablesFilterService) GetFilterRules(chains []string) ([]dto.IptablesChainInfo, error) {
-	if len(chains) == 0 {
-		chains = []string{client.ChainInput, client.ChainOutput, client.Chain1PanelInput, client.Chain1PanelOutput}
-	}
-
-	// 获取 iptables 版本
-	version, err := s.iptablesClient.GetVersion()
-	if err != nil {
-		global.LOG.Warnf("failed to get iptables version: %v", err)
-		version = "unknown"
-	}
-
-	// 读取 iptables 规则
-	iptablesChains, err := s.iptablesClient.ReadFilter(chains)
-	if err != nil {
-		return nil, fmt.Errorf("failed to read iptables rules: %w", err)
-	}
-
-	// 从数据库读取规则描述
-	ctx := context.Background()
-	dbRules, _ := s.repo.List(ctx, []string{client.Chain1PanelInput, client.Chain1PanelOutput})
-	descMap := make(map[uint]string)
-	for _, rule := range dbRules {
-		descMap[rule.ID] = rule.Description
-	}
-
-	var result []dto.IptablesChainInfo
-	for _, chainName := range chains {
-		chain, ok := iptablesChains[chainName]
-		if !ok {
-			continue
-		}
-
-		chainInfo := dto.IptablesChainInfo{
-			Version:       version,
-			Name:          chainName,
-			DefaultPolicy: chain.DefaultPolicy,
-			Rules:         []dto.IptablesFilterRuleInfo{},
-			IsApplied:     false,
-		}
-
-		// 检查是否已应用（INPUT/OUTPUT 链包含跳转规则）
-		if chainName == client.ChainInput || chainName == client.ChainOutput {
-			item := chain.FirstRule
-			targetChain := client.Chain1PanelInput
-			if chainName == client.ChainOutput {
-				targetChain = client.Chain1PanelOutput
-			}
-			for item != nil {
-				if item.P.Action == targetChain {
-					chainInfo.IsApplied = true
-					break
-				}
-				item = item.Next()
-			}
-		}
-
-		// 转换规则
-		item := chain.FirstRule
-		order := 0
-		for item != nil {
-			p := item.P
-			ruleInfo := dto.IptablesFilterRuleInfo{
-				Protocol:   p.Protocol,
-				SourceIP:   p.SourceIP,
-				SourcePort: p.SrcPort,
-				DestIP:     p.DestIP,
-				DestPort:   p.DstPort,
-				Action:     p.Action,
-				Comment:    p.Comment,
-				RuleOrder:  order,
-			}
-
-			// 从 comment 中提取 ID（格式：1Panel_FilterRule_<ID>）
-			if p.Comment != "" {
-				var id uint
-				fmt.Sscanf(p.Comment, "1Panel_FilterRule_%d", &id)
-				ruleInfo.ID = id
-				if desc, ok := descMap[id]; ok {
-					ruleInfo.Description = desc
-				}
-			}
-
-			chainInfo.Rules = append(chainInfo.Rules, ruleInfo)
-			order++
-			item = item.Next()
-		}
-
-		result = append(result, chainInfo)
-	}
-
-	return result, nil
-}
-
-func (s *IptablesFilterService) validateRuleInput(req *dto.IptablesFilterRuleOperate) error {
-	// 验证协议
-	if req.Protocol != "" {
-		validProtocols := map[string]bool{"tcp": true, "udp": true, "icmp": true, "all": true}
-		if !validProtocols[strings.ToLower(req.Protocol)] {
-			return fmt.Errorf("invalid protocol: %s, must be tcp, udp, icmp or all", req.Protocol)
-		}
-	}
-
-	// 验证源 IP
-	if req.SourceIP != "" {
-		if err := s.validateIPOrCIDR(req.SourceIP); err != nil {
-			return fmt.Errorf("invalid source IP: %w", err)
-		}
-	}
-
-	// 验证目标 IP
-	if req.DestIP != "" {
-		if err := s.validateIPOrCIDR(req.DestIP); err != nil {
-			return fmt.Errorf("invalid destination IP: %w", err)
-		}
-	}
-
-	// 验证端口范围（1-65535）
-	if req.SourcePort > 65535 {
-		return fmt.Errorf("invalid source port: %d, must be between 1 and 65535", req.SourcePort)
-	}
-	if req.DestPort > 65535 {
-		return fmt.Errorf("invalid destination port: %d, must be between 1 and 65535", req.DestPort)
-	}
-
-	// 端口必须配合协议使用
-	if (req.SourcePort > 0 || req.DestPort > 0) && req.Protocol == "" {
-		return fmt.Errorf("port specification requires protocol (tcp/udp)")
-	}
-
-	return nil
-}
-
-func (s *IptablesFilterService) validateIPOrCIDR(ipStr string) error {
-	// 检查是否为 CIDR 格式
-	if strings.Contains(ipStr, "/") {
-		_, _, err := net.ParseCIDR(ipStr)
-		if err != nil {
-			return fmt.Errorf("invalid CIDR format: %w", err)
-		}
-		return nil
-	}
-
-	// 检查是否为有效 IP 地址
-	ip := net.ParseIP(ipStr)
-	if ip == nil {
-		return fmt.Errorf("invalid IP address format")
-	}
-
-	return nil
-}
-
-func (s *IptablesFilterService) AddRule(req dto.IptablesFilterRuleOperate) error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	if req.Chain != client.Chain1PanelInput && req.Chain != client.Chain1PanelOutput {
-		return fmt.Errorf("Only %s or %s chains are allowed", client.Chain1PanelInput, client.Chain1PanelOutput)
-	}
-
-	// 安全检查：防止无条件 DROP/REJECT
-	if (req.Action == "DROP" || req.Action == "REJECT") &&
-		req.Protocol == "" && req.SourceIP == "" && req.DestIP == "" &&
-		req.SourcePort == 0 && req.DestPort == 0 {
-		return fmt.Errorf("Iptables Rule Security Check: unconditional %s rules are not allowed, this may lock you out of the system", req.Action)
-	}
-
-	// 验证输入格式
-	if err := s.validateRuleInput(&req); err != nil {
-		return err
-	}
-
-	ctx := context.Background()
-
-	// 获取最大规则顺序
-	maxOrder, err := s.repo.GetMaxRuleOrder(ctx, req.Chain)
-	if err != nil {
-		return fmt.Errorf("failed to get max rule order: %w", err)
-	}
-
-	// 创建数据库记录
-	rule := &model.IptablesFilterRule{
-		Chain:       req.Chain,
-		Protocol:    req.Protocol,
-		SourceIP:    req.SourceIP,
-		SourcePort:  req.SourcePort,
-		DestIP:      req.DestIP,
-		DestPort:    req.DestPort,
-		Action:      req.Action,
-		Description: req.Description,
-		RuleOrder:   maxOrder + 1,
-	}
-
-	if err := s.repo.Create(ctx, rule); err != nil {
-		return fmt.Errorf("failed to save rule to database: %w", err)
-	}
-
-	// 生成 comment
-	rule.Comment = fmt.Sprintf("1Panel_FilterRule_%d", rule.ID)
-
-	// 添加 iptables 规则
-	policy := client.IptablesPolicy{
-		Protocol: req.Protocol,
-		SourceIP: req.SourceIP,
-		SrcPort:  req.SourcePort,
-		DestIP:   req.DestIP,
-		DstPort:  req.DestPort,
-		Action:   req.Action,
-		Comment:  rule.Comment,
-	}
-
-	if err := s.iptablesClient.AddPolicy(req.Chain, policy); err != nil {
-		// 回滚数据库
-		_ = s.repo.Delete(ctx, rule.ID)
-		return fmt.Errorf("failed to add iptables rule: %w", err)
-	}
-
-	// 更新数据库 comment
-	return global.DB.Model(rule).Update("comment", rule.Comment).Error
-}
-
-func (s *IptablesFilterService) RemoveRule(id uint) error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	ctx := context.Background()
-
-	// 从数据库查询规则
-	rule, err := s.repo.GetByID(ctx, id)
-	if err != nil {
-		return fmt.Errorf("rule not found: %w", err)
-	}
-
-	// 按 comment 删除 iptables 规则
-	if rule.Comment != "" {
-		if err := s.iptablesClient.RemovePolicyByComment(rule.Chain, rule.Comment); err != nil {
-			global.LOG.Warnf("failed to remove iptables rule by comment: %v, trying to delete by policy", err)
-			// 如果按 comment 删除失败，尝试按规则内容删除
-			policy := client.IptablesPolicy{
-				Protocol: rule.Protocol,
-				SourceIP: rule.SourceIP,
-				SrcPort:  rule.SourcePort,
-				DestIP:   rule.DestIP,
-				DstPort:  rule.DestPort,
-				Action:   rule.Action,
-				Comment:  rule.Comment,
-			}
-			if err := s.iptablesClient.DeletePolicy(rule.Chain, policy); err != nil {
-				return fmt.Errorf("failed to remove iptables rule: %w", err)
-			}
-		}
-	}
-
-	// 删除数据库记录
-	return s.repo.Delete(ctx, id)
-}
-
-type operationRecord struct {
-	operation string
-	id        uint
-	rule      *model.IptablesFilterRule
-}
-
-func (s *IptablesFilterService) BatchOperate(req dto.IptablesFilterBatchOperate) error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	// 记录成功的操作以便回滚
-	var executed []operationRecord
-
-	// 执行批量操作
-	for _, ruleReq := range req.Rules {
-		if ruleReq.Operation == "add" {
-			// 不再调用 AddRule，直接在这里执行（避免重复加锁）
-			if ruleReq.Chain != client.Chain1PanelInput && ruleReq.Chain != client.Chain1PanelOutput {
-				// 回滚已执行的操作
-				s.rollbackBatchOperations(executed)
-				return fmt.Errorf("Only %s or %s chains are allowed", client.Chain1PanelInput, client.Chain1PanelOutput)
-			}
-
-			// 安全检查
-			if (ruleReq.Action == "DROP" || ruleReq.Action == "REJECT") &&
-				ruleReq.Protocol == "" && ruleReq.SourceIP == "" && ruleReq.DestIP == "" &&
-				ruleReq.SourcePort == 0 && ruleReq.DestPort == 0 {
-				s.rollbackBatchOperations(executed)
-				return fmt.Errorf("Iptables Rule Security Check: unconditional %s rules are not allowed", ruleReq.Action)
-			}
-
-			// 验证输入格式
-			if err := s.validateRuleInput(&ruleReq); err != nil {
-				s.rollbackBatchOperations(executed)
-				return err
-			}
-
-			ctx := context.Background()
-			maxOrder, err := s.repo.GetMaxRuleOrder(ctx, ruleReq.Chain)
-			if err != nil {
-				s.rollbackBatchOperations(executed)
-				return fmt.Errorf("failed to get max rule order: %w", err)
-			}
-
-			rule := &model.IptablesFilterRule{
-				Chain:       ruleReq.Chain,
-				Protocol:    ruleReq.Protocol,
-				SourceIP:    ruleReq.SourceIP,
-				SourcePort:  ruleReq.SourcePort,
-				DestIP:      ruleReq.DestIP,
-				DestPort:    ruleReq.DestPort,
-				Action:      ruleReq.Action,
-				Description: ruleReq.Description,
-				RuleOrder:   maxOrder + 1,
-			}
-
-			if err := s.repo.Create(ctx, rule); err != nil {
-				s.rollbackBatchOperations(executed)
-				return fmt.Errorf("failed to save rule to database: %w", err)
-			}
-
-			rule.Comment = fmt.Sprintf("1Panel_FilterRule_%d", rule.ID)
-			policy := client.IptablesPolicy{
-				Protocol: ruleReq.Protocol,
-				SourceIP: ruleReq.SourceIP,
-				SrcPort:  ruleReq.SourcePort,
-				DestIP:   ruleReq.DestIP,
-				DstPort:  ruleReq.DestPort,
-				Action:   ruleReq.Action,
-				Comment:  rule.Comment,
-			}
-
-			if err := s.iptablesClient.AddPolicy(ruleReq.Chain, policy); err != nil {
-				_ = s.repo.Delete(ctx, rule.ID)
-				s.rollbackBatchOperations(executed)
-				return fmt.Errorf("failed to add iptables rule: %w", err)
-			}
-
-			if err := global.DB.Model(rule).Update("comment", rule.Comment).Error; err != nil {
-				_ = s.iptablesClient.RemovePolicyByComment(ruleReq.Chain, rule.Comment)
-				_ = s.repo.Delete(ctx, rule.ID)
-				s.rollbackBatchOperations(executed)
-				return fmt.Errorf("failed to update comment: %w", err)
-			}
-
-			executed = append(executed, operationRecord{operation: "add", id: rule.ID, rule: rule})
-
-		} else if ruleReq.Operation == "remove" {
-			ctx := context.Background()
-			rule, err := s.repo.GetByID(ctx, ruleReq.ID)
-			if err != nil {
-				s.rollbackBatchOperations(executed)
-				return fmt.Errorf("rule not found: %w", err)
-			}
-
-			if rule.Comment != "" {
-				if err := s.iptablesClient.RemovePolicyByComment(rule.Chain, rule.Comment); err != nil {
-					global.LOG.Warnf("failed to remove iptables rule by comment: %v, trying to delete by policy", err)
-					policy := client.IptablesPolicy{
-						Protocol: rule.Protocol,
-						SourceIP: rule.SourceIP,
-						SrcPort:  rule.SourcePort,
-						DestIP:   rule.DestIP,
-						DstPort:  rule.DestPort,
-						Action:   rule.Action,
-						Comment:  rule.Comment,
-					}
-					if err := s.iptablesClient.DeletePolicy(rule.Chain, policy); err != nil {
-						s.rollbackBatchOperations(executed)
-						return fmt.Errorf("failed to remove iptables rule: %w", err)
-					}
-				}
-			}
-
-			if err := s.repo.Delete(ctx, ruleReq.ID); err != nil {
-				s.rollbackBatchOperations(executed)
-				return fmt.Errorf("failed to delete rule from database: %w", err)
-			}
-
-			executed = append(executed, operationRecord{operation: "remove", id: ruleReq.ID, rule: &rule})
-		}
-	}
-	return nil
-}
-
-func (s *IptablesFilterService) rollbackBatchOperations(executed []operationRecord) {
-	ctx := context.Background()
-	for i := len(executed) - 1; i >= 0; i-- {
-		record := executed[i]
-		if record.operation == "add" {
-			// 回滚添加操作：删除规则
-			if record.rule.Comment != "" {
-				_ = s.iptablesClient.RemovePolicyByComment(record.rule.Chain, record.rule.Comment)
-			}
-			_ = s.repo.Delete(ctx, record.id)
-			global.LOG.Warnf("Rolled back add operation for rule %d", record.id)
-		} else if record.operation == "remove" {
-			// 回滚删除操作：重新添加规则
-			policy := client.IptablesPolicy{
-				Protocol: record.rule.Protocol,
-				SourceIP: record.rule.SourceIP,
-				SrcPort:  record.rule.SourcePort,
-				DestIP:   record.rule.DestIP,
-				DstPort:  record.rule.DestPort,
-				Action:   record.rule.Action,
-				Comment:  record.rule.Comment,
-			}
-			_ = s.iptablesClient.AddPolicy(record.rule.Chain, policy)
-			_ = s.repo.Create(ctx, record.rule)
-			global.LOG.Warnf("Rolled back remove operation for rule %d", record.id)
-		}
-	}
-}
-
-func (s *IptablesFilterService) InitChains() error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	// 检查并创建 1PANEL_INPUT
-	exists, err := s.iptablesClient.ChainExists(client.FilterTab, client.Chain1PanelInput)
-	if err != nil {
-		return fmt.Errorf("failed to check chain %s: %w", client.Chain1PanelInput, err)
-	}
-
-	if !exists {
-		if err := s.iptablesClient.NewChain(client.FilterTab, client.Chain1PanelInput); err != nil {
-			return fmt.Errorf("failed to create chain %s: %w", client.Chain1PanelInput, err)
-		}
-	} else {
-		// 清空已存在的链
-		if err := s.iptablesClient.FlushChain(client.FilterTab, client.Chain1PanelInput); err != nil {
-			return err
-		}
-	}
-
-	// 检查并创建 1PANEL_OUTPUT
-	exists, err = s.iptablesClient.ChainExists(client.FilterTab, client.Chain1PanelOutput)
-	if err != nil {
-		return fmt.Errorf("failed to check chain %s: %w", client.Chain1PanelOutput, err)
-	}
-
-	if !exists {
-		if err := s.iptablesClient.NewChain(client.FilterTab, client.Chain1PanelOutput); err != nil {
-			return fmt.Errorf("failed to create chain %s: %w", client.Chain1PanelOutput, err)
-		}
-	} else {
-		if err := s.iptablesClient.FlushChain(client.FilterTab, client.Chain1PanelOutput); err != nil {
-			return err
-		}
-	}
-
-	// 检查并创建 1PANEL_BASIC
-	exists, err = s.iptablesClient.ChainExists(client.FilterTab, client.Chain1PanelBasic)
-	if err != nil {
-		return fmt.Errorf("failed to check chain %s: %w", client.Chain1PanelBasic, err)
-	}
-
-	if !exists {
-		if err := s.iptablesClient.NewChain(client.FilterTab, client.Chain1PanelBasic); err != nil {
-			return fmt.Errorf("failed to create chain %s: %w", client.Chain1PanelBasic, err)
-		}
-	} else {
-		if err := s.iptablesClient.FlushChain(client.FilterTab, client.Chain1PanelBasic); err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func (s *IptablesFilterService) ApplyFirewall() error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	// 安全检查
-	chains, err := s.iptablesClient.ReadFilter([]string{client.Chain1PanelInput, client.Chain1PanelOutput})
-	if err != nil {
-		return fmt.Errorf("failed to read filter chains: %w", err)
-	}
-
-	// 检查 1PANEL_INPUT 安全性
-	if inputChain, ok := chains[client.Chain1PanelInput]; ok {
-		item := inputChain.FirstRule
-		for item != nil {
-			p := item.P
-			if (p.Action == "DROP" || p.Action == "REJECT") &&
-				p.Protocol == "" && p.SourceIP == "" && p.DestIP == "" &&
-				p.SrcPort == 0 && p.DstPort == 0 {
-				return fmt.Errorf("Chain %s includes unconditional %s rule, not allowed to apply", client.Chain1PanelInput, p.Action)
-			}
-			item = item.Next()
-		}
-	}
-
-	// 检查 1PANEL_OUTPUT 安全性
-	if outputChain, ok := chains[client.Chain1PanelOutput]; ok {
-		item := outputChain.FirstRule
-		for item != nil {
-			p := item.P
-			if (p.Action == "DROP" || p.Action == "REJECT") &&
-				p.Protocol == "" && p.SourceIP == "" && p.DestIP == "" &&
-				p.SrcPort == 0 && p.DstPort == 0 {
-				return fmt.Errorf("Chain %s includes unconditional %s rule, not allowed to apply", client.Chain1PanelOutput, p.Action)
-			}
-			item = item.Next()
-		}
-	}
-
-	if err := s.iptablesClient.Setup1PanelFirewallChains("input"); err != nil {
-		return fmt.Errorf("failed to apply %s to %s: %w", client.Chain1PanelInput, client.ChainInput, err)
-	}
-	global.LOG.Infof("Applied %s to %s chain", client.Chain1PanelInput, client.ChainInput)
-
-	if err := s.iptablesClient.Setup1PanelFirewallChains("output"); err != nil {
-		return fmt.Errorf("failed to apply %s to %s: %w", client.Chain1PanelOutput, client.ChainOutput, err)
-	}
-	global.LOG.Infof("Applied %s to %s chain", client.Chain1PanelOutput, client.ChainOutput)
-
-	return nil
-}
-
-func (s *IptablesFilterService) UnloadFirewall() error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	// 从 INPUT 链删除跳转规则
-	ruleNum, err := s.iptablesClient.FindRuleNum(client.ChainInput, client.Chain1PanelInput)
-	if err == nil {
-		if err := s.iptablesClient.RemovePolicyByNum(client.ChainInput, ruleNum); err != nil {
-			return fmt.Errorf("failed to unload %s from %s: %w", client.Chain1PanelInput, client.ChainInput, err)
-		}
-		global.LOG.Infof("Unloaded %s from %s chain", client.Chain1PanelInput, client.ChainInput)
-	} else {
-		global.LOG.Warnf("%s not found in %s chain: %v", client.Chain1PanelInput, client.ChainInput, err)
-	}
-
-	// 从 INPUT 链删除 1PANEL_BASIC 跳转规则
-	ruleNum, err = s.iptablesClient.FindRuleNum(client.ChainInput, client.Chain1PanelBasic)
-	if err == nil {
-		if err := s.iptablesClient.RemovePolicyByNum(client.ChainInput, ruleNum); err != nil {
-			return fmt.Errorf("failed to unload %s from %s: %w", client.Chain1PanelBasic, client.ChainInput, err)
-		}
-		global.LOG.Infof("Unloaded %s from %s chain", client.Chain1PanelBasic, client.ChainInput)
-	} else {
-		global.LOG.Warnf("%s not found in %s chain: %v", client.Chain1PanelBasic, client.ChainInput, err)
-	}
-
-	// 从 OUTPUT 链删除跳转规则
-	ruleNum, err = s.iptablesClient.FindRuleNum(client.ChainOutput, client.Chain1PanelOutput)
-	if err == nil {
-		if err := s.iptablesClient.RemovePolicyByNum(client.ChainOutput, ruleNum); err != nil {
-			return fmt.Errorf("failed to unload %s from %s: %w", client.Chain1PanelOutput, client.ChainOutput, err)
-		}
-		global.LOG.Infof("Unloaded %s from %s chain", client.Chain1PanelOutput, client.ChainOutput)
-	} else {
-		global.LOG.Warnf("%s not found in %s chain: %v", client.Chain1PanelOutput, client.ChainOutput, err)
-	}
-
-	return nil
-}
-
-func (s *IptablesFilterService) ReloadRules() error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	// 清空自定义链
-	if err := s.iptablesClient.FlushChain(client.FilterTab, client.Chain1PanelInput); err != nil {
-		return fmt.Errorf("failed to flush chain %s: %w", client.Chain1PanelInput, err)
-	}
-	if err := s.iptablesClient.FlushChain(client.FilterTab, client.Chain1PanelOutput); err != nil {
-		return fmt.Errorf("failed to flush chain %s: %w", client.Chain1PanelOutput, err)
-	}
-
-	// 从数据库读取规则
-	ctx := context.Background()
-	rules, err := s.repo.List(ctx, []string{client.Chain1PanelInput, client.Chain1PanelOutput})
-	if err != nil {
-		return fmt.Errorf("failed to load rules from database: %w", err)
-	}
-
-	// 逐条恢复规则
-	for _, rule := range rules {
-		policy := client.IptablesPolicy{
-			Protocol: rule.Protocol,
-			SourceIP: rule.SourceIP,
-			SrcPort:  rule.SourcePort,
-			DestIP:   rule.DestIP,
-			DstPort:  rule.DestPort,
-			Action:   rule.Action,
-			Comment:  rule.Comment,
-		}
-
-		if err := s.iptablesClient.AddPolicy(rule.Chain, policy); err != nil {
-			global.LOG.Errorf("failed to reload rule %d: %v", rule.ID, err)
-			continue
-		}
-	}
-
-	global.LOG.Infof("Reloaded %d firewall rules from database", len(rules))
-	return nil
-}
diff --git a/agent/global/config.go b/agent/global/config.go
index 20d1dad627e2..27fbe4c34657 100644
--- a/agent/global/config.go
+++ b/agent/global/config.go
@@ -47,6 +47,7 @@ type SystemDir struct {
 	McpDir                string
 	ConvertLogDir         string
 	TensorRTLLMDir        string
+	FirewallDir           string
 }
 
 type LogConfig struct {
diff --git a/agent/init/app/app.go b/agent/init/app/app.go
index a8aae80ee51b..800eabe4614e 100644
--- a/agent/init/app/app.go
+++ b/agent/init/app/app.go
@@ -2,15 +2,10 @@ package app
 
 import (
 	"github.com/1Panel-dev/1Panel/agent/utils/docker"
-	"github.com/1Panel-dev/1Panel/agent/utils/firewall"
 )
 
 func Init() {
 	go func() {
 		_ = docker.CreateDefaultDockerNetwork()
-
-		if f, err := firewall.NewFirewallClient(); err == nil {
-			_ = f.EnableForward()
-		}
 	}()
 }
diff --git a/agent/init/dir/dir.go b/agent/init/dir/dir.go
index fe2dc51ba178..651f78601639 100644
--- a/agent/init/dir/dir.go
+++ b/agent/init/dir/dir.go
@@ -34,4 +34,5 @@ func Init() {
 	global.Dir.McpDir, _ = fileOp.CreateDirWithPath(true, path.Join(baseDir, "1panel/mcp"))
 	global.Dir.ConvertLogDir, _ = fileOp.CreateDirWithPath(true, path.Join(baseDir, "1panel/log/convert"))
 	global.Dir.TensorRTLLMDir, _ = fileOp.CreateDirWithPath(true, path.Join(baseDir, "1panel/ai/tensorrt_llm"))
+	global.Dir.FirewallDir, _ = fileOp.CreateDirWithPath(true, path.Join(baseDir, "1panel/firewall"))
 }
diff --git a/agent/init/firewall/firwall.go b/agent/init/firewall/firwall.go
new file mode 100644
index 000000000000..e1d1ab9e9d51
--- /dev/null
+++ b/agent/init/firewall/firwall.go
@@ -0,0 +1,24 @@
+package firewall
+
+import (
+	"github.com/1Panel-dev/1Panel/agent/utils/firewall"
+	"github.com/1Panel-dev/1Panel/agent/utils/firewall/client/iptables"
+)
+
+func Init() {
+	client, err := firewall.NewFirewallClient()
+	if err != nil {
+		return
+	}
+	clientName := client.Name()
+	if clientName == "ufw" || clientName == "iptables" {
+		_ = iptables.LoadRulesFromFile(iptables.FilterTab, iptables.Chain1PanelForward, iptables.ForwardFileName)
+		_ = iptables.LoadRulesFromFile(iptables.NatTab, iptables.Chain1PanelPreRouting, iptables.ForwardFileName1)
+		_ = iptables.LoadRulesFromFile(iptables.NatTab, iptables.Chain1PanelPostRouting, iptables.ForwardFileName2)
+	}
+	if clientName == "iptables" {
+		_ = iptables.LoadRulesFromFile(iptables.FilterTab, iptables.Chain1PanelBasic, iptables.BasicFileName)
+		_ = iptables.LoadRulesFromFile(iptables.FilterTab, iptables.Chain1PanelInput, iptables.InputFileName)
+		_ = iptables.LoadRulesFromFile(iptables.FilterTab, iptables.Chain1PanelOutput, iptables.OutputFileName)
+	}
+}
diff --git a/agent/init/migration/migrate.go b/agent/init/migration/migrate.go
index 66d1085b3828..208dee79674e 100644
--- a/agent/init/migration/migrate.go
+++ b/agent/init/migration/migrate.go
@@ -51,6 +51,7 @@ func InitAgentDB() {
 		migrations.AddMonitorProcess,
 		migrations.UpdateCronJob,
 		migrations.UpdateTensorrtLLM,
+		migrations.AddIptablesFilterRuleTable,
 	})
 	if err := m.Migrate(); err != nil {
 		global.LOG.Error(err)
diff --git a/agent/init/migration/migrations/init.go b/agent/init/migration/migrations/init.go
index 60e7c8e5c0dc..ed28d5c20a8e 100644
--- a/agent/init/migration/migrations/init.go
+++ b/agent/init/migration/migrations/init.go
@@ -19,6 +19,7 @@ import (
 	"github.com/1Panel-dev/1Panel/agent/utils/common"
 	"github.com/1Panel-dev/1Panel/agent/utils/copier"
 	"github.com/1Panel-dev/1Panel/agent/utils/encrypt"
+	"github.com/1Panel-dev/1Panel/agent/utils/firewall"
 	"github.com/1Panel-dev/1Panel/agent/utils/ssh"
 	"github.com/1Panel-dev/1Panel/agent/utils/xpack"
 
