Created
June 15, 2025 15:54
-
-
Save schuerg/1b9fbd5bc09a0b20ffa975fe00c60fed to your computer and use it in GitHub Desktop.
ruleset.nft
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| table ip nat { | |
| chain DOCKER { | |
| iifname "docker0" counter packets 0 bytes 0 return | |
| } | |
| chain PREROUTING { | |
| type nat hook prerouting priority dstnat; policy accept; | |
| fib daddr type local counter packets 170 bytes 31777 jump DOCKER | |
| } | |
| chain OUTPUT { | |
| type nat hook output priority dstnat; policy accept; | |
| ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER | |
| } | |
| chain POSTROUTING { | |
| type nat hook postrouting priority srcnat; policy accept; | |
| ip saddr 172.17.0.0/16 oifname != "docker0" counter packets 0 bytes 0 masquerade | |
| ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 1 bytes 67 masquerade | |
| } | |
| } | |
| table ip filter { | |
| chain DOCKER { | |
| iifname != "docker0" oifname "docker0" counter packets 0 bytes 0 drop | |
| } | |
| chain DOCKER-FORWARD { | |
| counter packets 0 bytes 0 jump DOCKER-CT | |
| counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1 | |
| counter packets 0 bytes 0 jump DOCKER-BRIDGE | |
| iifname "docker0" counter packets 0 bytes 0 accept | |
| } | |
| chain DOCKER-BRIDGE { | |
| oifname "docker0" counter packets 0 bytes 0 jump DOCKER | |
| } | |
| chain DOCKER-CT { | |
| oifname "docker0" ct state related,established counter packets 0 bytes 0 accept | |
| } | |
| chain DOCKER-ISOLATION-STAGE-1 { | |
| iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2 | |
| } | |
| chain DOCKER-ISOLATION-STAGE-2 { | |
| oifname "docker0" counter packets 0 bytes 0 drop | |
| } | |
| chain FORWARD { | |
| type filter hook forward priority filter; policy drop; | |
| counter packets 0 bytes 0 jump DOCKER-USER | |
| counter packets 0 bytes 0 jump DOCKER-FORWARD | |
| } | |
| chain DOCKER-USER { | |
| } | |
| } | |
| table ip6 nat { | |
| chain DOCKER { | |
| } | |
| chain PREROUTING { | |
| type nat hook prerouting priority dstnat; policy accept; | |
| fib daddr type local counter packets 0 bytes 0 jump DOCKER | |
| } | |
| chain OUTPUT { | |
| type nat hook output priority dstnat; policy accept; | |
| ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump DOCKER | |
| } | |
| } | |
| table ip6 filter { | |
| chain DOCKER { | |
| } | |
| chain DOCKER-FORWARD { | |
| counter packets 0 bytes 0 jump DOCKER-CT | |
| counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1 | |
| counter packets 0 bytes 0 jump DOCKER-BRIDGE | |
| } | |
| chain DOCKER-BRIDGE { | |
| } | |
| chain DOCKER-CT { | |
| } | |
| chain DOCKER-ISOLATION-STAGE-1 { | |
| } | |
| chain DOCKER-ISOLATION-STAGE-2 { | |
| } | |
| chain FORWARD { | |
| type filter hook forward priority filter; policy accept; | |
| counter packets 0 bytes 0 jump DOCKER-USER | |
| counter packets 0 bytes 0 jump DOCKER-FORWARD | |
| } | |
| chain DOCKER-USER { | |
| } | |
| } | |
| table ip libvirt_network { | |
| chain forward { | |
| type filter hook forward priority filter; policy accept; | |
| counter packets 1731 bytes 107548 jump guest_cross | |
| counter packets 1731 bytes 107548 jump guest_input | |
| counter packets 1731 bytes 107548 jump guest_output | |
| } | |
| chain guest_output { | |
| ip saddr 192.168.122.0/24 iif "virbr0" counter packets 0 bytes 0 accept | |
| iif "virbr0" counter packets 0 bytes 0 reject | |
| } | |
| chain guest_input { | |
| oif "virbr0" ip daddr 192.168.122.0/24 ct state established,related counter packets 0 bytes 0 accept | |
| oif "virbr0" counter packets 0 bytes 0 reject | |
| } | |
| chain guest_cross { | |
| iif "virbr0" oif "virbr0" counter packets 0 bytes 0 accept | |
| } | |
| chain guest_nat { | |
| type nat hook postrouting priority srcnat; policy accept; | |
| ip saddr 192.168.122.0/24 ip daddr 224.0.0.0/24 counter packets 0 bytes 0 return | |
| ip saddr 192.168.122.0/24 ip daddr 255.255.255.255 counter packets 0 bytes 0 return | |
| meta l4proto tcp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade to :1024-65535 | |
| meta l4proto udp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade to :1024-65535 | |
| ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade | |
| } | |
| } | |
| table ip6 libvirt_network { | |
| chain forward { | |
| type filter hook forward priority filter; policy accept; | |
| counter packets 0 bytes 0 jump guest_cross | |
| counter packets 0 bytes 0 jump guest_input | |
| counter packets 0 bytes 0 jump guest_output | |
| } | |
| chain guest_output { | |
| } | |
| chain guest_input { | |
| } | |
| chain guest_cross { | |
| } | |
| chain guest_nat { | |
| type nat hook postrouting priority srcnat; policy accept; | |
| } | |
| } | |
| table inet firewalld { | |
| ct helper helper-netbios-ns-udp { | |
| type "netbios-ns" protocol udp | |
| l3proto ip | |
| } | |
| ct helper helper-tftp-udp { | |
| type "tftp" protocol udp | |
| l3proto inet | |
| } | |
| chain mangle_PREROUTING { | |
| type filter hook prerouting priority mangle + 10; policy accept; | |
| jump mangle_PREROUTING_POLICIES | |
| } | |
| chain mangle_PREROUTING_POLICIES { | |
| iifname "wlp0s20f3" jump mangle_PRE_policy_allow-host-ipv6 | |
| iifname "wlp0s20f3" jump mangle_PRE_FedoraWorkstation | |
| iifname "wlp0s20f3" return | |
| iifname "docker0" jump mangle_PRE_policy_allow-host-ipv6 | |
| iifname "docker0" jump mangle_PRE_docker | |
| iifname "docker0" return | |
| iifname "virbr0" jump mangle_PRE_policy_allow-host-ipv6 | |
| iifname "virbr0" jump mangle_PRE_libvirt | |
| iifname "virbr0" return | |
| jump mangle_PRE_policy_allow-host-ipv6 | |
| jump mangle_PRE_FedoraWorkstation | |
| return | |
| } | |
| chain nat_PREROUTING { | |
| type nat hook prerouting priority dstnat + 10; policy accept; | |
| jump nat_PREROUTING_POLICIES | |
| } | |
| chain nat_PREROUTING_POLICIES { | |
| iifname "wlp0s20f3" jump nat_PRE_policy_allow-host-ipv6 | |
| iifname "wlp0s20f3" jump nat_PRE_FedoraWorkstation | |
| iifname "wlp0s20f3" return | |
| iifname "docker0" jump nat_PRE_policy_allow-host-ipv6 | |
| iifname "docker0" jump nat_PRE_docker | |
| iifname "docker0" return | |
| iifname "virbr0" jump nat_PRE_policy_allow-host-ipv6 | |
| iifname "virbr0" jump nat_PRE_libvirt | |
| iifname "virbr0" return | |
| jump nat_PRE_policy_allow-host-ipv6 | |
| jump nat_PRE_FedoraWorkstation | |
| return | |
| } | |
| chain nat_POSTROUTING { | |
| type nat hook postrouting priority srcnat + 10; policy accept; | |
| jump nat_POSTROUTING_POLICIES | |
| } | |
| chain nat_POSTROUTING_POLICIES { | |
| iifname "wlp0s20f3" oifname "wlp0s20f3" jump nat_POST_FedoraWorkstation | |
| iifname "wlp0s20f3" oifname "wlp0s20f3" return | |
| iifname "docker0" oifname "wlp0s20f3" jump nat_POST_FedoraWorkstation | |
| iifname "docker0" oifname "wlp0s20f3" return | |
| iifname "virbr0" oifname "wlp0s20f3" jump nat_POST_FedoraWorkstation | |
| iifname "virbr0" oifname "wlp0s20f3" return | |
| oifname "wlp0s20f3" jump nat_POST_FedoraWorkstation | |
| oifname "wlp0s20f3" return | |
| iifname "wlp0s20f3" oifname "docker0" jump nat_POST_policy_docker-forwarding | |
| iifname "wlp0s20f3" oifname "docker0" jump nat_POST_docker | |
| iifname "wlp0s20f3" oifname "docker0" return | |
| iifname "docker0" oifname "docker0" jump nat_POST_policy_docker-forwarding | |
| iifname "docker0" oifname "docker0" jump nat_POST_docker | |
| iifname "docker0" oifname "docker0" return | |
| iifname "virbr0" oifname "docker0" jump nat_POST_policy_docker-forwarding | |
| iifname "virbr0" oifname "docker0" jump nat_POST_docker | |
| iifname "virbr0" oifname "docker0" return | |
| oifname "docker0" jump nat_POST_policy_docker-forwarding | |
| oifname "docker0" jump nat_POST_docker | |
| oifname "docker0" return | |
| iifname "wlp0s20f3" oifname "virbr0" jump nat_POST_libvirt | |
| iifname "wlp0s20f3" oifname "virbr0" return | |
| iifname "docker0" oifname "virbr0" jump nat_POST_libvirt | |
| iifname "docker0" oifname "virbr0" return | |
| iifname "virbr0" oifname "virbr0" jump nat_POST_libvirt | |
| iifname "virbr0" oifname "virbr0" return | |
| oifname "virbr0" jump nat_POST_libvirt | |
| oifname "virbr0" return | |
| iifname "wlp0s20f3" jump nat_POST_FedoraWorkstation | |
| iifname "wlp0s20f3" return | |
| iifname "docker0" jump nat_POST_FedoraWorkstation | |
| iifname "docker0" return | |
| iifname "virbr0" jump nat_POST_FedoraWorkstation | |
| iifname "virbr0" return | |
| jump nat_POST_FedoraWorkstation | |
| return | |
| } | |
| chain nat_OUTPUT { | |
| type nat hook output priority dstnat + 10; policy accept; | |
| jump nat_OUTPUT_POLICIES | |
| } | |
| chain nat_OUTPUT_POLICIES { | |
| oifname "wlp0s20f3" jump nat_OUT_FedoraWorkstation | |
| oifname "wlp0s20f3" return | |
| oifname "docker0" jump nat_OUT_docker | |
| oifname "docker0" return | |
| oifname "virbr0" jump nat_OUT_libvirt | |
| oifname "virbr0" return | |
| jump nat_OUT_FedoraWorkstation | |
| return | |
| } | |
| chain filter_PREROUTING { | |
| type filter hook prerouting priority filter + 10; policy accept; | |
| icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept | |
| meta nfproto ipv6 fib saddr . mark . iif oif missing drop | |
| } | |
| chain filter_INPUT { | |
| type filter hook input priority filter + 10; policy accept; | |
| ct state { established, related } accept | |
| ct status dnat accept | |
| iifname "lo" accept | |
| ct state invalid drop | |
| jump filter_INPUT_POLICIES | |
| reject with icmpx admin-prohibited | |
| } | |
| chain filter_FORWARD { | |
| type filter hook forward priority filter + 10; policy accept; | |
| ct state { established, related } accept | |
| ct status dnat accept | |
| iifname "lo" accept | |
| ct state invalid drop | |
| ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable | |
| jump filter_FORWARD_POLICIES | |
| reject with icmpx admin-prohibited | |
| } | |
| chain filter_OUTPUT { | |
| type filter hook output priority filter + 10; policy accept; | |
| ct state { established, related } accept | |
| oifname "lo" accept | |
| ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable | |
| jump filter_OUTPUT_POLICIES | |
| } | |
| chain filter_INPUT_POLICIES { | |
| iifname "wlp0s20f3" jump filter_IN_policy_allow-host-ipv6 | |
| iifname "wlp0s20f3" jump filter_IN_FedoraWorkstation | |
| iifname "wlp0s20f3" reject with icmpx admin-prohibited | |
| iifname "docker0" jump filter_IN_policy_allow-host-ipv6 | |
| iifname "docker0" jump filter_IN_docker | |
| iifname "docker0" accept | |
| iifname "virbr0" jump filter_IN_policy_allow-host-ipv6 | |
| iifname "virbr0" jump filter_IN_libvirt | |
| iifname "virbr0" accept | |
| jump filter_IN_policy_allow-host-ipv6 | |
| jump filter_IN_FedoraWorkstation | |
| reject with icmpx admin-prohibited | |
| } | |
| chain filter_FORWARD_POLICIES { | |
| iifname "wlp0s20f3" oifname "wlp0s20f3" jump filter_FWD_FedoraWorkstation | |
| iifname "wlp0s20f3" oifname "wlp0s20f3" reject with icmpx admin-prohibited | |
| iifname "wlp0s20f3" oifname "docker0" jump filter_FWD_policy_docker-forwarding | |
| iifname "wlp0s20f3" oifname "docker0" jump filter_FWD_FedoraWorkstation | |
| iifname "wlp0s20f3" oifname "docker0" reject with icmpx admin-prohibited | |
| iifname "wlp0s20f3" oifname "virbr0" jump filter_FWD_FedoraWorkstation | |
| iifname "wlp0s20f3" oifname "virbr0" reject with icmpx admin-prohibited | |
| iifname "wlp0s20f3" jump filter_FWD_FedoraWorkstation | |
| iifname "wlp0s20f3" reject with icmpx admin-prohibited | |
| iifname "docker0" oifname "wlp0s20f3" jump filter_FWD_docker | |
| iifname "docker0" oifname "wlp0s20f3" accept | |
| iifname "docker0" oifname "docker0" jump filter_FWD_policy_docker-forwarding | |
| iifname "docker0" oifname "docker0" jump filter_FWD_docker | |
| iifname "docker0" oifname "docker0" accept | |
| iifname "docker0" oifname "virbr0" jump filter_FWD_docker | |
| iifname "docker0" oifname "virbr0" accept | |
| iifname "docker0" jump filter_FWD_docker | |
| iifname "docker0" accept | |
| iifname "virbr0" oifname "wlp0s20f3" jump filter_FWD_libvirt | |
| iifname "virbr0" oifname "wlp0s20f3" accept | |
| iifname "virbr0" oifname "docker0" jump filter_FWD_policy_docker-forwarding | |
| iifname "virbr0" oifname "docker0" jump filter_FWD_libvirt | |
| iifname "virbr0" oifname "docker0" accept | |
| iifname "virbr0" oifname "virbr0" jump filter_FWD_libvirt | |
| iifname "virbr0" oifname "virbr0" accept | |
| iifname "virbr0" jump filter_FWD_libvirt | |
| iifname "virbr0" accept | |
| oifname "wlp0s20f3" jump filter_FWD_FedoraWorkstation | |
| oifname "wlp0s20f3" reject with icmpx admin-prohibited | |
| oifname "docker0" jump filter_FWD_policy_docker-forwarding | |
| oifname "docker0" jump filter_FWD_FedoraWorkstation | |
| oifname "docker0" reject with icmpx admin-prohibited | |
| oifname "virbr0" jump filter_FWD_FedoraWorkstation | |
| oifname "virbr0" reject with icmpx admin-prohibited | |
| jump filter_FWD_FedoraWorkstation | |
| reject with icmpx admin-prohibited | |
| } | |
| chain filter_OUTPUT_POLICIES { | |
| oifname "wlp0s20f3" jump filter_OUT_FedoraWorkstation | |
| oifname "wlp0s20f3" return | |
| oifname "docker0" jump filter_OUT_docker | |
| oifname "docker0" return | |
| oifname "virbr0" jump filter_OUT_libvirt | |
| oifname "virbr0" return | |
| jump filter_OUT_FedoraWorkstation | |
| return | |
| } | |
| chain filter_IN_FedoraWorkstation { | |
| jump filter_IN_FedoraWorkstation_pre | |
| jump filter_IN_FedoraWorkstation_log | |
| jump filter_IN_FedoraWorkstation_deny | |
| jump filter_IN_FedoraWorkstation_allow | |
| jump filter_IN_FedoraWorkstation_post | |
| meta l4proto { icmp, ipv6-icmp } accept | |
| } | |
| chain filter_IN_FedoraWorkstation_pre { | |
| } | |
| chain filter_IN_FedoraWorkstation_log { | |
| } | |
| chain filter_IN_FedoraWorkstation_deny { | |
| } | |
| chain filter_IN_FedoraWorkstation_allow { | |
| ip6 daddr fe80::/64 udp dport 546 accept | |
| tcp dport 22 accept | |
| udp dport 137 ct helper set "helper-netbios-ns-udp" | |
| udp dport 137 accept | |
| udp dport 138 accept | |
| ip daddr 224.0.0.251 udp dport 5353 accept | |
| ip6 daddr ff02::fb udp dport 5353 accept | |
| udp dport 1025-65535 accept | |
| tcp dport 1025-65535 accept | |
| } | |
| chain filter_IN_FedoraWorkstation_post { | |
| } | |
| chain filter_OUT_FedoraWorkstation { | |
| jump filter_OUT_FedoraWorkstation_pre | |
| jump filter_OUT_FedoraWorkstation_log | |
| jump filter_OUT_FedoraWorkstation_deny | |
| jump filter_OUT_FedoraWorkstation_allow | |
| jump filter_OUT_FedoraWorkstation_post | |
| } | |
| chain filter_OUT_FedoraWorkstation_pre { | |
| } | |
| chain filter_OUT_FedoraWorkstation_log { | |
| } | |
| chain filter_OUT_FedoraWorkstation_deny { | |
| } | |
| chain filter_OUT_FedoraWorkstation_allow { | |
| } | |
| chain filter_OUT_FedoraWorkstation_post { | |
| } | |
| chain nat_OUT_FedoraWorkstation { | |
| jump nat_OUT_FedoraWorkstation_pre | |
| jump nat_OUT_FedoraWorkstation_log | |
| jump nat_OUT_FedoraWorkstation_deny | |
| jump nat_OUT_FedoraWorkstation_allow | |
| jump nat_OUT_FedoraWorkstation_post | |
| } | |
| chain nat_OUT_FedoraWorkstation_pre { | |
| } | |
| chain nat_OUT_FedoraWorkstation_log { | |
| } | |
| chain nat_OUT_FedoraWorkstation_deny { | |
| } | |
| chain nat_OUT_FedoraWorkstation_allow { | |
| } | |
| chain nat_OUT_FedoraWorkstation_post { | |
| } | |
| chain nat_POST_FedoraWorkstation { | |
| jump nat_POST_FedoraWorkstation_pre | |
| jump nat_POST_FedoraWorkstation_log | |
| jump nat_POST_FedoraWorkstation_deny | |
| jump nat_POST_FedoraWorkstation_allow | |
| jump nat_POST_FedoraWorkstation_post | |
| } | |
| chain nat_POST_FedoraWorkstation_pre { | |
| } | |
| chain nat_POST_FedoraWorkstation_log { | |
| } | |
| chain nat_POST_FedoraWorkstation_deny { | |
| } | |
| chain nat_POST_FedoraWorkstation_allow { | |
| } | |
| chain nat_POST_FedoraWorkstation_post { | |
| } | |
| chain filter_FWD_FedoraWorkstation { | |
| jump filter_FWD_FedoraWorkstation_pre | |
| jump filter_FWD_FedoraWorkstation_log | |
| jump filter_FWD_FedoraWorkstation_deny | |
| jump filter_FWD_FedoraWorkstation_allow | |
| jump filter_FWD_FedoraWorkstation_post | |
| } | |
| chain filter_FWD_FedoraWorkstation_pre { | |
| } | |
| chain filter_FWD_FedoraWorkstation_log { | |
| } | |
| chain filter_FWD_FedoraWorkstation_deny { | |
| } | |
| chain filter_FWD_FedoraWorkstation_allow { | |
| oifname "wlp0s20f3" accept | |
| } | |
| chain filter_FWD_FedoraWorkstation_post { | |
| } | |
| chain nat_PRE_FedoraWorkstation { | |
| jump nat_PRE_FedoraWorkstation_pre | |
| jump nat_PRE_FedoraWorkstation_log | |
| jump nat_PRE_FedoraWorkstation_deny | |
| jump nat_PRE_FedoraWorkstation_allow | |
| jump nat_PRE_FedoraWorkstation_post | |
| } | |
| chain nat_PRE_FedoraWorkstation_pre { | |
| } | |
| chain nat_PRE_FedoraWorkstation_log { | |
| } | |
| chain nat_PRE_FedoraWorkstation_deny { | |
| } | |
| chain nat_PRE_FedoraWorkstation_allow { | |
| } | |
| chain nat_PRE_FedoraWorkstation_post { | |
| } | |
| chain mangle_PRE_FedoraWorkstation { | |
| jump mangle_PRE_FedoraWorkstation_pre | |
| jump mangle_PRE_FedoraWorkstation_log | |
| jump mangle_PRE_FedoraWorkstation_deny | |
| jump mangle_PRE_FedoraWorkstation_allow | |
| jump mangle_PRE_FedoraWorkstation_post | |
| } | |
| chain mangle_PRE_FedoraWorkstation_pre { | |
| } | |
| chain mangle_PRE_FedoraWorkstation_log { | |
| } | |
| chain mangle_PRE_FedoraWorkstation_deny { | |
| } | |
| chain mangle_PRE_FedoraWorkstation_allow { | |
| } | |
| chain mangle_PRE_FedoraWorkstation_post { | |
| } | |
| chain filter_IN_policy_allow-host-ipv6 { | |
| jump filter_IN_policy_allow-host-ipv6_pre | |
| jump filter_IN_policy_allow-host-ipv6_log | |
| jump filter_IN_policy_allow-host-ipv6_deny | |
| jump filter_IN_policy_allow-host-ipv6_allow | |
| jump filter_IN_policy_allow-host-ipv6_post | |
| } | |
| chain filter_IN_policy_allow-host-ipv6_pre { | |
| } | |
| chain filter_IN_policy_allow-host-ipv6_log { | |
| } | |
| chain filter_IN_policy_allow-host-ipv6_deny { | |
| } | |
| chain filter_IN_policy_allow-host-ipv6_allow { | |
| icmpv6 type nd-neighbor-advert accept | |
| icmpv6 type nd-neighbor-solicit accept | |
| icmpv6 type nd-router-advert accept | |
| icmpv6 type nd-redirect accept | |
| } | |
| chain filter_IN_policy_allow-host-ipv6_post { | |
| } | |
| chain nat_PRE_policy_allow-host-ipv6 { | |
| jump nat_PRE_policy_allow-host-ipv6_pre | |
| jump nat_PRE_policy_allow-host-ipv6_log | |
| jump nat_PRE_policy_allow-host-ipv6_deny | |
| jump nat_PRE_policy_allow-host-ipv6_allow | |
| jump nat_PRE_policy_allow-host-ipv6_post | |
| } | |
| chain nat_PRE_policy_allow-host-ipv6_pre { | |
| } | |
| chain nat_PRE_policy_allow-host-ipv6_log { | |
| } | |
| chain nat_PRE_policy_allow-host-ipv6_deny { | |
| } | |
| chain nat_PRE_policy_allow-host-ipv6_allow { | |
| } | |
| chain nat_PRE_policy_allow-host-ipv6_post { | |
| } | |
| chain mangle_PRE_policy_allow-host-ipv6 { | |
| jump mangle_PRE_policy_allow-host-ipv6_pre | |
| jump mangle_PRE_policy_allow-host-ipv6_log | |
| jump mangle_PRE_policy_allow-host-ipv6_deny | |
| jump mangle_PRE_policy_allow-host-ipv6_allow | |
| jump mangle_PRE_policy_allow-host-ipv6_post | |
| } | |
| chain mangle_PRE_policy_allow-host-ipv6_pre { | |
| } | |
| chain mangle_PRE_policy_allow-host-ipv6_log { | |
| } | |
| chain mangle_PRE_policy_allow-host-ipv6_deny { | |
| } | |
| chain mangle_PRE_policy_allow-host-ipv6_allow { | |
| } | |
| chain mangle_PRE_policy_allow-host-ipv6_post { | |
| } | |
| chain filter_IN_libvirt { | |
| jump filter_IN_libvirt_pre | |
| jump filter_IN_libvirt_log | |
| jump filter_IN_libvirt_deny | |
| jump filter_IN_libvirt_allow | |
| jump filter_IN_libvirt_post | |
| } | |
| chain filter_IN_libvirt_pre { | |
| } | |
| chain filter_IN_libvirt_log { | |
| } | |
| chain filter_IN_libvirt_deny { | |
| } | |
| chain filter_IN_libvirt_allow { | |
| udp dport 67 accept | |
| udp dport 547 accept | |
| tcp dport 53 accept | |
| udp dport 53 accept | |
| tcp dport 22 accept | |
| udp dport 69 ct helper set "helper-tftp-udp" | |
| udp dport 69 accept | |
| meta l4proto icmp accept | |
| meta l4proto ipv6-icmp accept | |
| } | |
| chain filter_IN_libvirt_post { | |
| reject | |
| } | |
| chain filter_OUT_libvirt { | |
| jump filter_OUT_libvirt_pre | |
| jump filter_OUT_libvirt_log | |
| jump filter_OUT_libvirt_deny | |
| jump filter_OUT_libvirt_allow | |
| jump filter_OUT_libvirt_post | |
| } | |
| chain filter_OUT_libvirt_pre { | |
| } | |
| chain filter_OUT_libvirt_log { | |
| } | |
| chain filter_OUT_libvirt_deny { | |
| } | |
| chain filter_OUT_libvirt_allow { | |
| } | |
| chain filter_OUT_libvirt_post { | |
| } | |
| chain nat_OUT_libvirt { | |
| jump nat_OUT_libvirt_pre | |
| jump nat_OUT_libvirt_log | |
| jump nat_OUT_libvirt_deny | |
| jump nat_OUT_libvirt_allow | |
| jump nat_OUT_libvirt_post | |
| } | |
| chain nat_OUT_libvirt_pre { | |
| } | |
| chain nat_OUT_libvirt_log { | |
| } | |
| chain nat_OUT_libvirt_deny { | |
| } | |
| chain nat_OUT_libvirt_allow { | |
| } | |
| chain nat_OUT_libvirt_post { | |
| } | |
| chain nat_POST_libvirt { | |
| jump nat_POST_libvirt_pre | |
| jump nat_POST_libvirt_log | |
| jump nat_POST_libvirt_deny | |
| jump nat_POST_libvirt_allow | |
| jump nat_POST_libvirt_post | |
| } | |
| chain nat_POST_libvirt_pre { | |
| } | |
| chain nat_POST_libvirt_log { | |
| } | |
| chain nat_POST_libvirt_deny { | |
| } | |
| chain nat_POST_libvirt_allow { | |
| meta nfproto ipv4 oifname != "lo" masquerade | |
| } | |
| chain nat_POST_libvirt_post { | |
| } | |
| chain filter_FWD_libvirt { | |
| jump filter_FWD_libvirt_pre | |
| jump filter_FWD_libvirt_log | |
| jump filter_FWD_libvirt_deny | |
| jump filter_FWD_libvirt_allow | |
| jump filter_FWD_libvirt_post | |
| } | |
| chain filter_FWD_libvirt_pre { | |
| } | |
| chain filter_FWD_libvirt_log { | |
| } | |
| chain filter_FWD_libvirt_deny { | |
| } | |
| chain filter_FWD_libvirt_allow { | |
| oifname "virbr0" accept | |
| } | |
| chain filter_FWD_libvirt_post { | |
| } | |
| chain nat_PRE_libvirt { | |
| jump nat_PRE_libvirt_pre | |
| jump nat_PRE_libvirt_log | |
| jump nat_PRE_libvirt_deny | |
| jump nat_PRE_libvirt_allow | |
| jump nat_PRE_libvirt_post | |
| } | |
| chain nat_PRE_libvirt_pre { | |
| } | |
| chain nat_PRE_libvirt_log { | |
| } | |
| chain nat_PRE_libvirt_deny { | |
| } | |
| chain nat_PRE_libvirt_allow { | |
| } | |
| chain nat_PRE_libvirt_post { | |
| } | |
| chain mangle_PRE_libvirt { | |
| jump mangle_PRE_libvirt_pre | |
| jump mangle_PRE_libvirt_log | |
| jump mangle_PRE_libvirt_deny | |
| jump mangle_PRE_libvirt_allow | |
| jump mangle_PRE_libvirt_post | |
| } | |
| chain mangle_PRE_libvirt_pre { | |
| } | |
| chain mangle_PRE_libvirt_log { | |
| } | |
| chain mangle_PRE_libvirt_deny { | |
| } | |
| chain mangle_PRE_libvirt_allow { | |
| } | |
| chain mangle_PRE_libvirt_post { | |
| } | |
| chain filter_IN_docker { | |
| jump filter_IN_docker_pre | |
| jump filter_IN_docker_log | |
| jump filter_IN_docker_deny | |
| jump filter_IN_docker_allow | |
| jump filter_IN_docker_post | |
| } | |
| chain filter_IN_docker_pre { | |
| } | |
| chain filter_IN_docker_log { | |
| } | |
| chain filter_IN_docker_deny { | |
| } | |
| chain filter_IN_docker_allow { | |
| } | |
| chain filter_IN_docker_post { | |
| } | |
| chain filter_OUT_docker { | |
| jump filter_OUT_docker_pre | |
| jump filter_OUT_docker_log | |
| jump filter_OUT_docker_deny | |
| jump filter_OUT_docker_allow | |
| jump filter_OUT_docker_post | |
| } | |
| chain filter_OUT_docker_pre { | |
| } | |
| chain filter_OUT_docker_log { | |
| } | |
| chain filter_OUT_docker_deny { | |
| } | |
| chain filter_OUT_docker_allow { | |
| } | |
| chain filter_OUT_docker_post { | |
| } | |
| chain nat_OUT_docker { | |
| jump nat_OUT_docker_pre | |
| jump nat_OUT_docker_log | |
| jump nat_OUT_docker_deny | |
| jump nat_OUT_docker_allow | |
| jump nat_OUT_docker_post | |
| } | |
| chain nat_OUT_docker_pre { | |
| } | |
| chain nat_OUT_docker_log { | |
| } | |
| chain nat_OUT_docker_deny { | |
| } | |
| chain nat_OUT_docker_allow { | |
| } | |
| chain nat_OUT_docker_post { | |
| } | |
| chain nat_POST_docker { | |
| jump nat_POST_docker_pre | |
| jump nat_POST_docker_log | |
| jump nat_POST_docker_deny | |
| jump nat_POST_docker_allow | |
| jump nat_POST_docker_post | |
| } | |
| chain nat_POST_docker_pre { | |
| } | |
| chain nat_POST_docker_log { | |
| } | |
| chain nat_POST_docker_deny { | |
| } | |
| chain nat_POST_docker_allow { | |
| } | |
| chain nat_POST_docker_post { | |
| } | |
| chain filter_FWD_docker { | |
| jump filter_FWD_docker_pre | |
| jump filter_FWD_docker_log | |
| jump filter_FWD_docker_deny | |
| jump filter_FWD_docker_allow | |
| jump filter_FWD_docker_post | |
| } | |
| chain filter_FWD_docker_pre { | |
| } | |
| chain filter_FWD_docker_log { | |
| } | |
| chain filter_FWD_docker_deny { | |
| } | |
| chain filter_FWD_docker_allow { | |
| oifname "docker0" accept | |
| } | |
| chain filter_FWD_docker_post { | |
| } | |
| chain nat_PRE_docker { | |
| jump nat_PRE_docker_pre | |
| jump nat_PRE_docker_log | |
| jump nat_PRE_docker_deny | |
| jump nat_PRE_docker_allow | |
| jump nat_PRE_docker_post | |
| } | |
| chain nat_PRE_docker_pre { | |
| } | |
| chain nat_PRE_docker_log { | |
| } | |
| chain nat_PRE_docker_deny { | |
| } | |
| chain nat_PRE_docker_allow { | |
| } | |
| chain nat_PRE_docker_post { | |
| } | |
| chain mangle_PRE_docker { | |
| jump mangle_PRE_docker_pre | |
| jump mangle_PRE_docker_log | |
| jump mangle_PRE_docker_deny | |
| jump mangle_PRE_docker_allow | |
| jump mangle_PRE_docker_post | |
| } | |
| chain mangle_PRE_docker_pre { | |
| } | |
| chain mangle_PRE_docker_log { | |
| } | |
| chain mangle_PRE_docker_deny { | |
| } | |
| chain mangle_PRE_docker_allow { | |
| } | |
| chain mangle_PRE_docker_post { | |
| } | |
| chain filter_FWD_policy_docker-forwarding { | |
| jump filter_FWD_policy_docker-forwarding_pre | |
| jump filter_FWD_policy_docker-forwarding_log | |
| jump filter_FWD_policy_docker-forwarding_deny | |
| jump filter_FWD_policy_docker-forwarding_allow | |
| jump filter_FWD_policy_docker-forwarding_post | |
| accept | |
| } | |
| chain filter_FWD_policy_docker-forwarding_pre { | |
| } | |
| chain filter_FWD_policy_docker-forwarding_log { | |
| } | |
| chain filter_FWD_policy_docker-forwarding_deny { | |
| } | |
| chain filter_FWD_policy_docker-forwarding_allow { | |
| } | |
| chain filter_FWD_policy_docker-forwarding_post { | |
| } | |
| chain nat_POST_policy_docker-forwarding { | |
| jump nat_POST_policy_docker-forwarding_pre | |
| jump nat_POST_policy_docker-forwarding_log | |
| jump nat_POST_policy_docker-forwarding_deny | |
| jump nat_POST_policy_docker-forwarding_allow | |
| jump nat_POST_policy_docker-forwarding_post | |
| } | |
| chain nat_POST_policy_docker-forwarding_pre { | |
| } | |
| chain nat_POST_policy_docker-forwarding_log { | |
| } | |
| chain nat_POST_policy_docker-forwarding_deny { | |
| } | |
| chain nat_POST_policy_docker-forwarding_allow { | |
| } | |
| chain nat_POST_policy_docker-forwarding_post { | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment