iptables-simba

  1. # Generated by iptables-save v1.4.21 on Thu Oct 27 11:45:08 2016
  # NAT table. Three rule owners are interleaved in this dump: firewalld
  # (the *_direct, *_ZONES and *_public chains), libvirt (192.168.122.0/24
  # on virbr0) and Docker (172.17.0.0/16 on docker0, the DOCKER chain).
  # Order matters: rules are evaluated top to bottom within each chain.
  # Reviewer remarks are marked NOTE(review).
  2. *nat
  3. :PREROUTING ACCEPT [8402:668940]
  4. :INPUT ACCEPT [1:40]
  5. :OUTPUT ACCEPT [1:76]
  6. :POSTROUTING ACCEPT [2:128]
  7. :DOCKER - [0:0]
  8. :OUTPUT_direct - [0:0]
  9. :POSTROUTING_ZONES - [0:0]
  10. :POSTROUTING_ZONES_SOURCE - [0:0]
  11. :POSTROUTING_direct - [0:0]
  12. :POST_public - [0:0]
  13. :POST_public_allow - [0:0]
  14. :POST_public_deny - [0:0]
  15. :POST_public_log - [0:0]
  16. :PREROUTING_ZONES - [0:0]
  17. :PREROUTING_ZONES_SOURCE - [0:0]
  18. :PREROUTING_direct - [0:0]
  19. :PRE_public - [0:0]
  20. :PRE_public_allow - [0:0]
  21. :PRE_public_deny - [0:0]
  22. :PRE_public_log - [0:0]
  # firewalld hooks: direct chains, then source-based zone lookup, then
  # interface-based zone lookup (rules 52-56 below).
  23. -A PREROUTING -j PREROUTING_direct
  24. -A PREROUTING -j PREROUTING_ZONES_SOURCE
  25. -A PREROUTING -j PREROUTING_ZONES
  # Docker: every inbound packet addressed to a local address is offered to
  # the DOCKER DNAT chain (rules 42-46). This happens in PREROUTING, before
  # the filter INPUT chain runs, so a published port is rewritten here and the
  # packet is then forwarded to docker0 -- it is admitted by the filter
  # FORWARD/DOCKER rules, not by the firewalld INPUT zone rules.
  26. -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
  27. -A OUTPUT -j OUTPUT_direct
  # Same treatment for locally generated traffic to a non-loopback local
  # address (host reaching a published port through its own address).
  28. -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
  # Docker: container traffic leaving the bridge is source-NATed to the host.
  29. -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
  # libvirt default network: leave multicast and limited broadcast alone,
  # then masquerade everything else leaving 192.168.122.0/24, keeping TCP/UDP
  # source ports in the unprivileged range.
  30. -A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
  31. -A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
  32. -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
  33. -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
  34. -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
  # firewalld POSTROUTING hooks.
  35. -A POSTROUTING -j POSTROUTING_direct
  36. -A POSTROUTING -j POSTROUTING_ZONES_SOURCE
  37. -A POSTROUTING -j POSTROUTING_ZONES
  # Docker hairpin NAT: a container that reaches its own published port via
  # the host address has the source rewritten so the reply comes back through
  # the bridge instead of being short-circuited.
  38. -A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 5000 -j MASQUERADE
  39. -A POSTROUTING -s 172.17.0.5/32 -d 172.17.0.5/32 -p tcp -m tcp --dport 53 -j MASQUERADE
