  1. root@mon02:~# pve-firewall compile
  2. ipset cmdlist:
  3. exists PVEFW-0-management-v4 (IhYp62jU7XtKvLTE7SZci/oDVPk)
  4. create PVEFW-0-management-v4 hash:net family inet hashsize 64 maxelem 64 bucketsize 12
  5. add PVEFW-0-management-v4 192.168.10.0/24
  6. add PVEFW-0-management-v4 192.168.10.13
  7. add PVEFW-0-management-v4 192.168.10.14
  8. add PVEFW-0-management-v4 192.168.10.15
  9. add PVEFW-0-management-v4 192.168.10.8
  10. exists PVEFW-0-management-v6 (6g+lzHFoCegXcweHRfBY4vRsbOc)
  11. create PVEFW-0-management-v6 hash:net family inet6 hashsize 64 maxelem 64 bucketsize 12
  12.  
  13. iptables cmdlist:
  14. exists PVEFW-Drop (83WlR/a4wLbmURFqMQT3uJSgIG8)
  15. -A PVEFW-Drop -j PVEFW-DropBroadcast
  16. -A PVEFW-Drop -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
  17. -A PVEFW-Drop -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
  18. -A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
  19. -A PVEFW-Drop -p udp --match multiport --dports 135,445 -j DROP
  20. -A PVEFW-Drop -p udp --dport 137:139 -j DROP
  21. -A PVEFW-Drop -p udp --sport 137 --dport 1024:65535 -j DROP
  22. -A PVEFW-Drop -p tcp --match multiport --dports 135,139,445 -j DROP
  23. -A PVEFW-Drop -p udp --dport 1900 -j DROP
  24. -A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
  25. -A PVEFW-Drop -p udp --sport 53 -j DROP
  26. exists PVEFW-DropBroadcast (NyjHNAtFbkH7WGLamPpdVnxHy4w)
  27. -A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
  28. -A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
  29. -A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
  30. -A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
  31. exists PVEFW-FORWARD (qnNexOcGa+y+jebd4dAUqFSp5nw)
  32. -A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
  33. -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  34. -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN
  35. -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT
  36. exists PVEFW-FWBR-IN (Ijl7/xz0DD7LF91MlLCz0ybZBE0)
  37. -A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
  38. exists PVEFW-FWBR-OUT (2jmj7l5rSw0yVb/vlWAYkK/YBwk)
  39. exists PVEFW-HOST-IN (ezgtFmiN1hX8rDNGlqtbBtqScxM)
  40. -A PVEFW-HOST-IN -i lo -j ACCEPT
  41. -A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
  42. -A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  43. -A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
  44. -A PVEFW-HOST-IN -p igmp -j RETURN
  45. -A PVEFW-HOST-IN -i vmbr10 -s 192.168.10.0/24 -d 192.168.10.0/24 -p tcp --dport 3551 -j RETURN
  46. -A PVEFW-HOST-IN -s 192.168.70.0/24 -d 192.168.70.0/24 -p tcp --dport 6800:7300 -j RETURN
  47. -A PVEFW-HOST-IN -d 192.168.80.128/25 -p udp --dport 5405:5406 -j RETURN
  48. -A PVEFW-HOST-IN -d 192.168.80.0/25 -p udp --dport 5405:5406 -j RETURN
  49. -A PVEFW-HOST-IN -d 192.168.10.0/24 -p tcp --dport 6789 -j RETURN
  50. -A PVEFW-HOST-IN -d 192.168.10.0/24 -p tcp --dport 3300 -j RETURN
  51. -A PVEFW-HOST-IN -d 192.168.10.0/24 -p tcp --dport 6800:7300 -j RETURN
  52. -A PVEFW-HOST-IN -d 192.168.70.0/24 -p tcp --dport 8006 -j PVEFW-reject
  53. -A PVEFW-HOST-IN -d 192.168.80.128/25 -p tcp --dport 8006 -j PVEFW-reject
  54. -A PVEFW-HOST-IN -d 192.168.80.0/25 -p tcp --dport 8006 -j PVEFW-reject
  55. -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 8006 -j RETURN
  56. -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 5900:5999 -j RETURN
  57. -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 3128 -j RETURN
  58. -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 22 -j RETURN
  59. -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 60000:60050 -j RETURN
  60. -A PVEFW-HOST-IN -d 192.168.80.112 -s 192.168.80.111 -p udp --dport 5404:5405 -j RETURN
  61. -A PVEFW-HOST-IN -d 192.168.80.212 -s 192.168.80.211 -p udp --dport 5404:5405 -j RETURN
  62. -A PVEFW-HOST-IN -d 192.168.80.112 -s 192.168.80.113 -p udp --dport 5404:5405 -j RETURN
  63. -A PVEFW-HOST-IN -d 192.168.80.212 -s 192.168.80.213 -p udp --dport 5404:5405 -j RETURN
  64. -A PVEFW-HOST-IN -d 192.168.80.112 -s 192.168.80.101 -p udp --dport 5404:5405 -j RETURN
  65. -A PVEFW-HOST-IN -d 192.168.80.212 -s 192.168.80.201 -p udp --dport 5404:5405 -j RETURN
  66. -A PVEFW-HOST-IN -d 192.168.80.112 -s 192.168.80.102 -p udp --dport 5404:5405 -j RETURN
  67. -A PVEFW-HOST-IN -d 192.168.80.212 -s 192.168.80.202 -p udp --dport 5404:5405 -j RETURN
  68. -A PVEFW-HOST-IN -d 192.168.80.112 -s 192.168.80.103 -p udp --dport 5404:5405 -j RETURN
  69. -A PVEFW-HOST-IN -d 192.168.80.212 -s 192.168.80.203 -p udp --dport 5404:5405 -j RETURN
  70. -A PVEFW-HOST-IN -j PVEFW-Drop
  71. -A PVEFW-HOST-IN -j DROP
  72. exists PVEFW-HOST-OUT (YAYn8j1iTEcJy69ORHbJBP454RY)
  73. -A PVEFW-HOST-OUT -o lo -j ACCEPT
  74. -A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
  75. -A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  76. -A PVEFW-HOST-OUT -p igmp -j RETURN
  77. -A PVEFW-HOST-OUT -d 192.168.10.0/24 -p tcp --dport 8006 -j RETURN
  78. -A PVEFW-HOST-OUT -d 192.168.10.0/24 -p tcp --dport 22 -j RETURN
  79. -A PVEFW-HOST-OUT -d 192.168.10.0/24 -p tcp --dport 5900:5999 -j RETURN
  80. -A PVEFW-HOST-OUT -d 192.168.10.0/24 -p tcp --dport 3128 -j RETURN
  81. -A PVEFW-HOST-OUT -s 192.168.80.112 -d 192.168.80.111 -p udp --dport 5404:5405 -j RETURN
  82. -A PVEFW-HOST-OUT -s 192.168.80.212 -d 192.168.80.211 -p udp --dport 5404:5405 -j RETURN
  83. -A PVEFW-HOST-OUT -s 192.168.80.112 -d 192.168.80.113 -p udp --dport 5404:5405 -j RETURN
  84. -A PVEFW-HOST-OUT -s 192.168.80.212 -d 192.168.80.213 -p udp --dport 5404:5405 -j RETURN
  85. -A PVEFW-HOST-OUT -s 192.168.80.112 -d 192.168.80.101 -p udp --dport 5404:5405 -j RETURN
  86. -A PVEFW-HOST-OUT -s 192.168.80.212 -d 192.168.80.201 -p udp --dport 5404:5405 -j RETURN
  87. -A PVEFW-HOST-OUT -s 192.168.80.112 -d 192.168.80.102 -p udp --dport 5404:5405 -j RETURN
  88. -A PVEFW-HOST-OUT -s 192.168.80.212 -d 192.168.80.202 -p udp --dport 5404:5405 -j RETURN
  89. -A PVEFW-HOST-OUT -s 192.168.80.112 -d 192.168.80.103 -p udp --dport 5404:5405 -j RETURN
  90. -A PVEFW-HOST-OUT -s 192.168.80.212 -d 192.168.80.203 -p udp --dport 5404:5405 -j RETURN
  91. -A PVEFW-HOST-OUT -j RETURN
  92. exists PVEFW-INPUT (+5iMmLaxKXynOB/+5xibfx7WhFk)
  93. -A PVEFW-INPUT -j PVEFW-HOST-IN
  94. exists PVEFW-OUTPUT (LjHoZeSSiWAG3+2ZAyL/xuEehd0)
  95. -A PVEFW-OUTPUT -j PVEFW-HOST-OUT
  96. exists PVEFW-Reject (h3DyALVslgH5hutETfixGP08w7c)
  97. -A PVEFW-Reject -j PVEFW-DropBroadcast
  98. -A PVEFW-Reject -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
  99. -A PVEFW-Reject -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
  100. -A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
  101. -A PVEFW-Reject -p udp --match multiport --dports 135,445 -j PVEFW-reject
  102. -A PVEFW-Reject -p udp --dport 137:139 -j PVEFW-reject
  103. -A PVEFW-Reject -p udp --sport 137 --dport 1024:65535 -j PVEFW-reject
  104. -A PVEFW-Reject -p tcp --match multiport --dports 135,139,445 -j PVEFW-reject
  105. -A PVEFW-Reject -p udp --dport 1900 -j DROP