@@ -48,9 +49,7 @@ var AddTable = &gormigrate.Migration{
 			&model.DatabaseMysql{},
 			&model.DatabasePostgresql{},
 			&model.Favorite{},
-			&model.Forward{},
 			&model.Firewall{},
-			&model.IptablesFilterRule{},
 			&model.Ftp{},
 			&model.ImageRepo{},
 			&model.ScriptLibrary{},
@@ -661,6 +660,30 @@ var UpdateMonitorInterval = &gormigrate.Migration{
 	},
 }
 
+var AddIptablesFilterRuleTable = &gormigrate.Migration{
+	ID: "20251106-add-iptables-filter-rule-table",
+	Migrate: func(tx *gorm.DB) error {
+		if err := tx.AutoMigrate(&model.Firewall{}); err != nil {
+			return err
+		}
+		var firewalls []model.Firewall
+		_ = tx.Where("1 = 1").Find(&firewalls).Error
+
+		firewallType := ""
+		client, err := firewall.NewFirewallClient()
+		if err == nil {
+			firewallType = client.Name()
+		}
+		for _, item := range firewalls {
+			if err := tx.Model(&model.Firewall{}).
+				Updates(map[string]interface{}{"dst_port": item.Port, "src_ip": item.Address, "firewall_type": firewallType}); err != nil {
+				global.LOG.Errorf("update firewall failed, err: %v", err)
+			}
+		}
+		return nil
+	},
+}
+
 var AddMonitorProcess = &gormigrate.Migration{
 	ID: "20251030-add-monitor-process",
 	Migrate: func(tx *gorm.DB) error {
diff --git a/agent/router/ro_host.go b/agent/router/ro_host.go
index cdccc0d2741b..5ac8d30f8ae1 100644
--- a/agent/router/ro_host.go
+++ b/agent/router/ro_host.go
@@ -11,7 +11,7 @@ func (s *HostRouter) InitRouter(Router *gin.RouterGroup) {
 	hostRouter := Router.Group("hosts")
 	baseApi := v2.ApiGroupApp.BaseApi
 	{
-		hostRouter.GET("/firewall/base", baseApi.LoadFirewallBaseInfo)
+		hostRouter.POST("/firewall/base", baseApi.LoadFirewallBaseInfo)
 		hostRouter.POST("/firewall/search", baseApi.SearchFirewallRule)
 		hostRouter.POST("/firewall/operate", baseApi.OperateFirewall)
 		hostRouter.POST("/firewall/port", baseApi.OperatePortRule)
@@ -22,10 +22,11 @@ func (s *HostRouter) InitRouter(Router *gin.RouterGroup) {
 		hostRouter.POST("/firewall/update/addr", baseApi.UpdateAddrRule)
 		hostRouter.POST("/firewall/update/description", baseApi.UpdateFirewallDescription)
 
-		hostRouter.POST("/firewall/filter/rules", baseApi.GetFilterRules)
-		hostRouter.POST("/firewall/filter/rule", baseApi.OperateFilterRule)
-		hostRouter.POST("/firewall/filter/batch", baseApi.BatchOperateFilterRule)
-		hostRouter.POST("/firewall/filter/apply", baseApi.ApplyFilterFirewall)
+		hostRouter.POST("/firewall/filter/rule/search", baseApi.SearchFilterRules)
+		hostRouter.POST("/firewall/filter/rule/operate", baseApi.OperateFilterRule)
+		hostRouter.POST("/firewall/filter/rule/batch", baseApi.BatchOperateFilterRule)
+		hostRouter.POST("/firewall/filter/operate", baseApi.OperateFilterChain)
+		hostRouter.POST("/firewall/filter/chain/status", baseApi.LoadChainStatus)
 
 		hostRouter.POST("/monitor/search", baseApi.LoadMonitor)
 		hostRouter.POST("/monitor/clean", baseApi.CleanMonitor)
diff --git a/agent/server/server.go b/agent/server/server.go
index 660003633436..63b96512af16 100644
--- a/agent/server/server.go
+++ b/agent/server/server.go
@@ -20,6 +20,7 @@ import (
 	"github.com/1Panel-dev/1Panel/agent/init/cache"
 	"github.com/1Panel-dev/1Panel/agent/init/db"
 	"github.com/1Panel-dev/1Panel/agent/init/dir"
+	"github.com/1Panel-dev/1Panel/agent/init/firewall"
 	"github.com/1Panel-dev/1Panel/agent/init/hook"
 	"github.com/1Panel-dev/1Panel/agent/init/lang"
 	"github.com/1Panel-dev/1Panel/agent/init/log"
@@ -39,6 +40,7 @@ func Start() {
 	i18n.Init()
 	cache.Init()
 	app.Init()
+	firewall.Init()
 	lang.Init()
 	validator.Init()
 	if os.Getenv("GIN_MODE") == "" {
diff --git a/agent/utils/controller/controller.go b/agent/utils/controller/controller.go
index 605adbee37e2..f16031868725 100644
--- a/agent/utils/controller/controller.go
+++ b/agent/utils/controller/controller.go
@@ -185,6 +185,7 @@ func loadFromPredefined(mgr Controller, keyword string) string {
 		"1panel-core":  {"1panel-core.service"},
 		"1panel-agent": {"1panel-agent.service"},
 		"docker":       {"docker.service", "dockerd"},
+		"iptables":     {"iptables", "iptables-services"},
 	}
 	if val, ok := predefinedMap[keyword]; ok {
 		for _, item := range val {
diff --git a/agent/utils/firewall/client.go b/agent/utils/firewall/client.go
index d7de20e6ddf3..97b481b8c72f 100644
--- a/agent/utils/firewall/client.go
+++ b/agent/utils/firewall/client.go
@@ -31,6 +31,9 @@ func NewFirewallClient() (FirewallClient, error) {
 	firewalld := cmd.Which("firewalld")
 	ufw := cmd.Which("ufw")
 
+	if firewalld && ufw {
+		return nil, errors.New("It is detected that the system has both firewalld and ufw services. To avoid conflicts, please uninstall and try again!")
+	}
 	if firewalld {
 		return client.NewFirewalld()
 	}
@@ -40,7 +43,7 @@ func NewFirewallClient() (FirewallClient, error) {
 
 	iptables := cmd.Which("iptables")
 	if iptables {
-		return client.NewIptablesFirewall()
+		return client.NewIptables()
 	}
 	return nil, errors.New("No system firewall service detected (firewalld/ufw/iptables), please check and try again!")
 }
diff --git a/agent/utils/firewall/client/info.go b/agent/utils/firewall/client/info.go
index ba1603738018..76069b8c5cbd 100644
--- a/agent/utils/firewall/client/info.go
+++ b/agent/utils/firewall/client/info.go
@@ -1,6 +1,7 @@
 package client
 
 type FireInfo struct {
+	ID       uint   `json:"uint"`
 	Family   string `json:"family"`  // ipv4 ipv6
 	Address  string `json:"address"` // Anywhere
 	Port     string `json:"port"`
@@ -24,25 +25,3 @@ type Forward struct {
 	TargetPort string `json:"targetPort"`
 	Interface  string `json:"interface"`
 }
-
-type IptablesNatInfo struct {
-	Num         string `json:"num"`
-	Target      string `json:"target"`
-	Protocol    string `json:"protocol"`
-	InIface     string `json:"inIface"`
-	OutIface    string `json:"outIface"`
-	Opt         string `json:"opt"`
-	Source      string `json:"source"`
-	Destination string `json:"destination"`
-	SrcPort     string `json:"srcPort"`
-	DestPort    string `json:"destPort"`
-}
-
-type IptablesFilterInfo struct {
-	Num         string `json:"num"`
-	Target      string `json:"target"`
-	Protocol    string `json:"protocol"`
-	Opt         string `json:"opt"`
-	Source      string `json:"source"`
-	Destination string `json:"destination"`
-}
diff --git a/agent/utils/firewall/client/iptables.go b/agent/utils/firewall/client/iptables.go
index 50bfcd34972a..cb1718a88754 100644
--- a/agent/utils/firewall/client/iptables.go
+++ b/agent/utils/firewall/client/iptables.go
@@ -3,96 +3,57 @@ package client
 import (
 	"fmt"
 	"regexp"
+	"strconv"
 	"strings"
-	"time"
 
-	"github.com/1Panel-dev/1Panel/agent/app/model"
+	"github.com/1Panel-dev/1Panel/agent/buserr"
 	"github.com/1Panel-dev/1Panel/agent/global"
 	"github.com/1Panel-dev/1Panel/agent/utils/cmd"
+	"github.com/1Panel-dev/1Panel/agent/utils/firewall/client/iptables"
 )
 
-const (
-	PreRoutingChain   = "1PANEL_PREROUTING"
-	PostRoutingChain  = "1PANEL_POSTROUTING"
-	ForwardChain      = "1PANEL_FORWARD"
-	ChainInput        = "INPUT"
-	ChainOutput       = "OUTPUT"
-	Chain1PanelInput  = "1PANEL_INPUT"
-	Chain1PanelOutput = "1PANEL_OUTPUT"
-	Chain1PanelBasic  = "1PANEL_BASIC"
-)
-
-const (
-	ACCEPT = "ACCEPT"
-	DROP   = "DROP"
-	REJECT = "REJECT"
-)
+var portRuleRegex = regexp.MustCompile(`-A\s+INPUT\s+-p\s+(\w+)(?:\s+-m\s+\w+)*\s+--dport\s+(\d+(?::\d+)?)\s+-j\s+(\w+)`)
+var addressRuleRegex = regexp.MustCompile(`-A\s+(INPUT|OUTPUT)\s+-s\s+(\S+)\s+-j\s+(\w+)`)
 
-const (
-	FilterTab = "filter"
-	NatTab    = "nat"
-)
-
-const NatChain = "1PANEL"
-
-var (
-	natListRegex = regexp.MustCompile(`^(\d+)\s+(.+?)\s+(.+?)\s+(.+?)\s+(.+?)\s+(.+?)\s+(.+?)\s+(.+?)\s+(.+?)\s+(.+?)(?:\s+(.+?) .+?:(\d{1,5}(?::\d+)?).+?[ :](.+-.+|(?:.+:)?\d{1,5}(?:-\d{1,5})?))?$`)
-)
-
-type Iptables struct {
-	CmdStr string
-}
+type Iptables struct{}
 
 func NewIptables() (*Iptables, error) {
-	iptables := new(Iptables)
-	iptables.CmdStr = cmd.SudoHandleCmd()
+	return &Iptables{}, nil
+}
 
-	return iptables, nil
+func (i *Iptables) Name() string {
+	return "iptables"
 }
 
-func (iptables *Iptables) out(tab, rule string) (string, error) {
-	cmdMgr := cmd.NewCommandMgr(cmd.WithIgnoreExist1(), cmd.WithTimeout(20*time.Second))
-	stdout, err := cmdMgr.RunWithStdoutBashCf("%s iptables -t %s %s", iptables.CmdStr, tab, rule)
+func (i *Iptables) Status() (bool, error) {
+	stdout, err := cmd.RunDefaultWithStdoutBashC("iptables -L -n | head -1")
 	if err != nil {
-		global.LOG.Errorf("iptables command failed [table=%s, rule=%s]: %v", tab, rule, err)
-		return stdout, err
+		return false, err
 	}
-	return stdout, nil
+	return strings.Contains(stdout, "Chain"), nil
 }
 
-func (iptables *Iptables) run(tab, rule string) error {
-	if _, err := iptables.out(tab, rule); err != nil {
-		return err
-	}
+func (i *Iptables) Start() error {
 	return nil
 }
 
-func (iptables *Iptables) Check() error {
-	stdout, err := cmd.RunDefaultWithStdoutBashC("cat /proc/sys/net/ipv4/ip_forward")
-	if err != nil {
-		return fmt.Errorf("check ip_forward failed, %v", err)
-	}
-	if strings.TrimSpace(stdout) == "0" {
-		return fmt.Errorf("ipv4 forward disabled")
-	}
+func (i *Iptables) Stop() error {
+	return nil
+}
 
-	chain, err := iptables.out(NatTab, fmt.Sprintf("-L -n | grep 'Chain %s'", PreRoutingChain))
-	if err != nil {
-		return fmt.Errorf("failed to check chain: %w", err)
-	}
-	if strings.TrimSpace(chain) != "" {
-		return fmt.Errorf("chain %s already exists", PreRoutingChain)
-	}
+func (i *Iptables) Restart() error {
+	return nil
+}
 
+func (i *Iptables) Reload() error {
 	return nil
 }
 
-func (iptables *Iptables) GetVersion() (string, error) {
+func (i *Iptables) Version() (string, error) {
 	stdout, err := cmd.RunDefaultWithStdoutBashC("iptables --version")
 	if err != nil {
 		return "", fmt.Errorf("failed to get iptables version: %w", err)
 	}
-	// 提取版本号，例如 "iptables v1.8.7 (nf_tables)"
 	parts := strings.Fields(stdout)
 	if len(parts) >= 2 {
 		return strings.TrimPrefix(parts[1], "v"), nil
@@ -100,462 +61,346 @@ func (iptables *Iptables) GetVersion() (string, error) {
 	return strings.TrimSpace(stdout), nil
 }
 
-func (iptables *Iptables) NewChain(tab, chain string) error {
-	return iptables.run(tab, "-N "+chain)
-}
-
-func (iptables *Iptables) AppendChain(tab string, chain, chain1 string) error {
-	return iptables.run(tab, fmt.Sprintf("-A %s -j %s", chain, chain1))
-}
-
-func (iptables *Iptables) NatList(chain ...string) ([]IptablesNatInfo, error) {
-	if len(chain) == 0 {
-		chain = append(chain, PreRoutingChain)
-	}
-	stdout, err := iptables.out(NatTab, fmt.Sprintf("-nvL %s --line-numbers", chain[0]))
+func (i *Iptables) ListPort() ([]FireInfo, error) {
+	stdout, err := iptables.RunWithStd(iptables.FilterTab, fmt.Sprintf("-S %s", iptables.Chain1PanelBasic))
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to list 1PANEL_BASIC rules: %w", err)
 	}
 
-	var forwardList []IptablesNatInfo
-	for _, line := range strings.Split(stdout, "\n") {
-		line = strings.TrimFunc(line, func(r rune) bool {
-			return r <= 32
-		})
-		if natListRegex.MatchString(line) {
-			match := natListRegex.FindStringSubmatch(line)
-			if !strings.Contains(match[13], ":") {
-				match[13] = fmt.Sprintf(":%s", match[13])
+	var datas []FireInfo
+	lines := strings.Split(stdout, "\n")
+
+	chainPortRegex := regexp.MustCompile(fmt.Sprintf(`-A\s+%s\s+(?:-s\s+(\S+)\s+)?-p\s+(\w+)(?:\s+-m\s+\w+)*\s+--dport\s+(\d+(?::\d+)?)\s+-j\s+(\w+)`, iptables.Chain1PanelBasic))
+	for _, line := range lines {
+		line = strings.TrimSpace(line)
+		if !strings.HasPrefix(line, fmt.Sprintf("-A %s", iptables.Chain1PanelBasic)) {
+			continue
+		}
+
+		if matches := chainPortRegex.FindStringSubmatch(line); len(matches) == 5 {
+			address := matches[1]
+			protocol := matches[2]
+			port := strings.ReplaceAll(matches[3], ":", "-")
+			action := strings.ToLower(matches[4])
+
+			strategy := "accept"
+			if action == "drop" || action == "reject" {
+				strategy = "drop"
 			}
-			forwardList = append(forwardList, IptablesNatInfo{
-				Num:         match[1],
-				Target:      match[4],
-				Protocol:    match[11],
-				InIface:     match[7],
-				OutIface:    match[8],
-				Opt:         match[6],
-				Source:      match[9],
-				Destination: match[10],
-				SrcPort:     match[12],
-				DestPort:    match[13],
+
+			datas = append(datas, FireInfo{
+				Address:  address,
+				Protocol: protocol,
+				Port:     port,
+				Strategy: strategy,
+				Family:   "ipv4",
 			})
 		}
 	}
 
-	return forwardList, nil
+	return datas, nil
 }
 
-func (iptables *Iptables) NatAdd(protocol, srcPort, dest, destPort, iface string, save bool) error {
-	if dest != "" && dest != "127.0.0.1" && dest != "localhost" {
-		iptablesArg := fmt.Sprintf("-A %s", PreRoutingChain)
-		if iface != "" {
-			iptablesArg += fmt.Sprintf(" -i %s", iface)
-		}
-		iptablesArg += fmt.Sprintf(" -p %s --dport %s -j DNAT --to-destination %s:%s", protocol, srcPort, dest, destPort)
-		if err := iptables.run(NatTab, iptablesArg); err != nil {
-			return err
-		}
+func (i *Iptables) ListAddress() ([]FireInfo, error) {
+	stdout, err := iptables.RunWithStd(iptables.FilterTab, fmt.Sprintf("-S %s", iptables.Chain1PanelBasic))
+	if err != nil {
+		return nil, fmt.Errorf("failed to list 1PANEL_BASIC address rules: %w", err)
+	}
 
-		if err := iptables.run(NatTab, fmt.Sprintf(
-			"-A %s -d %s -p %s --dport %s -j MASQUERADE",
-			PostRoutingChain,
-			dest,
-			protocol,
-			destPort,
-		)); err != nil {
-			return err
-		}
+	var datas []FireInfo
+	lines := strings.Split(stdout, "\n")
+	addressMap := make(map[string]FireInfo)
 
-		if err := iptables.run(FilterTab, fmt.Sprintf(
-			"-A %s -d %s -p %s --dport %s -j ACCEPT",
-			ForwardChain,
-			dest,
-			protocol,
-			destPort,
-		)); err != nil {
-			return err
-		}
+	chainAddressRegex := regexp.MustCompile(fmt.Sprintf(`-A\s+%s\s+(?:-s\s+(\S+)|(?:-d\s+(\S+)))?\s+-j\s+(\w+)`, iptables.Chain1PanelBasic))
 
-		if err := iptables.run(FilterTab, fmt.Sprintf(
-			"-A %s -s %s -p %s --sport %s -j ACCEPT",
-			ForwardChain,
-			dest,
-			protocol,
-			destPort,
-		)); err != nil {
-			return err
-		}
-	} else {
-		iptablesArg := fmt.Sprintf("-A %s", PreRoutingChain)
-		if iface != "" {
-			iptablesArg += fmt.Sprintf(" -i %s", iface)
+	for _, line := range lines {
+		line = strings.TrimSpace(line)
+		if !strings.HasPrefix(line, fmt.Sprintf("-A %s", iptables.Chain1PanelBasic)) {
+			continue
 		}
-		iptablesArg += fmt.Sprintf(" -p %s --dport %s -j REDIRECT --to-port %s", protocol, srcPort, destPort)
-		if err := iptables.run(NatTab, iptablesArg); err != nil {
-			return err
+
+		if matches := chainAddressRegex.FindStringSubmatch(line); len(matches) >= 4 {
+			address := matches[1]
+			if address == "" {
+				address = matches[2]
+			}
+			if address == "" {
+				continue
+			}
+			action := strings.ToLower(matches[3])
+
+			strategy := "accept"
+			if action == "drop" || action == "reject" {
+				strategy = "drop"
+			}
+
+			if _, exists := addressMap[address]; !exists {
+				addressMap[address] = FireInfo{
+					Address:  address,
+					Strategy: strategy,
+					Family:   "ipv4",
+				}
+			}
 		}
 	}
 
-	if save {
-		return global.DB.Save(&model.Forward{
-			Protocol:   protocol,
-			Port:       srcPort,
-			TargetIP:   dest,
-			TargetPort: destPort,
-			Interface:  iface,
-		}).Error
+	for _, info := range addressMap {
+		datas = append(datas, info)
 	}
-	return nil
+
+	return datas, nil
 }
 
-func (iptables *Iptables) NatRemove(num string, protocol, srcPort, dest, destPort, iface string) error {
-	if err := iptables.run(NatTab, fmt.Sprintf("-D %s %s", PreRoutingChain, num)); err != nil {
+func (i *Iptables) Port(port FireInfo, operation string) error {
+	if operation != "add" && operation != "remove" {
+		return buserr.New("ErrCmdIllegal")
+	}
+
+	portSpec, err := normalizePortSpec(port.Port)
+	if err != nil {
 		return err
 	}
 
-	if dest != "" && dest != "127.0.0.1" && dest != "localhost" {
-		if err := iptables.run(NatTab, fmt.Sprintf(
-			"-D %s -d %s -p %s --dport %s -j MASQUERADE",
-			PostRoutingChain,
-			dest,
-			protocol,
-			destPort,
-		)); err != nil {
-			return err
-		}
+	protocol := port.Protocol
+	if protocol == "" {
+		protocol = "tcp"
+	}
 
-		if err := iptables.run(FilterTab, fmt.Sprintf(
-			"-D %s -d %s -p %s --dport %s -j ACCEPT",
-			ForwardChain,
-			dest,
-			protocol,
-			destPort,
-		)); err != nil {
+	action := "ACCEPT"
+	if port.Strategy == "drop" {
+		action = "DROP"
+	}
+
+	ruleArgs := []string{fmt.Sprintf("-p %s", protocol)}
+	if protocol == "tcp" || protocol == "udp" {
+		ruleArgs = append(ruleArgs, fmt.Sprintf("-m %s", protocol))
+	}
+	ruleArgs = append(ruleArgs, fmt.Sprintf("--dport %s", portSpec), fmt.Sprintf("-j %s", action))
+	ruleSpec := strings.Join(ruleArgs, " ")
+	if operation == "add" {
+		if err := iptables.AddRule(iptables.FilterTab, iptables.Chain1PanelBasic, ruleSpec); err != nil {
 			return err
 		}
-
-		if err := iptables.run(FilterTab, fmt.Sprintf(
-			"-D %s -s %s -p %s --sport %s -j ACCEPT",
-			ForwardChain,
-			dest,
-			protocol,
-			destPort,
-		)); err != nil {
+	} else {
+		if err := iptables.DeleteRule(iptables.FilterTab, iptables.Chain1PanelBasic, ruleSpec); err != nil {
 			return err
 		}
 	}
 
-	global.DB.Where(
-		"protocol = ? AND port = ? AND target_ip = ? AND target_port = ? AND (interface = ? OR (interface IS NULL AND ? = ''))",
-		protocol,
-		srcPort,
-		dest,
-		destPort,
-		iface,
-		iface,
-	).Delete(&model.Forward{})
+	if err := iptables.SaveRulesToFile(iptables.FilterTab, iptables.Chain1PanelBasic, iptables.BasicFileName); err != nil {
+		global.LOG.Errorf("persistence for %s failed, err: %v", iptables.Chain1PanelBasic, err)
+	}
 	return nil
 }
 
-func (iptables *Iptables) AddPolicy(chain string, policy IptablesPolicy) error {
-	iptablesArg := fmt.Sprintf("-A %s", chain)
-	if policy.Protocol != "" {
-		iptablesArg += fmt.Sprintf(" -p %s", policy.Protocol)
-	}
-	if policy.SrcPort != 0 {
-		iptablesArg += fmt.Sprintf(" --sport %d", policy.SrcPort)
-	}
-	if policy.DstPort != 0 {
-		iptablesArg += fmt.Sprintf(" --dport %d", policy.DstPort)
+func (i *Iptables) RichRules(rule FireInfo, operation string) error {
+	if operation != "add" && operation != "remove" {
+		return buserr.New("ErrCmdIllegal")
 	}
-	if policy.SourceIP != "" {
-		iptablesArg += fmt.Sprintf(" -s %s", policy.SourceIP)
-	}
-	if policy.DestIP != "" {
-		iptablesArg += fmt.Sprintf(" -d %s", policy.DestIP)
+
+	address := strings.TrimSpace(rule.Address)
+	if strings.EqualFold(address, "Anywhere") {
+		address = ""
 	}
-	iptablesArg += fmt.Sprintf(" -j %s", policy.Action)
-	iptablesArg += fmt.Sprintf(" -m comment --comment \"%s\"", policy.Comment)
 
-	return iptables.run(FilterTab, iptablesArg)
-}
+	action := "ACCEPT"
+	if rule.Strategy == "drop" {
+		action = "DROP"
+	}
 
-func (iptables *Iptables) Reload() error {
-	if err := iptables.run(NatTab, "-F "+PreRoutingChain); err != nil {
-		return err
+	var ruleArgs []string
+	if address != "" {
+		ruleArgs = append(ruleArgs, fmt.Sprintf("-s %s", address))
 	}
-	if err := iptables.run(NatTab, "-F "+PostRoutingChain); err != nil {
-		return err
+
+	protocol := strings.TrimSpace(rule.Protocol)
+	if rule.Port != "" && protocol == "" {
+		protocol = "tcp"
 	}
-	if err := iptables.run(FilterTab, "-F "+ForwardChain); err != nil {
-		return err
+
+	if protocol != "" {
+		ruleArgs = append(ruleArgs, fmt.Sprintf("-p %s", protocol))
 	}
 
-	var rules []model.Forward
-	global.DB.Find(&rules)
-	for _, forward := range rules {
-		if err := iptables.NatAdd(forward.Protocol, forward.Port, forward.TargetIP, forward.TargetPort, forward.Interface, false); err != nil {
+	if rule.Port != "" {
+		portSegment, err := normalizePortSpec(rule.Port)
+		if err != nil {
 			return err
 		}
-	}
-	return nil
-}
-
-// iptables filter 解析
-func (iptables *Iptables) ReadFilter(chainName []string) (map[string]IptablesChain, error) {
-	// iptables -S
-	cmdMgr := cmd.NewCommandMgr(cmd.WithIgnoreExist1(), cmd.WithTimeout(20*time.Second))
-	stdout, err := cmdMgr.RunWithStdoutBashCf("%s iptables -S", iptables.CmdStr)
-	if err != nil {
-		global.LOG.Errorf("iptables failed, %v", err)
-	}
-	// 解析内容
-	chains := make(map[string]IptablesChain)
-	for _, line := range strings.Split(stdout, "\n") {
-		line = strings.TrimSpace(line)
-		if strings.HasPrefix(line, "-P") || strings.HasPrefix(line, "-A") {
-			parts := strings.SplitN(line, " ", 3)
-			chain := parts[1]
-			if len(chainName) > 0 {
-				found := false
-				for _, name := range chainName {
-					if chain == name {
-						found = true
-						break
-					}
-				}
-				if !found {
-					continue
-				}
-			}
-			if _, exists := chains[chain]; !exists {
-				chains[chain] = IptablesChain{
-					Name: chain,
-				}
-			}
-			chainStruct := chains[chain]
-			if err := chainStruct.ParseLine(line); err != nil {
-				return nil, err
-			}
-			chains[chain] = chainStruct
+		if protocol == "" {
+			return fmt.Errorf("protocol is required when specifying a port")
 		}
-	}
-	return chains, nil
-}
-
-// RemovePolicyByComment 按 comment 删除规则
-func (iptables *Iptables) RemovePolicyByComment(chain, comment string) error {
-	stdout, err := iptables.out(FilterTab, fmt.Sprintf("-S %s", chain))
-	if err != nil {
-		return fmt.Errorf("failed to list rules in chain %s: %w", chain, err)
+		if protocol == "tcp" || protocol == "udp" {
+			ruleArgs = append(ruleArgs, fmt.Sprintf("-m %s", protocol))
+		}
+		ruleArgs = append(ruleArgs, fmt.Sprintf("--dport %s", portSegment))
 	}
 
-	// 解析规则找到匹配 comment 的行
-	lines := strings.Split(stdout, "\n")
-	found := false
-	for _, line := range lines {
-		if strings.Contains(line, comment) && strings.HasPrefix(line, "-A") {
-			// 替换 -A 为 -D 执行删除
-			deleteRule := strings.Replace(line, "-A", "-D", 1)
-			if err := iptables.run(FilterTab, deleteRule); err != nil {
-				return fmt.Errorf("failed to delete rule: %w", err)
-			}
-			found = true
-			break
+	ruleArgs = append(ruleArgs, fmt.Sprintf("-j %s", action))
+	ruleSpec := strings.Join(ruleArgs, " ")
+	if operation == "add" {
+		if err := iptables.AddRule(iptables.FilterTab, iptables.Chain1PanelBasic, ruleSpec); err != nil {
+			return err
+		}
+	} else {
+		if err := iptables.DeleteRule(iptables.FilterTab, iptables.Chain1PanelBasic, ruleSpec); err != nil {
+			return err
 		}
 	}
-	if !found {
-		return fmt.Errorf("rule with comment '%s' not found in chain %s", comment, chain)
+
+	if err := iptables.SaveRulesToFile(iptables.FilterTab, iptables.Chain1PanelBasic, iptables.BasicFileName); err != nil {
+		global.LOG.Errorf("persistence for %s failed, err: %v", iptables.Chain1PanelBasic, err)
 	}
 	return nil
 }
 
