Untitled

a guest
Jun 4th, 2016
  1. root@virl:~# iptables-save
  2. # Generated by iptables-save v1.4.21 on Sat Jun 4 14:26:58 2016
  3. *raw
  4. :PREROUTING ACCEPT [2669008:2316472374]
  5. :OUTPUT ACCEPT [2678654:2318562649]
  6. COMMIT
  7. # Completed on Sat Jun 4 14:26:58 2016
  8. # Generated by iptables-save v1.4.21 on Sat Jun 4 14:26:58 2016
  9. *mangle
  10. :PREROUTING ACCEPT [2674864:2318565463]
  11. :INPUT ACCEPT [2669891:2318282287]
  12. :FORWARD ACCEPT [4973:283176]
  13. :OUTPUT ACCEPT [2686101:2320951372]
  14. :POSTROUTING ACCEPT [2691074:2321234548]
  15. :nova-api-POSTROUTING - [0:0]
  16. -A POSTROUTING -j nova-api-POSTROUTING
  17. -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
  18. COMMIT
  19. # Completed on Sat Jun 4 14:26:58 2016
  20. # Generated by iptables-save v1.4.21 on Sat Jun 4 14:26:58 2016
  21. *nat
  22. :PREROUTING ACCEPT [1022:52204]
  23. :INPUT ACCEPT [5:284]
  24. :OUTPUT ACCEPT [318:25914]
  25. :POSTROUTING ACCEPT [321:26070]
  26. :nova-api-OUTPUT - [0:0]
  27. :nova-api-POSTROUTING - [0:0]
  28. :nova-api-PREROUTING - [0:0]
  29. :nova-api-float-snat - [0:0]
  30. :nova-api-snat - [0:0]
  31. :nova-postrouting-bottom - [0:0]
  32. -A PREROUTING -j nova-api-PREROUTING
  33. -A PREROUTING -i bond0 -p tcp -m tcp --dport 11001 -j DNAT --to-destination 172.16.11.101:7023
  34. -A PREROUTING -i bond0 -p tcp -m tcp --dport 11002 -j DNAT --to-destination 172.16.11.102:7023
  35. -A PREROUTING -i bond0 -p tcp -m tcp --dport 11003 -j DNAT --to-destination 172.16.11.103:7023
  36. -A PREROUTING -i bond0 -p tcp -m tcp --dport 11004 -j DNAT --to-destination 172.16.11.104:7023
  37. -A PREROUTING -i bond0 -p tcp -m tcp --dport 11005 -j DNAT --to-destination 172.16.11.105:7023
  38. -A PREROUTING -i bond0 -p tcp -m tcp --dport 11006 -j DNAT --to-destination 172.16.11.106:7023
  39. -A PREROUTING -i bond0 -p tcp -m tcp --dport 11007 -j DNAT --to-destination 172.16.11.107:7023
  40. -A PREROUTING -i bond0 -p tcp -m tcp --dport 11008 -j DNAT --to-destination 172.16.11.108:7023
  41. -A PREROUTING -i bond0 -p tcp -m tcp --dport 11009 -j DNAT --to-destination 172.16.11.109:7023
  42. -A PREROUTING -i bond0 -p tcp -m tcp --dport 11010 -j DNAT --to-destination 172.16.11.110:7023
  43. -A PREROUTING -i bond0 -p tcp -m tcp --dport 11011 -j DNAT --to-destination 172.16.11.111:7023
  44. -A PREROUTING -i bond0 -p tcp -m tcp --dport 11012 -j DNAT --to-destination 172.16.11.112:7023
  45. -A PREROUTING -i bond0 -p tcp -m tcp --dport 11013 -j DNAT --to-destination 172.16.11.113:7023
  46. -A PREROUTING -i bond0 -p tcp -m tcp --dport 11014 -j DNAT --to-destination 172.16.11.114:7023
  47. -A PREROUTING -i bond0 -p tcp -m tcp --dport 11015 -j DNAT --to-destination 172.16.11.115:7023
  48. -A PREROUTING -i bond0 -p tcp -m tcp --dport 11016 -j DNAT --to-destination 172.16.11.116:7023
  49. -A PREROUTING -i bond0 -p tcp -m tcp --dport 11017 -j DNAT --to-destination 172.16.11.117:7023
  50. -A PREROUTING -i bond0 -p tcp -m tcp --dport 11018 -j DNAT --to-destination 172.16.11.118:7023
  51. -A PREROUTING -i bond0 -p tcp -m tcp --dport 11019 -j DNAT --to-destination 172.16.11.119:7023
  52. -A PREROUTING -i bond0 -p tcp -m tcp --dport 11020 -j DNAT --to-destination 172.16.11.120:7023
  53. -A PREROUTING -i bond0 -p tcp -m tcp --dport 11021 -j DNAT --to-destination 172.16.11.121:7023
  54. -A PREROUTING -i bond0 -p tcp -m tcp --dport 11022 -j DNAT --to-destination 172.16.11.122:7023
  55. -A PREROUTING -i bond0 -p tcp -m tcp --dport 11023 -j DNAT --to-destination 172.16.11.123:7023
  56. -A PREROUTING -i bond0 -p tcp -m tcp --dport 11024 -j DNAT --to-destination 172.16.11.124:7023
