Re: Docker/Libvirt networking issue / bug?

On Fri, Oct 14, 2016 at 03:00:58PM -0600, Nathanael D. Noblet wrote:
> On Thu, 2016-10-06 at 14:02 -0500, Dan Williams wrote:
> > 
> > Try running 'iptables-save' before you start docker, and then running
> > 'iptables-save' after.  Diff the results.  Did docker remove
> > anything?
> 
> Hello,
> 
>   So this seems to be the source of the problem, but I'm a little out of
> my depth as to all it's doing.
> 
> So I've attached three files
> 
> [1] iptables.onBoot (which is iptables after a clean boot)
> [2] iptables.afterDockerService (which is iptables after systemctl
> start docker)
> [3] iptables.diff ( the difference between the two files where I've
> removed differences that don't matter like packet counts etc).
> 
> So this seems like docker doesn't play well with libvirtd? Should I be
> filing a bug on docker? Or is this just a misconfiguration on my part?
> I don't think I've changed either libvirtd/qemu or docker's default
> configuration. Other than my VMs all attach to bridge0 instead of using
> NAT.
> 
> I'll start looking up what the -m addrtype --dst-type LOCAL does and
> all the docker related rules that are added but I'm really not sure
> what's going on. Particularly since VMs that are running and network-
> connected before I run a docker container continue to be. Only VMs
> brought up after that aren't. Also at a minimum if I stop the docker
> service I would expect these rules to go away which they don't. For
> example after systemctl stop docker I still have docker0 bridge
> interface up and 
> 

That's a lot to look at, but I would wager you're correct; this rule:
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER

Probably mucks up a good deal of other services.  This basically says that
regardless of egress interface, or source interface, if a packet is destined for
an ip address that is local to the system (e.g. a local bridge interface to
either a docker container or a libvirt guest), it should traverse the docker
rule chain.  Likely that rule chain is built with docker interfaces specified
and all others ignored, and the default rule is drop or some such there.  The
rule above should almost certainly be further constrained to only apply to
interfaces used by docker.

Neil
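Dan's suggestion earlier in the thread (dump with iptables-save, start docker, dump again, diff) is what produced the files quoted below, and the hand-removal of counter noise is the fiddly part. The script that follows is an added example, not code from the thread and not part of docker, libvirt or firewalld: it strips the `[packets:bytes]` counters and timestamp comments so a plain diff shows only rule changes, and then walks a packet through a chain the way the kernel would, so the reader can see what the quoted `-m addrtype --dst-type LOCAL -j DOCKER` rule does to a packet arriving on virbr0 and what the FORWARD chain does to a frame from bridge0 if such frames reach iptables at all. The two dumps embedded in it are constructed, abbreviated subsets of the tables quoted below; only `-i`/`-o`/`-s`/`-d`/`--dst-type LOCAL`, `-j`/`-g` and `RETURN` are modelled and every other match is skipped, so it is a reading aid for a dump, not a substitute for iptables.

```python
# Added example (not from the thread): normalise an iptables-save dump and
# trace a packet through a chain to see which rule decides its fate.
import ipaddress
import re

COUNTER_RE = re.compile(r"\s*\[\d+:\d+\]$")  # trailing [packets:bytes]
TERMINAL = {"ACCEPT", "DROP", "REJECT", "MASQUERADE", "DNAT", "SNAT"}

def normalize(dump):
    """{table: [lines]} minus counters, '# Generated/Completed' lines and COMMIT."""
    tables, current = {}, None
    for line in dump.splitlines():
        if not line or line == "COMMIT" or line.startswith("#"):
            continue
        if line.startswith("*"):
            tables.setdefault(current := line[1:], [])
        else:
            tables[current].append(COUNTER_RE.sub("", line))
    return tables

def added_lines(before, after, table):
    """Lines of `table` in `after` but not in `before`: what a service added."""
    return [l for l in after.get(table, []) if l not in before.get(table, [])]

def parse_rule(line):
    """'-A chain ...' -> -i/-o/-s/-d/--dst-type matches (with '!') and -j/-g target."""
    toks = line.split()
    rule = {"chain": toks[1], "matches": [], "target": None, "goto": False}
    i, neg = 2, False
    while i < len(toks):
        t = toks[i]
        if t == "!":
            neg, i = True, i + 1
            continue
        if t in ("-i", "-o", "-s", "-d", "--dst-type"):
            rule["matches"].append((t, toks[i + 1], neg))
        elif t in ("-j", "-g"):
            rule["target"], rule["goto"] = toks[i + 1], t == "-g"
        elif i + 1 >= len(toks) or toks[i + 1].startswith(("-", "!")):
            i -= 1  # bare flag such as --checksum-fill: no value to skip
        i, neg = i + 2, False  # step over the option and its value
    return rule

def rule_matches(rule, pkt):
    """True when every match holds; pkt keys: in, out, src, dst, dst_local."""
    for opt, val, neg in rule["matches"]:
        if opt in ("-i", "-o"):
            hit = pkt.get("in" if opt == "-i" else "out") == val
        elif opt in ("-s", "-d"):
            net = ipaddress.ip_network(val, strict=False)
            hit = ipaddress.ip_address(pkt["src" if opt == "-s" else "dst"]) in net
        else:  # --dst-type: only LOCAL is modelled, as a flag on the packet
            hit = val == "LOCAL" and bool(pkt.get("dst_local"))
        if hit == neg:  # a plain match must hit, a negated one must miss
            return False
    return True

def evaluate(tables, table, chain, pkt):
    """Walk `chain` of `table` for `pkt`; returns (verdict, jumps taken)."""
    policy = {l.split()[0][1:]: l.split()[1] for l in tables[table] if l.startswith(":")}
    by_chain, trace = {}, []
    for r in (parse_rule(l) for l in tables[table] if l.startswith("-A ")):
        by_chain.setdefault(r["chain"], []).append(r)
    def walk(name):
        for r in by_chain.get(name, []):
            if r["target"] is None or not rule_matches(r, pkt):
                continue
            trace.append(f"{name} -> {r['target']}")
            if r["target"] == "RETURN" or r["target"] in TERMINAL:
                return None if r["target"] == "RETURN" else r["target"]
            verdict = walk(r["target"])
            if verdict is not None or r["goto"]:
                return verdict  # after -g, the callee's RETURN skips this chain
        return None  # fell off the end: back to the caller, or the policy

    verdict = walk(chain)
    return (policy.get(chain, "-") if verdict is None else verdict), trace

# Constructed dumps: abbreviated subsets of the nat/filter tables quoted below.
BEFORE = "*nat\n:PREROUTING ACCEPT [2:433]\nCOMMIT\n"
AFTER = """\
# Generated by iptables-save v1.6.0 on Fri Oct 14 14:49:48 2016
*nat
:PREROUTING ACCEPT [25:1604]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

if __name__ == "__main__":
    print("added to nat:", added_lines(normalize(BEFORE), normalize(AFTER), "nat"))
    vm = {"in": "virbr0", "src": "192.168.121.50", "dst": "192.168.121.1", "dst_local": True}
    print("VM on virbr0 to host, nat PREROUTING:", evaluate(normalize(AFTER), "nat", "PREROUTING", vm))
```

Run on the two real files, `normalize` makes the `:PREROUTING ACCEPT [n:m]` lines identical, so `added_lines` lists only what docker appended. The trace for a VM packet arriving on virbr0 for a host address is `PREROUTING -> DOCKER` followed by the chain policy `ACCEPT`: the only DOCKER rule is `-i docker0 -j RETURN`, so other interfaces fall off the end of the chain with nothing rewritten, and the nat hook by itself neither drops nor redirects that traffic. In the filter table the same walk shows `-i docker0 ! -o docker0 -j ACCEPT` sitting ahead of libvirt's `-o virbr0 -j REJECT`, and a frame from bridge0 that reaches FORWARD at all ending in the final `REJECT`. Whether bridged frames reach FORWARD is governed by the `net.bridge.bridge-nf-call-iptables` sysctl, which iptables-save does not show and which is commonly switched on when a container bridge is set up, so it belongs in the same before/after capture.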

> [gnat@iridium ~]$ sudo iptables -L -n | grep DOCKER
> DOCKER-ISOLATION  all  --  0.0.0.0/0            0.0.0.0/0           
> DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
> Chain DOCKER (1 references)
> Chain DOCKER-ISOLATION (1 references)
> 
> still shows the chains are in place...

> # Generated by iptables-save v1.6.0 on Fri Oct 14 14:49:48 2016
> *nat
> :PREROUTING ACCEPT [25:1604]
> :INPUT ACCEPT [0:0]
> :OUTPUT ACCEPT [126:9336]
> :POSTROUTING ACCEPT [126:9336]
> :DOCKER - [0:0]
> :OUTPUT_direct - [0:0]
> :POSTROUTING_ZONES - [0:0]
> :POSTROUTING_ZONES_SOURCE - [0:0]
> :POSTROUTING_direct - [0:0]
> :POST_FedoraWorkstation - [0:0]
> :POST_FedoraWorkstation_allow - [0:0]
> :POST_FedoraWorkstation_deny - [0:0]
> :POST_FedoraWorkstation_log - [0:0]
> :POST_dmz - [0:0]
> :POST_dmz_allow - [0:0]
> :POST_dmz_deny - [0:0]
> :POST_dmz_log - [0:0]
> :POST_trusted - [0:0]
> :POST_trusted_allow - [0:0]
> :POST_trusted_deny - [0:0]
> :POST_trusted_log - [0:0]
> :PREROUTING_ZONES - [0:0]
> :PREROUTING_ZONES_SOURCE - [0:0]
> :PREROUTING_direct - [0:0]
> :PRE_FedoraWorkstation - [0:0]
> :PRE_FedoraWorkstation_allow - [0:0]
> :PRE_FedoraWorkstation_deny - [0:0]
> :PRE_FedoraWorkstation_log - [0:0]
> :PRE_dmz - [0:0]
> :PRE_dmz_allow - [0:0]
> :PRE_dmz_deny - [0:0]
> :PRE_dmz_log - [0:0]
> :PRE_trusted - [0:0]
> :PRE_trusted_allow - [0:0]
> :PRE_trusted_deny - [0:0]
> :PRE_trusted_log - [0:0]
> -A PREROUTING -j PREROUTING_direct
> -A PREROUTING -j PREROUTING_ZONES_SOURCE
> -A PREROUTING -j PREROUTING_ZONES
> -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
> -A OUTPUT -j OUTPUT_direct
> -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
> -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
> -A POSTROUTING -s 192.168.121.0/24 -d 224.0.0.0/24 -j RETURN
> -A POSTROUTING -s 192.168.121.0/24 -d 255.255.255.255/32 -j RETURN
> -A POSTROUTING -s 192.168.121.0/24 ! -d 192.168.121.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
> -A POSTROUTING -s 192.168.121.0/24 ! -d 192.168.121.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
> -A POSTROUTING -s 192.168.121.0/24 ! -d 192.168.121.0/24 -j MASQUERADE
> -A POSTROUTING -j POSTROUTING_direct
> -A POSTROUTING -j POSTROUTING_ZONES_SOURCE
> -A POSTROUTING -j POSTROUTING_ZONES
> -A DOCKER -i docker0 -j RETURN
> -A POSTROUTING_ZONES -o em1 -g POST_dmz
> -A POSTROUTING_ZONES -o bridge0 -g POST_dmz
> -A POSTROUTING_ZONES -o virbr0 -j POST_trusted
> -A POSTROUTING_ZONES -o virbr0-nic -j POST_trusted
> -A POSTROUTING_ZONES -g POST_FedoraWorkstation
> -A POSTROUTING_ZONES_SOURCE -d 192.168.121.0/24 -g POST_dmz
> -A POSTROUTING_ZONES_SOURCE -d 192.168.4.0/24 -g POST_dmz
> -A POST_FedoraWorkstation -j POST_FedoraWorkstation_log
> -A POST_FedoraWorkstation -j POST_FedoraWorkstation_deny
> -A POST_FedoraWorkstation -j POST_FedoraWorkstation_allow
> -A POST_dmz -j POST_dmz_log
> -A POST_dmz -j POST_dmz_deny
> -A POST_dmz -j POST_dmz_allow
> -A POST_trusted -j POST_trusted_log
> -A POST_trusted -j POST_trusted_deny
> -A POST_trusted -j POST_trusted_allow
> -A PREROUTING_ZONES -i em1 -g PRE_dmz
> -A PREROUTING_ZONES -i bridge0 -g PRE_dmz
> -A PREROUTING_ZONES -i virbr0 -j PRE_trusted
> -A PREROUTING_ZONES -i virbr0-nic -j PRE_trusted
> -A PREROUTING_ZONES -g PRE_FedoraWorkstation
> -A PREROUTING_ZONES_SOURCE -s 192.168.121.0/24 -g PRE_dmz
> -A PREROUTING_ZONES_SOURCE -s 192.168.4.0/24 -g PRE_dmz
> -A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_log
> -A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_deny
> -A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_allow
> -A PRE_dmz -j PRE_dmz_log
> -A PRE_dmz -j PRE_dmz_deny
> -A PRE_dmz -j PRE_dmz_allow
> -A PRE_trusted -j PRE_trusted_log
> -A PRE_trusted -j PRE_trusted_deny
> -A PRE_trusted -j PRE_trusted_allow
> COMMIT
> # Completed on Fri Oct 14 14:49:48 2016
> # Generated by iptables-save v1.6.0 on Fri Oct 14 14:49:48 2016
> *security
> :INPUT ACCEPT [13216:6582247]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [12390:2830935]
> :FORWARD_direct - [0:0]
> :INPUT_direct - [0:0]
> :OUTPUT_direct - [0:0]
> -A INPUT -j INPUT_direct
> -A FORWARD -j FORWARD_direct
> -A OUTPUT -j OUTPUT_direct
> COMMIT
> # Completed on Fri Oct 14 14:49:48 2016
> # Generated by iptables-save v1.6.0 on Fri Oct 14 14:49:48 2016
> *raw
> :PREROUTING ACCEPT [13256:6585647]
> :OUTPUT ACCEPT [12390:2830935]
> :OUTPUT_direct - [0:0]
> :PREROUTING_direct - [0:0]
> -A PREROUTING -j PREROUTING_direct
> -A OUTPUT -j OUTPUT_direct
> COMMIT
> # Completed on Fri Oct 14 14:49:48 2016
> # Generated by iptables-save v1.6.0 on Fri Oct 14 14:49:48 2016
> *mangle
> :PREROUTING ACCEPT [13256:6585647]
> :INPUT ACCEPT [13221:6583355]
> :FORWARD ACCEPT [27:1814]
> :OUTPUT ACCEPT [12390:2830935]
> :POSTROUTING ACCEPT [12515:2849689]
> :FORWARD_direct - [0:0]
> :INPUT_direct - [0:0]
> :OUTPUT_direct - [0:0]
> :POSTROUTING_direct - [0:0]
> :PREROUTING_ZONES - [0:0]
> :PREROUTING_ZONES_SOURCE - [0:0]
> :PREROUTING_direct - [0:0]
> :PRE_FedoraWorkstation - [0:0]
> :PRE_FedoraWorkstation_allow - [0:0]
> :PRE_FedoraWorkstation_deny - [0:0]
> :PRE_FedoraWorkstation_log - [0:0]
> :PRE_dmz - [0:0]
> :PRE_dmz_allow - [0:0]
> :PRE_dmz_deny - [0:0]
> :PRE_dmz_log - [0:0]
> :PRE_trusted - [0:0]
> :PRE_trusted_allow - [0:0]
> :PRE_trusted_deny - [0:0]
> :PRE_trusted_log - [0:0]
> -A PREROUTING -j PREROUTING_direct
> -A PREROUTING -j PREROUTING_ZONES_SOURCE
> -A PREROUTING -j PREROUTING_ZONES
> -A INPUT -j INPUT_direct
> -A FORWARD -j FORWARD_direct
> -A OUTPUT -j OUTPUT_direct
> -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> -A POSTROUTING -j POSTROUTING_direct
> -A PREROUTING_ZONES -i em1 -g PRE_dmz
> -A PREROUTING_ZONES -i bridge0 -g PRE_dmz
> -A PREROUTING_ZONES -i virbr0 -j PRE_trusted
> -A PREROUTING_ZONES -i virbr0-nic -j PRE_trusted
> -A PREROUTING_ZONES -g PRE_FedoraWorkstation
> -A PREROUTING_ZONES_SOURCE -s 192.168.121.0/24 -g PRE_dmz
> -A PREROUTING_ZONES_SOURCE -s 192.168.4.0/24 -g PRE_dmz
> -A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_log
> -A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_deny
> -A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_allow
> -A PRE_dmz -j PRE_dmz_log
> -A PRE_dmz -j PRE_dmz_deny
> -A PRE_dmz -j PRE_dmz_allow
> -A PRE_trusted -j PRE_trusted_log
> -A PRE_trusted -j PRE_trusted_deny
> -A PRE_trusted -j PRE_trusted_allow
> COMMIT
> # Completed on Fri Oct 14 14:49:48 2016
> # Generated by iptables-save v1.6.0 on Fri Oct 14 14:49:48 2016
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [4353:1246826]
> :DOCKER - [0:0]
> :DOCKER-ISOLATION - [0:0]
> :FORWARD_IN_ZONES - [0:0]
> :FORWARD_IN_ZONES_SOURCE - [0:0]
> :FORWARD_OUT_ZONES - [0:0]
> :FORWARD_OUT_ZONES_SOURCE - [0:0]
> :FORWARD_direct - [0:0]
> :FWDI_FedoraWorkstation - [0:0]
> :FWDI_FedoraWorkstation_allow - [0:0]
> :FWDI_FedoraWorkstation_deny - [0:0]
> :FWDI_FedoraWorkstation_log - [0:0]
> :FWDI_dmz - [0:0]
> :FWDI_dmz_allow - [0:0]
> :FWDI_dmz_deny - [0:0]
> :FWDI_dmz_log - [0:0]
> :FWDI_trusted - [0:0]
> :FWDI_trusted_allow - [0:0]
> :FWDI_trusted_deny - [0:0]
> :FWDI_trusted_log - [0:0]
> :FWDO_FedoraWorkstation - [0:0]
> :FWDO_FedoraWorkstation_allow - [0:0]
> :FWDO_FedoraWorkstation_deny - [0:0]
> :FWDO_FedoraWorkstation_log - [0:0]
> :FWDO_dmz - [0:0]
> :FWDO_dmz_allow - [0:0]
> :FWDO_dmz_deny - [0:0]
> :FWDO_dmz_log - [0:0]
> :FWDO_trusted - [0:0]
> :FWDO_trusted_allow - [0:0]
> :FWDO_trusted_deny - [0:0]
> :FWDO_trusted_log - [0:0]
> :INPUT_ZONES - [0:0]
> :INPUT_ZONES_SOURCE - [0:0]
> :INPUT_direct - [0:0]
> :IN_FedoraWorkstation - [0:0]
> :IN_FedoraWorkstation_allow - [0:0]
> :IN_FedoraWorkstation_deny - [0:0]
> :IN_FedoraWorkstation_log - [0:0]
> :IN_dmz - [0:0]
> :IN_dmz_allow - [0:0]
> :IN_dmz_deny - [0:0]
> :IN_dmz_log - [0:0]
> :IN_trusted - [0:0]
> :IN_trusted_allow - [0:0]
> :IN_trusted_deny - [0:0]
> :IN_trusted_log - [0:0]
> :OUTPUT_direct - [0:0]
> -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
> -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
> -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -j INPUT_direct
> -A INPUT -j INPUT_ZONES_SOURCE
> -A INPUT -j INPUT_ZONES
> -A INPUT -m conntrack --ctstate INVALID -j DROP
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j DOCKER-ISOLATION
> -A FORWARD -o docker0 -j DOCKER
> -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
> -A FORWARD -i docker0 -o docker0 -j ACCEPT
> -A FORWARD -d 192.168.121.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -s 192.168.121.0/24 -i virbr0 -j ACCEPT
> -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
> -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
> -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
> -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i lo -j ACCEPT
> -A FORWARD -j FORWARD_direct
> -A FORWARD -j FORWARD_IN_ZONES_SOURCE
> -A FORWARD -j FORWARD_IN_ZONES
> -A FORWARD -j FORWARD_OUT_ZONES_SOURCE
> -A FORWARD -j FORWARD_OUT_ZONES
> -A FORWARD -m conntrack --ctstate INVALID -j DROP
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
> -A OUTPUT -j OUTPUT_direct
> -A DOCKER-ISOLATION -j RETURN
> -A FORWARD_IN_ZONES -i em1 -g FWDI_dmz
> -A FORWARD_IN_ZONES -i bridge0 -g FWDI_dmz
> -A FORWARD_IN_ZONES -i virbr0 -j FWDI_trusted
> -A FORWARD_IN_ZONES -i virbr0-nic -j FWDI_trusted
> -A FORWARD_IN_ZONES -g FWDI_FedoraWorkstation
> -A FORWARD_IN_ZONES_SOURCE -s 192.168.121.0/24 -g FWDI_dmz
> -A FORWARD_IN_ZONES_SOURCE -s 192.168.4.0/24 -g FWDI_dmz
> -A FORWARD_OUT_ZONES -o em1 -g FWDO_dmz
> -A FORWARD_OUT_ZONES -o bridge0 -g FWDO_dmz
> -A FORWARD_OUT_ZONES -o virbr0 -j FWDO_trusted
> -A FORWARD_OUT_ZONES -o virbr0-nic -j FWDO_trusted
> -A FORWARD_OUT_ZONES -g FWDO_FedoraWorkstation
> -A FORWARD_OUT_ZONES_SOURCE -d 192.168.121.0/24 -g FWDO_dmz
> -A FORWARD_OUT_ZONES_SOURCE -d 192.168.4.0/24 -g FWDO_dmz
> -A FWDI_FedoraWorkstation -j FWDI_FedoraWorkstation_log
> -A FWDI_FedoraWorkstation -j FWDI_FedoraWorkstation_deny
> -A FWDI_FedoraWorkstation -j FWDI_FedoraWorkstation_allow
> -A FWDI_FedoraWorkstation -p icmp -j ACCEPT
> -A FWDI_dmz -j FWDI_dmz_log
> -A FWDI_dmz -j FWDI_dmz_deny
> -A FWDI_dmz -j FWDI_dmz_allow
> -A FWDI_dmz -p icmp -j ACCEPT
> -A FWDI_trusted -j FWDI_trusted_log
> -A FWDI_trusted -j FWDI_trusted_deny
> -A FWDI_trusted -j FWDI_trusted_allow
> -A FWDI_trusted -j ACCEPT
> -A FWDO_FedoraWorkstation -j FWDO_FedoraWorkstation_log
> -A FWDO_FedoraWorkstation -j FWDO_FedoraWorkstation_deny
> -A FWDO_FedoraWorkstation -j FWDO_FedoraWorkstation_allow
> -A FWDO_dmz -j FWDO_dmz_log
> -A FWDO_dmz -j FWDO_dmz_deny
> -A FWDO_dmz -j FWDO_dmz_allow
> -A FWDO_trusted -j FWDO_trusted_log
> -A FWDO_trusted -j FWDO_trusted_deny
> -A FWDO_trusted -j FWDO_trusted_allow
> -A FWDO_trusted -j ACCEPT
> -A INPUT_ZONES -i em1 -g IN_dmz
> -A INPUT_ZONES -i bridge0 -g IN_dmz
> -A INPUT_ZONES -i virbr0 -j IN_trusted
> -A INPUT_ZONES -i virbr0-nic -j IN_trusted
> -A INPUT_ZONES -g IN_FedoraWorkstation
> -A INPUT_ZONES_SOURCE -s 192.168.121.0/24 -g IN_dmz
> -A INPUT_ZONES_SOURCE -s 192.168.4.0/24 -g IN_dmz
> -A IN_FedoraWorkstation -j IN_FedoraWorkstation_log
> -A IN_FedoraWorkstation -j IN_FedoraWorkstation_deny
> -A IN_FedoraWorkstation -j IN_FedoraWorkstation_allow
> -A IN_FedoraWorkstation -p icmp -j ACCEPT
> -A IN_FedoraWorkstation_allow -p tcp -m tcp --dport 111 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_FedoraWorkstation_allow -p udp -m udp --dport 111 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_FedoraWorkstation_allow -p tcp -m tcp --dport 20048 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_FedoraWorkstation_allow -p udp -m udp --dport 20048 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_FedoraWorkstation_allow -p tcp -m tcp --dport 2049 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_FedoraWorkstation_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_FedoraWorkstation_allow -p udp -m udp --dport 137 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_FedoraWorkstation_allow -p udp -m udp --dport 138 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_FedoraWorkstation_allow -p udp -m udp --dport 1025:65535 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_FedoraWorkstation_allow -p tcp -m tcp --dport 1025:65535 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_dmz -j IN_dmz_log
> -A IN_dmz -j IN_dmz_deny
> -A IN_dmz -j IN_dmz_allow
> -A IN_dmz -p icmp -j ACCEPT
> -A IN_dmz_allow -p tcp -m tcp --dport 5900:5903 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_dmz_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_dmz_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_dmz_allow -p tcp -m tcp --dport 5500 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_dmz_allow -p tcp -m tcp --dport 2222 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_dmz_allow -p tcp -m tcp --dport 6881:6890 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_dmz_allow -s 192.168.4.0/24 -p tcp -m tcp --dport 9091 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_dmz_allow -s 192.168.4.0/24 -p tcp -m tcp --dport 20048 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_dmz_allow -s 192.168.4.0/24 -p udp -m udp --dport 20048 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_dmz_allow -s 192.168.4.0/24 -p tcp -m tcp --dport 111 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_dmz_allow -s 192.168.4.0/24 -p udp -m udp --dport 111 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_dmz_allow -s 192.168.4.0/24 -p tcp -m tcp --dport 5001 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_dmz_allow -s 192.168.4.0/24 -p tcp -m tcp --dport 9000 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_dmz_allow -s 192.168.4.0/24 -p tcp -m tcp --dport 2049 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_trusted -j IN_trusted_log
> -A IN_trusted -j IN_trusted_deny
> -A IN_trusted -j IN_trusted_allow
> -A IN_trusted -j ACCEPT
> -A IN_trusted_allow -p tcp -m tcp --dport 111 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_trusted_allow -p udp -m udp --dport 111 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_trusted_allow -p tcp -m tcp --dport 2049 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_trusted_allow -p tcp -m tcp --dport 20048 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_trusted_allow -p udp -m udp --dport 20048 -m conntrack --ctstate NEW -j ACCEPT
> COMMIT
> # Completed on Fri Oct 14 14:49:48 2016

> # Generated by iptables-save v1.6.0 on Fri Oct 14 14:47:44 2016
> *nat
> :PREROUTING ACCEPT [2:433]
> :INPUT ACCEPT [1:105]
> :OUTPUT ACCEPT [235:15814]
> :POSTROUTING ACCEPT [234:15619]
> :OUTPUT_direct - [0:0]
> :POSTROUTING_ZONES - [0:0]
> :POSTROUTING_ZONES_SOURCE - [0:0]
> :POSTROUTING_direct - [0:0]
> :POST_FedoraWorkstation - [0:0]
> :POST_FedoraWorkstation_allow - [0:0]
> :POST_FedoraWorkstation_deny - [0:0]
> :POST_FedoraWorkstation_log - [0:0]
> :POST_dmz - [0:0]
> :POST_dmz_allow - [0:0]
> :POST_dmz_deny - [0:0]
> :POST_dmz_log - [0:0]
> :POST_trusted - [0:0]
> :POST_trusted_allow - [0:0]
> :POST_trusted_deny - [0:0]
> :POST_trusted_log - [0:0]
> :PREROUTING_ZONES - [0:0]
> :PREROUTING_ZONES_SOURCE - [0:0]
> :PREROUTING_direct - [0:0]
> :PRE_FedoraWorkstation - [0:0]
> :PRE_FedoraWorkstation_allow - [0:0]
> :PRE_FedoraWorkstation_deny - [0:0]
> :PRE_FedoraWorkstation_log - [0:0]
> :PRE_dmz - [0:0]
> :PRE_dmz_allow - [0:0]
> :PRE_dmz_deny - [0:0]
> :PRE_dmz_log - [0:0]
> :PRE_trusted - [0:0]
> :PRE_trusted_allow - [0:0]
> :PRE_trusted_deny - [0:0]
> :PRE_trusted_log - [0:0]
> -A PREROUTING -j PREROUTING_direct
> -A PREROUTING -j PREROUTING_ZONES_SOURCE
> -A PREROUTING -j PREROUTING_ZONES
> -A OUTPUT -j OUTPUT_direct
> -A POSTROUTING -s 192.168.121.0/24 -d 224.0.0.0/24 -j RETURN
> -A POSTROUTING -s 192.168.121.0/24 -d 255.255.255.255/32 -j RETURN
> -A POSTROUTING -s 192.168.121.0/24 ! -d 192.168.121.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
> -A POSTROUTING -s 192.168.121.0/24 ! -d 192.168.121.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
> -A POSTROUTING -s 192.168.121.0/24 ! -d 192.168.121.0/24 -j MASQUERADE
> -A POSTROUTING -j POSTROUTING_direct
> -A POSTROUTING -j POSTROUTING_ZONES_SOURCE
> -A POSTROUTING -j POSTROUTING_ZONES
> -A POSTROUTING_ZONES -o em1 -g POST_dmz
> -A POSTROUTING_ZONES -o bridge0 -g POST_dmz
> -A POSTROUTING_ZONES -o virbr0 -j POST_trusted
> -A POSTROUTING_ZONES -o virbr0-nic -j POST_trusted
> -A POSTROUTING_ZONES -g POST_FedoraWorkstation
> -A POSTROUTING_ZONES_SOURCE -d 192.168.121.0/24 -g POST_dmz
> -A POSTROUTING_ZONES_SOURCE -d 192.168.4.0/24 -g POST_dmz
> -A POST_FedoraWorkstation -j POST_FedoraWorkstation_log
> -A POST_FedoraWorkstation -j POST_FedoraWorkstation_deny
> -A POST_FedoraWorkstation -j POST_FedoraWorkstation_allow
> -A POST_dmz -j POST_dmz_log
> -A POST_dmz -j POST_dmz_deny
> -A POST_dmz -j POST_dmz_allow
> -A POST_trusted -j POST_trusted_log
> -A POST_trusted -j POST_trusted_deny
> -A POST_trusted -j POST_trusted_allow
> -A PREROUTING_ZONES -i em1 -g PRE_dmz
> -A PREROUTING_ZONES -i bridge0 -g PRE_dmz
> -A PREROUTING_ZONES -i virbr0 -j PRE_trusted
> -A PREROUTING_ZONES -i virbr0-nic -j PRE_trusted
> -A PREROUTING_ZONES -g PRE_FedoraWorkstation
> -A PREROUTING_ZONES_SOURCE -s 192.168.121.0/24 -g PRE_dmz
> -A PREROUTING_ZONES_SOURCE -s 192.168.4.0/24 -g PRE_dmz
> -A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_log
> -A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_deny
> -A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_allow
> -A PRE_dmz -j PRE_dmz_log
> -A PRE_dmz -j PRE_dmz_deny
> -A PRE_dmz -j PRE_dmz_allow
> -A PRE_trusted -j PRE_trusted_log
> -A PRE_trusted -j PRE_trusted_deny
> -A PRE_trusted -j PRE_trusted_allow
> COMMIT
> # Completed on Fri Oct 14 14:47:44 2016
> # Generated by iptables-save v1.6.0 on Fri Oct 14 14:47:44 2016
> *security
> :INPUT ACCEPT [1923:1481804]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1848:237711]
> :FORWARD_direct - [0:0]
> :INPUT_direct - [0:0]
> :OUTPUT_direct - [0:0]
> -A INPUT -j INPUT_direct
> -A FORWARD -j FORWARD_direct
> -A OUTPUT -j OUTPUT_direct
> COMMIT
> # Completed on Fri Oct 14 14:47:44 2016
> # Generated by iptables-save v1.6.0 on Fri Oct 14 14:47:44 2016
> *raw
> :PREROUTING ACCEPT [1931:1482877]
> :OUTPUT ACCEPT [1848:237711]
> :OUTPUT_direct - [0:0]
> :PREROUTING_direct - [0:0]
> -A PREROUTING -j PREROUTING_direct
> -A OUTPUT -j OUTPUT_direct
> COMMIT
> # Completed on Fri Oct 14 14:47:44 2016
> # Generated by iptables-save v1.6.0 on Fri Oct 14 14:47:44 2016
> *mangle
> :PREROUTING ACCEPT [1931:1482877]
> :INPUT ACCEPT [1926:1482389]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1848:237711]
> :POSTROUTING ACCEPT [1912:246559]
> :FORWARD_direct - [0:0]
> :INPUT_direct - [0:0]
> :OUTPUT_direct - [0:0]
> :POSTROUTING_direct - [0:0]
> :PREROUTING_ZONES - [0:0]
> :PREROUTING_ZONES_SOURCE - [0:0]
> :PREROUTING_direct - [0:0]
> :PRE_FedoraWorkstation - [0:0]
> :PRE_FedoraWorkstation_allow - [0:0]
> :PRE_FedoraWorkstation_deny - [0:0]
> :PRE_FedoraWorkstation_log - [0:0]
> :PRE_dmz - [0:0]
> :PRE_dmz_allow - [0:0]
> :PRE_dmz_deny - [0:0]
> :PRE_dmz_log - [0:0]
> :PRE_trusted - [0:0]
> :PRE_trusted_allow - [0:0]
> :PRE_trusted_deny - [0:0]
> :PRE_trusted_log - [0:0]
> -A PREROUTING -j PREROUTING_direct
> -A PREROUTING -j PREROUTING_ZONES_SOURCE
> -A PREROUTING -j PREROUTING_ZONES
> -A INPUT -j INPUT_direct
> -A FORWARD -j FORWARD_direct
> -A OUTPUT -j OUTPUT_direct
> -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> -A POSTROUTING -j POSTROUTING_direct
> -A PREROUTING_ZONES -i em1 -g PRE_dmz
> -A PREROUTING_ZONES -i bridge0 -g PRE_dmz
> -A PREROUTING_ZONES -i virbr0 -j PRE_trusted
> -A PREROUTING_ZONES -i virbr0-nic -j PRE_trusted
> -A PREROUTING_ZONES -g PRE_FedoraWorkstation
> -A PREROUTING_ZONES_SOURCE -s 192.168.121.0/24 -g PRE_dmz
> -A PREROUTING_ZONES_SOURCE -s 192.168.4.0/24 -g PRE_dmz
> -A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_log
> -A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_deny
> -A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_allow
> -A PRE_dmz -j PRE_dmz_log
> -A PRE_dmz -j PRE_dmz_deny
> -A PRE_dmz -j PRE_dmz_allow
> -A PRE_trusted -j PRE_trusted_log
> -A PRE_trusted -j PRE_trusted_deny
> -A PRE_trusted -j PRE_trusted_allow
> COMMIT
> # Completed on Fri Oct 14 14:47:44 2016
> # Generated by iptables-save v1.6.0 on Fri Oct 14 14:47:44 2016
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1848:237711]
> :FORWARD_IN_ZONES - [0:0]
> :FORWARD_IN_ZONES_SOURCE - [0:0]
> :FORWARD_OUT_ZONES - [0:0]
> :FORWARD_OUT_ZONES_SOURCE - [0:0]
> :FORWARD_direct - [0:0]
> :FWDI_FedoraWorkstation - [0:0]
> :FWDI_FedoraWorkstation_allow - [0:0]
> :FWDI_FedoraWorkstation_deny - [0:0]
> :FWDI_FedoraWorkstation_log - [0:0]
> :FWDI_dmz - [0:0]
> :FWDI_dmz_allow - [0:0]
> :FWDI_dmz_deny - [0:0]
> :FWDI_dmz_log - [0:0]
> :FWDI_trusted - [0:0]
> :FWDI_trusted_allow - [0:0]
> :FWDI_trusted_deny - [0:0]
> :FWDI_trusted_log - [0:0]
> :FWDO_FedoraWorkstation - [0:0]
> :FWDO_FedoraWorkstation_allow - [0:0]
> :FWDO_FedoraWorkstation_deny - [0:0]
> :FWDO_FedoraWorkstation_log - [0:0]
> :FWDO_dmz - [0:0]
> :FWDO_dmz_allow - [0:0]
> :FWDO_dmz_deny - [0:0]
> :FWDO_dmz_log - [0:0]
> :FWDO_trusted - [0:0]
> :FWDO_trusted_allow - [0:0]
> :FWDO_trusted_deny - [0:0]
> :FWDO_trusted_log - [0:0]
> :INPUT_ZONES - [0:0]
> :INPUT_ZONES_SOURCE - [0:0]
> :INPUT_direct - [0:0]
> :IN_FedoraWorkstation - [0:0]
> :IN_FedoraWorkstation_allow - [0:0]
> :IN_FedoraWorkstation_deny - [0:0]
> :IN_FedoraWorkstation_log - [0:0]
> :IN_dmz - [0:0]
> :IN_dmz_allow - [0:0]
> :IN_dmz_deny - [0:0]
> :IN_dmz_log - [0:0]
> :IN_trusted - [0:0]
> :IN_trusted_allow - [0:0]
> :IN_trusted_deny - [0:0]
> :IN_trusted_log - [0:0]
> :OUTPUT_direct - [0:0]
> -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
> -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
> -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -j INPUT_direct
> -A INPUT -j INPUT_ZONES_SOURCE
> -A INPUT -j INPUT_ZONES
> -A INPUT -m conntrack --ctstate INVALID -j DROP
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -d 192.168.121.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -s 192.168.121.0/24 -i virbr0 -j ACCEPT
> -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
> -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
> -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
> -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i lo -j ACCEPT
> -A FORWARD -j FORWARD_direct
> -A FORWARD -j FORWARD_IN_ZONES_SOURCE
> -A FORWARD -j FORWARD_IN_ZONES
> -A FORWARD -j FORWARD_OUT_ZONES_SOURCE
> -A FORWARD -j FORWARD_OUT_ZONES
> -A FORWARD -m conntrack --ctstate INVALID -j DROP
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
> -A OUTPUT -j OUTPUT_direct
> -A FORWARD_IN_ZONES -i em1 -g FWDI_dmz
> -A FORWARD_IN_ZONES -i bridge0 -g FWDI_dmz
> -A FORWARD_IN_ZONES -i virbr0 -j FWDI_trusted
> -A FORWARD_IN_ZONES -i virbr0-nic -j FWDI_trusted
> -A FORWARD_IN_ZONES -g FWDI_FedoraWorkstation
> -A FORWARD_IN_ZONES_SOURCE -s 192.168.121.0/24 -g FWDI_dmz
> -A FORWARD_IN_ZONES_SOURCE -s 192.168.4.0/24 -g FWDI_dmz
> -A FORWARD_OUT_ZONES -o em1 -g FWDO_dmz
> -A FORWARD_OUT_ZONES -o bridge0 -g FWDO_dmz
> -A FORWARD_OUT_ZONES -o virbr0 -j FWDO_trusted
> -A FORWARD_OUT_ZONES -o virbr0-nic -j FWDO_trusted
> -A FORWARD_OUT_ZONES -g FWDO_FedoraWorkstation
> -A FORWARD_OUT_ZONES_SOURCE -d 192.168.121.0/24 -g FWDO_dmz
> -A FORWARD_OUT_ZONES_SOURCE -d 192.168.4.0/24 -g FWDO_dmz
> -A FWDI_FedoraWorkstation -j FWDI_FedoraWorkstation_log
> -A FWDI_FedoraWorkstation -j FWDI_FedoraWorkstation_deny
> -A FWDI_FedoraWorkstation -j FWDI_FedoraWorkstation_allow
> -A FWDI_FedoraWorkstation -p icmp -j ACCEPT
> -A FWDI_dmz -j FWDI_dmz_log
> -A FWDI_dmz -j FWDI_dmz_deny
> -A FWDI_dmz -j FWDI_dmz_allow
> -A FWDI_dmz -p icmp -j ACCEPT
> -A FWDI_trusted -j FWDI_trusted_log
> -A FWDI_trusted -j FWDI_trusted_deny
> -A FWDI_trusted -j FWDI_trusted_allow
> -A FWDI_trusted -j ACCEPT
> -A FWDO_FedoraWorkstation -j FWDO_FedoraWorkstation_log
> -A FWDO_FedoraWorkstation -j FWDO_FedoraWorkstation_deny
> -A FWDO_FedoraWorkstation -j FWDO_FedoraWorkstation_allow
> -A FWDO_dmz -j FWDO_dmz_log
> -A FWDO_dmz -j FWDO_dmz_deny
> -A FWDO_dmz -j FWDO_dmz_allow
> -A FWDO_trusted -j FWDO_trusted_log
> -A FWDO_trusted -j FWDO_trusted_deny
> -A FWDO_trusted -j FWDO_trusted_allow
> -A FWDO_trusted -j ACCEPT
> -A INPUT_ZONES -i em1 -g IN_dmz
> -A INPUT_ZONES -i bridge0 -g IN_dmz
> -A INPUT_ZONES -i virbr0 -j IN_trusted
> -A INPUT_ZONES -i virbr0-nic -j IN_trusted
> -A INPUT_ZONES -g IN_FedoraWorkstation
> -A INPUT_ZONES_SOURCE -s 192.168.121.0/24 -g IN_dmz
> -A INPUT_ZONES_SOURCE -s 192.168.4.0/24 -g IN_dmz
> -A IN_FedoraWorkstation -j IN_FedoraWorkstation_log
> -A IN_FedoraWorkstation -j IN_FedoraWorkstation_deny
> -A IN_FedoraWorkstation -j IN_FedoraWorkstation_allow
> -A IN_FedoraWorkstation -p icmp -j ACCEPT
> -A IN_FedoraWorkstation_allow -p tcp -m tcp --dport 111 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_FedoraWorkstation_allow -p udp -m udp --dport 111 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_FedoraWorkstation_allow -p tcp -m tcp --dport 20048 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_FedoraWorkstation_allow -p udp -m udp --dport 20048 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_FedoraWorkstation_allow -p tcp -m tcp --dport 2049 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_FedoraWorkstation_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_FedoraWorkstation_allow -p udp -m udp --dport 137 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_FedoraWorkstation_allow -p udp -m udp --dport 138 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_FedoraWorkstation_allow -p udp -m udp --dport 1025:65535 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_FedoraWorkstation_allow -p tcp -m tcp --dport 1025:65535 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_dmz -j IN_dmz_log
> -A IN_dmz -j IN_dmz_deny
> -A IN_dmz -j IN_dmz_allow
> -A IN_dmz -p icmp -j ACCEPT
> -A IN_dmz_allow -p tcp -m tcp --dport 5900:5903 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_dmz_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_dmz_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_dmz_allow -p tcp -m tcp --dport 5500 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_dmz_allow -p tcp -m tcp --dport 2222 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_dmz_allow -p tcp -m tcp --dport 6881:6890 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_dmz_allow -s 192.168.4.0/24 -p tcp -m tcp --dport 9091 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_dmz_allow -s 192.168.4.0/24 -p tcp -m tcp --dport 20048 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_dmz_allow -s 192.168.4.0/24 -p udp -m udp --dport 20048 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_dmz_allow -s 192.168.4.0/24 -p tcp -m tcp --dport 111 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_dmz_allow -s 192.168.4.0/24 -p udp -m udp --dport 111 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_dmz_allow -s 192.168.4.0/24 -p tcp -m tcp --dport 5001 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_dmz_allow -s 192.168.4.0/24 -p tcp -m tcp --dport 9000 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_dmz_allow -s 192.168.4.0/24 -p tcp -m tcp --dport 2049 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_trusted -j IN_trusted_log
> -A IN_trusted -j IN_trusted_deny
> -A IN_trusted -j IN_trusted_allow
> -A IN_trusted -j ACCEPT
> -A IN_trusted_allow -p tcp -m tcp --dport 111 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_trusted_allow -p udp -m udp --dport 111 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_trusted_allow -p tcp -m tcp --dport 2049 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_trusted_allow -p tcp -m tcp --dport 20048 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_trusted_allow -p udp -m udp --dport 20048 -m conntrack --ctstate NEW -j ACCEPT
> COMMIT
> # Completed on Fri Oct 14 14:47:44 2016

> --- iptables.onBoot	2016-10-14 14:47:44.481693854 -0600
> +++ iptables.afterDockerService	2016-10-14 14:49:48.717627103 -0600
> @@ -38,7 +39,10 @@
>  -A PREROUTING -j PREROUTING_direct
>  -A PREROUTING -j PREROUTING_ZONES_SOURCE
>  -A PREROUTING -j PREROUTING_ZONES
> +-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
>  -A OUTPUT -j OUTPUT_direct
> +-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
> +-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
>  -A POSTROUTING -s 192.168.121.0/24 -d 224.0.0.0/24 -j RETURN
>  -A POSTROUTING -s 192.168.121.0/24 -d 255.255.255.255/32 -j RETURN
>  -A POSTROUTING -s 192.168.121.0/24 ! -d 192.168.121.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
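Review bot: the `-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER` and `-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER` lines in this hunk carry no `-i`/`-o` match, so every packet addressed to any local IP, whichever interface it arrived on (em1, bridge0, virbr0), is diverted through the nat DOCKER chain; if docker0-only handling is the intent, this is where the interface constraint the reply suggests would go. Separately, the header `@@ -38,7 +39,10 @@` shows one added line before this hunk that the quoted diff omits: in the full after-docker dump it is the `:DOCKER - [0:0]` chain declaration, which the `-j DOCKER` rules here depend on, so it should stay in the diff even when the counter noise is stripped.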
> @@ -47,6 +51,7 @@
>  -A POSTROUTING -j POSTROUTING_direct
>  -A POSTROUTING -j POSTROUTING_ZONES_SOURCE
>  -A POSTROUTING -j POSTROUTING_ZONES
> +-A DOCKER -i docker0 -j RETURN
>  -A POSTROUTING_ZONES -o em1 -g POST_dmz
>  -A POSTROUTING_ZONES -o bridge0 -g POST_dmz
>  -A POSTROUTING_ZONES -o virbr0 -j POST_trusted
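Review bot: `-A DOCKER -i docker0 -j RETURN` is the only rule the nat DOCKER chain receives, so a packet sent into it from any other interface by the PREROUTING/OUTPUT jumps above falls off the end of the chain and continues in the calling chain with nothing rewritten; as dumped, the chain neither drops nor NATs non-docker traffic, which is worth stating before attributing the VM breakage to it. The chain only starts to matter once published container ports put DNAT rules into it.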
> @@ -155,12 +160,14 @@
> # Completed on Fri Oct 14 14:49:48 2016
> # Generated by iptables-save v1.6.0 on Fri Oct 14 14:49:48 2016
>  *filter
>  :INPUT ACCEPT [0:0]
>  :FORWARD ACCEPT [0:0]
>  :OUTPUT ACCEPT [1848:237711]
> +:DOCKER - [0:0]
> +:DOCKER-ISOLATION - [0:0]
>  :FORWARD_IN_ZONES - [0:0]
>  :FORWARD_IN_ZONES_SOURCE - [0:0]
>  :FORWARD_OUT_ZONES - [0:0]
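Review bot: the `# Completed on` and `# Generated by` lines at the top of this hunk are context lines that have lost their leading space and carry the 14:49:48 timestamp of the after file, so the diff as quoted no longer applies with patch(1); since the timestamp and counter differences were edited out by hand, running both files through a filter that strips `[n:m]` counters and the `# Generated`/`# Completed` comments before diffing would give a clean, reapplicable patch.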
> @@ -217,6 +224,11 @@
>  -A INPUT -j INPUT_ZONES
>  -A INPUT -m conntrack --ctstate INVALID -j DROP
>  -A INPUT -j REJECT --reject-with icmp-host-prohibited
> +-A FORWARD -j DOCKER-ISOLATION
> +-A FORWARD -o docker0 -j DOCKER
> +-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> +-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
> +-A FORWARD -i docker0 -o docker0 -j ACCEPT
>  -A FORWARD -d 192.168.121.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>  -A FORWARD -s 192.168.121.0/24 -i virbr0 -j ACCEPT
>  -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
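Review bot: the five FORWARD rules are inserted ahead of libvirt's virbr0 rules and firewalld's FORWARD_IN_ZONES dispatch, and `-A FORWARD -i docker0 ! -o docker0 -j ACCEPT` accepts any forwarded packet from a container to any other interface, bridge0 and virbr0 included, before those later rules are consulted; container-to-VM traffic therefore takes precedence over libvirt's `-o virbr0 -j REJECT`, which is the ordering to call out if containers are not meant to reach guests. None of these rules matches traffic entering on bridge0, so bridged VMs losing connectivity after docker starts is not explained by this hunk alone; the chain still ends in `-j REJECT --reject-with icmp-host-prohibited`, so the question is whether bridged frames started traversing FORWARD at all (the `/proc/sys/net/bridge/bridge-nf-call-iptables` setting), which this diff cannot show.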
> @@ -233,6 +245,7 @@
>  -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>  -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
>  -A OUTPUT -j OUTPUT_direct
> +-A DOCKER-ISOLATION -j RETURN
>  -A FORWARD_IN_ZONES -i em1 -g FWDI_dmz
>  -A FORWARD_IN_ZONES -i bridge0 -g FWDI_dmz
>  -A FORWARD_IN_ZONES -i virbr0 -j FWDI_trusted
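Review bot: DOCKER-ISOLATION here consists of a single `-j RETURN`, so with only the default docker0 bridge it is an empty placeholder and the `-A FORWARD -j DOCKER-ISOLATION` jump in the previous hunk changes nothing; no change needed, but it saves a reader of the FORWARD chain from looking for isolation rules that are not there.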
> 

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx



