- edge:b3-edge1:~# ubus call system board; \
- > uci export network; uci export wireless; \
- > uci export dhcp; uci export firewall; \
- > head -n -0 /etc/firewall.user; \
- > iptables-save -c; \
- > ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
- {
- "kernel": "4.15.0-1057-aws",
- "hostname": "vc-edge",
- "system": "Intel(R) Xeon(R) CPU E5-2686 v4 @ 2.30GHz",
- "release": {
- "distribution": "OpenWrt",
- "version": "cc-remerge-618-g0acfaf8",
- "revision": "r0+2278-0acfaf8",
- "codename": "example_vc-xen-aws",
- "target": "x64/vc-xen-aws",
- "description": "OpenWrt example vc-xen-aws cc-remerge-618-g0acfaf8"
- }
- }
- package network
- config interface 'loopback'
- option ifname 'lo'
- option proto 'static'
- option ipaddr '127.0.0.1'
- option netmask '255.0.0.0'
- option ipv6 '0'
- config interface 'management'
- option ifname 'management'
- option type 'bridge'
- option bridge_empty '1'
- option force_link '1'
- option proto 'static'
- list ipaddr '10.0.3.2'
- option netmask '255.255.255.255'
- option ipv6 '0'
- config interface 'segmgmt'
- option ifname 'segmgmt'
- option type 'bridge'
- option bridge_empty '1'
- option force_link '1'
- option proto 'static'
- list ipaddr '169.254.3.1'
- list ipaddr '169.254.3.2'
- list ipaddr '169.254.3.3'
- option netmask '255.255.255.255'
- option ipv6 '0'
- config interface 'network1'
- option ifname 'eth0 eth1'
- option proto 'static'
- option type 'bridge'
- list ipaddr '10.0.3.1/24'
- option ipv6 '0'
- option mtu '1500'
- config interface 'network100'
- option ifname 'eth1.100'
- option proto 'static'
- option type 'bridge'
- list ipaddr '10.100.3.1/24'
- option ipv6 '0'
- option mtu '1500'
- config interface 'network101'
- option ifname 'eth1.101'
- option proto 'static'
- option type 'bridge'
- list ipaddr '10.101.3.1/24'
- option ipv6 '0'
- option mtu '1500'
- config interface 'GE3'
- option ifname 'eth2'
- option proto 'static'
- option ipaddr '169.254.9.2'
- option netmask '255.255.255.248'
- option ipv6 '0'
- option mtu '1500'
- config route 'GE3_DEFAULT_ROUTE'
- option interface 'GE3'
- option target '0.0.0.0'
- option netmask '0.0.0.0'
- option gateway '169.254.9.1'
- option metric '5'
- config interface 'GE4'
- option ifname 'eth3'
- option hostname 'vc-ge4'
- option proto 'dhcp'
- option ipv6 '0'
- option mtu '1500'
- option metric '6'
- config interface 'GE4_100'
- option ifname 'eth3.100'
- option proto 'static'
- option ipaddr '172.17.3.2'
- option netmask '255.255.255.248'
- option ipv6 '0'
- option mtu '1500'
- option macaddr '02:42:ac:10:03:05'
- config interface 'GE4_101'
- option ifname 'eth3.101'
- option proto 'static'
- option ipaddr '172.18.3.2'
- option netmask '255.255.255.248'
- option ipv6 '0'
- option mtu '1500'
- option macaddr '02:42:ac:10:03:05'
- config interface 'GE5'
- option ifname 'eth4'
- option hostname 'vc-ge5'
- option proto 'dhcp'
- option ipv6 '0'
- option mtu '1500'
- option metric '7'
- config interface 'GE6'
- option ifname 'eth5'
- option hostname 'vc-ge6'
- option proto 'dhcp'
- option ipv6 '0'
- option mtu '1500'
- option metric '8'
- config interface 'GE7'
- option ifname 'eth6'
- option hostname 'vc-ge7'
- option proto 'dhcp'
- option ipv6 '0'
- option mtu '1500'
- option metric '9'
- config interface 'GE8'
- option ifname 'eth7'
- option hostname 'vc-ge8'
- option proto 'dhcp'
- option ipv6 '0'
- option mtu '1500'
- option metric '10'
- uci: Entry not found
- package dhcp
- config dnsmasq 'secure'
- option bind_dynamic '1'
- option domainneeded '1'
- option boguspriv '1'
- option filterwin2k '0'
- option localise_queries '1'
- option rebind_protection '0'
- option rebind_localhost '1'
- option local '/lan/'
- option domain 'lan'
- option expandhosts '1'
- option noresolv '1'
- option nonegcache '1'
- option authoritative '1'
- option readethers '1'
- option dnsforwardmax '500'
- option dhcpleasemax '5000'
- option dhcpnooverride '1'
- option logdhcp '1'
- option leasefile '/tmp/dhcp.leases.secure'
- list server '208.67.222.222@10.0.3.2'
- list server '208.67.220.220@10.0.3.2'
- list server '/example.net/8.8.8.8@10.0.3.2'
- list server '/example.net/8.8.4.4@10.0.3.2'
- list interface 'network1'
- list interface 'network100'
- list interface 'network101'
- list interface 'vce1'
- list interface 'lo'
- config dhcp 'network1'
- option interface 'network1'
- option dnsmasq_config 'secure'
- option start '13'
- option limit '242'
- option leasetime '86400'
- option force '1'
- list dhcp_option '119,example.net'
- config host
- option ip '10.0.3.25'
- option mac '02:42:0a:00:03:19'
- option dnsmasq_config 'secure'
- config dhcp 'network100'
- option interface 'network100'
- option dnsmasq_config 'secure'
- option start '13'
- option limit '242'
- option leasetime '86400'
- option force '1'
- list dhcp_option '119,example.net'
- config host
- option ip '10.100.3.100'
- option mac '02:42:0a:00:03:19'
- option dnsmasq_config 'secure'
- config dhcp 'network101'
- option interface 'network101'
- option dnsmasq_config 'secure'
- option start '13'
- option limit '242'
- option leasetime '86400'
- option force '1'
- list dhcp_option '119,example.net'
- config host
- option ip '10.101.3.100'
- option mac '02:42:0a:00:03:19'
- option dnsmasq_config 'secure'
- config host
- option ip '10.0.3.2'
- option mac 'ff:ff:ff:ff:ff:ff'
- option dnsmasq_config 'secure'
- package firewall
- config defaults
- option syn_flood '1'
- option input 'ACCEPT'
- option output 'ACCEPT'
- option forward 'REJECT'
- option disable_ipv6 '1'
- config zone
- option name 'GE3'
- option network 'GE3'
- option input 'REJECT'
- option output 'ACCEPT'
- option forward 'REJECT'
- option masq '1'
- config rule
- option name 'Allow-DHCP-Renew'
- option src 'GE3'
- option proto 'udp'
- option dest_port '68'
- option family 'ipv4'
- option target 'ACCEPT'
- config rule
- option name 'Allow-Ping'
- option src 'GE3'
- option proto 'icmp'
- option icmp_type 'echo-request'
- option family 'ipv4'
- option target 'ACCEPT'
- config zone
- option name 'GE4'
- option network 'GE4'
- option input 'REJECT'
- option output 'ACCEPT'
- option forward 'REJECT'
- option masq '1'
- config rule
- option name 'Allow-DHCP-Renew'
- option src 'GE4'
- option proto 'udp'
- option dest_port '68'
- option family 'ipv4'
- option target 'ACCEPT'
- config rule
- option name 'Allow-Ping'
- option src 'GE4'
- option proto 'icmp'