  57. -A PREROUTING -i bond0 -p tcp -m tcp --dport 11025 -j DNAT --to-destination 172.16.11.125:7023
  58. -A PREROUTING -i bond0 -p tcp -m tcp --dport 11026 -j DNAT --to-destination 172.16.11.126:7023
  59. -A PREROUTING -i bond0 -p tcp -m tcp --dport 11027 -j DNAT --to-destination 172.16.11.127:7023
  60. -A PREROUTING -i bond0 -p tcp -m tcp --dport 11028 -j DNAT --to-destination 172.16.11.128:7023
  61. -A PREROUTING -i bond0 -p tcp -m tcp --dport 11029 -j DNAT --to-destination 172.16.11.129:7023
  62. -A PREROUTING -i bond0 -p tcp -m tcp --dport 11030 -j DNAT --to-destination 172.16.11.130:7023
  63. -A PREROUTING -i bond0 -p tcp -m tcp --dport 12001 -j DNAT --to-destination 172.16.11.201:7023
  64. -A PREROUTING -i bond0 -p tcp -m tcp --dport 12002 -j DNAT --to-destination 172.16.11.202:7023
  65. -A PREROUTING -i bond0 -p tcp -m tcp --dport 12003 -j DNAT --to-destination 172.16.11.203:7023
  66. -A PREROUTING -i bond0 -p tcp -m tcp --dport 12004 -j DNAT --to-destination 172.16.11.204:7023
  67. -A PREROUTING -i bond0 -p tcp -m tcp --dport 12005 -j DNAT --to-destination 172.16.11.205:7023
  68. -A PREROUTING -i bond0 -p tcp -m tcp --dport 12006 -j DNAT --to-destination 172.16.11.206:7023
  69. -A PREROUTING -i bond0 -p tcp -m tcp --dport 12007 -j DNAT --to-destination 172.16.11.207:7023
  70. -A PREROUTING -i bond0 -p tcp -m tcp --dport 12008 -j DNAT --to-destination 172.16.11.208:7023
  71. -A PREROUTING -i bond0 -p tcp -m tcp --dport 12009 -j DNAT --to-destination 172.16.11.209:7023
  72. -A PREROUTING -i bond0 -p tcp -m tcp --dport 12010 -j DNAT --to-destination 172.16.11.210:7023
  73. -A PREROUTING -i bond0 -p tcp -m tcp --dport 12011 -j DNAT --to-destination 172.16.11.211:7023
  74. -A PREROUTING -i bond0 -p tcp -m tcp --dport 12012 -j DNAT --to-destination 172.16.11.212:7023
  75. -A PREROUTING -i bond0 -p tcp -m tcp --dport 12013 -j DNAT --to-destination 172.16.11.213:7023
  76. -A PREROUTING -i bond0 -p tcp -m tcp --dport 12014 -j DNAT --to-destination 172.16.11.214:7023
  77. -A PREROUTING -i bond0 -p tcp -m tcp --dport 12015 -j DNAT --to-destination 172.16.11.215:7023
  78. -A PREROUTING -i bond0 -p tcp -m tcp --dport 12016 -j DNAT --to-destination 172.16.11.216:7023
  79. -A PREROUTING -i bond0 -p tcp -m tcp --dport 12017 -j DNAT --to-destination 172.16.11.217:7023
  80. -A PREROUTING -i bond0 -p tcp -m tcp --dport 12018 -j DNAT --to-destination 172.16.11.218:7023
  81. -A PREROUTING -i bond0 -p tcp -m tcp --dport 12019 -j DNAT --to-destination 172.16.11.219:7023
  82. -A PREROUTING -i bond0 -p tcp -m tcp --dport 12020 -j DNAT --to-destination 172.16.11.220:7023
  83. -A PREROUTING -i bond0 -p tcp -m tcp --dport 12021 -j DNAT --to-destination 172.16.11.221:7023
  84. -A PREROUTING -i bond0 -p tcp -m tcp --dport 12022 -j DNAT --to-destination 172.16.11.222:7023
  85. -A PREROUTING -i bond0 -p tcp -m tcp --dport 12023 -j DNAT --to-destination 172.16.11.223:7023
  86. -A PREROUTING -i bond0 -p tcp -m tcp --dport 12024 -j DNAT --to-destination 172.16.11.224:7023
  87. -A PREROUTING -i bond0 -p tcp -m tcp --dport 12025 -j DNAT --to-destination 172.16.11.225:7023
  88. -A PREROUTING -i bond0 -p tcp -m tcp --dport 12026 -j DNAT --to-destination 172.16.11.226:7023
  89. -A PREROUTING -i bond0 -p tcp -m tcp --dport 12027 -j DNAT --to-destination 172.16.11.227:7023
  90. -A PREROUTING -i bond0 -p tcp -m tcp --dport 12028 -j DNAT --to-destination 172.16.11.228:7023
  91. -A PREROUTING -i bond0 -p tcp -m tcp --dport 12029 -j DNAT --to-destination 172.16.11.229:7023
  92. -A PREROUTING -i bond0 -p tcp -m tcp --dport 12030 -j DNAT --to-destination 172.16.11.230:7023
  93. -A OUTPUT -j nova-api-OUTPUT
  94. -A POSTROUTING -j nova-api-POSTROUTING
