<br>
====IPtables modifications====
:[[File:ClipCapIt-180623-010335.PNG|800px]]
<br>Switches:
* -o, --out-interface name: match the interface a packet leaves through
* -i, --in-interface name: match the interface a packet arrived on
* -p, --protocol: sets the IP protocol for the rule
* -j, --jump: jump to the given target/chain
<br>
DNS and DHCP packets from the virtual bridges are allowed to be sent to the host machine.
<pre>
</pre>
The bridge '''virbrDocker''' can send packets anywhere (first line) and can receive packets back if the connection was previously established (second line):<br>
<pre>
-A FORWARD -d 192.168.123.0/24 -o virbrDocker -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
</pre>
The bridges can send packets to themselves; otherwise everything that is sent to or from the bridges is rejected.
<pre>
-A FORWARD -i virbrDocker -o virbrDocker -j ACCEPT
</pre>
The bridge '''virbrDocker''' can send packets to the outside world. (MASQUERADE is a special SNAT target where the new source IP doesn't have to be specified explicitly; it is taken from the outgoing interface. SNAT replaces the source IP address of the packet with the public IP address of our system.)
Last two lines: the bridge can't send anything to the multicast and broadcast addresses (the RETURN target leaves the POSTROUTING chain without applying any NAT to these packets).
<pre>
-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.123.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.123.0/24 -d 255.255.255.255/32 -j RETURN
</pre>
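The following audit script is an added example, not part of the original page or of Docker/libvirt. It checks an <code>iptables-save</code> dump for the POSTROUTING rules discussed above and also verifies their order: iptables evaluates a chain top-down, so the multicast/broadcast RETURN rules only take effect if they sit above the catch-all MASQUERADE rule. The sample dump and the helper name <code>check_masq_rules</code> are constructed for this example.

```shell
#!/bin/sh
# Constructed sample in iptables-save format (not captured from a real host). Same rules as
# the listing above, with the RETURN rules first so that they are reached before MASQUERADE.
SAMPLE_NAT='*nat
-A POSTROUTING -s 192.168.123.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.123.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE
COMMIT'

# Constructed broken variant: the catch-all MASQUERADE shadows the RETURN rules below it.
BROKEN_NAT='*nat
-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.123.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.123.0/24 -d 255.255.255.255/32 -j RETURN
COMMIT'

# check_masq_rules SUBNET   (reads an iptables-save dump on stdin; hypothetical helper)
# Prints one line per problem found and returns the number of problems (0 = OK).
check_masq_rules() {
  awk -v subnet="$1" '
    # Only POSTROUTING rules whose source is the bridge subnet are of interest.
    $1 == "-A" && $2 == "POSTROUTING" && $3 == "-s" && $4 == subnet {
      n++                                   # position of this rule within the chain
      if ($5 == "-d" && $6 == "224.0.0.0/24" && $NF == "RETURN") mcast = n
      if ($5 == "-d" && $6 == "255.255.255.255/32" && $NF == "RETURN") bcast = n
      if ($5 == "!" && $6 == "-d" && $7 == subnet && $0 ~ /-j MASQUERADE/ && !masq) masq = n
    }
    END {
      bad = 0
      if (!mcast) { print "missing: RETURN for multicast 224.0.0.0/24"; bad++ }
      if (!bcast) { print "missing: RETURN for broadcast 255.255.255.255/32"; bad++ }
      if (!masq)  { print "missing: MASQUERADE for " subnet; bad++ }
      else if ((mcast && mcast > masq) || (bcast && bcast > masq)) {
        # First match wins: a catch-all MASQUERADE above the RETURN rules shadows them.
        print "order: RETURN rules come after MASQUERADE and can never match"; bad++
      }
      exit bad
    }'
}

# Stand-alone run: audit the good sample and the broken variant.
printf '%s\n' "$SAMPLE_NAT" | check_masq_rules 192.168.123.0/24 && echo "sample: OK"
printf '%s\n' "$BROKEN_NAT" | check_masq_rules 192.168.123.0/24 || echo "broken sample: problems found"
```

On a real host, feed it the live ruleset with <code>iptables-save -t nat | check_masq_rules 192.168.123.0/24</code>.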