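# Generated by iptables-save v1.6.1 on Wed Nov 29 13:01:31 2017
# This format is understood by iptables-restore. See `man iptables-restore`.
#
# Layout: one table per `*name` ... `COMMIT` section (mangle, nat, filter).
# Each table is loaded atomically by iptables-restore; a syntax error in one
# table leaves the kernel's current rules for that table untouched.
#
# Addresses used below:
#   192.168.1.45      - the host's LAN-facing address (DNAT entry point)
#   192.168.100.0/24  - the VM subnet behind virbr1
#   virbr1            - the bridge the VMs are attached to
#
# Port plan (derived from the rules below):
#   8000            -> 192.168.100.254:22 (ssh)
#   80NN            -> 192.168.100.NN:22  (ssh, NN = 10..99)
#   810N            -> 192.168.100.N0:8443 (master API, N = 1..9)
#   3N000:3N999     -> 192.168.100.N0 same port (nodeports, N = 1..9)

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DHCP packets sent to VMs have no checksum (due to a longstanding bug).
-A POSTROUTING -o virbr1 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Nodeport traffic
# The DNAT target carries no port, so the original destination port is kept;
# only the address is rewritten to the VM that owns that 1000-port range.
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn -m multiport --dports 31000:31999 -j DNAT --to-destination 192.168.100.10
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn -m multiport --dports 32000:32999 -j DNAT --to-destination 192.168.100.20
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn -m multiport --dports 33000:33999 -j DNAT --to-destination 192.168.100.30
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn -m multiport --dports 34000:34999 -j DNAT --to-destination 192.168.100.40
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn -m multiport --dports 35000:35999 -j DNAT --to-destination 192.168.100.50
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn -m multiport --dports 36000:36999 -j DNAT --to-destination 192.168.100.60
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn -m multiport --dports 37000:37999 -j DNAT --to-destination 192.168.100.70
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn -m multiport --dports 38000:38999 -j DNAT --to-destination 192.168.100.80
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn -m multiport --dports 39000:39999 -j DNAT --to-destination 192.168.100.90
# Master traffic
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8101 -j DNAT --to-destination 192.168.100.10:8443
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8102 -j DNAT --to-destination 192.168.100.20:8443
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8103 -j DNAT --to-destination 192.168.100.30:8443
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8104 -j DNAT --to-destination 192.168.100.40:8443
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8105 -j DNAT --to-destination 192.168.100.50:8443
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8106 -j DNAT --to-destination 192.168.100.60:8443
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8107 -j DNAT --to-destination 192.168.100.70:8443
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8108 -j DNAT --to-destination 192.168.100.80:8443
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8109 -j DNAT --to-destination 192.168.100.90:8443
# ssh access
# One forward per VM: host port 80NN -> 192.168.100.NN:22. These rules match
# on any inbound interface; there is no `-i` restriction, so the exposure is
# whatever interface(s) carry 192.168.1.45.
# (A duplicated rule for --dport 8012 in the original save has been dropped;
# it was a no-op since the first match already rewrote the packet.)
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8000 -j DNAT --to-destination 192.168.100.254:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8010 -j DNAT --to-destination 192.168.100.10:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8011 -j DNAT --to-destination 192.168.100.11:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8012 -j DNAT --to-destination 192.168.100.12:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8013 -j DNAT --to-destination 192.168.100.13:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8014 -j DNAT --to-destination 192.168.100.14:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8015 -j DNAT --to-destination 192.168.100.15:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8016 -j DNAT --to-destination 192.168.100.16:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8017 -j DNAT --to-destination 192.168.100.17:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8018 -j DNAT --to-destination 192.168.100.18:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8019 -j DNAT --to-destination 192.168.100.19:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8020 -j DNAT --to-destination 192.168.100.20:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8021 -j DNAT --to-destination 192.168.100.21:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8022 -j DNAT --to-destination 192.168.100.22:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8023 -j DNAT --to-destination 192.168.100.23:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8024 -j DNAT --to-destination 192.168.100.24:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8025 -j DNAT --to-destination 192.168.100.25:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8026 -j DNAT --to-destination 192.168.100.26:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8027 -j DNAT --to-destination 192.168.100.27:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8028 -j DNAT --to-destination 192.168.100.28:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8029 -j DNAT --to-destination 192.168.100.29:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8030 -j DNAT --to-destination 192.168.100.30:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8031 -j DNAT --to-destination 192.168.100.31:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8032 -j DNAT --to-destination 192.168.100.32:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8033 -j DNAT --to-destination 192.168.100.33:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8034 -j DNAT --to-destination 192.168.100.34:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8035 -j DNAT --to-destination 192.168.100.35:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8036 -j DNAT --to-destination 192.168.100.36:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8037 -j DNAT --to-destination 192.168.100.37:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8038 -j DNAT --to-destination 192.168.100.38:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8039 -j DNAT --to-destination 192.168.100.39:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8040 -j DNAT --to-destination 192.168.100.40:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8041 -j DNAT --to-destination 192.168.100.41:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8042 -j DNAT --to-destination 192.168.100.42:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8043 -j DNAT --to-destination 192.168.100.43:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8044 -j DNAT --to-destination 192.168.100.44:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8045 -j DNAT --to-destination 192.168.100.45:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8046 -j DNAT --to-destination 192.168.100.46:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8047 -j DNAT --to-destination 192.168.100.47:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8048 -j DNAT --to-destination 192.168.100.48:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8049 -j DNAT --to-destination 192.168.100.49:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8050 -j DNAT --to-destination 192.168.100.50:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8051 -j DNAT --to-destination 192.168.100.51:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8052 -j DNAT --to-destination 192.168.100.52:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8053 -j DNAT --to-destination 192.168.100.53:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8054 -j DNAT --to-destination 192.168.100.54:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8055 -j DNAT --to-destination 192.168.100.55:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8056 -j DNAT --to-destination 192.168.100.56:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8057 -j DNAT --to-destination 192.168.100.57:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8058 -j DNAT --to-destination 192.168.100.58:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8059 -j DNAT --to-destination 192.168.100.59:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8060 -j DNAT --to-destination 192.168.100.60:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8061 -j DNAT --to-destination 192.168.100.61:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8062 -j DNAT --to-destination 192.168.100.62:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8063 -j DNAT --to-destination 192.168.100.63:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8064 -j DNAT --to-destination 192.168.100.64:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8065 -j DNAT --to-destination 192.168.100.65:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8066 -j DNAT --to-destination 192.168.100.66:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8067 -j DNAT --to-destination 192.168.100.67:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8068 -j DNAT --to-destination 192.168.100.68:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8069 -j DNAT --to-destination 192.168.100.69:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8070 -j DNAT --to-destination 192.168.100.70:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8071 -j DNAT --to-destination 192.168.100.71:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8072 -j DNAT --to-destination 192.168.100.72:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8073 -j DNAT --to-destination 192.168.100.73:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8074 -j DNAT --to-destination 192.168.100.74:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8075 -j DNAT --to-destination 192.168.100.75:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8076 -j DNAT --to-destination 192.168.100.76:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8077 -j DNAT --to-destination 192.168.100.77:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8078 -j DNAT --to-destination 192.168.100.78:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8079 -j DNAT --to-destination 192.168.100.79:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8080 -j DNAT --to-destination 192.168.100.80:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8081 -j DNAT --to-destination 192.168.100.81:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8082 -j DNAT --to-destination 192.168.100.82:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8083 -j DNAT --to-destination 192.168.100.83:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8084 -j DNAT --to-destination 192.168.100.84:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8085 -j DNAT --to-destination 192.168.100.85:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8086 -j DNAT --to-destination 192.168.100.86:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8087 -j DNAT --to-destination 192.168.100.87:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8088 -j DNAT --to-destination 192.168.100.88:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8089 -j DNAT --to-destination 192.168.100.89:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8090 -j DNAT --to-destination 192.168.100.90:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8091 -j DNAT --to-destination 192.168.100.91:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8092 -j DNAT --to-destination 192.168.100.92:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8093 -j DNAT --to-destination 192.168.100.93:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8094 -j DNAT --to-destination 192.168.100.94:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8095 -j DNAT --to-destination 192.168.100.95:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8096 -j DNAT --to-destination 192.168.100.96:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8097 -j DNAT --to-destination 192.168.100.97:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8098 -j DNAT --to-destination 192.168.100.98:22
-A PREROUTING -d 192.168.1.45/32 -p tcp -m tcp --syn --dport 8099 -j DNAT --to-destination 192.168.100.99:22
# Do not masquerade to these reserved address blocks.
-A POSTROUTING -s 192.168.100.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.100.0/24 -d 255.255.255.255/32 -j RETURN
# Masquerade all packets going from VMs to the LAN/Internet.
# TCP/UDP get an explicit ephemeral source-port range; the final rule catches
# every other protocol (ICMP etc.) without a port rewrite.
-A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -j MASQUERADE
COMMIT

*filter
# Chain policies are ACCEPT; the trailing REJECT rules in INPUT and FORWARD
# are what actually closes each chain. If those catch-all rules are ever
# removed or reordered the chain falls open, so treat them as load-bearing
# (a DROP policy would make the default explicit instead).
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Allow basic INPUT traffic.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
# Accept ssh, master and nodeport connections as well as nginx ignition requests
# NOTE(review): connections rewritten by the nat PREROUTING rules traverse
# FORWARD, not INPUT, so the 31000:39999 and 8443 entries here only matter for
# host-local listeners on ports the nat table does not rewrite - confirm that
# something on the host actually needs them.
-A INPUT -p tcp -m tcp --syn -m conntrack --ctstate NEW -m multiport --dports 22,80,31000:39999,8443 -j ACCEPT
# Accept DNS (port 53) and DHCP (port 67) and NTPD (port 123) packets from VMs.
-A INPUT -i virbr1 -p udp -m udp -m multiport --dports 53,67,123 -j ACCEPT
-A INPUT -i virbr1 -p tcp -m tcp -m multiport --dports 53,67,123 -j ACCEPT
# Reject everything else.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
# Allow established traffic to the private subnet.
-A FORWARD -d 192.168.100.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow outbound traffic from the private subnet.
-A FORWARD -s 192.168.100.0/24 -i virbr1 -j ACCEPT
# Allow traffic between virtual machines.
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
# Allow packets that have been forwarded to particular ports on the VM.
# The first rule is the one that admits the DNAT'd ssh (22), master (8443)
# and nodeport flows. NOTE(review): FORWARD sees the post-DNAT destination,
# so the second rule's `-d 192.168.1.45/32` is expected never to match;
# check its counters before relying on it and drop it if they stay at zero.
-A FORWARD -d 192.168.100.0/24 -o virbr1 -p tcp -m tcp --syn -m conntrack --ctstate NEW -m multiport --dports 22,80,8443,30000:39999 -j ACCEPT
-A FORWARD -d 192.168.1.45/32 -o virbr1 -p tcp -m tcp --syn -m conntrack --ctstate NEW -m multiport --dports 8000:8099,8101:8109,30000:39999 -j ACCEPT
# Reject everything else.
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
COMMIT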