# Snapshot of `nft list ruleset` on a host where three rule managers coexist:
# firewalld (table inet firewalld) plus the iptables-nft compatibility tables
# installed by libvirt (LIBVIRT_* chains) and Docker (DOCKER* chains).
# Each table hooks the same netfilter stages, so a packet must survive EVERY
# base chain it passes: an accept verdict only ends the current table's
# evaluation, while drop/reject in any table is final. firewalld's chains run
# at priority "filter + 10", i.e. after the legacy ip/ip6 filter tables.
# NOTE(review): these rules are (re)generated by their owning daemons; editing
# this dump does not persist. Change firewalld zones, the libvirt network
# definition or Docker's daemon config instead.
table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
		# libvirt only adds allow rules here; the host's real inbound policy is
		# enforced afterwards by inet firewalld filter_INPUT.
		counter packets 16076 bytes 5942948 jump LIBVIRT_INP
	}
	chain OUTPUT {
		type filter hook output priority filter; policy accept;
		counter packets 14529 bytes 1273317 jump LIBVIRT_OUT
	}
	chain FORWARD {
		type filter hook forward priority filter; policy drop;
		# Docker's hook points come first. DOCKER-USER is empty, so nothing is
		# filtered ahead of Docker's own rules.
		counter packets 0 bytes 0 jump DOCKER-USER
		counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
		oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
		# The DOCKER chain is empty (no published ports), so unsolicited traffic
		# towards docker0 falls through to this chain's drop policy.
		oifname "docker0" counter packets 0 bytes 0 jump DOCKER
		# Container egress (container -> any non-docker0 interface) is allowed.
		iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
		iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
		counter packets 0 bytes 0 jump LIBVIRT_FWX
		counter packets 0 bytes 0 jump LIBVIRT_FWI
		counter packets 0 bytes 0 jump LIBVIRT_FWO
	}
	chain LIBVIRT_INP {
		# Host-side DNS (53) and DHCP server (67) for guests on virbr0.
		iifname "virbr0" meta l4proto udp udp dport 53 counter packets 0 bytes 0 accept
		iifname "virbr0" meta l4proto tcp tcp dport 53 counter packets 0 bytes 0 accept
		iifname "virbr0" meta l4proto udp udp dport 67 counter packets 0 bytes 0 accept
		iifname "virbr0" meta l4proto tcp tcp dport 67 counter packets 0 bytes 0 accept
	}
	chain LIBVIRT_OUT {
		# Host -> guest DNS replies and DHCP client port (68).
		oifname "virbr0" meta l4proto udp udp dport 53 counter packets 0 bytes 0 accept
		oifname "virbr0" meta l4proto tcp tcp dport 53 counter packets 0 bytes 0 accept
		oifname "virbr0" meta l4proto udp udp dport 68 counter packets 0 bytes 0 accept
		oifname "virbr0" meta l4proto tcp tcp dport 68 counter packets 0 bytes 0 accept
	}
	chain LIBVIRT_FWO {
		# Guest egress anti-spoofing: only the libvirt subnet may leave via virbr0.
		iifname "virbr0" ip saddr 192.168.122.0/24 counter packets 0 bytes 0 accept
		iifname "virbr0" counter packets 0 bytes 0 reject
	}
	chain LIBVIRT_FWI {
		# Guests are NATed clients only: inbound to virbr0 must be a reply.
		oifname "virbr0" ip daddr 192.168.122.0/24 ct state related,established counter packets 0 bytes 0 accept
		oifname "virbr0" counter packets 0 bytes 0 reject
	}
	chain LIBVIRT_FWX {
		# Guest-to-guest traffic on the same bridge.
		iifname "virbr0" oifname "virbr0" counter packets 0 bytes 0 accept
	}
	chain DOCKER {
		# Empty: no container ports are published in this snapshot.
	}
	chain DOCKER-ISOLATION-STAGE-1 {
		# Inter-bridge isolation. With a single bridge this is a no-op: STAGE-1
		# is entered only when oifname != "docker0", and STAGE-2 drops only when
		# oifname == "docker0".
		iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
		counter packets 0 bytes 0 return
	}
	chain DOCKER-ISOLATION-STAGE-2 {
		oifname "docker0" counter packets 0 bytes 0 drop
		counter packets 0 bytes 0 return
	}
	chain DOCKER-USER {
		# Operator hook: rules placed here run before any Docker rule. Empty.
		counter packets 0 bytes 0 return
	}
}
table ip6 filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
		counter packets 151 bytes 43679 jump LIBVIRT_INP
	}
	chain OUTPUT {
		type filter hook output priority filter; policy accept;
		counter packets 94 bytes 11025 jump LIBVIRT_OUT
	}
	chain FORWARD {
		# Drop policy with only empty libvirt chains: no IPv6 is forwarded at
		# all (Docker installs no ip6 rules here either).
		type filter hook forward priority filter; policy drop;
		counter packets 0 bytes 0 jump LIBVIRT_FWX
		counter packets 0 bytes 0 jump LIBVIRT_FWI
		counter packets 0 bytes 0 jump LIBVIRT_FWO
	}
	chain LIBVIRT_INP {
	}
	chain LIBVIRT_OUT {
	}
	chain LIBVIRT_FWO {
	}
	chain LIBVIRT_FWI {
	}
	chain LIBVIRT_FWX {
	}
}
table inet firewalld {
	# Conntrack helper referenced by the libvirt zone's TFTP rule. Helpers
	# create "related" expectations from packet payload; keep them scoped to
	# the interfaces that need them.
	ct helper helper-tftp-udp {
		type "tftp" protocol udp
		l3proto inet
	}
	# Zone dispatch is by ingress interface: docker0 -> docker zone,
	# virbr0 -> libvirt zone, everything else -> public (the default zone).
	chain mangle_PREROUTING {
		type filter hook prerouting priority mangle + 10; policy accept;
		jump mangle_PREROUTING_ZONES
	}
	chain mangle_PREROUTING_POLICIES_pre {
		jump mangle_PRE_policy_allow-host-ipv6
	}
	chain mangle_PREROUTING_ZONES {
		iifname "docker0" goto mangle_PRE_docker
		iifname "virbr0" goto mangle_PRE_libvirt
		goto mangle_PRE_public
	}
	chain mangle_PREROUTING_POLICIES_post {
	}
	chain nat_PREROUTING {
		type nat hook prerouting priority dstnat + 10; policy accept;
		jump nat_PREROUTING_ZONES
	}
	chain nat_PREROUTING_POLICIES_pre {
		jump nat_PRE_policy_allow-host-ipv6
	}
	chain nat_PREROUTING_ZONES {
		iifname "docker0" goto nat_PRE_docker
		iifname "virbr0" goto nat_PRE_libvirt
		goto nat_PRE_public
	}
	chain nat_PREROUTING_POLICIES_post {
	}
	chain nat_POSTROUTING {
		type nat hook postrouting priority srcnat + 10; policy accept;
		jump nat_POSTROUTING_ZONES
	}
	chain nat_POSTROUTING_POLICIES_pre {
	}
	chain nat_POSTROUTING_ZONES {
		oifname "docker0" goto nat_POST_docker
		oifname "virbr0" goto nat_POST_libvirt
		goto nat_POST_public
	}
	chain nat_POSTROUTING_POLICIES_post {
	}
	chain nat_OUTPUT {
		type nat hook output priority -90; policy accept;
		jump nat_OUTPUT_POLICIES_pre
		jump nat_OUTPUT_POLICIES_post
	}
	chain nat_OUTPUT_POLICIES_pre {
	}
	chain nat_OUTPUT_POLICIES_post {
	}
	chain filter_PREROUTING {
		type filter hook prerouting priority filter + 10; policy accept;
		icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
		# Reverse-path check for IPv6 only; IPv4 RPF is not done in nft here
		# (it would rely on the rp_filter sysctl, which this dump cannot show).
		meta nfproto ipv6 fib saddr . mark . iif oif missing drop
	}
	chain filter_INPUT {
		type filter hook input priority filter + 10; policy accept;
		ct state { established, related } accept
		# DNATed flows are accepted before zone dispatch, i.e. port-forwarded
		# traffic is not subject to the zone allow lists.
		ct status dnat accept
		ct state invalid drop
		iifname "lo" accept
		jump filter_INPUT_ZONES
		# Catch-all: anything no zone accepted is rejected.
		reject with icmpx admin-prohibited
	}
	chain filter_FORWARD {
		type filter hook forward priority filter + 10; policy accept;