  95. -A POSTROUTING -j nova-postrouting-bottom
  96. -A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
  97. -A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
  98. -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
  99. -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
  100. -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
  101. -A POSTROUTING -s 172.16.0.0/19 -o bond0 -j MASQUERADE
  102. -A POSTROUTING -s 172.16.0.0/19 -o bond0 -j MASQUERADE
  103. -A nova-api-snat -j nova-api-float-snat
  104. -A nova-postrouting-bottom -j nova-api-snat
  105. COMMIT
  106. # Completed on Sat Jun 4 14:26:58 2016
  107. # Generated by iptables-save v1.4.21 on Sat Jun 4 14:26:58 2016
  108. *filter
  109. :INPUT DROP [0:0]
  110. :FORWARD ACCEPT [21:840]
  111. :OUTPUT ACCEPT [0:0]
  112. :nova-api-FORWARD - [0:0]
  113. :nova-api-INPUT - [0:0]
  114. :nova-api-OUTPUT - [0:0]
  115. :nova-api-local - [0:0]
  116. :nova-filter-top - [0:0]
  117. :ufw-after-forward - [0:0]
  118. :ufw-after-input - [0:0]
  119. :ufw-after-logging-forward - [0:0]
  120. :ufw-after-logging-input - [0:0]
  121. :ufw-after-logging-output - [0:0]
  122. :ufw-after-output - [0:0]
  123. :ufw-before-forward - [0:0]
  124. :ufw-before-input - [0:0]
  125. :ufw-before-logging-forward - [0:0]
  126. :ufw-before-logging-input - [0:0]
  127. :ufw-before-logging-output - [0:0]
  128. :ufw-before-output - [0:0]
  129. :ufw-logging-allow - [0:0]
  130. :ufw-logging-deny - [0:0]
  131. :ufw-not-local - [0:0]
  132. :ufw-reject-forward - [0:0]
  133. :ufw-reject-input - [0:0]
  134. :ufw-reject-output - [0:0]
  135. :ufw-skip-to-policy-forward - [0:0]
  136. :ufw-skip-to-policy-input - [0:0]
  137. :ufw-skip-to-policy-output - [0:0]
  138. :ufw-track-forward - [0:0]
  139. :ufw-track-input - [0:0]
  140. :ufw-track-output - [0:0]
  141. :ufw-user-forward - [0:0]
  142. :ufw-user-input - [0:0]
  143. :ufw-user-limit - [0:0]
  144. :ufw-user-limit-accept - [0:0]
  145. :ufw-user-logging-forward - [0:0]
  146. :ufw-user-logging-input - [0:0]
  147. :ufw-user-logging-output - [0:0]
  148. :ufw-user-output - [0:0]
  149. -A INPUT -j nova-api-INPUT
  150. -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
  151. -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
  152. -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
  153. -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
  154. -A INPUT -j ufw-before-logging-input
  155. -A INPUT -j ufw-before-input
  156. -A INPUT -j ufw-after-input
  157. -A INPUT -j ufw-after-logging-input
  158. -A INPUT -j ufw-reject-input
  159. -A INPUT -j ufw-track-input
  160. -A FORWARD -j nova-filter-top
  161. -A FORWARD -j nova-api-FORWARD
  162. -A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  163. -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
  164. -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
  165. -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
  166. -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
  167. -A FORWARD -j ufw-before-logging-forward
  168. -A FORWARD -j ufw-before-forward
  169. -A FORWARD -j ufw-after-forward
  170. -A FORWARD -j ufw-after-logging-forward
  171. -A FORWARD -j ufw-reject-forward
  172. -A FORWARD -j ufw-track-forward
  173. -A OUTPUT -j nova-filter-top
  174. -A OUTPUT -j nova-api-OUTPUT
  175. -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
  176. -A OUTPUT -j ufw-before-logging-output
  177. -A OUTPUT -j ufw-before-output
  178. -A OUTPUT -j ufw-after-output
  179. -A OUTPUT -j ufw-after-logging-output
  180. -A OUTPUT -j ufw-reject-output
  181. -A OUTPUT -j ufw-track-output