-// RemovePolicyByNum 按规则编号删除
-func (iptables *Iptables) RemovePolicyByNum(chain string, num int) error {
-	return iptables.run(FilterTab, fmt.Sprintf("-D %s %d", chain, num))
+func (i *Iptables) PortForward(info Forward, operation string) error {
+	return iptablesPortForward(info, operation)
 }
 
-// FindRuleNum 查找规则编号（返回第一个匹配的行号）
-func (iptables *Iptables) FindRuleNum(chain, matchStr string) (int, error) {
-	stdout, err := iptables.out(FilterTab, fmt.Sprintf("-L %s --line-numbers -n", chain))
-	if err != nil {
-		return 0, fmt.Errorf("failed to list rules in chain %s: %w", chain, err)
-	}
+func (i *Iptables) EnableForward() error {
+	return EnableIptablesForward()
+}
 
-	lines := strings.Split(stdout, "\n")
-	for _, line := range lines {
-		if strings.Contains(line, matchStr) {
-			// 提取行号（第一列）
-			fields := strings.Fields(line)
-			if len(fields) > 0 {
-				var ruleNum int
-				n, err := fmt.Sscanf(fields[0], "%d", &ruleNum)
-				if err == nil && n == 1 && ruleNum > 0 {
-					return ruleNum, nil
-				}
-			}
-		}
-	}
-	return 0, fmt.Errorf("rule matching '%s' not found in chain %s", matchStr, chain)
+func (i *Iptables) ListForward() ([]FireInfo, error) {
+	return iptablesListForward()
 }
 
-// ChainExists 检查链是否存在
-func (iptables *Iptables) ChainExists(tab, chain string) (bool, error) {
-	// iptables -t filter -S | grep 'N 1PANEL'
-	stdout, err := iptables.out(tab, fmt.Sprintf("-S | grep -w 'N %s'", chain))
-	// grep 未找到会返回错误，这是正常情况
-	if err != nil && strings.TrimSpace(stdout) == "" {
-		return false, nil
-	}
-	if strings.TrimSpace(stdout) == "" {
-		return false, nil
+func EnableIptablesForward() error {
+	if err := cmd.RunDefaultBashC("echo 1 > /proc/sys/net/ipv4/ip_forward"); err != nil {
+		return fmt.Errorf("failed to enable IP forwarding: %w", err)
 	}
-	return true, nil
-}
+	_ = cmd.RunDefaultBashC("grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf")
+	_ = cmd.RunDefaultBashC("sysctl -p")
 
-// ensureChain creates a chain if it doesn't exist
-func (iptables *Iptables) ensureChain(tab, chain string) error {
-	exists, err := iptables.ChainExists(tab, chain)
-	if err != nil {
-		return fmt.Errorf("failed to check chain %s: %w", chain, err)
+	if err := iptables.AddChainWithAppend(iptables.NatTab, "PREROUTING", iptables.Chain1PanelPreRouting); err != nil {
+		return err
 	}
-	if !exists {
-		if err := iptables.NewChain(tab, chain); err != nil {
-			return fmt.Errorf("failed to create chain %s: %w", chain, err)
-		}
+	if err := iptables.AddChainWithAppend(iptables.NatTab, "POSTROUTING", iptables.Chain1PanelPostRouting); err != nil {
+		return err
 	}
-	return nil
-}
-
-// ensureJumpRule adds a jump rule to targetChain at specified position if it doesn't exist
-func (iptables *Iptables) ensureJumpRule(chain, targetChain string, position int) error {
-	if !iptables.CheckPolicyExists(chain, fmt.Sprintf("-j %s", targetChain)) {
-		return iptables.run(FilterTab, fmt.Sprintf("-I %s %d -j %s", chain, position, targetChain))
+	if err := iptables.AddChainWithAppend(iptables.FilterTab, "FORWARD", iptables.Chain1PanelForward); err != nil {
+		return err
 	}
+
 	return nil
 }
 
-// ensureChainWithJump creates a custom chain and adds jump rule from parent chain if not exists
-func (iptables *Iptables) ensureChainWithJump(tab, parentChain, customChain string) error {
-	// Ensure custom chain exists
-	exists, err := iptables.ChainExists(tab, customChain)
-	if err != nil {
-		return fmt.Errorf("failed to check chain %s: %w", customChain, err)
+func iptablesPortForward(info Forward, operation string) error {
+	if operation != "add" && operation != "remove" {
+		return buserr.New("ErrCmdIllegal")
 	}
-	if !exists {
-		if err := iptables.NewChain(tab, customChain); err != nil {
-			return fmt.Errorf("failed to create chain %s: %w", customChain, err)
-		}
-		// Add jump rule from parent chain
-		if err := iptables.AppendChain(tab, parentChain, customChain); err != nil {
-			return fmt.Errorf("failed to append %s to %s: %w", customChain, parentChain, err)
+	if info.Protocol == "" || info.Port == "" || info.TargetPort == "" {
+		return fmt.Errorf("protocol, port, and target port are required")
+	}
+	if operation == "add" {
+		if err := iptables.AddForward(info.Protocol, info.Port, info.TargetIP, info.TargetPort, info.Interface, true); err != nil {
+			return err
 		}
+		forwardPersistence()
+	}
+	natList, err := iptables.ListForward(iptables.Chain1PanelPreRouting)
+	if err != nil {
+		return fmt.Errorf("failed to list NAT rules: %w", err)
 	}
-	return nil
-}
 
-// FlushChain 清空链（保留链结构）
-func (iptables *Iptables) FlushChain(tab, chain string) error {
-	return iptables.run(tab, fmt.Sprintf("-F %s", chain))
-}
+	for _, nat := range natList {
+		if nat.Protocol == info.Protocol &&
+			strings.TrimPrefix(nat.SrcPort, ":") == info.Port &&
+			strings.TrimPrefix(nat.DestPort, ":") == info.TargetPort {
+			targetIP := info.TargetIP
+			if targetIP == "" {
+				targetIP = "127.0.0.1"
+			}
 
-// DeletePolicy 删除指定策略规则
-func (iptables *Iptables) DeletePolicy(chain string, policy IptablesPolicy) error {
-	iptablesArg := fmt.Sprintf("-D %s", chain)
-	if policy.Protocol != "" {
-		iptablesArg += fmt.Sprintf(" -p %s", policy.Protocol)
-	}
-	if policy.SrcPort != 0 {
-		iptablesArg += fmt.Sprintf(" --sport %d", policy.SrcPort)
+			if err := iptables.DeleteForward(nat.Num, info.Protocol, info.Port, targetIP, info.TargetPort, info.Interface); err != nil {
+				return err
+			}
+			forwardPersistence()
+		}
 	}
-	if policy.DstPort != 0 {
-		iptablesArg += fmt.Sprintf(" --dport %d", policy.DstPort)
+	return fmt.Errorf("forward rule not found")
+}
+
+func forwardPersistence() {
+	if err := iptables.SaveRulesToFile(iptables.FilterTab, iptables.Chain1PanelForward, iptables.ForwardFileName); err != nil {
+		global.LOG.Errorf("persistence for %s failed, err: %v", iptables.Chain1PanelForward, err)
 	}
-	if policy.SourceIP != "" {
-		iptablesArg += fmt.Sprintf(" -s %s", policy.SourceIP)
+	if err := iptables.SaveRulesToFile(iptables.NatTab, iptables.Chain1PanelPreRouting, iptables.ForwardFileName1); err != nil {
+		global.LOG.Errorf("persistence for %s failed, err: %v", iptables.Chain1PanelPreRouting, err)
 	}
-	if policy.DestIP != "" {
-		iptablesArg += fmt.Sprintf(" -d %s", policy.DestIP)
+	if err := iptables.SaveRulesToFile(iptables.NatTab, iptables.Chain1PanelPostRouting, iptables.ForwardFileName2); err != nil {
+		global.LOG.Errorf("persistence for %s failed, err: %v", iptables.Chain1PanelPostRouting, err)
 	}
-	iptablesArg += fmt.Sprintf(" -j %s", policy.Action)
-	if policy.Comment != "" {
-		iptablesArg += fmt.Sprintf(" -m comment --comment \"%s\"", policy.Comment)
+}
+
+func iptablesListForward() ([]FireInfo, error) {
+	natList, err := iptables.ListForward(iptables.Chain1PanelPreRouting)
+	if err != nil {
+		return nil, fmt.Errorf("failed to list NAT rules: %w", err)
+	}
+
+	var datas []FireInfo
+	for _, nat := range natList {
+		datas = append(datas, FireInfo{
+			Num:        nat.Num,
+			Protocol:   nat.Protocol,
+			Port:       strings.TrimPrefix(nat.SrcPort, ":"),
+			TargetIP:   nat.Destination,
+			TargetPort: strings.TrimPrefix(nat.DestPort, ":"),
+			Interface:  nat.InIface,
+		})
 	}
 
-	return iptables.run(FilterTab, iptablesArg)
+	return datas, nil
 }
 
-// CheckPolicyExists 检查策略是否存在
-func (iptables *Iptables) CheckPolicyExists(chain string, policyStr string) bool {
-	line, err := iptables.FindRuleNum(chain, policyStr)
+func parsePort(portStr string) (int, error) {
+	port, err := strconv.Atoi(portStr)
 	if err != nil {
-		return false
+		return 0, fmt.Errorf("invalid port number: %s", portStr)
 	}
-	if line > 0 {
-		return true
+	if port < 1 || port > 65535 {
+		return 0, fmt.Errorf("port out of range: %d", port)
 	}
-	return false
+	return port, nil
 }
 
-const (
-	establishedRule        = "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment \"ESTABLISHED Whitelist\""
-	ioRuleIn               = "-i lo -j ACCEPT -m comment --comment \"Loopback Whitelist\""
-	ioRuleOut              = "-o lo -j ACCEPT -m comment --comment \"Loopback Whitelist\""
-	establishedRuleComment = "ESTABLISHED Whitelist"
-	ioRuleInComment        = "Loopback Whitelist"
-	ioRuleOutComment       = "Loopback Whitelist"
-)
-
-func (iptables *Iptables) setupEstablishedRules(direction string) {
-	if direction == "input" {
-		if !iptables.CheckPolicyExists("INPUT", ioRuleInComment) {
-			iptables.run(FilterTab, fmt.Sprintf("-I INPUT 1 %s", ioRuleIn))
-		}
-
-		if !iptables.CheckPolicyExists("INPUT", establishedRuleComment) {
-			iptables.run(FilterTab, fmt.Sprintf("-I INPUT 2 %s", establishedRule))
-		}
+func normalizePortSpec(port string) (string, error) {
+	value := strings.TrimSpace(port)
+	if value == "" {
+		return "", fmt.Errorf("port is required")
 	}
 
-	if direction == "output" {
-		if !iptables.CheckPolicyExists("OUTPUT", ioRuleOutComment) {
-			iptables.run(FilterTab, fmt.Sprintf("-I OUTPUT 1 %s", ioRuleOut))
-		}
-		if !iptables.CheckPolicyExists("OUTPUT", establishedRuleComment) {
-			iptables.run(FilterTab, fmt.Sprintf("-I OUTPUT 2 %s", establishedRule))
-		}
+	separator := ""
+	if strings.Contains(value, "-") {
+		separator = "-"
+	} else if strings.Contains(value, ":") {
+		separator = ":"
 	}
-}
-
-func (iptables *Iptables) Setup1PanelFirewallChains(direction string) error {
-	iptables.setupEstablishedRules(direction)
 
-	if direction == "input" {
-		// Ensure custom chains exist
-		if err := iptables.ensureChain(FilterTab, Chain1PanelInput); err != nil {
-			return err
+	if separator != "" {
+		parts := strings.Split(value, separator)
+		if len(parts) != 2 {
+			return "", fmt.Errorf("invalid port range: %s", port)
 		}
-		if err := iptables.ensureChain(FilterTab, Chain1PanelBasic); err != nil {
-			return err
+		start, err := parsePort(strings.TrimSpace(parts[0]))
+		if err != nil {
+			return "", err
 		}
-
-		// Add jump rules to INPUT chain
-		if err := iptables.ensureJumpRule(ChainInput, Chain1PanelInput, 3); err != nil {
-			return err
+		end, err := parsePort(strings.TrimSpace(parts[1]))
+		if err != nil {
+			return "", err
 		}
-		if err := iptables.ensureJumpRule(ChainInput, Chain1PanelBasic, 4); err != nil {
-			return err
-		}
-	} else if direction == "output" {
-		// Ensure custom chain exists
-		if err := iptables.ensureChain(FilterTab, Chain1PanelOutput); err != nil {
-			return err
+		if start > end {
+			return "", fmt.Errorf("invalid port range: %d-%d", start, end)
 		}
+		return fmt.Sprintf("%d:%d", start, end), nil
+	}
 
