adhioutlined

XenServer-IPTABLES_myLiberty_XSNEUTRON

Sep 23rd, 2016
  1. ==========================================
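  2. XENSERVER IPTABLES (plain `iptables -L` listing: without -v the in/out interface columns are not shown, so an "ACCEPT all anywhere anywhere" rule may actually be limited to one interface; without -n addresses appear as resolved names. Compare against `iptables -L -n -v` or `iptables-save` before judging how permissive a rule is.)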
  3. ==========================================
  4.  
  5. # iptables -L
  6. Chain INPUT (policy ACCEPT)
  7. target     prot opt source               destination
  8. neutron-openvswi-INPUT  all  --  anywhere             anywhere
  9. ACCEPT     gre  --  anywhere             anywhere
  10. RH-Firewall-1-INPUT  all  --  anywhere             anywhere
  11.  
  12. Chain FORWARD (policy DROP)
  13. target     prot opt source               destination
  14. neutron-filter-top  all  --  anywhere             anywhere
  15. neutron-openvswi-FORWARD  all  --  anywhere             anywhere
  16. RH-Firewall-1-INPUT  all  --  anywhere             anywhere
  17. ACCEPT     all  --  anywhere             anywhere             PHYSDEV match --physdev-in eth0
  18. ACCEPT     all  --  anywhere             anywhere             PHYSDEV match --physdev-in eth1
  19.  
  20. Chain OUTPUT (policy ACCEPT)
  21. target     prot opt source               destination
  22. neutron-filter-top  all  --  anywhere             anywhere
  23. neutron-openvswi-OUTPUT  all  --  anywhere             anywhere
  24.  
  25. Chain RH-Firewall-1-INPUT (2 references)
  26. target     prot opt source               destination
  27. ACCEPT     all  --  anywhere             anywhere
  28. ACCEPT     icmp --  anywhere             anywhere             icmp any
  29. ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
  30. ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
  31. ACCEPT     udp  --  anywhere             anywhere             ctstate NEW udp dpt:ha-cluster
  32. ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:ssh
  33. ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:http
  34. ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:https
  35. ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:21064
  36. ACCEPT     udp  --  anywhere             anywhere             multiport dports hpoms-dps-lstn,netsupport
  37. REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
  38.  
  39. Chain neutron-filter-top (2 references)
  40. target     prot opt source               destination
  41. neutron-openvswi-local  all  --  anywhere             anywhere
  42.  
  43. Chain neutron-openvswi-FORWARD (1 references)
  44. target     prot opt source               destination
  45. neutron-openvswi-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-out tap696e1525-a5 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
  46. neutron-openvswi-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tap696e1525-a5 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
  47. neutron-openvswi-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-out tapb03ff89d-4b --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
  48. neutron-openvswi-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tapb03ff89d-4b --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
  49.  
  50. Chain neutron-openvswi-INPUT (1 references)
  51. target     prot opt source               destination
  52. neutron-openvswi-o696e1525-a  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tap696e1525-a5 --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */
  53. neutron-openvswi-ob03ff89d-4  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tapb03ff89d-4b --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */
  54.  
  55. Chain neutron-openvswi-OUTPUT (1 references)
  56. target     prot opt source               destination
  57.  
  58. Chain neutron-openvswi-i696e1525-a (1 references)
  59. target     prot opt source               destination
  60. RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
  61. RETURN     udp  --  10.0.1.2             anywhere             udp spt:bootps udp dpt:bootpc
  62. DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
  63. neutron-openvswi-sg-fallback  all  --  anywhere             anywhere             /* Send unmatched traffic to the fallback chain. */
  64.  
  65. Chain neutron-openvswi-ib03ff89d-4 (1 references)
  66. target     prot opt source               destination
  67. RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
  68. RETURN     udp  --  ipv4-85-53-2.as55666.net  anywhere             udp spt:bootps udp dpt:bootpc
  69. DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
  70. neutron-openvswi-sg-fallback  all  --  anywhere             anywhere             /* Send unmatched traffic to the fallback chain. */
  71.  
  72. Chain neutron-openvswi-local (1 references)
  73. target     prot opt source               destination
  74.  
  75. Chain neutron-openvswi-o696e1525-a (2 references)
  76. target     prot opt source               destination
  77. RETURN     udp  --  default              255.255.255.255      udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
  78. neutron-openvswi-s696e1525-a  all  --  anywhere             anywhere
  79. RETURN     udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
  80. DROP       udp  --  anywhere             anywhere             udp spt:bootps udp dpt:bootpc /* Prevent DHCP Spoofing by VM. */
  81. RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
  82. DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
  83. neutron-openvswi-sg-fallback  all  --  anywhere             anywhere             /* Send unmatched traffic to the fallback chain. */
  84.  
  85. Chain neutron-openvswi-ob03ff89d-4 (2 references)
  86. target     prot opt source               destination
  87. RETURN     udp  --  default              255.255.255.255      udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
  88. neutron-openvswi-sb03ff89d-4  all  --  anywhere             anywhere
  89. RETURN     udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
  90. DROP       udp  --  anywhere             anywhere             udp spt:bootps udp dpt:bootpc /* Prevent DHCP Spoofing by VM. */
  91. RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
  92. DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
  93. neutron-openvswi-sg-fallback  all  --  anywhere             anywhere             /* Send unmatched traffic to the fallback chain. */
  94.  
  95. Chain neutron-openvswi-s696e1525-a (1 references)
  96. target     prot opt source               destination
  97. RETURN     all  --  10.0.1.23            anywhere             MAC FA:16:3E:F7:C6:38 /* Allow traffic from defined IP/MAC pairs. */
  98. DROP       all  --  anywhere             anywhere             /* Drop traffic without an IP/MAC allow rule. */
  99.  
  100. Chain neutron-openvswi-sb03ff89d-4 (1 references)
  101. target     prot opt source               destination
  102. RETURN     all  --  ipv4-86-53-2.as55666.net  anywhere             MAC FA:16:3E:DF:6D:E1 /* Allow traffic from defined IP/MAC pairs. */
  103. DROP       all  --  anywhere             anywhere             /* Drop traffic without an IP/MAC allow rule. */
  104.  
  105. Chain neutron-openvswi-sg-chain (4 references)
  106. target     prot opt source               destination
  107. neutron-openvswi-i696e1525-a  all  --  anywhere             anywhere             PHYSDEV match --physdev-out tap696e1525-a5 --physdev-is-bridged /* Jump to the VM specific chain. */
  108. neutron-openvswi-o696e1525-a  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tap696e1525-a5 --physdev-is-bridged /* Jump to the VM specific chain. */
  109. neutron-openvswi-ib03ff89d-4  all  --  anywhere             anywhere             PHYSDEV match --physdev-out tapb03ff89d-4b --physdev-is-bridged /* Jump to the VM specific chain. */
  110. neutron-openvswi-ob03ff89d-4  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tapb03ff89d-4b --physdev-is-bridged /* Jump to the VM specific chain. */
  111. ACCEPT     all  --  anywhere             anywhere
  112.  
  113. Chain neutron-openvswi-sg-fallback (4 references)
  114. target     prot opt source               destination
  115. DROP       all  --  anywhere             anywhere             /* Default drop rule for unmatched traffic. */