		ct state { established, related } accept
		# Any DNATed flow (e.g. a Docker-published port) bypasses zone filtering
		# in this chain. None exist in this snapshot (ip nat DOCKER is empty).
		ct status dnat accept
		ct state invalid drop
		iifname "lo" accept
		# Refuse to forward to IPv4-compatible/-mapped IPv6 and to 6to4 prefixes
		# that embed non-routable IPv4 space (0/8, 10/8, 127/8, 169.254/16,
		# 172.16/12, 192.168/16, 224/3).
		ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
		jump filter_FORWARD_ZONES
		reject with icmpx admin-prohibited
	}
	chain filter_OUTPUT {
		type filter hook output priority filter + 10; policy accept;
		ct state { established, related } accept
		oifname "lo" accept
		# Same 6to4/IPv4-mapped sink for locally generated traffic.
		ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
		jump filter_OUTPUT_POLICIES_pre
		jump filter_OUTPUT_POLICIES_post
	}
	chain filter_INPUT_POLICIES_pre {
		# Applied to every zone before its own rules.
		jump filter_IN_policy_allow-host-ipv6
	}
	chain filter_INPUT_ZONES {
		iifname "docker0" goto filter_IN_docker
		iifname "virbr0" goto filter_IN_libvirt
		goto filter_IN_public
	}
	chain filter_INPUT_POLICIES_post {
	}
	chain filter_FORWARD_POLICIES_pre {
	}
	chain filter_FORWARD_ZONES {
		iifname "docker0" goto filter_FWD_docker
		iifname "virbr0" goto filter_FWD_libvirt
		goto filter_FWD_public
	}
	chain filter_FORWARD_POLICIES_post {
	}
	chain filter_OUTPUT_POLICIES_pre {
	}
	chain filter_OUTPUT_POLICIES_post {
	}
	# ---- public zone (default for every interface not listed above) ----
	chain filter_IN_public {
		jump filter_INPUT_POLICIES_pre
		jump filter_IN_public_pre
		jump filter_IN_public_log
		jump filter_IN_public_deny
		jump filter_IN_public_allow
		jump filter_IN_public_post
		jump filter_INPUT_POLICIES_post
		# Zone target is the default: all ICMP/ICMPv6 accepted (no type
		# restriction), everything not matched in _allow is rejected.
		meta l4proto { icmp, ipv6-icmp } accept
		reject with icmpx admin-prohibited
	}
	chain filter_IN_public_pre {
	}
	chain filter_IN_public_log {
	}
	chain filter_IN_public_deny {
	}
	chain filter_IN_public_allow {
		# Only SSH and the DHCPv6 client port are reachable from the public
		# zone. SSH is open to any source; restrict by saddr or move it to a
		# management zone if the host is internet-facing.
		tcp dport 22 ct state { new, untracked } accept
		ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
	}
	chain filter_IN_public_post {
	}
	chain nat_POST_public {
		jump nat_POSTROUTING_POLICIES_pre
		jump nat_POST_public_pre
		jump nat_POST_public_log
		jump nat_POST_public_deny
		jump nat_POST_public_allow
		jump nat_POST_public_post
		jump nat_POSTROUTING_POLICIES_post
	}
	chain nat_POST_public_pre {
	}
	chain nat_POST_public_log {
	}
	chain nat_POST_public_deny {
	}
	chain nat_POST_public_allow {
	}
	chain nat_POST_public_post {
	}
	chain filter_FWD_public {
		jump filter_FORWARD_POLICIES_pre
		jump filter_FWD_public_pre
		jump filter_FWD_public_log
		jump filter_FWD_public_deny
		jump filter_FWD_public_allow
		jump filter_FWD_public_post
		jump filter_FORWARD_POLICIES_post
		# Nothing entering from the public zone is forwarded.
		reject with icmpx admin-prohibited
	}
	chain filter_FWD_public_pre {
	}
	chain filter_FWD_public_log {
	}
	chain filter_FWD_public_deny {
	}
	chain filter_FWD_public_allow {
	}
	chain filter_FWD_public_post {
	}
	chain nat_PRE_public {
		jump nat_PREROUTING_POLICIES_pre
		jump nat_PRE_public_pre
		jump nat_PRE_public_log
		jump nat_PRE_public_deny
		jump nat_PRE_public_allow
		jump nat_PRE_public_post
		jump nat_PREROUTING_POLICIES_post