-		// Add jump rule to OUTPUT chain
-		if err := iptables.ensureJumpRule(ChainOutput, Chain1PanelOutput, 3); err != nil {
-			return err
-		}
+	single, err := parsePort(value)
+	if err != nil {
+		return "", err
 	}
-	return nil
+	return fmt.Sprintf("%d", single), nil
 }
diff --git a/agent/utils/firewall/client/iptables/common.go b/agent/utils/firewall/client/iptables/common.go
new file mode 100644
index 000000000000..742c0f1cc1d7
--- /dev/null
+++ b/agent/utils/firewall/client/iptables/common.go
@@ -0,0 +1,198 @@
+package iptables
+
+import (
+	"fmt"
+	"regexp"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/1Panel-dev/1Panel/agent/global"
+	"github.com/1Panel-dev/1Panel/agent/utils/cmd"
+)
+
+const (
+	Chain1PanelPreRouting  = "1PANEL_PREROUTING"
+	Chain1PanelPostRouting = "1PANEL_POSTROUTING"
+	Chain1PanelForward     = "1PANEL_FORWARD"
+	ChainInput             = "INPUT"
+	ChainOutput            = "OUTPUT"
+	Chain1PanelInput       = "1PANEL_INPUT"
+	Chain1PanelOutput      = "1PANEL_OUTPUT"
+	Chain1PanelBasicBefore = "1PANEL_BASIC_BEFORE"
+	Chain1PanelBasic       = "1PANEL_BASIC"
+	Chain1PanelBasicAfter  = "1PANEL_BASIC_AFTER"
+)
+
+const (
+	EstablishedRule = "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment 'ESTABLISHED Whitelist'"
+	IoRuleIn        = "-i lo -j ACCEPT -m comment --comment 'Loopback Whitelist'"
+	DropAll         = "-j DROP"
+	AllowSSH        = "-p tcp --dport ssh -j ACCEPT"
+)
+
+var (
+	natListRegex = regexp.MustCompile(`^(\d+)\s+(.+?)\s+(.+?)\s+(.+?)\s+(.+?)\s+(.+?)\s+(.+?)\s+(.+?)\s+(.+?)\s+(.+?)(?:\s+(.+?) .+?:(\d{1,5}(?::\d+)?).+?[ :](.+-.+|(?:.+:)?\d{1,5}(?:-\d{1,5})?))?$`)
+)
+
+const (
+	ACCEPT   = "ACCEPT"
+	DROP     = "DROP"
+	REJECT   = "REJECT"
+	ANYWHERE = "anywhere"
+)
+
+const (
+	FilterTab = "filter"
+	NatTab    = "nat"
+)
+
+func RunWithStd(tab, rule string) (string, error) {
+	cmdMgr := cmd.NewCommandMgr(cmd.WithIgnoreExist1(), cmd.WithTimeout(20*time.Second))
+	stdout, err := cmdMgr.RunWithStdoutBashCf("%s iptables -t %s %s", cmd.SudoHandleCmd(), tab, rule)
+	if err != nil {
+		global.LOG.Errorf("iptables command failed [table=%s, rule=%s]: %v", tab, rule, err)
+		return stdout, err
+	}
+	return stdout, nil
+}
+func RunWithoutIgnrore(tab, rule string) (string, error) {
+	cmdMgr := cmd.NewCommandMgr(cmd.WithTimeout(20 * time.Second))
+	stdout, err := cmdMgr.RunWithStdoutBashCf("%s iptables -t %s %s", cmd.SudoHandleCmd(), tab, rule)
+	if err != nil {
+		return stdout, err
+	}
+	return stdout, nil
+}
+func Run(tab, rule string) error {
+	if _, err := RunWithStd(tab, rule); err != nil {
+		return err
+	}
+	return nil
+}
+
+func NewChain(tab, chain string) error {
+	return Run(tab, "-N "+chain)
+}
+
+func ClearChain(tab, chain string) error {
+	return Run(tab, "-F "+chain)
+}
+
+func AddRule(tab, chain, rule string) error {
+	if CheckRuleExist(tab, chain, rule) {
+		return nil
+	}
+	return Run(tab, fmt.Sprintf("-A %s %s", chain, rule))
+}
+func DeleteRule(tab, chain, rule string) error {
+	return Run(tab, fmt.Sprintf("-D %s %s", chain, rule))
+}
+
+func CheckChainExist(tab, chain string) (bool, error) {
+	stdout, err := RunWithStd(tab, fmt.Sprintf("-S | grep -w 'N %s'", chain))
+	if err != nil {
+		global.LOG.Errorf("check chain %s from tab %s exist failed, err: %v", chain, tab, err)
+		return false, fmt.Errorf("check chain %s from tab %s exist failed, err: %v", chain, tab, err)
+	}
+	if strings.TrimSpace(stdout) == "" {
+		return false, nil
+	}
+	return true, nil
+}
+func CheckChainBind(tab, parentChain, chain string) (bool, error) {
+	stdout, err := RunWithStd(tab, fmt.Sprintf("-L %s | grep -w %s", parentChain, chain))
+	if err != nil {
+		global.LOG.Errorf("check chain %s from tab %s is bind to %s failed, err: %v", chain, tab, parentChain, err)
+		return false, fmt.Errorf("check chain %s from tab %s is bind to %s failed, err: %v", chain, tab, parentChain, err)
+	}
+	if strings.TrimSpace(stdout) == "" {
+		return false, nil
+	}
+	return true, nil
+}
+func CheckRuleExist(tab, chain, rule string) bool {
+	_, err := RunWithoutIgnrore(tab, fmt.Sprintf("-C %s %s", chain, rule))
+	return err == nil
+}
+
+func AddChain(tab, chain string) error {
+	exists, err := CheckChainExist(tab, chain)
+	if err != nil {
+		return fmt.Errorf("check chain %s exist from tab %s failed, err: %w", chain, tab, err)
+	}
+	if !exists {
+		if err := NewChain(tab, chain); err != nil {
+			return fmt.Errorf("add chain %s for tab %s failed, err: %w", tab, chain, err)
+		}
+	}
+	return nil
+}
+func BindChain(tab, targetChain, chain string, position int) error {
+	line, err := FindChainNum(tab, targetChain, chain)
+	if err != nil {
+		return fmt.Errorf("find chain %s number from %s failed, err: %w", chain, targetChain, err)
+	}
+	if line == 0 {
+		if err := Run(tab, fmt.Sprintf("-I %s %d -j %s", targetChain, position, chain)); err != nil {
+			return fmt.Errorf("bind chain %s to %s failed, err: %w", chain, targetChain, err)
+		}
+	}
+	return nil
+}
+func UnbindChain(tab, targetChain, chain string) error {
+	line, err := FindChainNum(tab, targetChain, chain)
+	if err != nil {
+		return fmt.Errorf("find chain %s number from %s failed, err: %w", chain, targetChain, err)
+	}
+	if line != 0 {
+		return Run(tab, fmt.Sprintf("-D %s %v", targetChain, line))
+	}
+	return nil
+}
+
+func FindChainNum(tab, targetChain, chain string) (int, error) {
+	stdout, err := RunWithStd(tab, fmt.Sprintf("-L %s --line-numbers -n | grep -w %s", targetChain, chain))
+	if err != nil {
+		return 0, fmt.Errorf("failed to list rules in chain %s: %w", targetChain, err)
+	}
+
+	lineItem := strings.TrimSpace(stdout)
+	lines := strings.Split(lineItem, "\n")
+	for _, line := range lines {
+		fields := strings.Fields(line)
+		if len(fields) < 2 {
+			continue
+		}
+		if fields[1] == chain {
+			itemNum, err := strconv.Atoi(fields[0])
+			return itemNum, err
+		}
+	}
+	return 0, nil
+}
+
+func AddChainWithAppend(tab, parentChain, chain string) error {
+	exists, err := CheckChainExist(tab, chain)
+	if err != nil {
+		return fmt.Errorf("failed to check chain %s: %w", chain, err)
+	}
+	if !exists {
+		if err := NewChain(tab, chain); err != nil {
+			return fmt.Errorf("failed to create chain %s: %w", chain, err)
+		}
+	}
+	isBind, err := CheckChainBind(tab, parentChain, chain)
+	if err != nil {
+		return fmt.Errorf("check chain %s bind to %s failed, err: %w", parentChain, chain, err)
+	}
+	if !isBind {
+		if err := AppendChain(tab, parentChain, chain); err != nil {
+			return fmt.Errorf("failed to append %s to %s: %w", chain, parentChain, err)
+		}
+	}
+	return nil
+}
+func AppendChain(tab string, parentChain, chain string) error {
+	return Run(tab, fmt.Sprintf("-A %s -j %s", parentChain, chain))
+}
diff --git a/agent/utils/firewall/client/iptables/filter.go b/agent/utils/firewall/client/iptables/filter.go
new file mode 100644
index 000000000000..f476350984d3
--- /dev/null
+++ b/agent/utils/firewall/client/iptables/filter.go
@@ -0,0 +1,132 @@
+package iptables
+
+import (
+	"fmt"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/1Panel-dev/1Panel/agent/utils/cmd"
+)
+
+type FilterRules struct {
+	ID          uint   `json:"id"`
+	Protocol    string `json:"protocol"`
+	SrcPort     uint   `json:"srcPort"`
+	DstPort     uint   `json:"dstPort"`
+	SrcIP       string `json:"srcIP"`
+	DstIP       string `json:"dstIP"`
+	Strategy    string `json:"strategy"`
+	Description string `json:"description"`
+}
+
+func AddFilterRule(chain string, policy FilterRules) error {
+	iptablesArg := fmt.Sprintf("-A %s", chain)
+	if policy.Protocol != "" {
+		iptablesArg += fmt.Sprintf(" -p %s", policy.Protocol)
+	}
+	if policy.SrcPort != 0 {
+		iptablesArg += fmt.Sprintf(" --sport %d", policy.SrcPort)
+	}
+	if policy.DstPort != 0 {
+		iptablesArg += fmt.Sprintf(" --dport %d", policy.DstPort)
+	}
+	if policy.SrcIP != "" {
+		iptablesArg += fmt.Sprintf(" -s %s", policy.SrcIP)
+	}
+	if policy.DstIP != "" {
+		iptablesArg += fmt.Sprintf(" -d %s", policy.DstIP)
+	}
+	iptablesArg += fmt.Sprintf(" -j %s", policy.Strategy)
+
+	return Run(FilterTab, iptablesArg)
+}
+
+func DeleteFilterRule(chain string, policy FilterRules) error {
+	iptablesArg := fmt.Sprintf("-D %s", chain)
+	if policy.Protocol != "" {
+		iptablesArg += fmt.Sprintf(" -p %s", policy.Protocol)
+	}
+	if policy.SrcPort != 0 {
+		iptablesArg += fmt.Sprintf(" --sport %d", policy.SrcPort)
+	}
+	if policy.DstPort != 0 {
+		iptablesArg += fmt.Sprintf(" --dport %d", policy.DstPort)
+	}
+	if policy.SrcIP != "" {
+		iptablesArg += fmt.Sprintf(" -s %s", policy.SrcIP)
+	}
+	if policy.DstIP != "" {
+		iptablesArg += fmt.Sprintf(" -d %s", policy.DstIP)
+	}
+	iptablesArg += fmt.Sprintf(" -j %s", policy.Strategy)
+
+	return Run(FilterTab, iptablesArg)
+}
+
+func ReadFilterRulesByChain(chain string) ([]FilterRules, error) {
+	var rules []FilterRules
+	cmdMgr := cmd.NewCommandMgr(cmd.WithIgnoreExist1(), cmd.WithTimeout(20*time.Second))
+	stdout, err := cmdMgr.RunWithStdoutBashCf("%s iptables -t %s -L %s", cmd.SudoHandleCmd(), FilterTab, chain)
+	if err != nil {
+		return rules, fmt.Errorf("load filter fules by chain %s failed, %v", chain, err)
+	}
+	lines := strings.Split(stdout, "\n")
+	for i := 0; i < len(lines); i++ {
+		fields := strings.Fields(lines[i])
+		if len(fields) < 7 {
+			continue
+		}
+		itemRule := FilterRules{
+			Protocol: fields[1],
+			SrcPort:  loadPort("src", fields[6]),
+			DstPort:  loadPort("dst", fields[6]),
+			SrcIP:    loadIP(fields[3]),
+			DstIP:    loadIP(fields[4]),
+			Strategy: fields[0],
+		}
+		rules = append(rules, itemRule)
+	}
+	return rules, nil
+}
+
+func LoadDefaultStrategy(chain string) (string, error) {
+	cmdMgr := cmd.NewCommandMgr(cmd.WithIgnoreExist1(), cmd.WithTimeout(20*time.Second))
+	stdout, err := cmdMgr.RunWithStdoutBashCf("%s iptables -t %s -L %s", cmd.SudoHandleCmd(), FilterTab, chain)
+	if err != nil {
+		return "", fmt.Errorf("load filter fules by chain %s failed, %v", chain, err)
+	}
+	lines := strings.Split(stdout, "\n")
+	for i := len(lines) - 1; i > 0; i-- {
+		fields := strings.Fields(lines[i])
+		if len(fields) < 5 {
+			continue
+		}
+		if fields[0] == "DROP" && fields[1] == "all" && fields[3] == ANYWHERE && fields[4] == ANYWHERE {
+			return DROP, nil
+		}
+	}
+	return ACCEPT, nil
+}
+
+func loadPort(position, portStr string) uint {
+	var portItem string
+	if strings.Contains(portStr, "spt:") && position == "src" {
+		portItem = strings.ReplaceAll(portStr, "spt:", "")
+	}
+	if strings.Contains(portStr, "dpt:") && position == "dst" {
+		portItem = strings.ReplaceAll(portStr, "dpt:", "")
+	}
+	if len(portItem) == 0 {
+		return 0
+	}
+	port, _ := strconv.Atoi(portItem)
+	return uint(port)
+}
+
+func loadIP(ipStr string) string {
+	if ipStr == ANYWHERE {
+		return ""
+	}
+	return ipStr
+}
diff --git a/agent/utils/firewall/client/iptables/forward.go b/agent/utils/firewall/client/iptables/forward.go
new file mode 100644
index 000000000000..bfb80ca0a31f
--- /dev/null
+++ b/agent/utils/firewall/client/iptables/forward.go
@@ -0,0 +1,112 @@
+package iptables
+
+import (
+	"fmt"
+	"strings"
+)
+
+func AddForward(protocol, srcPort, dest, destPort, iface string, save bool) error {
+	if dest != "" && dest != "127.0.0.1" && dest != "localhost" {
+		iptablesArg := fmt.Sprintf("-A %s", Chain1PanelPreRouting)
+		if iface != "" {
+			iptablesArg += fmt.Sprintf(" -i %s", iface)
+		}
+		iptablesArg += fmt.Sprintf(" -p %s --dport %s -j DNAT --to-destination %s:%s", protocol, srcPort, dest, destPort)
+		if err := Run(NatTab, iptablesArg); err != nil {
+			return err
+		}
+
+		if err := Run(NatTab, fmt.Sprintf("-A %s -d %s -p %s --dport %s -j MASQUERADE", Chain1PanelPostRouting, dest, protocol, destPort)); err != nil {
+			return err
+		}
+
+		if err := Run(FilterTab, fmt.Sprintf("-A %s -d %s -p %s --dport %s -j ACCEPT", Chain1PanelForward, dest, protocol, destPort)); err != nil {
+			return err
+		}
+
+		if err := Run(FilterTab, fmt.Sprintf("-A %s -s %s -p %s --sport %s -j ACCEPT", Chain1PanelForward, dest, protocol, destPort)); err != nil {
+			return err
+		}
+	} else {
+		iptablesArg := fmt.Sprintf("-A %s", Chain1PanelPreRouting)
+		if iface != "" {
+			iptablesArg += fmt.Sprintf(" -i %s", iface)
+		}
+		iptablesArg += fmt.Sprintf(" -p %s --dport %s -j REDIRECT --to-port %s", protocol, srcPort, destPort)
+		if err := Run(NatTab, iptablesArg); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func DeleteForward(num string, protocol, srcPort, dest, destPort, iface string) error {
+	if err := Run(NatTab, fmt.Sprintf("-D %s %s", Chain1PanelPreRouting, num)); err != nil {
+		return err
+	}
+
+	if dest != "" && dest != "127.0.0.1" && dest != "localhost" {
+		if err := Run(NatTab, fmt.Sprintf("-D %s -d %s -p %s --dport %s -j MASQUERADE", Chain1PanelPostRouting, dest, protocol, destPort)); err != nil {
+			return err
+		}
+
+		if err := Run(FilterTab, fmt.Sprintf("-D %s -d %s -p %s --dport %s -j ACCEPT", Chain1PanelForward, dest, protocol, destPort)); err != nil {
+			return err
+		}
+
+		if err := Run(FilterTab, fmt.Sprintf("-D %s -s %s -p %s --sport %s -j ACCEPT", Chain1PanelForward, dest, protocol, destPort)); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func ListForward(chain ...string) ([]IptablesNatInfo, error) {
+	if len(chain) == 0 {
+		chain = append(chain, Chain1PanelPreRouting)
+	}
+	stdout, err := RunWithStd(NatTab, fmt.Sprintf("-nvL %s --line-numbers", chain[0]))
+	if err != nil {
+		return nil, err
+	}
+
+	var forwardList []IptablesNatInfo
+	for _, line := range strings.Split(stdout, "\n") {
+		line = strings.TrimFunc(line, func(r rune) bool {
+			return r <= 32
+		})
+		if natListRegex.MatchString(line) {
+			match := natListRegex.FindStringSubmatch(line)
+			if !strings.Contains(match[13], ":") {
+				match[13] = fmt.Sprintf(":%s", match[13])
+			}
+			forwardList = append(forwardList, IptablesNatInfo{
+				Num:         match[1],
+				Target:      match[4],
+				Protocol:    match[11],
+				InIface:     match[7],
+				OutIface:    match[8],
+				Opt:         match[6],
+				Source:      match[9],
+				Destination: match[10],
+				SrcPort:     match[12],
+				DestPort:    match[13],
+			})
+		}
+	}
+
+	return forwardList, nil
+}
+
+type IptablesNatInfo struct {
+	Num         string `json:"num"`
+	Target      string `json:"target"`
+	Protocol    string `json:"protocol"`
+	InIface     string `json:"inIface"`
+	OutIface    string `json:"outIface"`
+	Opt         string `json:"opt"`
+	Source      string `json:"source"`
+	Destination string `json:"destination"`
+	SrcPort     string `json:"srcPort"`
+	DestPort    string `json:"destPort"`
+}
diff --git a/agent/utils/firewall/client/iptables/persistence.go b/agent/utils/firewall/client/iptables/persistence.go
new file mode 100644
index 000000000000..c2f0b7f2e5b6
--- /dev/null
+++ b/agent/utils/firewall/client/iptables/persistence.go
@@ -0,0 +1,103 @@
+package iptables
+
+import (
+	"bufio"
+	"fmt"
+	"os"
+	"path"
+	"strings"
+
+	"github.com/1Panel-dev/1Panel/agent/global"
+)
+
+const (
+	BasicFileName    = "1panel_basic.rules"
+	InputFileName    = "1panel_input.rules"
+	OutputFileName   = "1panel_out.rules"
+	ForwardFileName  = "1panel_forward.rules"
+	ForwardFileName1 = "1panel_forward_pre.rules"
+	ForwardFileName2 = "1panel_forward_post.rules"
+)
+
+func SaveRulesToFile(tab, chain, fileName string) error {
+	rulesFile := path.Join(global.Dir.FirewallDir, fileName)
+
+	stdout, err := RunWithStd(tab, fmt.Sprintf("-S %s", chain))
+	if err != nil {
+		return fmt.Errorf("failed to list %s rules: %w", chain, err)
+	}
+	var rules []string
+	lines := strings.Split(stdout, "\n")
+	for _, line := range lines {
+		line = strings.TrimSpace(line)
+		if strings.HasPrefix(line, fmt.Sprintf("-A %s", chain)) {
+			rules = append(rules, line)
+		}
+	}
+
+	file, err := os.Create(rulesFile)
+	if err != nil {
+		return fmt.Errorf("failed to create rules file: %w", err)
+	}
+	defer file.Close()
+
+	writer := bufio.NewWriter(file)
+	for _, rule := range rules {
+		_, err := writer.WriteString(rule + "\n")
+		if err != nil {
+			return fmt.Errorf("failed to write rule to file: %w", err)
+		}
+	}
+
+	if err := writer.Flush(); err != nil {
+		return fmt.Errorf("failed to flush rules to file: %w", err)
+	}
+
+	global.LOG.Infof("persistence rules to %s successful", rulesFile)
+	return nil
+}
+
+func LoadRulesFromFile(tab, chain, fileName string) error {
+	rulesFile := path.Join(global.Dir.FirewallDir, fileName)
+	if _, err := os.Stat(rulesFile); os.IsNotExist(err) {
+		return nil
+	}
+
+	file, err := os.Open(rulesFile)
+	if err != nil {
+		return fmt.Errorf("failed to open rules file: %w", err)
+	}
+	defer file.Close()
+
+	var rules []string
+	scanner := bufio.NewScanner(file)
+	for scanner.Scan() {
+		line := strings.TrimSpace(scanner.Text())
+		if line == "" || strings.HasPrefix(line, "#") {
+			continue
+		}
+		rules = append(rules, line)
+	}
+
+	if err := scanner.Err(); err != nil {
+		return fmt.Errorf("failed to read rules file: %w", err)
+	}
+
+	if err := ClearChain(tab, chain); err != nil {
+		global.LOG.Warnf("Failed to clear existing rules from %s: %v", chain, err)
+	}
+
+	appliedCount := 0
+	for _, rule := range rules {
+		if strings.HasPrefix(rule, fmt.Sprintf("-A %s", chain)) {
+			ruleArgs := strings.TrimPrefix(rule, "-A ")
+			if err := Run(tab, "-A "+ruleArgs); err != nil {
+				global.LOG.Errorf("Failed to apply rule '%s': %v", rule, err)
+				continue
+			}
+			appliedCount++
+		}
+	}
+
+	return nil
+}
diff --git a/agent/utils/firewall/client/iptables_fw.go b/agent/utils/firewall/client/iptables_fw.go
deleted file mode 100644
index 2e3a46044327..000000000000
--- a/agent/utils/firewall/client/iptables_fw.go
+++ /dev/null
@@ -1,447 +0,0 @@
-package client
-
-import (
-	"fmt"
-	"regexp"
-	"strconv"
-	"strings"
-
-	"github.com/1Panel-dev/1Panel/agent/buserr"
-	"github.com/1Panel-dev/1Panel/agent/global"
-	"github.com/1Panel-dev/1Panel/agent/utils/cmd"
-	"github.com/1Panel-dev/1Panel/agent/utils/controller"
-)
-
-var portRuleRegex = regexp.MustCompile(`-A\s+INPUT\s+-p\s+(\w+)(?:\s+-m\s+\w+)*\s+--dport\s+(\d+(?::\d+)?)\s+-j\s+(\w+)`)
-var addressRuleRegex = regexp.MustCompile(`-A\s+(INPUT|OUTPUT)\s+-s\s+(\S+)\s+-j\s+(\w+)`)
-
-// IptablesFirewall wraps Iptables to implement FirewallClient interface
-type IptablesFirewall struct {
-	iptables *Iptables
-}
-
-// NewIptablesFirewall creates a new IptablesFirewall instance
-func NewIptablesFirewall() (*IptablesFirewall, error) {
-	iptables, err := NewIptables()
-	if err != nil {
-		return nil, err
-	}
-	return &IptablesFirewall{
-		iptables: iptables,
-	}, nil
-}
-
-func (ifw *IptablesFirewall) Name() string {
-	return "iptables"
-}
-
-func (ifw *IptablesFirewall) Status() (bool, error) {
-	// Check if iptables has any rules (indicates it's running)
-	stdout, err := cmd.RunDefaultWithStdoutBashC("iptables -L -n | head -1")
-	if err != nil {
-		return false, err
-	}
-	// If we can list rules, iptables is functional
-	return strings.Contains(stdout, "Chain"), nil
-}
-
-func (ifw *IptablesFirewall) Start() error {
-	// Try different service names
-	services := []string{"iptables", "iptables-services"}
-	var lastErr error
-
-	for _, svc := range services {
-		if err := controller.HandleStart(svc); err == nil {
-			break
-		} else {
-			lastErr = err
-		}
-	}
-
-	// If systemd service doesn't work, try loading kernel modules
-	if err := cmd.RunDefaultBashC("modprobe ip_tables"); err != nil {
-		global.LOG.Warnf("failed to load ip_tables module: %v", err)
-	}
-
-	if lastErr != nil {
-		global.LOG.Warnf("iptables service management not available: %v", lastErr)
-	}
-
-	// Use unified chain setup method
-	if err := ifw.iptables.Setup1PanelFirewallChains("input"); err != nil {
-		return fmt.Errorf("failed to setup 1Panel firewall chains: %w", err)
-	}
-
-	global.LOG.Infof("1Panel firewall chains setup completed")
-	return nil
-}
-
-func (ifw *IptablesFirewall) Stop() error {
-	global.LOG.Info("Stopping 1Panel firewall - removing chains from INPUT")
-
-	// Remove jump rule from INPUT to 1PANEL_INPUT
-	err := ifw.iptables.run(FilterTab, fmt.Sprintf("-D INPUT -j %s", Chain1PanelInput))
-	if err != nil {
-		global.LOG.Warnf("failed to detach 1PANEL_INPUT from INPUT: %v", err)
-	}
-
-	// Remove jump rule from INPUT to 1PANEL_BASIC
-	err = ifw.iptables.run(FilterTab, fmt.Sprintf("-D INPUT -j %s", Chain1PanelBasic))
-	if err != nil {
-		global.LOG.Warnf("failed to detach 1PANEL_BASIC from INPUT: %v", err)
-	}
-
-	// Flush the 1PANEL_INPUT chain (clear all rules but keep chain)
-	err = ifw.iptables.run(FilterTab, fmt.Sprintf("-F %s", Chain1PanelInput))
-	if err != nil {
-		global.LOG.Warnf("failed to flush 1PANEL_INPUT chain: %v", err)
-	}
-
-	// Flush the 1PANEL_BASIC chain (clear all rules but keep chain)
-	err = ifw.iptables.run(FilterTab, fmt.Sprintf("-F %s", Chain1PanelBasic))
-	if err != nil {
-		global.LOG.Warnf("failed to flush 1PANEL_BASIC chain: %v", err)
-	}
-
-	// Keep chains (do not delete) so data can still be read from them
-	global.LOG.Info("1Panel firewall chains flushed and detached")
-
-	return nil
-}
-
-func (ifw *IptablesFirewall) Restart() error {
-	// Restart is disabled - frontend will remove this functionality
-	// No operation needed for iptables
-	global.LOG.Info("Restart is a no-op for iptables")
-	return nil
-}
-
-func (ifw *IptablesFirewall) Reload() error {
-	return ifw.iptables.Reload()
-}
-
-func (ifw *IptablesFirewall) Version() (string, error) {
-	return ifw.iptables.GetVersion()
-}
-
-func (ifw *IptablesFirewall) ListPort() ([]FireInfo, error) {
-	stdout, err := ifw.iptables.out(FilterTab, fmt.Sprintf("-S %s", Chain1PanelBasic))
-	if err != nil {
-		return nil, fmt.Errorf("failed to list 1PANEL_BASIC rules: %w", err)
-	}
-
-	var datas []FireInfo
-	lines := strings.Split(stdout, "\n")
-
-	// Updated regex to match 1PANEL_BASIC chain
-	chainPortRegex := regexp.MustCompile(fmt.Sprintf(`-A\s+%s\s+(?:-s\s+(\S+)\s+)?-p\s+(\w+)(?:\s+-m\s+\w+)*\s+--dport\s+(\d+(?::\d+)?)\s+-j\s+(\w+)`, Chain1PanelBasic))
-
-	for _, line := range lines {
-		line = strings.TrimSpace(line)
-		if !strings.HasPrefix(line, fmt.Sprintf("-A %s", Chain1PanelBasic)) {
-			continue
-		}
-
-		// Parse rules like: -A 1PANEL_BASIC -p tcp --dport 80 -j ACCEPT
-		if matches := chainPortRegex.FindStringSubmatch(line); len(matches) == 5 {
-			address := matches[1]
-			protocol := matches[2]
-			port := strings.ReplaceAll(matches[3], ":", "-")
-			action := strings.ToLower(matches[4])
-
-			strategy := "accept"
-			if action == "drop" || action == "reject" {
-				strategy = "drop"
-			}
-
-			datas = append(datas, FireInfo{
-				Address:  address,
-				Protocol: protocol,
-				Port:     port,
-				Strategy: strategy,
-				Family:   "ipv4",
-			})
-		}
-	}
-
-	return datas, nil
-}
-
-func (ifw *IptablesFirewall) ListForward() ([]FireInfo, error) {
-	natList, err := ifw.iptables.NatList(PreRoutingChain)
-	if err != nil {
-		return nil, fmt.Errorf("failed to list NAT rules: %w", err)
-	}
-
-	var datas []FireInfo
-	for _, nat := range natList {
-		datas = append(datas, FireInfo{
-			Num:        nat.Num,
-			Protocol:   nat.Protocol,
-			Port:       strings.TrimPrefix(nat.SrcPort, ":"),
-			TargetIP:   nat.Destination,
-			TargetPort: strings.TrimPrefix(nat.DestPort, ":"),
-			Interface:  nat.InIface,
-		})
-	}
-
-	return datas, nil
-}
-
-func (ifw *IptablesFirewall) ListAddress() ([]FireInfo, error) {
-	stdout, err := ifw.iptables.out(FilterTab, fmt.Sprintf("-S %s", Chain1PanelBasic))
-	if err != nil {
-		return nil, fmt.Errorf("failed to list 1PANEL_BASIC address rules: %w", err)
-	}
-
-	var datas []FireInfo
-	lines := strings.Split(stdout, "\n")
-	addressMap := make(map[string]FireInfo) // Deduplicate by address
-
-	// Updated regex to match both source and destination addresses in 1PANEL_BASIC chain
-	chainAddressRegex := regexp.MustCompile(fmt.Sprintf(`-A\s+%s\s+(?:-s\s+(\S+)|(?:-d\s+(\S+)))?\s+-j\s+(\w+)`, Chain1PanelBasic))
-
-	for _, line := range lines {
-		line = strings.TrimSpace(line)
-		if !strings.HasPrefix(line, fmt.Sprintf("-A %s", Chain1PanelBasic)) {
-			continue
-		}
-
-		// Parse rules like: -A 1PANEL_BASIC -s 192.168.1.1 -j DROP
-		if matches := chainAddressRegex.FindStringSubmatch(line); len(matches) >= 4 {
-			// matches[1] is source address (-s), matches[2] is dest address (-d), matches[3] is action
-			address := matches[1]
-			if address == "" {
-				address = matches[2]
-			}
-			if address == "" {
-				continue
-			}
-			action := strings.ToLower(matches[3])
-
-			strategy := "accept"
-			if action == "drop" || action == "reject" {
-				strategy = "drop"
-			}
-
-			// Use address as key to deduplicate
-			if _, exists := addressMap[address]; !exists {
-				addressMap[address] = FireInfo{
-					Address:  address,
-					Strategy: strategy,
-					Family:   "ipv4",
-				}
-			}
-		}
-	}
-
-	// Convert map to slice
-	for _, info := range addressMap {
-		datas = append(datas, info)
-	}
-
-	return datas, nil
-}
-
-func (ifw *IptablesFirewall) Port(port FireInfo, operation string) error {
-	if operation != "add" && operation != "remove" {
-		return buserr.New("ErrCmdIllegal")
-	}
-
-	// Validate port
-	portSpec, err := normalizePortSpec(port.Port)
-	if err != nil {
-		return err
-	}
-
-	protocol := port.Protocol
-	if protocol == "" {
-		protocol = "tcp"
-	}
-
-	action := "ACCEPT"
-	if port.Strategy == "drop" {
-		action = "DROP"
-	}
-
-	opFlag := "-A"
-	if operation == "remove" {
-		opFlag = "-D"
-	}
-
-	args := []string{fmt.Sprintf("%s %s", opFlag, Chain1PanelBasic), fmt.Sprintf("-p %s", protocol)}
-	if protocol == "tcp" || protocol == "udp" {
-		args = append(args, fmt.Sprintf("-m %s", protocol))
-	}
-	args = append(args, fmt.Sprintf("--dport %s", portSpec), fmt.Sprintf("-j %s", action))
-
-	return ifw.iptables.run(FilterTab, strings.Join(args, " "))
-}
-
-func (ifw *IptablesFirewall) RichRules(rule FireInfo, operation string) error {
-	if operation != "add" && operation != "remove" {
-		return buserr.New("ErrCmdIllegal")
-	}
-
-	address := strings.TrimSpace(rule.Address)
-	if strings.EqualFold(address, "Anywhere") {
-		address = ""
-	}
-
-	action := "ACCEPT"
-	if rule.Strategy == "drop" {
-		action = "DROP"
-	}
-
-	var ruleStr string
-	opFlag := "-A"
-	if operation == "remove" {
-		opFlag = "-D"
-	}
-
-	args := []string{fmt.Sprintf("%s %s", opFlag, Chain1PanelBasic)}
-	if address != "" {
-		args = append(args, fmt.Sprintf("-s %s", address))
-	}
-
-	protocol := strings.TrimSpace(rule.Protocol)
-	if rule.Port != "" && protocol == "" {
-		protocol = "tcp"
-	}
-
-	if protocol != "" {
-		args = append(args, fmt.Sprintf("-p %s", protocol))
-	}
-
-	if rule.Port != "" {
-		portSegment, err := normalizePortSpec(rule.Port)
-		if err != nil {
-			return err
-		}
-		if protocol == "" {
-			return fmt.Errorf("protocol is required when specifying a port")
-		}
-		if protocol == "tcp" || protocol == "udp" {
-			args = append(args, fmt.Sprintf("-m %s", protocol))
-		}
-		args = append(args, fmt.Sprintf("--dport %s", portSegment))
-	}
-
-	args = append(args, fmt.Sprintf("-j %s", action))
-	ruleStr = strings.Join(args, " ")
-	return ifw.iptables.run(FilterTab, ruleStr)
-}
-
-func (ifw *IptablesFirewall) PortForward(info Forward, operation string) error {
-	if operation != "add" && operation != "remove" {
-		return buserr.New("ErrCmdIllegal")
-	}
-
-	// Validate inputs
-	if info.Protocol == "" || info.Port == "" || info.TargetPort == "" {
-		return fmt.Errorf("protocol, port, and target port are required")
-	}
-
-	if operation == "add" {
-		// Use existing NatAdd method
-		return ifw.iptables.NatAdd(info.Protocol, info.Port, info.TargetIP, info.TargetPort, info.Interface, true)
-	} else {
-		// For remove, we need to find the rule number first
-		natList, err := ifw.iptables.NatList(PreRoutingChain)
-		if err != nil {
-			return fmt.Errorf("failed to list NAT rules: %w", err)
-		}
-
-		// Find matching rule
-		for _, nat := range natList {
-			if nat.Protocol == info.Protocol &&
-				strings.TrimPrefix(nat.SrcPort, ":") == info.Port &&
-				strings.TrimPrefix(nat.DestPort, ":") == info.TargetPort {
-
-				targetIP := info.TargetIP
-				if targetIP == "" {
-					targetIP = "127.0.0.1"
-				}
-
-				return ifw.iptables.NatRemove(nat.Num, info.Protocol, info.Port, targetIP, info.TargetPort, info.Interface)
-			}
-		}
-
-		return fmt.Errorf("forward rule not found")
-	}
-}
-
-func (ifw *IptablesFirewall) EnableForward() error {
-	// Enable IP forwarding
-	if err := cmd.RunDefaultBashC("echo 1 > /proc/sys/net/ipv4/ip_forward"); err != nil {
-		return fmt.Errorf("failed to enable IP forwarding: %w", err)
-	}
-
-	// Make it persistent (if sysctl.conf exists)
-	_ = cmd.RunDefaultBashC("grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf")
-	_ = cmd.RunDefaultBashC("sysctl -p")
-
-	// Setup NAT and Forward chains
-	if err := ifw.iptables.ensureChainWithJump(NatTab, "PREROUTING", PreRoutingChain); err != nil {
-		return err
-	}
-	if err := ifw.iptables.ensureChainWithJump(NatTab, "POSTROUTING", PostRoutingChain); err != nil {
-		return err
-	}
-	if err := ifw.iptables.ensureChainWithJump(FilterTab, "FORWARD", ForwardChain); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-// Helper function to parse port number
-func parsePort(portStr string) (int, error) {
-	port, err := strconv.Atoi(portStr)
-	if err != nil {
-		return 0, fmt.Errorf("invalid port number: %s", portStr)
-	}
-	if port < 1 || port > 65535 {
-		return 0, fmt.Errorf("port out of range: %d", port)
-	}
-	return port, nil
-}
-
-func normalizePortSpec(port string) (string, error) {
-	value := strings.TrimSpace(port)
-	if value == "" {
-		return "", fmt.Errorf("port is required")
-	}
-
-	separator := ""
-	if strings.Contains(value, "-") {
-		separator = "-"
-	} else if strings.Contains(value, ":") {
-		separator = ":"
-	}
-
-	if separator != "" {
-		parts := strings.Split(value, separator)
-		if len(parts) != 2 {
-			return "", fmt.Errorf("invalid port range: %s", port)
-		}
-		start, err := parsePort(strings.TrimSpace(parts[0]))
-		if err != nil {
-			return "", err
-		}
-		end, err := parsePort(strings.TrimSpace(parts[1]))
-		if err != nil {
-			return "", err
-		}
-		if start > end {
-			return "", fmt.Errorf("invalid port range: %d-%d", start, end)
-		}
-		return fmt.Sprintf("%d:%d", start, end), nil
-	}
-
-	single, err := parsePort(value)
-	if err != nil {
-		return "", err
-	}
-	return fmt.Sprintf("%d", single), nil
-}
diff --git a/agent/utils/firewall/client/iptables_policy.go b/agent/utils/firewall/client/iptables_policy.go
deleted file mode 100644
index edce0c3b4955..000000000000
--- a/agent/utils/firewall/client/iptables_policy.go
+++ /dev/null
@@ -1,99 +0,0 @@
-package client
-
-import (
-	"fmt"
-	"strings"
-)
-
-// IptablesChain
-type IptablesChain struct {
-	Name          string
-	DefaultPolicy string
-	FirstRule     *IptablesPolicyChainItem
-	LastRule      *IptablesPolicyChainItem
-}
-
-func (c *IptablesChain) ParseLine(line string) error {
-	cmd := strings.Split(line, " ")
-
-	if cmd[0] == "-P" {
-		c.Name = cmd[1]
-		c.DefaultPolicy = cmd[2]
-		return nil
-	}
-	if cmd[0] == "-A" {
-		if cmd[1] != c.Name {
-			return fmt.Errorf("invalid chain name in rule line: %s", line)
-		}
-		policy := IptablesPolicy{}
-		for i := 2; i < len(cmd); i++ {
-			switch cmd[i] {
-			case "-p":
-				i++
-				policy.Protocol = cmd[i]
-			case "--dport":
-				i++
-				// parse port
-				var port uint16
-				fmt.Sscanf(cmd[i], "%d", &port)
-				policy.DstPort = port
-			case "--sport":
-				i++
-				var port uint16
-				fmt.Sscanf(cmd[i], "%d", &port)
-				policy.SrcPort = port
-			case "-s":
-				i++
-				policy.SourceIP = cmd[i]
-			case "-d":
-				i++
-				policy.DestIP = cmd[i]
-			case "-j":
-				i++
-				policy.Action = cmd[i]
-			case "-m":
-				// skip
-				i++
-			case "--comment":
-				i++
-				policy.Comment = strings.Trim(cmd[i], "\"")
-			}
-		}
-		newItem := &IptablesPolicyChainItem{
-			P: policy,
-		}
-		if c.FirstRule == nil {
-			c.FirstRule = newItem
-			c.LastRule = newItem
-		} else {
-			current := c.LastRule
-			current.SetNext(newItem)
-			c.LastRule = newItem
-		}
-		return nil
-	}
-	return fmt.Errorf("invalid iptables rule line: %s", line)
-}
-
-type IptablesPolicyChainItem struct {
-	next *IptablesPolicyChainItem
-	P    IptablesPolicy
-}
-
-func (item *IptablesPolicyChainItem) SetNext(next *IptablesPolicyChainItem) {
-	item.next = next
-}
-
-func (item *IptablesPolicyChainItem) Next() *IptablesPolicyChainItem {
-	return item.next
-}
-
-type IptablesPolicy struct {
-	Protocol string
-	SrcPort  uint16
-	DstPort  uint16
-	SourceIP string
-	DestIP   string
-	Action   string // ACCEPT, DROP, REJECT
-	Comment  string
-}
diff --git a/agent/utils/firewall/client/ufw.go b/agent/utils/firewall/client/ufw.go
index 80be44c59b3a..97da61e2faa5 100644
--- a/agent/utils/firewall/client/ufw.go
+++ b/agent/utils/firewall/client/ufw.go
@@ -5,7 +5,6 @@ import (
 	"strings"
 
 	"github.com/1Panel-dev/1Panel/agent/buserr"
-	"github.com/1Panel-dev/1Panel/agent/global"
 	"github.com/1Panel-dev/1Panel/agent/utils/cmd"
 )
 
@@ -97,40 +96,6 @@ func (f *Ufw) ListPort() ([]FireInfo, error) {
 	return datas, nil
 }
 
-func (f *Ufw) ListForward() ([]FireInfo, error) {
-	if err := f.EnableForward(); err != nil {
-		global.LOG.Errorf("init port forward failed, err: %v", err)
-	}
-	iptables, err := NewIptables()
-	if err != nil {
-		return nil, err
-	}
-	rules, err := iptables.NatList()
-	if err != nil {
-		return nil, err
-	}
-
-	var list []FireInfo
-	for _, rule := range rules {
-		dest := strings.Split(rule.DestPort, ":")
-		if len(dest) < 2 {
-			continue
-		}
-		if len(dest[0]) == 0 {
-			dest[0] = "127.0.0.1"
-		}
-		list = append(list, FireInfo{
-			Num:        rule.Num,
-			Protocol:   rule.Protocol,
-			Interface:  rule.InIface,
-			Port:       rule.SrcPort,
-			TargetIP:   dest[0],
-			TargetPort: dest[1],
-		})
-	}
-	return list, nil
-}
-
 func (f *Ufw) ListAddress() ([]FireInfo, error) {
 	stdout, err := cmd.RunDefaultWithStdoutBashCf("%s status verbose", f.CmdStr)
 	if err != nil {
@@ -232,20 +197,15 @@ func (f *Ufw) RichRules(rule FireInfo, operation string) error {
 }
 
 func (f *Ufw) PortForward(info Forward, operation string) error {
-	iptables, err := NewIptables()
-	if err != nil {
-		return err
-	}
+	return iptablesPortForward(info, operation)
+}
 