- option icmp_type 'echo-request'
- option family 'ipv4'
- option target 'ACCEPT'
- config zone
- option name 'GE5'
- option network 'GE5'
- option input 'REJECT'
- option output 'ACCEPT'
- option forward 'REJECT'
- option masq '1'
- config rule
- option name 'Allow-DHCP-Renew'
- option src 'GE5'
- option proto 'udp'
- option dest_port '68'
- option family 'ipv4'
- option target 'ACCEPT'
- config rule
- option name 'Allow-Ping'
- option src 'GE5'
- option proto 'icmp'
- option icmp_type 'echo-request'
- option family 'ipv4'
- option target 'ACCEPT'
- config zone
- option name 'GE6'
- option network 'GE6'
- option input 'REJECT'
- option output 'ACCEPT'
- option forward 'REJECT'
- option masq '1'
- config rule
- option name 'Allow-DHCP-Renew'
- option src 'GE6'
- option proto 'udp'
- option dest_port '68'
- option family 'ipv4'
- option target 'ACCEPT'
- config rule
- option name 'Allow-Ping'
- option src 'GE6'
- option proto 'icmp'
- option icmp_type 'echo-request'
- option family 'ipv4'
- option target 'ACCEPT'
- config zone
- option name 'GE7'
- option network 'GE7'
- option input 'REJECT'
- option output 'ACCEPT'
- option forward 'REJECT'
- option masq '1'
- config rule
- option name 'Allow-DHCP-Renew'
- option src 'GE7'
- option proto 'udp'
- option dest_port '68'
- option family 'ipv4'
- option target 'ACCEPT'
- config rule
- option name 'Allow-Ping'
- option src 'GE7'
- option proto 'icmp'
- option icmp_type 'echo-request'
- option family 'ipv4'
- option target 'ACCEPT'
- config zone
- option name 'GE8'
- option network 'GE8'
- option input 'REJECT'
- option output 'ACCEPT'
- option forward 'REJECT'
- option masq '1'
- config rule
- option name 'Allow-DHCP-Renew'
- option src 'GE8'
- option proto 'udp'
- option dest_port '68'
- option family 'ipv4'
- option target 'ACCEPT'
- config rule
- option name 'Allow-Ping'
- option src 'GE8'
- option proto 'icmp'
- option icmp_type 'echo-request'
- option family 'ipv4'
- option target 'ACCEPT'
- config include
- option path '/etc/firewall.user'
- config zone
- option name 'network1'
- option network 'network1'
- option input 'ACCEPT'
- option output 'ACCEPT'
- option forward 'REJECT'
- config forwarding
- option src 'network1'
- option dest 'GE3'
- option proto 'all'
- option target 'ACCEPT'
- config forwarding
- option src 'network1'
- option dest 'GE4'
- option proto 'all'
- option target 'ACCEPT'
- config forwarding
- option src 'network1'
- option dest 'GE5'
- option proto 'all'
- option target 'ACCEPT'
- config forwarding
- option src 'network1'
- option dest 'GE6'
- option proto 'all'
- option target 'ACCEPT'
- config forwarding
- option src 'network1'
- option dest 'GE7'
- option proto 'all'
- option target 'ACCEPT'
- config forwarding
- option src 'network1'
- option dest 'GE8'
- option proto 'all'
- option target 'ACCEPT'
- config rule
- option src 'network1'
- option dest_port '53'
- option proto 'tcpudp'
- option target 'ACCEPT'
- config rule
- option src 'network1'
- option src_port '67-68'
- option dest_port '67-68'
- option proto 'udp'
- option target 'ACCEPT'
- config rule
- option src 'network1'
- option dest_port '2607'
- option proto 'tcp'
- option target 'REJECT'
- config zone
- option name 'network100'
- option network 'network100'
- option input 'ACCEPT'
- option output 'ACCEPT'
- option forward 'REJECT'
- config forwarding
- option src 'network100'
- option dest 'GE3'
- option proto 'all'
- option target 'ACCEPT'
- config forwarding
- option src 'network100'
- option dest 'GE4'
- option proto 'all'
- option target 'ACCEPT'
- config forwarding
- option src 'network100'
- option dest 'GE5'
- option proto 'all'
- option target 'ACCEPT'
- config forwarding
- option src 'network100'
- option dest 'GE6'
- option proto 'all'
- option target 'ACCEPT'
- config forwarding
- option src 'network100'
- option dest 'GE7'
- option proto 'all'
- option target 'ACCEPT'
- config forwarding
- option src 'network100'
- option dest 'GE8'
- option proto 'all'
- option target 'ACCEPT'
- config rule
- option src 'network100'
- option dest_port '53'
- option proto 'tcpudp'
- option target 'ACCEPT'
- config rule
- option src 'network100'
- option src_port '67-68'
- option dest_port '67-68'
- option proto 'udp'
- option target 'ACCEPT'
- config rule
- option src 'network100'
- option dest_port '2607'
- option proto 'tcp'
- option target 'REJECT'
- config zone
- option name 'network101'
- option network 'network101'
- option input 'ACCEPT'
- option output 'ACCEPT'
- option forward 'REJECT'
- config forwarding
- option src 'network101'
- option dest 'GE3'
- option proto 'all'
- option target 'ACCEPT'
- config forwarding
- option src 'network101'
- option dest 'GE4'
- option proto 'all'
- option target 'ACCEPT'
- config forwarding
- option src 'network101'
- option dest 'GE5'
- option proto 'all'
- option target 'ACCEPT'
- config forwarding
- option src 'network101'
- option dest 'GE6'
- option proto 'all'
- option target 'ACCEPT'
- config forwarding
- option src 'network101'
- option dest 'GE7'
- option proto 'all'
- option target 'ACCEPT'
- config forwarding
- option src 'network101'
- option dest 'GE8'
- option proto 'all'
- option target 'ACCEPT'
- config rule
- option src 'network101'
- option dest_port '53'
- option proto 'tcpudp'
- option target 'ACCEPT'
- config rule
- option src 'network101'
- option src_port '67-68'
- option dest_port '67-68'
- option proto 'udp'
- option target 'ACCEPT'
- config rule
- option src 'network101'
- option dest_port '2607'
- option proto 'tcp'
- option target 'REJECT'
- #!/bin/sh
- iptables -t mangle -N LOGGING
- iptables -t mangle -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1320
- # Generated by iptables-save v1.4.21 on Tue Aug 25 09:22:41 2020
- *mangle
- :PREROUTING ACCEPT [3373329:616839538]
- :INPUT ACCEPT [3338494:614025214]
- :FORWARD ACCEPT [0:0]
- :OUTPUT ACCEPT [1144:375232]
- :POSTROUTING ACCEPT [686907:138297669]
- :LOGGING - [0:0]
- :MODEM_CHAIN - [0:0]
- :SEG_LAN_ROUTING_INPUT - [0:0]
- :SEG_LAN_ROUTING_OUTPUT - [0:0]
- :TUN_CHAIN - [0:0]
- :VCMP_MARK_ACL - [0:0]
- [3373722:616897812] -A PREROUTING -j SEG_LAN_ROUTING_INPUT
- [3373723:616897864] -A PREROUTING -j VCMP_MARK_ACL
- [0:0] -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1320
- [687310:138341500] -A OUTPUT -j SEG_LAN_ROUTING_OUTPUT
- [687310:138341500] -A OUTPUT -j TUN_CHAIN
