Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- root@pve01:~# pve-firewall compile
- ipset cmdlist:
- create PVEFW-0-management-v4 (IhYp62jU7XtKvLTE7SZci/oDVPk)
- create PVEFW-0-management-v4 hash:net family inet hashsize 64 maxelem 64 bucketsize 12
- add PVEFW-0-management-v4 192.168.10.0/24
- add PVEFW-0-management-v4 192.168.10.13
- add PVEFW-0-management-v4 192.168.10.14
- add PVEFW-0-management-v4 192.168.10.15
- add PVEFW-0-management-v4 192.168.10.8
- create PVEFW-0-management-v6 (6g+lzHFoCegXcweHRfBY4vRsbOc)
- create PVEFW-0-management-v6 hash:net family inet6 hashsize 64 maxelem 64 bucketsize 12
- iptables cmdlist:
- create PVEFW-Drop (83WlR/a4wLbmURFqMQT3uJSgIG8)
- -A PVEFW-Drop -j PVEFW-DropBroadcast
- -A PVEFW-Drop -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
- -A PVEFW-Drop -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
- -A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
- -A PVEFW-Drop -p udp --match multiport --dports 135,445 -j DROP
- -A PVEFW-Drop -p udp --dport 137:139 -j DROP
- -A PVEFW-Drop -p udp --sport 137 --dport 1024:65535 -j DROP
- -A PVEFW-Drop -p tcp --match multiport --dports 135,139,445 -j DROP
- -A PVEFW-Drop -p udp --dport 1900 -j DROP
- -A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
- -A PVEFW-Drop -p udp --sport 53 -j DROP
- create PVEFW-DropBroadcast (NyjHNAtFbkH7WGLamPpdVnxHy4w)
- -A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
- -A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
- -A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
- -A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
- create PVEFW-FORWARD (qnNexOcGa+y+jebd4dAUqFSp5nw)
- -A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
- -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN
- -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT
- create PVEFW-FWBR-IN (Ijl7/xz0DD7LF91MlLCz0ybZBE0)
- -A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
- create PVEFW-FWBR-OUT (2jmj7l5rSw0yVb/vlWAYkK/YBwk)
- create PVEFW-HOST-IN (ng3GppdCTE8qPyYYn4W21MM+Cg0)
- -A PVEFW-HOST-IN -i lo -j ACCEPT
- -A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
- -A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
- -A PVEFW-HOST-IN -p igmp -j RETURN
- -A PVEFW-HOST-IN -i vmbr10 -s 192.168.10.0/24 -d 192.168.10.0/24 -p tcp --dport 3551 -j RETURN
- -A PVEFW-HOST-IN -s 192.168.70.0/24 -d 192.168.70.0/24 -p tcp --dport 6800:7300 -j RETURN
- -A PVEFW-HOST-IN -d 192.168.80.128/25 -p udp --dport 5405:5406 -j RETURN
- -A PVEFW-HOST-IN -d 192.168.80.0/25 -p udp --dport 5405:5406 -j RETURN
- -A PVEFW-HOST-IN -d 192.168.10.0/24 -p tcp --dport 6789 -j RETURN
- -A PVEFW-HOST-IN -d 192.168.10.0/24 -p tcp --dport 3300 -j RETURN
- -A PVEFW-HOST-IN -d 192.168.10.0/24 -p tcp --dport 6800:7300 -j RETURN
- -A PVEFW-HOST-IN -d 192.168.70.0/24 -p tcp --dport 8006 -j PVEFW-reject
- -A PVEFW-HOST-IN -d 192.168.80.128/25 -p tcp --dport 8006 -j PVEFW-reject
- -A PVEFW-HOST-IN -d 192.168.80.0/25 -p tcp --dport 8006 -j PVEFW-reject
- -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 8006 -j RETURN
- -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 5900:5999 -j RETURN
- -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 3128 -j RETURN
- -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 22 -j RETURN
- -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 60000:60050 -j RETURN
- -A PVEFW-HOST-IN -d 192.168.80.101 -s 192.168.80.111 -p udp --dport 5404:5405 -j RETURN
- -A PVEFW-HOST-IN -d 192.168.80.201 -s 192.168.80.211 -p udp --dport 5404:5405 -j RETURN
- -A PVEFW-HOST-IN -d 192.168.80.101 -s 192.168.80.112 -p udp --dport 5404:5405 -j RETURN
- -A PVEFW-HOST-IN -d 192.168.80.201 -s 192.168.80.212 -p udp --dport 5404:5405 -j RETURN
- -A PVEFW-HOST-IN -d 192.168.80.101 -s 192.168.80.113 -p udp --dport 5404:5405 -j RETURN
- -A PVEFW-HOST-IN -d 192.168.80.201 -s 192.168.80.213 -p udp --dport 5404:5405 -j RETURN
- -A PVEFW-HOST-IN -d 192.168.80.101 -s 192.168.80.102 -p udp --dport 5404:5405 -j RETURN
- -A PVEFW-HOST-IN -d 192.168.80.201 -s 192.168.80.202 -p udp --dport 5404:5405 -j RETURN
- -A PVEFW-HOST-IN -d 192.168.80.101 -s 192.168.80.103 -p udp --dport 5404:5405 -j RETURN
- -A PVEFW-HOST-IN -d 192.168.80.201 -s 192.168.80.203 -p udp --dport 5404:5405 -j RETURN
- -A PVEFW-HOST-IN -j PVEFW-Drop
- -A PVEFW-HOST-IN -m limit --limit 1/sec -j NFLOG --nflog-prefix ":0:6:PVEFW-HOST-IN: policy DROP: "
- -A PVEFW-HOST-IN -j DROP
- create PVEFW-HOST-OUT (OzXkW+FRpC/Q9gHuEexitHeoYlI)
- -A PVEFW-HOST-OUT -o lo -j ACCEPT
- -A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
- -A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A PVEFW-HOST-OUT -p igmp -j RETURN
- -A PVEFW-HOST-OUT -d 192.168.10.0/24 -p tcp --dport 8006 -j RETURN
- -A PVEFW-HOST-OUT -d 192.168.10.0/24 -p tcp --dport 22 -j RETURN
- -A PVEFW-HOST-OUT -d 192.168.10.0/24 -p tcp --dport 5900:5999 -j RETURN
- -A PVEFW-HOST-OUT -d 192.168.10.0/24 -p tcp --dport 3128 -j RETURN
- -A PVEFW-HOST-OUT -s 192.168.80.101 -d 192.168.80.111 -p udp --dport 5404:5405 -j RETURN
- -A PVEFW-HOST-OUT -s 192.168.80.201 -d 192.168.80.211 -p udp --dport 5404:5405 -j RETURN
- -A PVEFW-HOST-OUT -s 192.168.80.101 -d 192.168.80.112 -p udp --dport 5404:5405 -j RETURN
- -A PVEFW-HOST-OUT -s 192.168.80.201 -d 192.168.80.212 -p udp --dport 5404:5405 -j RETURN
- -A PVEFW-HOST-OUT -s 192.168.80.101 -d 192.168.80.113 -p udp --dport 5404:5405 -j RETURN
- -A PVEFW-HOST-OUT -s 192.168.80.201 -d 192.168.80.213 -p udp --dport 5404:5405 -j RETURN
- -A PVEFW-HOST-OUT -s 192.168.80.101 -d 192.168.80.102 -p udp --dport 5404:5405 -j RETURN
- -A PVEFW-HOST-OUT -s 192.168.80.201 -d 192.168.80.202 -p udp --dport 5404:5405 -j RETURN
- -A PVEFW-HOST-OUT -s 192.168.80.101 -d 192.168.80.103 -p udp --dport 5404:5405 -j RETURN
- -A PVEFW-HOST-OUT -s 192.168.80.201 -d 192.168.80.203 -p udp --dport 5404:5405 -j RETURN
- -A PVEFW-HOST-OUT -j RETURN
- create PVEFW-INPUT (+5iMmLaxKXynOB/+5xibfx7WhFk)
- -A PVEFW-INPUT -j PVEFW-HOST-IN
- create PVEFW-OUTPUT (LjHoZeSSiWAG3+2ZAyL/xuEehd0)
- -A PVEFW-OUTPUT -j PVEFW-HOST-OUT
- create PVEFW-Reject (h3DyALVslgH5hutETfixGP08w7c)
- -A PVEFW-Reject -j PVEFW-DropBroadcast
- -A PVEFW-Reject -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
- -A PVEFW-Reject -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
- -A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
- -A PVEFW-Reject -p udp --match multiport --dports 135,445 -j PVEFW-reject
- -A PVEFW-Reject -p udp --dport 137:139 -j PVEFW-reject
- -A PVEFW-Reject -p udp --sport 137 --dport 1024:65535 -j PVEFW-reject
- -A PVEFW-Reject -p tcp --match multiport --dports 135,139,445 -j PVEFW-reject
- -A PVEFW-Reject -p udp --dport 1900 -j DROP
- -A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
- -A PVEFW-Reject -p udp --sport 53 -j DROP
- create PVEFW-SET-ACCEPT-MARK (Hg/OIgIwJChBUcWU8Xnjhdd2jUY)
- -A PVEFW-SET-ACCEPT-MARK -j MARK --set-mark 0x80000000/0x80000000
- create PVEFW-logflags (MN4PH1oPZeABMuWr64RrygPfW7A)
- -A PVEFW-logflags -j DROP
- create PVEFW-reject (Jlkrtle1mDdtxDeI9QaDSL++Npc)
- -A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
- -A PVEFW-reject -s 224.0.0.0/4 -j DROP
- -A PVEFW-reject -p icmp -j DROP
