jlehtone wrote: ↑2020/03/25 14:50:10
CentOS 8 does not have "iptables" in the kernel. Kernel has only "nftables".
The userland tool to see nftables content is "nft". Firewalld uses nft to write nftables rules.
There is still tool "iptables" but it is just a wrapper for nft. Firewalld and iptables do not write to same tables.
The output from nft list ruleset contains forwarding rules:
Code: Select all
table ip firewalld {
...
chain nat_PRE_external_allow {
tcp dport 1119 dnat to 10.0.0.221
tcp dport 1120 dnat to 10.0.0.221
udp dport 3074 dnat to 10.0.0.221
udp dport 3097 dnat to 10.0.0.221
tcp dport 25565 dnat to 10.0.0.225
udp dport 25565 dnat to 10.0.0.225
udp dport 19133 dnat to 10.0.0.225
udp dport 19132 dnat to 10.0.0.225
udp dport 44310 dnat to 10.0.0.11
tcp dport 44310 dnat to 10.0.0.11
}
...
The whole output:
Code: Select all
$ sudo nft list ruleset
[sudo] password for router:
table ip filter {
chain INPUT {
type filter hook input priority 0; policy accept;
iifname "virbr0" meta l4proto udp udp dport 53 counter packets 0 bytes 0 accept
iifname "virbr0" meta l4proto tcp tcp dport 53 counter packets 0 bytes 0 accept
iifname "virbr0" meta l4proto udp udp dport 67 counter packets 0 bytes 0 accept
iifname "virbr0" meta l4proto tcp tcp dport 67 counter packets 0 bytes 0 accept
}
chain FORWARD {
type filter hook forward priority 0; policy accept;
oifname "virbr0" ip daddr 192.168.122.0/24 ct state related,established counter packets 0 bytes 0 accept
iifname "virbr0" ip saddr 192.168.122.0/24 counter packets 0 bytes 0 accept
iifname "virbr0" oifname "virbr0" counter packets 0 bytes 0 accept
oifname "virbr0" counter packets 0 bytes 0 reject
iifname "virbr0" counter packets 0 bytes 0 reject
iifname "enp2s0" oifname "enp0s20u1" counter packets 7895279 bytes 1672143468 accept
iifname "enp0s20u1" oifname "enp2s0" ct state related,established counter packets 10465407 bytes 11327638201 accept
}
chain OUTPUT {
type filter hook output priority 0; policy accept;
oifname "virbr0" meta l4proto udp udp dport 68 counter packets 0 bytes 0 accept
}
}
table ip6 filter {
chain INPUT {
type filter hook input priority 0; policy accept;
}
chain FORWARD {
type filter hook forward priority 0; policy accept;
}
chain OUTPUT {
type filter hook output priority 0; policy accept;
}
}
table bridge filter {
chain INPUT {
type filter hook input priority -200; policy accept;
}
chain FORWARD {
type filter hook forward priority -200; policy accept;
}
chain OUTPUT {
type filter hook output priority -200; policy accept;
}
}
table ip security {
chain INPUT {
type filter hook input priority 150; policy accept;
}
chain FORWARD {
type filter hook forward priority 150; policy accept;
}
chain OUTPUT {
type filter hook output priority 150; policy accept;
}
}
table ip raw {
chain PREROUTING {
type filter hook prerouting priority -300; policy accept;
}
chain OUTPUT {
type filter hook output priority -300; policy accept;
}
}
table ip mangle {
chain PREROUTING {
type filter hook prerouting priority -150; policy accept;
}
chain INPUT {
type filter hook input priority -150; policy accept;
}
chain FORWARD {
type filter hook forward priority -150; policy accept;
}
chain OUTPUT {
