Advertisement
csakthikumar

dhcp renew failure- recreated

Aug 26th, 2020
32
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. My DHCP server config:
  2. subnet 172.16.2.0 netmask 255.255.255.0 {
  3. range 172.16.2.2 172.16.2.2;
  4. option routers 172.16.2.3;
  5. default-lease-time 300;
  6. max-lease-time 600;
  7. }
  8.  
  9.  
  10. packet capture in my EDGE:(DHCP client)
  11. edge:b2-edge1:~# tcpdump udp port '(67 or 68)' -nnpe -i eth4
  12. tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  13. listening on eth4, link-type EN10MB (Ethernet), capture size 262144 bytes
  14. 15:49:00.177897 02:42:ac:10:02:02 > 02:42:ac:10:02:03, ethertype IPv4 (0x0800), length 342: 172.16.2.2.68 > 172.16.2.3.67: BOOTP/DHCP, Request from 02:42:ac:10:02:02, length 300
  15. 15:49:00.181304 02:42:ac:10:02:03 > 02:42:ac:10:02:02, ethertype IPv4 (0x0800), length 342: 172.16.2.3.67 > 172.16.2.2.68: BOOTP/DHCP, Reply, length 300
  16. 15:50:15.253255 02:42:ac:10:02:02 > 02:42:ac:10:02:03, ethertype IPv4 (0x0800), length 342: 172.16.2.2.68 > 172.16.2.3.67: BOOTP/DHCP, Request from 02:42:ac:10:02:02, length 300
  17. 15:50:15.253687 02:42:ac:10:02:03 > 02:42:ac:10:02:02, ethertype IPv4 (0x0800), length 342: 172.16.2.3.67 > 172.16.2.2.68: BOOTP/DHCP, Reply, length 300
  18. 15:50:52.329879 02:42:ac:10:02:02 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 172.16.2.2.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 02:42:ac:10:02:02, length 300
  19. 15:50:52.332624 02:42:ac:10:02:03 > 02:42:ac:10:02:02, ethertype IPv4 (0x0800), length 342: 172.16.2.3.67 > 172.16.2.2.68: BOOTP/DHCP, Reply, length 300
  20. 15:53:22.473984 02:42:ac:10:02:02 > 02:42:ac:10:02:03, ethertype IPv4 (0x0800), length 342: 172.16.2.2.68 > 172.16.2.3.67: BOOTP/DHCP, Request from 02:42:ac:10:02:02, length 300
  21. 15:53:22.475907 02:42:ac:10:02:03 > 02:42:ac:10:02:02, ethertype IPv4 (0x0800), length 342: 172.16.2.3.67 > 172.16.2.2.68: BOOTP/DHCP, Reply, length 300
  22. 15:54:37.549189 02:42:ac:10:02:02 > 02:42:ac:10:02:03, ethertype IPv4 (0x0800), length 342: 172.16.2.2.68 > 172.16.2.3.67: BOOTP/DHCP, Request from 02:42:ac:10:02:02, length 300
  23. 15:54:37.549619 02:42:ac:10:02:03 > 02:42:ac:10:02:02, ethertype IPv4 (0x0800), length 342: 172.16.2.3.67 > 172.16.2.2.68: BOOTP/DHCP, Reply, length 300
  24. 15:55:14.621785 02:42:ac:10:02:02 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 172.16.2.2.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 02:42:ac:10:02:02, length 300
  25. 15:55:14.624184 02:42:ac:10:02:03 > 02:42:ac:10:02:02, ethertype IPv4 (0x0800), length 342: 172.16.2.3.67 > 172.16.2.2.68: BOOTP/DHCP, Reply, length 300
  26. ^C
  27. 12 packets captured
  28. 12 packets received by filter
  29. 0 packets dropped by kernel
  30.  
  31.  
  32. UDHCP log messages in my device:
  33. edge:b2-edge1:~# tail -f /var/log/messages | grep -i dhcp
  34. 2020-08-26T15:49:00.178 NOTICE daemon netifd: GE5 (11668): udhcpc: sending renew to 172.16.2.3
  35. 2020-08-26T15:50:15.253 NOTICE daemon netifd: GE5 (11668): udhcpc: sending renew to 172.16.2.3
  36. 2020-08-26T15:50:52.310 NOTICE daemon netifd: GE5 (11668): udhcpc: sending renew to 0.0.0.0
  37. 2020-08-26T15:50:52.346 NOTICE daemon netifd: GE5 (11668): udhcpc: lease of 172.16.2.2 obtained, lease time 300
  38. 2020-08-26T15:53:22.473 NOTICE daemon netifd: GE5 (11668): udhcpc: sending renew to 172.16.2.3
  39. 2020-08-26T15:54:37.549 NOTICE daemon netifd: GE5 (11668): udhcpc: sending renew to 172.16.2.3
  40. 2020-08-26T15:55:14.605 NOTICE daemon netifd: GE5 (11668): udhcpc: sending renew to 0.0.0.0
  41. 2020-08-26T15:55:14.637 NOTICE daemon netifd: GE5 (11668): udhcpc: lease of 172.16.2.2 obtained, lease time 300
  42.  
  43.  
  44. Interface in which DHCP is configured:
  45. edge:b2-edge1:~# ifconfig eth4
  46. eth4 Link encap:Ethernet HWaddr 02:42:AC:10:02:02
  47. inet addr:172.16.2.2 Bcast:172.16.2.255 Mask:255.255.255.0
  48. UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
  49. RX packets:2782418 errors:0 dropped:0 overruns:0 frame:0
  50. TX packets:406817 errors:0 dropped:0 overruns:0 carrier:0
  51. collisions:0 txqueuelen:10000
  52. RX bytes:185307570 (176.7 Mb) TX bytes:18115794 (17.2 Mb)
  53. --
  54. Server side interface config:
  55. root@b2-l3switch1:~# ifconfig eth2
  56. eth2 Link encap:Ethernet HWaddr 02:42:ac:10:02:03
  57. inet addr:172.16.2.3 Bcast:172.16.2.7 Mask:255.255.255.248
  58. UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
  59. RX packets:406855 errors:0 dropped:0 overruns:0 frame:0
  60. TX packets:2801381 errors:0 dropped:0 overruns:0 carrier:0
  61. collisions:0 txqueuelen:0
  62. RX bytes:17161070 (17.1 MB) TX bytes:186134516 (186.1 MB)
  63.  
  64. root@b2-l3switch1:~#
  65.  
  66.  
  67. Requested logs:
  68. edge:b2-edge1:~#
  69. edge:b2-edge1:~# ubus call system board; \
  70. > uci export network; uci export wireless; \
  71. > uci export dhcp; uci export firewall; \
  72. > head -n -0 /etc/firewall.user; \
  73. > iptables-save -c; \
  74. > ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
  75. {
  76. "kernel": "4.15.0-1057-aws",
  77. "hostname": "vc-edge",
  78. "system": "Intel(R) Xeon(R) CPU E5-2686 v4 @ 2.30GHz",
  79. "release": {
  80. "distribution": "OpenWrt",
  81. "version": "cc-remerge-618-g0acfaf8",
  82. "revision": "r0+2278-0acfaf8",
  83. "codename": "masked_vc-xen-aws",
  84. "target": "x64/vc-xen-aws",
  85. "description": "OpenWrt masked vc-xen-aws cc-remerge-618-g0acfaf8"
  86. }
  87. }
  88. package network
  89.  
  90. config interface 'loopback'
  91. option ifname 'lo'
  92. option proto 'static'
  93. option ipaddr '127.0.0.1'
  94. option netmask '255.0.0.0'
  95. option ipv6 '0'
  96.  
  97. config interface 'management'
  98. option ifname 'management'
  99. option type 'bridge'
  100. option bridge_empty '1'
  101. option force_link '1'
  102. option proto 'static'
  103. list ipaddr '10.0.2.2'
  104. option netmask '255.255.255.255'
  105. option ipv6 '0'
  106.  
  107. config interface 'segmgmt'
  108. option ifname 'segmgmt'
  109. option type 'bridge'
  110. option bridge_empty '1'
  111. option force_link '1'
  112. option proto 'static'
  113. list ipaddr '169.254.3.1'
  114. list ipaddr '169.254.3.2'
  115. list ipaddr '169.254.3.3'
  116. option netmask '255.255.255.255'
  117. option ipv6 '0'
  118.  
  119. config interface 'network1'
  120. option ifname 'eth0 eth1'
  121. option proto 'static'
  122. option type 'bridge'
  123. list ipaddr '10.0.2.1/24'
  124. option ipv6 '0'
  125. option mtu '1500'
  126.  
  127. config interface 'network100'
  128. option ifname 'eth1.100'
  129. option proto 'static'
  130. option type 'bridge'
  131. list ipaddr '10.100.2.1/24'
  132. option ipv6 '0'
  133. option mtu '1500'
  134.  
  135. config interface 'network101'
  136. option ifname 'eth1.101'
  137. option proto 'static'
  138. option type 'bridge'
  139. list ipaddr '10.101.2.1/24'
  140. option ipv6 '0'
  141. option mtu '1500'
  142.  
  143. config interface 'GE3'
  144. option ifname 'eth2'
  145. option proto 'static'
  146. option ipaddr '169.254.6.45'
  147. option netmask '255.255.255.248'
  148. option ipv6 '0'
  149. option mtu '1500'
  150.  
  151. config route 'GE3_DEFAULT_ROUTE'
  152. option interface 'GE3'
  153. option target '0.0.0.0'
  154. option netmask '0.0.0.0'
  155. option gateway '169.254.6.41'
  156. option metric '5'
  157.  
  158. config interface 'GE4'
  159. option ifname 'eth3'
  160. option proto 'static'
  161. option ipaddr '169.254.7.2'
  162. option netmask '255.255.255.248'
  163. option ipv6 '0'
  164. option mtu '1500'
  165.  
  166. config route 'GE4_DEFAULT_ROUTE'
  167. option interface 'GE4'
  168. option target '0.0.0.0'
  169. option netmask '0.0.0.0'
  170. option gateway '169.254.7.1'
  171. option metric '6'
  172.  
  173. config interface 'GE5'
  174. option ifname 'eth4'
  175. option hostname 'vc-ge5'
  176. option proto 'dhcp'
  177. option ipv6 '0'
  178. option mtu '1500'
  179. option metric '7'
  180.  
  181. config interface 'GE5_100'
  182. option ifname 'eth4.100'
  183. option proto 'static'
  184. option ipaddr '172.17.2.2'
  185. option netmask '255.255.255.248'
  186. option ipv6 '0'
  187. option mtu '1500'
  188. option macaddr '02:42:ac:10:02:02'
  189.  
  190. config interface 'GE5_101'
  191. option ifname 'eth4.101'
  192. option proto 'static'
  193. option ipaddr '172.18.2.2'
  194. option netmask '255.255.255.248'
  195. option ipv6 '0'
  196. option mtu '1500'
  197. option macaddr '02:42:ac:10:02:02'
  198.  
  199. config interface 'GE6'
  200. option ifname 'eth5'
  201. option hostname 'vc-ge6'
  202. option proto 'dhcp'
  203. option ipv6 '0'
  204. option mtu '1500'
  205. option metric '8'
  206.  
  207. config interface 'GE7'
  208. option ifname 'eth6'
  209. option hostname 'vc-ge7'
  210. option proto 'dhcp'
  211. option ipv6 '0'
  212. option mtu '1500'
  213. option metric '9'
  214.  
  215. config interface 'GE8'
  216. option ifname 'eth7'
  217. option hostname 'vc-ge8'
  218. option proto 'dhcp'
  219. option ipv6 '0'
  220. option mtu '1500'
  221. option metric '10'
  222.  
  223. uci: Entry not found
  224. package dhcp
  225.  
  226. config dnsmasq 'secure'
  227. option bind_dynamic '1'
  228. option domainneeded '1'
  229. option boguspriv '1'
  230. option filterwin2k '0'
  231. option localise_queries '1'
  232. option rebind_protection '0'
  233. option rebind_localhost '1'
  234. option local '/lan/'
  235. option domain 'lan'
  236. option expandhosts '1'
  237. option noresolv '1'
  238. option nonegcache '1'
  239. option authoritative '1'
  240. option readethers '1'
  241. option dnsforwardmax '500'
  242. option dhcpleasemax '5000'
  243. option dhcpnooverride '1'
  244. option leasefile '/tmp/dhcp.leases.secure'
  245. list server '208.67.222.222@10.0.2.2'
  246. list server '208.67.220.220@10.0.2.2'
  247. list server '/masked.net/8.8.8.8@10.0.2.2'
  248. list server '/masked.net/8.8.4.4@10.0.2.2'
  249. list interface 'network1'
  250. list interface 'network100'
  251. list interface 'network101'
  252. list interface 'vce1'
  253. list interface 'lo'
  254.  
  255. config dhcp 'network1'
  256. option interface 'network1'
  257. option dnsmasq_config 'secure'
  258. option start '13'
  259. option limit '242'
  260. option leasetime '86400'
  261. option force '1'
  262. list dhcp_option '119,masked.net'
  263.  
  264. config host
  265. option ip '10.0.2.25'
  266. option mac '02:42:0a:00:02:19'
  267. option dnsmasq_config 'secure'
  268.  
  269. config dhcp 'network100'
  270. option interface 'network100'
  271. option dnsmasq_config 'secure'
  272. option start '13'
  273. option limit '242'
  274. option leasetime '86400'
  275. option force '1'
  276. list dhcp_option '119,masked.net'
  277.  
  278. config host
  279. option ip '10.100.2.100'
  280. option mac '02:42:0a:00:02:19'
  281. option dnsmasq_config 'secure'
  282.  
  283. config dhcp 'network101'
  284. option interface 'network101'
  285. option dnsmasq_config 'secure'
  286. option start '13'
  287. option limit '242'
  288. option leasetime '86400'
  289. option force '1'
  290. list dhcp_option '119,masked.net'
  291.  
  292. config host
  293. option ip '10.101.2.100'
  294. option mac '02:42:0a:00:02:19'
  295. option dnsmasq_config 'secure'
  296.  
  297. config host
  298. option ip '10.0.2.2'
  299. option mac 'ff:ff:ff:ff:ff:ff'
  300. option dnsmasq_config 'secure'
  301.  
  302. package firewall
  303.  
  304. config defaults
  305. option syn_flood '1'
  306. option input 'ACCEPT'
  307. option output 'ACCEPT'
  308. option forward 'REJECT'
  309. option disable_ipv6 '1'
  310.  
  311. config zone
  312. option name 'GE3'
  313. option network 'GE3'
  314. option input 'REJECT'
  315. option output 'ACCEPT'
  316. option forward 'REJECT'
  317. option masq '1'
  318.  
  319. config rule
  320. option name 'Allow-DHCP-Renew'
  321. option src 'GE3'
  322. option proto 'udp'
  323. option dest_port '68'
  324. option family 'ipv4'
  325. option target 'ACCEPT'
  326.  
  327. config rule
  328. option name 'Allow-Ping'
  329. option src 'GE3'
  330. option proto 'icmp'
  331. option icmp_type 'echo-request'
  332. option family 'ipv4'
  333. option target 'ACCEPT'
  334.  
  335. config zone
  336. option name 'GE4'
  337. option network 'GE4'
  338. option input 'REJECT'
  339. option output 'ACCEPT'
  340. option forward 'REJECT'
  341. option masq '1'
  342.  
  343. config rule
  344. option name 'Allow-DHCP-Renew'
  345. option src 'GE4'
  346. option proto 'udp'
  347. option dest_port '68'
  348. option family 'ipv4'
  349. option target 'ACCEPT'
  350.  
  351. config rule
  352. option name 'Allow-Ping'
  353. option src 'GE4'
  354. option proto 'icmp'
  355. option icmp_type 'echo-request'
  356. option family 'ipv4'
  357. option target 'ACCEPT'
  358.  
  359. config zone
  360. option name 'GE5'
  361. option network 'GE5'
  362. option input 'REJECT'
  363. option output 'ACCEPT'
  364. option forward 'REJECT'
  365. option masq '1'
  366.  
  367. config rule
  368. option name 'Allow-DHCP-Renew'
  369. option src 'GE5'
  370. option proto 'udp'
  371. option dest_port '68'
  372. option family 'ipv4'
  373. option target 'ACCEPT'
  374.  
  375. config rule
  376. option name 'Allow-Ping'
  377. option src 'GE5'
  378. option proto 'icmp'
  379. option icmp_type 'echo-request'
  380. option family 'ipv4'
  381. option target 'ACCEPT'
  382.  
  383. config zone
  384. option name 'GE6'
  385. option network 'GE6'
  386. option input 'REJECT'
  387. option output 'ACCEPT'
  388. option forward 'REJECT'
  389. option masq '1'
  390.  
  391. config rule
  392. option name 'Allow-DHCP-Renew'
  393. option src 'GE6'
  394. option proto 'udp'
  395. option dest_port '68'
  396. option family 'ipv4'
  397. option target 'ACCEPT'
  398.  
  399. config rule
  400. option name 'Allow-Ping'
  401. option src 'GE6'
  402. option proto 'icmp'
  403. option icmp_type 'echo-request'
  404. option family 'ipv4'
  405. option target 'ACCEPT'
  406.  
  407. config zone
  408. option name 'GE7'
  409. option network 'GE7'
  410. option input 'REJECT'
  411. option output 'ACCEPT'
  412. option forward 'REJECT'
  413. option masq '1'
  414.  
  415. config rule
  416. option name 'Allow-DHCP-Renew'
  417. option src 'GE7'
  418. option proto 'udp'
  419. option dest_port '68'
  420. option family 'ipv4'
  421. option target 'ACCEPT'
  422.  
  423. config rule
  424. option name 'Allow-Ping'
  425. option src 'GE7'
  426. option proto 'icmp'
  427. option icmp_type 'echo-request'
  428. option family 'ipv4'
  429. option target 'ACCEPT'
  430.  
  431. config zone
  432. option name 'GE8'
  433. option network 'GE8'
  434. option input 'REJECT'
  435. option output 'ACCEPT'
  436. option forward 'REJECT'
  437. option masq '1'
  438.  
  439. config rule
  440. option name 'Allow-DHCP-Renew'
  441. option src 'GE8'
  442. option proto 'udp'
  443. option dest_port '68'
  444. option family 'ipv4'
  445. option target 'ACCEPT'
  446.  
  447. config rule
  448. option name 'Allow-Ping'
  449. option src 'GE8'
  450. option proto 'icmp'
  451. option icmp_type 'echo-request'
  452. option family 'ipv4'
  453. option target 'ACCEPT'
  454.  
  455. config include
  456. option path '/etc/firewall.user'
  457.  
  458. config zone
  459. option name 'network1'
  460. option network 'network1'
  461. option input 'ACCEPT'
  462. option output 'ACCEPT'
  463. option forward 'REJECT'
  464.  
  465. config forwarding
  466. option src 'network1'
  467. option dest 'GE3'
  468. option proto 'all'
  469. option target 'ACCEPT'
  470.  
  471. config forwarding
  472. option src 'network1'
  473. option dest 'GE4'
  474. option proto 'all'
  475. option target 'ACCEPT'
  476.  
  477. config forwarding
  478. option src 'network1'
  479. option dest 'GE5'
  480. option proto 'all'
  481. option target 'ACCEPT'
  482.  
  483. config forwarding
  484. option src 'network1'
  485. option dest 'GE6'
  486. option proto 'all'
  487. option target 'ACCEPT'
  488.  
  489. config forwarding
  490. option src 'network1'
  491. option dest 'GE7'
  492. option proto 'all'
  493. option target 'ACCEPT'
  494.  
  495. config forwarding
  496. option src 'network1'
  497. option dest 'GE8'
  498. option proto 'all'
  499. option target 'ACCEPT'
  500.  
  501. config rule
  502. option src 'network1'
  503. option dest_port '53'
  504. option proto 'tcpudp'
  505. option target 'ACCEPT'
  506.  
  507. config rule
  508. option src 'network1'
  509. option src_port '67-68'
  510. option dest_port '67-68'
  511. option proto 'udp'
  512. option target 'ACCEPT'
  513.  
  514. config rule
  515. option src 'network1'
  516. option dest_port '2607'
  517. option proto 'tcp'
  518. option target 'REJECT'
  519.  
  520. config zone
  521. option name 'network100'
  522. option network 'network100'
  523. option input 'ACCEPT'
  524. option output 'ACCEPT'
  525. option forward 'REJECT'
  526.  
  527. config forwarding
  528. option src 'network100'
  529. option dest 'GE3'
  530. option proto 'all'
  531. option target 'ACCEPT'
  532.  
  533. config forwarding
  534. option src 'network100'
  535. option dest 'GE4'
  536. option proto 'all'
  537. option target 'ACCEPT'
  538.  
  539. config forwarding
  540. option src 'network100'
  541. option dest 'GE5'
  542. option proto 'all'
  543. option target 'ACCEPT'
  544.  
  545. config forwarding
  546. option src 'network100'
  547. option dest 'GE6'
  548. option proto 'all'
  549. option target 'ACCEPT'
  550.  
  551. config forwarding
  552. option src 'network100'
  553. option dest 'GE7'
  554. option proto 'all'
  555. option target 'ACCEPT'
  556.  
  557. config forwarding
  558. option src 'network100'
  559. option dest 'GE8'
  560. option proto 'all'
  561. option target 'ACCEPT'
  562.  
  563. config rule
  564. option src 'network100'
  565. option dest_port '53'
  566. option proto 'tcpudp'
  567. option target 'ACCEPT'
  568.  
  569. config rule
  570. option src 'network100'
  571. option src_port '67-68'
  572. option dest_port '67-68'
  573. option proto 'udp'
  574. option target 'ACCEPT'
  575.  
  576. config rule
  577. option src 'network100'
  578. option dest_port '2607'
  579. option proto 'tcp'
  580. option target 'REJECT'
  581.  
  582. config zone
  583. option name 'network101'
  584. option network 'network101'
  585. option input 'ACCEPT'
  586. option output 'ACCEPT'
  587. option forward 'REJECT'
  588.  
  589. config forwarding
  590. option src 'network101'
  591. option dest 'GE3'
  592. option proto 'all'
  593. option target 'ACCEPT'
  594.  
  595. config forwarding
  596. option src 'network101'
  597. option dest 'GE4'
  598. option proto 'all'
  599. option target 'ACCEPT'
  600.  
  601. config forwarding
  602. option src 'network101'
  603. option dest 'GE5'
  604. option proto 'all'
  605. option target 'ACCEPT'
  606.  
  607. config forwarding
  608. option src 'network101'
  609. option dest 'GE6'
  610. option proto 'all'
  611. option target 'ACCEPT'
  612.  
  613. config forwarding
  614. option src 'network101'
  615. option dest 'GE7'
  616. option proto 'all'
  617. option target 'ACCEPT'
  618.  
  619. config forwarding
  620. option src 'network101'
  621. option dest 'GE8'
  622. option proto 'all'
  623. option target 'ACCEPT'
  624.  
  625. config rule
  626. option src 'network101'
  627. option dest_port '53'
  628. option proto 'tcpudp'
  629. option target 'ACCEPT'
  630.  
  631. config rule
  632. option src 'network101'
  633. option src_port '67-68'
  634. option dest_port '67-68'
  635. option proto 'udp'
  636. option target 'ACCEPT'
  637.  
  638. config rule
  639. option src 'network101'
  640. option dest_port '2607'
  641. option proto 'tcp'
  642. option target 'REJECT'
  643.  
  644. #!/bin/sh
  645. iptables -t mangle -N LOGGING
  646. iptables -t mangle -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1320
  647. # Generated by iptables-save v1.4.21 on Wed Aug 26 15:56:11 2020
  648. *mangle
  649. :PREROUTING ACCEPT [20598:2694195]
  650. :INPUT ACCEPT [10821:1354977]
  651. :FORWARD ACCEPT [0:0]
  652. :OUTPUT ACCEPT [4:1312]
  653. :POSTROUTING ACCEPT [3564:571851]
  654. :LOGGING - [0:0]
  655. :MODEM_CHAIN - [0:0]
  656. :SEG_LAN_ROUTING_INPUT - [0:0]
  657. :SEG_LAN_ROUTING_OUTPUT - [0:0]
  658. :TUN_CHAIN - [0:0]
  659. :VCMP_MARK_ACL - [0:0]
  660. [20991:2753444] -A PREROUTING -j SEG_LAN_ROUTING_INPUT
  661. [20992:2753493] -A PREROUTING -j VCMP_MARK_ACL
  662. [0:0] -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1320
  663. [3948:612468] -A OUTPUT -j SEG_LAN_ROUTING_OUTPUT
  664. [3949:612545] -A OUTPUT -j TUN_CHAIN
  665. [0:0] -A SEG_LAN_ROUTING_INPUT -i br-network101 -m state --state NEW -j CONNMARK --set-xmark 0xd5/0xffffffff
  666. [0:0] -A SEG_LAN_ROUTING_INPUT -i br-network101 -m state --state NEW -j CONNMARK --set-xmark 0xd5/0xffffffff
  667. [0:0] -A SEG_LAN_ROUTING_INPUT -i br-network100 -m state --state NEW -j CONNMARK --set-xmark 0xd4/0xffffffff
  668. [0:0] -A SEG_LAN_ROUTING_INPUT -i br-network100 -m state --state NEW -j CONNMARK --set-xmark 0xd4/0xffffffff
  669. [2:128] -A SEG_LAN_ROUTING_INPUT -i br-network1 -m state --state NEW -j CONNMARK --set-xmark 0xd3/0xffffffff
  670. [2:128] -A SEG_LAN_ROUTING_INPUT -i br-network1 -m state --state NEW -j CONNMARK --set-xmark 0xd3/0xffffffff
  671. [0:0] -A SEG_LAN_ROUTING_OUTPUT -m connmark --mark 0xd5 -j MARK --set-xmark 0xd5/0xffffffff
  672. [0:0] -A SEG_LAN_ROUTING_OUTPUT -m connmark --mark 0xd4 -j MARK --set-xmark 0xd4/0xffffffff
  673. [484:37982] -A SEG_LAN_ROUTING_OUTPUT -m connmark --mark 0xd3 -j MARK --set-xmark 0xd3/0xffffffff
  674. [2507:478692] -A TUN_CHAIN -p tcp -j MODEM_CHAIN
  675. [0:0] -A TUN_CHAIN -m connmark --mark 0xd8 -j MARK --set-xmark 0xd8/0xffffffff
  676. [0:0] -A TUN_CHAIN -m connmark --mark 0xd8 -j ACCEPT
  677. [0:0] -A TUN_CHAIN -m connmark --mark 0xd7 -j MARK --set-xmark 0xd7/0xffffffff
  678. [0:0] -A TUN_CHAIN -m connmark --mark 0xd7 -j ACCEPT
  679. [0:0] -A TUN_CHAIN -m connmark --mark 0xda -j MARK --set-xmark 0xda/0xffffffff
  680. [0:0] -A TUN_CHAIN -m connmark --mark 0xda -j ACCEPT
  681. [0:0] -A TUN_CHAIN -m connmark --mark 0xd9 -j MARK --set-xmark 0xd9/0xffffffff
  682. [0:0] -A TUN_CHAIN -m connmark --mark 0xd9 -j ACCEPT
  683. [0:0] -A TUN_CHAIN -m connmark --mark 0xd6 -j MARK --set-xmark 0xd6/0xffffffff
  684. [0:0] -A TUN_CHAIN -m connmark --mark 0xd6 -j ACCEPT
  685. [699:63961] -A TUN_CHAIN -d 127.0.0.1/32 -j ACCEPT
  686. [512:36992] -A TUN_CHAIN -o lo -j ACCEPT
  687. [0:0] -A TUN_CHAIN -s 169.254.3.0/24 -j MARK --set-xmark 0xc8/0xffffffff
  688. [0:0] -A TUN_CHAIN -s 169.254.3.0/24 -j ACCEPT
  689. [484:37982] -A TUN_CHAIN -o br-network1 -j ACCEPT
  690. [0:0] -A TUN_CHAIN -o br-network100 -j ACCEPT
  691. [0:0] -A TUN_CHAIN -o br-network101 -j ACCEPT
  692. [1776:423978] -A TUN_CHAIN -s 10.0.2.2/32 -j MARK --set-xmark 0xc8/0xffffffff
  693. [1776:423978] -A TUN_CHAIN -s 10.0.2.2/32 -j ACCEPT
  694. [0:0] -A TUN_CHAIN -p tcp -m multiport --sports 179 -j MARK --set-xmark 0xc8/0xffffffff
  695. [0:0] -A TUN_CHAIN -p tcp -m multiport --sports 179 -j ACCEPT
  696. [92:7746] -A TUN_CHAIN -p tcp -m multiport --dports 22,53,80,123,443,61000,179 -j MARK --set-xmark 0xc8/0xffffffff
  697. [92:7746] -A TUN_CHAIN -p tcp -m multiport --dports 22,53,80,123,443,61000,179 -j ACCEPT
  698. [0:0] -A TUN_CHAIN -p udp -m multiport --dports 53,123 -j MARK --set-xmark 0xc8/0xffffffff
  699. [0:0] -A TUN_CHAIN -p udp -m multiport --dports 53,123 -j ACCEPT
  700. [0:0] -A TUN_CHAIN -p icmp -m icmp --icmp-type 8/0 -j MARK --set-xmark 0xc8/0xffffffff
  701. [0:0] -A TUN_CHAIN -p icmp -j ACCEPT
  702. [747:39744] -A VCMP_MARK_ACL -i eth4 -m state --state NEW -j CONNMARK --set-xmark 0xd6/0xffffffff
  703. [673:35268] -A VCMP_MARK_ACL -i eth4.100 -m state --state NEW -j CONNMARK --set-xmark 0xd9/0xffffffff
  704. [671:35164] -A VCMP_MARK_ACL -i eth4.101 -m state --state NEW -j CONNMARK --set-xmark 0xda/0xffffffff
  705. [5480:359173] -A VCMP_MARK_ACL -i eth2 -m state --state NEW -j CONNMARK --set-xmark 0xd7/0xffffffff
  706. [9704:1335666] -A VCMP_MARK_ACL -i eth3 -m state --state NEW -j CONNMARK --set-xmark 0xd8/0xffffffff
  707. COMMIT
  708. # Completed on Wed Aug 26 15:56:11 2020
  709. # Generated by iptables-save v1.4.21 on Wed Aug 26 15:56:11 2020
  710. *filter
  711. :INPUT ACCEPT [9:8040]
  712. :FORWARD DROP [0:0]
  713. :OUTPUT ACCEPT [0:0]
  714. :PORTAL_INPUT - [0:0]
  715. :SEG_MGMT - [0:0]
  716. :VCMP_FWD_ACL - [0:0]
  717. :VCMP_IN_ACL - [0:0]
  718. :VCMP_IN_ACL_PERSIST - [0:0]
  719. :VCMP_IN_ACL_SEGMENT - [0:0]
  720. :VCMP_OUT_ACL - [0:0]
  721. :forwarding_GE3_rule - [0:0]
  722. :forwarding_GE4_rule - [0:0]
  723. :forwarding_GE5_rule - [0:0]
  724. :forwarding_GE6_rule - [0:0]
  725. :forwarding_GE7_rule - [0:0]
  726. :forwarding_GE8_rule - [0:0]
  727. :forwarding_network0_rule - [0:0]
  728. :forwarding_network1_rule - [0:0]
  729. :forwarding_rule - [0:0]
  730. :input_GE3_rule - [0:0]
  731. :input_GE4_rule - [0:0]
  732. :input_GE5_rule - [0:0]
  733. :input_GE6_rule - [0:0]
  734. :input_GE7_rule - [0:0]
  735. :input_GE8_rule - [0:0]
  736. :input_network0_rule - [0:0]
  737. :input_network1_rule - [0:0]
  738. :input_rule - [0:0]
  739. :output_GE3_rule - [0:0]
  740. :output_GE4_rule - [0:0]
  741. :output_GE5_rule - [0:0]
  742. :output_GE6_rule - [0:0]
  743. :output_GE7_rule - [0:0]
  744. :output_GE8_rule - [0:0]
  745. :output_network0_rule - [0:0]
  746. :output_network1_rule - [0:0]
  747. :output_rule - [0:0]
  748. :reject - [0:0]
  749. :syn_flood - [0:0]
  750. :zone_GE3_dest_ACCEPT - [0:0]
  751. :zone_GE3_dest_REJECT - [0:0]
  752. :zone_GE3_forward - [0:0]
  753. :zone_GE3_input - [0:0]
  754. :zone_GE3_output - [0:0]
  755. :zone_GE3_src_REJECT - [0:0]
  756. :zone_GE4_dest_ACCEPT - [0:0]
  757. :zone_GE4_dest_REJECT - [0:0]
  758. :zone_GE4_forward - [0:0]
  759. :zone_GE4_input - [0:0]
  760. :zone_GE4_output - [0:0]
  761. :zone_GE4_src_REJECT - [0:0]
  762. :zone_GE5_dest_ACCEPT - [0:0]
  763. :zone_GE5_dest_REJECT - [0:0]
  764. :zone_GE5_forward - [0:0]
  765. :zone_GE5_input - [0:0]
  766. :zone_GE5_output - [0:0]
  767. :zone_GE5_src_REJECT - [0:0]
  768. :zone_GE6_dest_ACCEPT - [0:0]
  769. :zone_GE6_dest_REJECT - [0:0]
  770. :zone_GE6_forward - [0:0]
  771. :zone_GE6_input - [0:0]
  772. :zone_GE6_output - [0:0]
  773. :zone_GE6_src_REJECT - [0:0]
  774. :zone_GE7_dest_ACCEPT - [0:0]
  775. :zone_GE7_dest_REJECT - [0:0]
  776. :zone_GE7_forward - [0:0]
  777. :zone_GE7_input - [0:0]
  778. :zone_GE7_output - [0:0]
  779. :zone_GE7_src_REJECT - [0:0]
  780. :zone_GE8_dest_ACCEPT - [0:0]
  781. :zone_GE8_dest_REJECT - [0:0]
  782. :zone_GE8_forward - [0:0]
  783. :zone_GE8_input - [0:0]
  784. :zone_GE8_output - [0:0]
  785. :zone_GE8_src_REJECT - [0:0]
  786. :zone_network0_forward - [0:0]
  787. :zone_network0_input - [0:0]
  788. :zone_network0_output - [0:0]
  789. :zone_network100_dest_ACCEPT - [0:0]
  790. :zone_network100_dest_REJECT - [0:0]
  791. :zone_network100_forward - [0:0]
  792. :zone_network100_input - [0:0]
  793. :zone_network100_output - [0:0]
  794. :zone_network100_src_ACCEPT - [0:0]
  795. :zone_network101_dest_ACCEPT - [0:0]
  796. :zone_network101_dest_REJECT - [0:0]
  797. :zone_network101_forward - [0:0]
  798. :zone_network101_input - [0:0]
  799. :zone_network101_output - [0:0]
  800. :zone_network101_src_ACCEPT - [0:0]
  801. :zone_network1_dest_ACCEPT - [0:0]
  802. :zone_network1_dest_REJECT - [0:0]
  803. :zone_network1_forward - [0:0]
  804. :zone_network1_input - [0:0]
  805. :zone_network1_output - [0:0]
  806. :zone_network1_src_ACCEPT - [0:0]
  807. [0:0] -A INPUT -s 192.168.32.2/32 -i vce1 -p tcp -m tcp --sport 80 -j DROP
  808. [528:52872] -A INPUT -p icmp -j SEG_MGMT
  809. [10981:1391408] -A INPUT -j VCMP_IN_ACL_PERSIST
  810. [10636:1379371] -A INPUT -j VCMP_IN_ACL_SEGMENT
  811. [10636:1379371] -A INPUT -j VCMP_IN_ACL
  812. [0:0] -A INPUT -s 192.168.32.2/32 -i vce1 -p tcp -m tcp --sport 80 -j DROP
  813. [2054:172113] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
  814. [1653:789055] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
  815. [1602:778764] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
  816. [0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
  817. [12:672] -A INPUT -i eth2 -m comment --comment "!fw3" -j zone_GE3_input
  818. [0:0] -A INPUT -i eth3 -m comment --comment "!fw3" -j zone_GE4_input
  819. [10:520] -A INPUT -i eth4 -m comment --comment "!fw3" -j zone_GE5_input
  820. [0:0] -A INPUT -i eth5 -m comment --comment "!fw3" -j zone_GE6_input
  821. [0:0] -A INPUT -i eth6 -m comment --comment "!fw3" -j zone_GE7_input
  822. [0:0] -A INPUT -i eth7 -m comment --comment "!fw3" -j zone_GE8_input
  823. [0:0] -A INPUT -i br-network1 -m comment --comment "!fw3" -j zone_network1_input
  824. [0:0] -A INPUT -i br-network100 -m comment --comment "!fw3" -j zone_network100_input
  825. [0:0] -A INPUT -i br-network101 -m comment --comment "!fw3" -j zone_network101_input
  826. [0:0] -A FORWARD -o vce1 -j ACCEPT
  827. [0:0] -A FORWARD -i vce1 -j ACCEPT
  828. [0:0] -A FORWARD -j VCMP_FWD_ACL
  829. [0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
  830. [0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
  831. [0:0] -A FORWARD -i eth2 -m comment --comment "!fw3" -j zone_GE3_forward
  832. [0:0] -A FORWARD -i eth3 -m comment --comment "!fw3" -j zone_GE4_forward
  833. [0:0] -A FORWARD -i eth4 -m comment --comment "!fw3" -j zone_GE5_forward
  834. [0:0] -A FORWARD -i eth5 -m comment --comment "!fw3" -j zone_GE6_forward
  835. [0:0] -A FORWARD -i eth6 -m comment --comment "!fw3" -j zone_GE7_forward
  836. [0:0] -A FORWARD -i eth7 -m comment --comment "!fw3" -j zone_GE8_forward
  837. [0:0] -A FORWARD -i br-network1 -m comment --comment "!fw3" -j zone_network1_forward
  838. [0:0] -A FORWARD -i br-network100 -m comment --comment "!fw3" -j zone_network100_forward
  839. [0:0] -A FORWARD -i br-network101 -m comment --comment "!fw3" -j zone_network101_forward
  840. [0:0] -A FORWARD -m comment --comment "!fw3" -j reject
  841. [3949:612545] -A OUTPUT -j VCMP_OUT_ACL
  842. [2054:172113] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
  843. [2477:489314] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
  844. [2300:480578] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
  845. [176:8408] -A OUTPUT -o eth2 -m comment --comment "!fw3" -j zone_GE3_output
  846. [0:0] -A OUTPUT -o eth3 -m comment --comment "!fw3" -j zone_GE4_output
  847. [1:328] -A OUTPUT -o eth4 -m comment --comment "!fw3" -j zone_GE5_output
  848. [0:0] -A OUTPUT -o eth5 -m comment --comment "!fw3" -j zone_GE6_output
  849. [0:0] -A OUTPUT -o eth6 -m comment --comment "!fw3" -j zone_GE7_output
  850. [0:0] -A OUTPUT -o eth7 -m comment --comment "!fw3" -j zone_GE8_output
  851. [0:0] -A OUTPUT -o br-network1 -m comment --comment "!fw3" -j zone_network1_output
  852. [0:0] -A OUTPUT -o br-network100 -m comment --comment "!fw3" -j zone_network100_output
  853. [0:0] -A OUTPUT -o br-network101 -m comment --comment "!fw3" -j zone_network101_output
  854. [0:0] -A SEG_MGMT ! -s 10.101.2.0/24 -d 10.101.2.1/32 -p icmp -m icmp --icmp-type 8 -j DROP
  855. [0:0] -A SEG_MGMT ! -s 10.101.2.0/24 -d 10.101.2.1/32 -p icmp -m icmp --icmp-type 8 -j DROP
  856. [0:0] -A SEG_MGMT ! -s 10.100.2.0/24 -d 10.100.2.1/32 -p icmp -m icmp --icmp-type 8 -j DROP
  857. [0:0] -A SEG_MGMT ! -s 10.100.2.0/24 -d 10.100.2.1/32 -p icmp -m icmp --icmp-type 8 -j DROP
  858. [0:0] -A SEG_MGMT ! -s 10.0.2.0/24 -d 10.0.2.1/32 -p icmp -m icmp --icmp-type 8 -j DROP
  859. [0:0] -A SEG_MGMT ! -s 10.0.2.0/24 -d 10.0.2.1/32 -p icmp -m icmp --icmp-type 8 -j DROP
  860. [0:0] -A VCMP_FWD_ACL -i br-network1 -o br-network100 -j DROP
  861. [0:0] -A VCMP_FWD_ACL -i br-network1 -o br-network101 -j DROP
  862. [0:0] -A VCMP_FWD_ACL -i br-network100 -o br-network1 -j DROP
  863. [0:0] -A VCMP_FWD_ACL -i br-network100 -o br-network101 -j DROP
  864. [0:0] -A VCMP_FWD_ACL -i br-network101 -o br-network1 -j DROP
  865. [0:0] -A VCMP_FWD_ACL -i br-network101 -o br-network100 -j DROP
  866. [0:0] -A VCMP_FWD_ACL -j DROP
  867. [0:0] -A VCMP_IN_ACL -s 192.168.14.1/32 -j ACCEPT
  868. [0:0] -A VCMP_IN_ACL -s 192.168.32.2/32 -j ACCEPT
  869. [0:0] -A VCMP_IN_ACL -i eth4 -p icmp -m icmp --icmp-type 11 -j ACCEPT
  870. [0:0] -A VCMP_IN_ACL -i eth4 -p icmp -m icmp --icmp-type 3 -j ACCEPT
  871. [679:37156] -A VCMP_IN_ACL -i eth4 -j DROP
  872. [0:0] -A VCMP_IN_ACL -i eth4.100 -p icmp -m icmp --icmp-type 11 -j ACCEPT
  873. [0:0] -A VCMP_IN_ACL -i eth4.100 -p icmp -m icmp --icmp-type 3 -j ACCEPT
  874. [673:35268] -A VCMP_IN_ACL -i eth4.100 -j DROP
  875. [0:0] -A VCMP_IN_ACL -i eth4.101 -p icmp -m icmp --icmp-type 11 -j ACCEPT
  876. [0:0] -A VCMP_IN_ACL -i eth4.101 -p icmp -m icmp --icmp-type 3 -j ACCEPT
  877. [671:35164] -A VCMP_IN_ACL -i eth4.101 -j DROP
  878. [0:0] -A VCMP_IN_ACL -i eth2 -p icmp -m icmp --icmp-type 11 -j ACCEPT
  879. [0:0] -A VCMP_IN_ACL -i eth2 -p icmp -m icmp --icmp-type 3 -j ACCEPT
  880. [5482:359269] -A VCMP_IN_ACL -i eth2 -j DROP
  881. [0:0] -A VCMP_IN_ACL -i eth3 -p icmp -m icmp --icmp-type 11 -j ACCEPT
  882. [0:0] -A VCMP_IN_ACL -i eth3 -p icmp -m icmp --icmp-type 3 -j ACCEPT
  883. [0:0] -A VCMP_IN_ACL -i eth3 -j DROP
  884. [0:0] -A VCMP_IN_ACL -i br-network1 -p tcp -m tcp --dport 179 -j DROP
  885. [0:0] -A VCMP_IN_ACL -i br-network1 -p tcp -m tcp --sport 179 -j DROP
  886. [0:0] -A VCMP_IN_ACL -i br-network100 -p tcp -m tcp --dport 179 -j DROP
  887. [0:0] -A VCMP_IN_ACL -i br-network100 -p tcp -m tcp --sport 179 -j DROP
  888. [0:0] -A VCMP_IN_ACL -i br-network101 -p tcp -m tcp --dport 179 -j DROP
  889. [0:0] -A VCMP_IN_ACL -i br-network101 -p tcp -m tcp --sport 179 -j DROP
  890. [0:0] -A VCMP_IN_ACL_PERSIST -s 169.254.6.41/32 -p tcp -m tcp --dport 22 -j ACCEPT
  891. [0:0] -A VCMP_IN_ACL_PERSIST -s 169.254.7.1/32 -p tcp -m tcp --dport 22 -j ACCEPT
  892. [0:0] -A VCMP_IN_ACL_PERSIST -s 172.16.2.3/32 -p tcp -m tcp --dport 22 -j ACCEPT
  893. [562:32550] -A VCMP_IN_ACL_PERSIST -s 10.0.2.25/32 -p tcp -m tcp --dport 22 -j ACCEPT
  894. [0:0] -A VCMP_IN_ACL_PERSIST -p tcp -m tcp --dport 22 -j DROP
  895. [0:0] -A VCMP_IN_ACL_PERSIST -p udp -m udp --dport 161 -j DROP
  896. [0:0] -A VCMP_IN_ACL_PERSIST -p tcp -m tcp --dport 80 -j DROP
  897. [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.100.2.1/32 -i br-network101 -j DROP
  898. [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.0.2.1/32 -i br-network101 -j DROP
  899. [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.0.2.2/32 -i br-network101 -j DROP
  900. [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.101.2.1/32 -i br-network100 -j DROP
  901. [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.0.2.1/32 -i br-network100 -j DROP
  902. [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.0.2.2/32 -i br-network100 -j DROP
  903. [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.101.2.1/32 -i br-network1 -j DROP
  904. [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.100.2.1/32 -i br-network1 -j DROP
  905. [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.101.2.1/32 -i br-management -j DROP
  906. [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.100.2.1/32 -i br-management -j DROP
  907. [0:0] -A VCMP_OUT_ACL -p icmp -m icmp --icmp-type 11/0 -j DROP
  908. [0:0] -A VCMP_OUT_ACL -o eth4 -p icmp -m icmp --icmp-type 5 -j DROP
  909. [0:0] -A VCMP_OUT_ACL -o eth4.100 -p icmp -m icmp --icmp-type 5 -j DROP
  910. [0:0] -A VCMP_OUT_ACL -o eth4.101 -p icmp -m icmp --icmp-type 5 -j DROP
  911. [0:0] -A VCMP_OUT_ACL -o eth2 -p icmp -m icmp --icmp-type 5 -j DROP
  912. [0:0] -A VCMP_OUT_ACL -o eth3 -p icmp -m icmp --icmp-type 5 -j DROP
  913. [2:96] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
  914. [20:1096] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
  915. [0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
  916. [0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
  917. [5:200] -A zone_GE3_dest_ACCEPT -o eth2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
  918. [171:8208] -A zone_GE3_dest_ACCEPT -o eth2 -m comment --comment "!fw3" -j ACCEPT
  919. [0:0] -A zone_GE3_dest_REJECT -o eth2 -m comment --comment "!fw3" -j reject
  920. [0:0] -A zone_GE3_forward -m comment --comment "!fw3: Custom GE3 forwarding rule chain" -j forwarding_GE3_rule
  921. [0:0] -A zone_GE3_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  922. [0:0] -A zone_GE3_forward -m comment --comment "!fw3" -j zone_GE3_dest_REJECT
  923. [12:672] -A zone_GE3_input -m comment --comment "!fw3: Custom GE3 input rule chain" -j input_GE3_rule
  924. [0:0] -A zone_GE3_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
  925. [0:0] -A zone_GE3_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
  926. [0:0] -A zone_GE3_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  927. [12:672] -A zone_GE3_input -m comment --comment "!fw3" -j zone_GE3_src_REJECT
  928. [176:8408] -A zone_GE3_output -m comment --comment "!fw3: Custom GE3 output rule chain" -j output_GE3_rule
  929. [176:8408] -A zone_GE3_output -m comment --comment "!fw3" -j zone_GE3_dest_ACCEPT
  930. [12:672] -A zone_GE3_src_REJECT -i eth2 -m comment --comment "!fw3" -j reject
  931. [0:0] -A zone_GE4_dest_ACCEPT -o eth3 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
  932. [0:0] -A zone_GE4_dest_ACCEPT -o eth3 -m comment --comment "!fw3" -j ACCEPT
  933. [0:0] -A zone_GE4_dest_REJECT -o eth3 -m comment --comment "!fw3" -j reject
  934. [0:0] -A zone_GE4_forward -m comment --comment "!fw3: Custom GE4 forwarding rule chain" -j forwarding_GE4_rule
  935. [0:0] -A zone_GE4_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  936. [0:0] -A zone_GE4_forward -m comment --comment "!fw3" -j zone_GE4_dest_REJECT
  937. [0:0] -A zone_GE4_input -m comment --comment "!fw3: Custom GE4 input rule chain" -j input_GE4_rule
  938. [0:0] -A zone_GE4_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
  939. [0:0] -A zone_GE4_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
  940. [0:0] -A zone_GE4_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  941. [0:0] -A zone_GE4_input -m comment --comment "!fw3" -j zone_GE4_src_REJECT
  942. [0:0] -A zone_GE4_output -m comment --comment "!fw3: Custom GE4 output rule chain" -j output_GE4_rule
  943. [0:0] -A zone_GE4_output -m comment --comment "!fw3" -j zone_GE4_dest_ACCEPT
  944. [0:0] -A zone_GE4_src_REJECT -i eth3 -m comment --comment "!fw3" -j reject
  945. [0:0] -A zone_GE5_dest_ACCEPT -o eth4 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
  946. [1:328] -A zone_GE5_dest_ACCEPT -o eth4 -m comment --comment "!fw3" -j ACCEPT
  947. [0:0] -A zone_GE5_dest_REJECT -o eth4 -m comment --comment "!fw3" -j reject
  948. [0:0] -A zone_GE5_forward -m comment --comment "!fw3: Custom GE5 forwarding rule chain" -j forwarding_GE5_rule
  949. [0:0] -A zone_GE5_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  950. [0:0] -A zone_GE5_forward -m comment --comment "!fw3" -j zone_GE5_dest_REJECT
  951. [10:520] -A zone_GE5_input -m comment --comment "!fw3: Custom GE5 input rule chain" -j input_GE5_rule
  952. [0:0] -A zone_GE5_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
  953. [0:0] -A zone_GE5_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
  954. [0:0] -A zone_GE5_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  955. [10:520] -A zone_GE5_input -m comment --comment "!fw3" -j zone_GE5_src_REJECT
  956. [1:328] -A zone_GE5_output -m comment --comment "!fw3: Custom GE5 output rule chain" -j output_GE5_rule
  957. [1:328] -A zone_GE5_output -m comment --comment "!fw3" -j zone_GE5_dest_ACCEPT
  958. [10:520] -A zone_GE5_src_REJECT -i eth4 -m comment --comment "!fw3" -j reject
  959. [0:0] -A zone_GE6_dest_ACCEPT -o eth5 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
  960. [0:0] -A zone_GE6_dest_ACCEPT -o eth5 -m comment --comment "!fw3" -j ACCEPT
  961. [0:0] -A zone_GE6_dest_REJECT -o eth5 -m comment --comment "!fw3" -j reject
  962. [0:0] -A zone_GE6_forward -m comment --comment "!fw3: Custom GE6 forwarding rule chain" -j forwarding_GE6_rule
  963. [0:0] -A zone_GE6_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  964. [0:0] -A zone_GE6_forward -m comment --comment "!fw3" -j zone_GE6_dest_REJECT
  965. [0:0] -A zone_GE6_input -m comment --comment "!fw3: Custom GE6 input rule chain" -j input_GE6_rule
  966. [0:0] -A zone_GE6_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
  967. [0:0] -A zone_GE6_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
  968. [0:0] -A zone_GE6_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  969. [0:0] -A zone_GE6_input -m comment --comment "!fw3" -j zone_GE6_src_REJECT
  970. [0:0] -A zone_GE6_output -m comment --comment "!fw3: Custom GE6 output rule chain" -j output_GE6_rule
  971. [0:0] -A zone_GE6_output -m comment --comment "!fw3" -j zone_GE6_dest_ACCEPT
  972. [0:0] -A zone_GE6_src_REJECT -i eth5 -m comment --comment "!fw3" -j reject
  973. [0:0] -A zone_GE7_dest_ACCEPT -o eth6 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
  974. [0:0] -A zone_GE7_dest_ACCEPT -o eth6 -m comment --comment "!fw3" -j ACCEPT
  975. [0:0] -A zone_GE7_dest_REJECT -o eth6 -m comment --comment "!fw3" -j reject
  976. [0:0] -A zone_GE7_forward -m comment --comment "!fw3: Custom GE7 forwarding rule chain" -j forwarding_GE7_rule
  977. [0:0] -A zone_GE7_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  978. [0:0] -A zone_GE7_forward -m comment --comment "!fw3" -j zone_GE7_dest_REJECT
  979. [0:0] -A zone_GE7_input -m comment --comment "!fw3: Custom GE7 input rule chain" -j input_GE7_rule
  980. [0:0] -A zone_GE7_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
  981. [0:0] -A zone_GE7_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
  982. [0:0] -A zone_GE7_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  983. [0:0] -A zone_GE7_input -m comment --comment "!fw3" -j zone_GE7_src_REJECT
  984. [0:0] -A zone_GE7_output -m comment --comment "!fw3: Custom GE7 output rule chain" -j output_GE7_rule
  985. [0:0] -A zone_GE7_output -m comment --comment "!fw3" -j zone_GE7_dest_ACCEPT
  986. [0:0] -A zone_GE7_src_REJECT -i eth6 -m comment --comment "!fw3" -j reject
  987. [0:0] -A zone_GE8_dest_ACCEPT -o eth7 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
  988. [0:0] -A zone_GE8_dest_ACCEPT -o eth7 -m comment --comment "!fw3" -j ACCEPT
  989. [0:0] -A zone_GE8_dest_REJECT -o eth7 -m comment --comment "!fw3" -j reject
  990. [0:0] -A zone_GE8_forward -m comment --comment "!fw3: Custom GE8 forwarding rule chain" -j forwarding_GE8_rule
  991. [0:0] -A zone_GE8_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  992. [0:0] -A zone_GE8_forward -m comment --comment "!fw3" -j zone_GE8_dest_REJECT
  993. [0:0] -A zone_GE8_input -m comment --comment "!fw3: Custom GE8 input rule chain" -j input_GE8_rule
  994. [0:0] -A zone_GE8_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
  995. [0:0] -A zone_GE8_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
  996. [0:0] -A zone_GE8_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  997. [0:0] -A zone_GE8_input -m comment --comment "!fw3" -j zone_GE8_src_REJECT
  998. [0:0] -A zone_GE8_output -m comment --comment "!fw3: Custom GE8 output rule chain" -j output_GE8_rule
  999. [0:0] -A zone_GE8_output -m comment --comment "!fw3" -j zone_GE8_dest_ACCEPT
  1000. [0:0] -A zone_GE8_src_REJECT -i eth7 -m comment --comment "!fw3" -j reject
  1001. [0:0] -A zone_network100_dest_ACCEPT -o br-network100 -m comment --comment "!fw3" -j ACCEPT
  1002. [0:0] -A zone_network100_dest_REJECT -o br-network100 -m comment --comment "!fw3" -j reject
  1003. [0:0] -A zone_network100_forward -m comment --comment "!fw3: Zone network100 to GE3 forwarding policy" -j zone_GE3_dest_ACCEPT
  1004. [0:0] -A zone_network100_forward -m comment --comment "!fw3: Zone network100 to GE4 forwarding policy" -j zone_GE4_dest_ACCEPT
  1005. [0:0] -A zone_network100_forward -m comment --comment "!fw3: Zone network100 to GE5 forwarding policy" -j zone_GE5_dest_ACCEPT
  1006. [0:0] -A zone_network100_forward -m comment --comment "!fw3: Zone network100 to GE6 forwarding policy" -j zone_GE6_dest_ACCEPT
  1007. [0:0] -A zone_network100_forward -m comment --comment "!fw3: Zone network100 to GE7 forwarding policy" -j zone_GE7_dest_ACCEPT
  1008. [0:0] -A zone_network100_forward -m comment --comment "!fw3: Zone network100 to GE8 forwarding policy" -j zone_GE8_dest_ACCEPT
  1009. [0:0] -A zone_network100_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  1010. [0:0] -A zone_network100_forward -m comment --comment "!fw3" -j zone_network100_dest_REJECT
  1011. [0:0] -A zone_network100_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: @rule[15]" -j ACCEPT
  1012. [0:0] -A zone_network100_input -p udp -m udp --dport 53 -m comment --comment "!fw3: @rule[15]" -j ACCEPT
  1013. [0:0] -A zone_network100_input -p udp -m udp --sport 67:68 --dport 67:68 -m comment --comment "!fw3: @rule[16]" -j ACCEPT
  1014. [0:0] -A zone_network100_input -p tcp -m tcp --dport 2607 -m comment --comment "!fw3: @rule[17]" -j reject
  1015. [0:0] -A zone_network100_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  1016. [0:0] -A zone_network100_input -m comment --comment "!fw3" -j zone_network100_src_ACCEPT
  1017. [0:0] -A zone_network100_output -m comment --comment "!fw3" -j zone_network100_dest_ACCEPT
  1018. [0:0] -A zone_network100_src_ACCEPT -i br-network100 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
  1019. [0:0] -A zone_network101_dest_ACCEPT -o br-network101 -m comment --comment "!fw3" -j ACCEPT
  1020. [0:0] -A zone_network101_dest_REJECT -o br-network101 -m comment --comment "!fw3" -j reject
  1021. [0:0] -A zone_network101_forward -m comment --comment "!fw3: Zone network101 to GE3 forwarding policy" -j zone_GE3_dest_ACCEPT
  1022. [0:0] -A zone_network101_forward -m comment --comment "!fw3: Zone network101 to GE4 forwarding policy" -j zone_GE4_dest_ACCEPT
  1023. [0:0] -A zone_network101_forward -m comment --comment "!fw3: Zone network101 to GE5 forwarding policy" -j zone_GE5_dest_ACCEPT
  1024. [0:0] -A zone_network101_forward -m comment --comment "!fw3: Zone network101 to GE6 forwarding policy" -j zone_GE6_dest_ACCEPT
  1025. [0:0] -A zone_network101_forward -m comment --comment "!fw3: Zone network101 to GE7 forwarding policy" -j zone_GE7_dest_ACCEPT
  1026. [0:0] -A zone_network101_forward -m comment --comment "!fw3: Zone network101 to GE8 forwarding policy" -j zone_GE8_dest_ACCEPT
  1027. [0:0] -A zone_network101_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  1028. [0:0] -A zone_network101_forward -m comment --comment "!fw3" -j zone_network101_dest_REJECT
  1029. [0:0] -A zone_network101_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: @rule[18]" -j ACCEPT
  1030. [0:0] -A zone_network101_input -p udp -m udp --dport 53 -m comment --comment "!fw3: @rule[18]" -j ACCEPT
  1031. [0:0] -A zone_network101_input -p udp -m udp --sport 67:68 --dport 67:68 -m comment --comment "!fw3: @rule[19]" -j ACCEPT
  1032. [0:0] -A zone_network101_input -p tcp -m tcp --dport 2607 -m comment --comment "!fw3: @rule[20]" -j reject
  1033. [0:0] -A zone_network101_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  1034. [0:0] -A zone_network101_input -m comment --comment "!fw3" -j zone_network101_src_ACCEPT
  1035. [0:0] -A zone_network101_output -m comment --comment "!fw3" -j zone_network101_dest_ACCEPT
  1036. [0:0] -A zone_network101_src_ACCEPT -i br-network101 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
  1037. [0:0] -A zone_network1_dest_ACCEPT -o br-network1 -m comment --comment "!fw3" -j ACCEPT
  1038. [0:0] -A zone_network1_dest_REJECT -o br-network1 -m comment --comment "!fw3" -j reject