-	if operation == "add" {
-		err = iptables.NatAdd(info.Protocol, info.Port, info.TargetIP, info.TargetPort, info.Interface, true)
-	} else {
-		err = iptables.NatRemove(info.Num, info.Protocol, info.Port, info.TargetIP, info.TargetPort, info.Interface)
-	}
-	if err != nil {
-		return fmt.Errorf("%s port forward failed, err: %s", operation, err)
-	}
-	return nil
+func (f *Ufw) EnableForward() error {
+	return EnableIptablesForward()
+}
+
+func (f *Ufw) ListForward() ([]FireInfo, error) {
+	return iptablesListForward()
 }
 
 func (f *Ufw) loadInfo(line string, fireType string) FireInfo {
@@ -292,39 +252,3 @@ func (f *Ufw) loadInfo(line string, fireType string) FireInfo {
 
 	return itemInfo
 }
-
-func (f *Ufw) EnableForward() error {
-	iptables, err := NewIptables()
-	if err != nil {
-		return err
-	}
-	if err = iptables.Check(); err != nil {
-		return err
-	}
-
-	_ = iptables.NewChain(NatTab, PreRoutingChain)
-	_ = iptables.NewChain(NatTab, PostRoutingChain)
-	_ = iptables.NewChain(FilterTab, ForwardChain)
-
-	if err = f.enableChain(iptables); err != nil {
-		return err
-	}
-	return iptables.Reload()
-}
-
-func (f *Ufw) enableChain(iptables *Iptables) error {
-	rules, err := iptables.NatList("PREROUTING")
-	if err != nil {
-		return err
-	}
-	for _, rule := range rules {
-		if rule.Target == PreRoutingChain {
-			return nil
-		}
-	}
-
-	_ = iptables.AppendChain(NatTab, "PREROUTING", PreRoutingChain)
-	_ = iptables.AppendChain(NatTab, "POSTROUTING", PostRoutingChain)
-	_ = iptables.AppendChain(FilterTab, "FORWARD", ForwardChain)
-	return nil
-}
diff --git a/core/server/server.go b/core/server/server.go
index a37e906ba91d..d640a8b30ed5 100644
--- a/core/server/server.go
+++ b/core/server/server.go
@@ -9,16 +9,13 @@ import (
 	"os"
 	"path"
 
-	"github.com/1Panel-dev/1Panel/core/init/proxy"
-	"github.com/gin-gonic/gin"
-
-	"github.com/1Panel-dev/1Panel/core/init/proxy"
-
 	"github.com/1Panel-dev/1Panel/core/init/db"
 	"github.com/1Panel-dev/1Panel/core/init/geo"
 	"github.com/1Panel-dev/1Panel/core/init/log"
 	"github.com/1Panel-dev/1Panel/core/init/migration"
+	"github.com/1Panel-dev/1Panel/core/init/proxy"
 	"github.com/1Panel-dev/1Panel/core/init/run"
+	"github.com/gin-gonic/gin"
 
 	"github.com/1Panel-dev/1Panel/core/constant"
 	"github.com/1Panel-dev/1Panel/core/global"
diff --git a/frontend/src/api/interface/host.ts b/frontend/src/api/interface/host.ts
index e3c6a1447bed..622beaaa116f 100644
--- a/frontend/src/api/interface/host.ts
+++ b/frontend/src/api/interface/host.ts
@@ -68,6 +68,8 @@ export namespace Host {
         name: string;
         isExist: boolean;
         isActive: boolean;
+        isInit: boolean;
+        isBind: boolean;
         version: string;
         pingStatus: string;
     }
@@ -265,45 +267,39 @@ export namespace Host {
     }
 
     // Iptables Filter
-    export interface IptablesFilterRuleSearch {
-        chains?: string[];
+    export interface IptablesFilterRuleSearch extends ReqPage {
+        info: string;
+        type: string;
     }
-
-    export interface IptablesChainInfo {
-        version: string;
-        name: string;
-        defaultPolicy: string;
-        rules: IptablesFilterRuleInfo[];
-        isApplied: boolean;
+    export interface IptablesData {
+        items: IptablesRules[];
+        total: number;
+        defaultStrategy: string;
     }
-
-    export interface IptablesFilterRuleInfo {
+    export interface IptablesRules {
         id: number;
         protocol: string;
-        sourceIP: string;
-        sourcePort: number;
-        destIP: string;
-        destPort: number;
-        action: string;
-        comment: string;
+        srcPort: number;
+        dstPort: number;
+        srcIP: string;
+        dstIP: string;
+        strategy: string;
         description: string;
-        ruleOrder: number;
     }
-
-    export interface IptablesFilterRuleOperate {
+    export interface ChainStatus {
+        isBind: boolean;
+        defaultStrategy: string;
+    }
+    export interface IptablesFilterRuleOp {
         operation: string;
         id?: number;
         chain: string;
         protocol: string;
-        sourceIP?: string;
-        sourcePort?: number;
-        destIP?: string;
-        destPort?: number;
-        action: string;
+        srcIP?: string;
+        srcPort?: number;
+        dstIP?: string;
+        dstPort?: number;
+        strategy: string;
         description?: string;
     }
-
-    export interface IptablesFilterApply {
-        operation: string;
-    }
 }
diff --git a/frontend/src/api/modules/host.ts b/frontend/src/api/modules/host.ts
index bac8c8c4da9a..500cfdc35e67 100644
--- a/frontend/src/api/modules/host.ts
+++ b/frontend/src/api/modules/host.ts
@@ -6,8 +6,8 @@ import { deepCopy } from '@/utils/util';
 import { Base64 } from 'js-base64';
 
 // firewall
-export const loadFireBaseInfo = () => {
-    return http.get<Host.FirewallBase>(`/hosts/firewall/base`);
+export const loadFireBaseInfo = (tab: string) => {
+    return http.post<Host.FirewallBase>(`/hosts/firewall/base`, { name: tab }, TimeoutEnum.T_40S);
 };
 export const searchFireRule = (params: Host.RuleSearch) => {
     return http.post<ResPage<Host.RuleInfo>>(`/hosts/firewall/search`, params, TimeoutEnum.T_40S);
@@ -45,17 +45,20 @@ export const batchOperateRule = (params: Host.BatchRule) => {
 };
 
 // Iptables Filter
-export const getFilterRules = (params: Host.IptablesFilterRuleSearch) => {
-    return http.post<Host.IptablesChainInfo[]>(`/hosts/firewall/filter/rules`, params);
+export const searchFilterRules = (params: Host.IptablesFilterRuleSearch) => {
+    return http.post<Host.IptablesData>(`/hosts/firewall/filter/rule/search`, params);
 };
-export const operateFilterRule = (params: Host.IptablesFilterRuleOperate) => {
-    return http.post(`/hosts/firewall/filter/rule`, params, TimeoutEnum.T_40S);
+export const loadChainStatus = (name: string) => {
+    return http.post<Host.ChainStatus>(`/hosts/firewall/filter/chain/status`, { name: name }, TimeoutEnum.T_60S);
 };
-export const batchOperateFilterRule = (params: { rules: Host.IptablesFilterRuleOperate[] }) => {
-    return http.post(`/hosts/firewall/filter/batch`, params, TimeoutEnum.T_40S);
+export const operateFilterRule = (params: Host.IptablesFilterRuleOp) => {
+    return http.post(`/hosts/firewall/filter/rule/operate`, params, TimeoutEnum.T_40S);
 };
-export const applyFilterFirewall = (params: Host.IptablesFilterApply) => {
-    return http.post(`/hosts/firewall/filter/apply`, params, TimeoutEnum.T_60S);
+export const batchOperateFilterRule = (params: { rules: Host.IptablesFilterRuleOp[] }) => {
+    return http.post(`/hosts/firewall/filter/rule/batch`, params, TimeoutEnum.T_40S);
+};
+export const operateFilterChain = (name: string, op: string) => {
+    return http.post(`/hosts/firewall/filter/operate`, { name: name, operate: op }, TimeoutEnum.T_60S);
 };
 
 // monitors
diff --git a/frontend/src/lang/modules/en.ts b/frontend/src/lang/modules/en.ts
index 551fe1b6149c..ae59f35557ec 100644
--- a/frontend/src/lang/modules/en.ts
+++ b/frontend/src/lang/modules/en.ts
@@ -2888,9 +2888,6 @@ const message = {
         portHelper2: 'Range port, e.g. 8080-8089',
         changeStrategyHelper:
             'Change [{1}] {0} strategy to [{2}]. After setting, {0} will access {2} externally. Do you want to continue?',
-        portHelper: 'Multiple ports can be entered, e.g. 80,81, or range ports, e.g. 80-88',
-        allPorts: 'All Ports',
-        ruleTemplate: 'Rule template',
 
         strategy: 'Strategy',
         accept: 'Accept',
@@ -2912,8 +2909,6 @@ const message = {
         createIpRule: '@:commons.button.create @:firewall.ipRule',
         userAgent: 'User-Agent filter',
         sourcePort: 'Source port',
-        inboundDirection: 'Inbound',
-        outboundDirection: 'Outbound',
         targetIP: 'Destination IP',
         targetPort: 'Destination port',
         forwardHelper1: 'If you want to forward to the local port, the destination IP should be set to "127.0.0.1".',
@@ -2923,6 +2918,37 @@ const message = {
         exportHelper: 'About to export {0} firewall rules. Continue?',
         importSuccess: 'Successfully imported {0} rules',
         importPartialSuccess: 'Import completed: {0} succeeded, {1} failed',
+
+        basicStatus: 'Current chain {0} status is unbound. Added firewall rules will take effect after binding!',
+        baseIptables: 'Iptables Service',
+        forwardIptables: 'Iptables Port Forwarding Service',
+        advanceIptables: 'Iptables Advanced Configuration Service',
+        initMsg: 'About to initialize {0}, continue?',
+        initHelper:
+            'Detected that {0} is not initialized. Please click the initialization button in the top status bar to configure!',
+        bindHelper: 'Bind - Firewall rules will only take effect when the status is bound. Confirm?',
+        unbindHelper:
+            'Unbind - When unbound, all added firewall rules will become invalid. Proceed with caution. Confirm?',
+        defaultStrategy: 'Default policy for current chain {0} is {1}',
+        defaultStrategy2:
+            'Default policy for current chain {0} is {1}, current status is unbound. Added firewall rules will take effect after binding!',
+        filterRule: 'Filter Rule',
+        filterHelper:
+            'Filter rules allow you to control network traffic at the INPUT/OUTPUT level. Configure carefully to avoid locking the system.',
+        chain: 'Chain',
+        targetChain: 'Target Chain',
+        sourceIP: 'Source IP',
+        destIP: 'Destination IP',
+        inboundDirection: 'Inbound Direction',
+        outboundDirection: 'Outbound Direction',
+        destPort: 'Destination Port',
+        action: 'Action',
+        reject: 'Reject',
+        sourceIPHelper: 'CIDR format, e.g., 192.168.1.0/24. Leave empty for all addresses',
+        destIPHelper: 'CIDR format, e.g., 10.0.0.0/8. Leave empty for all addresses',
+        portHelper: '0 means any port',
+        allPorts: 'All Ports',
+        deleteRuleConfirm: 'Will delete {0} rules. Continue?',
     },
     runtime: {
         runtime: 'Runtime',
diff --git a/frontend/src/lang/modules/es-es.ts b/frontend/src/lang/modules/es-es.ts
index 8dc84a1b4cb6..5a850dca946f 100644
--- a/frontend/src/lang/modules/es-es.ts
+++ b/frontend/src/lang/modules/es-es.ts
@@ -2861,9 +2861,6 @@ const message = {
         portHelper2: 'Rango de puertos, ej. 8080-8089',
         changeStrategyHelper:
             'Cambiar estrategia de {0} [{1}] a [{2}]. Después de configurarla, {0} tendrá acceso externo como {2}. ¿Deseas continuar?',
-        portHelper: 'Se pueden ingresar múltiples puertos, ej. 80,81, o rangos, ej. 80-88',
-        allPorts: 'Todos los puertos',
-        ruleTemplate: 'Plantilla de regla',
 
         strategy: 'Estrategia',
         accept: 'Aceptar',
@@ -2885,8 +2882,6 @@ const message = {
         createIpRule: '@:commons.button.create @:firewall.ipRule',
         userAgent: 'Filtro User-Agent',
         sourcePort: 'Puerto de origen',
-        inboundDirection: 'Entrada',
-        outboundDirection: 'Salida',
         targetIP: 'IP de destino',
         targetPort: 'Puerto de destino',
         forwardHelper1: 'Si quieres reenviar al puerto local, la IP de destino debe ser "127.0.0.1".',
@@ -2896,6 +2891,39 @@ const message = {
         exportHelper: 'A punto de exportar {0} reglas de firewall. ¿Continuar?',
         importSuccess: 'Se importaron correctamente {0} reglas',
         importPartialSuccess: 'Importación completada: {0} correctas, {1} fallidas',
+
+        basicStatus:
+            'El estado actual de la cadena {0} es no vinculado. ¡Las reglas de firewall agregadas surtirán efecto después de la vinculación!',
+        baseIptables: 'Servicio Iptables',
+        forwardIptables: 'Servicio de Reenvío de Puertos Iptables',
+        advanceIptables: 'Servicio de Configuración Avanzada de Iptables',
+        initMsg: 'A punto de inicializar {0}, ¿continuar?',
+        initHelper:
+            'Se detectó que {0} no está inicializado. ¡Haga clic en el botón de inicialización en la barra de estado superior para configurar!',
+        bindHelper:
+            'Vincular: las reglas de firewall solo surtirán efecto cuando el estado esté vinculado. ¿Confirmar?',
+        unbindHelper:
+            'Desvincular: al desvincular, todas las reglas de firewall agregadas se volverán inválidas. Proceda con precaución. ¿Confirmar?',
+        defaultStrategy: 'La política predeterminada para la cadena actual {0} es {1}',
+        defaultStrategy2:
+            'La política predeterminada para la cadena actual {0} es {1}, el estado actual es no vinculado. ¡Las reglas de firewall agregadas surtirán efecto después de la vinculación!',
+        filterRule: 'Regla de Filtro',
+        filterHelper:
+            'Las reglas de filtro le permiten controlar el tráfico de red a nivel INPUT/OUTPUT. Configure con cuidado para evitar bloquear el sistema.',
+        chain: 'Cadena',
+        targetChain: 'Cadena de Destino',
+        sourceIP: 'IP de Origen',
+        destIP: 'IP de Destino',
+        inboundDirection: 'Dirección de Entrada',
+        outboundDirection: 'Dirección de Salida',
+        destPort: 'Puerto de Destino',
+        action: 'Acción',
+        reject: 'Rechazar',
+        sourceIPHelper: 'Formato CIDR, ej. 192.168.1.0/24. Dejar vacío para todas las direcciones',
+        destIPHelper: 'Formato CIDR, ej. 10.0.0.0/8. Dejar vacío para todas las direcciones',
+        portHelper: '0 significa cualquier puerto',
+        allPorts: 'Todos los Puertos',
+        deleteRuleConfirm: 'Se eliminarán {0} reglas. ¿Continuar?',
     },
     runtime: {
         runtime: 'Runtime',
diff --git a/frontend/src/lang/modules/ja.ts b/frontend/src/lang/modules/ja.ts
index 28e2bd229d73..45fa0a6e0ab6 100644
--- a/frontend/src/lang/modules/ja.ts
+++ b/frontend/src/lang/modules/ja.ts
@@ -2804,9 +2804,6 @@ const message = {
         portHelper2: '範囲ポート、例えば8080-8089',
         changeStrategyHelper:
             '[{1}] {0}戦略を[{2}]に変更します。設定後、{0}は外部から{2}にアクセスします。続けたいですか？',
-        portHelper: '複数のポートを入力できます。80,81、または範囲ポート、例えば80-88',
-        allPorts: 'すべてのポート',
-        ruleTemplate: 'ルールテンプレート',
 
         strategy: '戦略',
         accept: '受け入れる',
@@ -2828,8 +2825,6 @@ const message = {
         createIpRule: '@:commons.button.create @:firewall.iprule',
         userAgent: 'ユーザーエージェントフィルター',
         sourcePort: 'ソースポート',
-        inboundDirection: '受信方向',
-        outboundDirection: '送信方向',
         targetIP: '宛先IP',
         targetPort: '宛先ポート',
         forwardHelper1: 'ローカルポートに転送する場合は、宛先IPを「127.0.0.1」に設定する必要があります。',
@@ -2839,6 +2834,38 @@ const message = {
         exportHelper: '{0} 件のファイアウォールルールをエクスポートします。続行しますか？',
         importSuccess: '{0} 件のルールを正常にインポートしました',
         importPartialSuccess: 'インポート完了: {0} 件成功、{1} 件失敗',
+
+        basicStatus:
+            '現在のチェーン {0} の状態は未バインドです。追加されたファイアウォールルールはバインド後に有効になります！',
+        baseIptables: 'Iptables サービス',
+        forwardIptables: 'Iptables ポート転送サービス',
+        advanceIptables: 'Iptables 高度な設定サービス',
+        initMsg: '{0} を初期化します。続行しますか？',
+        initHelper:
+            '{0} が初期化されていないことを検出しました。上部ステータスバーの初期化ボタンをクリックして設定してください！',
+        bindHelper: 'バインド - ファイアウォールルールは状態がバインドされている場合のみ有効になります。確認しますか？',
+        unbindHelper:
+            'アンバインド - アンバインドすると、追加されたすべてのファイアウォールルールが無効になります。注意して操作してください。確認しますか？',
+        defaultStrategy: '現在のチェーン {0} のデフォルトポリシーは {1} です',
+        defaultStrategy2:
+            '現在のチェーン {0} のデフォルトポリシーは {1} です。現在の状態は未バインドです。追加されたファイアウォールルールはバインド後に有効になります！',
+        filterRule: 'フィルタールール',
+        filterHelper:
+            'フィルタールールを使用すると、INPUT/OUTPUT レベルでネットワークトラフィックを制御できます。システムをロックしないように注意して設定してください。',
+        chain: 'チェーン',
+        targetChain: 'ターゲットチェーン',
+        sourceIP: '送信元 IP',
+        destIP: '宛先 IP',
+        inboundDirection: 'インバウンド方向',
+        outboundDirection: 'アウトバウンド方向',
+        destPort: '宛先ポート',
+        action: 'アクション',
+        reject: '拒否',
+        sourceIPHelper: 'CIDR 形式、例: 192.168.1.0/24。すべてのアドレスの場合は空のまま',
+        destIPHelper: 'CIDR 形式、例: 10.0.0.0/8。すべてのアドレスの場合は空のまま',
+        portHelper: '0 は任意のポートを意味します',
+        allPorts: 'すべてのポート',
+        deleteRuleConfirm: '{0} 個のルールを削除します。続行しますか？',
     },
     runtime: {
         runtime: 'ランタイム',
diff --git a/frontend/src/lang/modules/ko.ts b/frontend/src/lang/modules/ko.ts
index efe2b8aea333..f3a8606887c5 100644
--- a/frontend/src/lang/modules/ko.ts
+++ b/frontend/src/lang/modules/ko.ts
@@ -2755,9 +2755,6 @@ const message = {
         portHelper2: '포트 범위, 예: 8080-8089',
         changeStrategyHelper:
             '[{1}] {0} 전략을 [{2}]로 변경합니다. 설정 후 {0}은(는) {2}로 외부 접근을 허용합니다. 계속하시겠습니까?',
-        portHelper: '여러 포트를 입력할 수 있습니다. 예: 80, 81 또는 포트 범위, 예: 80-88',
-        allPorts: '모든 포트',
-        ruleTemplate: '규칙 템플릿',
 
         strategy: '전략',
         accept: '허용',
@@ -2779,8 +2776,6 @@ const message = {
         createIpRule: '@:commons.button.create @:firewall.ipRule',
         userAgent: 'User-Agent 필터',
         sourcePort: '소스 포트',
-        inboundDirection: '인바운드',
-        outboundDirection: '아웃바운드',
         targetIP: '대상 IP',
         targetPort: '대상 포트',
         forwardHelper1: "로컬 포트로 전달하려면, 대상 IP 를 '127.0.0.1'로 설정해야 합니다.",
@@ -2790,6 +2785,36 @@ const message = {
         exportHelper: '{0}개의 방화벽 규칙을 내보내려고 합니다. 계속하시겠습니까?',
         importSuccess: '{0}개의 규칙을 성공적으로 가져왔습니다',
         importPartialSuccess: '가져오기 완료: 성공 {0}건, 실패 {1}건',
+
+        basicStatus: '현재 체인 {0} 상태가 바인딩되지 않았습니다. 추가된 방화벽 규칙은 바인딩 후에 효과가 발생합니다!',
+        baseIptables: 'Iptables 서비스',
+        forwardIptables: 'Iptables 포트 포워딩 서비스',
+        advanceIptables: 'Iptables 고급 구성 서비스',
+        initMsg: '{0}을(를) 초기화하려고 합니다. 계속하시겠습니까?',
+        initHelper: '{0}이(가) 초기화되지 않았습니다. 상단 상태 표시줄의 초기화 버튼을 클릭하여 구성하세요!',
+        bindHelper: '바인딩 - 방화벽 규칙은 상태가 바인딩된 경우에만 효과가 있습니다. 확인하시겠습니까?',
+        unbindHelper:
+            '바인딩 해제 - 바인딩 해제 시 추가된 모든 방화벽 규칙이 무효화됩니다. 주의하여 진행하세요. 확인하시겠습니까?',
+        defaultStrategy: '현재 체인 {0}의 기본 정책은 {1}입니다',
+        defaultStrategy2:
+            '현재 체인 {0}의 기본 정책은 {1}입니다. 현재 상태는 바인딩되지 않았습니다. 추가된 방화벽 규칙은 바인딩 후에 효과가 발생합니다!',
+        filterRule: '필터 규칙',
+        filterHelper:
+            '필터 규칙을 사용하면 INPUT/OUTPUT 수준에서 네트워크 트래픽을 제어할 수 있습니다. 시스템 잠금을 방지하기 위해 주의하여 구성하세요.',
+        chain: '체인',
+        targetChain: '대상 체인',
+        sourceIP: '소스 IP',
+        destIP: '대상 IP',
+        inboundDirection: '인바운드 방향',
+        outboundDirection: '아웃바운드 방향',
+        destPort: '대상 포트',
+        action: '동작',
+        reject: '거부',
+        sourceIPHelper: 'CIDR 형식, 예: 192.168.1.0/24. 모든 주소의 경우 비워 둠',
+        destIPHelper: 'CIDR 형식, 예: 10.0.0.0/8. 모든 주소의 경우 비워 둠',
+        portHelper: '0은 모든 포트를 의미합니다',
+        allPorts: '모든 포트',
+        deleteRuleConfirm: '{0}개의 규칙을 삭제합니다. 계속하시겠습니까?',
     },
     runtime: {
         runtime: '실행 환경',
diff --git a/frontend/src/lang/modules/ms.ts b/frontend/src/lang/modules/ms.ts
index bce3029bcb1a..f3bf78d653e5 100644
--- a/frontend/src/lang/modules/ms.ts
+++ b/frontend/src/lang/modules/ms.ts
@@ -2869,9 +2869,6 @@ const message = {
         portHelper2: 'Port rentang, contohnya 8080-8089',
         changeStrategyHelper:
             'Tukar strategi {0} [{1}] kepada [{2}]. Selepas tetapan, {0} akan mengakses {2} secara luaran. Adakah anda mahu meneruskan?',
-        portHelper: 'Pelbagai port boleh dimasukkan, contohnya 80,81, atau rentang port, contohnya 80-88',
-        allPorts: 'Semua port',
-        ruleTemplate: 'Templat peraturan',
 
         strategy: 'Strategi',
         accept: 'Terima',
@@ -2893,8 +2890,6 @@ const message = {
         createIpRule: '@:commons.button.create @:firewall.ipRule',
         userAgent: 'Penapis User-Agent',
         sourcePort: 'Port sumber',
-        inboundDirection: 'Masuk',
-        outboundDirection: 'Keluar',
         targetIP: 'IP sasaran',
         targetPort: 'Port sasaran',
         forwardHelper1: 'Jika anda ingin memajukan ke port tempatan, IP sasaran harus ditetapkan kepada "127.0.0.1".',
@@ -2904,6 +2899,37 @@ const message = {
         exportHelper: 'Akan mengeksport {0} peraturan firewall. Teruskan?',
         importSuccess: '{0} peraturan berjaya diimport',
         importPartialSuccess: 'Import selesai: {0} berjaya, {1} gagal',
+
+        basicStatus:
+            'Status rantaian semasa {0} adalah tidak terikat. Peraturan firewall yang ditambah akan berkuat kuasa selepas pengikatan!',
+        baseIptables: 'Perkhidmatan Iptables',
+        forwardIptables: 'Perkhidmatan Penerusan Port Iptables',
+        advanceIptables: 'Perkhidmatan Konfigurasi Lanjutan Iptables',
+        initMsg: 'Akan memulakan {0}, teruskan?',
+        initHelper: 'Mengesan {0} tidak dimulakan. Sila klik butang pemulaan di bar status atas untuk mengkonfigurasi!',
+        bindHelper: 'Ikat - Peraturan firewall hanya akan berkuat kuasa apabila status terikat. Sahkan?',
+        unbindHelper:
+            'Nyahikat - Apabila tidak terikat, semua peraturan firewall yang ditambah akan menjadi tidak sah. Teruskan dengan berhati-hati. Sahkan?',
+        defaultStrategy: 'Dasar lalai untuk rantaian semasa {0} adalah {1}',
+        defaultStrategy2:
+            'Dasar lalai untuk rantaian semasa {0} adalah {1}, status semasa adalah tidak terikat. Peraturan firewall yang ditambah akan berkuat kuasa selepas pengikatan!',
+        filterRule: 'Peraturan Penapis',
+        filterHelper:
+            'Peraturan penapis membolehkan anda mengawal trafik rangkaian pada tahap INPUT/OUTPUT. Konfigurasikan dengan berhati-hati untuk mengelakkan mengunci sistem.',
+        chain: 'Rantai',
+        targetChain: 'Rantai Sasaran',
+        sourceIP: 'IP Sumber',
+        destIP: 'IP Destinasi',
+        inboundDirection: 'Arah Masuk',
+        outboundDirection: 'Arah Keluar',
+        destPort: 'Port Destinasi',
+        action: 'Tindakan',
+        reject: 'Tolak',
+        sourceIPHelper: 'Format CIDR, cth. 192.168.1.0/24. Biarkan kosong untuk semua alamat',
+        destIPHelper: 'Format CIDR, cth. 10.0.0.0/8. Biarkan kosong untuk semua alamat',
+        portHelper: '0 bermaksud mana-mana port',
+        allPorts: 'Semua Port',
+        deleteRuleConfirm: 'Akan memadam {0} peraturan. Teruskan?',
     },
     runtime: {
         runtime: 'Runtime',
diff --git a/frontend/src/lang/modules/pt-br.ts b/frontend/src/lang/modules/pt-br.ts
index 889cd3dd8872..723e6b406a4f 100644
--- a/frontend/src/lang/modules/pt-br.ts
+++ b/frontend/src/lang/modules/pt-br.ts
@@ -2874,9 +2874,6 @@ const message = {
         portHelper2: 'Faixa de portas, ex.: 8080-8089',
         changeStrategyHelper:
             'Alterar a estratégia [{1}] {0} para [{2}]. Após a definição, {0} acessará {2} externamente. Deseja continuar?',
-        portHelper: 'Várias portas podem ser inseridas, ex.: 80,81, ou faixas de portas, ex.: 80-88',
-        allPorts: 'Todas as portas',
-        ruleTemplate: 'Modelo de regra',
 
