Hi all! I have a stupid question :( SNAT/MASQUERADE doesn't work for VEs. Please help me understand how to make a working configuration.

On one of my hardware nodes MASQUERADE for VEs works fine, but I want to make a default configuration with PXE, Anaconda kickstart and puppet to push configs to some number of nodes. I want to have a reproducible configuration :) But now I don't understand how MASQUERADE works on my node :( This server does not have a reproducible configuration :( And I don't remember how I configured this server in the past :( I read this guide now, and in the past. And in the past, as I remember, it didn't work for me: http://wiki.openvz.org/Using_NAT_for_VE_with_private_IPs I don't remember how the problem was solved :(

Networking on the test OpenVZ server works for containers:

[r...@ovz-test2 ~]# vzlist | grep 407
       407         14 running   10.0.5.47       test-dns.local
[r...@ovz-test2 ~]#

ICMP from HN to VE:

[r...@ovz-test2 ~]# ping -c 1 10.0.5.47
PING 10.0.5.47 (10.0.5.47) 56(84) bytes of data.
64 bytes from 10.0.5.47: icmp_seq=1 ttl=64 time=0.258 ms

--- 10.0.5.47 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.258/0.258/0.258/0.000 ms
[r...@ovz-test2 ~]#

ICMP from VE to HN:

[r...@test-dns ~]# ping -c 1 ovz-test2
PING ovz-test2.local (10.0.5.128) 56(84) bytes of data.
64 bytes from ovz-test2.local (10.0.5.128): icmp_seq=1 ttl=64 time=0.064 ms

--- ovz-test2.local ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.064/0.064/0.064/0.000 ms
[r...@test-dns ~]#

And ICMP from the VE to another host in the LAN:

[r...@test-dns ~]# ping -c 1 puppet
PING puppet.local (10.0.5.16) 56(84) bytes of data.
64 bytes from puppet.loc (10.0.5.16): icmp_seq=1 ttl=63 time=1.78 ms

--- puppet.local ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.780/1.780/1.780/0.000 ms
[r...@test-dns ~]#

But NAT to other networks, for example to the Internet, doesn't work:

[r...@test-dns ~]# ping -c 1 google.com
PING google.com (74.125.77.147) 56(84) bytes of data.
From ovz-test2.local (10.0.5.128) icmp_seq=1 Destination Net Unreachable

--- google.com ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

[r...@test-dns ~]#
[r...@test-dns ~]# wget google.com
--2009-12-20 13:11:19--  http://google.com/
Resolving google.com... 74.125.77.104, 74.125.77.99, 74.125.77.147
Connecting to google.com|74.125.77.104|:80... failed: Network is unreachable.
Connecting to google.com|74.125.77.99|:80... failed: Network is unreachable.
Connecting to google.com|74.125.77.147|:80... failed: Network is unreachable.
[r...@test-dns ~]#

Configuration of the HN:

[r...@ovz-test2 ~]# cat /etc/redhat-release
CentOS release 5.3 (Final)
[r...@ovz-test2 ~]#
[r...@ovz-test2 ~]# uname -a
Linux ovz-test2.local 2.6.18-128.2.1.el5.028stab064.4 #1 SMP Wed Jul 22 00:11:00 MSD 2009 i686 i686 i386 GNU/Linux
[r...@ovz-test2 ~]#
[r...@ovz-test2 ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 54:52:00:3D:CB:40
          inet addr:10.0.5.128  Bcast:10.0.5.255  Mask:255.255.255.0
          inet6 addr: fe80::5652:ff:fe3d:cb40/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:112743 errors:0 dropped:0 overruns:0 frame:0
          TX packets:119926 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:21101421 (20.1 MiB)  TX bytes:23473181 (22.3 MiB)
          Interrupt:11 Base address:0x4000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:14 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:878 (878.0 b)  TX bytes:878 (878.0 b)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:267 errors:0 dropped:0 overruns:0 frame:0
          TX packets:368 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:28529 (27.8 KiB)  TX bytes:29631 (28.9 KiB)

[r...@ovz-test2 ~]#
[r...@ovz-test2 ~]# rpm -qa | grep vz
vzctl-lib-3.0.23-1
vzrpm43-python-4.3.3-7_nonptl.6
vzrpm44-4.4.1-22.5
vzrpm43-4.3.3-7_nonptl.6
vzquota-3.0.12-1
vzpkg-2.7.0-18
ovzkernel-2.6.18-128.2.1.el5.028stab064.4
vzrpm44-python-4.4.1-22.5
vzctl-3.0.23-1
vzdump-1.1-2
vzyum-2.4.0-11
ha-ovz-tools-1.2-1
[r...@ovz-test2 ~]#
[r...@ovz-test2 ~]# sysctl -p
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
kernel.sysrq = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0
[r...@ovz-test2 ~]#
[r...@ovz-test2 ~]# cat /etc/sysconfig/vz
## Global parameters
VIRTUOZZO=yes
LOCKDIR=/vz/lock
DUMPDIR=/vz/dump
VE0CPUUNITS=1000

## Logging parameters
LOGGING=yes
LOGFILE=/var/log/vzctl.log
LOG_LEVEL=0
VERBOSE=0

## Disk quota parameters
DISK_QUOTA=yes

VZFASTBOOT=no

# Disable module loading. If set, vz initscript do not load any modules.
#MODULES_DISABLED=yes

# The name of the device whose IP address will be used as source IP for CT.
# By default automatically assigned.
VE_ROUTE_SRC_DEV="eth0"

# Controls which interfaces to send ARP requests and modify APR tables on.
NEIGHBOUR_DEVS=detect

## Template parameters
TEMPLATE=/vz/template

## Defaults for containers
VE_ROOT=/vz/root/$VEID
VE_PRIVATE=/vz/private/$VEID
CONFIGFILE="vps.basic"
DEF_OSTEMPLATE="fedora-core-4"

## Load vzwdog module
VZWDOG="no"

## IPv4 iptables kernel modules
IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc ipt_REDIRECT"

## Enable IPv6
IPV6="no"

## IPv6 ip6tables kernel modules
IP6TABLES="ip6_tables ip6table_filter ip6table_mangle ip6t_REJECT"

[r...@ovz-test2 ~]# cat /proc/sys/net/ipv4/conf/eth0/forwarding
1
[r...@ovz-test2 ~]# cat /proc/sys/net/ipv4/conf/venet0/forwarding
1
[r...@ovz-test2 ~]#

I tried very many different iptables configurations. None of them work. I tried using the configuration from the old hardware node; it doesn't work either :( One of the non-working configurations:

[r...@ovz-test2 ~]# iptables-save
# Generated by iptables-save v1.3.5 on Sun Dec 20 13:17:25 2009
*raw
:PREROUTING ACCEPT [9708:1526221]
:OUTPUT ACCEPT [9198:1571058]
COMMIT
# Completed on Sun Dec 20 13:17:25 2009
# Generated by iptables-save v1.3.5 on Sun Dec 20 13:17:25 2009
*nat
:PREROUTING ACCEPT [73:4765]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [945:55800]
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o venet0 -j MASQUERADE
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
COMMIT
# Completed on Sun Dec 20 13:17:25 2009
# Generated by iptables-save v1.3.5 on Sun Dec 20 13:17:25 2009
*mangle
:PREROUTING ACCEPT [11775:1810121]
:INPUT ACCEPT [11090:1747639]
:FORWARD ACCEPT [668:61270]
:OUTPUT ACCEPT [11071:1902912]
:POSTROUTING ACCEPT [11739:1964182]
-A PREROUTING -i eth0 -j MARK --set-mark 0x9
-A PREROUTING -i venet0 -j MARK --set-mark 0x9
-A PREROUTING -i eth0 -j MARK --set-mark 0x9
-A PREROUTING -i venet0 -j MARK --set-mark 0x9
COMMIT
# Completed on Sun Dec 20 13:17:25 2009
# Generated by iptables-save v1.3.5 on Sun Dec 20 13:17:25 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11071:1902912]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -i venet0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sun Dec 20 13:17:25 2009
[r...@ovz-test2 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
[r...@ovz-test2 ~]#

=================

Iptables from the old hardware node (it has three network interfaces); SNAT and other networks work for containers:

[shaggy...@hn iptables-dumps]$ cat iptables_L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     tcp  --  10.0.9.25            anywhere            multiport dports smtp
ACCEPT     all  --  10.0.7.0/24          10.0.10.33
ACCEPT     tcp  --  10.0.10.0/24         10.0.9.25           multiport dports smtp
ACCEPT     tcp  --  10.0.5.2             anywhere            multiport dports smtp
ACCEPT     all  --  anywhere             255.255.255.255
DROP       tcp  --  10.0.9.0/24          anywhere            multiport dports smtp
DROP       tcp  --  10.0.7.0/24          anywhere            multiport dports smtp
DROP       tcp  --  10.0.5.0/24          anywhere            multiport dports smtp
DROP       tcp  --  10.0.10.0/24         anywhere            multiport dports smtp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            icmp any
DROP       tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     all  --  anywhere             anywhere
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:959
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:4666
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:6419
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:6429
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:oms
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:rmopagt
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:7422
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:7480
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:7622
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:7680
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:7922
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:quest-vista
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:7918
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:7912
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:7222
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:itactionserver1
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:7922
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:quest-vista
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pcsync-https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:7222
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:itactionserver1
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:7580
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:7522
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:7880
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:7822
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:7821
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:7843
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5212
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:xmpp-client
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5218
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5228
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:7780
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:7722
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5142
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
[shaggy...@hn iptables-dumps]$

# Generated by iptables-save v1.3.5 on Sun Dec 20 13:26:58 2009
*raw
:PREROUTING ACCEPT [13342675:9357652753]
:OUTPUT ACCEPT [67843:7963321]
COMMIT
# Completed on Sun Dec 20 13:26:58 2009
# Generated by iptables-save v1.3.5 on Sun Dec 20 13:26:58 2009
*nat
:PREROUTING ACCEPT [380907:40676143]
:POSTROUTING ACCEPT [2034:119928]
:OUTPUT ACCEPT [929:57360]
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 4662 -j DNAT --to-destination 10.0.10.3:4662
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p udp -m udp --dport 4666 -j DNAT --to-destination 10.0.10.3:4666
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 6419 -j DNAT --to-destination 10.0.10.3:6419
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p udp -m udp --dport 6419 -j DNAT --to-destination 10.0.10.3:6419
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 6882 -j DNAT --to-destination 10.0.10.3:6882
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 1959 -j DNAT --to-destination 10.0.10.3:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.10.33:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 2959 -j DNAT --to-destination 10.0.10.5:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7422 -j DNAT --to-destination 10.0.7.4:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7480 -j DNAT --to-destination 10.0.7.4:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7822 -j DNAT --to-destination 10.0.7.8:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7880 -j DNAT --to-destination 10.0.7.8:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7821 -j DNAT --to-destination 10.0.7.8:21
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7680 -j DNAT --to-destination 10.0.7.6:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7622 -j DNAT --to-destination 10.0.7.6:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7922 -j DNAT --to-destination 10.0.7.9:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7980 -j DNAT --to-destination 10.0.7.9:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7912 -j DNAT --to-destination 10.0.7.11:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7918 -j DNAT --to-destination 10.0.7.11:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.0.9.25:110
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 143 -j DNAT --to-destination 10.0.9.25:143
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.0.9.25:25
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7222 -j DNAT --to-destination 10.0.7.2:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7980 -j DNAT --to-destination 10.0.7.2:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7980 -j DNAT --to-destination 10.0.7.9:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p udp -m udp --dport 53 -j DNAT --to-destination 10.0.9.29:53
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 10.0.9.22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7222 -j DNAT --to-destination 10.0.7.2:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7280 -j DNAT --to-destination 10.0.7.2:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7580 -j DNAT --to-destination 10.0.7.5:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7522 -j DNAT --to-destination 10.0.7.5:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7822 -j DNAT --to-destination 10.0.7.8:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5212 -j DNAT --to-destination 10.0.5.21:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5222 -j DNAT --to-destination 10.0.5.22:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5218 -j DNAT --to-destination 10.0.5.21:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5228 -j DNAT --to-destination 10.0.5.22:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7322 -j DNAT --to-destination 10.0.7.3:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7380 -j DNAT --to-destination 10.0.7.3:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7780 -j DNAT --to-destination 10.0.7.7:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7722 -j DNAT --to-destination 10.0.7.7:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5142 -j DNAT --to-destination 10.0.5.14:22
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
-A POSTROUTING -s 10.0.9.25 -p tcp -m tcp --dport 25 -j ACCEPT
-A POSTROUTING -s 10.0.5.2 -p tcp -m tcp --dport 25 -j ACCEPT
-A POSTROUTING -s 10.0.9.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
-A POSTROUTING -s 10.0.7.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
-A POSTROUTING -s 10.0.5.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
-A POSTROUTING -s 10.0.10.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
COMMIT
# Completed on Sun Dec 20 13:26:58 2009
# Generated by iptables-save v1.3.5 on Sun Dec 20 13:26:58 2009
*mangle
:PREROUTING ACCEPT [13342678:9357654449]
:INPUT ACCEPT [121922:31158972]
:FORWARD ACCEPT [13221657:9326618380]
:OUTPUT ACCEPT [67843:7963321]
:POSTROUTING ACCEPT [13289494:9334581397]
-A PREROUTING -i br0 -j MARK --set-mark 0x9
-A PREROUTING -i wlan0 -j MARK --set-mark 0x9
-A PREROUTING -i venet0 -j MARK --set-mark 0x9
COMMIT
# Completed on Sun Dec 20 13:26:58 2009
# Generated by iptables-save v1.3.5 on Sun Dec 20 13:26:58 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [67843:7963321]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -p icmp -m icmp --icmp-type any -j ACCEPT
-A FORWARD -s 10.0.9.25 -p tcp -m multiport --dports 25 -j ACCEPT
-A FORWARD -s 10.0.7.0/255.255.255.0 -d 10.0.10.33 -j ACCEPT
-A FORWARD -s 10.0.10.0/255.255.255.0 -d 10.0.9.25 -p tcp -m multiport --dports 25 -j ACCEPT
-A FORWARD -s 10.0.5.2 -p tcp -m multiport --dports 25 -j ACCEPT
-A FORWARD -d 255.255.255.255 -j ACCEPT
-A FORWARD -s 10.0.9.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
-A FORWARD -s 10.0.7.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
-A FORWARD -s 10.0.5.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
-A FORWARD -s 10.0.10.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type any -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 25 -j DROP
-A FORWARD -o eth0 -j ACCEPT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i br0 -j ACCEPT
-A RH-Firewall-1-INPUT -i ath0 -j ACCEPT
-A RH-Firewall-1-INPUT -i venet0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 959 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 4666 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 6419 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 6429 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 4662 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2959 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7422 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7480 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7622 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7680 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7922 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7980 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7918 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7912 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7222 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7280 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7922 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7980 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7222 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7280 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7580 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7522 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7880 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7822 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7821 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7843 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5212 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5222 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5218 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5228 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7780 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7722 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5142 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sun Dec 20 13:26:58 2009

-- 
Galina Lisovskaya
_______________________________________________
Users mailing list
Users@openvz.org
https://openvz.org/mailman/listinfo/users
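A check script for the situation in this post, added here as an example and not code from the original message or from OpenVZ: it takes the outputs the post already shows (routing table, sysctl, iptables-save), live or from saved dumps, and reports the conditions MASQUERADE for venet0 containers depends on. A host that answers "Destination Net Unreachable" from its own address has no route to the destination, so the script checks for a default route on the HN before looking at the NAT rules. The interface names eth0/venet0 and the 10.0.5.0/24 container range are assumptions taken from the post; the sample inputs are constructed.

```shell
#!/bin/sh
# nat_check.sh: sanity checks for MASQUERADE of OpenVZ containers behind venet0.
# Added example for this thread, not code from the original post or from OpenVZ.
# Every check takes command output as an argument, so it runs against live output
# on the hardware node or against saved dumps. Assumed names follow the post:
# eth0 = uplink, venet0 = container side, VE_NET = the containers' address range.
VE_NET="${VE_NET:-10.0.5.0/24}"
# 1. Default route. The HN can only forward container traffic beyond its own
#    subnets if it has one; without it the HN itself answers "Destination Net
#    Unreachable". Accepts `ip route` ("default via") or `route -n` ("0.0.0.0").
has_default_route() {
    printf '%s\n' "$1" | grep -Eq '^(default |0\.0\.0\.0[[:space:]])'
}

# 2. Forwarding on (`sysctl net.ipv4.ip_forward` or `sysctl -p` output).
forwarding_enabled() {
    printf '%s\n' "$1" | grep -Eq '^net\.ipv4\.ip_forward *= *1$'
}

# Only the *nat table of an iptables-save dump.
nat_table() {
    printf '%s\n' "$1" | awk '/^\*nat/{p=1;next} /^COMMIT/{p=0} p'
}

# 3. MASQUERADE leaving via venet0 rewrites the source of packets going INTO
#    containers, so every container sees the HN as its peer. 0 = rule present.
masq_toward_containers() {
    nat_table "$1" | grep -Eq '^-A POSTROUTING .*-o venet0 .*-j MASQUERADE'
}

# 4. MASQUERADE without -s hides every forwarded packet, not only the containers'.
masq_unrestricted() {
    nat_table "$1" | grep -E '^-A POSTROUTING .*-j MASQUERADE' | grep -v -- ' -s '
}

# 5. Identical -A lines appended twice: harmless for NAT, but a sign the ruleset
#    was built by hand instead of from one reproducible source file.
duplicate_rules() {
    printf '%s\n' "$1" | grep '^-A ' | sort | uniq -d
}

# Runs all checks, prints one finding per line, returns 1 if anything failed.
check_dump() { # $1 = routing output, $2 = sysctl output, $3 = iptables-save output
    rc=0
    has_default_route "$1" || { echo "FAIL: no default route on the HN"; rc=1; }
    forwarding_enabled "$2" || { echo "FAIL: net.ipv4.ip_forward is not 1"; rc=1; }
    masq_toward_containers "$3" && { echo "WARN: MASQUERADE on -o venet0"; rc=1; }
    [ -n "$(masq_unrestricted "$3")" ] && { echo "WARN: MASQUERADE without -s"; rc=1; }
    [ -n "$(duplicate_rules "$3")" ] && { echo "WARN: duplicate rules"; rc=1; }
    [ "$rc" -eq 0 ] && echo "ok: routing, forwarding and NAT rules look consistent"
    echo "expected rule: -A POSTROUTING -s $VE_NET -o eth0 -j MASQUERADE"
    return "$rc"
}

# Constructed sample in the shape of the post's test node: routes without a
# default, forwarding on, and the posted POSTROUTING rules.
SAMPLE_ROUTES='10.0.5.0/24 dev eth0  proto kernel  scope link  src 10.0.5.128
10.0.5.47 dev venet0  scope link'
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1'
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o venet0 -j MASQUERADE
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
COMMIT'
# Live use on the HN: check_dump "$(ip route)" "$(sysctl net.ipv4.ip_forward)" "$(iptables-save)"
if [ "${1:-}" = "--sample" ]; then check_dump "$SAMPLE_ROUTES" "$SAMPLE_SYSCTL" "$SAMPLE_DUMP"; fi
```

Run with `--sample` to see the findings for the constructed test-node input; on a real HN pass the three live outputs as shown in the last comment.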