[pve-devel] pvefw security group question
Dietmar Maurer
dietmar at proxmox.com
Wed Feb 19 08:03:57 CET 2014
> Not sure, you do a goto PVE_SPECIAL_ACCEPT, so it's finished in
> PVE_SPECIAL_ACCEPT.
>
> But how do you go into vmbrX-IN to check the destination's inbound rules?
Here is an example:
...
create PVEFW-SET-ACCEPT-MARK (uGWkX9NXBZni/I1q1QPuKX6AX5w)
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-mark 1
create GROUP-group1-IN (ero56fv6+VERm+VzEg8tBYCeC3Q)
-A GROUP-group1-IN -p tcp --dport 22 -j ACCEPT
create GROUP-group1-OUT (ftsSscJQ0Ev+Oi9l72TJRxz5UjE)
-A GROUP-group1-OUT -j MARK --set-mark 0
-A GROUP-group1-OUT -p tcp --dport 80 -g PVEFW-SET-ACCEPT-MARK
update tap100i0-OUT (iXbuWZcc7VZC6uexpZjL4Nwg5uY)
-A tap100i0-OUT -m state --state INVALID -j DROP
-A tap100i0-OUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A tap100i0-OUT -m mac ! --mac-source 0E:0B:38:B8:B3:21 -j DROP
-A tap100i0-OUT -j GROUP-group1-OUT
-A tap100i0-OUT -m mark --mark 1 -j vmbr0-IN
-A tap100i0-OUT -j LOG --log-prefix "tap100i0-OUT-dropped: " --log-level 4
-A tap100i0-OUT -j DROP
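The mechanism the compile output above relies on is easier to see by tracing a packet through the chains. The following is an added example written for this thread, not pve-firewall code: a small model of iptables chain traversal (-j returns to the calling chain on fall-through, -g does not) loaded with the chains quoted above. Everything on the destination side is an assumption: vmbr0-IN and tap101i0-IN are not in the post and are constructed here to stand in for a second VM (101) in the same security group, with vmbr0-IN dispatching on the outgoing bridge port the way a physdev match would.

```python
"""Trace how the accept mark carries a packet from tap100i0-OUT into vmbr0-IN.

Added example for the pve-devel thread; not pve-firewall code. The chains
PVEFW-SET-ACCEPT-MARK, GROUP-group1-IN, GROUP-group1-OUT and tap100i0-OUT are
transcribed from the compile output in the post. vmbr0-IN and tap101i0-IN are
ASSUMED (a destination VM 101 in the same group); they are not from the post.
"""
from dataclasses import dataclass, field

VM100_MAC = "0E:0B:38:B8:B3:21"          # from the post's "! --mac-source" rule


@dataclass
class Packet:
    proto: str = "tcp"
    dport: int = 0
    mac_src: str = VM100_MAC
    state: str = "NEW"
    physdev_out: str = "tap101i0"         # assumed bridge port of the destination
    mark: int = 0


@dataclass
class Rule:
    target: str                           # ACCEPT / DROP / LOG / MARK or a chain
    match: dict = field(default_factory=dict)
    goto: bool = False                    # True models "-g", False models "-j"
    set_mark: int = 0                     # only read when target == "MARK"

    def matches(self, pkt: Packet) -> bool:
        for key, want in self.match.items():
            if key == "not_mac_src":      # "-m mac ! --mac-source X"
                if pkt.mac_src == want:
                    return False
            elif key == "state":          # "-m state --state A,B"
                if pkt.state not in want:
                    return False
            elif getattr(pkt, key) != want:
                return False
        return True


def walk(chains, name, pkt, trace):
    """Evaluate user chain `name`; return ACCEPT/DROP, or None on fall-through."""
    for rule in chains[name]:
        if not rule.matches(pkt):
            continue
        trace.append(f"{name}: -{'g' if rule.goto else 'j'} {rule.target}")
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        if rule.target == "MARK":
            pkt.mark = rule.set_mark      # non-terminating, like iptables MARK
        elif rule.target == "LOG":
            pass                          # non-terminating, like iptables LOG
        elif rule.goto:
            # -g: if the called chain falls through, control returns to OUR
            # caller, so the remaining rules of this chain are never evaluated.
            return walk(chains, rule.target, pkt, trace)
        else:
            verdict = walk(chains, rule.target, pkt, trace)
            if verdict is not None:
                return verdict
    return None


def build_chains(group_out_tail=None, use_goto=True):
    """Chains from the post plus the assumed destination chains. The two
    parameters exist only for compare_goto_and_jump() below."""
    group_out = [
        Rule("MARK", set_mark=0),
        Rule("PVEFW-SET-ACCEPT-MARK", {"proto": "tcp", "dport": 80}, goto=use_goto),
    ] + (group_out_tail or [])
    return {
        "PVEFW-SET-ACCEPT-MARK": [Rule("MARK", set_mark=1)],
        "GROUP-group1-IN": [Rule("ACCEPT", {"proto": "tcp", "dport": 22})],
        "GROUP-group1-OUT": group_out,
        "tap100i0-OUT": [
            Rule("DROP", {"state": {"INVALID"}}),
            Rule("ACCEPT", {"state": {"RELATED", "ESTABLISHED"}}),
            Rule("DROP", {"not_mac_src": VM100_MAC}),
            Rule("GROUP-group1-OUT"),
            Rule("vmbr0-IN", {"mark": 1}),   # only marked packets reach the bridge chain
            Rule("LOG"),
            Rule("DROP"),
        ],
        # ASSUMED: bridge chain dispatches on the outgoing port to the destination
        # VM's inbound chain, which applies the group's -IN rules then drops.
        "vmbr0-IN": [Rule("tap101i0-IN", {"physdev_out": "tap101i0"})],
        "tap101i0-IN": [Rule("GROUP-group1-IN"), Rule("DROP")],
    }


def filter_from_vm100(pkt, chains=None):
    """Run one packet leaving VM 100; returns (verdict, list of rules hit)."""
    trace = []
    return walk(chains or build_chains(), "tap100i0-OUT", pkt, trace), trace


def compare_goto_and_jump():
    """Constructed variant: append a DROP to GROUP-group1-OUT and build it once
    with -g (as in the post) and once with -j, to show what goto changes."""
    out = {}
    for flag in (True, False):
        chains = build_chains(group_out_tail=[Rule("DROP")], use_goto=flag)
        verdict, trace = filter_from_vm100(Packet(dport=80), chains)
        out["-g" if flag else "-j"] = (verdict, trace[-1])
    return out


if __name__ == "__main__":
    for label, pkt in [("tcp/80 new", Packet(dport=80)),
                       ("tcp/22 new", Packet(dport=22)),
                       ("tcp/80 spoofed MAC", Packet(dport=80, mac_src="0E:00:00:00:00:01")),
                       ("tcp/80 established", Packet(dport=80, state="ESTABLISHED"))]:
        verdict, trace = filter_from_vm100(pkt)
        print(f"{label:20} -> {verdict:6} via " + " | ".join(trace))
    print(compare_goto_and_jump())
```

Running it shows the answer to the question: a new tcp/80 packet is marked 1 inside GROUP-group1-OUT, falls back to tap100i0-OUT, matches `-m mark --mark 1 -j vmbr0-IN` and is then judged by the destination's chain (with the assumed chains above it is dropped there, since GROUP-group1-IN only accepts tcp/22). A tcp/22 packet is never marked and dies at the LOG/DROP tail of tap100i0-OUT, and a packet with a forged source MAC never reaches the group at all. The comparison function shows the effect of `-g` on a group chain with a trailing DROP: with `-g` the packet leaves the group as soon as the mark is set and reaches vmbr0-IN, with `-j` it returns into the group and hits the DROP first.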