	}
	chain nat_PRE_public_pre {
	}
	chain nat_PRE_public_log {
	}
	chain nat_PRE_public_deny {
	}
	chain nat_PRE_public_allow {
	}
	chain nat_PRE_public_post {
	}
	chain mangle_PRE_public {
		jump mangle_PREROUTING_POLICIES_pre
		jump mangle_PRE_public_pre
		jump mangle_PRE_public_log
		jump mangle_PRE_public_deny
		jump mangle_PRE_public_allow
		jump mangle_PRE_public_post
		jump mangle_PREROUTING_POLICIES_post
	}
	chain mangle_PRE_public_pre {
	}
	chain mangle_PRE_public_log {
	}
	chain mangle_PRE_public_deny {
	}
	chain mangle_PRE_public_allow {
	}
	chain mangle_PRE_public_post {
	}
	# ---- allow-host-ipv6 policy: IPv6 neighbour discovery for ALL zones ----
	chain filter_IN_policy_allow-host-ipv6 {
		jump filter_IN_policy_allow-host-ipv6_pre
		jump filter_IN_policy_allow-host-ipv6_log
		jump filter_IN_policy_allow-host-ipv6_deny
		jump filter_IN_policy_allow-host-ipv6_allow
		jump filter_IN_policy_allow-host-ipv6_post
	}
	chain filter_IN_policy_allow-host-ipv6_pre {
	}
	chain filter_IN_policy_allow-host-ipv6_log {
	}
	chain filter_IN_policy_allow-host-ipv6_deny {
	}
	chain filter_IN_policy_allow-host-ipv6_allow {
		icmpv6 type nd-neighbor-advert accept
		icmpv6 type nd-neighbor-solicit accept
		icmpv6 type nd-router-advert accept
		# NOTE(review): ICMPv6 redirects and router advertisements are accepted
		# on every interface, including public ones; whether the host honours
		# them depends on the accept_ra / accept_redirects sysctls, not shown here.
		icmpv6 type nd-redirect accept
	}
	chain filter_IN_policy_allow-host-ipv6_post {
	}
	chain nat_PRE_policy_allow-host-ipv6 {
		jump nat_PRE_policy_allow-host-ipv6_pre
		jump nat_PRE_policy_allow-host-ipv6_log
		jump nat_PRE_policy_allow-host-ipv6_deny
		jump nat_PRE_policy_allow-host-ipv6_allow
		jump nat_PRE_policy_allow-host-ipv6_post
	}
	chain nat_PRE_policy_allow-host-ipv6_pre {
	}
	chain nat_PRE_policy_allow-host-ipv6_log {
	}
	chain nat_PRE_policy_allow-host-ipv6_deny {
	}
	chain nat_PRE_policy_allow-host-ipv6_allow {
	}
	chain nat_PRE_policy_allow-host-ipv6_post {
	}
	chain mangle_PRE_policy_allow-host-ipv6 {
		jump mangle_PRE_policy_allow-host-ipv6_pre
		jump mangle_PRE_policy_allow-host-ipv6_log
		jump mangle_PRE_policy_allow-host-ipv6_deny
		jump mangle_PRE_policy_allow-host-ipv6_allow
		jump mangle_PRE_policy_allow-host-ipv6_post
	}
	chain mangle_PRE_policy_allow-host-ipv6_pre {
	}
	chain mangle_PRE_policy_allow-host-ipv6_log {
	}
	chain mangle_PRE_policy_allow-host-ipv6_deny {
	}
	chain mangle_PRE_policy_allow-host-ipv6_allow {
	}
	chain mangle_PRE_policy_allow-host-ipv6_post {
	}
	# ---- libvirt zone (virbr0) ----
	chain filter_IN_libvirt {
		jump filter_INPUT_POLICIES_pre
		jump filter_IN_libvirt_pre
		jump filter_IN_libvirt_log
		jump filter_IN_libvirt_deny
		jump filter_IN_libvirt_allow
		jump filter_IN_libvirt_post
		jump filter_INPUT_POLICIES_post
		# Zone target ACCEPT, but effectively unreachable: _post (above)
		# rejects everything that _allow did not accept.
		accept
	}
	chain filter_IN_libvirt_pre {
	}
	chain filter_IN_libvirt_log {
	}
	chain filter_IN_libvirt_deny {
	}
	chain filter_IN_libvirt_allow {
		# Services the host offers to guests: DHCP, DHCPv6, DNS, SSH, TFTP, ICMP.
		udp dport 67 ct state { new, untracked } accept
		udp dport 547 ct state { new, untracked } accept
		tcp dport 53 ct state { new, untracked } accept
		udp dport 53 ct state { new, untracked } accept
		tcp dport 22 ct state { new, untracked } accept
		# Assigns the TFTP conntrack helper, then accepts the request; the
		# helper is what lets the data connection back as "related".
		udp dport 69 ct helper set "helper-tftp-udp"
		udp dport 69 ct state { new, untracked } accept
		meta l4proto icmp ct state { new, untracked } accept
		meta l4proto ipv6-icmp ct state { new, untracked } accept
	}
	chain filter_IN_libvirt_post {
		# Deny-by-default for guests: runs before the zone's terminal accept.
		reject
	}
	chain nat_POST_libvirt {
		jump nat_POSTROUTING_POLICIES_pre
		jump nat_POST_libvirt_pre
		jump nat_POST_libvirt_log
		jump nat_POST_libvirt_deny
		jump nat_POST_libvirt_allow
		jump nat_POST_libvirt_post
		jump nat_POSTROUTING_POLICIES_post
	}
	chain nat_POST_libvirt_pre {
	}
	chain nat_POST_libvirt_log {
	}
	chain nat_POST_libvirt_deny {
	}
	chain nat_POST_libvirt_allow {
	}
	chain nat_POST_libvirt_post {
	}
	chain filter_FWD_libvirt {
		jump filter_FORWARD_POLICIES_pre
		jump filter_FWD_libvirt_pre
		jump filter_FWD_libvirt_log
		jump filter_FWD_libvirt_deny
		jump filter_FWD_libvirt_allow
		jump filter_FWD_libvirt_post
		jump filter_FORWARD_POLICIES_post
		# firewalld forwards anything from virbr0; the anti-spoofing and
		# reply-only limits come from the ip filter LIBVIRT_FW* chains instead.
		accept
	}
	chain filter_FWD_libvirt_pre {
	}
	chain filter_FWD_libvirt_log {
	}
	chain filter_FWD_libvirt_deny {
	}
	chain filter_FWD_libvirt_allow {
	}
	chain filter_FWD_libvirt_post {
	}
	chain nat_PRE_libvirt {
		jump nat_PREROUTING_POLICIES_pre
		jump nat_PRE_libvirt_pre
		jump nat_PRE_libvirt_log
		jump nat_PRE_libvirt_deny
		jump nat_PRE_libvirt_allow
		jump nat_PRE_libvirt_post
		jump nat_PREROUTING_POLICIES_post
	}
	chain nat_PRE_libvirt_pre {
	}
	chain nat_PRE_libvirt_log {
	}
	chain nat_PRE_libvirt_deny {
	}
	chain nat_PRE_libvirt_allow {
	}
	chain nat_PRE_libvirt_post {
	}
	chain mangle_PRE_libvirt {
		jump mangle_PREROUTING_POLICIES_pre
		jump mangle_PRE_libvirt_pre
		jump mangle_PRE_libvirt_log
		jump mangle_PRE_libvirt_deny
		jump mangle_PRE_libvirt_allow
		jump mangle_PRE_libvirt_post
		jump mangle_PREROUTING_POLICIES_post
	}
	chain mangle_PRE_libvirt_pre {
	}
	chain mangle_PRE_libvirt_log {
	}
	chain mangle_PRE_libvirt_deny {
	}
	chain mangle_PRE_libvirt_allow {
	}
	chain mangle_PRE_libvirt_post {
	}
	# ---- docker zone (docker0) ----
	chain filter_IN_docker {
		jump filter_INPUT_POLICIES_pre
		jump filter_IN_docker_pre
		jump filter_IN_docker_log
		jump filter_IN_docker_deny
		jump filter_IN_docker_allow
		jump filter_IN_docker_post
		jump filter_INPUT_POLICIES_post
		# Zone target ACCEPT with empty _allow/_deny/_post and INPUT policy
		# accept in ip filter: containers on docker0 can reach EVERY listening
		# host service, not only the ports exposed to the public zone (22/546).
		# Unlike the libvirt zone there is no reject in _post. Add deny rules to
		# this zone (or to DOCKER-USER) for host services that must stay
		# container-unreachable.
		accept
	}
	chain filter_IN_docker_pre {
	}
	chain filter_IN_docker_log {
	}
	chain filter_IN_docker_deny {
	}
	chain filter_IN_docker_allow {
	}
	chain filter_IN_docker_post {
	}
	chain nat_POST_docker {
		jump nat_POSTROUTING_POLICIES_pre
		jump nat_POST_docker_pre
		jump nat_POST_docker_log
		jump nat_POST_docker_deny
		jump nat_POST_docker_allow
		jump nat_POST_docker_post
		jump nat_POSTROUTING_POLICIES_post
	}
	chain nat_POST_docker_pre {
	}
	chain nat_POST_docker_log {
	}
	chain nat_POST_docker_deny {
	}
	chain nat_POST_docker_allow {
	}
	chain nat_POST_docker_post {
	}
	chain filter_FWD_docker {
		jump filter_FORWARD_POLICIES_pre
		jump filter_FWD_docker_pre
		jump filter_FWD_docker_log
		jump filter_FWD_docker_deny
		jump filter_FWD_docker_allow
		jump filter_FWD_docker_post
		jump filter_FORWARD_POLICIES_post
		# Container-originated forwarding is accepted here; the ip filter
		# FORWARD chain still applies its own Docker rules afterwards.
		accept
	}
	chain filter_FWD_docker_pre {
	}
	chain filter_FWD_docker_log {
	}
	chain filter_FWD_docker_deny {
	}
	chain filter_FWD_docker_allow {
		# Only reached for packets that entered via docker0 (zone dispatch is
		# by iifname), so this adds nothing beyond the terminal accept.
		oifname "docker0" accept
	}
	chain filter_FWD_docker_post {
	}
	chain nat_PRE_docker {
		jump nat_PREROUTING_POLICIES_pre
		jump nat_PRE_docker_pre
		jump nat_PRE_docker_log
		jump nat_PRE_docker_deny
		jump nat_PRE_docker_allow
		jump nat_PRE_docker_post
		jump nat_PREROUTING_POLICIES_post
	}
	chain nat_PRE_docker_pre {
	}
	chain nat_PRE_docker_log {
	}
	chain nat_PRE_docker_deny {
	}
	chain nat_PRE_docker_allow {
	}
	chain nat_PRE_docker_post {
	}
	chain mangle_PRE_docker {
		jump mangle_PREROUTING_POLICIES_pre
		jump mangle_PRE_docker_pre
		jump mangle_PRE_docker_log
		jump mangle_PRE_docker_deny
		jump mangle_PRE_docker_allow
		jump mangle_PRE_docker_post
		jump mangle_PREROUTING_POLICIES_post
	}
	chain mangle_PRE_docker_pre {
	}
	chain mangle_PRE_docker_log {
	}
	chain mangle_PRE_docker_deny {
	}
	chain mangle_PRE_docker_allow {
	}
	chain mangle_PRE_docker_post {
	}
}
table ip nat {
	chain LIBVIRT_PRT {
		# Guest multicast/broadcast is left un-NATed.
		ip saddr 192.168.122.0/24 ip daddr 224.0.0.0/24 counter packets 7 bytes 486 return
		ip saddr 192.168.122.0/24 ip daddr 255.255.255.255 counter packets 0 bytes 0 return
		# Guest egress is masqueraded; TCP/UDP source ports are remapped into
		# the unprivileged range.
		meta l4proto tcp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade to :1024-65535
		meta l4proto udp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade to :1024-65535
		ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade
	}
	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		# Docker default bridge subnet is masqueraded on every non-docker0 egress.
		oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
		counter packets 2062 bytes 157212 jump LIBVIRT_PRT
	}
	chain DOCKER {
		# Published-port DNAT rules would appear here; none are present.
		iifname "docker0" counter packets 0 bytes 0 return
	}
	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		fib daddr type local counter packets 5 bytes 286 jump DOCKER
	}
	chain OUTPUT {
		type nat hook output priority -100; policy accept;
		# Lets local processes reach published ports via the host's own
		# non-loopback addresses.
		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
	}
}
table ip mangle {
	chain LIBVIRT_PRT {
		# The trailing "# CHECKSUM fill" is nft's placeholder for an xtables
		# CHECKSUM target (UDP checksum fill on DHCP replies to guests) that has
		# no native nft expression. NOTE(review): because it is printed as a
		# comment, this dump cannot be restored with `nft -f` without losing
		# that target; in a single-line paste the comment also swallows
		# everything that follows it on the line.
		oifname "virbr0" meta l4proto udp udp dport 68 counter packets 0 bytes 0 # CHECKSUM fill
	}
	chain POSTROUTING {
		type filter hook postrouting priority mangle; policy accept;
		counter packets 14766 bytes 1307235 jump LIBVIRT_PRT
	}
}
table ip6 nat {
	chain LIBVIRT_PRT {
	}
	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		counter packets 7 bytes 749 jump LIBVIRT_PRT
	}
}
table ip6 mangle {
	chain LIBVIRT_PRT {
	}
	chain POSTROUTING {
		type filter hook postrouting priority mangle; policy accept;
		counter packets 121 bytes 15866 jump LIBVIRT_PRT
	}
}