VM can't Ping the gateway and can't connect to the network when the firewall is turned on

muyang_ren

Jun 8, 2020
The host is connected to the normal network through the vmbr0 bridge, and the VM is connected to the network through the vmbr1 interface in NAT mode. There should be no problem with either configuration, and the network works normally when the VM firewall is not turned on. However, once the VM firewall is turned on, the VM cannot connect to the network, ping the gateway, or ping VMs on the same network segment. ICMP access has been enabled in the VM firewall settings. Asking the experts for help!
 
Hi,

please post the output of pveversion -v and pve-firewall compile (run the commands on your PVE host)
 
Thank you!

root@PVE101 ~ # pveversion -v
proxmox-ve: 6.2-1 (running kernel: 5.4.41-1-pve)
pve-manager: 6.2-6 (running version: 6.2-6/ee1d7754)
pve-kernel-5.4: 6.2-2
pve-kernel-helper: 6.2-2
pve-kernel-5.4.41-1-pve: 5.4.41-1
ceph-fuse: 12.2.11+dfsg1-2.1+b1
corosync: 3.0.3-pve1
criu: 3.11-3
glusterfs-client: 5.5-3
ifupdown: 0.8.35+pve1
libjs-extjs: 6.0.1-10
libknet1: 1.15-pve1
libproxmox-acme-perl: 1.0.4
libpve-access-control: 6.1-1
libpve-apiclient-perl: 3.0-3
libpve-common-perl: 6.1-3
libpve-guest-common-perl: 3.0-10
libpve-http-server-perl: 3.0-5
libpve-storage-perl: 6.1-8
libqb0: 1.0.5-1
libspice-server1: 0.14.2-4~pve6+1
lvm2: 2.03.02-pve4
lxc-pve: 4.0.2-1
lxcfs: 4.0.3-pve2
novnc-pve: 1.1.0-1
proxmox-mini-journalreader: 1.1-1
proxmox-widget-toolkit: 2.2-7
pve-cluster: 6.1-8
pve-container: 3.1-8
pve-docs: 6.2-4
pve-edk2-firmware: 2.20200229-1
pve-firewall: 4.1-2
pve-firmware: 3.1-1
pve-ha-manager: 3.0-9
pve-i18n: 2.1-3
pve-qemu-kvm: 5.0.0-4
pve-xtermjs: 4.3.0-1
qemu-server: 6.2-3
smartmontools: 7.1-pve2
spiceterm: 3.1-1
vncterm: 1.6-1
 
Turning on the firewall automatically generates too many rules, as follows:

root@PVE101 ~ # pve-firewall compile
ipset cmdlist:
exists PVEFW-0-management-v4 (wUkb5FpQvEqpMcadyVEXs1Pr/dU)
create PVEFW-0-management-v4 hash:net family inet hashsize 64 maxelem 64
exists PVEFW-0-management-v6 (BFNZ5Ozo1dnHuw6aY0C7YsG3uQM)
create PVEFW-0-management-v6 hash:net family inet6 hashsize 64 maxelem 64
add PVEFW-0-management-v6 2a01:4f8:162:2004::2

iptables cmdlist:
exists PVEFW-Drop (WDy2wbFe7jNYEyoO3QhUELZ4mIQ)
-A PVEFW-Drop -p tcp --dport 43 -j PVEFW-reject
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp --match multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp --match multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp --sport 53 -j DROP
exists PVEFW-DropBroadcast (NyjHNAtFbkH7WGLamPpdVnxHy4w)
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
exists PVEFW-FORWARD (qnNexOcGa+y+jebd4dAUqFSp5nw)
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT
exists PVEFW-FWBR-IN (YHE3EYjm/ctNxw/LlPIpcBuz/Ho)
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m physdev --physdev-is-bridged --physdev-out tap900i0 -j tap900i0-IN
exists PVEFW-FWBR-OUT (E5PLKIdlSgYaxgKcK13G7c1Q5xM)
-A PVEFW-FWBR-OUT -m physdev --physdev-is-bridged --physdev-in tap900i0 -j tap900i0-OUT
exists PVEFW-HOST-IN (JTf5ysO5rbwF17I1FjA6ZF186qQ)
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -p icmp -m icmp --icmp-type echo-request -j NFLOG --nflog-prefix ":0:7:PVEFW-HOST-IN: ACCEPT: "
-A PVEFW-HOST-IN -p icmp -m icmp --icmp-type echo-request -j RETURN
-A PVEFW-HOST-IN -p tcp --dport 10122 -j RETURN
-A PVEFW-HOST-IN -p tcp --dport 10022 -j RETURN
-A PVEFW-HOST-IN -p tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp --dport 6231 -j RETURN
-A PVEFW-HOST-IN -p icmp -m icmp --icmp-type echo-request -j RETURN
-A PVEFW-HOST-IN -p tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 60000:60050 -j RETURN
-A PVEFW-HOST-IN -j PVEFW-Drop
-A PVEFW-HOST-IN -j DROP
exists PVEFW-HOST-OUT (0zVqGNg5V7YiSxt0h+sEYJsXD+M)
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -j RETURN
exists PVEFW-INPUT (+5iMmLaxKXynOB/+5xibfx7WhFk)
-A PVEFW-INPUT -j PVEFW-HOST-IN
exists PVEFW-OUTPUT (LjHoZeSSiWAG3+2ZAyL/xuEehd0)
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
exists PVEFW-Reject (CZJnIN6rAdpu+ej59QPr9+laMUo)
-A PVEFW-Reject -p tcp --dport 43 -j PVEFW-reject
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp --match multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp --match multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp --sport 53 -j DROP
exists PVEFW-SET-ACCEPT-MARK (Hg/OIgIwJChBUcWU8Xnjhdd2jUY)
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-mark 0x80000000/0x80000000
exists PVEFW-logflags (MN4PH1oPZeABMuWr64RrygPfW7A)
-A PVEFW-logflags -j DROP
exists PVEFW-reject (Jlkrtle1mDdtxDeI9QaDSL++Npc)
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
exists PVEFW-smurflog (2gfT1VMkfr0JL6OccRXTGXo+1qk)
-A PVEFW-smurflog -j DROP
exists PVEFW-smurfs (HssVe5QCBXd5mc9kC88749+7fag)
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
exists PVEFW-tcpflags (CMFojwNPqllyqD67NeI5m+bP5mo)
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
exists tap900i0-IN (it+SnZgrhKHdzHZ/OkFGB4PPxt8)
-A tap900i0-IN -p tcp --dport 22 -j ACCEPT
-A tap900i0-IN -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-A tap900i0-IN -j PVEFW-Drop
-A tap900i0-IN -j NFLOG --nflog-prefix ":900:7:tap900i0-IN: policy DROP: "
-A tap900i0-IN -j DROP
exists tap900i0-OUT (hR/NHsjeyxNsMORrV+w/ffo0TQo)
-A tap900i0-OUT -j MARK --set-mark 0x00000000/0x80000000
-A tap900i0-OUT -p icmp -m icmp --icmp-type echo-request -j NFLOG --nflog-prefix ":900:7:tap900i0-OUT: ACCEPT: "
-A tap900i0-OUT -p icmp -m icmp --icmp-type echo-request -g PVEFW-SET-ACCEPT-MARK
-A tap900i0-OUT -g PVEFW-SET-ACCEPT-MARK
 
ip6tables cmdlist:
exists PVEFW-Drop (Jb79Uw7z1vZglIcV7QXA5uY/nbk)
-A PVEFW-Drop -p tcp --dport 43 -j PVEFW-reject
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp --match multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp --match multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp --sport 53 -j DROP
exists PVEFW-DropBroadcast (8Krk5Nh8pDZOOc7BQAbM6PlyFSU)
-A PVEFW-DropBroadcast -d ff00::/8 -j DROP
exists PVEFW-FORWARD (qnNexOcGa+y+jebd4dAUqFSp5nw)
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT
exists PVEFW-FWBR-IN (gO2kEz1dFJGRax+en9HDr0/TFoo)
-A PVEFW-FWBR-IN -m physdev --physdev-is-bridged --physdev-out tap900i0 -j tap900i0-IN
exists PVEFW-FWBR-OUT (E5PLKIdlSgYaxgKcK13G7c1Q5xM)
-A PVEFW-FWBR-OUT -m physdev --physdev-is-bridged --physdev-in tap900i0 -j tap900i0-OUT
exists PVEFW-HOST-IN (olZP/JVpr3ttWL80cUvWyU0TUIo)
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -p icmpv6 --icmpv6-type router-solicitation -j RETURN
-A PVEFW-HOST-IN -p icmpv6 --icmpv6-type router-advertisement -j RETURN
-A PVEFW-HOST-IN -p icmpv6 --icmpv6-type neighbor-solicitation -j RETURN
-A PVEFW-HOST-IN -p icmpv6 --icmpv6-type neighbor-advertisement -j RETURN
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -p icmpv6 -m icmpv6 --icmpv6-type echo-request -j NFLOG --nflog-prefix ":0:7:PVEFW-HOST-IN: RETURN: "
-A PVEFW-HOST-IN -p icmpv6 -m icmpv6 --icmpv6-type echo-request -j RETURN
-A PVEFW-HOST-IN -p tcp --dport 10122 -j RETURN
-A PVEFW-HOST-IN -p tcp --dport 10022 -j RETURN
-A PVEFW-HOST-IN -p tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp --dport 6231 -j RETURN
-A PVEFW-HOST-IN -p icmpv6 -m icmpv6 --icmpv6-type echo-request -j RETURN
-A PVEFW-HOST-IN -p tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 60000:60050 -j RETURN
-A PVEFW-HOST-IN -j PVEFW-Drop
-A PVEFW-HOST-IN -j DROP
exists PVEFW-HOST-OUT (TUldfgeoI+/YHW9JEkPPe/EXd+w)
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p icmpv6 --icmpv6-type router-solicitation -j RETURN
-A PVEFW-HOST-OUT -p icmpv6 --icmpv6-type neighbor-solicitation -j RETURN
-A PVEFW-HOST-OUT -p icmpv6 --icmpv6-type neighbor-advertisement -j RETURN
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -d 2a01:04f8:0162:2004:0000:0000:0000:0002 -p tcp --dport 8006 -j RETURN
-A PVEFW-HOST-OUT -d 2a01:04f8:0162:2004:0000:0000:0000:0002 -p tcp --dport 22 -j RETURN
-A PVEFW-HOST-OUT -d 2a01:04f8:0162:2004:0000:0000:0000:0002 -p tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-OUT -d 2a01:04f8:0162:2004:0000:0000:0000:0002 -p tcp --dport 3128 -j RETURN
-A PVEFW-HOST-OUT -j RETURN
exists PVEFW-INPUT (+5iMmLaxKXynOB/+5xibfx7WhFk)
-A PVEFW-INPUT -j PVEFW-HOST-IN
exists PVEFW-OUTPUT (LjHoZeSSiWAG3+2ZAyL/xuEehd0)
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
exists PVEFW-Reject (aL1nrxJk/u3XmTb3Am2eaM/3yCM)
-A PVEFW-Reject -p tcp --dport 43 -j PVEFW-reject
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp --match multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp --match multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp --sport 53 -j DROP
exists PVEFW-SET-ACCEPT-MARK (Hg/OIgIwJChBUcWU8Xnjhdd2jUY)
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-mark 0x80000000/0x80000000
exists PVEFW-logflags (MN4PH1oPZeABMuWr64RrygPfW7A)
-A PVEFW-logflags -j DROP
exists PVEFW-reject (etEECUYcgUdzuuO+LDP83pu0S8Y)
-A PVEFW-reject -p icmpv6 -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp6-port-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp6-adm-prohibited
exists PVEFW-tcpflags (CMFojwNPqllyqD67NeI5m+bP5mo)
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
exists tap900i0-IN (Rif1vmoGVJPzZ5AAG/kOaQZolCs)
-A tap900i0-IN -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
-A tap900i0-IN -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
-A tap900i0-IN -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-A tap900i0-IN -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-A tap900i0-IN -p tcp --dport 22 -j ACCEPT
-A tap900i0-IN -p icmpv6 -m icmpv6 --icmpv6-type echo-request -j ACCEPT
-A tap900i0-IN -j PVEFW-Drop
-A tap900i0-IN -j NFLOG --nflog-prefix ":900:7:tap900i0-IN: policy DROP: "
-A tap900i0-IN -j DROP
exists tap900i0-OUT (PX1M89KsGWO6iktm/p0N56eFwEM)
-A tap900i0-OUT -p icmpv6 --icmpv6-type router-advertisement -j DROP
-A tap900i0-OUT -j MARK --set-mark 0x00000000/0x80000000
-A tap900i0-OUT -p icmpv6 --icmpv6-type router-solicitation -g PVEFW-SET-ACCEPT-MARK
-A tap900i0-OUT -p icmpv6 --icmpv6-type neighbor-solicitation -g PVEFW-SET-ACCEPT-MARK
-A tap900i0-OUT -p icmpv6 --icmpv6-type neighbor-advertisement -g PVEFW-SET-ACCEPT-MARK
-A tap900i0-OUT -p icmpv6 -m icmpv6 --icmpv6-type echo-request -j NFLOG --nflog-prefix ":900:7:tap900i0-OUT: PVEFW-SET-ACCEPT-MARK: "
-A tap900i0-OUT -p icmpv6 -m icmpv6 --icmpv6-type echo-request -g PVEFW-SET-ACCEPT-MARK
-A tap900i0-OUT -g PVEFW-SET-ACCEPT-MARK

ebtables cmdlist:
exists PVEFW-FORWARD (ULtZ6lqjrD/jAKLY+OZo3BbXs9k)
-A PVEFW-FORWARD -p IPv4 -j ACCEPT
-A PVEFW-FORWARD -p IPv6 -j ACCEPT
-A PVEFW-FORWARD -o fwln+ -j PVEFW-FWBR-OUT
exists PVEFW-FWBR-OUT (bfetKdp3dkm19kc03T5syFAdpy0)
-A PVEFW-FWBR-OUT -i tap900i0 -j tap900i0-OUT
exists tap900i0-OUT (qXt9rq0Q/YMvlhRkHQm0AlV8mQA)
-A tap900i0-OUT -j ACCEPT
ignore FORWARD (zuQi5YOvmMWiM9zohnQw/qWemOA)
ignore INPUT (2jmj7l5rSw0yVb/vlWAYkK/YBwk)
ignore OUTPUT (2jmj7l5rSw0yVb/vlWAYkK/YBwk)

iptables table raw cmdlist:

ip6tables table raw cmdlist:
no changes
root@PVE101 ~ #
 
Hello oguz,

The above is all the output generated by the commands you asked for. In the firewall configuration, apart from a few features and the port forwarding for a specific virtual machine that I added manually, all other parameters were generated automatically after the firewall was turned on. I don't know where the problem is; please help me. In addition, one observation may help you analyze the problem: once the VM firewall is turned on, the virtual machine cannot ping the host or the other virtual machines in the same network segment, but it can still be reached from the external network and communicates normally through the forwarded port (for example, the SSH connection mapped from port 22 to port 10022).

Thank you!
 
Was your issue solved? If yes, please mark the thread as [SOLVED] (top right three dots, edit thread, then set the prefix to solved).
 
Hello oguz,

Following your suggestion last time, I added the rule recommended in the documentation to the raw table, which solved the problem of the VM accessing the external network. However, the VM still cannot ping the host's gateway address, and the internal VMs cannot access or ping each other. What's more, a new KVM VM created today unexpectedly could not access the external network at all, and the problem only disappeared after the VM firewall was turned off. I really don't know how to deal with this, so please help, thank you!
The following is the detailed firewall configuration list for your reference.

ipset cmdlist:
exists PVEFW-0-management-v4 (wUkb5FpQvEqpMcadyVEXs1Pr/dU)
create PVEFW-0-management-v4 hash:net family inet hashsize 64 maxelem 64
exists PVEFW-0-management-v6 (lqofslucC/dL7L4GGuHKVULacp8)
create PVEFW-0-management-v6 hash:net family inet6 hashsize 64 maxelem 64
add PVEFW-0-management-v6 2a01:4f8:212:2ba2::2
exists PVEFW-7578794 (biZ78Gz5Sr8CAQzaG/0Cf0xgKec)
create PVEFW-7578794 hash:net family inet6 hashsize 64 maxelem 64
exists PVEFW-9578ABA (iVjaZ6kI6bscPfzoOwWkddJ2J9U)
create PVEFW-9578ABA hash:net family inet hashsize 64 maxelem 64
add PVEFW-9578ABA 5.9.93.15

iptables cmdlist:
exists PVEFW-Drop (WDy2wbFe7jNYEyoO3QhUELZ4mIQ)
-A PVEFW-Drop -p tcp --dport 43 -j PVEFW-reject
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp --match multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp --match multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp --sport 53 -j DROP
exists PVEFW-DropBroadcast (NyjHNAtFbkH7WGLamPpdVnxHy4w)
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
exists PVEFW-FORWARD (qnNexOcGa+y+jebd4dAUqFSp5nw)
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT
exists PVEFW-FWBR-IN (fXcLRW8GyZjLx04/R93U/plggj0)
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m physdev --physdev-is-bridged --physdev-out tap100i0 -j tap100i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-is-bridged --physdev-out tap101i0 -j tap101i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-is-bridged --physdev-out tap200i0 -j tap200i0-IN
exists PVEFW-FWBR-OUT (zen3LJaF2K54zEOOPjGDyWAPK1o)
-A PVEFW-FWBR-OUT -m physdev --physdev-is-bridged --physdev-in tap100i0 -j tap100i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-is-bridged --physdev-in tap101i0 -j tap101i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-is-bridged --physdev-in tap200i0 -j tap200i0-OUT
exists PVEFW-HOST-IN (ARl8pt8CbecefOuafIoWadeXHMs)
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -p icmp -j RETURN
-A PVEFW-HOST-IN -p tcp --match multiport --dports 8006,6231 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 60000:60050 -j RETURN
-A PVEFW-HOST-IN -j PVEFW-Drop
-A PVEFW-HOST-IN -j DROP
exists PVEFW-HOST-OUT (0zVqGNg5V7YiSxt0h+sEYJsXD+M)
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -j RETURN
exists PVEFW-INPUT (+5iMmLaxKXynOB/+5xibfx7WhFk)
-A PVEFW-INPUT -j PVEFW-HOST-IN
exists PVEFW-OUTPUT (LjHoZeSSiWAG3+2ZAyL/xuEehd0)
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
exists PVEFW-Reject (CZJnIN6rAdpu+ej59QPr9+laMUo)
-A PVEFW-Reject -p tcp --dport 43 -j PVEFW-reject
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp --match multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp --match multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp --sport 53 -j DROP
exists PVEFW-SET-ACCEPT-MARK (Hg/OIgIwJChBUcWU8Xnjhdd2jUY)
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-mark 0x80000000/0x80000000
exists PVEFW-logflags (MN4PH1oPZeABMuWr64RrygPfW7A)
-A PVEFW-logflags -j DROP
exists PVEFW-reject (Jlkrtle1mDdtxDeI9QaDSL++Npc)
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
exists PVEFW-smurflog (2gfT1VMkfr0JL6OccRXTGXo+1qk)
-A PVEFW-smurflog -j DROP
exists PVEFW-smurfs (HssVe5QCBXd5mc9kC88749+7fag)
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
exists PVEFW-tcpflags (CMFojwNPqllyqD67NeI5m+bP5mo)
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
exists tap100i0-IN (1dGN8VGabsdsZ9rxo9EZQOh/tk0)
-A tap100i0-IN -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-A tap100i0-IN -j PVEFW-Drop
-A tap100i0-IN -j DROP
exists tap100i0-OUT (BiiNE5Hzj9M2QVX0Ewsen4sbwRc)
-A tap100i0-OUT -m mac ! --mac-source A6:A3:92:17:01:A0 -j DROP
-A tap100i0-OUT -j MARK --set-mark 0x00000000/0x80000000
-A tap100i0-OUT -g PVEFW-SET-ACCEPT-MARK
exists tap101i0-IN (GH5aHJp9WYTKBubkUZxY58dMUlw)
-A tap101i0-IN -p icmp -j ACCEPT
-A tap101i0-IN -p tcp --dport 22 -j ACCEPT
-A tap101i0-IN -j PVEFW-Drop
-A tap101i0-IN -m limit --limit 1/sec -j NFLOG --nflog-prefix ":101:7:tap101i0-IN: policy DROP: "
-A tap101i0-IN -j DROP
exists tap101i0-OUT (gMvoEzMT/MMote0dRqGnt0f+Cg8)
-A tap101i0-OUT -j MARK --set-mark 0x00000000/0x80000000
-A tap101i0-OUT -g PVEFW-SET-ACCEPT-MARK
exists tap200i0-IN (0rNLy9kCBQrpiNnWq1dSOdFojcY)
-A tap200i0-IN -p tcp --dport 22 -j ACCEPT
-A tap200i0-IN -j PVEFW-Drop
-A tap200i0-IN -m limit --limit 1/sec -j NFLOG --nflog-prefix ":200:7:tap200i0-IN: policy DROP: "
-A tap200i0-IN -j DROP
exists tap200i0-OUT (dOD+aWU/LwzTR9Mi2e3yjKWVZOU)
-A tap200i0-OUT -j MARK --set-mark 0x00000000/0x80000000
-A tap200i0-OUT -g PVEFW-SET-ACCEPT-MARK
 
ip6tables cmdlist:
exists PVEFW-Drop (Jb79Uw7z1vZglIcV7QXA5uY/nbk)
-A PVEFW-Drop -p tcp --dport 43 -j PVEFW-reject
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp --match multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp --match multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp --sport 53 -j DROP
exists PVEFW-DropBroadcast (8Krk5Nh8pDZOOc7BQAbM6PlyFSU)
-A PVEFW-DropBroadcast -d ff00::/8 -j DROP
exists PVEFW-FORWARD (qnNexOcGa+y+jebd4dAUqFSp5nw)
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT
exists PVEFW-FWBR-IN (6MS+jj1878Sfsd4slOVzhAjvQ68)
-A PVEFW-FWBR-IN -m physdev --physdev-is-bridged --physdev-out tap100i0 -j tap100i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-is-bridged --physdev-out tap101i0 -j tap101i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-is-bridged --physdev-out tap200i0 -j tap200i0-IN
exists PVEFW-FWBR-OUT (zen3LJaF2K54zEOOPjGDyWAPK1o)
-A PVEFW-FWBR-OUT -m physdev --physdev-is-bridged --physdev-in tap100i0 -j tap100i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-is-bridged --physdev-in tap101i0 -j tap101i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-is-bridged --physdev-in tap200i0 -j tap200i0-OUT
exists PVEFW-HOST-IN (hhsGLTLDpHyAfsND+RymbnOiXx0)
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -p icmpv6 --icmpv6-type router-solicitation -j RETURN
-A PVEFW-HOST-IN -p icmpv6 --icmpv6-type router-advertisement -j RETURN
-A PVEFW-HOST-IN -p icmpv6 --icmpv6-type neighbor-solicitation -j RETURN
-A PVEFW-HOST-IN -p icmpv6 --icmpv6-type neighbor-advertisement -j RETURN
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -p tcp --match multiport --dports 8006,6231 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 60000:60050 -j RETURN
-A PVEFW-HOST-IN -j PVEFW-Drop
-A PVEFW-HOST-IN -j DROP
exists PVEFW-HOST-OUT (fFdmA2gUhSWYr3moGLIs6UAsUUI)
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p icmpv6 --icmpv6-type router-solicitation -j RETURN
-A PVEFW-HOST-OUT -p icmpv6 --icmpv6-type neighbor-solicitation -j RETURN
-A PVEFW-HOST-OUT -p icmpv6 --icmpv6-type neighbor-advertisement -j RETURN
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -d 2a01:04f8:0212:2ba2:0000:0000:0000:0002 -p tcp --dport 8006 -j RETURN
-A PVEFW-HOST-OUT -d 2a01:04f8:0212:2ba2:0000:0000:0000:0002 -p tcp --dport 22 -j RETURN
-A PVEFW-HOST-OUT -d 2a01:04f8:0212:2ba2:0000:0000:0000:0002 -p tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-OUT -d 2a01:04f8:0212:2ba2:0000:0000:0000:0002 -p tcp --dport 3128 -j RETURN
-A PVEFW-HOST-OUT -j RETURN
exists PVEFW-INPUT (+5iMmLaxKXynOB/+5xibfx7WhFk)
-A PVEFW-INPUT -j PVEFW-HOST-IN
exists PVEFW-OUTPUT (LjHoZeSSiWAG3+2ZAyL/xuEehd0)
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
exists PVEFW-Reject (aL1nrxJk/u3XmTb3Am2eaM/3yCM)
-A PVEFW-Reject -p tcp --dport 43 -j PVEFW-reject
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp --match multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp --match multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp --sport 53 -j DROP
exists PVEFW-SET-ACCEPT-MARK (Hg/OIgIwJChBUcWU8Xnjhdd2jUY)
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-mark 0x80000000/0x80000000
exists PVEFW-logflags (MN4PH1oPZeABMuWr64RrygPfW7A)
-A PVEFW-logflags -j DROP
exists PVEFW-reject (etEECUYcgUdzuuO+LDP83pu0S8Y)
-A PVEFW-reject -p icmpv6 -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp6-port-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp6-adm-prohibited
exists PVEFW-tcpflags (CMFojwNPqllyqD67NeI5m+bP5mo)
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
exists tap100i0-IN (Ow3GUgZ5jCGEFexHHa1Z4CixMvo)
-A tap100i0-IN -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
-A tap100i0-IN -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
-A tap100i0-IN -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-A tap100i0-IN -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-A tap100i0-IN -p icmpv6 -m icmpv6 --icmpv6-type echo-request -j ACCEPT
-A tap100i0-IN -j PVEFW-Drop
-A tap100i0-IN -j DROP
exists tap100i0-OUT (WPdUzdkNQCLblPsEP6mjcbQJItM)
-A tap100i0-OUT -m mac ! --mac-source A6:A3:92:17:01:A0 -j DROP
-A tap100i0-OUT -j MARK --set-mark 0x00000000/0x80000000
-A tap100i0-OUT -p icmpv6 --icmpv6-type router-solicitation -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -p icmpv6 --icmpv6-type router-advertisement -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -p icmpv6 --icmpv6-type neighbor-solicitation -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -p icmpv6 --icmpv6-type neighbor-advertisement -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -g PVEFW-SET-ACCEPT-MARK
exists tap101i0-IN (P6x7+3r22iqDHe9sR+Gn0Ige9ZM)
-A tap101i0-IN -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
-A tap101i0-IN -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
-A tap101i0-IN -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-A tap101i0-IN -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-A tap101i0-IN -p tcp --dport 22 -j ACCEPT
-A tap101i0-IN -j PVEFW-Drop
-A tap101i0-IN -m limit --limit 1/sec -j NFLOG --nflog-prefix ":101:7:tap101i0-IN: policy DROP: "
-A tap101i0-IN -j DROP
exists tap101i0-OUT (tO3k4zCk4/W38x6vK9NQiibv51E)
-A tap101i0-OUT -p icmpv6 --icmpv6-type router-advertisement -j DROP
-A tap101i0-OUT -j MARK --set-mark 0x00000000/0x80000000
-A tap101i0-OUT -p icmpv6 --icmpv6-type router-solicitation -g PVEFW-SET-ACCEPT-MARK
-A tap101i0-OUT -p icmpv6 --icmpv6-type neighbor-solicitation -g PVEFW-SET-ACCEPT-MARK
-A tap101i0-OUT -p icmpv6 --icmpv6-type neighbor-advertisement -g PVEFW-SET-ACCEPT-MARK
-A tap101i0-OUT -g PVEFW-SET-ACCEPT-MARK
exists tap200i0-IN (ZgY1Ygv14a5cfSWpC/n+0RDSJsE)
-A tap200i0-IN -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
-A tap200i0-IN -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
-A tap200i0-IN -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-A tap200i0-IN -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-A tap200i0-IN -p tcp --dport 22 -j ACCEPT
-A tap200i0-IN -j PVEFW-Drop
-A tap200i0-IN -m limit --limit 1/sec -j NFLOG --nflog-prefix ":200:7:tap200i0-IN: policy DROP: "
-A tap200i0-IN -j DROP
exists tap200i0-OUT (bIwhy2FFnXYHbAKJCfAr4yhJyNc)
-A tap200i0-OUT -p icmpv6 --icmpv6-type router-advertisement -j DROP
-A tap200i0-OUT -j MARK --set-mark 0x00000000/0x80000000
-A tap200i0-OUT -p icmpv6 --icmpv6-type router-solicitation -g PVEFW-SET-ACCEPT-MARK
-A tap200i0-OUT -p icmpv6 --icmpv6-type neighbor-solicitation -g PVEFW-SET-ACCEPT-MARK
-A tap200i0-OUT -p icmpv6 --icmpv6-type neighbor-advertisement -g PVEFW-SET-ACCEPT-MARK
-A tap200i0-OUT -g PVEFW-SET-ACCEPT-MARK
 
ebtables cmdlist:
exists PVEFW-FORWARD (ULtZ6lqjrD/jAKLY+OZo3BbXs9k)
-A PVEFW-FORWARD -p IPv4 -j ACCEPT
-A PVEFW-FORWARD -p IPv6 -j ACCEPT
-A PVEFW-FORWARD -o fwln+ -j PVEFW-FWBR-OUT
exists PVEFW-FWBR-OUT (bBErr+BFdPnjoJyK1GRUb7tVk9o)
-A PVEFW-FWBR-OUT -i tap100i0 -j tap100i0-OUT
-A PVEFW-FWBR-OUT -i tap101i0 -j tap101i0-OUT
-A PVEFW-FWBR-OUT -i tap200i0 -j tap200i0-OUT
exists tap100i0-OUT (+BRBqx01lcYKmq+SupcYIiuFBG0)
-A tap100i0-OUT -s ! a6:a3:92:17:1:a0 -j DROP
-A tap100i0-OUT -j ACCEPT
exists tap101i0-OUT (cdgmRI8WmHPt1Y05ofnvm8BQjaU)
-A tap101i0-OUT -j ACCEPT
exists tap200i0-OUT (UYkYuHRaWKh6dqdHPsmeZa2+hHI)
-A tap200i0-OUT -j ACCEPT
ignore FORWARD (zuQi5YOvmMWiM9zohnQw/qWemOA)
ignore INPUT (2jmj7l5rSw0yVb/vlWAYkK/YBwk)
ignore OUTPUT (2jmj7l5rSw0yVb/vlWAYkK/YBwk)

iptables table raw cmdlist:

ip6tables table raw cmdlist:
no changes
 
The following is a detailed list of the iptables rule configuration, which may help you:

# Generated by iptables-save v1.8.2 on Thu Jun 18 04:17:20 2020
*nat
:PREROUTING ACCEPT [18:1380]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [3:180]
:POSTROUTING ACCEPT [3:180]
-A PREROUTING -i enp2s0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.5:3389
-A PREROUTING -i enp2s0 -p tcp -m tcp --dport 10022 -j DNAT --to-destination 192.168.1.12:22
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -j SNAT --to-source 192.168.1.1
-A POSTROUTING -s 192.168.1.0/24 -o enp2s0 -j MASQUERADE
COMMIT
# Completed on Thu Jun 18 04:17:20 2020
# Generated by iptables-save v1.8.2 on Thu Jun 18 04:17:20 2020
*raw
:PREROUTING ACCEPT [270859:144980796]
:OUTPUT ACCEPT [152706:92529278]
-A PREROUTING -i fwbr+ -j CT --zone 1
COMMIT
# Completed on Thu Jun 18 04:17:20 2020
# Generated by iptables-save v1.8.2 on Thu Jun 18 04:17:20 2020
*filter
:INPUT ACCEPT [81:4258]
:FORWARD ACCEPT [887:76858]
:OUTPUT ACCEPT [0:0]
:PVEFW-Drop - [0:0]
:PVEFW-DropBroadcast - [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-FWBR-IN - [0:0]
:PVEFW-FWBR-OUT - [0:0]
:PVEFW-HOST-IN - [0:0]
:PVEFW-HOST-OUT - [0:0]
:PVEFW-INPUT - [0:0]
:PVEFW-OUTPUT - [0:0]
:PVEFW-Reject - [0:0]
:PVEFW-SET-ACCEPT-MARK - [0:0]
:PVEFW-logflags - [0:0]
:PVEFW-reject - [0:0]
:PVEFW-smurflog - [0:0]
:PVEFW-smurfs - [0:0]
:PVEFW-tcpflags - [0:0]
:tap100i0-IN - [0:0]
:tap100i0-OUT - [0:0]
:tap101i0-IN - [0:0]
:tap101i0-OUT - [0:0]
:tap200i0-IN - [0:0]
:tap200i0-OUT - [0:0]
-A INPUT -j PVEFW-INPUT
-A FORWARD -j PVEFW-FORWARD
-A OUTPUT -j PVEFW-OUTPUT
-A PVEFW-Drop -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
-A PVEFW-Drop -m comment --comment "PVESIG:WDy2wbFe7jNYEyoO3QhUELZ4mIQ"
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
-A PVEFW-DropBroadcast -m comment --comment "PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w"
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD -m comment --comment "PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw"
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m physdev --physdev-out tap100i0 --physdev-is-bridged -j tap100i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out tap101i0 --physdev-is-bridged -j tap101i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out tap200i0 --physdev-is-bridged -j tap200i0-IN
-A PVEFW-FWBR-IN -m comment --comment "PVESIG:fXcLRW8GyZjLx04/R93U/plggj0"
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap100i0 --physdev-is-bridged -j tap100i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap101i0 --physdev-is-bridged -j tap101i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap200i0 --physdev-is-bridged -j tap200i0-OUT
-A PVEFW-FWBR-OUT -m comment --comment "PVESIG:zen3LJaF2K54zEOOPjGDyWAPK1o"
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -p icmp -j RETURN
-A PVEFW-HOST-IN -p tcp -m multiport --dports 8006,6231 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 60000:60050 -j RETURN
-A PVEFW-HOST-IN -j PVEFW-Drop
-A PVEFW-HOST-IN -j DROP
-A PVEFW-HOST-IN -m comment --comment "PVESIG:ARl8pt8CbecefOuafIoWadeXHMs"
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -m comment --comment "PVESIG:0zVqGNg5V7YiSxt0h+sEYJsXD+M"
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-INPUT -m comment --comment "PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk"
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
-A PVEFW-OUTPUT -m comment --comment "PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0"
-A PVEFW-Reject -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp -m multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp -m multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp -m udp --sport 53 -j DROP
-A PVEFW-Reject -m comment --comment "PVESIG:CZJnIN6rAdpu+ej59QPr9+laMUo"
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x80000000/0x80000000
-A PVEFW-SET-ACCEPT-MARK -m comment --comment "PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY"
-A PVEFW-logflags -j DROP
-A PVEFW-logflags -m comment --comment "PVESIG:MN4PH1oPZeABMuWr64RrygPfW7A"
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
-A PVEFW-reject -m comment --comment "PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc"
-A PVEFW-smurflog -j DROP
-A PVEFW-smurflog -m comment --comment "PVESIG:2gfT1VMkfr0JL6OccRXTGXo+1qk"
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
-A PVEFW-smurfs -m comment --comment "PVESIG:HssVe5QCBXd5mc9kC88749+7fag"
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
-A PVEFW-tcpflags -m comment --comment "PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo"
-A tap100i0-IN -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A tap100i0-IN -j PVEFW-Drop
-A tap100i0-IN -j DROP
-A tap100i0-IN -m comment --comment "PVESIG:1dGN8VGabsdsZ9rxo9EZQOh/tk0"
-A tap100i0-OUT -m mac ! --mac-source A6:A3:92:17:01:A0 -j DROP
-A tap100i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A tap100i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -m comment --comment "PVESIG:BiiNE5Hzj9M2QVX0Ewsen4sbwRc"
-A tap101i0-IN -p tcp -m tcp --dport 22 -j ACCEPT
-A tap101i0-IN -j PVEFW-Drop
-A tap101i0-IN -m limit --limit 1/sec -j NFLOG --nflog-prefix ":101:7:tap101i0-IN: policy DROP: "
-A tap101i0-IN -j DROP
-A tap101i0-IN -m comment --comment "PVESIG:YRakR7W/fQu1IcBgge2jRE1xqEY"
-A tap101i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A tap101i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap101i0-OUT -m comment --comment "PVESIG:gMvoEzMT/MMote0dRqGnt0f+Cg8"
-A tap200i0-IN -p tcp -m tcp --dport 22 -j ACCEPT
-A tap200i0-IN -j PVEFW-Drop
-A tap200i0-IN -m limit --limit 1/sec -j NFLOG --nflog-prefix ":200:7:tap200i0-IN: policy DROP: "
-A tap200i0-IN -j DROP
-A tap200i0-IN -m comment --comment "PVESIG:0rNLy9kCBQrpiNnWq1dSOdFojcY"
-A tap200i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A tap200i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap200i0-OUT -m comment --comment "PVESIG:dOD+aWU/LwzTR9Mi2e3yjKWVZOU"
COMMIT
# Completed on Thu Jun 18 04:17:20 2020
 
According to your suggestion last time, I added the rule item suggested in the document to the raw table, which effectively solved the problem of the VM accessing the external network. However, the VM still could not ping the gateway address of the host, and the internal VMs could not access or ping each other.

Have you checked the routing tables? If they're not routing into the subnet then they can't talk with each other. Also, you should allow whichever ports you'd like to use between the VMs.

If you want to debug the firewall, you can use tcpdump or wireshark to see if the packets are reaching the destination, being accepted/denied, etc.

Also, please don't make multiple posts sending your configuration in the future, but instead create a file and attach it to the post.
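Added example (not code from the thread or from Proxmox): a small Python walker over a verbatim excerpt of the filter rules pasted above, showing why an ICMP echo-request is accepted by tap100i0-IN but dropped by tap101i0-IN, which matches the "VMs cannot ping each other" symptom. It models only the -p, --dport/--dports and --icmp-type matches and assumes a fresh unicast packet, so PVEFW-Drop's conntrack and addrtype rules are left out of the excerpt.

```python
import shlex
# Verbatim excerpt of the iptables-save output posted above. PVEFW-Drop's
# conntrack/addrtype rules are omitted: a fresh unicast packet matches none.
RULES = """\
-A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A tap100i0-IN -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A tap100i0-IN -j PVEFW-Drop
-A tap100i0-IN -j DROP
-A tap101i0-IN -p tcp -m tcp --dport 22 -j ACCEPT
-A tap101i0-IN -j PVEFW-Drop
-A tap101i0-IN -m limit --limit 1/sec -j NFLOG --nflog-prefix ":101:7:tap101i0-IN: policy DROP: "
-A tap101i0-IN -j DROP
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse(text):
    # Group "-A chain ... -j target" lines by chain; only -p, --dport(s), --icmp-type are modelled.
    chains = {}
    for tok in (shlex.split(line) for line in text.splitlines()):
        if tok[:1] == ["-A"]:
            rule = {"target": tok[tok.index("-j") + 1]}
            for flag in ("-p", "--dport", "--dports", "--icmp-type"):
                if flag in tok:
                    rule[flag] = tok[tok.index(flag) + 1]
            chains.setdefault(tok[1], []).append(rule)
    return chains

def matches(rule, pkt):
    for flag, value in (("-p", pkt["proto"]), ("--icmp-type", pkt.get("icmp_type"))):
        if rule.get(flag, value) != value:  # a rule without the match is satisfied
            return False
    ports = rule.get("--dport") or rule.get("--dports")  # "22", "137:139" or "135,139,445"
    if ports:  # each entry becomes a lo:hi span; a single port spans itself
        spans = [(p.split(":") * 2)[:2] for p in ports.split(",")]
        return any(int(lo) <= pkt.get("dport", 0) <= int(hi) for lo, hi in spans)
    return True

def verdict(chains, chain, pkt):
    # First terminal target wins; -j follows into sub-chains; NFLOG just logs, so the walk goes on.
    for rule in chains.get(chain, []):
        if matches(rule, pkt):
            target = rule["target"]
            if target in chains:  # sub-chain: use its verdict, or fall through on RETURN
                target = verdict(chains, target, pkt)
            if target in TERMINAL:
                return target
    return "RETURN"

ECHO_REQUEST = {"proto": "icmp", "icmp_type": "8"}  # constructed sample packet
print([verdict(parse(RULES), c, ECHO_REQUEST) for c in ("tap100i0-IN", "tap101i0-IN")])
# -> ['ACCEPT', 'DROP']: VM 100 allows echo-request, VM 101 falls to its final DROP
```

The NFLOG line on tap101i0-IN is what writes the ":101:7:tap101i0-IN: policy DROP:" entries in the Proxmox firewall log, so that log is the first place to confirm this verdict on a live host.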