type route hook output priority -150; policy accept;
}
chain POSTROUTING {
type filter hook postrouting priority -150; policy accept;
oifname "virbr0" meta l4proto udp udp dport 68 counter packets 0 bytes 0 # CHECKSUM fill
}
}
table ip nat {
chain PREROUTING {
type nat hook prerouting priority -100; policy accept;
}
chain INPUT {
type nat hook input priority 100; policy accept;
}
chain POSTROUTING {
type nat hook postrouting priority 100; policy accept;
ip saddr 192.168.122.0/24 ip daddr 224.0.0.0/24 counter packets 2 bytes 159 return
ip saddr 192.168.122.0/24 ip daddr 255.255.255.255 counter packets 0 bytes 0 return
meta l4proto tcp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade to :1024-65535
meta l4proto udp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade to :1024-65535
ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade
oifname "enp0s20u1" counter packets 31391 bytes 3415807 masquerade
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
}
}
table ip6 security {
chain INPUT {
type filter hook input priority 150; policy accept;
}
chain FORWARD {
type filter hook forward priority 150; policy accept;
}
chain OUTPUT {
type filter hook output priority 150; policy accept;
}
}
table ip6 raw {
chain PREROUTING {
type filter hook prerouting priority -300; policy accept;
}
chain OUTPUT {
type filter hook output priority -300; policy accept;
}
}
table ip6 mangle {
chain PREROUTING {
type filter hook prerouting priority -150; policy accept;
}
chain INPUT {
type filter hook input priority -150; policy accept;
}
chain FORWARD {
type filter hook forward priority -150; policy accept;
}
chain OUTPUT {
type route hook output priority -150; policy accept;
}
chain POSTROUTING {
type filter hook postrouting priority -150; policy accept;
}
}
table ip6 nat {
chain PREROUTING {
type nat hook prerouting priority -100; policy accept;
}
chain INPUT {
type nat hook input priority 100; policy accept;
}
chain POSTROUTING {
type nat hook postrouting priority 100; policy accept;
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
}
}
table bridge nat {
chain PREROUTING {
type filter hook prerouting priority -300; policy accept;
}
chain OUTPUT {
type filter hook output priority 100; policy accept;
}
chain POSTROUTING {
type filter hook postrouting priority 300; policy accept;
}
}
table inet firewalld {
ct helper helper-tftp-udp {
type "tftp" protocol udp
l3proto inet
}
ct helper helper-netbios-ns-udp {
type "netbios-ns" protocol udp
l3proto ip
}
chain raw_PREROUTING {
type filter hook prerouting priority -290; policy accept;
icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
meta nfproto ipv6 fib saddr . iif oif missing drop
jump raw_PREROUTING_ZONES
}
chain raw_PREROUTING_ZONES {
iifname "enp2s0" goto raw_PRE_internal
iifname "enp0s20u1" goto raw_PRE_external
iifname "virbr0" goto raw_PRE_libvirt
goto raw_PRE_public
}
chain mangle_PREROUTING {
type filter hook prerouting priority -140; policy accept;
jump mangle_PREROUTING_ZONES
}
chain mangle_PREROUTING_ZONES {
iifname "enp2s0" goto mangle_PRE_internal
iifname "enp0s20u1" goto mangle_PRE_external
iifname "virbr0" goto mangle_PRE_libvirt
goto mangle_PRE_public
}
chain filter_INPUT {
type filter hook input priority 10; policy accept;
ct state established,related accept
ct status dnat accept
iifname "lo" accept
jump filter_INPUT_ZONES
ct state invalid drop
reject with icmpx type admin-prohibited
}
chain filter_FORWARD {
type filter hook forward priority 10; policy accept;
ct state established,related accept
ct status dnat accept
iifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
jump filter_FORWARD_IN_ZONES
jump filter_FORWARD_OUT_ZONES
ct state invalid drop
reject with icmpx type admin-prohibited
}
chain filter_OUTPUT {
type filter hook output priority 10; policy accept;
oifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
}
chain filter_INPUT_ZONES {
iifname "enp2s0" goto filter_IN_internal
iifname "enp0s20u1" goto filter_IN_external
iifname "virbr0" goto filter_IN_libvirt
goto filter_IN_public
}
chain filter_FORWARD_IN_ZONES {
iifname "enp2s0" goto filter_FWDI_internal
iifname "enp0s20u1" goto filter_FWDI_external
iifname "virbr0" goto filter_FWDI_libvirt
goto filter_FWDI_public
}
chain filter_FORWARD_OUT_ZONES {
oifname "enp2s0" goto filter_FWDO_internal
oifname "enp0s20u1" goto filter_FWDO_external
oifname "virbr0" goto filter_FWDO_libvirt
goto filter_FWDO_public
}
chain raw_PRE_libvirt {
jump raw_PRE_libvirt_pre
jump raw_PRE_libvirt_log
jump raw_PRE_libvirt_deny
jump raw_PRE_libvirt_allow
jump raw_PRE_libvirt_post
}
chain raw_PRE_libvirt_pre {
}
chain raw_PRE_libvirt_log {
}
chain raw_PRE_libvirt_deny {
}
chain raw_PRE_libvirt_allow {
}
chain raw_PRE_libvirt_post {
}
chain filter_IN_libvirt {
jump filter_IN_libvirt_pre
jump filter_IN_libvirt_log
jump filter_IN_libvirt_deny
jump filter_IN_libvirt_allow
jump filter_IN_libvirt_post
accept
}
chain filter_IN_libvirt_pre {
}
chain filter_IN_libvirt_log {
}
chain filter_IN_libvirt_deny {
}
chain filter_IN_libvirt_allow {
udp dport bootps ct state new,untracked accept
udp dport dhcpv6-server ct state new,untracked accept
tcp dport domain ct state new,untracked accept
udp dport domain ct state new,untracked accept
tcp dport ssh ct state new,untracked accept
udp dport tftp ct helper set "helper-tftp-udp"
udp dport tftp ct state new,untracked accept
meta l4proto icmp ct state new,untracked accept
meta l4proto ipv6-icmp ct state new,untracked accept
}
chain filter_IN_libvirt_post {
reject
}
chain mangle_PRE_libvirt {
jump mangle_PRE_libvirt_pre
jump mangle_PRE_libvirt_log
jump mangle_PRE_libvirt_deny
jump mangle_PRE_libvirt_allow
jump mangle_PRE_libvirt_post
}
chain mangle_PRE_libvirt_pre {
}
chain mangle_PRE_libvirt_log {
}
chain mangle_PRE_libvirt_deny {
}
chain mangle_PRE_libvirt_allow {
}
chain mangle_PRE_libvirt_post {
}
chain filter_FWDI_libvirt {
jump filter_FWDI_libvirt_pre
jump filter_FWDI_libvirt_log
jump filter_FWDI_libvirt_deny
jump filter_FWDI_libvirt_allow
jump filter_FWDI_libvirt_post
accept
}
chain filter_FWDI_libvirt_pre {
}
chain filter_FWDI_libvirt_log {
}
chain filter_FWDI_libvirt_deny {
}
chain filter_FWDI_libvirt_allow {
}
chain filter_FWDI_libvirt_post {
}
chain filter_FWDO_libvirt {
jump filter_FWDO_libvirt_pre
jump filter_FWDO_libvirt_log
jump filter_FWDO_libvirt_deny
jump filter_FWDO_libvirt_allow
jump filter_FWDO_libvirt_post
accept
}
chain filter_FWDO_libvirt_pre {
}
chain filter_FWDO_libvirt_log {
}
chain filter_FWDO_libvirt_deny {
}
chain filter_FWDO_libvirt_allow {
}
chain filter_FWDO_libvirt_post {
}
chain raw_PRE_public {
jump raw_PRE_public_pre
jump raw_PRE_public_log
jump raw_PRE_public_deny
jump raw_PRE_public_allow
jump raw_PRE_public_post
}
chain raw_PRE_public_pre {
}
chain raw_PRE_public_log {
}
chain raw_PRE_public_deny {
}
chain raw_PRE_public_allow {
}
chain raw_PRE_public_post {
}
chain filter_IN_public {
jump filter_IN_public_pre
jump filter_IN_public_log
jump filter_IN_public_deny
jump filter_IN_public_allow
jump filter_IN_public_post
meta l4proto { icmp, ipv6-icmp } accept
}
chain filter_IN_public_pre {
}
chain filter_IN_public_log {
}
chain filter_IN_public_deny {
}
chain filter_IN_public_allow {
tcp dport ssh ct state new,untracked accept
ip6 daddr fe80::/64 udp dport dhcpv6-client ct state new,untracked accept
tcp dport 9090 ct state new,untracked accept
}
chain filter_IN_public_post {
}
chain filter_FWDI_public {
jump filter_FWDI_public_pre
jump filter_FWDI_public_log
jump filter_FWDI_public_deny
jump filter_FWDI_public_allow
jump filter_FWDI_public_post
meta l4proto { icmp, ipv6-icmp } accept
}
chain filter_FWDI_public_pre {
}
chain filter_FWDI_public_log {
}
chain filter_FWDI_public_deny {
}
chain filter_FWDI_public_allow {
}
chain filter_FWDI_public_post {
}
chain mangle_PRE_public {
jump mangle_PRE_public_pre
jump mangle_PRE_public_log
jump mangle_PRE_public_deny
jump mangle_PRE_public_allow
jump mangle_PRE_public_post
}
chain mangle_PRE_public_pre {
}
chain mangle_PRE_public_log {
}
chain mangle_PRE_public_deny {
}
chain mangle_PRE_public_allow {
}
chain mangle_PRE_public_post {
}
chain filter_FWDO_public {
jump filter_FWDO_public_pre
jump filter_FWDO_public_log
jump filter_FWDO_public_deny
jump filter_FWDO_public_allow
jump filter_FWDO_public_post
}
chain filter_FWDO_public_pre {
}
chain filter_FWDO_public_log {
}
chain filter_FWDO_public_deny {
}
chain filter_FWDO_public_allow {
}
chain filter_FWDO_public_post {
}
chain raw_PRE_external {
jump raw_PRE_external_pre
jump raw_PRE_external_log
jump raw_PRE_external_deny
jump raw_PRE_external_allow
jump raw_PRE_external_post
}
chain raw_PRE_external_pre {
}
chain raw_PRE_external_log {
}
chain raw_PRE_external_deny {
}
chain raw_PRE_external_allow {
}
chain raw_PRE_external_post {
}
chain filter_IN_external {
jump filter_IN_external_pre
jump filter_IN_external_log
jump filter_IN_external_deny
jump filter_IN_external_allow
jump filter_IN_external_post
meta l4proto { icmp, ipv6-icmp } accept
}
chain filter_IN_external_pre {
}
chain filter_IN_external_log {
}
chain filter_IN_external_deny {
}
chain filter_IN_external_allow {
tcp dport ssh ct state new,untracked accept
}
chain filter_IN_external_post {
}
chain filter_FWDO_external {
jump filter_FWDO_external_pre
jump filter_FWDO_external_log
jump filter_FWDO_external_deny
jump filter_FWDO_external_allow
jump filter_FWDO_external_post
}
chain filter_FWDO_external_pre {
}
chain filter_FWDO_external_log {
}
chain filter_FWDO_external_deny {
}
chain filter_FWDO_external_allow {
ct state new,untracked accept
}
chain filter_FWDO_external_post {
}
chain filter_FWDI_external {
jump filter_FWDI_external_pre
jump filter_FWDI_external_log
jump filter_FWDI_external_deny
jump filter_FWDI_external_allow
jump filter_FWDI_external_post
meta l4proto { icmp, ipv6-icmp } accept
}
chain filter_FWDI_external_pre {
}
chain filter_FWDI_external_log {
}
chain filter_FWDI_external_deny {
}
chain filter_FWDI_external_allow {
}
chain filter_FWDI_external_post {
}
chain mangle_PRE_external {
jump mangle_PRE_external_pre
jump mangle_PRE_external_log
jump mangle_PRE_external_deny
jump mangle_PRE_external_allow
jump mangle_PRE_external_post
}
chain mangle_PRE_external_pre {
}
chain mangle_PRE_external_log {
}
chain mangle_PRE_external_deny {
}
chain mangle_PRE_external_allow {
}
chain mangle_PRE_external_post {
}
chain raw_PRE_internal {
jump raw_PRE_internal_pre
jump raw_PRE_internal_log
jump raw_PRE_internal_deny
jump raw_PRE_internal_allow
jump raw_PRE_internal_post
}
chain raw_PRE_internal_pre {
}
chain raw_PRE_internal_log {
}
chain raw_PRE_internal_deny {
}
chain raw_PRE_internal_allow {
}
chain raw_PRE_internal_post {
}
chain filter_IN_internal {
jump filter_IN_internal_pre
jump filter_IN_internal_log
jump filter_IN_internal_deny
jump filter_IN_internal_allow
jump filter_IN_internal_post
meta l4proto { icmp, ipv6-icmp } accept
}
chain filter_IN_internal_pre {
}
chain filter_IN_internal_log {
}
chain filter_IN_internal_deny {
}
chain filter_IN_internal_allow {
tcp dport ssh ct state new,untracked accept
ip daddr 224.0.0.251 udp dport mdns ct state new,untracked accept
ip6 daddr ff02::fb udp dport mdns ct state new,untracked accept
udp dport netbios-ns ct helper set "helper-netbios-ns-udp"
udp dport netbios-ns ct state new,untracked accept
udp dport netbios-dgm ct state new,untracked accept
ip6 daddr fe80::/64 udp dport dhcpv6-client ct state new,untracked accept
tcp dport 9090 ct state new,untracked accept
}
chain filter_IN_internal_post {
}
chain filter_FWDI_internal {
jump filter_FWDI_internal_pre
jump filter_FWDI_internal_log
jump filter_FWDI_internal_deny
jump filter_FWDI_internal_allow
jump filter_FWDI_internal_post
meta l4proto { icmp, ipv6-icmp } accept
}
chain filter_FWDI_internal_pre {
}
chain filter_FWDI_internal_log {
}
chain filter_FWDI_internal_deny {
}
chain filter_FWDI_internal_allow {
}
chain filter_FWDI_internal_post {
}
chain mangle_PRE_internal {
jump mangle_PRE_internal_pre
jump mangle_PRE_internal_log
jump mangle_PRE_internal_deny
jump mangle_PRE_internal_allow
jump mangle_PRE_internal_post
}
chain mangle_PRE_internal_pre {
}
chain mangle_PRE_internal_log {
}
chain mangle_PRE_internal_deny {
}
chain mangle_PRE_internal_allow {
}
chain mangle_PRE_internal_post {
}
chain filter_FWDO_internal {
jump filter_FWDO_internal_pre
jump filter_FWDO_internal_log
jump filter_FWDO_internal_deny
jump filter_FWDO_internal_allow
jump filter_FWDO_internal_post
}
chain filter_FWDO_internal_pre {
}
chain filter_FWDO_internal_log {
}
chain filter_FWDO_internal_deny {
}
chain filter_FWDO_internal_allow {
}
chain filter_FWDO_internal_post {
}
}
table ip firewalld {
chain nat_PREROUTING {
type nat hook prerouting priority -90; policy accept;
jump nat_PREROUTING_ZONES
}
chain nat_PREROUTING_ZONES {
iifname "enp2s0" goto nat_PRE_internal
iifname "enp0s20u1" goto nat_PRE_external
iifname "virbr0" goto nat_PRE_libvirt
goto nat_PRE_public
}
chain nat_POSTROUTING {
type nat hook postrouting priority 110; policy accept;
jump nat_POSTROUTING_ZONES
}
chain nat_POSTROUTING_ZONES {
oifname "enp2s0" goto nat_POST_internal
oifname "enp0s20u1" goto nat_POST_external
oifname "virbr0" goto nat_POST_libvirt
goto nat_POST_public
}
chain nat_PRE_libvirt {
jump nat_PRE_libvirt_pre
jump nat_PRE_libvirt_log
jump nat_PRE_libvirt_deny
jump nat_PRE_libvirt_allow
jump nat_PRE_libvirt_post
}
chain nat_PRE_libvirt_pre {
}
chain nat_PRE_libvirt_log {
}
chain nat_PRE_libvirt_deny {
}
chain nat_PRE_libvirt_allow {
}
chain nat_PRE_libvirt_post {
}
chain nat_POST_libvirt {
jump nat_POST_libvirt_pre
jump nat_POST_libvirt_log
jump nat_POST_libvirt_deny
jump nat_POST_libvirt_allow
jump nat_POST_libvirt_post
}
chain nat_POST_libvirt_pre {
}
chain nat_POST_libvirt_log {
}
chain nat_POST_libvirt_deny {
}
chain nat_POST_libvirt_allow {
}
chain nat_POST_libvirt_post {
}
chain nat_PRE_public {
jump nat_PRE_public_pre
jump nat_PRE_public_log
jump nat_PRE_public_deny
jump nat_PRE_public_allow
jump nat_PRE_public_post
}
chain nat_PRE_public_pre {
}
chain nat_PRE_public_log {
}
chain nat_PRE_public_deny {
}
chain nat_PRE_public_allow {
}
chain nat_PRE_public_post {
}
chain nat_POST_public {
jump nat_POST_public_pre
jump nat_POST_public_log
jump nat_POST_public_deny
jump nat_POST_public_allow
jump nat_POST_public_post
}
chain nat_POST_public_pre {
}
chain nat_POST_public_log {
}
chain nat_POST_public_deny {
}
chain nat_POST_public_allow {
}
chain nat_POST_public_post {
}
chain nat_POST_external {
jump nat_POST_external_pre
jump nat_POST_external_log
jump nat_POST_external_deny
jump nat_POST_external_allow
jump nat_POST_external_post
}
chain nat_POST_external_pre {
}
chain nat_POST_external_log {
}
chain nat_POST_external_deny {
}
chain nat_POST_external_allow {
oifname != "lo" masquerade
}
chain nat_POST_external_post {
}
chain nat_PRE_external {
jump nat_PRE_external_pre
jump nat_PRE_external_log
jump nat_PRE_external_deny
jump nat_PRE_external_allow
jump nat_PRE_external_post
}
chain nat_PRE_external_pre {
}
chain nat_PRE_external_log {
}
chain nat_PRE_external_deny {
}
chain nat_PRE_external_allow {
tcp dport 1119 dnat to 10.0.0.221
tcp dport 1120 dnat to 10.0.0.221
udp dport 3074 dnat to 10.0.0.221
udp dport 3097 dnat to 10.0.0.221
tcp dport 25565 dnat to 10.0.0.225
udp dport 25565 dnat to 10.0.0.225
udp dport 19133 dnat to 10.0.0.225
udp dport 19132 dnat to 10.0.0.225
udp dport 44310 dnat to 10.0.0.11
tcp dport 44310 dnat to 10.0.0.11
}
chain nat_PRE_external_post {
}
chain nat_PRE_internal {
jump nat_PRE_internal_pre
jump nat_PRE_internal_log
jump nat_PRE_internal_deny
jump nat_PRE_internal_allow
jump nat_PRE_internal_post
}
chain nat_PRE_internal_pre {
}
chain nat_PRE_internal_log {
}
chain nat_PRE_internal_deny {
}
chain nat_PRE_internal_allow {
}
chain nat_PRE_internal_post {
}
chain nat_POST_internal {
jump nat_POST_internal_pre
jump nat_POST_internal_log
jump nat_POST_internal_deny
jump nat_POST_internal_allow
jump nat_POST_internal_post
}
chain nat_POST_internal_pre {
}
chain nat_POST_internal_log {
}
chain nat_POST_internal_deny {
}
