hex-data-test.fwall 4.89 KB
Newer Older
1 2 3 4
#ebtables -t nat -L PREROUTING | grep vnet0 | grep -v "^Bridge" | grep -v "^$"
-i vnet0 -j libvirt-I-vnet0
#ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep -v "^$"
-o vnet0 -j libvirt-O-vnet0
5
#ebtables -t nat -L libvirt-I-vnet0 | sed 's#/ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000#/113#g' | sed 's#/ffff:fc00::#/22#g' | sed s/01:02:03:04:05:06/1:2:3:4:5:6/g | sed s/0a:0b:0c:0d:0e:0f/a:b:c:d:e:f/g | grep -v "^Bridge" | grep -v "^$"
6
-p IPv4 -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --ip-src 10.1.2.3 --ip-dst 10.1.2.3 --ip-tos 0x32 --ip-proto udp --ip-sport 291:564 --ip-dport 13398:17767 -j ACCEPT 
7
-p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d aa:bb:cc:dd:ee:80/ff:ff:ff:ff:ff:80 --ip6-src ::/22 --ip6-dst ::10.1.0.0/113 --ip6-proto tcp --ip6-sport 273:400 --ip6-dport 13107:65535 -j ACCEPT
8 9 10 11 12 13
-p ARP -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --arp-op Request --arp-htype 18 --arp-ptype 0x56 --arp-mac-src 1:2:3:4:5:6 --arp-mac-dst a:b:c:d:e:f -j ACCEPT 
#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
-p 0x1234 -j ACCEPT 
#iptables -L FI-vnet0 -n
Chain FI-vnet0 (1 references)
target     prot opt source               destination         
14
RETURN     udp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092 state NEW,ESTABLISHED ctdir REPLY
15 16 17
#iptables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target     prot opt source               destination         
18
ACCEPT     udp  --  10.1.2.3             0.0.0.0/0           DSCP match 0x22udp spts:564:1092 dpts:291:400 state ESTABLISHED ctdir ORIGINAL
19 20 21
#iptables -L HI-vnet0 -n
Chain HI-vnet0 (1 references)
target     prot opt source               destination         
22
RETURN     udp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092 state NEW,ESTABLISHED ctdir REPLY
23 24 25 26 27 28 29
#iptables -L libvirt-host-in -n | grep HI-vnet0 | tr -s " "
HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
#iptables -L libvirt-in -n | grep FI-vnet0 | tr -s " "
FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
#iptables -L libvirt-in-post -n | grep vnet0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vnet0 
#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
30
FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0 --physdev-is-bridged
31
#ip6tables -L FI-vnet0 -n | sed 's/\/128/    /'
32 33
Chain FI-vnet0 (1 references)
target     prot opt source               destination         
34 35
RETURN     tcp      ::/0                 a:b:c::             DSCP match 0x39 tcp spts:256:4369 dpts:32:33 state ESTABLISHED ctdir ORIGINAL
#ip6tables -L FO-vnet0 -n | sed 's/\/128/    /'
36 37
Chain FO-vnet0 (1 references)
target     prot opt source               destination         
38 39
ACCEPT     tcp      a:b:c::              ::/0                MAC 01:02:03:04:05:06 DSCP match 0x39 tcp spts:32:33 dpts:256:4369 state NEW,ESTABLISHED ctdir REPLY
#ip6tables -L HI-vnet0 -n | sed 's/\/128/    /'
40 41
Chain HI-vnet0 (1 references)
target     prot opt source               destination         
42
RETURN     tcp      ::/0                 a:b:c::             DSCP match 0x39 tcp spts:256:4369 dpts:32:33 state ESTABLISHED ctdir ORIGINAL
43 44 45 46 47 48 49
#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 
#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 
#ip6tables -L libvirt-in-post -n | grep vnet0
ACCEPT     all      ::/0                 ::/0                PHYSDEV match --physdev-in vnet0 
#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
50
FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0 --physdev-is-bridged
51 52 53 54 55 56 57
#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
#iptables -L libvirt-in-post -n | grep vnet0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vnet0 
#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
58
FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0 --physdev-is-bridged
59 60 61 62 63 64 65 66 67
#ip6tables -L INPUT -n --line-numbers | grep libvirt
1    libvirt-host-in  all      ::/0                 ::/0                
#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 
#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 
#ip6tables -L libvirt-in-post -n | grep vnet0
ACCEPT     all      ::/0                 ::/0                PHYSDEV match --physdev-in vnet0 
#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
68
FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0 --physdev-is-bridged