1) List all namespaces
# ip netns
qdhcp-7cc88da5-e38b-4a14-a64a-daa931f1d2d2
qrouter-e7189379-ccd9-44f6-804f-820173f30e26
2) List all iptables chains and rules of the filter, nat, mangle and raw tables in a network namespace
# sudo ip netns exec qrouter-e7189379-ccd9-44f6-804f-820173f30e26 iptables-save
# Generated by iptables-save v1.4.21 on Wed Jul 16 17:53:18 2014
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [8:564]
COMMIT
# Completed on Wed Jul 16 17:53:18 2014
# Generated by iptables-save v1.4.21 on Wed Jul 16 17:53:18 2014
*nat
:PREROUTING ACCEPT [6:681]
:INPUT ACCEPT [2:393]
:OUTPUT ACCEPT [15:970]
:POSTROUTING ACCEPT [8:550]
:neutron-l3-agent-OUTPUT - [0:0]
:neutron-l3-agent-POSTROUTING - [0:0]
:neutron-l3-agent-PREROUTING - [0:0]
:neutron-l3-agent-float-snat - [0:0]
:neutron-l3-agent-snat - [0:0]
:neutron-postrouting-bottom - [0:0]
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A neutron-l3-agent-POSTROUTING ! -i qg-77a4ae69-e3 ! -o qg-77a4ae69-e3 -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-l3-agent-snat -s 10.0.0.0/24 -j SNAT --to-source 172.24.4.2
-A neutron-postrouting-bottom -j neutron-l3-agent-snat
COMMIT
# Completed on Wed Jul 16 17:53:18 2014
# Generated by iptables-save v1.4.21 on Wed Jul 16 17:53:18 2014
*mangle
:PREROUTING ACCEPT [311:33164]
:INPUT ACCEPT [64:6090]
:FORWARD ACCEPT [247:27074]
:OUTPUT ACCEPT [86:7130]
:POSTROUTING ACCEPT [333:34204]
COMMIT
# Completed on Wed Jul 16 17:53:18 2014
# Generated by iptables-save v1.4.21 on Wed Jul 16 17:53:18 2014
*filter
:INPUT ACCEPT [29:3778]
:FORWARD ACCEPT [247:27074]
:OUTPUT ACCEPT [86:7130]
:neutron-filter-top - [0:0]
:neutron-l3-agent-FORWARD - [0:0]
:neutron-l3-agent-INPUT - [0:0]
:neutron-l3-agent-OUTPUT - [0:0]
:neutron-l3-agent-local - [0:0]
-A INPUT -j neutron-l3-agent-INPUT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-l3-agent-FORWARD
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A neutron-filter-top -j neutron-l3-agent-local
-A neutron-l3-agent-INPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9697 -j ACCEPT
COMMIT
# Completed on Wed Jul 16 17:53:18 2014
3) List all chains and rules of the filter table in a network namespace
# sudo ip netns exec qrouter-e7189379-ccd9-44f6-804f-820173f30e26 iptables -t filter --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
neutron-l3-agent-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- anywhere anywhere
neutron-l3-agent-FORWARD all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- anywhere anywhere
neutron-l3-agent-OUTPUT all -- anywhere anywhere
Chain neutron-filter-top (2 references)
target prot opt source destination
neutron-l3-agent-local all -- anywhere anywhere
Chain neutron-l3-agent-FORWARD (1 references)
target prot opt source destination
Chain neutron-l3-agent-INPUT (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere localhost tcp dpt:9697
Chain neutron-l3-agent-OUTPUT (1 references)
target prot opt source destination
Chain neutron-l3-agent-local (1 references)
target prot opt source destination
4) List all chains and rules of the nat table in a network namespace
# sudo ip netns exec qrouter-e7189379-ccd9-44f6-804f-820173f30e26 iptables -t nat --list
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
neutron-l3-agent-PREROUTING all -- anywhere anywhere
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
neutron-l3-agent-OUTPUT all -- anywhere anywhere
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
neutron-l3-agent-POSTROUTING all -- anywhere anywhere
neutron-postrouting-bottom all -- anywhere anywhere
Chain neutron-l3-agent-OUTPUT (1 references)
target prot opt source destination
Chain neutron-l3-agent-POSTROUTING (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ! ctstate DNAT
Chain neutron-l3-agent-PREROUTING (1 references)
target prot opt source destination
REDIRECT tcp -- anywhere 169.254.169.254 tcp dpt:http redir ports 9697
Chain neutron-l3-agent-float-snat (1 references)
target prot opt source destination
Chain neutron-l3-agent-snat (1 references)
target prot opt source destination
neutron-l3-agent-float-snat all -- anywhere anywhere
SNAT all -- 10.0.0.0/24 anywhere to:172.24.4.2
Chain neutron-postrouting-bottom (1 references)
target prot opt source destination
neutron-l3-agent-snat all -- anywhere anywhere
5) List all chains and rules of the mangle table in a network namespace
# sudo ip netns exec qrouter-e7189379-ccd9-44f6-804f-820173f30e26 iptables -t mangle --list
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
6) List all chains and rules of the raw table in a network namespace
# sudo ip netns exec qrouter-e7189379-ccd9-44f6-804f-820173f30e26 iptables -t raw --list
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
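Added example (not part of the original post): the steps above inspect one namespace at a time, so this script runs iptables-save in every namespace and keeps only the rules that rewrite addresses or ports, such as the metadata REDIRECT and the SNAT rule shown in step 2. The function names nat_rules, audit_all_netns and sample_save are made up for this example; it assumes it is run as root.

```shell
#!/bin/sh
# Added example, not from the original post. Run as root, like the commands above.

# Read iptables-save text on stdin and print "<table> <rule>" for every rule
# whose target rewrites addresses or ports.
nat_rules() {
    awk '
        /^\*/  { table = substr($0, 2); next }   # "*nat" opens a table section
        /^-A / {
            for (i = 3; i < NF; i++)
                if ($i == "-j" && $(i + 1) ~ /^(SNAT|DNAT|REDIRECT|MASQUERADE)$/) {
                    print table, $0
                    break
                }
        }'
}

# Run iptables-save in every namespace and prefix each hit with the namespace.
# Newer iproute2 prints "name (id: N)", so only the first field is used.
audit_all_netns() {
    ip netns list | awk '{ print $1 }' | while read -r ns; do
        ip netns exec "$ns" iptables-save 2>/dev/null | nat_rules | sed "s|^|$ns |"
    done
}

# Sample input, assembled from the iptables-save output in step 2.
sample_save() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [6:681]
:neutron-l3-agent-snat - [0:0]
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-l3-agent-snat -s 10.0.0.0/24 -j SNAT --to-source 172.24.4.2
COMMIT
*filter
-A neutron-l3-agent-INPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9697 -j ACCEPT
COMMIT
EOF
}

# Offline demonstration on the sample; on a real host call audit_all_netns.
sample_save | nat_rules
```

Saving the output of audit_all_netns and diffing it between runs shows when a namespace gains or loses a translation rule.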
http://www.thegeekstuff.com/2011/01/iptables-fundamentals/