- -A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
- -A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
- -A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
- -A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
- create PVEFW-smurflog (2gfT1VMkfr0JL6OccRXTGXo+1qk)
- -A PVEFW-smurflog -j DROP
- create PVEFW-smurfs (HssVe5QCBXd5mc9kC88749+7fag)
- -A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
- -A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
- -A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
- create PVEFW-tcpflags (CMFojwNPqllyqD67NeI5m+bP5mo)
- -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
- -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
- -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
- -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
- -A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
- ip6tables cmdlist:
- create PVEFW-Drop (Jb79Uw7z1vZglIcV7QXA5uY/nbk)
- -A PVEFW-Drop -p tcp --dport 43 -j PVEFW-reject
- -A PVEFW-Drop -j PVEFW-DropBroadcast
- -A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
- -A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type time-exceeded -j ACCEPT
- -A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type packet-too-big -j ACCEPT
- -A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
- -A PVEFW-Drop -p udp --match multiport --dports 135,445 -j DROP
- -A PVEFW-Drop -p udp --dport 137:139 -j DROP
- -A PVEFW-Drop -p udp --sport 137 --dport 1024:65535 -j DROP
- -A PVEFW-Drop -p tcp --match multiport --dports 135,139,445 -j DROP
- -A PVEFW-Drop -p udp --dport 1900 -j DROP
- -A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
- -A PVEFW-Drop -p udp --sport 53 -j DROP
- create PVEFW-DropBroadcast (8Krk5Nh8pDZOOc7BQAbM6PlyFSU)
- -A PVEFW-DropBroadcast -d ff00::/8 -j DROP
- create PVEFW-FORWARD (qnNexOcGa+y+jebd4dAUqFSp5nw)
- -A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
- -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN
- -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT
- create PVEFW-FWBR-IN (2jmj7l5rSw0yVb/vlWAYkK/YBwk)
- create PVEFW-FWBR-OUT (2jmj7l5rSw0yVb/vlWAYkK/YBwk)
- create PVEFW-HOST-IN (G5RxcxJzHl8SHdIJWqqdR+ZyBgA)
- -A PVEFW-HOST-IN -i lo -j ACCEPT
- -A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
- -A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A PVEFW-HOST-IN -p icmpv6 --icmpv6-type router-solicitation -j RETURN
- -A PVEFW-HOST-IN -p icmpv6 --icmpv6-type router-advertisement -j RETURN
- -A PVEFW-HOST-IN -p icmpv6 --icmpv6-type neighbor-solicitation -j RETURN
- -A PVEFW-HOST-IN -p icmpv6 --icmpv6-type neighbor-advertisement -j RETURN
- -A PVEFW-HOST-IN -p igmp -j RETURN
- -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 8006 -j RETURN
- -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 5900:5999 -j RETURN
- -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 3128 -j RETURN
- -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 22 -j RETURN
- -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 60000:60050 -j RETURN
- -A PVEFW-HOST-IN -j PVEFW-Drop
- -A PVEFW-HOST-IN -m limit --limit 1/sec -j NFLOG --nflog-prefix ":0:6:PVEFW-HOST-IN: policy DROP: "
- -A PVEFW-HOST-IN -j DROP
- create PVEFW-HOST-OUT (br2bPbA9ZjuHOMNhV8tfLRw1mAs)
- -A PVEFW-HOST-OUT -o lo -j ACCEPT
- -A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
- -A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A PVEFW-HOST-OUT -p icmpv6 --icmpv6-type router-solicitation -j RETURN
- -A PVEFW-HOST-OUT -p icmpv6 --icmpv6-type neighbor-solicitation -j RETURN
- -A PVEFW-HOST-OUT -p icmpv6 --icmpv6-type neighbor-advertisement -j RETURN
- -A PVEFW-HOST-OUT -p igmp -j RETURN
- -A PVEFW-HOST-OUT -j RETURN
- create PVEFW-INPUT (+5iMmLaxKXynOB/+5xibfx7WhFk)
- -A PVEFW-INPUT -j PVEFW-HOST-IN
- create PVEFW-OUTPUT (LjHoZeSSiWAG3+2ZAyL/xuEehd0)
- -A PVEFW-OUTPUT -j PVEFW-HOST-OUT
- create PVEFW-Reject (aL1nrxJk/u3XmTb3Am2eaM/3yCM)
- -A PVEFW-Reject -p tcp --dport 43 -j PVEFW-reject
- -A PVEFW-Reject -j PVEFW-DropBroadcast
- -A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
- -A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type time-exceeded -j ACCEPT
- -A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type packet-too-big -j ACCEPT
- -A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
- -A PVEFW-Reject -p udp --match multiport --dports 135,445 -j PVEFW-reject
- -A PVEFW-Reject -p udp --dport 137:139 -j PVEFW-reject
- -A PVEFW-Reject -p udp --sport 137 --dport 1024:65535 -j PVEFW-reject
- -A PVEFW-Reject -p tcp --match multiport --dports 135,139,445 -j PVEFW-reject
- -A PVEFW-Reject -p udp --dport 1900 -j DROP
- -A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
- -A PVEFW-Reject -p udp --sport 53 -j DROP
- create PVEFW-SET-ACCEPT-MARK (Hg/OIgIwJChBUcWU8Xnjhdd2jUY)
- -A PVEFW-SET-ACCEPT-MARK -j MARK --set-mark 0x80000000/0x80000000
- create PVEFW-logflags (MN4PH1oPZeABMuWr64RrygPfW7A)
- -A PVEFW-logflags -j DROP
- create PVEFW-reject (etEECUYcgUdzuuO+LDP83pu0S8Y)
- -A PVEFW-reject -p icmpv6 -j DROP
- -A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
- -A PVEFW-reject -p udp -j REJECT --reject-with icmp6-port-unreachable
- -A PVEFW-reject -j REJECT --reject-with icmp6-adm-prohibited
- create PVEFW-tcpflags (CMFojwNPqllyqD67NeI5m+bP5mo)
- -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
- -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
- -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
- -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
- -A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
- ebtables cmdlist:
- create PVEFW-FORWARD (ULtZ6lqjrD/jAKLY+OZo3BbXs9k)
- -A PVEFW-FORWARD -p IPv4 -j ACCEPT
- -A PVEFW-FORWARD -p IPv6 -j ACCEPT
- -A PVEFW-FORWARD -o fwln+ -j PVEFW-FWBR-OUT
- create PVEFW-FWBR-OUT (2jmj7l5rSw0yVb/vlWAYkK/YBwk)
- ignore FORWARD (2jmj7l5rSw0yVb/vlWAYkK/YBwk)
- ignore INPUT (2jmj7l5rSw0yVb/vlWAYkK/YBwk)
- ignore OUTPUT (2jmj7l5rSw0yVb/vlWAYkK/YBwk)
- iptables table raw cmdlist:
- ip6tables table raw cmdlist:
- detected changes
- root@pve01:~#
- root@pve01:~#
- root@pve01:~# iptables-save
- # Generated by iptables-save v1.8.7 on Thu Dec 30 06:40:01 2021
- *raw
- :PREROUTING ACCEPT [277743187:890399602266]
- :OUTPUT ACCEPT [256870320:2937334564111]
- COMMIT
- # Completed on Thu Dec 30 06:40:01 2021
- # Generated by iptables-save v1.8.7 on Thu Dec 30 06:40:01 2021
- *filter
- :INPUT ACCEPT [199699699:696413386993]
- :FORWARD ACCEPT [25311923:82313462272]
- :OUTPUT ACCEPT [200515979:1920220680332]
- COMMIT
- # Completed on Thu Dec 30 06:40:01 2021
- root@pve01:~#
- root@pve01:~#
- root@pve01:~# pve-firewall localnet
- local hostname: pve01
- local IP address: 192.168.10.3
- network auto detect: 192.168.10.0/24
- using detected local_network: 192.168.10.0/24
- accepting corosync traffic from/to:
- - mon01: 192.168.80.111 (link: 0)
- - mon01: 192.168.80.211 (link: 1)
- - mon02: 192.168.80.112 (link: 0)
- - mon02: 192.168.80.212 (link: 1)
- - mon03: 192.168.80.113 (link: 0)
- - mon03: 192.168.80.213 (link: 1)
- - pve02: 192.168.80.102 (link: 0)
- - pve02: 192.168.80.202 (link: 1)
- - pve03: 192.168.80.103 (link: 0)
- - pve03: 192.168.80.203 (link: 1)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement