netfilter-ruby 4.2

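--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,132 @@
+class Netfilter
+class Tool
+attr_accessor :tables, :namespace
+
+def self.import(data)
+data = data.symbolize_keys
+new(data[:namespace]).tap do |tool|
+data[:tables].each do |data|
+table = Table.import(tool, data)
+tool.tables[table.name.to_s.downcase] = table
+end
+end
+end
+
+def self.executable
+name.demodulize.downcase
+end
+
+def self.execute(command)
+# puts "Executing: #{command}"
+stdout = `#{command} 2>&1`.strip
+status = $?
+if status.exitstatus == 0
+stdout
+else
+raise SystemError, :command => command, :error => stdout
+end
+end
+
+def self.delete_chain(name)
+commands = []
+parse.each do |table, chains|
+chains.each do |chain, rules|
+rules.each do |rule|
+if rule.match("-j #{name}")
+commands << "--table #{table} --delete #{chain} #{rule}"
+end
+end
+end
+
+chains.each do |chain, rules|
+if chain.match(name)
+commands << "--table #{table} --delete-chain #{chain}"
+end
+end
+end
+commands.each{ |command| execute("#{executable} #{command}") }
+end
+
+def initialize(namespace = nil)
+self.namespace = namespace
+self.tables = {}
+yield(self) if block_given?
+end
+
+def table(name, &block)
+key = name.to_s.downcase
+(tables[key] || Table.new(self, name)).tap do |table|
+tables[key] = table
+block.call(table) if block
+end
+end
+
+def pp
+tables.values.sort_by(&:name).each do |table|
+puts [table.name]*"\t"
+table.chains.values.sort_by(&:name).each do |chain|
+puts ["", chain.name_as_argument]*"\t"
+chain.filters.each do |filter|
+puts ["", "", filter]*"\t"
+end
+end
+end
+end
+
+def commands
+[].tap do |commands|
+tables.values.each do |table|
+table.commands.each do |command|
+commands << command.unshift(executable)*" "
+end
+end
+end
+end
+
+def up
+@executed_commands = []
+commands.each do |command|
+execute(command)
+@executed_commands << command
+end
+rescue SystemError => e
+rollback
+raise e
+end
+
+def down
+@executed_commands = commands
+rollback
+end
+
+def export
+{
+:namespace => namespace,
+:tables => tables.values.map{ |table| table.export },
+}
+end
+
+def executable
+self.class.executable
+end
+
+private
+
+def rollback
+@executed_commands.reverse.each do |command|
+command = argument_rename(command, "new-chain", "delete-chain")
+command = argument_rename(command, "append", "delete")
+command = argument_rename(command, "insert", "delete")
+execute(command)
+end
+end
+
+def argument_rename(command, old_name, new_name)
+command.gsub(/--#{Regexp.escape(old_name)}(\s|$)/, "--#{new_name}\\1")
+end
+
+def execute(command)
+self.class.execute(command)
+end
+end
+end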
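Review bot: `Tool.delete_chain` selects what to delete with unescaped, unanchored regex matches — `rule.match("-j #{name}")` and `chain.match(name)` turn the string into a Regexp and accept any substring — so deleting `guest1` would also strip the jump rules to, and the chain named, `guest15865-1-i`, and a name containing regex metacharacters either raises or matches something else; compare exactly instead, e.g. `if rule =~ /(\A|\s)-j #{Regexp.escape(name)}(\s|\z)/` and `if chain == name`. The same method then feeds the parsed rule text straight back into `Tool.execute`, which runs the command line through a shell via backtick interpolation (hunk line 21); because rule text, chain and table names originate from `parse` output or from `import(data)`, any shell metacharacters in them (quoted rule arguments are a plausible case) are reinterpreted by the shell, whereas running the executable without a shell, `Open3.capture2e(executable, *args)` on an argv array with `status.success?`, would keep argument boundaries intact. Minor: in `import` the inner block parameter `data` shadows the outer `data`, and the instance method `pp` shadows `Kernel#pp`.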
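--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,3 @@
+class Netfilter
+VERSION = "4.2"
+end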
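--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,26 @@
+# -*- encoding: utf-8 -*-
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'netfilter/version'
+
+Gem::Specification.new do |gem|
+gem.name = "netfilter-ruby"
+gem.version = Netfilter::VERSION
+gem.authors = ["Netskin GmbH", "Corin Langosch"]
+gem.email = ["info@netskin.com", "info@corinlangosch.com"]
+gem.description = %q{Awesome Netfilter management}
+gem.summary = %q{Awesome Netfilter (iptables & ebtables) management using ruby}
+gem.homepage = "http://github.com/netskin/netfilter-ruby"
+
+gem.files = `git ls-files`.split($/)
+gem.executables = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+gem.test_files = gem.files.grep(%r{^(test|spec|features)/})
+gem.require_paths = ["lib"]
+
+gem.add_dependency "activesupport", ">= 3.0.0"
+
+gem.add_development_dependency "rspec", "~> 2.12"
+gem.add_development_dependency "awesome_print"
+gem.add_development_dependency "json"
+gem.add_development_dependency "rake"
+end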
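Review bot: `gem.add_dependency "activesupport", ">= 3.0.0"` has no upper bound, so a fresh install resolves to whatever ActiveSupport is current and the resolver is free to pick a major version this gem was never tested against; the visible `Tool` class only uses `symbolize_keys` and `demodulize`, but other files may depend on more. A pessimistic constraint such as `gem.add_dependency "activesupport", "~> 3.0"`, widened as newer majors are verified, is the usual fix. The `http://` homepage could also be `https://`.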
@@ -0,0 +1,209 @@
1
+ #encoding: utf-8
2
+ require 'spec_helper'
3
+ describe Netfilter::EbTables do
4
+ describe "Class Methods" do
5
+ describe "parse" do
6
+ it "should not crash when there are no rules" do
7
+ Netfilter::EbTables.stub(:execute).and_return <<EOT
8
+ Bridge table: filter
9
+
10
+ Bridge chain: INPUT, entries: 0, policy: ACCEPT
11
+
12
+ Bridge chain: FORWARD, entries: 0, policy: ACCEPT
13
+
14
+ Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
15
+ EOT
16
+
17
+ Netfilter::EbTables.parse.should eq(
18
+ "filter" => {
19
+ "INPUT" => [
20
+ ],
21
+ "FORWARD" => [
22
+ ],
23
+ "OUTPUT" => [
24
+ ],
25
+ },
26
+ )
27
+ end
28
+
29
+ it "should properly parse the current system's iptables" do
30
+ Netfilter::EbTables.stub(:execute).and_return <<EOT
31
+ Bridge table: filter
32
+
33
+ Bridge chain: INPUT, entries: 3, policy: ACCEPT
34
+ -i tap15866 -j guest15865-1-o
35
+ -i tap19266 -j guest19265-1-o
36
+ -i tap592992 -j guest592991-1-o
37
+
38
+ Bridge chain: FORWARD, entries: 6, policy: ACCEPT
39
+ -i tap15866 -j guest15865-1-o
40
+ -o tap15866 -j guest15865-1-i
41
+ -i tap19266 -j guest19265-1-o
42
+ -o tap19266 -j guest19265-1-i
43
+ -i tap592992 -j guest592991-1-o
44
+ -o tap592992 -j guest592991-1-i
45
+
46
+ Bridge chain: OUTPUT, entries: 3, policy: ACCEPT
47
+ -o tap15866 -j guest15865-1-i
48
+ -o tap19266 -j guest19265-1-i
49
+ -o tap592992 -j guest592991-1-i
50
+
51
+ Bridge chain: guest15865-1-o, entries: 14, policy: ACCEPT
52
+ -s ! 2:1a:83:13:5d:26 -j DROP
53
+ -p IPv4 --ip-dst 10.0.0.0/8 -j DROP
54
+ -p IPv4 --ip-dst 169.254.0.0/16 -j DROP
55
+ -p IPv4 --ip-dst 172.16.0.0/12 -j DROP
56
+ -p IPv4 --ip-dst 192.168.0.0/16 -j DROP
57
+ -p IPv4 --ip-src 185.14.157.11 -j RETURN
58
+ -p ARP --arp-ip-src 185.14.157.11 --arp-mac-src 2:1a:83:13:5d:26 -j RETURN
59
+ -p IPv4 --ip-src 185.14.157.12 -j RETURN
60
+ -p ARP --arp-ip-src 185.14.157.12 --arp-mac-src 2:1a:83:13:5d:26 -j RETURN
61
+ -p IPv4 --ip-src 185.14.157.13 -j RETURN
62
+ -p ARP --arp-ip-src 185.14.157.13 --arp-mac-src 2:1a:83:13:5d:26 -j RETURN
63
+ -p IPv6 --ip6-src 2a03:b240:101:4f::/ffff:ffff:ffff:ffff:: -j RETURN
64
+ -p IPv4 --ip-src 0.0.0.0 --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 68 --ip-dport 67 -j RETURN
65
+ -j DROP
66
+
67
+ Bridge chain: guest15865-1-i, entries: 8, policy: ACCEPT
68
+ -p ARP --arp-op Request --arp-ip-dst 185.14.157.11 -j RETURN
69
+ -p ARP --arp-op Request --arp-ip-dst 185.14.157.12 -j RETURN
70
+ -p ARP --arp-op Request --arp-ip-dst 185.14.157.13 -j RETURN
71
+ -p ARP --arp-op Request -j DROP
72
+ -d 2:1a:83:13:5d:26 -j RETURN
73
+ -d 33:33:0:0:0:0/ff:ff:0:0:0:0 -j RETURN
74
+ -p IPv4 -s 0:16:3e:d6:1:4 -d Broadcast --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 67 --ip-dport 68 -j RETURN
75
+ -j DROP
76
+
77
+ Bridge chain: guest19265-1-o, entries: 10, policy: ACCEPT
78
+ -s ! 2:bd:7f:46:96:e -j DROP
79
+ -p IPv4 --ip-dst 10.0.0.0/8 -j DROP
80
+ -p IPv4 --ip-dst 169.254.0.0/16 -j DROP
81
+ -p IPv4 --ip-dst 172.16.0.0/12 -j DROP
82
+ -p IPv4 --ip-dst 192.168.0.0/16 -j DROP
83
+ -p IPv4 --ip-src 185.14.157.109 -j RETURN
84
+ -p ARP --arp-ip-src 185.14.157.109 --arp-mac-src 2:bd:7f:46:96:e -j RETURN
85
+ -p IPv6 --ip6-src 2a03:b240:101:16::/ffff:ffff:ffff:ffff:: -j RETURN
86
+ -p IPv4 --ip-src 0.0.0.0 --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 68 --ip-dport 67 -j RETURN
87
+ -j DROP
88
+
89
+ Bridge chain: guest19265-1-i, entries: 6, policy: ACCEPT
90
+ -p ARP --arp-op Request --arp-ip-dst 185.14.157.109 -j RETURN
91
+ -p ARP --arp-op Request -j DROP
92
+ -d 2:bd:7f:46:96:e -j RETURN
93
+ -d 33:33:0:0:0:0/ff:ff:0:0:0:0 -j RETURN
94
+ -p IPv4 -s 0:16:3e:d6:1:4 -d Broadcast --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 67 --ip-dport 68 -j RETURN
95
+ -j DROP
96
+
97
+ Bridge chain: guest592991-1-o, entries: 10, policy: ACCEPT
98
+ -s ! 2:23:6c:ab:41:c5 -j DROP
99
+ -p IPv4 --ip-dst 10.0.0.0/8 -j DROP
100
+ -p IPv4 --ip-dst 169.254.0.0/16 -j DROP
101
+ -p IPv4 --ip-dst 172.16.0.0/12 -j DROP
102
+ -p IPv4 --ip-dst 192.168.0.0/16 -j DROP
103
+ -p IPv4 --ip-src 185.14.157.123 -j RETURN
104
+ -p ARP --arp-ip-src 185.14.157.123 --arp-mac-src 2:23:6c:ab:41:c5 -j RETURN
105
+ -p IPv6 --ip6-src 2a03:b240:101:14::/ffff:ffff:ffff:ffff:: -j RETURN
106
+ -p IPv4 --ip-src 0.0.0.0 --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 68 --ip-dport 67 -j RETURN
107
+ -j DROP
108
+
109
+ Bridge chain: guest592991-1-i, entries: 6, policy: ACCEPT
110
+ -p ARP --arp-op Request --arp-ip-dst 185.14.157.123 -j RETURN
111
+ -p ARP --arp-op Request -j DROP
112
+ -d 2:23:6c:ab:41:c5 -j RETURN
113
+ -d 33:33:0:0:0:0/ff:ff:0:0:0:0 -j RETURN
114
+ -p IPv4 -s 0:16:3e:d6:1:4 -d Broadcast --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 67 --ip-dport 68 -j RETURN
115
+ -j DROP
116
+ EOT
117
+
118
+ Netfilter::EbTables.parse.should eq(
119
+ "filter" => {
120
+ "INPUT" => [
121
+ "-i tap15866 -j guest15865-1-o",
122
+ "-i tap19266 -j guest19265-1-o",
123
+ "-i tap592992 -j guest592991-1-o"
124
+ ],
125
+ "FORWARD" => [
126
+ "-i tap15866 -j guest15865-1-o",
127
+ "-o tap15866 -j guest15865-1-i",
128
+ "-i tap19266 -j guest19265-1-o",
129
+ "-o tap19266 -j guest19265-1-i",
130
+ "-i tap592992 -j guest592991-1-o",
131
+ "-o tap592992 -j guest592991-1-i"
132
+ ],
133
+ "OUTPUT" => [
134
+ "-o tap15866 -j guest15865-1-i",
135
+ "-o tap19266 -j guest19265-1-i",
136
+ "-o tap592992 -j guest592991-1-i"
137
+ ],
138
+ "guest15865-1-o" => [
139
+ "-s ! 2:1a:83:13:5d:26 -j DROP",
140
+ "-p IPv4 --ip-dst 10.0.0.0/8 -j DROP",
141
+ "-p IPv4 --ip-dst 169.254.0.0/16 -j DROP",
142
+ "-p IPv4 --ip-dst 172.16.0.0/12 -j DROP",
143
+ "-p IPv4 --ip-dst 192.168.0.0/16 -j DROP",
144
+ "-p IPv4 --ip-src 185.14.157.11 -j RETURN",
145
+ "-p ARP --arp-ip-src 185.14.157.11 --arp-mac-src 2:1a:83:13:5d:26 -j RETURN",
146
+ "-p IPv4 --ip-src 185.14.157.12 -j RETURN",
147
+ "-p ARP --arp-ip-src 185.14.157.12 --arp-mac-src 2:1a:83:13:5d:26 -j RETURN",
148
+ "-p IPv4 --ip-src 185.14.157.13 -j RETURN",
149
+ "-p ARP --arp-ip-src 185.14.157.13 --arp-mac-src 2:1a:83:13:5d:26 -j RETURN",
150
+ "-p IPv6 --ip6-src 2a03:b240:101:4f::/ffff:ffff:ffff:ffff:: -j RETURN",
151
+ "-p IPv4 --ip-src 0.0.0.0 --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 68 --ip-dport 67 -j RETURN",
152
+ "-j DROP"
153
+ ],
154
+ "guest15865-1-i" => [
155
+ "-p ARP --arp-op Request --arp-ip-dst 185.14.157.11 -j RETURN",
156
+ "-p ARP --arp-op Request --arp-ip-dst 185.14.157.12 -j RETURN",
157
+ "-p ARP --arp-op Request --arp-ip-dst 185.14.157.13 -j RETURN",
158
+ "-p ARP --arp-op Request -j DROP",
159
+ "-d 2:1a:83:13:5d:26 -j RETURN",
160
+ "-d 33:33:0:0:0:0/ff:ff:0:0:0:0 -j RETURN",
161
+ "-p IPv4 -s 0:16:3e:d6:1:4 -d Broadcast --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 67 --ip-dport 68 -j RETURN",
162
+ "-j DROP"
163
+ ],
164
+ "guest19265-1-o" => [
165
+ "-s ! 2:bd:7f:46:96:e -j DROP",
166
+ "-p IPv4 --ip-dst 10.0.0.0/8 -j DROP",
167
+ "-p IPv4 --ip-dst 169.254.0.0/16 -j DROP",
168
+ "-p IPv4 --ip-dst 172.16.0.0/12 -j DROP",
169
+ "-p IPv4 --ip-dst 192.168.0.0/16 -j DROP",
170
+ "-p IPv4 --ip-src 185.14.157.109 -j RETURN",
171
+ "-p ARP --arp-ip-src 185.14.157.109 --arp-mac-src 2:bd:7f:46:96:e -j RETURN",
172
+ "-p IPv6 --ip6-src 2a03:b240:101:16::/ffff:ffff:ffff:ffff:: -j RETURN",
173
+ "-p IPv4 --ip-src 0.0.0.0 --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 68 --ip-dport 67 -j RETURN",
174
+ "-j DROP"
175
+ ],
176
+ "guest19265-1-i" => [
177
+ "-p ARP --arp-op Request --arp-ip-dst 185.14.157.109 -j RETURN",
178
+ "-p ARP --arp-op Request -j DROP",
179
+ "-d 2:bd:7f:46:96:e -j RETURN",
180
+ "-d 33:33:0:0:0:0/ff:ff:0:0:0:0 -j RETURN",
181
+ "-p IPv4 -s 0:16:3e:d6:1:4 -d Broadcast --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 67 --ip-dport 68 -j RETURN",
182
+ "-j DROP"
183
+ ],
184
+ "guest592991-1-o" => [
185
+ "-s ! 2:23:6c:ab:41:c5 -j DROP",
186
+ "-p IPv4 --ip-dst 10.0.0.0/8 -j DROP",
187
+ "-p IPv4 --ip-dst 169.254.0.0/16 -j DROP",
188
+ "-p IPv4 --ip-dst 172.16.0.0/12 -j DROP",
189
+ "-p IPv4 --ip-dst 192.168.0.0/16 -j DROP",
190
+ "-p IPv4 --ip-src 185.14.157.123 -j RETURN",
191
+ "-p ARP --arp-ip-src 185.14.157.123 --arp-mac-src 2:23:6c:ab:41:c5 -j RETURN",
192
+ "-p IPv6 --ip6-src 2a03:b240:101:14::/ffff:ffff:ffff:ffff:: -j RETURN",
193
+ "-p IPv4 --ip-src 0.0.0.0 --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 68 --ip-dport 67 -j RETURN",
194
+ "-j DROP"
195
+ ],
196
+ "guest592991-1-i" => [
197
+ "-p ARP --arp-op Request --arp-ip-dst 185.14.157.123 -j RETURN",
198
+ "-p ARP --arp-op Request -j DROP",
199
+ "-d 2:23:6c:ab:41:c5 -j RETURN",
200
+ "-d 33:33:0:0:0:0/ff:ff:0:0:0:0 -j RETURN",
201
+ "-p IPv4 -s 0:16:3e:d6:1:4 -d Broadcast --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 67 --ip-dport 68 -j RETURN",
202
+ "-j DROP"
203
+ ],
204
+ },
205
+ )
206
+ end
207
+ end
208
+ end
209
+ end
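Review bot: The second example's description, `it "should properly parse the current system's iptables"`, appears to be copied from the iptables spec; this file exercises `Netfilter::EbTables.parse`, so `ebtables` is the accurate word. Both examples stub `execute` with no constraint on its argument, so the spec never verifies which command `parse` issues; adding a `.with(...)` expectation on the stubbed call would pin that. The expected hash also duplicates the fixture rule by rule, which makes the spec long without adding coverage beyond the happy path.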
@@ -0,0 +1,133 @@
1
+ #encoding: utf-8
2
+ require 'spec_helper'
3
+ describe Netfilter::IpTables do
4
+ describe "Class Methods" do
5
+ describe "parse" do
6
+ it "should not crash when there are no rules" do
7
+ Netfilter::IpTables.stub(:execute).and_return <<EOT
8
+ # Generated by iptables-save v1.4.12 on Wed Sep 18 22:10:46 2013
9
+ *filter
10
+ :INPUT ACCEPT [482594:85187003]
11
+ :FORWARD ACCEPT [0:0]
12
+ :OUTPUT ACCEPT [481491:61131132]
13
+ COMMIT
14
+ # Completed on Wed Sep 18 22:10:46 2013
15
+ EOT
16
+
17
+ Netfilter::IpTables.parse.should eq(
18
+ "filter" => {
19
+ "INPUT" => [
20
+ ],
21
+ "FORWARD" => [
22
+ ],
23
+ "OUTPUT" => [
24
+ ],
25
+ },
26
+ )
27
+ end
28
+
29
+
30
+ it "should properly parse the current system's iptables" do
31
+ Netfilter::IpTables.stub(:execute).and_return <<EOT
32
+ # Generated by iptables-save v1.4.12 on Wed Sep 18 14:15:43 2013
33
+ *nat
34
+ :PREROUTING ACCEPT [920364:135062514]
35
+ :INPUT ACCEPT [62393:3917616]
36
+ :OUTPUT ACCEPT [59623:4116943]
37
+ :POSTROUTING ACCEPT [640454:41456220]
38
+ -A PREROUTING -d 185.14.157.109/32 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 10.0.0.8:5921
39
+ -A PREROUTING -d 185.14.157.123/32 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 10.0.0.8:5923
40
+ COMMIT
41
+ # Completed on Wed Sep 18 14:15:43 2013
42
+ # Generated by iptables-save v1.4.12 on Wed Sep 18 14:15:43 2013
43
+ *filter
44
+ :INPUT DROP [5647:1842222]
45
+ :FORWARD ACCEPT [267259:341060431]
46
+ :OUTPUT ACCEPT [3936250:18401515934]
47
+ :guest15865-1-i - [0:0]
48
+ :guest19265-1-i - [0:0]
49
+ :guest592991-1-i - [0:0]
50
+ -A INPUT -d 10.0.0.8/32 -p tcp -m tcp --dport 5920 -j DROP
51
+ -A INPUT -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
52
+ -A INPUT -d 127.0.0.0/8 -i lo -j ACCEPT
53
+ -A INPUT -s 212.224.87.102/32 -p tcp -m tcp --dport 4949 -j ACCEPT
54
+ -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
55
+ -A INPUT -p icmp -j ACCEPT
56
+ -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
57
+ -A INPUT -m conntrack --ctstate INVALID -j DROP
58
+ -A INPUT -d 10.0.0.8/32 -p tcp -m tcp --dport 5921 -j ACCEPT
59
+ -A INPUT -d 10.0.0.8/32 -p tcp -m tcp --dport 5923 -j ACCEPT
60
+ -A FORWARD -m physdev --physdev-out tap15866 --physdev-is-bridged -j guest15865-1-i
61
+ -A FORWARD -m physdev --physdev-out tap19266 --physdev-is-bridged -j guest19265-1-i
62
+ -A FORWARD -m physdev --physdev-out tap592992 --physdev-is-bridged -j guest592991-1-i
63
+ -A guest15865-1-i -j RETURN
64
+ -A guest19265-1-i -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
65
+ -A guest19265-1-i -p tcp -m tcp --dport 80 -j RETURN
66
+ -A guest19265-1-i -p tcp -m tcp --dport 22 -j RETURN
67
+ -A guest19265-1-i -p tcp -m tcp --dport 443 -j RETURN
68
+ -A guest19265-1-i -s 185.14.157.0/24 -p udp -m udp --dport 67 -j RETURN
69
+ -A guest19265-1-i -s 185.14.157.0/24 -p udp -m udp --dport 68 -j RETURN
70
+ -A guest19265-1-i -p tcp -j DROP
71
+ -A guest19265-1-i -p udp -j DROP
72
+ -A guest19265-1-i -j RETURN
73
+ -A guest592991-1-i -j RETURN
74
+ COMMIT
75
+ # Completed on Wed Sep 18 14:15:43 2013
76
+ EOT
77
+
78
+ Netfilter::IpTables.parse.should eq(
79
+ "nat" => {
80
+ "PREROUTING" => [
81
+ "-d 185.14.157.109/32 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 10.0.0.8:5921",
82
+ "-d 185.14.157.123/32 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 10.0.0.8:5923"
83
+ ],
84
+ "INPUT" => [
85
+ ],
86
+ "OUTPUT" => [
87
+ ],
88
+ "POSTROUTING" => [
89
+ ],
90
+ },
91
+ "filter" => {
92
+ "INPUT" => [
93
+ "-d 10.0.0.8/32 -p tcp -m tcp --dport 5920 -j DROP",
94
+ "-s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT",
95
+ "-d 127.0.0.0/8 -i lo -j ACCEPT",
96
+ "-s 212.224.87.102/32 -p tcp -m tcp --dport 4949 -j ACCEPT",
97
+ "-p tcp -m tcp --dport 22 -j ACCEPT",
98
+ "-p icmp -j ACCEPT",
99
+ "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
100
+ "-m conntrack --ctstate INVALID -j DROP",
101
+ "-d 10.0.0.8/32 -p tcp -m tcp --dport 5921 -j ACCEPT",
102
+ "-d 10.0.0.8/32 -p tcp -m tcp --dport 5923 -j ACCEPT"
103
+ ],
104
+ "FORWARD" => [
105
+ "-m physdev --physdev-out tap15866 --physdev-is-bridged -j guest15865-1-i",
106
+ "-m physdev --physdev-out tap19266 --physdev-is-bridged -j guest19265-1-i",
107
+ "-m physdev --physdev-out tap592992 --physdev-is-bridged -j guest592991-1-i"
108
+ ],
109
+ "OUTPUT" => [
110
+ ],
111
+ "guest15865-1-i" => [
112
+ "-j RETURN"
113
+ ],
114
+ "guest19265-1-i" => [
115
+ "-m conntrack --ctstate RELATED,ESTABLISHED -j RETURN",
116
+ "-p tcp -m tcp --dport 80 -j RETURN",
117
+ "-p tcp -m tcp --dport 22 -j RETURN",
118
+ "-p tcp -m tcp --dport 443 -j RETURN",
119
+ "-s 185.14.157.0/24 -p udp -m udp --dport 67 -j RETURN",
120
+ "-s 185.14.157.0/24 -p udp -m udp --dport 68 -j RETURN",
121
+ "-p tcp -j DROP",
122
+ "-p udp -j DROP",
123
+ "-j RETURN"
124
+ ],
125
+ "guest592991-1-i" => [
126
+ "-j RETURN"
127
+ ],
128
+ },
129
+ )
130
+ end
131
+ end
132
+ end
133
+ end
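Review bot: Both fixtures contain only `-A` rules whose arguments are single tokens; iptables-save also emits quoted arguments (for instance `-m comment --comment "some text"`), and nothing here shows how `parse` treats the quotes and embedded spaces — this matters because `Tool.delete_chain` re-executes parsed rule text through a shell. A fixture line with a quoted argument plus an assertion on the exact parsed string would pin that behaviour. As in the ebtables spec, `stub(:execute)` accepts any argument, so the command `parse` runs is never checked.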