         strategy: 'Estratégia',
         accept: 'Aceitar',
@@ -2898,8 +2895,6 @@ const message = {
         createIpRule: '@:commons.button.create @:firewall.ipRule',
         userAgent: 'Filtro User-Agent',
         sourcePort: 'Porta de origem',
-        inboundDirection: 'Entrada',
-        outboundDirection: 'Saída',
         targetIP: 'IP de destino',
         targetPort: 'Porta de destino',
         forwardHelper1:
@@ -2910,6 +2905,39 @@ const message = {
         exportHelper: 'Prestes a exportar {0} regras de firewall. Continuar?',
         importSuccess: '{0} regras importadas com sucesso',
         importPartialSuccess: 'Importação concluída: {0} sucesso, {1} falha',
+
+        basicStatus:
+            'O status atual da cadeia {0} é não vinculado. As regras de firewall adicionadas entrarão em vigor após a vinculação!',
+        baseIptables: 'Serviço Iptables',
+        forwardIptables: 'Serviço de Encaminhamento de Porta Iptables',
+        advanceIptables: 'Serviço de Configuração Avançada do Iptables',
+        initMsg: 'Prestes a inicializar {0}, continuar?',
+        initHelper:
+            'Detectado que {0} não está inicializado. Clique no botão de inicialização na barra de status superior para configurar!',
+        bindHelper:
+            'Vincular - As regras de firewall só entrarão em vigor quando o status estiver vinculado. Confirmar?',
+        unbindHelper:
+            'Desvincular - Quando desvinculado, todas as regras de firewall adicionadas se tornarão inválidas. Prossiga com cautela. Confirmar?',
+        defaultStrategy: 'A política padrão para a cadeia atual {0} é {1}',
+        defaultStrategy2:
+            'A política padrão para a cadeia atual {0} é {1}, o status atual é não vinculado. As regras de firewall adicionadas entrarão em vigor após a vinculação!',
+        filterRule: 'Regra de Filtro',
+        filterHelper:
+            'As regras de filtro permitem controlar o tráfego de rede no nível INPUT/OUTPUT. Configure com cuidado para evitar bloquear o sistema.',
+        chain: 'Cadeia',
+        targetChain: 'Cadeia de Destino',
+        sourceIP: 'IP de Origem',
+        destIP: 'IP de Destino',
+        inboundDirection: 'Direção de Entrada',
+        outboundDirection: 'Direção de Saída',
+        destPort: 'Porta de Destino',
+        action: 'Ação',
+        reject: 'Rejeitar',
+        sourceIPHelper: 'Formato CIDR, ex. 192.168.1.0/24. Deixe vazio para todos os endereços',
+        destIPHelper: 'Formato CIDR, ex. 10.0.0.0/8. Deixe vazio para todos os endereços',
+        portHelper: '0 significa qualquer porta',
+        allPorts: 'Todas as Portas',
+        deleteRuleConfirm: 'Excluirá {0} regras. Continuar?',
     },
     runtime: {
         runtime: 'Runtime',
diff --git a/frontend/src/lang/modules/ru.ts b/frontend/src/lang/modules/ru.ts
index e52c3ca82d8e..dd249e20cc5d 100644
--- a/frontend/src/lang/modules/ru.ts
+++ b/frontend/src/lang/modules/ru.ts
@@ -2868,9 +2868,6 @@ const message = {
         portHelper2: 'Диапазон портов, например 8080-8089',
         changeStrategyHelper:
             'Изменить стратегию {0} [{1}] на [{2}]. После установки {0} будет иметь внешний доступ {2}. Хотите продолжить?',
-        portHelper: 'Можно ввести несколько портов, например 80,81, или диапазон портов, например 80-88',
-        allPorts: 'Все порты',
-        ruleTemplate: 'Шаблон правила',
 
         strategy: 'Стратегия',
         accept: 'Принять',
@@ -2892,8 +2889,6 @@ const message = {
         createIpRule: '@:commons.button.create @:firewall.ipRule',
         userAgent: 'Фильтр User-Agent',
         sourcePort: 'Исходный порт',
-        inboundDirection: 'Входящий',
-        outboundDirection: 'Исходящий',
         targetIP: 'Целевой IP',
         targetPort: 'Целевой порт',
         forwardHelper1:
@@ -2904,6 +2899,38 @@ const message = {
         exportHelper: 'Собираюсь экспортировать {0} правил брандмауэра. Продолжить?',
         importSuccess: 'Успешно импортировано {0} правил',
         importPartialSuccess: 'Импорт завершён: {0} успешно, {1} с ошибкой',
+
+        basicStatus:
+            'Текущий статус цепочки {0} - не привязан. Добавленные правила брандмауэра вступят в силу после привязки!',
+        baseIptables: 'Сервис Iptables',
+        forwardIptables: 'Сервис Переадресации Порта Iptables',
+        advanceIptables: 'Сервис Расширенной Конфигурации Iptables',
+        initMsg: 'Собираюсь инициализировать {0}, продолжить?',
+        initHelper:
+            'Обнаружено, что {0} не инициализирован. Нажмите кнопку инициализации в верхней строке состояния для настройки!',
+        bindHelper: 'Привязать - Правила брандмауэра вступят в силу только когда статус привязан. Подтвердить?',
+        unbindHelper:
+            'Отвязать - При отвязке все добавленные правила брандмауэра станут недействительными. Действуйте осторожно. Подтвердить?',
+        defaultStrategy: 'Политика по умолчанию для текущей цепочки {0} - {1}',
+        defaultStrategy2:
+            'Политика по умолчанию для текущей цепочки {0} - {1}, текущий статус - не привязан. Добавленные правила брандмауэра вступят в силу после привязки!',
+        filterRule: 'Правило Фильтра',
+        filterHelper:
+            'Правила фильтра позволяют управлять сетевым трафиком на уровне INPUT/OUTPUT. Настраивайте осторожно, чтобы избежать блокировки системы.',
+        chain: 'Цепочка',
+        targetChain: 'Целевая Цепочка',
+        sourceIP: 'Исходный IP',
+        destIP: 'Целевой IP',
+        inboundDirection: 'Входящее Направление',
+        outboundDirection: 'Исходящее Направление',
+        destPort: 'Целевой Порт',
+        action: 'Действие',
+        reject: 'Отклонить',
+        sourceIPHelper: 'Формат CIDR, напр. 192.168.1.0/24. Оставьте пустым для всех адресов',
+        destIPHelper: 'Формат CIDR, напр. 10.0.0.0/8. Оставьте пустым для всех адресов',
+        portHelper: '0 означает любой порт',
+        allPorts: 'Все Порта',
+        deleteRuleConfirm: 'Удалит {0} правил. Продолжить?',
     },
     runtime: {
         runtime: 'Среда выполнения',
diff --git a/frontend/src/lang/modules/tr.ts b/frontend/src/lang/modules/tr.ts
index 643271e6963a..86897069688f 100644
--- a/frontend/src/lang/modules/tr.ts
+++ b/frontend/src/lang/modules/tr.ts
@@ -2927,9 +2927,6 @@ const message = {
         portHelper2: 'Aralık portu, ör. 8080-8089',
         changeStrategyHelper:
             '[{1}] {0} stratejisini [{2}] olarak değiştirin. Ayar yapıldıktan sonra {0}, dışarıdan {2} erişimi sağlayacak. Devam etmek istiyor musunuz?',
-        portHelper: 'Birden fazla port girilebilir, ör. 80,81 veya aralık portları, ör. 80-88',
-        allPorts: 'Tüm portlar',
-        ruleTemplate: 'Kural şablonu',
         strategy: 'Strateji',
         accept: 'Kabul Et',
         drop: 'Reddet',
@@ -2950,8 +2947,6 @@ const message = {
         createIpRule: '@:commons.button.create @:firewall.ipRule',
         userAgent: 'Kullanıcı-Aracısı filtresi',
         sourcePort: 'Kaynak port',
-        inboundDirection: 'Gelen',
-        outboundDirection: 'Giden',
         targetIP: 'Hedef IP',
         targetPort: 'Hedef port',
         forwardHelper1: 'Yerel porta yönlendirmek istiyorsanız, hedef IP "127.0.0.1" olarak ayarlanmalıdır.',
@@ -2961,6 +2956,38 @@ const message = {
         exportHelper: '{0} güvenlik duvarı kuralını dışa aktarmak üzere. Devam etmek istiyor musunuz?',
         importSuccess: '{0} kural başarıyla içe aktarıldı',
         importPartialSuccess: 'İçe aktarma tamamlandı: {0} başarılı, {1} başarısız',
+
+        basicStatus:
+            'Mevcut zincir {0} durumu bağlı değil. Eklenen güvenlik duvarı kuralları bağlandıktan sonra etkili olacak!',
+        baseIptables: 'Iptables Servisi',
+        forwardIptables: 'Iptables Port Yönlendirme Servisi',
+        advanceIptables: 'Iptables Gelişmiş Yapılandırma Servisi',
+        initMsg: '{0} başlatılmak üzere, devam etmek istiyor musunuz?',
+        initHelper:
+            '{0} başlatılmadığı tespit edildi. Lütfen üst durum çubuğundaki başlatma düğmesine tıklayarak yapılandırın!',
+        bindHelper: 'Bağla - Güvenlik duvarı kuralları yalnızca durum bağlı olduğunda etkili olur. Onaylıyor musunuz?',
+        unbindHelper:
+            'Bağlantıyı Kaldır - Bağlantı kaldırıldığında, eklenen tüm güvenlik duvarı kuralları geçersiz olacaktır. Dikkatli ilerleyin. Onaylıyor musunuz?',
+        defaultStrategy: 'Mevcut zincir {0} için varsayılan politika {1}',
+        defaultStrategy2:
+            'Mevcut zincir {0} için varsayılan politika {1}, mevcut durum bağlı değil. Eklenen güvenlik duvarı kuralları bağlandıktan sonra etkili olacak!',
+        filterRule: 'Filtre Kuralı',
+        filterHelper:
+            'Filtre kuralları, INPUT/OUTPUT seviyesinde ağ trafiğini kontrol etmenize izin verir. Sistemi kilitlememek için dikkatli yapılandırın.',
+        chain: 'Zincir',
+        targetChain: 'Hedef Zincir',
+        sourceIP: 'Kaynak IP',
+        destIP: 'Hedef IP',
+        inboundDirection: 'Gelen Yön',
+        outboundDirection: 'Giden Yön',
+        destPort: 'Hedef Port',
+        action: 'Eylem',
+        reject: 'Reddet',
+        sourceIPHelper: 'CIDR formatı, örn. 192.168.1.0/24. Tüm adresler için boş bırakın',
+        destIPHelper: 'CIDR formatı, örn. 10.0.0.0/8. Tüm adresler için boş bırakın',
+        portHelper: '0 herhangi bir port anlamına gelir',
+        allPorts: 'Tüm Portlar',
+        deleteRuleConfirm: '{0} kural silinecek. Devam etmek istiyor musunuz?',
     },
     runtime: {
         runtime: 'Çalışma Zamanı',
diff --git a/frontend/src/lang/modules/zh-Hant.ts b/frontend/src/lang/modules/zh-Hant.ts
index 69eccdae0911..8300c251f9ad 100644
--- a/frontend/src/lang/modules/zh-Hant.ts
+++ b/frontend/src/lang/modules/zh-Hant.ts
@@ -2679,8 +2679,6 @@ const message = {
         portFormatError: '請輸入正確的埠資訊！',
         portHelper1: '多個埠，如：8080,8081',
         portHelper2: '範圍埠，如：8080-8089',
-        allPorts: '所有埠',
-        ruleTemplate: '規則模板',
         strategy: '策略',
         accept: '允許',
         drop: '拒絕',
@@ -2701,8 +2699,6 @@ const message = {
         createIpRule: '@:commons.button.create @:firewall.ipRule',
         userAgent: 'User-Agent 過濾',
         sourcePort: '來源埠',
-        inboundDirection: '入站方向',
-        outboundDirection: '出站方向',
         targetIP: '目標 IP',
         targetPort: '目標埠',
         forwardHelper1: '如果是本機埠轉發，目標 IP 為：127.0.0.1',
@@ -2712,6 +2708,33 @@ const message = {
         exportHelper: '即將導出 {0} 條防火牆規則，是否繼續？',
         importSuccess: '成功匯入 {0} 條規則',
         importPartialSuccess: '匯入完成：成功 {0} 條，失敗 {1} 條',
+
+        basicStatus: '目前鏈 {0} 狀態為未綁定，已新增的防火牆規則需要綁定後生效！',
+        baseIptables: 'Iptables 服務',
+        forwardIptables: 'Iptables 端口轉發服務',
+        advanceIptables: 'Iptables 進階設定服務',
+        initMsg: '即將初始化 {0}, 是否繼續？',
+        initHelper: '偵測到 {0} 未初始化，請點選頂部狀態列的初始化按鈕進行設定！',
+        bindHelper: '綁定 僅當狀態為綁定時，防火牆規則才能生效，是否確認？',
+        unbindHelper: '解除綁定 解除綁定時，已新增的所有防火牆規則將失效，請謹慎操作，是否確認？',
+        defaultStrategy: '目前鏈 {0} 的預設策略為 {1}',
+        defaultStrategy2: '目前鏈 {0} 的預設策略為 {1}，目前狀態為未綁定，已新增的防火牆規則需要綁定後生效！',
+        filterRule: 'Filter 規則',
+        filterHelper: 'Filter 規則允許您在 INPUT/OUTPUT 層級控制網路流量。請謹慎設定，避免鎖定系統。',
+        chain: '鏈',
+        targetChain: '目標鏈',
+        sourceIP: '來源 IP',
+        destIP: '目標 IP',
+        inboundDirection: '入站方向',
+        outboundDirection: '出站方向',
+        destPort: '目標端口',
+        action: '動作',
+        reject: '拒絕',
+        sourceIPHelper: 'CIDR 格式，如 192.168.1.0/24，留空表示所有地址',
+        destIPHelper: 'CIDR 格式，如 10.0.0.0/8，留空表示所有地址',
+        portHelper: '0 表示任意端口',
+        allPorts: '所有端口',
+        deleteRuleConfirm: '將刪除 {0} 條規則，是否繼續？',
     },
     runtime: {
         runtime: '執行環境',
diff --git a/frontend/src/lang/modules/zh.ts b/frontend/src/lang/modules/zh.ts
index dff67ae3ff19..81b416032e35 100644
--- a/frontend/src/lang/modules/zh.ts
+++ b/frontend/src/lang/modules/zh.ts
@@ -2707,12 +2707,21 @@ const message = {
         exportHelper: '即将导出 {0} 条防火墙规则，是否继续？',
         importSuccess: '成功导入 {0} 条规则',
         importPartialSuccess: '导入完成：成功 {0} 条，失败 {1} 条',
+
+        basicStatus: '当前链 {0} 状态为未绑定，已添加的防火墙规则需要绑定后生效！',
+        baseIptables: 'Iptables 服务',
+        forwardIptables: 'Iptables 端口转发服务',
+        advanceIptables: 'Iptables 高级配置服务',
+        initMsg: '即将初始化 {0}, 是否继续？',
+        initHelper: '检测到 {0} 未初始化，请点击顶部状态栏的初始化按钮进行配置！',
+        bindHelper: '绑定 仅当状态为绑定时，防火墙规则才能生效，是否确认？',
+        unbindHelper: '解绑 解除绑定时，已添加的所有防火墙规则将失效，请谨慎操作，是否确认？',
+        defaultStrategy: '当前链 {0} 的默认策略为 {1}',
+        defaultStrategy2: '当前链 {0} 的默认策略为 {1}，当前状态为未绑定，已添加的防火墙规则需要绑定后生效！',
         filterRule: 'Filter 规则',
         filterHelper: 'Filter 规则允许您在 INPUT/OUTPUT 级别控制网络流量。请谨慎配置，避免锁定系统。',
         chain: '链',
         targetChain: '目标链',
-        chainHelper: '仅允许修改 1PANEL_INPUT 和 1PANEL_OUTPUT 自定义链',
-        ruleOrder: '顺序',
         sourceIP: '源 IP',
         destIP: '目标 IP',
         inboundDirection: '入站方向',
@@ -2720,21 +2729,11 @@ const message = {
         destPort: '目标端口',
         action: '动作',
         reject: '拒绝',
-        defaultPolicy: '默认策略',
-        applied: '已应用',
-        notApplied: '未应用',
-        initChains: '初始化链',
-        applyFirewall: '应用防火墙',
-        unloadFirewall: '禁用防火墙',
         sourceIPHelper: 'CIDR 格式，如 192.168.1.0/24，留空表所有地址',
         destIPHelper: 'CIDR 格式，如 10.0.0.0/留空表所有地址',
         portHelper: '0 表示任意端口',
         allPorts: '所有端口',
-        ruleTemplate: '规则模板',
         deleteRuleConfirm: '将删除 {0} 条规则，是否继续？',
-        initChainsConfirm: '将重置 1PANEL_INPUT 和 1PANEL_OUTPUT 链为默认 ACCEPT 规则，是否继续？',
-        applyConfirm: '将应用自定义链到 INPUT/OUTPUT，请确保 SSH 端口（22）已放行，是否继续？',
-        unloadConfirm: '将从 INPUT/OUTPUT 移除自定义链，是否继续？',
     },
     runtime: {
         runtime: '运行环境',
diff --git a/frontend/src/routers/modules/host.ts b/frontend/src/routers/modules/host.ts
index 2ecd27623e69..a0996b66ac7f 100644
--- a/frontend/src/routers/modules/host.ts
+++ b/frontend/src/routers/modules/host.ts
@@ -81,9 +81,9 @@ const hostRouter = {
             },
         },
         {
-            path: '/hosts/firewall/filter',
-            name: 'FirewallFilter',
-            component: () => import('@/views/host/firewall/filter/index.vue'),
+            path: '/hosts/firewall/advance',
+            name: 'FirewallAdvance',
+            component: () => import('@/views/host/firewall/advance/index.vue'),
             hidden: true,
             meta: {
                 activeMenu: '/hosts/firewall/port',
diff --git a/frontend/src/views/host/firewall/filter/index.vue b/frontend/src/views/host/firewall/advance/index.vue
similarity index 58%
rename from frontend/src/views/host/firewall/filter/index.vue
rename to frontend/src/views/host/firewall/advance/index.vue
index 815df76dbb8c..07f9e49db32d 100644
--- a/frontend/src/views/host/firewall/filter/index.vue
+++ b/frontend/src/views/host/firewall/advance/index.vue
@@ -10,9 +10,9 @@
                 v-model:mask-show="maskShow"
                 v-model:is-active="isActive"
                 v-model:name="fireName"
-                :show-advanced-controls="true"
+                current-tab="advance"
             />
-            <div v-if="fireName === '-'">
+            <div v-if="fireName !== '-' && fireName !== 'iptables'">
                 <LayoutContent :divider="true">
                     <template #main>
                         <div class="app-warn">
@@ -27,31 +27,25 @@
                 </LayoutContent>
             </div>
 
-            <div v-else-if="!isIptablesComputed">
-                <LayoutContent :divider="true">
-                    <template #main>
-                        <div class="app-warn">
-                            <div class="flex flex-col gap-2 items-center justify-center w-full sm:flex-row">
-                                <span>{{ $t('firewall.advancedControlNotAvailable', [fireName]) }}</span>
-                            </div>
-                            <div>
-                                <img src="@/assets/images/no_app.svg" />
-                            </div>
-                        </div>
-                    </template>
-                </LayoutContent>
-            </div>
-
-            <div v-else>
+            <div v-if="fireName === 'iptables'">
                 <el-card v-if="!isActive && maskShow" class="mask-prompt">
                     <span>{{ $t('firewall.firewallNotStart') }}</span>
                 </el-card>
                 <LayoutContent :title="$t('firewall.filterRule')" :class="{ mask: !isActive }">
+                    <template #prompt>
+                        <el-alert type="info" :closable="false" :title="loadPrompt()" />
+                    </template>
                     <template #leftToolBar>
-                        <el-button type="primary" @click="onOpenDialog('create')" :disabled="!isCustomChain">
+                        <el-button type="primary" @click="onOpenDialog('create')">
                             {{ $t('firewall.create') }}
                         </el-button>
-                        <el-button @click="onDelete(null)" plain :disabled="selects.length === 0 || !isCustomChain">
+                        <el-button v-if="isBind" plain @click="onUnBind">
+                            {{ $t('commons.button.unbind') }}
+                        </el-button>
+                        <el-button v-if="!isBind" plain @click="onBind">
+                            {{ $t('commons.button.bind') }}
+                        </el-button>
+                        <el-button @click="onDelete(null)" plain :disabled="selects.length === 0">
                             {{ $t('commons.button.delete') }}
                         </el-button>
                     </template>
@@ -61,80 +55,55 @@
                             <template #prefix>{{ $t('firewall.chain') }}</template>
                             <el-option :label="$t('firewall.inboundDirection')" value="1PANEL_INPUT"></el-option>
                             <el-option :label="$t('firewall.outboundDirection')" value="1PANEL_OUTPUT"></el-option>
-                            <el-option label="INPUT" value="INPUT"></el-option>
-                            <el-option label="OUTPUT" value="OUTPUT"></el-option>
                         </el-select>
                         <TableRefresh @search="search()" />
                         <TableSetting title="firewall-filter-refresh" @search="search()" />
                     </template>
 
                     <template #main>
-                        <!-- Chain Status Cards -->
-                        <el-row :gutter="20" class="mb-4">
-                            <el-col :span="12">
-                                <el-card>
-                                    <div class="chain-card">
-                                        <div class="chain-title">{{ $t('firewall.inboundDirection') }}</div>
-                                        <div class="chain-policy">
-                                            {{ $t('firewall.defaultPolicy') }}:
-                                            {{ inputChainInfo?.defaultPolicy || 'ACCEPT' }}
-                                        </div>
-                                    </div>
-                                </el-card>
-                            </el-col>
-                            <el-col :span="12">
-                                <el-card>
-                                    <div class="chain-card">
-                                        <div class="chain-title">{{ $t('firewall.outboundDirection') }}</div>
-                                        <div class="chain-policy">
-                                            {{ $t('firewall.defaultPolicy') }}:
-                                            {{ outputChainInfo?.defaultPolicy || 'ACCEPT' }}
-                                        </div>
-                                    </div>
-                                </el-card>
-                            </el-col>
-                        </el-row>
-
                         <ComplexTable
                             :pagination-config="paginationConfig"
                             v-model:selects="selects"
                             @search="search"
                             :data="data"
-                            :heightDiff="520"
+                            :heightDiff="220"
                         >
                             <el-table-column type="selection" fix />
-                            <el-table-column :label="$t('firewall.ruleOrder')" :min-width="80" prop="ruleOrder" />
                             <el-table-column :label="$t('commons.table.protocol')" :min-width="80" prop="protocol">
                                 <template #default="{ row }">
-                                    <span>{{ row.protocol === '' ? 'ALL' : row.protocol.toUpperCase() }}</span>
+                                    {{ row.protocol === '' ? 'ALL' : row.protocol }}
                                 </template>
                             </el-table-column>
-                            <el-table-column :label="$t('firewall.sourceIP')" :min-width="120" prop="sourceIP">
+                            <el-table-column :label="$t('firewall.sourceIP')" :min-width="120" prop="srcIP">
                                 <template #default="{ row }">
-                                    <span>{{ row.sourceIP || $t('firewall.anyWhere') }}</span>
+                                    {{ formatIP(row.srcIP) }}
                                 </template>
                             </el-table-column>
                             <el-table-column :label="$t('firewall.sourcePort')" :min-width="100" prop="sourcePort">
                                 <template #default="{ row }">
-                                    <span>{{ formatPort(row.sourcePort) }}</span>
+                                    {{ formatPort(row.srcPort) }}
                                 </template>
                             </el-table-column>
-                            <el-table-column :label="$t('firewall.destIP')" :min-width="120" prop="destIP">
+                            <el-table-column :label="$t('firewall.destIP')" :min-width="120" prop="dstIP">
                                 <template #default="{ row }">
-                                    <span>{{ row.destIP || $t('firewall.anyWhere') }}</span>
+                                    {{ formatIP(row.dstIP) }}
                                 </template>
                             </el-table-column>
-                            <el-table-column :label="$t('firewall.destPort')" :min-width="100" prop="destPort">
+                            <el-table-column :label="$t('firewall.destPort')" :min-width="100" prop="dstPort">
                                 <template #default="{ row }">
-                                    <span>{{ formatPort(row.destPort) }}</span>
+                                    {{ formatPort(row.dstPort) }}
                                 </template>
                             </el-table-column>
-                            <el-table-column :min-width="100" :label="$t('firewall.action')" prop="action">
+                            <el-table-column :min-width="100" :label="$t('firewall.action')" prop="strategy">
                                 <template #default="{ row }">
-                                    <el-tag v-if="row.action === 'ACCEPT'" type="success">{{ row.action }}</el-tag>
-                                    <el-tag v-else-if="row.action === 'DROP'" type="danger">{{ row.action }}</el-tag>
-                                    <el-tag v-else-if="row.action === 'REJECT'" type="warning">{{ row.action }}</el-tag>
-                                    <el-tag v-else type="info">{{ row.action }}</el-tag>
+                                    <el-tag v-if="row.strategy === 'ACCEPT'" type="success">{{ row.strategy }}</el-tag>
+                                    <el-tag v-else-if="row.strategy === 'DROP'" type="danger">
+                                        {{ row.strategy }}
+                                    </el-tag>
+                                    <el-tag v-else-if="row.strategy === 'REJECT'" type="warning">
+                                        {{ row.strategy }}
+                                    </el-tag>
+                                    <el-tag v-else type="info">{{ row.strategy }}</el-tag>
                                 </template>
                             </el-table-column>
                             <el-table-column
@@ -144,7 +113,6 @@
                                 show-overflow-tooltip
                             />
                             <fu-table-operations
-                                v-if="isCustomChain"
                                 width="120px"
                                 :buttons="buttons"
                                 :ellipsis="10"
@@ -165,30 +133,28 @@
 <script lang="ts" setup>
 import FireRouter from '@/views/host/firewall/index.vue';
 import FireStatus from '@/views/host/firewall/status/index.vue';
-import OperateDialog from '@/views/host/firewall/filter/operate/index.vue';
-import { computed, onMounted, reactive, ref } from 'vue';
-import { getFilterRules, batchOperateFilterRule } from '@/api/modules/host';
+import OperateDialog from '@/views/host/firewall/advance/operate/index.vue';
+import { onMounted, reactive, ref } from 'vue';
+import { searchFilterRules, batchOperateFilterRule, loadChainStatus, operateFilterChain } from '@/api/modules/host';
 import { Host } from '@/api/interface/host';
 import i18n from '@/lang';
+import { MsgSuccess } from '@/utils/message';
 
 const loading = ref();
 const selects = ref<any>([]);
 const selectedChain = ref('1PANEL_INPUT');
-const iptablesVersion = ref('');
+const defaultStrategy = ref('ACCEPT');
 const firewallName = ref('');
 
 const maskShow = ref(true);
 const isActive = ref(false);
+const isBind = ref(false);
 const fireName = ref();
 const fireStatusRef = ref();
 
 const opRef = ref();
 
-const chainInfoMap = ref<Map<string, Host.IptablesChainInfo>>(new Map());
-const data = computed(() => {
-    const chainInfo = chainInfoMap.value.get(selectedChain.value);
-    return chainInfo?.rules || [];
-});
+const data = ref();
 
 const formatPort = (port?: number | null | string) => {
     if (port === 0 || port === '0') {
@@ -199,14 +165,12 @@ const formatPort = (port?: number | null | string) => {
     }
     return port;
 };
-
-const isIptablesComputed = computed(() => fireName.value === 'iptables');
-const inputChainInfo = computed(() => chainInfoMap.value.get('INPUT'));
-const outputChainInfo = computed(() => chainInfoMap.value.get('OUTPUT'));
-
-const isCustomChain = computed(() => {
-    return selectedChain.value === '1PANEL_INPUT' || selectedChain.value === '1PANEL_OUTPUT';
-});
+const formatIP = (ip?: null | string) => {
+    if (ip) {
+        return ip === 'anywhere' ? i18n.global.t('firewall.anyWhere') : ip;
+    }
+    return i18n.global.t('firewall.anyWhere');
+};
 
 const paginationConfig = reactive({
     cacheSizeKey: 'firewall-filter-page-size',
@@ -218,49 +182,80 @@ const paginationConfig = reactive({
 const search = async () => {
     if (!isActive.value) {
         loading.value = false;
-        chainInfoMap.value.clear();
         paginationConfig.total = 0;
         return;
     }
-    const params: Host.IptablesFilterRuleSearch = {
-        chains: ['INPUT', 'OUTPUT', '1PANEL_INPUT', '1PANEL_OUTPUT'],
+    let params = {
+        type: selectedChain.value,
+        info: '',
+        page: paginationConfig.currentPage,
+        pageSize: paginationConfig.pageSize,
     };
     loading.value = true;
-    await getFilterRules(params)
+    loadStatus();
+    await searchFilterRules(params)
         .then((res) => {
             loading.value = false;
-            chainInfoMap.value.clear();
-            res.data.forEach((chainInfo: Host.IptablesChainInfo) => {
-                chainInfoMap.value.set(chainInfo.name, chainInfo);
-            });
-            const currentChainData = data.value || [];
-            iptablesVersion.value = chainInfoMap.value.get('INPUT')?.version || '';
-            paginationConfig.total = currentChainData.length;
+            data.value = res.data.items || [];
+            paginationConfig.total = res.data.total;
         })
         .catch(() => {
             loading.value = false;
         });
 };
 
