1)
List all network namespaces
#ip netns
qdhcp-7cc88da5-e38b-4a14-a64a-daa931f1d2d2
qrouter-e7189379-ccd9-44f6-804f-820173f30e26
2)
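List all chains (built-in and custom) of the filter iptables table in a network namespace. Note that `iptables -L` without `-v` omits the interface columns and packet counters, so a rule shown as `all -- anywhere anywhere` may be narrower than it looks; add `-n -v` (or use `iptables -S`) when auditing the rules.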
#sudo ip netns exec qrouter-e7189379-ccd9-44f6-804f-820173f30e26 iptables -L -t filter
Chain INPUT (policy ACCEPT)
target prot opt source destination
neutron-l3-agent-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- anywhere anywhere
neutron-l3-agent-FORWARD all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- anywhere anywhere
neutron-l3-agent-OUTPUT all -- anywhere anywhere
Chain neutron-filter-top (2 references)
target prot opt source destination
neutron-l3-agent-local all -- anywhere anywhere
Chain neutron-l3-agent-FORWARD (1 references)
target prot opt source destination
Chain neutron-l3-agent-INPUT (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere localhost tcp dpt:9697
Chain neutron-l3-agent-OUTPUT (1 references)
target prot opt source destination
Chain neutron-l3-agent-local (1 references)
target prot opt source destination
3)
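List all chains (built-in and custom) of the nat iptables table in a network namespace. In the output below, the REDIRECT rule in neutron-l3-agent-PREROUTING sends HTTP requests for the metadata address 169.254.169.254 to local port 9697 (where the Neutron metadata proxy normally listens), and the SNAT rule rewrites traffic from 10.0.0.0/24 to the source address 172.24.4.2.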
#sudo ip netns exec qrouter-e7189379-ccd9-44f6-804f-820173f30e26 iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
neutron-l3-agent-PREROUTING all -- anywhere anywhere
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
neutron-l3-agent-OUTPUT all -- anywhere anywhere
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
neutron-l3-agent-POSTROUTING all -- anywhere anywhere
neutron-postrouting-bottom all -- anywhere anywhere
Chain neutron-l3-agent-OUTPUT (1 references)
target prot opt source destination
Chain neutron-l3-agent-POSTROUTING (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ! ctstate DNAT
Chain neutron-l3-agent-PREROUTING (1 references)
target prot opt source destination
REDIRECT tcp -- anywhere 169.254.169.254 tcp dpt:http redir ports 9697
Chain neutron-l3-agent-float-snat (1 references)
target prot opt source destination
Chain neutron-l3-agent-snat (1 references)
target prot opt source destination
neutron-l3-agent-float-snat all -- anywhere anywhere
SNAT all -- 10.0.0.0/24 anywhere to:172.24.4.2
Chain neutron-postrouting-bottom (1 references)
target prot opt source destination
neutron-l3-agent-snat all -- anywhere anywhere
4)
List all chains of the mangle iptables table in a network namespace (in this router namespace only the empty built-in chains exist; there are no custom chains)
#sudo ip netns exec qrouter-e7189379-ccd9-44f6-804f-820173f30e26 iptables -L -t mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
5)
List all chains of the raw iptables table in a network namespace (in this router namespace only the empty built-in chains exist; there are no custom chains)
#sudo ip netns exec qrouter-e7189379-ccd9-44f6-804f-820173f30e26 iptables -L -t raw
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
List all network namespaces
#ip netns
qdhcp-7cc88da5-e38b-4a14-a64a-daa931f1d2d2
qrouter-e7189379-ccd9-44f6-804f-820173f30e26
2)
List all chains (built-in and custom) of the filter iptables table in a network namespace
#sudo ip netns exec qrouter-e7189379-ccd9-44f6-804f-820173f30e26 iptables -L -t filter
Chain INPUT (policy ACCEPT)
target prot opt source destination
neutron-l3-agent-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- anywhere anywhere
neutron-l3-agent-FORWARD all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- anywhere anywhere
neutron-l3-agent-OUTPUT all -- anywhere anywhere
Chain neutron-filter-top (2 references)
target prot opt source destination
neutron-l3-agent-local all -- anywhere anywhere
Chain neutron-l3-agent-FORWARD (1 references)
target prot opt source destination
Chain neutron-l3-agent-INPUT (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere localhost tcp dpt:9697
Chain neutron-l3-agent-OUTPUT (1 references)
target prot opt source destination
Chain neutron-l3-agent-local (1 references)
target prot opt source destination
3)
List all chains (built-in and custom) of the nat iptables table in a network namespace
#sudo ip netns exec qrouter-e7189379-ccd9-44f6-804f-820173f30e26 iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
neutron-l3-agent-PREROUTING all -- anywhere anywhere
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
neutron-l3-agent-OUTPUT all -- anywhere anywhere
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
neutron-l3-agent-POSTROUTING all -- anywhere anywhere
neutron-postrouting-bottom all -- anywhere anywhere
Chain neutron-l3-agent-OUTPUT (1 references)
target prot opt source destination
Chain neutron-l3-agent-POSTROUTING (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ! ctstate DNAT
Chain neutron-l3-agent-PREROUTING (1 references)
target prot opt source destination
REDIRECT tcp -- anywhere 169.254.169.254 tcp dpt:http redir ports 9697
Chain neutron-l3-agent-float-snat (1 references)
target prot opt source destination
Chain neutron-l3-agent-snat (1 references)
target prot opt source destination
neutron-l3-agent-float-snat all -- anywhere anywhere
SNAT all -- 10.0.0.0/24 anywhere to:172.24.4.2
Chain neutron-postrouting-bottom (1 references)
target prot opt source destination
neutron-l3-agent-snat all -- anywhere anywhere
4)
List all chains of the mangle iptables table in a network namespace
#sudo ip netns exec qrouter-e7189379-ccd9-44f6-804f-820173f30e26 iptables -L -t mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
5)
List all chains of the raw iptables table in a network namespace
#sudo ip netns exec qrouter-e7189379-ccd9-44f6-804f-820173f30e26 iptables -L -t raw
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
http://my.safaribooksonline.com/book/operating-systems-and-server-administration/linux/0596004613/4dot-networking/linuxsvrhack-chp-4-sect-5
http://lists.openstack.org/pipermail/openstack/2013-November/003342.html
http://blog.jwilford.co.uk/post/33238674122/using-a-custom-chain-to-define-a-list-of-trusted-hosts
http://gr8idea.info/os/tutorials/security/iptables8.html
http://mylinuxsimple.blogspot.in/2009/09/using-custom-chains-in-iptables.html