- [0:0] -A SEG_LAN_ROUTING_INPUT -i br-network101 -m state --state NEW -j CONNMARK --set-xmark 0xd7/0xffffffff
- [0:0] -A SEG_LAN_ROUTING_INPUT -i br-network101 -m state --state NEW -j CONNMARK --set-xmark 0xd7/0xffffffff
- [0:0] -A SEG_LAN_ROUTING_INPUT -i br-network100 -m state --state NEW -j CONNMARK --set-xmark 0xd6/0xffffffff
- [0:0] -A SEG_LAN_ROUTING_INPUT -i br-network100 -m state --state NEW -j CONNMARK --set-xmark 0xd6/0xffffffff
- [15:960] -A SEG_LAN_ROUTING_INPUT -i br-network1 -m state --state NEW -j CONNMARK --set-xmark 0xd5/0xffffffff
- [15:960] -A SEG_LAN_ROUTING_INPUT -i br-network1 -m state --state NEW -j CONNMARK --set-xmark 0xd5/0xffffffff
- [0:0] -A SEG_LAN_ROUTING_OUTPUT -m connmark --mark 0xd7 -j MARK --set-xmark 0xd7/0xffffffff
- [0:0] -A SEG_LAN_ROUTING_OUTPUT -m connmark --mark 0xd6 -j MARK --set-xmark 0xd6/0xffffffff
- [7612:1248199] -A SEG_LAN_ROUTING_OUTPUT -m connmark --mark 0xd5 -j MARK --set-xmark 0xd5/0xffffffff
- [522959:123679713] -A TUN_CHAIN -p tcp -j MODEM_CHAIN
- [0:0] -A TUN_CHAIN -m connmark --mark 0xd9 -j MARK --set-xmark 0xd9/0xffffffff
- [0:0] -A TUN_CHAIN -m connmark --mark 0xd9 -j ACCEPT
- [0:0] -A TUN_CHAIN -m connmark --mark 0xd8 -j MARK --set-xmark 0xd8/0xffffffff
- [0:0] -A TUN_CHAIN -m connmark --mark 0xd8 -j ACCEPT
- [0:0] -A TUN_CHAIN -m connmark --mark 0xd3 -j MARK --set-xmark 0xd3/0xffffffff
- [0:0] -A TUN_CHAIN -m connmark --mark 0xd3 -j ACCEPT
- [0:0] -A TUN_CHAIN -m connmark --mark 0xd2 -j MARK --set-xmark 0xd2/0xffffffff
- [0:0] -A TUN_CHAIN -m connmark --mark 0xd2 -j ACCEPT
- [92696:8977738] -A TUN_CHAIN -d 127.0.0.1/32 -j ACCEPT
- [81408:5982888] -A TUN_CHAIN -o lo -j ACCEPT
- [0:0] -A TUN_CHAIN -s 169.254.3.0/24 -j MARK --set-xmark 0xc8/0xffffffff
- [0:0] -A TUN_CHAIN -s 169.254.3.0/24 -j ACCEPT
- [7682:1254823] -A TUN_CHAIN -o br-network1 -j ACCEPT
- [0:0] -A TUN_CHAIN -o br-network100 -j ACCEPT
- [0:0] -A TUN_CHAIN -o br-network101 -j ACCEPT
- [482385:120455663] -A TUN_CHAIN -s 10.0.3.2/32 -j MARK --set-xmark 0xc8/0xffffffff
- [482385:120455663] -A TUN_CHAIN -s 10.0.3.2/32 -j ACCEPT
- [0:0] -A TUN_CHAIN -p tcp -m multiport --sports 179 -j MARK --set-xmark 0xc8/0xffffffff
- [0:0] -A TUN_CHAIN -p tcp -m multiport --sports 179 -j ACCEPT
- [21634:1257213] -A TUN_CHAIN -p tcp -m multiport --dports 22,53,80,123,443,61000,179 -j MARK --set-xmark 0xc8/0xffffffff
- [21634:1257213] -A TUN_CHAIN -p tcp -m multiport --dports 22,53,80,123,443,61000,179 -j ACCEPT
- [0:0] -A TUN_CHAIN -p udp -m multiport --dports 53,123 -j MARK --set-xmark 0xc8/0xffffffff
- [0:0] -A TUN_CHAIN -p udp -m multiport --dports 53,123 -j ACCEPT
- [0:0] -A TUN_CHAIN -p icmp -m icmp --icmp-type 8/0 -j MARK --set-xmark 0xc8/0xffffffff
- [0:0] -A TUN_CHAIN -p icmp -j ACCEPT
- [2507118:371475719] -A VCMP_MARK_ACL -i eth2 -m state --state NEW -j CONNMARK --set-xmark 0xd2/0xffffffff
- [263515:28657744] -A VCMP_MARK_ACL -i eth3 -m state --state NEW -j CONNMARK --set-xmark 0xd3/0xffffffff
- [0:0] -A VCMP_MARK_ACL -i eth3.100 -m state --state NEW -j CONNMARK --set-xmark 0xd8/0xffffffff
- [0:0] -A VCMP_MARK_ACL -i eth3.101 -m state --state NEW -j CONNMARK --set-xmark 0xd9/0xffffffff
- COMMIT
- # Completed on Tue Aug 25 09:22:41 2020
- # Generated by iptables-save v1.4.21 on Tue Aug 25 09:22:41 2020
- *filter
- :INPUT ACCEPT [0:0]
- :FORWARD DROP [0:0]
- :OUTPUT ACCEPT [0:0]
- :PORTAL_INPUT - [0:0]
- :SEG_MGMT - [0:0]
- :VCMP_FWD_ACL - [0:0]
- :VCMP_IN_ACL - [0:0]
- :VCMP_IN_ACL_PERSIST - [0:0]
- :VCMP_IN_ACL_SEGMENT - [0:0]
- :VCMP_OUT_ACL - [0:0]
- :forwarding_GE3_rule - [0:0]
- :forwarding_GE4_rule - [0:0]
- :forwarding_GE5_rule - [0:0]
- :forwarding_GE6_rule - [0:0]
- :forwarding_GE7_rule - [0:0]
- :forwarding_GE8_rule - [0:0]
- :forwarding_network0_rule - [0:0]
- :forwarding_network1_rule - [0:0]
- :forwarding_rule - [0:0]
- :input_GE3_rule - [0:0]
- :input_GE4_rule - [0:0]
- :input_GE5_rule - [0:0]
- :input_GE6_rule - [0:0]
- :input_GE7_rule - [0:0]
- :input_GE8_rule - [0:0]
- :input_network0_rule - [0:0]
- :input_network1_rule - [0:0]
- :input_rule - [0:0]
- :output_GE3_rule - [0:0]
- :output_GE4_rule - [0:0]
- :output_GE5_rule - [0:0]
- :output_GE6_rule - [0:0]
- :output_GE7_rule - [0:0]
- :output_GE8_rule - [0:0]
- :output_network0_rule - [0:0]
- :output_network1_rule - [0:0]
- :output_rule - [0:0]
- :reject - [0:0]
- :syn_flood - [0:0]
- :zone_GE3_dest_ACCEPT - [0:0]
- :zone_GE3_dest_REJECT - [0:0]
- :zone_GE3_forward - [0:0]
- :zone_GE3_input - [0:0]
- :zone_GE3_output - [0:0]
- :zone_GE3_src_REJECT - [0:0]
- :zone_GE4_dest_ACCEPT - [0:0]
- :zone_GE4_dest_REJECT - [0:0]
- :zone_GE4_forward - [0:0]
- :zone_GE4_input - [0:0]
- :zone_GE4_output - [0:0]
- :zone_GE4_src_REJECT - [0:0]
- :zone_GE5_dest_ACCEPT - [0:0]
- :zone_GE5_dest_REJECT - [0:0]
- :zone_GE5_forward - [0:0]
- :zone_GE5_input - [0:0]
- :zone_GE5_output - [0:0]
- :zone_GE5_src_REJECT - [0:0]
- :zone_GE6_dest_ACCEPT - [0:0]
- :zone_GE6_dest_REJECT - [0:0]
- :zone_GE6_forward - [0:0]
- :zone_GE6_input - [0:0]
- :zone_GE6_output - [0:0]
- :zone_GE6_src_REJECT - [0:0]
- :zone_GE7_dest_ACCEPT - [0:0]
- :zone_GE7_dest_REJECT - [0:0]
- :zone_GE7_forward - [0:0]
- :zone_GE7_input - [0:0]
- :zone_GE7_output - [0:0]
- :zone_GE7_src_REJECT - [0:0]
- :zone_GE8_dest_ACCEPT - [0:0]
- :zone_GE8_dest_REJECT - [0:0]
- :zone_GE8_forward - [0:0]
- :zone_GE8_input - [0:0]
- :zone_GE8_output - [0:0]
- :zone_GE8_src_REJECT - [0:0]
- :zone_network0_forward - [0:0]
- :zone_network0_input - [0:0]
- :zone_network0_output - [0:0]
- :zone_network100_dest_ACCEPT - [0:0]
- :zone_network100_dest_REJECT - [0:0]
- :zone_network100_forward - [0:0]
- :zone_network100_input - [0:0]
- :zone_network100_output - [0:0]
- :zone_network100_src_ACCEPT - [0:0]
- :zone_network101_dest_ACCEPT - [0:0]
- :zone_network101_dest_REJECT - [0:0]
- :zone_network101_forward - [0:0]
- :zone_network101_input - [0:0]
- :zone_network101_output - [0:0]
- :zone_network101_src_ACCEPT - [0:0]
- :zone_network1_dest_ACCEPT - [0:0]
- :zone_network1_dest_REJECT - [0:0]
- :zone_network1_forward - [0:0]
- :zone_network1_input - [0:0]
- :zone_network1_output - [0:0]
- :zone_network1_src_ACCEPT - [0:0]
- [81040:8225520] -A INPUT -p icmp -j SEG_MGMT
- [0:0] -A INPUT -s 192.168.32.2/32 -i vce1 -p tcp -m tcp --sport 80 -j DROP
- [3338663:614061319] -A INPUT -j VCMP_IN_ACL_PERSIST
- [3329472:613572334] -A INPUT -j VCMP_IN_ACL_SEGMENT
- [3329472:613572334] -A INPUT -j VCMP_IN_ACL