-const dialogRef = ref();
-const onOpenDialog = async (title: string, rowData?: Host.IptablesFilterRuleOperate) => {
-    if (!isCustomChain.value) {
-        return;
+const loadPrompt = () => {
+    if (isBind.value) {
+        return i18n.global.t('firewall.defaultStrategy', [selectedChain.value, defaultStrategy.value]);
     }
+    return i18n.global.t('firewall.defaultStrategy2', [selectedChain.value, defaultStrategy.value]);
+};
+
+const loadStatus = async () => {
+    await loadChainStatus(selectedChain.value).then((res) => {
+        isBind.value = res.data.isBind;
+        defaultStrategy.value = res.data.defaultStrategy || 'ACCEPT';
+    });
+};
+const onBind = async () => {
+    ElMessageBox.confirm(i18n.global.t('firewall.bindHelper'), i18n.global.t('commons.button.bind'), {
+        confirmButtonText: i18n.global.t('commons.button.confirm'),
+        cancelButtonText: i18n.global.t('commons.button.cancel'),
+    }).then(async () => {
+        await operateFilterChain(selectedChain.value, 'bind').then(() => {
+            MsgSuccess(i18n.global.t('commons.msg.operationSuccess'));
+            loadStatus();
+        });
+    });
+};
+const onUnBind = async () => {
+    ElMessageBox.confirm(i18n.global.t('firewall.unbindHelper'), i18n.global.t('commons.button.unbind'), {
+        confirmButtonText: i18n.global.t('commons.button.confirm'),
+        cancelButtonText: i18n.global.t('commons.button.cancel'),
+    }).then(async () => {
+        await operateFilterChain(selectedChain.value, 'unbind').then(() => {
+            MsgSuccess(i18n.global.t('commons.msg.operationSuccess'));
+            loadStatus();
+        });
+    });
+};
+
+const dialogRef = ref();
+const onOpenDialog = async (title: string, rowData?: Host.IptablesFilterRuleOp) => {
     const params = {
         title,
         rowData: rowData || {
             chain: selectedChain.value,
-            protocol: 'all',
-            action: 'ACCEPT',
-            sourcePort: 0,
-            destPort: 0,
+            protocol: 'tcp',
+            strategy: 'ACCEPT',
+            srcPort: 0,
+            dstPort: 0,
         },
     };
     dialogRef.value!.acceptParams(params);
 };
 
-const onDelete = async (row: Host.IptablesFilterRuleInfo | null) => {
+const onDelete = async (row: Host.IptablesFilterRuleOp | null) => {
     let names = [];
     let rules = [];
     if (row) {
@@ -268,27 +263,33 @@ const onDelete = async (row: Host.IptablesFilterRuleInfo | null) => {
             operation: 'remove',
             id: row.id,
             chain: selectedChain.value,
+            srcPort: row.srcPort,
+            dstPort: row.dstPort,
+            srcIP: row.srcIP === 'anywhere' ? '' : row.srcIP,
+            dstIP: row.dstIP === 'anywhere' ? '' : row.dstIP,
             protocol: row.protocol,
-            action: row.action,
+            strategy: row.strategy,
         });
         names = [
-            `${row.protocol} ${row.sourceIP || '*'}:${row.sourcePort || '*'} -> ${row.destIP || '*'}:${
-                row.destPort || '*'
-            }`,
+            `${row.protocol} ${row.srcIP || '*'}:${row.srcPort || '*'} -> ${row.dstIP || '*'}:${row.dstPort || '*'}`,
         ];
     } else {
         for (const item of selects.value) {
             names.push(
-                `${item.protocol} ${item.sourceIP || '*'}:${item.sourcePort || '*'} -> ${item.destIP || '*'}:${
-                    item.destPort || '*'
+                `${item.protocol} ${item.srcIP || '*'}:${item.srcPort || '*'} -> ${item.dstIP || '*'}:${
+                    item.dstPort || '*'
                 }`,
             );
             rules.push({
                 operation: 'remove',
                 id: item.id,
                 chain: selectedChain.value,
+                srcPort: item.srcPort,
+                dstPort: item.dstPort,
+                srcIP: item.srcIP === 'anywhere' ? '' : item.srcIP,
+                dstIP: item.dstIP === 'anywhere' ? '' : item.dstIP,
                 protocol: item.protocol,
-                action: item.action,
+                strategy: item.strategy,
             });
         }
     }
@@ -304,7 +305,7 @@ const onDelete = async (row: Host.IptablesFilterRuleInfo | null) => {
 const buttons = [
     {
         label: i18n.global.t('commons.button.delete'),
-        click: (row: Host.IptablesFilterRuleInfo) => {
+        click: (row: Host.IptablesFilterRuleOp) => {
             onDelete(row);
         },
     },
diff --git a/frontend/src/views/host/firewall/advance/operate/index.vue b/frontend/src/views/host/firewall/advance/operate/index.vue
new file mode 100644
index 000000000000..189094ebec24
--- /dev/null
+++ b/frontend/src/views/host/firewall/advance/operate/index.vue
@@ -0,0 +1,166 @@
+<template>
+    <DrawerPro v-model="drawerVisible" :header="title" @close="handleClose" size="large">
+        <el-form ref="formRef" label-position="top" :model="dialogData.rowData" :rules="rules" v-loading="loading">
+            <el-form-item :label="$t('commons.table.protocol')" prop="protocol">
+                <el-select class="w-full" v-model="dialogData.rowData!.protocol" @change="changeProtocol">
+                    <el-option value="all" label="all" />
+                    <el-option value="tcp" label="tcp" />
+                    <el-option value="udp" label="udp" />
+                    <el-option value="icmp" label="icmp" />
+                </el-select>
+            </el-form-item>
+
+            <el-form-item
+                v-if="dialogData.rowData?.chain === '1PANEL_INPUT'"
+                :label="$t('firewall.sourceIP')"
+                prop="srcIP"
+            >
+                <el-input clearable v-model.trim="dialogData.rowData!.srcIP" placeholder="0.0.0.0/0" />
+                <span class="input-help">{{ $t('firewall.sourceIPHelper') }}</span>
+            </el-form-item>
+
+            <el-form-item
+                v-if="dialogData.rowData?.chain === '1PANEL_OUTPUT'"
+                :label="$t('firewall.destIP')"
+                prop="dstIP"
+            >
+                <el-input clearable v-model.trim="dialogData.rowData!.dstIP" placeholder="0.0.0.0/0" />
+                <span class="input-help">{{ $t('firewall.destIPHelper') }}</span>
+            </el-form-item>
+
+            <el-form-item :label="$t('firewall.destPort')" prop="dstPort">
+                <el-input-number
+                    class="w-full"
+                    v-model="dialogData.rowData!.dstPort"
+                    :min="0"
+                    :max="65535"
+                    :disabled="dialogData.rowData?.protocol === 'all'"
+                />
+                <span class="input-help">{{ $t('firewall.portHelper') }}</span>
+            </el-form-item>
+
+            <el-form-item :label="$t('firewall.action')" prop="strategy">
+                <el-radio-group v-model="dialogData.rowData!.strategy">
+                    <el-radio value="ACCEPT">{{ $t('firewall.accept') }}</el-radio>
+                    <el-radio value="DROP">{{ $t('firewall.drop') }}</el-radio>
+                </el-radio-group>
+            </el-form-item>
+
+            <el-form-item :label="$t('commons.table.description')" prop="description">
+                <el-input clearable v-model.trim="dialogData.rowData!.description" />
+            </el-form-item>
+        </el-form>
+        <template #footer>
+            <span class="dialog-footer">
+                <el-button @click="drawerVisible = false">{{ $t('commons.button.cancel') }}</el-button>
+                <el-button type="primary" @click="onSubmit(formRef)">
+                    {{ $t('commons.button.confirm') }}
+                </el-button>
+            </span>
+        </template>
+    </DrawerPro>
+</template>
+
+<script lang="ts" setup>
+import { reactive, ref } from 'vue';
+import { Rules } from '@/global/form-rules';
+import i18n from '@/lang';
+import { ElForm } from 'element-plus';
+import { MsgSuccess } from '@/utils/message';
+import { Host } from '@/api/interface/host';
+import { operateFilterRule } from '@/api/modules/host';
+import { checkCidr, checkCidrV6, checkIpV4V6 } from '@/utils/util';
+
+const loading = ref();
+
+interface DialogProps {
+    title: string;
+    rowData?: Host.IptablesFilterRuleOp;
+}
+const title = ref<string>('');
+const drawerVisible = ref(false);
+const dialogData = ref<DialogProps>({
+    title: '',
+});
+
+const acceptParams = (params: DialogProps): void => {
+    dialogData.value = params;
+    title.value = i18n.global.t('firewall.' + dialogData.value.title);
+    if (dialogData.value.rowData.chain === '1PANEL_INPUT') {
+        dialogData.value.rowData.dstIP = '';
+    } else if (dialogData.value.rowData.chain === '1PANEL_OUTPUT') {
+        dialogData.value.rowData.srcIP = '';
+    }
+    drawerVisible.value = true;
+};
+const emit = defineEmits<{ (e: 'search'): void }>();
+
+const handleClose = () => {
+    drawerVisible.value = false;
+};
+
+const rules = reactive({
+    chain: [Rules.requiredSelect],
+    protocol: [Rules.requiredSelect],
+    strategy: [Rules.requiredSelect],
+    srcIP: [{ validator: checkIPAddress, trigger: 'blur' }],
+    dstIP: [{ validator: checkIPAddress, trigger: 'blur' }],
+});
+
+function checkIPAddress(_rule: any, value: any, callback: any) {
+    if (!value) {
+        return callback();
+    }
+    if (value.indexOf('/') !== -1) {
+        if (value.indexOf(':') !== -1) {
+            if (checkCidrV6(value)) {
+                return callback(new Error(i18n.global.t('firewall.addressFormatError')));
+            }
+        } else {
+            if (checkCidr(value)) {
+                return callback(new Error(i18n.global.t('firewall.addressFormatError')));
+            }
+        }
+    } else {
+        if (checkIpV4V6(value)) {
+            return callback(new Error(i18n.global.t('firewall.addressFormatError')));
+        }
+    }
+    callback();
+}
+
+const changeProtocol = () => {
+    if (dialogData.value.rowData.protocol === 'all') {
+        dialogData.value.rowData.srcPort = 0;
+        dialogData.value.rowData.dstPort = 0;
+    }
+};
+
+type FormInstance = InstanceType<typeof ElForm>;
+const formRef = ref<FormInstance>();
+
+const onSubmit = async (formEl: FormInstance | undefined) => {
+    if (!formEl) return;
+    formEl.validate(async (valid) => {
+        if (!valid) return;
+        dialogData.value.rowData.operation = 'add';
+        if (!dialogData.value.rowData) return;
+
+        loading.value = true;
+        await operateFilterRule(dialogData.value.rowData)
+            .then(() => {
+                loading.value = false;
+                MsgSuccess(i18n.global.t('commons.msg.operationSuccess'));
+                emit('search');
+                drawerVisible.value = false;
+            })
+            .catch(() => {
+                loading.value = false;
+            });
+    });
+};
+
+defineExpose({
+    acceptParams,
+});
+</script>
diff --git a/frontend/src/views/host/firewall/filter/operate/index.vue b/frontend/src/views/host/firewall/filter/operate/index.vue
deleted file mode 100644
index 23ac0c1b284c..000000000000
--- a/frontend/src/views/host/firewall/filter/operate/index.vue
+++ /dev/null
@@ -1,250 +0,0 @@
-<template>
-    <DrawerPro v-model="drawerVisible" :header="title" @close="handleClose" size="large">
-        <el-form ref="formRef" label-position="top" :model="dialogData.rowData" :rules="rules" v-loading="loading">
-            <el-form-item :label="$t('firewall.targetChain')" prop="chain">
-                <el-select class="w-full" v-model="dialogData.rowData!.chain">
-                    <el-option value="1PANEL_INPUT" :label="$t('firewall.inboundDirection')" />
-                    <el-option value="1PANEL_OUTPUT" :label="$t('firewall.outboundDirection')" />
-                </el-select>
-            </el-form-item>
-
-            <el-form-item :label="$t('firewall.ruleTemplate')">
-                <el-select class="w-full" v-model="templateValue" clearable>
-                    <el-option
-                        v-for="item in ruleTemplates"
-                        :key="item.value"
-                        :label="$t(item.label)"
-                        :value="item.value"
-                    />
-                </el-select>
-            </el-form-item>
-
-            <el-form-item :label="$t('commons.table.protocol')" prop="protocol">
-                <el-select class="w-full" v-model="dialogData.rowData!.protocol">
-                    <el-option value="all" label="ALL" />
-                    <el-option value="tcp" label="TCP" />
-                    <el-option value="udp" label="UDP" />
-                    <el-option value="icmp" label="ICMP" />
-                </el-select>
-            </el-form-item>
-
-            <el-form-item v-if="!isOutbound" :label="$t('firewall.sourceIP')" prop="sourceIP">
-                <el-input clearable v-model.trim="dialogData.rowData!.sourceIP" placeholder="0.0.0.0/0" />
-                <span class="input-help">{{ $t('firewall.sourceIPHelper') }}</span>
-            </el-form-item>
-
-            <el-form-item v-if="!isInbound" :label="$t('firewall.destIP')" prop="destIP">
-                <el-input clearable v-model.trim="dialogData.rowData!.destIP" placeholder="0.0.0.0/0" />
-                <span class="input-help">{{ $t('firewall.destIPHelper') }}</span>
-            </el-form-item>
-
-            <el-form-item :label="$t('firewall.destPort')" prop="destPort">
-                <el-input-number
-                    class="w-full"
-                    v-model="dialogData.rowData!.destPort"
-                    :min="0"
-                    :max="65535"
-                    controls-position="right"
-                    :disabled="isProtocolAll"
-                />
-                <span class="input-help">{{ $t('firewall.portHelper') }}</span>
-            </el-form-item>
-
-            <el-form-item :label="$t('firewall.action')" prop="action">
-                <el-radio-group v-model="dialogData.rowData!.action">
-                    <el-radio value="ACCEPT">{{ $t('firewall.accept') }}</el-radio>
-                    <el-radio value="DROP">{{ $t('firewall.drop') }}</el-radio>
-                </el-radio-group>
-            </el-form-item>
-
-            <el-form-item :label="$t('commons.table.description')" prop="description">
-                <el-input clearable v-model.trim="dialogData.rowData!.description" />
-            </el-form-item>
-        </el-form>
-        <template #footer>
-            <span class="dialog-footer">
-                <el-button @click="drawerVisible = false">{{ $t('commons.button.cancel') }}</el-button>
-                <el-button type="primary" @click="onSubmit(formRef)" :disabled="isDangerousRule">
-                    {{ $t('commons.button.confirm') }}
-                </el-button>
-            </span>
-        </template>
-    </DrawerPro>
-</template>
-
-<script lang="ts" setup>
-import { computed, reactive, ref, watch } from 'vue';
-import { Rules } from '@/global/form-rules';
-import i18n from '@/lang';
-import { ElForm } from 'element-plus';
-import { MsgSuccess } from '@/utils/message';
-import { Host } from '@/api/interface/host';
-import { operateFilterRule } from '@/api/modules/host';
-import { checkCidr, checkCidrV6, checkIpV4V6 } from '@/utils/util';
-
-const loading = ref();
-
-interface DialogProps {
-    title: string;
-    rowData?: Host.IptablesFilterRuleOperate;
-    getTableList?: () => Promise<any>;
-}
-const title = ref<string>('');
-const drawerVisible = ref(false);
-const dialogData = ref<DialogProps>({
-    title: '',
-});
-const templateValue = ref<string>('');
-const ruleTemplates = [
-    { value: 'http', label: 'HTTP(80)', protocol: 'tcp', port: 80 },
-    { value: 'https', label: 'HTTPS(443)', protocol: 'tcp', port: 443 },
-    { value: 'mysql', label: 'MYSQL(3306)', protocol: 'tcp', port: 3306 },
-] as const;
-
-const isInbound = computed(() => dialogData.value.rowData?.chain === '1PANEL_INPUT');
-const isOutbound = computed(() => dialogData.value.rowData?.chain === '1PANEL_OUTPUT');
-
-const isDangerousRule = computed(() => {
-    const rowData = dialogData.value.rowData;
-    if (!rowData) return false;
-
-    // 当规则为拒绝、端口为0、且IP留空时认为是危险规则
-    if (rowData.action === 'DROP' && rowData.destPort === 0) {
-        const isSourceIPEmpty = !rowData.sourceIP || rowData.sourceIP.trim() === '';
-        const isDestIPEmpty = !rowData.destIP || rowData.destIP.trim() === '';
-
-        if ((isInbound.value && isSourceIPEmpty) || (isOutbound.value && isDestIPEmpty)) {
-            return true;
-        }
-    }
-    return false;
-});
-
-const acceptParams = (params: DialogProps): void => {
-    dialogData.value = params;
-    title.value = i18n.global.t('firewall.' + dialogData.value.title);
-    templateValue.value = detectTemplate(dialogData.value.rowData);
-    drawerVisible.value = true;
-};
-const emit = defineEmits<{ (e: 'search'): void }>();
-
-const handleClose = () => {
-    drawerVisible.value = false;
-};
-
-const rules = reactive({
-    chain: [Rules.requiredSelect],
-    protocol: [Rules.requiredSelect],
-    action: [Rules.requiredSelect],
-    sourceIP: [{ validator: checkIPAddress, trigger: 'blur' }],
-    destIP: [{ validator: checkIPAddress, trigger: 'blur' }],
-});
-
-const isProtocolAll = computed(() => dialogData.value.rowData?.protocol === 'all');
-
-watch(
-    () => dialogData.value.rowData?.chain,
-    (chain) => {
-        const rowData = dialogData.value.rowData;
-        if (!rowData) return;
-        if (chain === '1PANEL_INPUT') {
-            rowData.destIP = '';
-        } else if (chain === '1PANEL_OUTPUT') {
-            rowData.sourceIP = '';
-        }
-    },
-    { immediate: true },
-);
-
-watch(
-    () => dialogData.value.rowData?.protocol,
-    (protocol) => {
-        if (protocol === 'all' && dialogData.value.rowData) {
-            dialogData.value.rowData.sourcePort = 0;
-            dialogData.value.rowData.destPort = 0;
-        }
-    },
-    { immediate: true },
-);
-
-watch(templateValue, (value) => {
-    const rowData = dialogData.value.rowData;
-    if (!rowData || !value) {
-        return;
-    }
-    const template = ruleTemplates.find((item) => item.value === value);
-    if (!template) return;
-    rowData.protocol = template.protocol;
-    rowData.destPort = template.port;
-});
-
-watch(
-    () => [dialogData.value.rowData?.protocol, dialogData.value.rowData?.destPort],
-    ([protocol, port]) => {
-        const matched = ruleTemplates.find((item) => item.protocol === protocol && item.port === Number(port));
-        const nextValue = matched?.value || '';
-        if (templateValue.value !== nextValue) {
-            templateValue.value = nextValue;
-        }
-    },
-    { immediate: true },
-);
-
-function checkIPAddress(_rule: any, value: any, callback: any) {
-    if (!value) {
-        return callback();
-    }
-    if (value.indexOf('/') !== -1) {
-        if (value.indexOf(':') !== -1) {
-            if (checkCidrV6(value)) {
-                return callback(new Error(i18n.global.t('firewall.addressFormatError')));
-            }
-        } else {
-            if (checkCidr(value)) {
-                return callback(new Error(i18n.global.t('firewall.addressFormatError')));
-            }
-        }
-    } else {
-        if (checkIpV4V6(value)) {
-            return callback(new Error(i18n.global.t('firewall.addressFormatError')));
-        }
-    }
-    callback();
-}
-
-type FormInstance = InstanceType<typeof ElForm>;
-const formRef = ref<FormInstance>();
-
-const onSubmit = async (formEl: FormInstance | undefined) => {
-    if (!formEl) return;
-    formEl.validate(async (valid) => {
-        if (!valid) return;
-        dialogData.value.rowData.operation = 'add';
-        if (!dialogData.value.rowData) return;
-
-        loading.value = true;
-        await operateFilterRule(dialogData.value.rowData)
-            .then(() => {
-                loading.value = false;
-                MsgSuccess(i18n.global.t('commons.msg.operationSuccess'));
-                emit('search');
-                drawerVisible.value = false;
-            })
-            .catch(() => {
-                loading.value = false;
-            });
-    });
-};
-
-defineExpose({
-    acceptParams,
-});
-
-function detectTemplate(rowData?: Host.IptablesFilterRuleOperate) {
-    if (!rowData) return '';
-    const match = ruleTemplates.find(
-        (item) => item.protocol === rowData.protocol && item.port === Number(rowData.destPort),
-    );
-    return match?.value || '';
-}
-</script>
diff --git a/frontend/src/views/host/firewall/forward/index.vue b/frontend/src/views/host/firewall/forward/index.vue
index 346237b874ee..9c7a05d83cde 100644
--- a/frontend/src/views/host/firewall/forward/index.vue
+++ b/frontend/src/views/host/firewall/forward/index.vue
@@ -10,6 +10,7 @@
                 v-model:mask-show="maskShow"
                 v-model:is-active="isActive"
                 v-model:name="fireName"
+                current-tab="forward"
             />
             <div v-if="fireName !== '-'">
                 <el-card v-if="!isActive && maskShow" class="mask-prompt">
diff --git a/frontend/src/views/host/firewall/index.vue b/frontend/src/views/host/firewall/index.vue
index b94eb4b2d034..68421ba148f0 100644
--- a/frontend/src/views/host/firewall/index.vue
+++ b/frontend/src/views/host/firewall/index.vue
@@ -25,7 +25,7 @@ const buttons = [
     },
     {
         label: i18n.global.t('firewall.advancedControl'),
-        path: '/hosts/firewall/filter',
+        path: '/hosts/firewall/advance',
     },
 ];
 </script>
diff --git a/frontend/src/views/host/firewall/ip/index.vue b/frontend/src/views/host/firewall/ip/index.vue
index 5351dac5a722..a2b2882428b2 100644
--- a/frontend/src/views/host/firewall/ip/index.vue
+++ b/frontend/src/views/host/firewall/ip/index.vue
@@ -10,6 +10,7 @@
                 v-model:name="fireName"
                 v-model:mask-show="maskShow"
                 v-model:is-active="isActive"
+                current-tab="base"
             />
 
             <div v-if="fireName !== '-'">
diff --git a/frontend/src/views/host/firewall/port/index.vue b/frontend/src/views/host/firewall/port/index.vue
index 8c6b725636d3..9f66ffe69da4 100644
--- a/frontend/src/views/host/firewall/port/index.vue
+++ b/frontend/src/views/host/firewall/port/index.vue
@@ -10,6 +10,7 @@
                 v-model:mask-show="maskShow"
                 v-model:is-active="isActive"
                 v-model:name="fireName"
+                current-tab="base"
             />
             <div v-if="fireName !== '-'">
                 <el-card v-if="!isActive && maskShow" class="mask-prompt">
@@ -33,6 +34,14 @@
                                 </span>
                             </template>
                         </el-alert>
+
+                        <div v-if="!isBind" class="mt-2">
+                            <el-alert
+                                type="info"
+                                :closable="false"
+                                :title="$t('firewall.basicStatus', ['1PANEL_BASIC'])"
+                            />
+                        </div>
                     </template>
                     <template #leftToolBar>
                         <el-button type="primary" @click="onOpenDialog('create')">
@@ -160,7 +169,13 @@ import OperateDialog from '@/views/host/firewall/port/operate/index.vue';
 import ImportDialog from '@/views/host/firewall/port/import/index.vue';
 import FireStatus from '@/views/host/firewall/status/index.vue';
 import { onMounted, reactive, ref } from 'vue';
-import { batchOperateRule, searchFireRule, updateFirewallDescription, updatePortRule } from '@/api/modules/host';
+import {
+    batchOperateRule,
+    loadChainStatus,
+    searchFireRule,
+    updateFirewallDescription,
+    updatePortRule,
+} from '@/api/modules/host';
 import { Host } from '@/api/interface/host';
 import i18n from '@/lang';
 import { MsgSuccess } from '@/utils/message';
@@ -177,6 +192,7 @@ const searchStrategy = ref('');
 
 const maskShow = ref(true);
 const isActive = ref(false);
+const isBind = ref(false);
 const fireName = ref();
 const fireStatusRef = ref();
 
@@ -207,6 +223,7 @@ const search = async () => {
         pageSize: paginationConfig.pageSize,
     };
     loading.value = true;
+    loadStatus();
     await searchFireRule(params)
         .then((res) => {
             loading.value = false;
@@ -289,6 +306,12 @@ const onChange = async (info: any) => {
     MsgSuccess(i18n.global.t('commons.msg.operationSuccess'));
 };
 
+const loadStatus = async () => {
+    await loadChainStatus('1PANEL_BASIC').then((res) => {
+        isBind.value = res.data.isBind;
+    });
+};
+
 const onDelete = async (row: Host.RuleInfo | null) => {
     let names = [];
     let rules = [];
diff --git a/frontend/src/views/host/firewall/status/index.vue b/frontend/src/views/host/firewall/status/index.vue
index 972178346466..89976b5feb18 100644
--- a/frontend/src/views/host/firewall/status/index.vue
+++ b/frontend/src/views/host/firewall/status/index.vue
@@ -5,18 +5,7 @@
                 <div class="flex w-full flex-col gap-4 md:flex-row">
                     <div class="flex flex-wrap gap-4 ml-3">
                         <el-tag effect="dark" type="success">{{ baseInfo.name }}</el-tag>
-                        <Status
-                            class="mt-0.5"
-                            :status="
-                                baseInfo.name === 'iptables'
-                                    ? isApplied
-                                        ? 'enable'
-                                        : 'disable'
-                                    : baseInfo.isActive
-                                    ? 'enable'
-                                    : 'disable'
-                            "
-                        />
+                        <Status class="mt-0.5" :status="baseInfo.isActive ? 'enable' : 'disable'" />
                         <el-tag>{{ $t('app.version') }}: {{ baseInfo.version }}</el-tag>
                     </div>
                     <div class="mt-0.5">
@@ -32,18 +21,19 @@
                                 {{ $t('commons.button.restart') }}
                             </el-button>
                         </template>
-                        <template v-if="baseInfo.name === 'iptables'">
+                        <template v-if="!baseInfo.isInit">
                             <el-divider direction="vertical" />
-                            <el-button type="primary" @click="onAdvancedOperate('init')" link :disabled="isApplied">
-                                {{ $t('firewall.initChains') }}
+                            <el-button type="primary" link @click="onInit">
+                                {{ $t('commons.button.init') }}
                             </el-button>
+                        </template>
+                        <template v-if="baseInfo.isInit && props.currentTab == 'base'">
                             <el-divider direction="vertical" />
-                            <el-button type="success" @click="onAdvancedOperate('apply')" link :disabled="isApplied">
-                                {{ $t('firewall.applyFirewall') }}
+                            <el-button v-if="baseInfo.isBind" type="primary" link @click="onUnBind">
+                                {{ $t('commons.button.unbind') }}
                             </el-button>
-                            <el-divider direction="vertical" />
-                            <el-button type="warning" @click="onAdvancedOperate('unload')" link :disabled="!isApplied">
-                                {{ $t('firewall.unloadFirewall') }}
+                            <el-button v-if="!baseInfo.isBind" type="primary" link @click="onBind">
+                                {{ $t('commons.button.bind') }}
                             </el-button>
                         </template>
                         <span v-if="onPing !== 'None'">
@@ -62,7 +52,21 @@
                 </div>
             </el-card>
         </div>
-        <NoSuchService v-if="!baseInfo.isExist" name="Firewalld / Ufw" />
+        <NoSuchService v-else name="Firewalld / Ufw" />
+
+        <LayoutContent :divider="true" v-if="!baseInfo.isInit">
+            <template #main>
+                <div class="app-warn">
+                    <div class="flex flex-col gap-2 items-center justify-center w-full sm:flex-row">
+                        <span>{{ loadInitMsg() }}</span>
+                    </div>
+                    <div>
+                        <img src="@/assets/images/no_app.svg" />
+                    </div>
+                </div>
+            </template>
+        </LayoutContent>
+
         <DockerRestart
             ref="dockerRef"
             v-model:withDockerRestart="withDockerRestart"
@@ -78,58 +82,50 @@
 
