
Checking the difference between a libvirt-managed network I created myself and the one libvirt creates by default

Preface

I want to check the iptables rules that the virtual host OS applies to the virtual guest OSes, as seen from the host side.

Rules in the INPUT chain


[root@centos vx]# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
INPUT_direct  all  --  anywhere             anywhere            
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere            
INPUT_ZONES  all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Rules in the OUTPUT chain


[root@centos vx]# iptables -L OUTPUT
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
OUTPUT_direct  all  --  anywhere             anywhere            

Rules in the FORWARD chain


[root@centos vx]# iptables -L FORWARD
Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             192.168.121.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.121.0/24     anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             192.168.102.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.102.0/24     anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             192.168.101.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.101.0/24     anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             192.168.100.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.100.0/24     anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
FORWARD_direct  all  --  anywhere             anywhere            
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere            
FORWARD_IN_ZONES  all  --  anywhere             anywhere            
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere            
FORWARD_OUT_ZONES  all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Rules in the PREROUTING chain (nat table)


[root@centos vx]# iptables -t nat -L PREROUTING
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
PREROUTING_direct  all  --  anywhere             anywhere            
PREROUTING_ZONES_SOURCE  all  --  anywhere             anywhere            
PREROUTING_ZONES  all  --  anywhere             anywhere            
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Rules in the POSTROUTING chain (nat table)


[root@centos vx]# iptables -t nat -L POSTROUTING
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
RETURN     all  --  192.168.121.0/24     base-address.mcast.net/24 
RETURN     all  --  192.168.121.0/24     255.255.255.255     
MASQUERADE  tcp  --  192.168.121.0/24    !192.168.121.0/24     masq ports: 1024-65535
MASQUERADE  udp  --  192.168.121.0/24    !192.168.121.0/24     masq ports: 1024-65535
MASQUERADE  all  --  192.168.121.0/24    !192.168.121.0/24    
RETURN     all  --  192.168.102.0/24     base-address.mcast.net/24 
RETURN     all  --  192.168.102.0/24     255.255.255.255     
MASQUERADE  tcp  --  192.168.102.0/24    !192.168.102.0/24     masq ports: 1024-65535
MASQUERADE  udp  --  192.168.102.0/24    !192.168.102.0/24     masq ports: 1024-65535
MASQUERADE  all  --  192.168.102.0/24    !192.168.102.0/24    
RETURN     all  --  192.168.101.0/24     base-address.mcast.net/24 
RETURN     all  --  192.168.101.0/24     255.255.255.255     
MASQUERADE  tcp  --  192.168.101.0/24    !192.168.101.0/24     masq ports: 1024-65535
MASQUERADE  udp  --  192.168.101.0/24    !192.168.101.0/24     masq ports: 1024-65535
MASQUERADE  all  --  192.168.101.0/24    !192.168.101.0/24    
RETURN     all  --  192.168.100.0/24     base-address.mcast.net/24 
RETURN     all  --  192.168.100.0/24     255.255.255.255     
MASQUERADE  tcp  --  192.168.100.0/24    !192.168.100.0/24     masq ports: 1024-65535
MASQUERADE  udp  --  192.168.100.0/24    !192.168.100.0/24     masq ports: 1024-65535
MASQUERADE  all  --  192.168.100.0/24    !192.168.100.0/24    
MASQUERADE  all  --  172.17.0.0/16        anywhere            
POSTROUTING_direct  all  --  anywhere             anywhere            
POSTROUTING_ZONES_SOURCE  all  --  anywhere             anywhere            
POSTROUTING_ZONES  all  --  anywhere             anywhere            

Rules in the RAW chain

Note that raw is an iptables table rather than a chain, so it is listed with iptables -t raw -L; the command below asks the nat table for a chain named RAW, which is why it fails.


[root@centos vx]# iptables -t nat -nvL RAW
iptables: No chain/target/match by that name.

If you build a network yourself, it looks like the POSTROUTING chain rules and the FORWARD chain rules are the ones you need to pay attention to.
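As an added example (not code from the original post), here is the per-network comparison the post sets out to do, done in Python over plain `iptables -L` text: rules are grouped by the subnet that generated them and each network's block is diffed against a reference network. The sample input is a constructed excerpt of the FORWARD listing above with one REJECT rule deliberately removed from the 192.168.102.0/24 block; since `-L` without `-v` hides the bridge interface, subnet-less rules are attributed positionally, and with `iptables -L -v` the grouping could key on the interface instead.

```python
import re
from collections import Counter

# Constructed sample: excerpt of the page's FORWARD listing, one REJECT dropped from .102
FORWARD = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.121.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.121.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             192.168.102.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.102.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
DOCKER-USER  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
"""
BUILTIN = {"ACCEPT", "DROP", "REJECT", "RETURN", "MASQUERADE"}  # anything else is a jump
SUBNET = re.compile(r"\d+\.\d+\.\d+\.\d+/\d+")

def parse_chain(listing):
    """Yield (target, prot, src, dst, extra) rows from `iptables -L <chain>` text."""
    for line in listing.splitlines():
        parts = line.split(None, 5)
        if len(parts) >= 5 and parts[0] not in ("Chain", "target"):
            target, prot, _opt, src, dst = parts[:5]
            yield (target, prot, src, dst, parts[5].strip() if len(parts) > 5 else "")

def group_by_subnet(rows):
    """Attribute rules to the libvirt network that generated them. Without -v the
    listing hides interfaces, so subnet-less rules join the block opened by the
    last subnet seen; a jump to a user chain (firewalld, Docker) closes the block."""
    blocks, current = {}, None
    for row in rows:
        match = SUBNET.search(row[2]) or SUBNET.search(row[3])
        if row[0] not in BUILTIN:
            current = None
        elif match:
            current = match.group(0)
        if current is not None:  # normalise the subnet so shapes compare across networks
            blocks.setdefault(current, []).append(tuple(f.replace(current, "<NET>") for f in row))
    return blocks

def diff_networks(blocks, reference):
    """Map each network to (rules missing vs. reference, rules extra vs. reference)."""
    ref = Counter(blocks[reference])
    return {net: (list(ref - Counter(rules)), list(Counter(rules) - ref))
            for net, rules in blocks.items() if net != reference and Counter(rules) != ref}
```

Feed it the POSTROUTING listing the same way to check the MASQUERADE and RETURN block per network; the Docker 172.17.0.0/16 rule then shows up as its own, differently shaped block.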
