1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61
|
#iptables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY/* accept rule -- dir out */
DROP all -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02/* drop rule -- dir out */
REJECT all -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02/* reject rule -- dir out */ reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL/* accept rule -- dir in */
DROP all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21/* drop rule -- dir in */
REJECT all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21/* reject rule -- dir in */ reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* accept rule -- dir inout */
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* drop rule -- dir inout */
REJECT all -- 0.0.0.0/0 0.0.0.0/0 /* reject rule -- dir inout */ reject-with icmp-port-unreachable
#iptables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
ACCEPT all -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED ctdir ORIGINAL/* accept rule -- dir out */
DROP all -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02/* drop rule -- dir out */
REJECT all -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02/* reject rule -- dir out */ reject-with icmp-port-unreachable
ACCEPT all -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY/* accept rule -- dir in */
DROP all -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21/* drop rule -- dir in */
REJECT all -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21/* reject rule -- dir in */ reject-with icmp-port-unreachable
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* accept rule -- dir inout */
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* drop rule -- dir inout */
REJECT all -- 0.0.0.0/0 0.0.0.0/0 /* reject rule -- dir inout */ reject-with icmp-port-unreachable
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY/* accept rule -- dir out */
DROP all -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02/* drop rule -- dir out */
REJECT all -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02/* reject rule -- dir out */ reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL/* accept rule -- dir in */
DROP all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21/* drop rule -- dir in */
REJECT all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21/* reject rule -- dir in */ reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* accept rule -- dir inout */
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* drop rule -- dir inout */
REJECT all -- 0.0.0.0/0 0.0.0.0/0 /* reject rule -- dir inout */ reject-with icmp-port-unreachable
#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
#iptables -L libvirt-in-post -n | grep vnet0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
#iptables -L FORWARD --line-number | grep libvirt
1 libvirt-in all -- anywhere anywhere
2 libvirt-out all -- anywhere anywhere
3 libvirt-in-post all -- anywhere anywhere
#ebtables -t nat -L PREROUTING | grep vnet0 | grep -v "^Bridge" | grep -v "^$"
-i vnet0 -j libvirt-I-vnet0
#ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep -v "^$"
-o vnet0 -j libvirt-O-vnet0
#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$"
-p ARP -s 1:2:3:4:5:6 -j ACCEPT
-p ARP -s 1:2:3:4:5:6 -j DROP
-p ARP -s 1:2:3:4:5:6 -j DROP
#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
-p IPv4 -d aa:bb:cc:dd:ee:ff -j ACCEPT
-p IPv4 -d aa:bb:cc:dd:ee:ff -j DROP
-p IPv4 -d aa:bb:cc:dd:ee:ff -j DROP
|