- [0:0] -A INPUT -s 192.168.32.2/32 -i vce1 -p tcp -m tcp --sport 80 -j DROP
- [10176:890400] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
- [26282:12613151] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
- [26282:12613151] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
- [0:0] -A INPUT -i eth2 -m comment --comment "!fw3" -j zone_GE3_input
- [0:0] -A INPUT -i eth3 -m comment --comment "!fw3" -j zone_GE4_input
- [0:0] -A INPUT -i eth4 -m comment --comment "!fw3" -j zone_GE5_input
- [0:0] -A INPUT -i eth5 -m comment --comment "!fw3" -j zone_GE6_input
- [0:0] -A INPUT -i eth6 -m comment --comment "!fw3" -j zone_GE7_input
- [0:0] -A INPUT -i eth7 -m comment --comment "!fw3" -j zone_GE8_input
- [0:0] -A INPUT -i br-network1 -m comment --comment "!fw3" -j zone_network1_input
- [0:0] -A INPUT -i br-network100 -m comment --comment "!fw3" -j zone_network100_input
- [0:0] -A INPUT -i br-network101 -m comment --comment "!fw3" -j zone_network101_input
- [0:0] -A FORWARD -o vce1 -j ACCEPT
- [0:0] -A FORWARD -i vce1 -j ACCEPT
- [0:0] -A FORWARD -j VCMP_FWD_ACL
- [0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
- [0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A FORWARD -i eth2 -m comment --comment "!fw3" -j zone_GE3_forward
- [0:0] -A FORWARD -i eth3 -m comment --comment "!fw3" -j zone_GE4_forward
- [0:0] -A FORWARD -i eth4 -m comment --comment "!fw3" -j zone_GE5_forward
- [0:0] -A FORWARD -i eth5 -m comment --comment "!fw3" -j zone_GE6_forward
- [0:0] -A FORWARD -i eth6 -m comment --comment "!fw3" -j zone_GE7_forward
- [0:0] -A FORWARD -i eth7 -m comment --comment "!fw3" -j zone_GE8_forward
- [0:0] -A FORWARD -i br-network1 -m comment --comment "!fw3" -j zone_network1_forward
- [0:0] -A FORWARD -i br-network100 -m comment --comment "!fw3" -j zone_network100_forward
- [0:0] -A FORWARD -i br-network101 -m comment --comment "!fw3" -j zone_network101_forward
- [0:0] -A FORWARD -m comment --comment "!fw3" -j reject
- [687317:138342013] -A OUTPUT -j VCMP_OUT_ACL
- [10176:890400] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
- [32727:7157482] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
- [29934:7023418] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
- [2793:134064] -A OUTPUT -o eth2 -m comment --comment "!fw3" -j zone_GE3_output
- [0:0] -A OUTPUT -o eth3 -m comment --comment "!fw3" -j zone_GE4_output
- [0:0] -A OUTPUT -o eth4 -m comment --comment "!fw3" -j zone_GE5_output
- [0:0] -A OUTPUT -o eth5 -m comment --comment "!fw3" -j zone_GE6_output
- [0:0] -A OUTPUT -o eth6 -m comment --comment "!fw3" -j zone_GE7_output
- [0:0] -A OUTPUT -o eth7 -m comment --comment "!fw3" -j zone_GE8_output
- [0:0] -A OUTPUT -o br-network1 -m comment --comment "!fw3" -j zone_network1_output
- [0:0] -A OUTPUT -o br-network100 -m comment --comment "!fw3" -j zone_network100_output
- [0:0] -A OUTPUT -o br-network101 -m comment --comment "!fw3" -j zone_network101_output
- [0:0] -A SEG_MGMT ! -s 10.101.3.0/24 -d 10.101.3.1/32 -p icmp -m icmp --icmp-type 8 -j DROP
- [0:0] -A SEG_MGMT ! -s 10.101.3.0/24 -d 10.101.3.1/32 -p icmp -m icmp --icmp-type 8 -j DROP
- [0:0] -A SEG_MGMT ! -s 10.100.3.0/24 -d 10.100.3.1/32 -p icmp -m icmp --icmp-type 8 -j DROP
- [0:0] -A SEG_MGMT ! -s 10.100.3.0/24 -d 10.100.3.1/32 -p icmp -m icmp --icmp-type 8 -j DROP
- [0:0] -A SEG_MGMT ! -s 10.0.3.0/24 -d 10.0.3.1/32 -p icmp -m icmp --icmp-type 8 -j DROP
- [0:0] -A SEG_MGMT ! -s 10.0.3.0/24 -d 10.0.3.1/32 -p icmp -m icmp --icmp-type 8 -j DROP
- [0:0] -A VCMP_FWD_ACL -i br-network1 -o br-network100 -j DROP
- [0:0] -A VCMP_FWD_ACL -i br-network1 -o br-network101 -j DROP
- [0:0] -A VCMP_FWD_ACL -i br-network100 -o br-network1 -j DROP
- [0:0] -A VCMP_FWD_ACL -i br-network100 -o br-network101 -j DROP
- [0:0] -A VCMP_FWD_ACL -i br-network101 -o br-network1 -j DROP
- [0:0] -A VCMP_FWD_ACL -i br-network101 -o br-network100 -j DROP
- [0:0] -A VCMP_FWD_ACL -j DROP
- [0:0] -A VCMP_IN_ACL -s 192.168.14.1/32 -j ACCEPT
- [0:0] -A VCMP_IN_ACL -s 192.168.32.2/32 -j ACCEPT
- [0:0] -A VCMP_IN_ACL -i eth2 -p icmp -m icmp --icmp-type 11 -j ACCEPT
- [0:0] -A VCMP_IN_ACL -i eth2 -p icmp -m icmp --icmp-type 3 -j ACCEPT
- [2507126:371479988] -A VCMP_IN_ACL -i eth2 -j DROP
- [0:0] -A VCMP_IN_ACL -i eth3 -p icmp -m icmp --icmp-type 11 -j ACCEPT
- [0:0] -A VCMP_IN_ACL -i eth3 -p icmp -m icmp --icmp-type 3 -j ACCEPT
- [230292:26372432] -A VCMP_IN_ACL -i eth3 -j DROP
- [0:0] -A VCMP_IN_ACL -i eth3.100 -p icmp -m icmp --icmp-type 11 -j ACCEPT
- [0:0] -A VCMP_IN_ACL -i eth3.100 -p icmp -m icmp --icmp-type 3 -j ACCEPT
- [0:0] -A VCMP_IN_ACL -i eth3.100 -j DROP
- [0:0] -A VCMP_IN_ACL -i eth3.101 -p icmp -m icmp --icmp-type 11 -j ACCEPT
- [0:0] -A VCMP_IN_ACL -i eth3.101 -p icmp -m icmp --icmp-type 3 -j ACCEPT
- [0:0] -A VCMP_IN_ACL -i eth3.101 -j DROP
- [0:0] -A VCMP_IN_ACL -i br-network1 -p tcp -m tcp --dport 179 -j DROP
- [0:0] -A VCMP_IN_ACL -i br-network1 -p tcp -m tcp --sport 179 -j DROP
- [0:0] -A VCMP_IN_ACL -i br-network100 -p tcp -m tcp --dport 179 -j DROP
- [0:0] -A VCMP_IN_ACL -i br-network100 -p tcp -m tcp --sport 179 -j DROP
- [0:0] -A VCMP_IN_ACL -i br-network101 -p tcp -m tcp --dport 179 -j DROP
- [0:0] -A VCMP_IN_ACL -i br-network101 -p tcp -m tcp --sport 179 -j DROP
- [0:0] -A VCMP_IN_ACL_PERSIST -s 172.16.5.3/32 -p tcp -m tcp --dport 22 -j ACCEPT
- [0:0] -A VCMP_IN_ACL_PERSIST -s 169.254.9.1/32 -p tcp -m tcp --dport 22 -j ACCEPT
- [9406:510711] -A VCMP_IN_ACL_PERSIST -s 10.0.3.25/32 -p tcp -m tcp --dport 22 -j ACCEPT
- [0:0] -A VCMP_IN_ACL_PERSIST -p tcp -m tcp --dport 22 -j DROP
- [0:0] -A VCMP_IN_ACL_PERSIST -p udp -m udp --dport 161 -j DROP
- [0:0] -A VCMP_IN_ACL_PERSIST -p tcp -m tcp --dport 80 -j DROP
- [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.101.3.1/32 -i vce1 -j DROP
- [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.100.3.1/32 -i vce1 -j DROP
- [0:0] -A VCMP_IN_ACL_SEGMENT -d 169.254.129.4/32 -i br-network101 -j DROP
- [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.100.3.1/32 -i br-network101 -j DROP
- [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.0.3.1/32 -i br-network101 -j DROP
- [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.0.3.2/32 -i br-network101 -j DROP
- [0:0] -A VCMP_IN_ACL_SEGMENT -d 169.254.129.4/32 -i br-network100 -j DROP
- [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.101.3.1/32 -i br-network100 -j DROP
- [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.0.3.1/32 -i br-network100 -j DROP
- [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.0.3.2/32 -i br-network100 -j DROP
- [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.101.3.1/32 -i br-network1 -j DROP
- [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.100.3.1/32 -i br-network1 -j DROP
- [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.101.3.1/32 -i br-management -j DROP
- [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.100.3.1/32 -i br-management -j DROP
- [0:0] -A VCMP_OUT_ACL -p icmp -m icmp --icmp-type 11/0 -j DROP
- [0:0] -A VCMP_OUT_ACL -o eth2 -p icmp -m icmp --icmp-type 5 -j DROP
- [0:0] -A VCMP_OUT_ACL -o eth3 -p icmp -m icmp --icmp-type 5 -j DROP
- [0:0] -A VCMP_OUT_ACL -o eth3.100 -p icmp -m icmp --icmp-type 5 -j DROP
- [0:0] -A VCMP_OUT_ACL -o eth3.101 -p icmp -m icmp --icmp-type 5 -j DROP
- [0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
- [0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
- [0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
- [0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
- [0:0] -A zone_GE3_dest_ACCEPT -o eth2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
- [2793:134064] -A zone_GE3_dest_ACCEPT -o eth2 -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A zone_GE3_dest_REJECT -o eth2 -m comment --comment "!fw3" -j reject
- [0:0] -A zone_GE3_forward -m comment --comment "!fw3: Custom GE3 forwarding rule chain" -j forwarding_GE3_rule
- [0:0] -A zone_GE3_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
- [0:0] -A zone_GE3_forward -m comment --comment "!fw3" -j zone_GE3_dest_REJECT
- [0:0] -A zone_GE3_input -m comment --comment "!fw3: Custom GE3 input rule chain" -j input_GE3_rule
- [0:0] -A zone_GE3_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
- [0:0] -A zone_GE3_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
- [0:0] -A zone_GE3_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
- [0:0] -A zone_GE3_input -m comment --comment "!fw3" -j zone_GE3_src_REJECT
- [2793:134064] -A zone_GE3_output -m comment --comment "!fw3: Custom GE3 output rule chain" -j output_GE3_rule
- [2793:134064] -A zone_GE3_output -m comment --comment "!fw3" -j zone_GE3_dest_ACCEPT
- [0:0] -A zone_GE3_src_REJECT -i eth2 -m comment --comment "!fw3" -j reject
- [0:0] -A zone_GE4_dest_ACCEPT -o eth3 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
- [0:0] -A zone_GE4_dest_ACCEPT -o eth3 -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A zone_GE4_dest_REJECT -o eth3 -m comment --comment "!fw3" -j reject
- [0:0] -A zone_GE4_forward -m comment --comment "!fw3: Custom GE4 forwarding rule chain" -j forwarding_GE4_rule
- [0:0] -A zone_GE4_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
- [0:0] -A zone_GE4_forward -m comment --comment "!fw3" -j zone_GE4_dest_REJECT
- [0:0] -A zone_GE4_input -m comment --comment "!fw3: Custom GE4 input rule chain" -j input_GE4_rule
- [0:0] -A zone_GE4_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
- [0:0] -A zone_GE4_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
- [0:0] -A zone_GE4_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
- [0:0] -A zone_GE4_input -m comment --comment "!fw3" -j zone_GE4_src_REJECT
- [0:0] -A zone_GE4_output -m comment --comment "!fw3: Custom GE4 output rule chain" -j output_GE4_rule
- [0:0] -A zone_GE4_output -m comment --comment "!fw3" -j zone_GE4_dest_ACCEPT
- [0:0] -A zone_GE4_src_REJECT -i eth3 -m comment --comment "!fw3" -j reject
- [0:0] -A zone_GE5_dest_ACCEPT -o eth4 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
- [0:0] -A zone_GE5_dest_ACCEPT -o eth4 -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A zone_GE5_dest_REJECT -o eth4 -m comment --comment "!fw3" -j reject
- [0:0] -A zone_GE5_forward -m comment --comment "!fw3: Custom GE5 forwarding rule chain" -j forwarding_GE5_rule
- [0:0] -A zone_GE5_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
- [0:0] -A zone_GE5_forward -m comment --comment "!fw3" -j zone_GE5_dest_REJECT
- [0:0] -A zone_GE5_input -m comment --comment "!fw3: Custom GE5 input rule chain" -j input_GE5_rule
- [0:0] -A zone_GE5_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
- [0:0] -A zone_GE5_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
- [0:0] -A zone_GE5_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
- [0:0] -A zone_GE5_input -m comment --comment "!fw3" -j zone_GE5_src_REJECT
- [0:0] -A zone_GE5_output -m comment --comment "!fw3: Custom GE5 output rule chain" -j output_GE5_rule
- [0:0] -A zone_GE5_output -m comment --comment "!fw3" -j zone_GE5_dest_ACCEPT
- [0:0] -A zone_GE5_src_REJECT -i eth4 -m comment --comment "!fw3" -j reject
- [0:0] -A zone_GE6_dest_ACCEPT -o eth5 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
- [0:0] -A zone_GE6_dest_ACCEPT -o eth5 -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A zone_GE6_dest_REJECT -o eth5 -m comment --comment "!fw3" -j reject
- [0:0] -A zone_GE6_forward -m comment --comment "!fw3: Custom GE6 forwarding rule chain" -j forwarding_GE6_rule
- [0:0] -A zone_GE6_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
- [0:0] -A zone_GE6_forward -m comment --comment "!fw3" -j zone_GE6_dest_REJECT
- [0:0] -A zone_GE6_input -m comment --comment "!fw3: Custom GE6 input rule chain" -j input_GE6_rule
- [0:0] -A zone_GE6_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
- [0:0] -A zone_GE6_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
- [0:0] -A zone_GE6_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
- [0:0] -A zone_GE6_input -m comment --comment "!fw3" -j zone_GE6_src_REJECT
- [0:0] -A zone_GE6_output -m comment --comment "!fw3: Custom GE6 output rule chain" -j output_GE6_rule
- [0:0] -A zone_GE6_output -m comment --comment "!fw3" -j zone_GE6_dest_ACCEPT
- [0:0] -A zone_GE6_src_REJECT -i eth5 -m comment --comment "!fw3" -j reject
- [0:0] -A zone_GE7_dest_ACCEPT -o eth6 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
- [0:0] -A zone_GE7_dest_ACCEPT -o eth6 -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A zone_GE7_dest_REJECT -o eth6 -m comment --comment "!fw3" -j reject
- [0:0] -A zone_GE7_forward -m comment --comment "!fw3: Custom GE7 forwarding rule chain" -j forwarding_GE7_rule
- [0:0] -A zone_GE7_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
- [0:0] -A zone_GE7_forward -m comment --comment "!fw3" -j zone_GE7_dest_REJECT
