firewall: use a chain instead of adding rules directly

this helps in updating rules across upgrades

setup/start/cloudron-firewall.sh

@@ -117,16 +117,20 @@ ipxtables -t filter -A CLOUDRON -m limit --limit 2/min -j LOG --log-prefix "Pack
 ipxtables -t filter -A CLOUDRON -j DROP
 
 # prepend our chain to the filter table
-echo "==> Adding cloudron chain"
+echo "==> Adding cloudron filter chain"
 $iptables -t filter -C INPUT -j CLOUDRON 2>/dev/null || $iptables -t filter -I INPUT -j CLOUDRON
 $ip6tables -t filter -C INPUT -j CLOUDRON 2>/dev/null || $ip6tables -t filter -I INPUT -j CLOUDRON
 
 # masquerading rules for container ports to be accessible using public IP from other containers
-$iptables -t nat -D POSTROUTING -s 172.18.0.0/16 -d 172.18.0.0/16 -j MASQUERADE 2>/dev/null || true
-$iptables -t nat -A POSTROUTING -s 172.18.0.0/16 -d 172.18.0.0/16 -j MASQUERADE
+echo "==> Adding cloudron postrouting chain"
+ipxtables -t nat -N CLOUDRON_POSTROUTING || true
+ipxtables -t nat -F CLOUDRON_POSTROUTING # empty any existing rules
 
-$ip6tables -t nat -D POSTROUTING -s fd00:c107:d509::/64 -d fd00:c107:d509::/64 -j MASQUERADE 2>/dev/null || true
-$ip6tables -t nat -A POSTROUTING -s fd00:c107:d509::/64 -d fd00:c107:d509::/64 -j MASQUERADE
+$iptables -t nat -A CLOUDRON_POSTROUTING -s 172.18.0.0/16 -d 172.18.0.0/16 -j MASQUERADE
+$ip6tables -t nat -A CLOUDRON_POSTROUTING -s fd00:c107:d509::/64 -d fd00:c107:d509::/64 -j MASQUERADE
+
+$iptables -t nat -C POSTROUTING -j CLOUDRON_POSTROUTING 2>/dev/null || $iptables -t nat -I POSTROUTING -j CLOUDRON_POSTROUTING
+$ip6tables -t nat -C POSTROUTING -j CLOUDRON_POSTROUTING 2>/dev/null || $ip6tables -t nat -I POSTROUTING -j CLOUDRON_POSTROUTING
 
 # Setup rate limit chain (the recent info is at /proc/net/xt_recent)
 echo "==> Setup rate limit chain"