chain nat_POST_internal_allow {
}
chain nat_POST_internal_post {
}
}
table ip6 firewalld {
chain nat_PREROUTING {
type nat hook prerouting priority -90; policy accept;
jump nat_PREROUTING_ZONES
}
chain nat_PREROUTING_ZONES {
iifname "enp2s0" goto nat_PRE_internal
iifname "enp0s20u1" goto nat_PRE_external
iifname "virbr0" goto nat_PRE_libvirt
goto nat_PRE_public
}
chain nat_POSTROUTING {
type nat hook postrouting priority 110; policy accept;
jump nat_POSTROUTING_ZONES
}
chain nat_POSTROUTING_ZONES {
oifname "enp2s0" goto nat_POST_internal
oifname "enp0s20u1" goto nat_POST_external
oifname "virbr0" goto nat_POST_libvirt
goto nat_POST_public
}
chain nat_PRE_libvirt {
jump nat_PRE_libvirt_pre
jump nat_PRE_libvirt_log
jump nat_PRE_libvirt_deny
jump nat_PRE_libvirt_allow
jump nat_PRE_libvirt_post
}
chain nat_PRE_libvirt_pre {
}
chain nat_PRE_libvirt_log {
}
chain nat_PRE_libvirt_deny {
}
chain nat_PRE_libvirt_allow {
}
chain nat_PRE_libvirt_post {
}
chain nat_POST_libvirt {
jump nat_POST_libvirt_pre
jump nat_POST_libvirt_log
jump nat_POST_libvirt_deny
jump nat_POST_libvirt_allow
jump nat_POST_libvirt_post
}
chain nat_POST_libvirt_pre {
}
chain nat_POST_libvirt_log {
}
chain nat_POST_libvirt_deny {
}
chain nat_POST_libvirt_allow {
}
chain nat_POST_libvirt_post {
}
chain nat_PRE_public {
jump nat_PRE_public_pre
jump nat_PRE_public_log
jump nat_PRE_public_deny
jump nat_PRE_public_allow
jump nat_PRE_public_post
}
chain nat_PRE_public_pre {
}
chain nat_PRE_public_log {
}
chain nat_PRE_public_deny {
}
chain nat_PRE_public_allow {
}
chain nat_PRE_public_post {
}
chain nat_POST_public {
jump nat_POST_public_pre
jump nat_POST_public_log
jump nat_POST_public_deny
jump nat_POST_public_allow
jump nat_POST_public_post
}
chain nat_POST_public_pre {
}
chain nat_POST_public_log {
}
chain nat_POST_public_deny {
}
chain nat_POST_public_allow {
}
chain nat_POST_public_post {
}
chain nat_POST_external {
jump nat_POST_external_pre
jump nat_POST_external_log
jump nat_POST_external_deny
jump nat_POST_external_allow
jump nat_POST_external_post
}
chain nat_POST_external_pre {
}
chain nat_POST_external_log {
}
chain nat_POST_external_deny {
}
chain nat_POST_external_allow {
oifname != "lo" masquerade
}
chain nat_POST_external_post {
}
chain nat_PRE_external {
jump nat_PRE_external_pre
jump nat_PRE_external_log
jump nat_PRE_external_deny
jump nat_PRE_external_allow
jump nat_PRE_external_post
}
chain nat_PRE_external_pre {
}
chain nat_PRE_external_log {
}
chain nat_PRE_external_deny {
}
chain nat_PRE_external_allow {
}
chain nat_PRE_external_post {
}
chain nat_PRE_internal {
jump nat_PRE_internal_pre
jump nat_PRE_internal_log
jump nat_PRE_internal_deny
jump nat_PRE_internal_allow
jump nat_PRE_internal_post
}
chain nat_PRE_internal_pre {
}
chain nat_PRE_internal_log {
}
chain nat_PRE_internal_deny {
}
chain nat_PRE_internal_allow {
}
chain nat_PRE_internal_post {
}
chain nat_POST_internal {
jump nat_POST_internal_pre
jump nat_POST_internal_log
jump nat_POST_internal_deny
jump nat_POST_internal_allow
jump nat_POST_internal_post
}
chain nat_POST_internal_pre {
}
chain nat_POST_internal_log {
}
chain nat_POST_internal_deny {
}
chain nat_POST_internal_allow {
}
chain nat_POST_internal_post {
}
}