  106. -A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
  107. -A PVEFW-Reject -p udp --sport 53 -j DROP
  108. exists PVEFW-SET-ACCEPT-MARK (Hg/OIgIwJChBUcWU8Xnjhdd2jUY)
  109. -A PVEFW-SET-ACCEPT-MARK -j MARK --set-mark 0x80000000/0x80000000
  110. exists PVEFW-logflags (MN4PH1oPZeABMuWr64RrygPfW7A)
  111. -A PVEFW-logflags -j DROP
  112. exists PVEFW-reject (Jlkrtle1mDdtxDeI9QaDSL++Npc)
  113. -A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
  114. -A PVEFW-reject -s 224.0.0.0/4 -j DROP
  115. -A PVEFW-reject -p icmp -j DROP
  116. -A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
  117. -A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
  118. -A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
  119. -A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
  120. exists PVEFW-smurflog (2gfT1VMkfr0JL6OccRXTGXo+1qk)
  121. -A PVEFW-smurflog -j DROP
  122. exists PVEFW-smurfs (HssVe5QCBXd5mc9kC88749+7fag)
  123. -A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
  124. -A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
  125. -A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
  126. exists PVEFW-tcpflags (CMFojwNPqllyqD67NeI5m+bP5mo)
  127. -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
  128. -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
  129. -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
  130. -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
  131. -A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
  132.  
  133. ip6tables cmdlist:
  134. exists PVEFW-Drop (Jb79Uw7z1vZglIcV7QXA5uY/nbk)
  135. -A PVEFW-Drop -p tcp --dport 43 -j PVEFW-reject
  136. -A PVEFW-Drop -j PVEFW-DropBroadcast
  137. -A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
  138. -A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type time-exceeded -j ACCEPT
  139. -A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type packet-too-big -j ACCEPT
  140. -A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
  141. -A PVEFW-Drop -p udp --match multiport --dports 135,445 -j DROP
  142. -A PVEFW-Drop -p udp --dport 137:139 -j DROP
  143. -A PVEFW-Drop -p udp --sport 137 --dport 1024:65535 -j DROP
  144. -A PVEFW-Drop -p tcp --match multiport --dports 135,139,445 -j DROP
  145. -A PVEFW-Drop -p udp --dport 1900 -j DROP
  146. -A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
  147. -A PVEFW-Drop -p udp --sport 53 -j DROP
  148. exists PVEFW-DropBroadcast (8Krk5Nh8pDZOOc7BQAbM6PlyFSU)
  149. -A PVEFW-DropBroadcast -d ff00::/8 -j DROP
  150. exists PVEFW-FORWARD (qnNexOcGa+y+jebd4dAUqFSp5nw)
  151. -A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
  152. -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  153. -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN
  154. -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT
  155. exists PVEFW-FWBR-IN (2jmj7l5rSw0yVb/vlWAYkK/YBwk)
  156. exists PVEFW-FWBR-OUT (2jmj7l5rSw0yVb/vlWAYkK/YBwk)
  157. exists PVEFW-HOST-IN (t+/LTT8OHyoSgF5i9Hox+PZEud4)
  158. -A PVEFW-HOST-IN -i lo -j ACCEPT
  159. -A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
  160. -A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  161. -A PVEFW-HOST-IN -p icmpv6 --icmpv6-type router-solicitation -j RETURN
  162. -A PVEFW-HOST-IN -p icmpv6 --icmpv6-type router-advertisement -j RETURN
  163. -A PVEFW-HOST-IN -p icmpv6 --icmpv6-type neighbor-solicitation -j RETURN
  164. -A PVEFW-HOST-IN -p icmpv6 --icmpv6-type neighbor-advertisement -j RETURN
  165. -A PVEFW-HOST-IN -p igmp -j RETURN
  166. -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 8006 -j RETURN
  167. -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 5900:5999 -j RETURN
  168. -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 3128 -j RETURN
  169. -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 22 -j RETURN
  170. -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 60000:60050 -j RETURN
  171. -A PVEFW-HOST-IN -j PVEFW-Drop
  172. -A PVEFW-HOST-IN -j DROP
  173. exists PVEFW-HOST-OUT (br2bPbA9ZjuHOMNhV8tfLRw1mAs)
  174. -A PVEFW-HOST-OUT -o lo -j ACCEPT
  175. -A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
  176. -A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  177. -A PVEFW-HOST-OUT -p icmpv6 --icmpv6-type router-solicitation -j RETURN
  178. -A PVEFW-HOST-OUT -p icmpv6 --icmpv6-type neighbor-solicitation -j RETURN
  179. -A PVEFW-HOST-OUT -p icmpv6 --icmpv6-type neighbor-advertisement -j RETURN
  180. -A PVEFW-HOST-OUT -p igmp -j RETURN
  181. -A PVEFW-HOST-OUT -j RETURN
  182. exists PVEFW-INPUT (+5iMmLaxKXynOB/+5xibfx7WhFk)
  183. -A PVEFW-INPUT -j PVEFW-HOST-IN
  184. exists PVEFW-OUTPUT (LjHoZeSSiWAG3+2ZAyL/xuEehd0)
  185. -A PVEFW-OUTPUT -j PVEFW-HOST-OUT
  186. exists PVEFW-Reject (aL1nrxJk/u3XmTb3Am2eaM/3yCM)
  187. -A PVEFW-Reject -p tcp --dport 43 -j PVEFW-reject
  188. -A PVEFW-Reject -j PVEFW-DropBroadcast
  189. -A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
  190. -A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type time-exceeded -j ACCEPT
  191. -A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type packet-too-big -j ACCEPT
  192. -A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
  193. -A PVEFW-Reject -p udp --match multiport --dports 135,445 -j PVEFW-reject
  194. -A PVEFW-Reject -p udp --dport 137:139 -j PVEFW-reject
  195. -A PVEFW-Reject -p udp --sport 137 --dport 1024:65535 -j PVEFW-reject
  196. -A PVEFW-Reject -p tcp --match multiport --dports 135,139,445 -j PVEFW-reject
  197. -A PVEFW-Reject -p udp --dport 1900 -j DROP
  198. -A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
  199. -A PVEFW-Reject -p udp --sport 53 -j DROP
  200. exists PVEFW-SET-ACCEPT-MARK (Hg/OIgIwJChBUcWU8Xnjhdd2jUY)
  201. -A PVEFW-SET-ACCEPT-MARK -j MARK --set-mark 0x80000000/0x80000000
  202. exists PVEFW-logflags (MN4PH1oPZeABMuWr64RrygPfW7A)
  203. -A PVEFW-logflags -j DROP
  204. exists PVEFW-reject (etEECUYcgUdzuuO+LDP83pu0S8Y)
  205. -A PVEFW-reject -p icmpv6 -j DROP
  206. -A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
  207. -A PVEFW-reject -p udp -j REJECT --reject-with icmp6-port-unreachable
  208. -A PVEFW-reject -j REJECT --reject-with icmp6-adm-prohibited
  209. exists PVEFW-tcpflags (CMFojwNPqllyqD67NeI5m+bP5mo)
  210. -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
  211. -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
  212. -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
  213. -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
  214. -A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
  215.  
  216. ebtables cmdlist:
  217. exists PVEFW-FORWARD (ULtZ6lqjrD/jAKLY+OZo3BbXs9k)
  218. -A PVEFW-FORWARD -p IPv4 -j ACCEPT
  219. -A PVEFW-FORWARD -p IPv6 -j ACCEPT
  220. -A PVEFW-FORWARD -o fwln+ -j PVEFW-FWBR-OUT
  221. exists PVEFW-FWBR-OUT (2jmj7l5rSw0yVb/vlWAYkK/YBwk)
  222. ignore FORWARD (zuQi5YOvmMWiM9zohnQw/qWemOA)
  223. ignore INPUT (2jmj7l5rSw0yVb/vlWAYkK/YBwk)
  224. ignore OUTPUT (2jmj7l5rSw0yVb/vlWAYkK/YBwk)
  225.  
  226. iptables table raw cmdlist:
  227.  
  228. ip6tables table raw cmdlist:
  229. no changes
  230. root@mon02:~#
  231. root@mon02:~#
  232. root@mon02:~# iptables-save
  233. # Generated by iptables-save v1.8.7 on Thu Dec 30 06:51:09 2021
  234. *raw
  235. :PREROUTING ACCEPT [133755091:64546199927]
  236. :OUTPUT ACCEPT [130661975:69754270776]
  237. COMMIT
  238. # Completed on Thu Dec 30 06:51:09 2021
  239. # Generated by iptables-save v1.8.7 on Thu Dec 30 06:51:09 2021
  240. *filter
  241. :INPUT ACCEPT [1585054:94997148]
  242. :FORWARD ACCEPT [0:0]
  243. :OUTPUT ACCEPT [776103:46568441]
  244. :PVEFW-Drop - [0:0]
  245. :PVEFW-DropBroadcast - [0:0]
  246. :PVEFW-FORWARD - [0:0]
  247. :PVEFW-FWBR-IN - [0:0]
  248. :PVEFW-FWBR-OUT - [0:0]
  249. :PVEFW-HOST-IN - [0:0]
  250. :PVEFW-HOST-OUT - [0:0]
  251. :PVEFW-INPUT - [0:0]
  252. :PVEFW-OUTPUT - [0:0]
  253. :PVEFW-Reject - [0:0]
  254. :PVEFW-SET-ACCEPT-MARK - [0:0]
  255. :PVEFW-logflags - [0:0]
  256. :PVEFW-reject - [0:0]
  257. :PVEFW-smurflog - [0:0]
  258. :PVEFW-smurfs - [0:0]
  259. :PVEFW-tcpflags - [0:0]
  260. -A INPUT -j PVEFW-INPUT
  261. -A FORWARD -j PVEFW-FORWARD
  262. -A OUTPUT -j PVEFW-OUTPUT
  263. -A PVEFW-Drop -j PVEFW-DropBroadcast
  264. -A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
  265. -A PVEFW-Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
  266. -A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
  267. -A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP
  268. -A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP
  269. -A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
  270. -A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
  271. -A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP
  272. -A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
  273. -A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
  274. -A PVEFW-Drop -m comment --comment "PVESIG:83WlR/a4wLbmURFqMQT3uJSgIG8"
  275. -A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
  276. -A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
  277. -A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
  278. -A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
  279. -A PVEFW-DropBroadcast -m comment --comment "PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w"
  280. -A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
  281. -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  282. -A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
  283. -A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
  284. -A PVEFW-FORWARD -m comment --comment "PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw"
  285. -A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
  286. -A PVEFW-FWBR-IN -m comment --comment "PVESIG:Ijl7/xz0DD7LF91MlLCz0ybZBE0"
  287. -A PVEFW-FWBR-OUT -m comment --comment "PVESIG:2jmj7l5rSw0yVb/vlWAYkK/YBwk"
  288. -A PVEFW-HOST-IN -i lo -j ACCEPT
  289. -A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
  290. -A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  291. -A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
  292. -A PVEFW-HOST-IN -p igmp -j RETURN
  293. -A PVEFW-HOST-IN -s 192.168.10.0/24 -d 192.168.10.0/24 -i vmbr10 -p tcp -m tcp --dport 3551 -j RETURN
  294. -A PVEFW-HOST-IN -s 192.168.70.0/24 -d 192.168.70.0/24 -p tcp -m tcp --dport 6800:7300 -j RETURN
  295. -A PVEFW-HOST-IN -d 192.168.80.128/25 -p udp -m udp --dport 5405:5406 -j RETURN
  296. -A PVEFW-HOST-IN -d 192.168.80.0/25 -p udp -m udp --dport 5405:5406 -j RETURN
  297. -A PVEFW-HOST-IN -d 192.168.10.0/24 -p tcp -m tcp --dport 6789 -j RETURN
  298. -A PVEFW-HOST-IN -d 192.168.10.0/24 -p tcp -m tcp --dport 3300 -j RETURN
  299. -A PVEFW-HOST-IN -d 192.168.10.0/24 -p tcp -m tcp --dport 6800:7300 -j RETURN
  300. -A PVEFW-HOST-IN -d 192.168.70.0/24 -p tcp -m tcp --dport 8006 -j PVEFW-reject
  301. -A PVEFW-HOST-IN -d 192.168.80.128/25 -p tcp -m tcp --dport 8006 -j PVEFW-reject
  302. -A PVEFW-HOST-IN -d 192.168.80.0/25 -p tcp -m tcp --dport 8006 -j PVEFW-reject
  303. -A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 8006 -j RETURN
  304. -A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 5900:5999 -j RETURN
  305. -A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 3128 -j RETURN
  306. -A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 22 -j RETURN
  307. -A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 60000:60050 -j RETURN
  308. -A PVEFW-HOST-IN -s 192.168.80.111/32 -d 192.168.80.112/32 -p udp -m udp --dport 5404:5405 -j RETURN
  309. -A PVEFW-HOST-IN -s 192.168.80.211/32 -d 192.168.80.212/32 -p udp -m udp --dport 5404:5405 -j RETURN
  310. -A PVEFW-HOST-IN -s 192.168.80.113/32 -d 192.168.80.112/32 -p udp -m udp --dport 5404:5405 -j RETURN
  311. -A PVEFW-HOST-IN -s 192.168.80.213/32 -d 192.168.80.212/32 -p udp -m udp --dport 5404:5405 -j RETURN
  312. -A PVEFW-HOST-IN -s 192.168.80.101/32 -d 192.168.80.112/32 -p udp -m udp --dport 5404:5405 -j RETURN
  313. -A PVEFW-HOST-IN -s 192.168.80.201/32 -d 192.168.80.212/32 -p udp -m udp --dport 5404:5405 -j RETURN
  314. -A PVEFW-HOST-IN -s 192.168.80.102/32 -d 192.168.80.112/32 -p udp -m udp --dport 5404:5405 -j RETURN
  315. -A PVEFW-HOST-IN -s 192.168.80.202/32 -d 192.168.80.212/32 -p udp -m udp --dport 5404:5405 -j RETURN
  316. -A PVEFW-HOST-IN -s 192.168.80.103/32 -d 192.168.80.112/32 -p udp -m udp --dport 5404:5405 -j RETURN
  317. -A PVEFW-HOST-IN -s 192.168.80.203/32 -d 192.168.80.212/32 -p udp -m udp --dport 5404:5405 -j RETURN
  318. -A PVEFW-HOST-IN -j PVEFW-Drop
  319. -A PVEFW-HOST-IN -j DROP
  320. -A PVEFW-HOST-IN -m comment --comment "PVESIG:ezgtFmiN1hX8rDNGlqtbBtqScxM"
  321. -A PVEFW-HOST-OUT -o lo -j ACCEPT
  322. -A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
  323. -A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  324. -A PVEFW-HOST-OUT -p igmp -j RETURN
  325. -A PVEFW-HOST-OUT -d 192.168.10.0/24 -p tcp -m tcp --dport 8006 -j RETURN
  326. -A PVEFW-HOST-OUT -d 192.168.10.0/24 -p tcp -m tcp --dport 22 -j RETURN
  327. -A PVEFW-HOST-OUT -d 192.168.10.0/24 -p tcp -m tcp --dport 5900:5999 -j RETURN
  328. -A PVEFW-HOST-OUT -d 192.168.10.0/24 -p tcp -m tcp --dport 3128 -j RETURN
  329. -A PVEFW-HOST-OUT -s 192.168.80.112/32 -d 192.168.80.111/32 -p udp -m udp --dport 5404:5405 -j RETURN
  330. -A PVEFW-HOST-OUT -s 192.168.80.212/32 -d 192.168.80.211/32 -p udp -m udp --dport 5404:5405 -j RETURN
  331. -A PVEFW-HOST-OUT -s 192.168.80.112/32 -d 192.168.80.113/32 -p udp -m udp --dport 5404:5405 -j RETURN
  332. -A PVEFW-HOST-OUT -s 192.168.80.212/32 -d 192.168.80.213/32 -p udp -m udp --dport 5404:5405 -j RETURN
  333. -A PVEFW-HOST-OUT -s 192.168.80.112/32 -d 192.168.80.101/32 -p udp -m udp --dport 5404:5405 -j RETURN
  334. -A PVEFW-HOST-OUT -s 192.168.80.212/32 -d 192.168.80.201/32 -p udp -m udp --dport 5404:5405 -j RETURN
  335. -A PVEFW-HOST-OUT -s 192.168.80.112/32 -d 192.168.80.102/32 -p udp -m udp --dport 5404:5405 -j RETURN
  336. -A PVEFW-HOST-OUT -s 192.168.80.212/32 -d 192.168.80.202/32 -p udp -m udp --dport 5404:5405 -j RETURN
  337. -A PVEFW-HOST-OUT -s 192.168.80.112/32 -d 192.168.80.103/32 -p udp -m udp --dport 5404:5405 -j RETURN
  338. -A PVEFW-HOST-OUT -s 192.168.80.212/32 -d 192.168.80.203/32 -p udp -m udp --dport 5404:5405 -j RETURN
  339. -A PVEFW-HOST-OUT -j RETURN
  340. -A PVEFW-HOST-OUT -m comment --comment "PVESIG:YAYn8j1iTEcJy69ORHbJBP454RY"
  341. -A PVEFW-INPUT -j PVEFW-HOST-IN
  342. -A PVEFW-INPUT -m comment --comment "PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk"
  343. -A PVEFW-OUTPUT -j PVEFW-HOST-OUT
  344. -A PVEFW-OUTPUT -m comment --comment "PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0"
  345. -A PVEFW-Reject -j PVEFW-DropBroadcast
  346. -A PVEFW-Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
  347. -A PVEFW-Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
  348. -A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
  349. -A PVEFW-Reject -p udp -m multiport --dports 135,445 -j PVEFW-reject
  350. -A PVEFW-Reject -p udp -m udp --dport 137:139 -j PVEFW-reject
  351. -A PVEFW-Reject -p udp -m udp --sport 137 --dport 1024:65535 -j PVEFW-reject
  352. -A PVEFW-Reject -p tcp -m multiport --dports 135,139,445 -j PVEFW-reject
  353. -A PVEFW-Reject -p udp -m udp --dport 1900 -j DROP
  354. -A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
  355. -A PVEFW-Reject -p udp -m udp --sport 53 -j DROP
  356. -A PVEFW-Reject -m comment --comment "PVESIG:h3DyALVslgH5hutETfixGP08w7c"
  357. -A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x80000000/0x80000000
  358. -A PVEFW-SET-ACCEPT-MARK -m comment --comment "PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY"
  359. -A PVEFW-logflags -j DROP
  360. -A PVEFW-logflags -m comment --comment "PVESIG:MN4PH1oPZeABMuWr64RrygPfW7A"
  361. -A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
  362. -A PVEFW-reject -s 224.0.0.0/4 -j DROP
  363. -A PVEFW-reject -p icmp -j DROP
  364. -A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
  365. -A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
  366. -A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
  367. -A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
  368. -A PVEFW-reject -m comment --comment "PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc"
  369. -A PVEFW-smurflog -j DROP
  370. -A PVEFW-smurflog -m comment --comment "PVESIG:2gfT1VMkfr0JL6OccRXTGXo+1qk"
  371. -A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
  372. -A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
  373. -A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
  374. -A PVEFW-smurfs -m comment --comment "PVESIG:HssVe5QCBXd5mc9kC88749+7fag"
  375. -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
  376. -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
  377. -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
  378. -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
  379. -A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
  380. -A PVEFW-tcpflags -m comment --comment "PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo"
  381. COMMIT
  382. # Completed on Thu Dec 30 06:51:09 2021
  383. root@mon02:~#
  384. root@mon02:~#
  385. root@mon02:~# pve-firewall localnet
  386. local hostname: mon02
  387. local IP address: 192.168.10.202
  388. network auto detect: 192.168.10.0/24
  389. using detected local_network: 192.168.10.0/24
  390.  
  391. accepting corosync traffic from/to:
  392. - mon01: 192.168.80.111 (link: 0)
  393. - mon01: 192.168.80.211 (link: 1)
  394. - mon03: 192.168.80.113 (link: 0)
  395. - mon03: 192.168.80.213 (link: 1)
  396. - pve01: 192.168.80.101 (link: 0)
  397. - pve01: 192.168.80.201 (link: 1)
  398. - pve02: 192.168.80.102 (link: 0)
  399. - pve02: 192.168.80.202 (link: 1)
  400. - pve03: 192.168.80.103 (link: 0)
  401. - pve03: 192.168.80.203 (link: 1)