  1039. [0:0] -A zone_network1_forward -m comment --comment "!fw3: Custom network1 forwarding rule chain" -j forwarding_network1_rule
  1040. [0:0] -A zone_network1_forward -m comment --comment "!fw3: Zone network1 to GE3 forwarding policy" -j zone_GE3_dest_ACCEPT
  1041. [0:0] -A zone_network1_forward -m comment --comment "!fw3: Zone network1 to GE4 forwarding policy" -j zone_GE4_dest_ACCEPT
  1042. [0:0] -A zone_network1_forward -m comment --comment "!fw3: Zone network1 to GE5 forwarding policy" -j zone_GE5_dest_ACCEPT
  1043. [0:0] -A zone_network1_forward -m comment --comment "!fw3: Zone network1 to GE6 forwarding policy" -j zone_GE6_dest_ACCEPT
  1044. [0:0] -A zone_network1_forward -m comment --comment "!fw3: Zone network1 to GE7 forwarding policy" -j zone_GE7_dest_ACCEPT
  1045. [0:0] -A zone_network1_forward -m comment --comment "!fw3: Zone network1 to GE8 forwarding policy" -j zone_GE8_dest_ACCEPT
  1046. [0:0] -A zone_network1_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  1047. [0:0] -A zone_network1_forward -m comment --comment "!fw3" -j zone_network1_dest_REJECT
  1048. [0:0] -A zone_network1_input -m comment --comment "!fw3: Custom network1 input rule chain" -j input_network1_rule
  1049. [0:0] -A zone_network1_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: @rule[12]" -j ACCEPT
  1050. [0:0] -A zone_network1_input -p udp -m udp --dport 53 -m comment --comment "!fw3: @rule[12]" -j ACCEPT
  1051. [0:0] -A zone_network1_input -p udp -m udp --sport 67:68 --dport 67:68 -m comment --comment "!fw3: @rule[13]" -j ACCEPT
  1052. [0:0] -A zone_network1_input -p tcp -m tcp --dport 2607 -m comment --comment "!fw3: @rule[14]" -j reject
  1053. [0:0] -A zone_network1_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  1054. [0:0] -A zone_network1_input -m comment --comment "!fw3" -j zone_network1_src_ACCEPT
  1055. [0:0] -A zone_network1_output -m comment --comment "!fw3: Custom network1 output rule chain" -j output_network1_rule
  1056. [0:0] -A zone_network1_output -m comment --comment "!fw3" -j zone_network1_dest_ACCEPT
  1057. [0:0] -A zone_network1_src_ACCEPT -i br-network1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
  1058. COMMIT
  1059. # Completed on Wed Aug 26 15:56:11 2020
  1060. # Generated by iptables-save v1.4.21 on Wed Aug 26 15:56:11 2020
  1061. *nat
  1062. :PREROUTING ACCEPT [16035:1748821]
  1063. :INPUT ACCEPT [10:8152]
  1064. :OUTPUT ACCEPT [594:38244]
  1065. :POSTROUTING ACCEPT [586:37580]
  1066. :VCMP_DNAT_ACL - [0:0]
  1067. :VCMP_SNAT_ACL - [0:0]
  1068. :postrouting_GE3_rule - [0:0]
  1069. :postrouting_GE4_rule - [0:0]
  1070. :postrouting_GE5_rule - [0:0]
  1071. :postrouting_GE6_rule - [0:0]
  1072. :postrouting_GE7_rule - [0:0]
  1073. :postrouting_GE8_rule - [0:0]
  1074. :postrouting_network0_rule - [0:0]
  1075. :postrouting_network1_rule - [0:0]
  1076. :postrouting_rule - [0:0]
  1077. :prerouting_GE3_rule - [0:0]
  1078. :prerouting_GE4_rule - [0:0]
  1079. :prerouting_GE5_rule - [0:0]
  1080. :prerouting_GE6_rule - [0:0]
  1081. :prerouting_GE7_rule - [0:0]
  1082. :prerouting_GE8_rule - [0:0]
  1083. :prerouting_network0_rule - [0:0]
  1084. :prerouting_network1_rule - [0:0]
  1085. :prerouting_rule - [0:0]
  1086. :zone_GE3_postrouting - [0:0]
  1087. :zone_GE3_prerouting - [0:0]
  1088. :zone_GE4_postrouting - [0:0]
  1089. :zone_GE4_prerouting - [0:0]
  1090. :zone_GE5_postrouting - [0:0]
  1091. :zone_GE5_prerouting - [0:0]
  1092. :zone_GE6_postrouting - [0:0]
  1093. :zone_GE6_prerouting - [0:0]
  1094. :zone_GE7_postrouting - [0:0]
  1095. :zone_GE7_prerouting - [0:0]
  1096. :zone_GE8_postrouting - [0:0]
  1097. :zone_GE8_prerouting - [0:0]
  1098. :zone_network100_postrouting - [0:0]
  1099. :zone_network100_prerouting - [0:0]
  1100. :zone_network101_postrouting - [0:0]
  1101. :zone_network101_prerouting - [0:0]
  1102. :zone_network1_postrouting - [0:0]
  1103. :zone_network1_prerouting - [0:0]
  1104. [16035:1748821] -A PREROUTING -j VCMP_DNAT_ACL
  1105. [16336:1772700] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
  1106. [5678:374899] -A PREROUTING -i eth2 -m comment --comment "!fw3" -j zone_GE3_prerouting
  1107. [9771:1342556] -A PREROUTING -i eth3 -m comment --comment "!fw3" -j zone_GE4_prerouting
  1108. [776:41278] -A PREROUTING -i eth4 -m comment --comment "!fw3" -j zone_GE5_prerouting
  1109. [0:0] -A PREROUTING -i eth5 -m comment --comment "!fw3" -j zone_GE6_prerouting
  1110. [0:0] -A PREROUTING -i eth6 -m comment --comment "!fw3" -j zone_GE7_prerouting
  1111. [0:0] -A PREROUTING -i eth7 -m comment --comment "!fw3" -j zone_GE8_prerouting
  1112. [2:128] -A PREROUTING -i br-network1 -m comment --comment "!fw3" -j zone_network1_prerouting
  1113. [0:0] -A PREROUTING -i br-network100 -m comment --comment "!fw3" -j zone_network100_prerouting
  1114. [0:0] -A PREROUTING -i br-network101 -m comment --comment "!fw3" -j zone_network101_prerouting
  1115. [594:38244] -A POSTROUTING -j VCMP_SNAT_ACL
  1116. [779:51237] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
  1117. [8:384] -A POSTROUTING -o eth2 -m comment --comment "!fw3" -j zone_GE3_postrouting
  1118. [0:0] -A POSTROUTING -o eth3 -m comment --comment "!fw3" -j zone_GE4_postrouting
  1119. [1:328] -A POSTROUTING -o eth4 -m comment --comment "!fw3" -j zone_GE5_postrouting
  1120. [0:0] -A POSTROUTING -o eth5 -m comment --comment "!fw3" -j zone_GE6_postrouting
  1121. [0:0] -A POSTROUTING -o eth6 -m comment --comment "!fw3" -j zone_GE7_postrouting
  1122. [0:0] -A POSTROUTING -o eth7 -m comment --comment "!fw3" -j zone_GE8_postrouting
  1123. [0:0] -A POSTROUTING -o br-network1 -m comment --comment "!fw3" -j zone_network1_postrouting
  1124. [0:0] -A POSTROUTING -o br-network100 -m comment --comment "!fw3" -j zone_network100_postrouting
  1125. [0:0] -A POSTROUTING -o br-network101 -m comment --comment "!fw3" -j zone_network101_postrouting
  1126. [8:384] -A zone_GE3_postrouting -m comment --comment "!fw3: Custom GE3 postrouting rule chain" -j postrouting_GE3_rule
  1127. [8:384] -A zone_GE3_postrouting -m comment --comment "!fw3" -j MASQUERADE
  1128. [5678:374899] -A zone_GE3_prerouting -m comment --comment "!fw3: Custom GE3 prerouting rule chain" -j prerouting_GE3_rule
  1129. [0:0] -A zone_GE4_postrouting -m comment --comment "!fw3: Custom GE4 postrouting rule chain" -j postrouting_GE4_rule
  1130. [0:0] -A zone_GE4_postrouting -m comment --comment "!fw3" -j MASQUERADE
  1131. [9771:1342556] -A zone_GE4_prerouting -m comment --comment "!fw3: Custom GE4 prerouting rule chain" -j prerouting_GE4_rule
  1132. [1:328] -A zone_GE5_postrouting -m comment --comment "!fw3: Custom GE5 postrouting rule chain" -j postrouting_GE5_rule
  1133. [1:328] -A zone_GE5_postrouting -m comment --comment "!fw3" -j MASQUERADE
  1134. [776:41278] -A zone_GE5_prerouting -m comment --comment "!fw3: Custom GE5 prerouting rule chain" -j prerouting_GE5_rule
  1135. [0:0] -A zone_GE6_postrouting -m comment --comment "!fw3: Custom GE6 postrouting rule chain" -j postrouting_GE6_rule
  1136. [0:0] -A zone_GE6_postrouting -m comment --comment "!fw3" -j MASQUERADE
  1137. [0:0] -A zone_GE6_prerouting -m comment --comment "!fw3: Custom GE6 prerouting rule chain" -j prerouting_GE6_rule
  1138. [0:0] -A zone_GE7_postrouting -m comment --comment "!fw3: Custom GE7 postrouting rule chain" -j postrouting_GE7_rule
  1139. [0:0] -A zone_GE7_postrouting -m comment --comment "!fw3" -j MASQUERADE
  1140. [0:0] -A zone_GE7_prerouting -m comment --comment "!fw3: Custom GE7 prerouting rule chain" -j prerouting_GE7_rule
  1141. [0:0] -A zone_GE8_postrouting -m comment --comment "!fw3: Custom GE8 postrouting rule chain" -j postrouting_GE8_rule
  1142. [0:0] -A zone_GE8_postrouting -m comment --comment "!fw3" -j MASQUERADE
  1143. [0:0] -A zone_GE8_prerouting -m comment --comment "!fw3: Custom GE8 prerouting rule chain" -j prerouting_GE8_rule
  1144. [0:0] -A zone_network1_postrouting -m comment --comment "!fw3: Custom network1 postrouting rule chain" -j postrouting_network1_rule
  1145. [2:128] -A zone_network1_prerouting -m comment --comment "!fw3: Custom network1 prerouting rule chain" -j prerouting_network1_rule
  1146. COMMIT
  1147. # Completed on Wed Aug 26 15:56:11 2020
  1148. 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
  1149. inet 127.0.0.1/8 scope host lo
  1150. valid_lft forever preferred_lft forever
  1151. 24: br-management: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
  1152. inet 10.0.2.2/32 brd 255.255.255.255 scope global br-management
  1153. valid_lft forever preferred_lft forever
  1154. 25: br-network1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
  1155. inet 10.0.2.1/24 brd 10.0.2.255 scope global br-network1
  1156. valid_lft forever preferred_lft forever
  1157. 26: br-network100: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
  1158. inet 10.100.2.1/24 brd 10.100.2.255 scope global br-network100
  1159. valid_lft forever preferred_lft forever
  1160. 28: br-network101: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
  1161. inet 10.101.2.1/24 brd 10.101.2.255 scope global br-network101
  1162. valid_lft forever preferred_lft forever
  1163. 30: br-segmgmt: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
  1164. inet 169.254.3.1/32 brd 255.255.255.255 scope global br-segmgmt
  1165. valid_lft forever preferred_lft forever
  1166. inet 169.254.3.2/32 brd 255.255.255.255 scope global br-segmgmt
  1167. valid_lft forever preferred_lft forever
  1168. inet 169.254.3.3/32 brd 255.255.255.255 scope global br-segmgmt
  1169. valid_lft forever preferred_lft forever
  1170. 31: eth4.100@eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
  1171. inet 172.17.2.2/29 brd 172.17.2.7 scope global eth4.100
  1172. valid_lft forever preferred_lft forever
  1173. 32: eth4.101@eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
  1174. inet 172.18.2.2/29 brd 172.18.2.7 scope global eth4.101
  1175. valid_lft forever preferred_lft forever
  1176. 33: vce1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 4096
  1177. inet 169.254.129.3 peer 169.254.129.1/32 scope global vce1
  1178. valid_lft forever preferred_lft forever
  1179. 95: eth4@if96: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 10000 link-netnsid 0
  1180. inet 172.16.2.2/24 brd 172.16.2.255 scope global eth4
  1181. valid_lft forever preferred_lft forever
  1182. 203: eth2@if204: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 10000 link-netnsid 0
  1183. inet 169.254.6.45/29 brd 169.254.6.47 scope global eth2
  1184. valid_lft forever preferred_lft forever
  1185. 209: eth3@if210: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 10000 link-netnsid 0
  1186. inet 169.254.7.2/29 brd 169.254.7.7 scope global eth3
  1187. valid_lft forever preferred_lft forever
  1188. default dev vce1 table 200 scope link
  1189. default dev br-network1 table 211 scope link
  1190. default dev br-network100 table 212 scope link
  1191. default dev br-network101 table 213 scope link
  1192. default via 172.16.2.3 dev eth4 table 214
  1193. default via 169.254.6.41 dev eth2 table 215
  1194. default via 169.254.7.1 dev eth3 table 216
  1195. default via 172.17.2.3 dev eth4.100 table 217
  1196. 172.17.2.0/29 dev eth4.100 table 217 scope link
  1197. default via 172.18.2.3 dev eth4.101 table 218
  1198. 172.18.2.0/29 dev eth4.101 table 218 scope link
  1199. default via 169.254.6.41 dev eth2 proto static metric 5
  1200. default via 169.254.7.1 dev eth3 proto static metric 6
  1201. default via 172.16.2.3 dev eth4 proto static src 172.16.2.2 metric 7
  1202. 10.0.2.0/24 dev br-network1 proto kernel scope link src 10.0.2.1
  1203. 10.100.2.0/24 dev br-network100 proto kernel scope link src 10.100.2.1
  1204. 10.101.2.0/24 dev br-network101 proto kernel scope link src 10.101.2.1
  1205. 169.254.6.40/29 dev eth2 proto kernel scope link src 169.254.6.45
  1206. 169.254.7.0/29 dev eth3 proto kernel scope link src 169.254.7.2
  1207. 169.254.129.1 dev vce1 proto kernel scope link src 169.254.129.3
  1208. 172.16.2.0/24 dev eth4 proto static scope link metric 7
  1209. 172.16.2.3 dev eth4 proto static scope link src 172.16.2.2 metric 7
  1210. 172.17.2.0/29 dev eth4.100 proto kernel scope link src 172.17.2.2
  1211. 172.18.2.0/29 dev eth4.101 proto kernel scope link src 172.18.2.2
  1212. broadcast 10.0.2.0 dev br-network1 table local proto kernel scope link src 10.0.2.1
  1213. local 10.0.2.1 dev br-network1 table local proto kernel scope host src 10.0.2.1
  1214. local 10.0.2.2 dev br-management table local proto kernel scope host src 10.0.2.2
  1215. broadcast 10.0.2.255 dev br-network1 table local proto kernel scope link src 10.0.2.1
  1216. broadcast 10.100.2.0 dev br-network100 table local proto kernel scope link src 10.100.2.1
  1217. local 10.100.2.1 dev br-network100 table local proto kernel scope host src 10.100.2.1
  1218. broadcast 10.100.2.255 dev br-network100 table local proto kernel scope link src 10.100.2.1
  1219. broadcast 10.101.2.0 dev br-network101 table local proto kernel scope link src 10.101.2.1
  1220. local 10.101.2.1 dev br-network101 table local proto kernel scope host src 10.101.2.1
  1221. broadcast 10.101.2.255 dev br-network101 table local proto kernel scope link src 10.101.2.1
  1222. broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
  1223. local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
  1224. local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
  1225. broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
  1226. local 169.254.3.1 dev br-segmgmt table local proto kernel scope host src 169.254.3.1
  1227. local 169.254.3.2 dev br-segmgmt table local proto kernel scope host src 169.254.3.2
  1228. local 169.254.3.3 dev br-segmgmt table local proto kernel scope host src 169.254.3.3
  1229. broadcast 169.254.6.40 dev eth2 table local proto kernel scope link src 169.254.6.45
  1230. local 169.254.6.45 dev eth2 table local proto kernel scope host src 169.254.6.45
  1231. broadcast 169.254.6.47 dev eth2 table local proto kernel scope link src 169.254.6.45
  1232. broadcast 169.254.7.0 dev eth3 table local proto kernel scope link src 169.254.7.2
  1233. local 169.254.7.2 dev eth3 table local proto kernel scope host src 169.254.7.2
  1234. broadcast 169.254.7.7 dev eth3 table local proto kernel scope link src 169.254.7.2
  1235. local 169.254.129.3 dev vce1 table local proto kernel scope host src 169.254.129.3
  1236. broadcast 172.16.2.0 dev eth4 table local proto kernel scope link src 172.16.2.2
  1237. local 172.16.2.2 dev eth4 table local proto kernel scope host src 172.16.2.2
  1238. broadcast 172.16.2.255 dev eth4 table local proto kernel scope link src 172.16.2.2
  1239. broadcast 172.17.2.0 dev eth4.100 table local proto kernel scope link src 172.17.2.2
  1240. local 172.17.2.2 dev eth4.100 table local proto kernel scope host src 172.17.2.2
  1241. broadcast 172.17.2.7 dev eth4.100 table local proto kernel scope link src 172.17.2.2
  1242. broadcast 172.18.2.0 dev eth4.101 table local proto kernel scope link src 172.18.2.2
  1243. local 172.18.2.2 dev eth4.101 table local proto kernel scope host src 172.18.2.2
  1244. broadcast 172.18.2.7 dev eth4.101 table local proto kernel scope link src 172.18.2.2
  1245. 0: from all lookup local
  1246. 32756: from all fwmark 0xc8 lookup 200
  1247. 32757: from all fwmark 0xd5 lookup 213
  1248. 32758: from all fwmark 0xd4 lookup 212
  1249. 32759: from all fwmark 0xd3 lookup 211
  1250. 32761: from all fwmark 0xd8 lookup 216
  1251. 32762: from all fwmark 0xd7 lookup 215
  1252. 32763: from all fwmark 0xda lookup 218
  1253. 32764: from all fwmark 0xd9 lookup 217
  1254. 32765: from all fwmark 0xd6 lookup 214
  1255. 32766: from all lookup main
  1256. 32767: from all lookup default
  1257. edge:b2-edge1:~#
  1258.  
  1259.  
Advertisement
RAW Paste Data Copied
Advertisement