  182. -A nova-api-INPUT -p tcp -m tcp --dport 8775 -m addrtype --dst-type LOCAL -j ACCEPT
  183. -A nova-filter-top -j nova-api-local
  184. -A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
  185. -A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
  186. -A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
  187. -A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
  188. -A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
  189. -A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
  190. -A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
  191. -A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
  192. -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  193. -A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
  194. -A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
  195. -A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
  196. -A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
  197. -A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
  198. -A ufw-before-forward -j ufw-user-forward
  199. -A ufw-before-input -i lo -j ACCEPT
  200. -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  201. -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
  202. -A ufw-before-input -m conntrack --ctstate INVALID -j DROP
  203. -A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
  204. -A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
  205. -A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
  206. -A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
  207. -A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
  208. -A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
  209. -A ufw-before-input -j ufw-not-local
  210. -A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
  211. -A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
  212. -A ufw-before-input -j ufw-user-input
  213. -A ufw-before-output -o lo -j ACCEPT
  214. -A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  215. -A ufw-before-output -j ufw-user-output
  216. -A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
  217. -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
  218. -A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
  219. -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
  220. -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
  221. -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
  222. -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
  223. -A ufw-not-local -j DROP
  224. -A ufw-skip-to-policy-forward -j ACCEPT
  225. -A ufw-skip-to-policy-input -j DROP
  226. -A ufw-skip-to-policy-output -j ACCEPT
  227. -A ufw-track-forward -p tcp -m conntrack --ctstate NEW -j ACCEPT
  228. -A ufw-track-forward -p udp -m conntrack --ctstate NEW -j ACCEPT
  229. -A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
  230. -A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
  231. -A ufw-user-input -i bond0 -p tcp -m multiport --dports 11001:11030 -j DROP
  232. -A ufw-user-input -i bond0 -p tcp -m tcp --dport 22 -j ACCEPT
  233. -A ufw-user-input -s 10.0.0.0/8 -j ACCEPT
  234. -A ufw-user-input -i bond0 -p tcp -m tcp --dport 4506 -j ACCEPT
  235. -A ufw-user-input -i bond0 -p tcp -m tcp --dport 4505 -j ACCEPT
  236. -A ufw-user-input -i bond0 -p tcp -m tcp --dport 1194 -j ACCEPT
  237. -A ufw-user-input -i bond0 -p tcp -m tcp --dport 443 -j ACCEPT
  238. -A ufw-user-input -i bond0 -j DROP
  239. -A ufw-user-input -j ACCEPT
  240. -A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
  241. -A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
  242. -A ufw-user-limit-accept -j ACCEPT
  243. COMMIT
  244. # Completed on Sat Jun 4 14:26:58 2016