 <script lang="ts" setup>
 import { Host } from '@/api/interface/host';
-import { loadFireBaseInfo, operateFire, getFilterRules, applyFilterFirewall } from '@/api/modules/host';
+import { loadFireBaseInfo, operateFilterChain, operateFire } from '@/api/modules/host';
 import i18n from '@/lang';
 import NoSuchService from '@/components/layout-content/no-such-service.vue';
 import DockerRestart from '@/components/docker-proxy/docker-restart.vue';
 import { MsgSuccess } from '@/utils/message';
 import { ElMessageBox } from 'element-plus';
-import { ref, computed } from 'vue';
+import { ref } from 'vue';
 
-defineProps({
-    showAdvancedControls: {
-        type: Boolean,
-        default: false,
-    },
+const props = defineProps({
+    currentTab: String,
 });
 
-const baseInfo = ref<Host.FirewallBase>({ isActive: false, isExist: true, name: '', version: '', pingStatus: '' });
+const baseInfo = ref<Host.FirewallBase>({
+    isActive: false,
+    isExist: true,
+    isInit: false,
+    isBind: false,
+    name: '',
+    version: '',
+    pingStatus: '',
+});
 const onPing = ref('Disable');
 const oldStatus = ref();
 const dockerRef = ref();
 const operation = ref('restart');
 const withDockerRestart = ref(false);
 
-// Iptables specific state
-const chainInfoMap = ref<Map<string, Host.IptablesChainInfo>>(new Map());
-
-const isApplied = computed(() => {
-    if (baseInfo.value.name !== 'iptables') return false;
-    const inputInfo = chainInfoMap.value.get('INPUT');
-    const outputInfo = chainInfoMap.value.get('OUTPUT');
-    return inputInfo?.isApplied || outputInfo?.isApplied;
-});
-
 const acceptParams = (): void => {
     loadBaseInfo(true);
 };
 const emit = defineEmits(['search', 'update:is-active', 'update:loading', 'update:maskShow', 'update:name']);
 
 const loadBaseInfo = async (search: boolean) => {
-    await loadFireBaseInfo()
+    await loadFireBaseInfo(props.currentTab)
         .then(async (res) => {
             baseInfo.value = res.data;
             onPing.value = baseInfo.value.pingStatus;
             oldStatus.value = onPing.value;
-            emit('update:name', baseInfo.value.name);
-            emit('update:is-active', baseInfo.value.isActive);
-
-            // Load iptables chain info if firewall is iptables
-            if (baseInfo.value.name === 'iptables' && baseInfo.value.isActive) {
-                await loadIptablesChainInfo();
+            if (baseInfo.value.isInit) {
+                emit('update:name', baseInfo.value.name);
             } else {
-                chainInfoMap.value.clear();
+                emit('update:name', '-');
             }
+            emit('update:is-active', baseInfo.value.isActive);
 
             if (search) {
                 emit('search');
@@ -144,25 +140,67 @@ const loadBaseInfo = async (search: boolean) => {
         });
 };
 
-const loadIptablesChainInfo = async () => {
-    const params: Host.IptablesFilterRuleSearch = {
-        chains: ['INPUT', 'OUTPUT', '1PANEL_INPUT', '1PANEL_OUTPUT'],
-    };
-    await getFilterRules(params)
-        .then((res) => {
-            chainInfoMap.value.clear();
-            res.data.forEach((chainInfo: Host.IptablesChainInfo) => {
-                chainInfoMap.value.set(chainInfo.name, chainInfo);
-            });
-        })
-        .catch(() => {
-            chainInfoMap.value.clear();
+const loadInitMsg = () => {
+    switch (props.currentTab) {
+        case 'base':
+            return i18n.global.t('firewall.initHelper', [i18n.global.t('firewall.baseIptables')]);
+        case 'forward':
+            return i18n.global.t('firewall.initHelper', [i18n.global.t('firewall.forwardIptables')]);
+        case 'advance':
+            return i18n.global.t('firewall.initHelper', [i18n.global.t('firewall.advanceIptables')]);
+    }
+};
+
+const onInit = async () => {
+    let chainName = '';
+    let msg = '';
+    switch (props.currentTab) {
+        case 'base':
+            chainName = '1PANEL_BASIC';
+            msg = i18n.global.t('firewall.initMsg', [i18n.global.t('firewall.baseIptables')]);
+        case 'forward':
+            chainName = '1PANEL_FORWARD';
+            msg = i18n.global.t('firewall.initMsg', [i18n.global.t('firewall.forwardIptables')]);
+        case 'advance':
+            chainName = '1PANEL_INPUT';
+            msg = i18n.global.t('firewall.initMsg', [i18n.global.t('firewall.advanceIptables')]);
+    }
+    ElMessageBox.confirm(msg, i18n.global.t('commons.button.init'), {
+        confirmButtonText: i18n.global.t('commons.button.confirm'),
+        cancelButtonText: i18n.global.t('commons.button.cancel'),
+    }).then(async () => {
+        await operateFilterChain(chainName, 'init-' + props.currentTab).then(() => {
+            MsgSuccess(i18n.global.t('commons.msg.operationSuccess'));
+            loadBaseInfo(true);
+        });
+    });
+};
+
+const onBind = async () => {
+    ElMessageBox.confirm(i18n.global.t('firewall.bindHelper'), i18n.global.t('commons.button.bind'), {
+        confirmButtonText: i18n.global.t('commons.button.confirm'),
+        cancelButtonText: i18n.global.t('commons.button.cancel'),
+    }).then(async () => {
+        await operateFilterChain('1PANEL_BASIC', 'bind-base').then(() => {
+            MsgSuccess(i18n.global.t('commons.msg.operationSuccess'));
+            loadBaseInfo(true);
+        });
+    });
+};
+const onUnBind = async () => {
+    ElMessageBox.confirm(i18n.global.t('firewall.unbindHelper'), i18n.global.t('commons.button.unbind'), {
+        confirmButtonText: i18n.global.t('commons.button.confirm'),
+        cancelButtonText: i18n.global.t('commons.button.cancel'),
+    }).then(async () => {
+        await operateFilterChain('1PANEL_BASIC', 'unbind-base').then(() => {
+            MsgSuccess(i18n.global.t('commons.msg.operationSuccess'));
+            loadBaseInfo(true);
         });
+    });
 };
 
 const onOperate = async (op: string) => {
     operation.value = op;
-    // For iptables, skip docker restart warning and execute directly
     if (baseInfo.value.name === 'iptables') {
         emit('update:loading', true);
         emit('update:maskShow', true);
@@ -219,38 +257,6 @@ const onPingOperate = async (operation: string) => {
         });
 };
 
-const onAdvancedOperate = async (op: string) => {
-    let confirmMsg = '';
-    let title = '';
-
-    if (op === 'init') {
-        confirmMsg = i18n.global.t('firewall.initChainsConfirm');
-        title = i18n.global.t('firewall.initChains');
-    } else if (op === 'apply') {
-        confirmMsg = i18n.global.t('firewall.applyConfirm');
-        title = i18n.global.t('firewall.applyFirewall');
-    } else {
-        confirmMsg = i18n.global.t('firewall.unloadConfirm');
-        title = i18n.global.t('firewall.unloadFirewall');
-    }
-
-    ElMessageBox.confirm(confirmMsg, title, {
-        confirmButtonText: i18n.global.t('commons.button.confirm'),
-        cancelButtonText: i18n.global.t('commons.button.cancel'),
-    }).then(async () => {
-        emit('update:loading', true);
-        emit('update:maskShow', true);
-        await applyFilterFirewall({ operation: op })
-            .then(() => {
-                MsgSuccess(i18n.global.t('commons.msg.operationSuccess'));
-                loadBaseInfo(true);
-            })
-            .catch(() => {
-                loadBaseInfo(true);
-            });
-    });
-};
-
 defineExpose({
     acceptParams,
 });

From 5964299319891c0de6d95f648b201f864b9c406b Mon Sep 17 00:00:00 2001
From: KOMATA <20227709+HynoR@users.noreply.github.com>
Date: Mon, 10 Nov 2025 20:42:36 +0800
Subject: [PATCH 15/16] merge: iptables (#10907)

* fix: update iptables initialization logic to check for iptables command availability

* fix

* fix: improve iptables rule operation handling logic

* fix: add validation for unsafe DROP rules in iptables filter
---
 agent/app/model/firewall.go                   |  8 ++--
 agent/app/service/iptables.go                 | 45 +++++++++++--------
 .../utils/firewall/client/iptables/filter.go  | 25 +++++++++++
 3 files changed, 55 insertions(+), 23 deletions(-)

diff --git a/agent/app/model/firewall.go b/agent/app/model/firewall.go
index 7218d4238521..87fbb7efcd14 100644
--- a/agent/app/model/firewall.go
+++ b/agent/app/model/firewall.go
@@ -3,10 +3,10 @@ package model
 type Firewall struct {
 	BaseModel
 
-	Type         string `gorm:"not null" json:"type"`
-	FirewallType string `gorm:"not null" json:"firewallType"`
-	Port         string `gorm:"not null" json:"port"`    // Deprecated
-	Address      string `gorm:"not null" json:"address"` // Deprecated
+	Type         string `json:"type"`
+	FirewallType string `json:"firewallType"`
+	Port         string `json:"port"`    // Deprecated
+	Address      string `json:"address"` // Deprecated
 
 	Chain       string `json:"chain"`
 	Protocol    string `json:"protocol"`
diff --git a/agent/app/service/iptables.go b/agent/app/service/iptables.go
index 28ea50d71ef4..f86889cda3ac 100644
--- a/agent/app/service/iptables.go
+++ b/agent/app/service/iptables.go
@@ -97,21 +97,23 @@ func (s *IptablesService) OperateRule(req dto.IptablesRuleOp) error {
 			return fmt.Errorf("failed to save rule to database: %w", err)
 		}
 		return nil
-	}
-	if err := iptables.DeleteFilterRule(req.Chain, policy); err != nil {
-		return fmt.Errorf("failed to remove iptables rule: %w", err)
-	}
-	name := iptables.InputFileName
-	if req.Chain == iptables.Chain1PanelOutput {
-		name = iptables.OutputFileName
-	}
-	if err := iptables.SaveRulesToFile(iptables.FilterTab, req.Chain, name); err != nil {
-		global.LOG.Errorf("persistence for %s failed, err: %v", iptables.Chain1PanelBasic, err)
-	}
-	if req.ID != 0 {
-		if err := hostRepo.DeleteFirewallRecordByID(req.ID); err != nil {
-			return fmt.Errorf("failed to delete rule from database: %w", err)
+	} else if req.Operation == "remove" {
+		if err := iptables.DeleteFilterRule(req.Chain, policy); err != nil {
+			return fmt.Errorf("failed to remove iptables rule: %w", err)
+		}
+		name := iptables.InputFileName
+		if req.Chain == iptables.Chain1PanelOutput {
+			name = iptables.OutputFileName
+		}
+		if err := iptables.SaveRulesToFile(iptables.FilterTab, req.Chain, name); err != nil {
+			global.LOG.Errorf("persistence for %s failed, err: %v", iptables.Chain1PanelBasic, err)
+		}
+		if req.ID != 0 {
+			if err := hostRepo.DeleteFirewallRecordByID(req.ID); err != nil {
+				return fmt.Errorf("failed to delete rule from database: %w", err)
+			}
 		}
+		return nil
 	}
 	return nil
 }
@@ -126,14 +128,14 @@ func (s *IptablesService) BatchOperate(req dto.IptablesBatchOperate) error {
 }
 
 func (s *IptablesService) Operate(req dto.IptablesOp) error {
-	targetChain := "INPUT"
-	if req.Name == "1PANEL_OUTPUT" {
-		targetChain = "OUTPUT"
+	targetChain := iptables.ChainInput
+	if req.Name == iptables.Chain1PanelOutput {
+		targetChain = iptables.ChainOutput
 	}
 	switch req.Operate {
 	case "init-base":
-		if err := cmd.RunDefaultBashC("modprobe ip_tables"); err != nil {
-			return fmt.Errorf("failed to load ip_tables module: %v", err)
+		if ok := cmd.Which("iptables"); !ok {
+			return fmt.Errorf("failed to find iptables")
 		}
 		if err := iptables.AddChain(iptables.FilterTab, iptables.Chain1PanelBasicBefore); err != nil {
 			return err
@@ -173,6 +175,7 @@ func (s *IptablesService) Operate(req dto.IptablesOp) error {
 		if err := iptables.BindChain(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelInput, number); err != nil {
 			return err
 		}
+		return nil
 	case "bind-base":
 		if err := initPreRules(); err != nil {
 			return err
@@ -186,6 +189,7 @@ func (s *IptablesService) Operate(req dto.IptablesOp) error {
 		if err := iptables.BindChain(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelBasicAfter, 3); err != nil {
 			return err
 		}
+		return nil
 	case "unbind-base":
 		if err := iptables.UnbindChain(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelBasicAfter); err != nil {
 			return err
@@ -196,14 +200,17 @@ func (s *IptablesService) Operate(req dto.IptablesOp) error {
 		if err := iptables.UnbindChain(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelBasic); err != nil {
 			return err
 		}
+		return nil
 	case "bind":
 		if err := iptables.BindChain(iptables.FilterTab, targetChain, req.Name, loadBindNumber()); err != nil {
 			return err
 		}
+		return nil
 	case "unbind":
 		if err := iptables.UnbindChain(iptables.FilterTab, targetChain, req.Name); err != nil {
 			return err
 		}
+		return nil
 	}
 	return nil
 }
diff --git a/agent/utils/firewall/client/iptables/filter.go b/agent/utils/firewall/client/iptables/filter.go
index f476350984d3..21dda8fd7fda 100644
--- a/agent/utils/firewall/client/iptables/filter.go
+++ b/agent/utils/firewall/client/iptables/filter.go
@@ -21,6 +21,9 @@ type FilterRules struct {
 }
 
 func AddFilterRule(chain string, policy FilterRules) error {
+	if err := validateRuleSafety(policy, chain); err != nil {
+		return err
+	}
 	iptablesArg := fmt.Sprintf("-A %s", chain)
 	if policy.Protocol != "" {
 		iptablesArg += fmt.Sprintf(" -p %s", policy.Protocol)
@@ -130,3 +133,25 @@ func loadIP(ipStr string) string {
 	}
 	return ipStr
 }
+
+func validateRuleSafety(rule FilterRules, chain string) error {
+	if strings.ToUpper(rule.Strategy) != "DROP" {
+		return nil
+	}
+
+	// 入方向检查是否存在无条件 DROP
+	if chain == ChainInput || chain == Chain1PanelInput || chain == Chain1PanelBasic {
+		if rule.SrcIP == "0.0.0.0/0" && rule.SrcPort == 0 && rule.DstPort == 0 {
+			return fmt.Errorf("unsafe DROP is not allowed")
+		}
+	}
+
+	// 出方向检查是否存在无条件 DROP
+	if chain == ChainOutput || chain == Chain1PanelOutput || chain == Chain1PanelBasicAfter {
+		if rule.DstIP == "0.0.0.0/0" && rule.DstPort == 0 && rule.SrcPort == 0 {
+			return fmt.Errorf("unsafe DROP is not allowed")
+		}
+	}
+
+	return nil
+}

From b22b39da53d67233ce654b93d4d588978814864f Mon Sep 17 00:00:00 2001
From: ssongliu <songlius11@163.com>
Date: Mon, 10 Nov 2025 21:15:12 +0800
Subject: [PATCH 16/16] fix: adjust chain 1PANEL_INPUT position

---
 agent/app/model/firewall.go                   |  7 +++--
 agent/app/repo/host.go                        |  6 -----
 agent/app/service/firewall.go                 | 26 ++++++++++++------
 agent/app/service/iptables.go                 | 27 +++++++++----------
 agent/init/migration/migrations/init.go       |  1 +
 .../utils/firewall/client/iptables/filter.go  |  2 --
 frontend/src/views/host/firewall/index.vue    |  2 +-
 7 files changed, 35 insertions(+), 36 deletions(-)

diff --git a/agent/app/model/firewall.go b/agent/app/model/firewall.go
index 87fbb7efcd14..fc79023494d0 100644
--- a/agent/app/model/firewall.go
+++ b/agent/app/model/firewall.go
@@ -3,10 +3,9 @@ package model
 type Firewall struct {
 	BaseModel
 
-	Type         string `json:"type"`
-	FirewallType string `json:"firewallType"`
-	Port         string `json:"port"`    // Deprecated
-	Address      string `json:"address"` // Deprecated
+	Type    string `json:"type"`
+	Port    string `json:"port"`    // Deprecated
+	Address string `json:"address"` // Deprecated
 
 	Chain       string `json:"chain"`
 	Protocol    string `json:"protocol"`
diff --git a/agent/app/repo/host.go b/agent/app/repo/host.go
index 66a2c69f03a3..0d399229baad 100644
--- a/agent/app/repo/host.go
+++ b/agent/app/repo/host.go
@@ -24,7 +24,6 @@ type IHostRepo interface {
 	DeleteCert(opts ...DBOption) error
 
 	WithByChain(chain string) DBOption
-	WithByFirewallType(fireType string) DBOption
 }
 
 func NewIHostRepo() IHostRepo {
@@ -155,11 +154,6 @@ func (u *HostRepo) SyncCert(data []model.RootCert) error {
 	return nil
 }
 
-func (u *HostRepo) WithByFirewallType(fireType string) DBOption {
-	return func(g *gorm.DB) *gorm.DB {
-		return g.Where("firewall_type = ?", fireType)
-	}
-}
 func (u *HostRepo) WithByChain(chain string) DBOption {
 	return func(g *gorm.DB) *gorm.DB {
 		return g.Where("chain = ?", chain)
diff --git a/agent/app/service/firewall.go b/agent/app/service/firewall.go
index 6f93b688d16a..788e4809ce54 100644
--- a/agent/app/service/firewall.go
+++ b/agent/app/service/firewall.go
@@ -231,6 +231,10 @@ func (u *FirewallService) OperatePortRule(req dto.PortRuleOperate, reload bool)
 	if err != nil {
 		return err
 	}
+	chain := ""
+	if client.Name() == "iptables" {
+		chain = iptables.Chain1PanelBasic
+	}
 	protos := strings.Split(req.Protocol, "/")
 	itemAddress := strings.Split(strings.TrimSuffix(req.Address, ","), ",")
 
@@ -248,7 +252,7 @@ func (u *FirewallService) OperatePortRule(req dto.PortRuleOperate, reload bool)
 						return err
 					}
 					req.Port = strings.ReplaceAll(req.Port, ":", "-")
-					if err := u.addPortRecord(req); err != nil {
+					if err := u.addPortRecord(chain, req); err != nil {
 						return err
 					}
 				}
@@ -269,7 +273,7 @@ func (u *FirewallService) OperatePortRule(req dto.PortRuleOperate, reload bool)
 			if len(req.Protocol) == 0 {
 				req.Protocol = "tcp/udp"
 			}
-			if err := u.addPortRecord(req); err != nil {
+			if err := u.addPortRecord(chain, req); err != nil {
 				return err
 			}
 		}
@@ -285,7 +289,7 @@ func (u *FirewallService) OperatePortRule(req dto.PortRuleOperate, reload bool)
 				if err := u.operatePort(client, req); err != nil {
 					return err
 				}
-				if err := u.addPortRecord(req); err != nil {
+				if err := u.addPortRecord(chain, req); err != nil {
 					return err
 				}
 			}
@@ -302,7 +306,7 @@ func (u *FirewallService) OperatePortRule(req dto.PortRuleOperate, reload bool)
 					if err := u.operatePort(client, req); err != nil {
 						return err
 					}
-					if err := u.addPortRecord(req); err != nil {
+					if err := u.addPortRecord(chain, req); err != nil {
 						return err
 					}
 				}
@@ -411,7 +415,10 @@ func (u *FirewallService) OperateAddressRule(req dto.AddrRuleOperate, reload boo
 	if err != nil {
 		return err
 	}
-
+	chain := ""
+	if client.Name() == "iptables" {
+		chain = iptables.Chain1PanelBasic
+	}
 	var fireInfo fireClient.FireInfo
 	if err := copier.Copy(&fireInfo, &req); err != nil {
 		return err
@@ -427,7 +434,7 @@ func (u *FirewallService) OperateAddressRule(req dto.AddrRuleOperate, reload boo
 			return err
 		}
 		req.Address = addressList[i]
-		if err := u.addAddressRecord(req); err != nil {
+		if err := u.addAddressRecord(chain, req); err != nil {
 			return err
 		}
 	}
@@ -672,7 +679,7 @@ func (u *FirewallService) addPortsBeforeStart(client firewall.FirewallClient) er
 	return client.Reload()
 }
 
-func (u *FirewallService) addPortRecord(req dto.PortRuleOperate) error {
+func (u *FirewallService) addPortRecord(chain string, req dto.PortRuleOperate) error {
 	if req.Operation == "remove" {
 		if req.ID != 0 {
 			return hostRepo.DeleteFirewallRecordByID(req.ID)
@@ -681,6 +688,7 @@ func (u *FirewallService) addPortRecord(req dto.PortRuleOperate) error {
 
 	if err := hostRepo.SaveFirewallRecord(&model.Firewall{
 		Type:        "port",
+		Chain:       chain,
 		DstPort:     req.Port,
 		Protocol:    req.Protocol,
 		SrcIP:       req.Address,
@@ -693,14 +701,16 @@ func (u *FirewallService) addPortRecord(req dto.PortRuleOperate) error {
 	return nil
 }
 
-func (u *FirewallService) addAddressRecord(req dto.AddrRuleOperate) error {
+func (u *FirewallService) addAddressRecord(chain string, req dto.AddrRuleOperate) error {
 	if req.Operation == "remove" {
 		if req.ID != 0 {
 			return hostRepo.DeleteFirewallRecordByID(req.ID)
 		}
 	}
+
 	if err := hostRepo.SaveFirewallRecord(&model.Firewall{
 		Type:        "address",
+		Chain:       chain,
 		SrcIP:       req.Address,
 		Strategy:    req.Strategy,
 		Description: req.Description,
diff --git a/agent/app/service/iptables.go b/agent/app/service/iptables.go
index f86889cda3ac..f1ee7fdffbb9 100644
--- a/agent/app/service/iptables.go
+++ b/agent/app/service/iptables.go
@@ -45,7 +45,7 @@ func (s *IptablesService) Search(req dto.SearchPageWithType) (int64, interface{}
 		records = rules[start:end]
 	}
 
-	rulesInDB, _ := hostRepo.ListFirewallRecord(hostRepo.WithByFirewallType("iptables"), hostRepo.WithByChain(req.Type))
+	rulesInDB, _ := hostRepo.ListFirewallRecord(hostRepo.WithByChain(req.Type))
 
 	for i := 0; i < len(records); i++ {
 		for _, item := range rulesInDB {
@@ -73,7 +73,12 @@ func (s *IptablesService) OperateRule(req dto.IptablesRuleOp) error {
 		Strategy: req.Strategy,
 	}
 
-	if req.Operation == "add" {
+	name := iptables.InputFileName
+	if req.Chain == iptables.Chain1PanelOutput {
+		name = iptables.OutputFileName
+	}
+	switch req.Operation {
+	case "add":
 		if err := s.validateRuleInput(&req); err != nil {
 			return err
 		}
@@ -96,24 +101,19 @@ func (s *IptablesService) OperateRule(req dto.IptablesRuleOp) error {
 		if err := hostRepo.SaveFirewallRecord(rule); err != nil {
 			return fmt.Errorf("failed to save rule to database: %w", err)
 		}
-		return nil
-	} else if req.Operation == "remove" {
+	case "remove":
 		if err := iptables.DeleteFilterRule(req.Chain, policy); err != nil {
 			return fmt.Errorf("failed to remove iptables rule: %w", err)
 		}
-		name := iptables.InputFileName
-		if req.Chain == iptables.Chain1PanelOutput {
-			name = iptables.OutputFileName
-		}
-		if err := iptables.SaveRulesToFile(iptables.FilterTab, req.Chain, name); err != nil {
-			global.LOG.Errorf("persistence for %s failed, err: %v", iptables.Chain1PanelBasic, err)
-		}
 		if req.ID != 0 {
 			if err := hostRepo.DeleteFirewallRecordByID(req.ID); err != nil {
 				return fmt.Errorf("failed to delete rule from database: %w", err)
 			}
 		}
-		return nil
+	}
+
+	if err := iptables.SaveRulesToFile(iptables.FilterTab, req.Chain, name); err != nil {
+		global.LOG.Errorf("persistence for %s failed, err: %v", iptables.Chain1PanelBasic, err)
 	}
 	return nil
 }
@@ -287,9 +287,6 @@ func loadBindNumber() int {
 	if exist, _ := iptables.CheckChainExist(iptables.FilterTab, iptables.Chain1PanelBasic); exist {
 		number++
 	}
-	if exist, _ := iptables.CheckChainExist(iptables.FilterTab, iptables.Chain1PanelBasicAfter); exist {
-		number++
-	}
 	return number
 }
 
diff --git a/agent/init/migration/migrations/init.go b/agent/init/migration/migrations/init.go
index ed28d5c20a8e..651cd1bf0359 100644
--- a/agent/init/migration/migrations/init.go
+++ b/agent/init/migration/migrations/init.go
@@ -676,6 +676,7 @@ var AddIptablesFilterRuleTable = &gormigrate.Migration{
 		}
 		for _, item := range firewalls {
 			if err := tx.Model(&model.Firewall{}).
+				Where("id = ?", item.ID).
 				Updates(map[string]interface{}{"dst_port": item.Port, "src_ip": item.Address, "firewall_type": firewallType}); err != nil {
 				global.LOG.Errorf("update firewall failed, err: %v", err)
 			}
diff --git a/agent/utils/firewall/client/iptables/filter.go b/agent/utils/firewall/client/iptables/filter.go
index 21dda8fd7fda..60efbd323476 100644
--- a/agent/utils/firewall/client/iptables/filter.go
+++ b/agent/utils/firewall/client/iptables/filter.go
@@ -139,14 +139,12 @@ func validateRuleSafety(rule FilterRules, chain string) error {
 		return nil
 	}
 
-	// 入方向检查是否存在无条件 DROP
 	if chain == ChainInput || chain == Chain1PanelInput || chain == Chain1PanelBasic {
 		if rule.SrcIP == "0.0.0.0/0" && rule.SrcPort == 0 && rule.DstPort == 0 {
 			return fmt.Errorf("unsafe DROP is not allowed")
 		}
 	}
 
-	// 出方向检查是否存在无条件 DROP
 	if chain == ChainOutput || chain == Chain1PanelOutput || chain == Chain1PanelBasicAfter {
 		if rule.DstIP == "0.0.0.0/0" && rule.DstPort == 0 && rule.SrcPort == 0 {
 			return fmt.Errorf("unsafe DROP is not allowed")
diff --git a/frontend/src/views/host/firewall/index.vue b/frontend/src/views/host/firewall/index.vue
index 68421ba148f0..790c647767d3 100644
--- a/frontend/src/views/host/firewall/index.vue
+++ b/frontend/src/views/host/firewall/index.vue
@@ -24,7 +24,7 @@ const buttons = [
         path: '/hosts/firewall/ip',
     },
     {
-        label: i18n.global.t('firewall.advancedControl'),
+        label: 'iptables ' + i18n.global.t('firewall.advancedControl'),
         path: '/hosts/firewall/advance',
     },
 ];