  40. -A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
  41. -A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
  # DOCKER chain: packets that arrived from the bridge itself are never DNATed.
  42. -A DOCKER -i docker0 -j RETURN
  # Published container ports (host port -> container:port).
  # NOTE(review): rules 43 and 45 carry no -d match, so tcp/80 and tcp/4321
  # are published on every local address (the 0.0.0.0 binding) reachable from
  # any non-docker0 interface, including virbr0. Rules 44 and 46 are pinned to
  # 172.23.28.190 (presumably the enp0s25 address). Only tcp/53 is forwarded
  # to the DNS container at 172.17.0.5 -- udp/53 is not published; confirm
  # that is intended.
  43. -A DOCKER ! -i docker0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.0.2:5000
  44. -A DOCKER -d 172.23.28.190/32 ! -i docker0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 172.17.0.5:53
  45. -A DOCKER ! -i docker0 -p tcp -m tcp --dport 4321 -j DNAT --to-destination 172.17.0.4:8080
  46. -A DOCKER -d 172.23.28.190/32 ! -i docker0 -p tcp -m tcp --dport 6660 -j DNAT --to-destination 172.17.0.3:8080
  # firewalld zone dispatch: enp0s25 maps to the public zone, and the
  # unconditional fallback puts every other interface in public too. The
  # POST_public_* and PRE_public_* chains contain no rules in this dump, so
  # the zone dispatch is a no-op here.
  47. -A POSTROUTING_ZONES -o enp0s25 -g POST_public
  48. -A POSTROUTING_ZONES -g POST_public
  49. -A POST_public -j POST_public_log
  50. -A POST_public -j POST_public_deny
  51. -A POST_public -j POST_public_allow
  52. -A PREROUTING_ZONES -i enp0s25 -g PRE_public
  53. -A PREROUTING_ZONES -g PRE_public
  54. -A PRE_public -j PRE_public_log
  55. -A PRE_public -j PRE_public_deny
  56. -A PRE_public -j PRE_public_allow
  57. COMMIT
  58. # Completed on Thu Oct 27 11:45:08 2016
  59. # Generated by iptables-save v1.4.21 on Thu Oct 27 11:45:08 2016
  # Mangle table: firewalld direct/zone hooks plus one libvirt checksum rule.
  # None of the firewalld chains here hold rules, so the only effective rule
  # is 83.
  60. *mangle
  61. :PREROUTING ACCEPT [159106999:49022546747]
  62. :INPUT ACCEPT [125861908:12249689951]
  63. :FORWARD ACCEPT [29680245:36588393328]
  64. :OUTPUT ACCEPT [297470:45978572]
  65. :POSTROUTING ACCEPT [29977724:36634373683]
  66. :FORWARD_direct - [0:0]
  67. :INPUT_direct - [0:0]
  68. :OUTPUT_direct - [0:0]
  69. :POSTROUTING_direct - [0:0]
  70. :PREROUTING_ZONES - [0:0]
  71. :PREROUTING_ZONES_SOURCE - [0:0]
  72. :PREROUTING_direct - [0:0]
  73. :PRE_public - [0:0]
  74. :PRE_public_allow - [0:0]
  75. :PRE_public_deny - [0:0]
  76. :PRE_public_log - [0:0]
  # firewalld hooks into every built-in chain.
  77. -A PREROUTING -j PREROUTING_direct
  78. -A PREROUTING -j PREROUTING_ZONES_SOURCE
  79. -A PREROUTING -j PREROUTING_ZONES
  80. -A INPUT -j INPUT_direct
  81. -A FORWARD -j FORWARD_direct
  82. -A OUTPUT -j OUTPUT_direct
  # libvirt-added: fill in the UDP checksum on DHCP client-bound traffic
  # (dport 68) leaving on virbr0 -- presumably for guests whose drivers
  # reject replies with an empty checksum.
  83. -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
  84. -A POSTROUTING -j POSTROUTING_direct
  # Zone dispatch: enp0s25 and, via the fallback, every other interface land
  # in the public zone; PRE_public_* chains are empty in this dump.
  85. -A PREROUTING_ZONES -i enp0s25 -g PRE_public
  86. -A PREROUTING_ZONES -g PRE_public
  87. -A PRE_public -j PRE_public_log
  88. -A PRE_public -j PRE_public_deny
  89. -A PRE_public -j PRE_public_allow
  90. COMMIT
  91. # Completed on Thu Oct 27 11:45:08 2016
  92. # Generated by iptables-save v1.4.21 on Thu Oct 27 11:45:08 2016
  # Security table: only firewalld's direct-chain hooks. The *_direct chains
  # contain no rules in this dump, so the table is a pass-through.
  93. *security
  94. :INPUT ACCEPT [1604955:3751473199]
  95. :FORWARD ACCEPT [33012895:40363862146]
  96. :OUTPUT ACCEPT [1365707:3822635357]
  97. :FORWARD_direct - [0:0]
  98. :INPUT_direct - [0:0]
  99. :OUTPUT_direct - [0:0]
  100. -A INPUT -j INPUT_direct
  101. -A FORWARD -j FORWARD_direct
  102. -A OUTPUT -j OUTPUT_direct
  103. COMMIT
  104. # Completed on Thu Oct 27 11:45:08 2016
  105. # Generated by iptables-save v1.4.21 on Thu Oct 27 11:45:08 2016
  # Raw table: only firewalld's direct-chain hooks, both empty here. There
  # are no NOTRACK/CT rules, so every flow enters connection tracking.
  106. *raw
  107. :PREROUTING ACCEPT [214940282:61002176107]
  108. :OUTPUT ACCEPT [1365707:3822635357]
  109. :OUTPUT_direct - [0:0]
  110. :PREROUTING_direct - [0:0]
  111. -A PREROUTING -j PREROUTING_direct
  112. -A OUTPUT -j OUTPUT_direct
  113. COMMIT
  114. # Completed on Thu Oct 27 11:45:08 2016
  115. # Generated by iptables-save v1.4.21 on Thu Oct 27 11:45:08 2016
  # Filter table: firewalld public zone (only tcp/22 admitted, rule 196),
  # libvirt guest rules for virbr0 and Docker rules for docker0. Rules are
  # evaluated in order; the first terminal target wins.
  # Reviewer remarks are marked NOTE(review).
  116. *filter
  # Built-in policies are ACCEPT; the actual deny comes from the terminal
  # REJECT rules 153 and 173, firewalld style.
  # NOTE(review): with ACCEPT policies the host fails open if the chains are
  # ever flushed (iptables -F) without the policies being changed.
  117. :INPUT ACCEPT [0:0]
  118. :FORWARD ACCEPT [0:0]
  119. :OUTPUT ACCEPT [81:18892]
  120. :DOCKER - [0:0]
  121. :DOCKER-ISOLATION - [0:0]
  122. :FORWARD_IN_ZONES - [0:0]
  123. :FORWARD_IN_ZONES_SOURCE - [0:0]
  124. :FORWARD_OUT_ZONES - [0:0]
  125. :FORWARD_OUT_ZONES_SOURCE - [0:0]
  126. :FORWARD_direct - [0:0]
  127. :FWDI_public - [0:0]
  128. :FWDI_public_allow - [0:0]
  129. :FWDI_public_deny - [0:0]
  130. :FWDI_public_log - [0:0]
  131. :FWDO_public - [0:0]
  132. :FWDO_public_allow - [0:0]
  133. :FWDO_public_deny - [0:0]
  134. :FWDO_public_log - [0:0]
  135. :INPUT_ZONES - [0:0]
  136. :INPUT_ZONES_SOURCE - [0:0]
  137. :INPUT_direct - [0:0]
  138. :IN_public - [0:0]
  139. :IN_public_allow - [0:0]
  140. :IN_public_deny - [0:0]
  141. :IN_public_log - [0:0]
  142. :OUTPUT_direct - [0:0]
  # libvirt: DNS and DHCP from guests on virbr0 to the host-side resolver.
  143. -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
  144. -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
  145. -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
  146. -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
  # Replies to flows the host opened, and everything on loopback.
  147. -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  148. -A INPUT -i lo -j ACCEPT
  # firewalld: direct chains, source-based zones, interface-based zones
  # (rules 191-196 -- every interface ends up in the public zone).
  149. -A INPUT -j INPUT_direct
  150. -A INPUT -j INPUT_ZONES_SOURCE
  151. -A INPUT -j INPUT_ZONES
  # All ICMP types are accepted from any interface; everything else that got
  # this far is rejected.
  152. -A INPUT -p icmp -j ACCEPT
  153. -A INPUT -j REJECT --reject-with icmp-host-prohibited
  # NOTE(review): rule 154 is unreachable. Rule 153 matches every packet
  # that reaches it, so this ACCEPT never fires and new connections from
  # containers to host services (other than tcp/22 via rule 196, and ICMP)
  # are rejected. Either remove it -- which changes nothing -- or, if
  # containers are meant to reach host services, move it above rule 153,
  # preferably narrowed with -p/--dport rather than accepting everything the
  # host listens on from the bridge.
  154. -A INPUT -i docker0 -j ACCEPT
  # Docker: inter-bridge isolation (a bare RETURN, rule 180, since there is a
  # single bridge), then published-port ACCEPTs for traffic into the bridge
  # (rules 176-179).
  155. -A FORWARD -j DOCKER-ISOLATION
  156. -A FORWARD -o docker0 -j DOCKER
  # Replies into the bridge; containers may open connections to any
  # non-docker0 destination; container-to-container traffic on the bridge is
  # unrestricted.
  # NOTE(review): rule 158 precedes the virbr0 REJECTs (163-164), so
  # containers can reach the libvirt guests on 192.168.122.0/24, and rule 161
  # lets guests reach any destination, including the containers directly.
  # The two private networks are not isolated from each other.
  157. -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  158. -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
  159. -A FORWARD -i docker0 -o docker0 -j ACCEPT
  # libvirt: replies to guests, anything sourced by a guest, guest-to-guest,
  # then reject all remaining traffic to or from virbr0.
  160. -A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  161. -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
  162. -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
  163. -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
  164. -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
  # firewalld FORWARD path: conntrack, loopback, direct, inbound and outbound
  # zone chains (the FWDI_/FWDO_public_* chains carry no rules here), ICMP,
  # then reject.
  165. -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  166. -A FORWARD -i lo -j ACCEPT
  167. -A FORWARD -j FORWARD_direct
  168. -A FORWARD -j FORWARD_IN_ZONES_SOURCE
  169. -A FORWARD -j FORWARD_IN_ZONES
  170. -A FORWARD -j FORWARD_OUT_ZONES_SOURCE
  171. -A FORWARD -j FORWARD_OUT_ZONES
  172. -A FORWARD -p icmp -j ACCEPT
  173. -A FORWARD -j REJECT --reject-with icmp-host-prohibited
  # OUTPUT is open: policy ACCEPT and an empty OUTPUT_direct chain, so the
  # libvirt DHCP rule is effectively redundant.
  174. -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
  175. -A OUTPUT -j OUTPUT_direct
  # DOCKER: admit forwarded traffic to each published container port (these
  # are the packets DNATed in the nat table). Source address is not
  # restricted, and the rules apply to any ingress interface other than
  # docker0.
  176. -A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 5000 -j ACCEPT
  177. -A DOCKER -d 172.17.0.5/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 53 -j ACCEPT
  178. -A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
  179. -A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
  180. -A DOCKER-ISOLATION -j RETURN
  # firewalld zone dispatch: enp0s25 maps to public, and the unconditional
  # fallback maps every other interface to public as well.
  181. -A FORWARD_IN_ZONES -i enp0s25 -g FWDI_public
  182. -A FORWARD_IN_ZONES -g FWDI_public
  183. -A FORWARD_OUT_ZONES -o enp0s25 -g FWDO_public
  184. -A FORWARD_OUT_ZONES -g FWDO_public
  185. -A FWDI_public -j FWDI_public_log
  186. -A FWDI_public -j FWDI_public_deny
  187. -A FWDI_public -j FWDI_public_allow
  188. -A FWDO_public -j FWDO_public_log
  189. -A FWDO_public -j FWDO_public_deny
  190. -A FWDO_public -j FWDO_public_allow
  191. -A INPUT_ZONES -i enp0s25 -g IN_public
  192. -A INPUT_ZONES -g IN_public
  193. -A IN_public -j IN_public_log
  194. -A IN_public -j IN_public_deny
  195. -A IN_public -j IN_public_allow
  # The only host service the public zone admits: new TCP connections to
  # port 22. Published container ports are not governed by this chain (see
  # the nat-table DNAT rules and the FORWARD/DOCKER rules above).
  196. -A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
  197. COMMIT
  198. # Completed on Thu Oct 27 11:45:08 2016