- -P INPUT ACCEPT
- -P FORWARD ACCEPT
- -P OUTPUT ACCEPT
- -N LIBVIRT_FWI
- -N LIBVIRT_FWO
- -N LIBVIRT_FWX
- -N LIBVIRT_INP
- -N LIBVIRT_OUT
- -N nixos-fw
- -N nixos-fw-accept
- -N nixos-fw-log-refuse
- -N nixos-fw-refuse
- -A INPUT -j LIBVIRT_INP
- -A INPUT -j nixos-fw
- -A FORWARD -j LIBVIRT_FWX
- -A FORWARD -j LIBVIRT_FWI
- -A FORWARD -j LIBVIRT_FWO
- -A OUTPUT -j LIBVIRT_OUT
- -A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
- -A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
- -A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
- -A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
- -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
- -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
- -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
- -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
- -A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
- -A nixos-fw -i lo -j nixos-fw-accept
- -A nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j nixos-fw-accept
- -A nixos-fw -p tcp -m tcp --dport 22 -j nixos-fw-accept
- -A nixos-fw -p icmp -m icmp --icmp-type 8 -j nixos-fw-accept
- -A nixos-fw -j nixos-fw-log-refuse
- -A nixos-fw-accept -j ACCEPT
- -A nixos-fw-log-refuse -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "refused connection: " --log-level 6
- -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j nixos-fw-refuse
- -A nixos-fw-log-refuse -j nixos-fw-refuse
- -A nixos-fw-refuse -j DROP