- [0:0] -A zone_GE7_input -m comment --comment "!fw3: Custom GE7 input rule chain" -j input_GE7_rule
- [0:0] -A zone_GE7_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
- [0:0] -A zone_GE7_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
- [0:0] -A zone_GE7_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
- [0:0] -A zone_GE7_input -m comment --comment "!fw3" -j zone_GE7_src_REJECT
- [0:0] -A zone_GE7_output -m comment --comment "!fw3: Custom GE7 output rule chain" -j output_GE7_rule
- [0:0] -A zone_GE7_output -m comment --comment "!fw3" -j zone_GE7_dest_ACCEPT
- [0:0] -A zone_GE7_src_REJECT -i eth6 -m comment --comment "!fw3" -j reject
- [0:0] -A zone_GE8_dest_ACCEPT -o eth7 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
- [0:0] -A zone_GE8_dest_ACCEPT -o eth7 -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A zone_GE8_dest_REJECT -o eth7 -m comment --comment "!fw3" -j reject
- [0:0] -A zone_GE8_forward -m comment --comment "!fw3: Custom GE8 forwarding rule chain" -j forwarding_GE8_rule
- [0:0] -A zone_GE8_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
- [0:0] -A zone_GE8_forward -m comment --comment "!fw3" -j zone_GE8_dest_REJECT
- [0:0] -A zone_GE8_input -m comment --comment "!fw3: Custom GE8 input rule chain" -j input_GE8_rule
- [0:0] -A zone_GE8_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
- [0:0] -A zone_GE8_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
- [0:0] -A zone_GE8_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
- [0:0] -A zone_GE8_input -m comment --comment "!fw3" -j zone_GE8_src_REJECT
- [0:0] -A zone_GE8_output -m comment --comment "!fw3: Custom GE8 output rule chain" -j output_GE8_rule
- [0:0] -A zone_GE8_output -m comment --comment "!fw3" -j zone_GE8_dest_ACCEPT
- [0:0] -A zone_GE8_src_REJECT -i eth7 -m comment --comment "!fw3" -j reject
- [0:0] -A zone_network100_dest_ACCEPT -o br-network100 -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A zone_network100_dest_REJECT -o br-network100 -m comment --comment "!fw3" -j reject
- [0:0] -A zone_network100_forward -m comment --comment "!fw3: Zone network100 to GE3 forwarding policy" -j zone_GE3_dest_ACCEPT
- [0:0] -A zone_network100_forward -m comment --comment "!fw3: Zone network100 to GE4 forwarding policy" -j zone_GE4_dest_ACCEPT
- [0:0] -A zone_network100_forward -m comment --comment "!fw3: Zone network100 to GE5 forwarding policy" -j zone_GE5_dest_ACCEPT
- [0:0] -A zone_network100_forward -m comment --comment "!fw3: Zone network100 to GE6 forwarding policy" -j zone_GE6_dest_ACCEPT
- [0:0] -A zone_network100_forward -m comment --comment "!fw3: Zone network100 to GE7 forwarding policy" -j zone_GE7_dest_ACCEPT
- [0:0] -A zone_network100_forward -m comment --comment "!fw3: Zone network100 to GE8 forwarding policy" -j zone_GE8_dest_ACCEPT
- [0:0] -A zone_network100_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
- [0:0] -A zone_network100_forward -m comment --comment "!fw3" -j zone_network100_dest_REJECT
- [0:0] -A zone_network100_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: @rule[15]" -j ACCEPT
- [0:0] -A zone_network100_input -p udp -m udp --dport 53 -m comment --comment "!fw3: @rule[15]" -j ACCEPT
- [0:0] -A zone_network100_input -p udp -m udp --sport 67:68 --dport 67:68 -m comment --comment "!fw3: @rule[16]" -j ACCEPT
- [0:0] -A zone_network100_input -p tcp -m tcp --dport 2607 -m comment --comment "!fw3: @rule[17]" -j reject
- [0:0] -A zone_network100_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
- [0:0] -A zone_network100_input -m comment --comment "!fw3" -j zone_network100_src_ACCEPT
- [0:0] -A zone_network100_output -m comment --comment "!fw3" -j zone_network100_dest_ACCEPT
- [0:0] -A zone_network100_src_ACCEPT -i br-network100 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A zone_network101_dest_ACCEPT -o br-network101 -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A zone_network101_dest_REJECT -o br-network101 -m comment --comment "!fw3" -j reject
- [0:0] -A zone_network101_forward -m comment --comment "!fw3: Zone network101 to GE3 forwarding policy" -j zone_GE3_dest_ACCEPT
- [0:0] -A zone_network101_forward -m comment --comment "!fw3: Zone network101 to GE4 forwarding policy" -j zone_GE4_dest_ACCEPT
- [0:0] -A zone_network101_forward -m comment --comment "!fw3: Zone network101 to GE5 forwarding policy" -j zone_GE5_dest_ACCEPT
- [0:0] -A zone_network101_forward -m comment --comment "!fw3: Zone network101 to GE6 forwarding policy" -j zone_GE6_dest_ACCEPT
- [0:0] -A zone_network101_forward -m comment --comment "!fw3: Zone network101 to GE7 forwarding policy" -j zone_GE7_dest_ACCEPT
- [0:0] -A zone_network101_forward -m comment --comment "!fw3: Zone network101 to GE8 forwarding policy" -j zone_GE8_dest_ACCEPT
- [0:0] -A zone_network101_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
- [0:0] -A zone_network101_forward -m comment --comment "!fw3" -j zone_network101_dest_REJECT
- [0:0] -A zone_network101_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: @rule[18]" -j ACCEPT
- [0:0] -A zone_network101_input -p udp -m udp --dport 53 -m comment --comment "!fw3: @rule[18]" -j ACCEPT
- [0:0] -A zone_network101_input -p udp -m udp --sport 67:68 --dport 67:68 -m comment --comment "!fw3: @rule[19]" -j ACCEPT
- [0:0] -A zone_network101_input -p tcp -m tcp --dport 2607 -m comment --comment "!fw3: @rule[20]" -j reject
- [0:0] -A zone_network101_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
- [0:0] -A zone_network101_input -m comment --comment "!fw3" -j zone_network101_src_ACCEPT
- [0:0] -A zone_network101_output -m comment --comment "!fw3" -j zone_network101_dest_ACCEPT
- [0:0] -A zone_network101_src_ACCEPT -i br-network101 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A zone_network1_dest_ACCEPT -o br-network1 -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A zone_network1_dest_REJECT -o br-network1 -m comment --comment "!fw3" -j reject
- [0:0] -A zone_network1_forward -m comment --comment "!fw3: Custom network1 forwarding rule chain" -j forwarding_network1_rule
- [0:0] -A zone_network1_forward -m comment --comment "!fw3: Zone network1 to GE3 forwarding policy" -j zone_GE3_dest_ACCEPT
- [0:0] -A zone_network1_forward -m comment --comment "!fw3: Zone network1 to GE4 forwarding policy" -j zone_GE4_dest_ACCEPT
- [0:0] -A zone_network1_forward -m comment --comment "!fw3: Zone network1 to GE5 forwarding policy" -j zone_GE5_dest_ACCEPT
- [0:0] -A zone_network1_forward -m comment --comment "!fw3: Zone network1 to GE6 forwarding policy" -j zone_GE6_dest_ACCEPT
- [0:0] -A zone_network1_forward -m comment --comment "!fw3: Zone network1 to GE7 forwarding policy" -j zone_GE7_dest_ACCEPT
- [0:0] -A zone_network1_forward -m comment --comment "!fw3: Zone network1 to GE8 forwarding policy" -j zone_GE8_dest_ACCEPT
- [0:0] -A zone_network1_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
- [0:0] -A zone_network1_forward -m comment --comment "!fw3" -j zone_network1_dest_REJECT
- [0:0] -A zone_network1_input -m comment --comment "!fw3: Custom network1 input rule chain" -j input_network1_rule
- [0:0] -A zone_network1_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: @rule[12]" -j ACCEPT
- [0:0] -A zone_network1_input -p udp -m udp --dport 53 -m comment --comment "!fw3: @rule[12]" -j ACCEPT
- [0:0] -A zone_network1_input -p udp -m udp --sport 67:68 --dport 67:68 -m comment --comment "!fw3: @rule[13]" -j ACCEPT
- [0:0] -A zone_network1_input -p tcp -m tcp --dport 2607 -m comment --comment "!fw3: @rule[14]" -j reject
- [0:0] -A zone_network1_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
- [0:0] -A zone_network1_input -m comment --comment "!fw3" -j zone_network1_src_ACCEPT
- [0:0] -A zone_network1_output -m comment --comment "!fw3: Custom network1 output rule chain" -j output_network1_rule
- [0:0] -A zone_network1_output -m comment --comment "!fw3" -j zone_network1_dest_ACCEPT
- [0:0] -A zone_network1_src_ACCEPT -i br-network1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
- COMMIT
- # Completed on Tue Aug 25 09:22:41 2020
- # Generated by iptables-save v1.4.21 on Tue Aug 25 09:22:41 2020
- *nat
- :PREROUTING ACCEPT [170945:24378274]
- :INPUT ACCEPT [3:192]
- :OUTPUT ACCEPT [5333:320754]
- :POSTROUTING ACCEPT [5333:320754]
- :VCMP_DNAT_ACL - [0:0]
- :VCMP_SNAT_ACL - [0:0]
- :postrouting_GE3_rule - [0:0]
- :postrouting_GE4_rule - [0:0]
- :postrouting_GE5_rule - [0:0]
- :postrouting_GE6_rule - [0:0]
- :postrouting_GE7_rule - [0:0]
- :postrouting_GE8_rule - [0:0]
- :postrouting_network0_rule - [0:0]
- :postrouting_network1_rule - [0:0]
- :postrouting_rule - [0:0]
- :prerouting_GE3_rule - [0:0]
- :prerouting_GE4_rule - [0:0]
- :prerouting_GE5_rule - [0:0]
- :prerouting_GE6_rule - [0:0]
- :prerouting_GE7_rule - [0:0]
- :prerouting_GE8_rule - [0:0]
- :prerouting_network0_rule - [0:0]
- :prerouting_network1_rule - [0:0]
- :prerouting_rule - [0:0]
- :zone_GE3_postrouting - [0:0]
- :zone_GE3_prerouting - [0:0]
- :zone_GE4_postrouting - [0:0]
- :zone_GE4_prerouting - [0:0]
- :zone_GE5_postrouting - [0:0]
- :zone_GE5_prerouting - [0:0]
- :zone_GE6_postrouting - [0:0]
- :zone_GE6_prerouting - [0:0]
- :zone_GE7_postrouting - [0:0]
- :zone_GE7_prerouting - [0:0]
- :zone_GE8_postrouting - [0:0]
- :zone_GE8_prerouting - [0:0]
- :zone_network100_postrouting - [0:0]
- :zone_network100_prerouting - [0:0]
- :zone_network101_postrouting - [0:0]
- :zone_network101_prerouting - [0:0]
- :zone_network1_postrouting - [0:0]
- :zone_network1_prerouting - [0:0]
- [2770681:400137463] -A PREROUTING -j VCMP_DNAT_ACL
- [170945:24378274] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
- [156734:23313218] -A PREROUTING -i eth2 -m comment --comment "!fw3" -j zone_GE3_prerouting
- [14208:1064864] -A PREROUTING -i eth3 -m comment --comment "!fw3" -j zone_GE4_prerouting
- [0:0] -A PREROUTING -i eth4 -m comment --comment "!fw3" -j zone_GE5_prerouting
- [0:0] -A PREROUTING -i eth5 -m comment --comment "!fw3" -j zone_GE6_prerouting
- [0:0] -A PREROUTING -i eth6 -m comment --comment "!fw3" -j zone_GE7_prerouting
- [0:0] -A PREROUTING -i eth7 -m comment --comment "!fw3" -j zone_GE8_prerouting
- [3:192] -A PREROUTING -i br-network1 -m comment --comment "!fw3" -j zone_network1_prerouting
- [0:0] -A PREROUTING -i br-network100 -m comment --comment "!fw3" -j zone_network100_prerouting
- [0:0] -A PREROUTING -i br-network101 -m comment --comment "!fw3" -j zone_network101_prerouting
- [85521:5206872] -A POSTROUTING -j VCMP_SNAT_ACL
- [5333:320754] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
- [0:0] -A POSTROUTING -o eth2 -m comment --comment "!fw3" -j zone_GE3_postrouting
- [0:0] -A POSTROUTING -o eth3 -m comment --comment "!fw3" -j zone_GE4_postrouting
- [0:0] -A POSTROUTING -o eth4 -m comment --comment "!fw3" -j zone_GE5_postrouting
- [0:0] -A POSTROUTING -o eth5 -m comment --comment "!fw3" -j zone_GE6_postrouting
- [0:0] -A POSTROUTING -o eth6 -m comment --comment "!fw3" -j zone_GE7_postrouting
- [0:0] -A POSTROUTING -o eth7 -m comment --comment "!fw3" -j zone_GE8_postrouting
- [0:0] -A POSTROUTING -o br-network1 -m comment --comment "!fw3" -j zone_network1_postrouting
- [0:0] -A POSTROUTING -o br-network100 -m comment --comment "!fw3" -j zone_network100_postrouting
- [0:0] -A POSTROUTING -o br-network101 -m comment --comment "!fw3" -j zone_network101_postrouting
- [0:0] -A zone_GE3_postrouting -m comment --comment "!fw3: Custom GE3 postrouting rule chain" -j postrouting_GE3_rule
- [0:0] -A zone_GE3_postrouting -m comment --comment "!fw3" -j MASQUERADE
- [156734:23313218] -A zone_GE3_prerouting -m comment --comment "!fw3: Custom GE3 prerouting rule chain" -j prerouting_GE3_rule
- [0:0] -A zone_GE4_postrouting -m comment --comment "!fw3: Custom GE4 postrouting rule chain" -j postrouting_GE4_rule
- [0:0] -A zone_GE4_postrouting -m comment --comment "!fw3" -j MASQUERADE
- [14208:1064864] -A zone_GE4_prerouting -m comment --comment "!fw3: Custom GE4 prerouting rule chain" -j prerouting_GE4_rule
- [0:0] -A zone_GE5_postrouting -m comment --comment "!fw3: Custom GE5 postrouting rule chain" -j postrouting_GE5_rule
- [0:0] -A zone_GE5_postrouting -m comment --comment "!fw3" -j MASQUERADE
- [0:0] -A zone_GE5_prerouting -m comment --comment "!fw3: Custom GE5 prerouting rule chain" -j prerouting_GE5_rule
- [0:0] -A zone_GE6_postrouting -m comment --comment "!fw3: Custom GE6 postrouting rule chain" -j postrouting_GE6_rule
- [0:0] -A zone_GE6_postrouting -m comment --comment "!fw3" -j MASQUERADE
- [0:0] -A zone_GE6_prerouting -m comment --comment "!fw3: Custom GE6 prerouting rule chain" -j prerouting_GE6_rule
- [0:0] -A zone_GE7_postrouting -m comment --comment "!fw3: Custom GE7 postrouting rule chain" -j postrouting_GE7_rule
- [0:0] -A zone_GE7_postrouting -m comment --comment "!fw3" -j MASQUERADE
- [0:0] -A zone_GE7_prerouting -m comment --comment "!fw3: Custom GE7 prerouting rule chain" -j prerouting_GE7_rule
- [0:0] -A zone_GE8_postrouting -m comment --comment "!fw3: Custom GE8 postrouting rule chain" -j postrouting_GE8_rule
- [0:0] -A zone_GE8_postrouting -m comment --comment "!fw3" -j MASQUERADE
- [0:0] -A zone_GE8_prerouting -m comment --comment "!fw3: Custom GE8 prerouting rule chain" -j prerouting_GE8_rule
- [0:0] -A zone_network1_postrouting -m comment --comment "!fw3: Custom network1 postrouting rule chain" -j postrouting_network1_rule
- [3:192] -A zone_network1_prerouting -m comment --comment "!fw3: Custom network1 prerouting rule chain" -j prerouting_network1_rule
- COMMIT
- # Completed on Tue Aug 25 09:22:41 2020
- 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
- inet 127.0.0.1/8 scope host lo
- valid_lft forever preferred_lft forever
- 271: eth2@if272: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 10000 link-netnsid 0
- inet 169.254.9.2/29 brd 169.254.9.7 scope global eth2
- valid_lft forever preferred_lft forever
- 21: br-management: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
- inet 10.0.3.2/32 brd 255.255.255.255 scope global br-management
- valid_lft forever preferred_lft forever
- 22: br-network1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
- inet 10.0.3.1/24 brd 10.0.3.255 scope global br-network1
- valid_lft forever preferred_lft forever
- 23: br-network100: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
- inet 10.100.3.1/24 brd 10.100.3.255 scope global br-network100
- valid_lft forever preferred_lft forever
- 25: br-network101: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
- inet 10.101.3.1/24 brd 10.101.3.255 scope global br-network101
- valid_lft forever preferred_lft forever
- 27: br-segmgmt: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
- inet 169.254.3.1/32 brd 255.255.255.255 scope global br-segmgmt
- valid_lft forever preferred_lft forever
- inet 169.254.3.2/32 brd 255.255.255.255 scope global br-segmgmt
- valid_lft forever preferred_lft forever
- inet 169.254.3.3/32 brd 255.255.255.255 scope global br-segmgmt
- valid_lft forever preferred_lft forever
- 28: eth3.100@eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
- inet 172.17.3.2/29 brd 172.17.3.7 scope global eth3.100
- valid_lft forever preferred_lft forever
- 29: eth3.101@eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
- inet 172.18.3.2/29 brd 172.18.3.7 scope global eth3.101
- valid_lft forever preferred_lft forever
- 30: vce1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 4096
- inet 169.254.129.4 peer 169.254.129.1/32 scope global vce1
- valid_lft forever preferred_lft forever
- default dev vce1 table 200 scope link
- default via 169.254.9.1 dev eth2 table 210
- default dev br-network1 table 213 scope link
- default dev br-network100 table 214 scope link
- default dev br-network101 table 215 scope link
- default via 172.17.3.3 dev eth3.100 table 216
- 172.17.3.0/29 dev eth3.100 table 216 scope link
- default via 172.18.3.3 dev eth3.101 table 217
- 172.18.3.0/29 dev eth3.101 table 217 scope link
- default via 169.254.9.1 dev eth2 proto static metric 5
- 10.0.3.0/24 dev br-network1 proto kernel scope link src 10.0.3.1
- 10.100.3.0/24 dev br-network100 proto kernel scope link src 10.100.3.1
- 10.101.3.0/24 dev br-network101 proto kernel scope link src 10.101.3.1
- 169.254.9.0/29 dev eth2 proto kernel scope link src 169.254.9.2
- 169.254.129.1 dev vce1 proto kernel scope link src 169.254.129.4
- 172.17.3.0/29 dev eth3.100 proto kernel scope link src 172.17.3.2
- 172.18.3.0/29 dev eth3.101 proto kernel scope link src 172.18.3.2
- broadcast 10.0.3.0 dev br-network1 table local proto kernel scope link src 10.0.3.1
- local 10.0.3.1 dev br-network1 table local proto kernel scope host src 10.0.3.1
- local 10.0.3.2 dev br-management table local proto kernel scope host src 10.0.3.2
- broadcast 10.0.3.255 dev br-network1 table local proto kernel scope link src 10.0.3.1
- broadcast 10.100.3.0 dev br-network100 table local proto kernel scope link src 10.100.3.1
- local 10.100.3.1 dev br-network100 table local proto kernel scope host src 10.100.3.1
- broadcast 10.100.3.255 dev br-network100 table local proto kernel scope link src 10.100.3.1
- broadcast 10.101.3.0 dev br-network101 table local proto kernel scope link src 10.101.3.1
- local 10.101.3.1 dev br-network101 table local proto kernel scope host src 10.101.3.1
- broadcast 10.101.3.255 dev br-network101 table local proto kernel scope link src 10.101.3.1
- broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
- local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
- local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
- broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
- local 169.254.3.1 dev br-segmgmt table local proto kernel scope host src 169.254.3.1
- local 169.254.3.2 dev br-segmgmt table local proto kernel scope host src 169.254.3.2
- local 169.254.3.3 dev br-segmgmt table local proto kernel scope host src 169.254.3.3
- broadcast 169.254.9.0 dev eth2 table local proto kernel scope link src 169.254.9.2
- local 169.254.9.2 dev eth2 table local proto kernel scope host src 169.254.9.2
- broadcast 169.254.9.7 dev eth2 table local proto kernel scope link src 169.254.9.2
- local 169.254.129.4 dev vce1 table local proto kernel scope host src 169.254.129.4
- broadcast 172.17.3.0 dev eth3.100 table local proto kernel scope link src 172.17.3.2
- local 172.17.3.2 dev eth3.100 table local proto kernel scope host src 172.17.3.2
- broadcast 172.17.3.7 dev eth3.100 table local proto kernel scope link src 172.17.3.2
- broadcast 172.18.3.0 dev eth3.101 table local proto kernel scope link src 172.18.3.2
- local 172.18.3.2 dev eth3.101 table local proto kernel scope host src 172.18.3.2
- broadcast 172.18.3.7 dev eth3.101 table local proto kernel scope link src 172.18.3.2
- 0: from all lookup local
- 32755: from all fwmark 0xc8 lookup 200
- 32756: from all fwmark 0xd7 lookup 215
- 32757: from all fwmark 0xd6 lookup 214
- 32758: from all fwmark 0xd5 lookup 213
- 32760: from all fwmark 0xd9 lookup 217
- 32761: from all fwmark 0xd8 lookup 216
- 32762: from all fwmark 0xd3 lookup 211
- 32763: from all fwmark 0xd2 lookup 210
- 32766: from all lookup main
- 32767: from all lookup default
- edge:b3-edge1:~#