
Wednesday, July 16, 2014

OpenStack Neutron: How to list iptables custom chains of the Filter, NAT, Mangle and Raw iptables tables in a network namespace

1) List all namespaces


#ip netns
qdhcp-7cc88da5-e38b-4a14-a64a-daa931f1d2d2
qrouter-e7189379-ccd9-44f6-804f-820173f30e26

2) List all custom chains of Filter iptables table in a network namespace


#sudo ip netns exec qrouter-e7189379-ccd9-44f6-804f-820173f30e26 iptables -L -t filter

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
neutron-l3-agent-INPUT  all  --  anywhere             anywhere           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
neutron-filter-top  all  --  anywhere             anywhere           
neutron-l3-agent-FORWARD  all  --  anywhere             anywhere           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
neutron-filter-top  all  --  anywhere             anywhere           
neutron-l3-agent-OUTPUT  all  --  anywhere             anywhere           

Chain neutron-filter-top (2 references)
target     prot opt source               destination        
neutron-l3-agent-local  all  --  anywhere             anywhere           

Chain neutron-l3-agent-FORWARD (1 references)
target     prot opt source               destination        

Chain neutron-l3-agent-INPUT (1 references)
target     prot opt source               destination        
ACCEPT     tcp  --  anywhere             localhost            tcp dpt:9697

Chain neutron-l3-agent-OUTPUT (1 references)
target     prot opt source               destination        

Chain neutron-l3-agent-local (1 references)
target     prot opt source               destination

3) List all custom chains of NAT iptables table in a network namespace


#sudo ip netns exec qrouter-e7189379-ccd9-44f6-804f-820173f30e26 iptables -L -t nat


Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        
neutron-l3-agent-PREROUTING  all  --  anywhere             anywhere           

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
neutron-l3-agent-OUTPUT  all  --  anywhere             anywhere           

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination        
neutron-l3-agent-POSTROUTING  all  --  anywhere             anywhere           
neutron-postrouting-bottom  all  --  anywhere             anywhere           

Chain neutron-l3-agent-OUTPUT (1 references)
target     prot opt source               destination        

Chain neutron-l3-agent-POSTROUTING (1 references)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere             ! ctstate DNAT

Chain neutron-l3-agent-PREROUTING (1 references)
target     prot opt source               destination        
REDIRECT   tcp  --  anywhere             169.254.169.254      tcp dpt:http redir ports 9697

Chain neutron-l3-agent-float-snat (1 references)
target     prot opt source               destination        

Chain neutron-l3-agent-snat (1 references)
target     prot opt source               destination        
neutron-l3-agent-float-snat  all  --  anywhere             anywhere           
SNAT       all  --  10.0.0.0/24          anywhere             to:172.24.4.2

Chain neutron-postrouting-bottom (1 references)
target     prot opt source               destination        
neutron-l3-agent-snat  all  --  anywhere             anywhere      

4) List all custom chains of Mangle iptables table in a network namespace


#sudo ip netns exec qrouter-e7189379-ccd9-44f6-804f-820173f30e26 iptables -L -t mangle

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

5) List all custom chains of Raw iptables table in a network namespace


#sudo ip netns exec qrouter-e7189379-ccd9-44f6-804f-820173f30e26 iptables -L -t raw


Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 
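
The listings above mix built-in chains, marked "(policy ...)", with the Neutron-created custom chains, marked "(N references)". The following is an added example, not part of the original post: it keeps only the custom chains and reports each chain's reference count and number of rules. The function names custom_chains, audit_all_namespaces and sample_nat_listing are hypothetical, and the sample input is an excerpt of the nat output from step 3.

```shell
#!/bin/sh
# Added example. Built-in chains are printed as "(policy ...)", user-defined
# chains as "(N references)"; keep only the latter.

# Reads an `iptables -L` listing on stdin; prints "<chain> <refs> <rules>".
custom_chains() {
  awk '
    /^Chain / {
      if (name != "") print name, refs, rules
      name = ""
      if ($NF == "references)") { name = $2; refs = substr($3, 2); rules = 0 }
      next
    }
    /^target +prot +opt/ || /^[ \t]*$/ { next }   # column header, blank line
    name != "" { rules++ }                         # a rule in a custom chain
    END { if (name != "") print name, refs, rules }
  '
}

# Hypothetical helper (needs root and live namespaces): run the parser over
# every table of every namespace. -n skips reverse DNS/service-name lookups.
audit_all_namespaces() {
  for ns in $(ip netns list | awk '{print $1}'); do
    for table in filter nat mangle raw; do
      ip netns exec "$ns" iptables -L -n -t "$table" |
        custom_chains | sed "s|^|$ns $table |"
    done
  done
}

# Constructed sample: excerpt of the nat listing shown in step 3.
sample_nat_listing() {
  cat <<'EOF'
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
neutron-l3-agent-POSTROUTING  all  --  anywhere             anywhere
neutron-postrouting-bottom  all  --  anywhere             anywhere

Chain neutron-l3-agent-PREROUTING (1 references)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             169.254.169.254      tcp dpt:http redir ports 9697

Chain neutron-l3-agent-float-snat (1 references)
target     prot opt source               destination

Chain neutron-l3-agent-snat (1 references)
target     prot opt source               destination
neutron-l3-agent-float-snat  all  --  anywhere             anywhere
SNAT       all  --  10.0.0.0/24          anywhere             to:172.24.4.2
EOF
}

sample_nat_listing | custom_chains
```

A custom chain reported with 0 references is not reachable from any other chain, so its rules never match traffic; call audit_all_namespaces as root to check a live host.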

2 comments:

  1. http://my.safaribooksonline.com/book/operating-systems-and-server-administration/linux/0596004613/4dot-networking/linuxsvrhack-chp-4-sect-5

    http://lists.openstack.org/pipermail/openstack/2013-November/003342.html

  2. http://blog.jwilford.co.uk/post/33238674122/using-a-custom-chain-to-define-a-list-of-trusted-hosts

    http://gr8idea.info/os/tutorials/security/iptables8.html

    http://mylinuxsimple.blogspot.in/2009/09/using-custom-chains-in-iptables.html
