libvirt/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
Daniel P. Berrange 20512b8436 Add test for converting network XML to iptables rules
Using the virCommand dry run capability, capture iptables rules
created by various network XML documents.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 15:44:09 +01:00


iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
--destination-port 67 --jump ACCEPT
iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
--destination-port 67 --jump ACCEPT
iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp \
--destination-port 68 --jump ACCEPT
iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
--destination-port 53 --jump ACCEPT
iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
--destination-port 53 --jump ACCEPT
iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
iptables --table filter --insert FORWARD --in-interface virbr0 \
--out-interface virbr0 --jump ACCEPT
ip6tables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
ip6tables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
ip6tables --table filter --insert FORWARD --in-interface virbr0 \
--out-interface virbr0 --jump ACCEPT
ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
--destination-port 53 --jump ACCEPT
ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
--destination-port 53 --jump ACCEPT
ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
--destination-port 547 --jump ACCEPT
iptables --table filter --insert FORWARD --source 192.168.122.0/24 \
--in-interface virbr0 --jump ACCEPT
iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \
--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 --jump MASQUERADE
iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
-p udp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535
iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
-p tcp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535
iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
--destination 255.255.255.255/32 --jump RETURN
iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
--destination 224.0.0.0/24 --jump RETURN
ip6tables --table filter --insert FORWARD --source 2001:db8:ca2:2::/64 \
--in-interface virbr0 --jump ACCEPT
ip6tables --table filter --insert FORWARD --destination 2001:db8:ca2:2::/64 \
--out-interface virbr0 --jump ACCEPT