Last active
December 15, 2015 05:29
-
-
Save lorin/5209761 to your computer and use it in GitHub Desktop.
iptables-save output on cloud controller (using no-op firewall)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Generated by iptables-save v1.4.12 on Tue Apr 2 17:30:26 2013 | |
| *mangle | |
| :PREROUTING ACCEPT [112473:568900113] | |
| :INPUT ACCEPT [111832:568845149] | |
| :FORWARD ACCEPT [641:54964] | |
| :OUTPUT ACCEPT [97053:983035383] | |
| :POSTROUTING ACCEPT [97694:983090347] | |
| -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill | |
| -A POSTROUTING -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill | |
| COMMIT | |
| # Completed on Tue Apr 2 17:30:26 2013 | |
| # Generated by iptables-save v1.4.12 on Tue Apr 2 17:30:26 2013 | |
| *nat | |
| :PREROUTING ACCEPT [634:115814] | |
| :INPUT ACCEPT [560:100103] | |
| :OUTPUT ACCEPT [614:43550] | |
| :POSTROUTING ACCEPT [603:39926] | |
| :nova-api-OUTPUT - [0:0] | |
| :nova-api-POSTROUTING - [0:0] | |
| :nova-api-PREROUTING - [0:0] | |
| :nova-api-float-snat - [0:0] | |
| :nova-api-snat - [0:0] | |
| :nova-network-OUTPUT - [0:0] | |
| :nova-network-POSTROUTING - [0:0] | |
| :nova-network-PREROUTING - [0:0] | |
| :nova-network-float-snat - [0:0] | |
| :nova-network-snat - [0:0] | |
| :nova-postrouting-bottom - [0:0] | |
| -A PREROUTING -j nova-network-PREROUTING | |
| -A PREROUTING -j nova-api-PREROUTING | |
| -A OUTPUT -j nova-network-OUTPUT | |
| -A OUTPUT -j nova-api-OUTPUT | |
| -A POSTROUTING -j nova-network-POSTROUTING | |
| -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535 | |
| -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535 | |
| -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE | |
| -A POSTROUTING -j nova-api-POSTROUTING | |
| -A POSTROUTING -j nova-postrouting-bottom | |
| -A nova-api-snat -j nova-api-float-snat | |
| -A nova-network-OUTPUT -d 10.20.0.3/32 -j DNAT --to-destination 10.40.0.2 | |
| -A nova-network-OUTPUT -d 10.20.0.4/32 -j DNAT --to-destination 10.40.0.3 | |
| -A nova-network-OUTPUT -d 10.20.0.5/32 -j DNAT --to-destination 10.40.0.4 | |
| -A nova-network-POSTROUTING -s 10.40.0.0/16 -d 10.30.0.131/32 -j ACCEPT | |
| -A nova-network-POSTROUTING -s 10.40.0.0/16 -d 10.40.0.0/16 -m conntrack ! --ctstate DNAT -j ACCEPT | |
| -A nova-network-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.30.0.131:8775 | |
| -A nova-network-PREROUTING -d 10.20.0.3/32 -j DNAT --to-destination 10.40.0.2 | |
| -A nova-network-PREROUTING -d 10.20.0.4/32 -j DNAT --to-destination 10.40.0.3 | |
| -A nova-network-PREROUTING -d 10.20.0.5/32 -j DNAT --to-destination 10.40.0.4 | |
| -A nova-network-float-snat -s 10.40.0.2/32 -o eth3 -j SNAT --to-source 10.20.0.3 | |
| -A nova-network-float-snat -s 10.40.0.3/32 -o eth3 -j SNAT --to-source 10.20.0.4 | |
| -A nova-network-float-snat -s 10.40.0.4/32 -o eth3 -j SNAT --to-source 10.20.0.5 | |
| -A nova-network-snat -j nova-network-float-snat | |
| -A nova-network-snat -s 10.40.0.0/16 -o eth3 -j SNAT --to-source 10.30.0.131 | |
| -A nova-postrouting-bottom -j nova-network-snat | |
| -A nova-postrouting-bottom -j nova-api-snat | |
| COMMIT | |
| # Completed on Tue Apr 2 17:30:26 2013 | |
| # Generated by iptables-save v1.4.12 on Tue Apr 2 17:30:26 2013 | |
| *filter | |
| :INPUT ACCEPT [584276:1129698292] | |
| :FORWARD ACCEPT [0:0] | |
| :OUTPUT ACCEPT [478136:1144508197] | |
| :nova-api-FORWARD - [0:0] | |
| :nova-api-INPUT - [0:0] | |
| :nova-api-OUTPUT - [0:0] | |
| :nova-api-local - [0:0] | |
| :nova-filter-top - [0:0] | |
| :nova-network-FORWARD - [0:0] | |
| :nova-network-INPUT - [0:0] | |
| :nova-network-OUTPUT - [0:0] | |
| :nova-network-local - [0:0] | |
| -A INPUT -j nova-network-INPUT | |
| -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT | |
| -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT | |
| -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT | |
| -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT | |
| -A INPUT -j nova-api-INPUT | |
| -A FORWARD -j nova-filter-top | |
| -A FORWARD -j nova-network-FORWARD | |
| -A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT | |
| -A FORWARD -i virbr0 -o virbr0 -j ACCEPT | |
| -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable | |
| -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable | |
| -A FORWARD -j nova-api-FORWARD | |
| -A OUTPUT -j nova-filter-top | |
| -A OUTPUT -j nova-network-OUTPUT | |
| -A OUTPUT -j nova-api-OUTPUT | |
| -A nova-api-INPUT -d 10.30.0.131/32 -p tcp -m tcp --dport 8775 -j ACCEPT | |
| -A nova-filter-top -j nova-network-local | |
| -A nova-filter-top -j nova-api-local | |
| -A nova-network-FORWARD -i br100 -j ACCEPT | |
| -A nova-network-FORWARD -o br100 -j ACCEPT | |
| -A nova-network-INPUT -i br100 -p udp -m udp --dport 67 -j ACCEPT | |
| -A nova-network-INPUT -i br100 -p tcp -m tcp --dport 67 -j ACCEPT | |
| -A nova-network-INPUT -i br100 -p udp -m udp --dport 53 -j ACCEPT | |
| -A nova-network-INPUT -i br100 -p tcp -m tcp --dport 53 -j ACCEPT | |
| COMMIT | |
| # Completed on Tue Apr 2 17:30:26 2013 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment