On 1/9/23 14:26, Carlos E. R. wrote:

On 2023-01-09 23:23, Marc Chamberlin wrote:

...

Hi -  I am running an OpenSuSE 15.4 x64 using Firewalld with iptables as the backend.

firewall-cmd -V 0.9.3

I also use Knockd and port knocks to open and close various ports on this system. (and yes I understand the drawbacks of using port knocking!) The trouble is, Firewalld is blocking the knocks and preventing the knockd.service daemon from hearing them.

Maybe just open the ports used for knocking?

Thanks Carlos for your reply, yeah I tried that already 😁, no joy... 😭 -- *"The Truth is out there" - Spooky* *_   _   .   .   .       .   .   .   _ _       .   _   _   _   _   .       .   .   .           _   .   .       .           .   _   _       .   _       _ _   .   .   .       .   _   _   .       _   .   .   _   .   _   _           _   _       .   _       .   _   .     _   .   _   . * Computers: the final frontier. These are the voyages of the user Marc. His mission: to explore strange new hardware. To seek out new software and new applications. To boldly go where no Marc has gone before! (/This email is digitally signed and the OpenPGP electronic signature is added as an attachment. If you know how, you can use my public key to prove this email indeed came from me and has not been modified in transit. My public key, which can be used for sending encrypted email to me also, can be found at - https://keys.openpgp.org/search?q=marc@marcchamberlin.com or just ask me for it and I will send it to you as an attachment. If you don't understand all this geek speak, no worries, just ignore this explanation and ignore the OpenPGP signature key attached to this email (it will look like gibberish if you open it) and/or ask me to explain it further if you like./)

On 1/10/23 20:13, Andrei Borzenkov wrote:

On 10.01.2023 23:38, Marc Chamberlin wrote:

...

On 1/9/23 14:26, Carlos E. R. wrote:

...

On 2023-01-09 23:23, Marc Chamberlin wrote:

...

Hi -  I am running an OpenSuSE 15.4 x64 using Firewalld with iptables as the backend.

firewall-cmd -V 0.9.3

I also use Knockd and port knocks to open and close various ports on this system. (and yes I understand the drawbacks of using port knocking!) The trouble is, Firewalld is blocking the knocks and preventing the knockd.service daemon from hearing them.

Maybe just open the ports used for knocking?

Thanks Carlos for your reply, yeah I tried that already

You forgot to show your firewalld configuration that you tried.

...

😁, no joy... 😭

Hi Andrei, I am not sure which firewalld configuration file you want me to show, but I will take a stab at it and show /etc/firewalld/firewalld.conf  (without comments) Let me know if you want to see the Zone file(s) or anything else.   Marc....

# firewalld config file DefaultZone=public CleanupOnExit=yes Lockdown=no IPv6_rpfilter=yes IndividualCalls=no LogDenied=off FirewallBackend=iptables FlushAllOnReload=no RFC3964_IPv4=yes AllowZoneDrifting=no -- *"The Truth is out there" - Spooky* *_   _   .   .   .       .   .   .   _ _       .   _   _   _   _   .       .   .   .           _   .   .       .           .   _   _       .   _       _ _   .   .   .       .   _   _   .       _   .   .   _   .   _   _           _   _       .   _       .   _   .     _   .   _   . * Computers: the final frontier. These are the voyages of the user Marc. His mission: to explore strange new hardware. To seek out new software and new applications. To boldly go where no Marc has gone before! (/This email is digitally signed and the OpenPGP electronic signature is added as an attachment. If you know how, you can use my public key to prove this email indeed came from me and has not been modified in transit. My public key, which can be used for sending encrypted email to me also, can be found at - https://keys.openpgp.org/search?q=marc@marcchamberlin.com or just ask me for it and I will send it to you as an attachment. If you don't understand all this geek speak, no worries, just ignore this explanation and ignore the OpenPGP signature key attached to this email (it will look like gibberish if you open it) and/or ask me to explain it further if you like./)

On 2023-01-11 07:46, Andrei Borzenkov wrote:

On Wed, Jan 11, 2023 at 8:14 AM Marc Chamberlin <marc@marcchamberlin.com> wrote:

...

On 1/10/23 20:13, Andrei Borzenkov wrote:

...

On 10.01.2023 23:38, Marc Chamberlin wrote:

...

On 1/9/23 14:26, Carlos E. R. wrote:

...

On 2023-01-09 23:23, Marc Chamberlin wrote:

...

Hi - I am running an OpenSuSE 15.4 x64 using Firewalld with iptables as the backend.

firewall-cmd -V 0.9.3

I also use Knockd and port knocks to open and close various ports on this system. (and yes I understand the drawbacks of using port knocking!) The trouble is, Firewalld is blocking the knocks and preventing the knockd.service daemon from hearing them.

Maybe just open the ports used for knocking?

Thanks Carlos for your reply, yeah I tried that already

You forgot to show your firewalld configuration that you tried.

...

😁, no joy... 😭

Hi Andrei, I am not sure which firewalld configuration file you want me to show,

You claimed you "tried to open ports". You show whatever you did to make firewalld to open ports.

I would open them in the GUI. No idea whatsoever of how to show that, except photos. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)

An internet search via duck-duck-go for 'firewalld knockd' provides this link: https://rtmoran.org/port-knocking-with-knockd/ You could adapt the configuration to fit your use. - You could check to see which backend (iptables,nftables) firewalld is using by checking /etc/firewalld/firewalld.conf Mark January 11, 2023 2:20 PM, "Marc Chamberlin" <marc@marcchamberlin.com> wrote:

On 1/10/23 22:46, Andrei Borzenkov wrote:

...

On Wed, Jan 11, 2023 at 8:14 AM Marc Chamberlin <marc@marcchamberlin.com> wrote:

On 1/10/23 20:13, Andrei Borzenkov wrote:

...

On 10.01.2023 23:38, Marc Chamberlin wrote: On 1/9/23 14:26, Carlos E. R. wrote: On 2023-01-09 23:23, Marc Chamberlin wrote: Hi - I am running an OpenSuSE 15.4 x64 using Firewalld with iptables as the backend.

firewall-cmd -V 0.9.3

I also use Knockd and port knocks to open and close various ports on this system. (and yes I understand the drawbacks of using port knocking!) The trouble is, Firewalld is blocking the knocks and preventing the knockd.service daemon from hearing them. Maybe just open the ports used for knocking?

Thanks Carlos for your reply, yeah I tried that already You forgot to show your firewalld configuration that you tried.

😁, no joy... 😭

Hi Andrei, I am not sure which firewalld configuration file you want me to show,

...

You claimed you "tried to open ports". You show whatever you did to make firewalld to open ports.

but I will take a stab at it and show /etc/firewalld/firewalld.conf (without comments)

...

Which has nothing to do with opening ports.

Let me know if you want to see the Zone file(s) or anything else.

...

Again - you need to show what you did to open ports.

Andrei - I am not sure how to show you what I did to open the ports, unless you want me to send you a bunch of screen capture photos. I used the firewall-config GUI, selected my internal zone, and then added the ports I knock on to the Ports section of the GUI. I also selected the TCP protocol because that is what my knock client is using to send the knocks to these ports. This did not work.

If the knockd.service daemon had heard the knocks then it would have used the following command configuration to open that actual port for the service I am trying to access. For example, for SSH, I send the port knock sequence to the ports xxxx,yyyy,zzzz (obscured) and it is these same ports I tried to add to the firewall-config->internal->Ports

[SSH] sequence = xxxx,yyyy,zzzz seq_timeout = 15 tcpflags = syn start_command = /usr/sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport 22 -j ACCEPT cmd_timeout = 300 stop_command = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

This has and does work on OpenSuSE 15.3 without the need to add the knock ports to firewall. It appears that firewalld has changed somehow in OpenSuSE 15.4 and is blocking the knockd.service daemon from hearing them. Something unexpected is happening, it also appears that firewalld.service itself is not hearing the knocks. I added the firewalld debug argument to the list of arguments sent to the firewalld app, and monitored the output to the firewalld log file. No messages about the knocks are reported to the log file!

Marc..

P.S. to all who shared their opinion about my signature, think of it as art. Many artists break the rules, Picasso certainly comes to mind! So I too break a few rules when my artistic side shows up! 😉

--

*"The Truth is out there" - Spooky*

*_ _ . . . . . . _ _ . _ _ _ _ . . . . _ . . . . _ _ . _ _ _ . . . . _ _ . _ . . _ . _ _ _ _ . _ . _ . _ . _ . *

Computers: the final frontier. These are the voyages of the user Marc. His mission: to explore strange new hardware. To seek out new software and new applications. To boldly go where no Marc has gone before!

(/This email is digitally signed and the OpenPGP electronic signature is added as an attachment. If you know how, you can use my public key to prove this email indeed came from me and has not been modified in transit. My public key, which can be used for sending encrypted email to me also, can be found at - https://keys.openpgp.org/search?q=marc@marcchamberlin.com or just ask me for it and I will send it to you as an attachment. If you don't understand all this geek speak, no worries, just ignore this explanation and ignore the OpenPGP signature key attached to this email (it will look like gibberish if you open it) and/or ask me to explain it further if you like./)

* Marc Chamberlin <marc@marcchamberlin.com> [01-13-23 18:56]:

On 1/11/23 13:04, Mark Petersen wrote:

...

An internet search via duck-duck-go for 'firewalld knockd' provides this link: https://rtmoran.org/port-knocking-with-knockd/

You could adapt the configuration to fit your use.

- You could check to see which backend (iptables,nftables) firewalld is using by checking /etc/firewalld/firewalld.conf

Mark

[...]

...

...

Marc..

P.S. to all who shared their opinion about my signature, think of it as art. Many artists break the rules, Picasso certainly comes to mind! So I too break a few rules when my artistic side shows up! 😉

[-- Error: unable to create PGP subprocess! --] you also refuse to trim your posts and are just generally (my opinion) inconsiderate. #plonk :0: * ^From:.*marc@marcchamberlin.com /dev/null -- (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri Photos: http://wahoo.no-ip.org/piwigo paka @ IRCnet oftc

On 11.01.2023 23:20, Marc Chamberlin wrote:

...

On 1/10/23 22:46, Andrei Borzenkov wrote:

...

On Wed, Jan 11, 2023 at 8:14 AM Marc Chamberlin <marc@marcchamberlin.com> wrote:

...

On 1/10/23 20:13, Andrei Borzenkov wrote:

...

On 10.01.2023 23:38, Marc Chamberlin wrote:

...

On 1/9/23 14:26, Carlos E. R. wrote: > On 2023-01-09 23:23, Marc Chamberlin wrote: >> Hi -  I am running an OpenSuSE 15.4 x64 using Firewalld with >> iptables >> as the backend. >> >> firewall-cmd -V >> 0.9.3 >> >> I also use Knockd and port knocks to open and close various >> ports on >> this system. (and yes I understand the drawbacks of using port >> knocking!) The trouble is, Firewalld is blocking the knocks and >> preventing the knockd.service daemon from hearing them. > Maybe just open the ports used for knocking? > Thanks Carlos for your reply, yeah I tried that already You forgot to show your firewalld configuration that you tried.

...

😁, no joy... 😭

Hi Andrei, I am not sure which firewalld configuration file you want me to show, You claimed you "tried to open ports". You show whatever you did to make firewalld to open ports.

...

   but I will take a stab at it and show /etc/firewalld/firewalld.conf  (without comments) Which has nothing to do with opening ports.

...

Let me know if you want to see the Zone file(s) or anything else. Again - you need to show what you did to open ports. Andrei - I am not sure how to show you what I did to open the ports, unless you want me to send you a bunch of screen capture photos.

Well, if this is the only way you can do it ... Andrei - The equivalent command line, for what I did to open the ports

On 1/11/23 20:34, Andrei Borzenkov wrote: that I knock on, is this - nova:/srv/firewall # firewall-cmd --add-port=xxxx/tcp --add-port=yyyy/tcp --add-port=zzzz/tcp --zone=internal success No matter whether I use the GUI or the command line, to open these ports I use to knock on, it makes no difference. The port knock daemon is not seeing the knocks that occur on these ports, and therefore not inserting a rule into the ip tables for actually opening the service port that I want it to do, when given the right knock sequence.

...

I used the firewall-config GUI, selected my internal zone, and then added the ports I knock on to the Ports section of the GUI. I also selected the TCP protocol because that is what my knock client is using to send the knocks to these ports. This did not work.

What is "internal zone"? Is it the literal name of firewalld zone? Is it colloquial name for some zone you use for internal interfaces? Do you have more than one zone? What zone is assigned to interface used to access you knockd?

The internal zone is a pre-configured zone that the firewall GUI (firewall-config) already knows about after it is installed. I assigned my NIC (eth0) that is connected to my internal private network, (192.168.10.0/24) to the internal zone.

...

If the knockd.service daemon had heard the knocks then it would have used the following command configuration to open that actual port for the service I am trying to access. For example, for SSH, I send the port knock sequence to the ports xxxx,yyyy,zzzz (obscured) and it is these same ports I tried to add to the firewall-config->internal->Ports

[SSH] sequence      = xxxx,yyyy,zzzz seq_timeout   = 15 tcpflags      = syn start_command = /usr/sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport 22 -j ACCEPT cmd_timeout   = 300 stop_command  = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

This has and does work on OpenSuSE 15.3 without the need to add the knock ports to firewall. It appears that firewalld has changed somehow in OpenSuSE 15.4 and is blocking the knockd.service daemon from hearing them.

Well, show full output of

iptables -L -n -v

OK, rather lengthy,  This shows the ports used by knockd for opening up my SSH port, obscured as xxxx, yyyy, zzzz to keep them private. nova:/srv/firewall # iptables -L -n -v Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target     prot opt in     out     source destination 6032  428K ACCEPT     all  --  *      *       0.0.0.0/0 0.0.0.0/0            ctstate RELATED,ESTABLISHED,DNAT 0     0 ACCEPT     all  --  lo     *       0.0.0.0/0 0.0.0.0/0 3067  228K INPUT_direct  all  --  *      * 0.0.0.0/0            0.0.0.0/0 3067  228K INPUT_POLICIES_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 3067  228K INPUT_ZONES  all  --  *      * 0.0.0.0/0            0.0.0.0/0 2044  160K INPUT_POLICIES_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 DROP       all  --  *      *       0.0.0.0/0 0.0.0.0/0            ctstate INVALID 2044  160K REJECT     all  --  *      *       0.0.0.0/0 0.0.0.0/0            reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target     prot opt in     out     source destination 0     0 ACCEPT     all  --  *      *       0.0.0.0/0 0.0.0.0/0            ctstate RELATED,ESTABLISHED,DNAT 0     0 ACCEPT     all  --  lo     *       0.0.0.0/0 0.0.0.0/0 27637 2717K FORWARD_direct  all  --  *      * 0.0.0.0/0            0.0.0.0/0 27637 2717K FORWARD_POLICIES_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 27637 2717K FORWARD_IN_ZONES  all  --  *      * 0.0.0.0/0            0.0.0.0/0 27637 2717K FORWARD_OUT_ZONES  all  --  *      * 0.0.0.0/0            0.0.0.0/0 27615 2710K FORWARD_POLICIES_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 130  8514 DROP       all  --  *      *       0.0.0.0/0 0.0.0.0/0            ctstate INVALID 27485 2702K REJECT     all  --  *      * 0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT 10768 packets, 2011K bytes) pkts bytes target     prot opt in     out     source destination 0     0 ACCEPT     all  --  *      lo      0.0.0.0/0 0.0.0.0/0 18659 5752K OUTPUT_direct  all  --  *      * 0.0.0.0/0            0.0.0.0/0 18659 5752K OUTPUT_POLICIES_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 18659 5752K OUTPUT_POLICIES_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 Chain FORWARD_IN_ZONES (1 references) pkts bytes target     prot opt in     out     source destination 0     0 FWDI_trusted  all  --  lo     *       0.0.0.0/0 0.0.0.0/0           [goto] 0     0 FWDI_internal  all  --  eth0   * 0.0.0.0/0            0.0.0.0/0           [goto] 0     0 FWDI_external  all  --  eth1   * 0.0.0.0/0            0.0.0.0/0           [goto] 0     0 FWDI_docker  all  --  docker0 *       0.0.0.0/0 0.0.0.0/0           [goto] 27637 2717K FWDI_cameras  all  --  eth3   * 0.0.0.0/0            0.0.0.0/0           [goto] 0     0 FWDI_block  all  --  eth2   *       0.0.0.0/0 0.0.0.0/0           [goto] 0     0 FWDI_public  all  --  +      *       0.0.0.0/0 0.0.0.0/0           [goto] Chain FORWARD_OUT_ZONES (1 references) pkts bytes target     prot opt in     out     source destination 0     0 FWDO_trusted  all  --  *      lo      0.0.0.0/0 0.0.0.0/0           [goto] 10839 1567K FWDO_internal  all  --  *      eth0 0.0.0.0/0            0.0.0.0/0           [goto] 16651 1135K FWDO_external  all  --  *      eth1 0.0.0.0/0            0.0.0.0/0           [goto] 0     0 FWDO_docker  all  --  *      docker0  0.0.0.0/0 0.0.0.0/0           [goto] 147 14584 FWDO_cameras  all  --  *      eth3 0.0.0.0/0            0.0.0.0/0           [goto] 0     0 FWDO_block  all  --  *      eth2    0.0.0.0/0 0.0.0.0/0           [goto] 0     0 FWDO_public  all  --  *      +       0.0.0.0/0 0.0.0.0/0           [goto] Chain FORWARD_POLICIES_post (1 references) pkts bytes target     prot opt in     out     source destination Chain FORWARD_POLICIES_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain FORWARD_direct (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDI_block (1 references) pkts bytes target     prot opt in     out     source destination 0     0 FWDI_block_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDI_block_log  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDI_block_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDI_block_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDI_block_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 REJECT     all  --  *      *       0.0.0.0/0 0.0.0.0/0            reject-with icmp-host-prohibited Chain FWDI_block_allow (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDI_block_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDI_block_log (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDI_block_post (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDI_block_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDI_cameras (1 references) pkts bytes target     prot opt in     out     source destination 27637 2717K FWDI_cameras_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 27637 2717K FWDI_cameras_log  all  --  *      * 0.0.0.0/0            0.0.0.0/0 27637 2717K FWDI_cameras_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 27637 2717K FWDI_cameras_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 27637 2717K FWDI_cameras_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 ACCEPT     icmp --  *      *       0.0.0.0/0 0.0.0.0/0 Chain FWDI_cameras_allow (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDI_cameras_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDI_cameras_log (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDI_cameras_post (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDI_cameras_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDI_docker (1 references) pkts bytes target     prot opt in     out     source destination 0     0 FWDI_docker_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDI_docker_log  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDI_docker_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDI_docker_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDI_docker_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 ACCEPT     all  --  *      *       0.0.0.0/0 0.0.0.0/0 Chain FWDI_docker_allow (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDI_docker_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDI_docker_log (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDI_docker_post (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDI_docker_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDI_external (1 references) pkts bytes target     prot opt in     out     source destination 0     0 FWDI_external_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDI_external_log  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDI_external_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDI_external_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDI_external_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 ACCEPT     icmp --  *      *       0.0.0.0/0 0.0.0.0/0 Chain FWDI_external_allow (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDI_external_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDI_external_log (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDI_external_post (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDI_external_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDI_internal (1 references) pkts bytes target     prot opt in     out     source destination 0     0 FWDI_internal_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDI_internal_log  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDI_internal_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDI_internal_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDI_internal_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 ACCEPT     icmp --  *      *       0.0.0.0/0 0.0.0.0/0 Chain FWDI_internal_allow (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDI_internal_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDI_internal_log (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDI_internal_post (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDI_internal_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDI_public (1 references) pkts bytes target     prot opt in     out     source destination 0     0 FWDI_public_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDI_public_log  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDI_public_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDI_public_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDI_public_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 ACCEPT     icmp --  *      *       0.0.0.0/0 0.0.0.0/0 Chain FWDI_public_allow (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDI_public_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDI_public_log (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDI_public_post (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDI_public_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDI_trusted (1 references) pkts bytes target     prot opt in     out     source destination 0     0 FWDI_trusted_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDI_trusted_log  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDI_trusted_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDI_trusted_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDI_trusted_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 ACCEPT     all  --  *      *       0.0.0.0/0 0.0.0.0/0 Chain FWDI_trusted_allow (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDI_trusted_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDI_trusted_log (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDI_trusted_post (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDI_trusted_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDO_block (1 references) pkts bytes target     prot opt in     out     source destination 0     0 FWDO_block_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDO_block_log  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDO_block_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDO_block_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDO_block_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 REJECT     all  --  *      *       0.0.0.0/0 0.0.0.0/0            reject-with icmp-host-prohibited Chain FWDO_block_allow (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDO_block_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDO_block_log (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDO_block_post (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDO_block_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDO_cameras (1 references) pkts bytes target     prot opt in     out     source destination 147 14584 FWDO_cameras_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 147 14584 FWDO_cameras_log  all  --  *      * 0.0.0.0/0            0.0.0.0/0 147 14584 FWDO_cameras_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 147 14584 FWDO_cameras_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 125  7500 FWDO_cameras_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 Chain FWDO_cameras_allow (1 references) pkts bytes target     prot opt in     out     source destination 22  7084 ACCEPT     all  --  *      *       0.0.0.0/0 0.0.0.0/0            ctstate NEW,UNTRACKED Chain FWDO_cameras_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDO_cameras_log (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDO_cameras_post (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDO_cameras_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDO_docker (1 references) pkts bytes target     prot opt in     out     source destination 0     0 FWDO_docker_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDO_docker_log  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDO_docker_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDO_docker_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDO_docker_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 ACCEPT     all  --  *      *       0.0.0.0/0 0.0.0.0/0 Chain FWDO_docker_allow (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDO_docker_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDO_docker_log (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDO_docker_post (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDO_docker_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDO_external (1 references) pkts bytes target     prot opt in     out     source destination 16651 1135K FWDO_external_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 16651 1135K FWDO_external_log  all  --  *      * 0.0.0.0/0            0.0.0.0/0 16651 1135K FWDO_external_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 16651 1135K FWDO_external_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 16651 1135K FWDO_external_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 Chain FWDO_external_allow (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDO_external_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDO_external_log (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDO_external_post (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDO_external_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDO_internal (1 references) pkts bytes target     prot opt in     out     source destination 10839 1567K FWDO_internal_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 10839 1567K FWDO_internal_log  all  --  *      * 0.0.0.0/0            0.0.0.0/0 10839 1567K FWDO_internal_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 10839 1567K FWDO_internal_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 10839 1567K FWDO_internal_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 Chain FWDO_internal_allow (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDO_internal_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDO_internal_log (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDO_internal_post (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDO_internal_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDO_public (1 references) pkts bytes target     prot opt in     out     source destination 0     0 FWDO_public_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDO_public_log  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDO_public_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDO_public_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDO_public_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 Chain FWDO_public_allow (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDO_public_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDO_public_log (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDO_public_post (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDO_public_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDO_trusted (1 references) pkts bytes target     prot opt in     out     source destination 0     0 FWDO_trusted_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDO_trusted_log  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDO_trusted_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDO_trusted_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 FWDO_trusted_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 ACCEPT     all  --  *      *       0.0.0.0/0 0.0.0.0/0 Chain FWDO_trusted_allow (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDO_trusted_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDO_trusted_log (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDO_trusted_post (1 references) pkts bytes target     prot opt in     out     source destination Chain FWDO_trusted_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain INPUT_POLICIES_post (1 references) pkts bytes target     prot opt in     out     source destination Chain INPUT_POLICIES_pre (1 references) pkts bytes target     prot opt in     out     source destination 3067  228K IN_allow-host-ipv6  all  --  *      * 0.0.0.0/0            0.0.0.0/0 Chain INPUT_ZONES (1 references) pkts bytes target     prot opt in     out     source destination 0     0 IN_trusted  all  --  lo     *       0.0.0.0/0 0.0.0.0/0           [goto] 923 70422 IN_internal  all  --  eth0   * 0.0.0.0/0            0.0.0.0/0           [goto] 1998  120K IN_external  all  --  eth1   * 0.0.0.0/0            0.0.0.0/0           [goto] 0     0 IN_docker  all  --  docker0 *       0.0.0.0/0 0.0.0.0/0           [goto] 146 38020 IN_cameras  all  --  eth3   *       0.0.0.0/0 0.0.0.0/0           [goto] 0     0 IN_block   all  --  eth2   *       0.0.0.0/0 0.0.0.0/0           [goto] 0     0 IN_public  all  --  +      *       0.0.0.0/0 0.0.0.0/0           [goto] Chain INPUT_direct (1 references) pkts bytes target     prot opt in     out     source destination Chain IN_allow-host-ipv6 (1 references) pkts bytes target     prot opt in     out     source destination 3067  228K IN_allow-host-ipv6_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 3067  228K IN_allow-host-ipv6_log  all  --  *      * 0.0.0.0/0            0.0.0.0/0 3067  228K IN_allow-host-ipv6_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 3067  228K IN_allow-host-ipv6_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 3067  228K IN_allow-host-ipv6_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 Chain IN_allow-host-ipv6_allow (1 references) pkts bytes target     prot opt in     out     source destination Chain IN_allow-host-ipv6_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain IN_allow-host-ipv6_log (1 references) pkts bytes target     prot opt in     out     source destination Chain IN_allow-host-ipv6_post (1 references) pkts bytes target     prot opt in     out     source destination Chain IN_allow-host-ipv6_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain IN_block (1 references) pkts bytes target     prot opt in     out     source destination 0     0 IN_block_pre  all  --  *      *       0.0.0.0/0 0.0.0.0/0 0     0 IN_block_log  all  --  *      *       0.0.0.0/0 0.0.0.0/0 0     0 IN_block_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 IN_block_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 IN_block_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 REJECT     all  --  *      *       0.0.0.0/0 0.0.0.0/0            reject-with icmp-host-prohibited Chain IN_block_allow (1 references) pkts bytes target     prot opt in     out     source destination Chain IN_block_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain IN_block_log (1 references) pkts bytes target     prot opt in     out     source destination Chain IN_block_post (1 references) pkts bytes target     prot opt in     out     source destination Chain IN_block_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain IN_cameras (1 references) pkts bytes target     prot opt in     out     source destination 146 38020 IN_cameras_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 146 38020 IN_cameras_log  all  --  *      * 0.0.0.0/0            0.0.0.0/0 146 38020 IN_cameras_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 146 38020 IN_cameras_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 66 19462 IN_cameras_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 ACCEPT     icmp --  *      *       0.0.0.0/0 0.0.0.0/0 Chain IN_cameras_allow (1 references) pkts bytes target     prot opt in     out     source destination 47 14595 ACCEPT     udp  --  *      *       0.0.0.0/0 0.0.0.0/0            udp dpt:67 ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:80 ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:443 ctstate NEW,UNTRACKED 20  1560 ACCEPT     udp  --  *      *       0.0.0.0/0 0.0.0.0/0            udp dpt:137 ctstate NEW,UNTRACKED 9  2163 ACCEPT     udp  --  *      *       0.0.0.0/0 0.0.0.0/0            udp dpt:138 ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:25 ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:465 ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:587 ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:80 ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:443 ctstate NEW,UNTRACKED 4   240 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:111 ctstate NEW,UNTRACKED 0     0 ACCEPT     udp  --  *      *       0.0.0.0/0 0.0.0.0/0            udp dpt:111 ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:2049 ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:2049 ctstate NEW,UNTRACKED 0     0 ACCEPT     udp  --  *      *       0.0.0.0/0 0.0.0.0/0            udp dpt:2049 ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:554 ctstate NEW,UNTRACKED 0     0 ACCEPT     udp  --  *      *       0.0.0.0/0 0.0.0.0/0            udp dpt:554 ctstate NEW,UNTRACKED Chain IN_cameras_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain IN_cameras_log (1 references) pkts bytes target     prot opt in     out     source destination Chain IN_cameras_post (1 references) pkts bytes target     prot opt in     out     source destination Chain IN_cameras_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain IN_docker (1 references) pkts bytes target     prot opt in     out     source destination 0     0 IN_docker_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 IN_docker_log  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 IN_docker_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 IN_docker_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 IN_docker_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 ACCEPT     all  --  *      *       0.0.0.0/0 0.0.0.0/0 Chain IN_docker_allow (1 references) pkts bytes target     prot opt in     out     source destination Chain IN_docker_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain IN_docker_log (1 references) pkts bytes target     prot opt in     out     source destination Chain IN_docker_post (1 references) pkts bytes target     prot opt in     out     source destination Chain IN_docker_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain IN_external (1 references) pkts bytes target     prot opt in     out     source destination 1998  120K IN_external_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 1998  120K IN_external_log  all  --  *      * 0.0.0.0/0            0.0.0.0/0 1998  120K IN_external_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 1998  120K IN_external_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 1994  120K IN_external_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 790 32564 ACCEPT     icmp --  *      *       0.0.0.0/0 0.0.0.0/0 Chain IN_external_allow (1 references) pkts bytes target     prot opt in     out     source destination 1    40 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:80 ctstate NEW,UNTRACKED 2    80 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:443 ctstate NEW,UNTRACKED 1    40 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:25 ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:465 ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:587 ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:8081 ctstate NEW,UNTRACKED Chain IN_external_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain IN_external_log (1 references) pkts bytes target     prot opt in     out     source destination Chain IN_external_post (1 references) pkts bytes target     prot opt in     out     source destination Chain IN_external_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain IN_internal (1 references) pkts bytes target     prot opt in     out     source destination 923 70422 IN_internal_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 923 70422 IN_internal_log  all  --  *      * 0.0.0.0/0            0.0.0.0/0 923 70422 IN_internal_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 923 70422 IN_internal_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 774 53025 IN_internal_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 ACCEPT     icmp --  *      *       0.0.0.0/0 0.0.0.0/0 Chain IN_internal_allow (1 references) pkts bytes target     prot opt in     out     source destination 110  8580 ACCEPT     udp  --  *      *       0.0.0.0/0 0.0.0.0/0            udp dpt:137 ctstate NEW,UNTRACKED 39  8817 ACCEPT     udp  --  *      *       0.0.0.0/0 0.0.0.0/0            udp dpt:138 ctstate NEW,UNTRACKED 0     0 ACCEPT     udp  --  *      *       0.0.0.0/0 0.0.0.0/0            udp dpt:137 ctstate NEW,UNTRACKED 0     0 ACCEPT     udp  --  *      *       0.0.0.0/0 0.0.0.0/0            udp dpt:138 ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:139 ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:445 ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:80 ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:443 ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:25 ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:465 ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:587 ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:9102 ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:427 ctstate NEW,UNTRACKED 0     0 ACCEPT     udp  --  *      *       0.0.0.0/0 0.0.0.0/0            udp dpt:427 ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:2049 ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:2049 ctstate NEW,UNTRACKED 0     0 ACCEPT     udp  --  *      *       0.0.0.0/0 0.0.0.0/0            udp dpt:2049 ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:111 ctstate NEW,UNTRACKED 0     0 ACCEPT     udp  --  *      *       0.0.0.0/0 0.0.0.0/0            udp dpt:111 ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:80 ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:443 ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpts:1714:1764 ctstate NEW,UNTRACKED 0     0 ACCEPT     udp  --  *      *       0.0.0.0/0 0.0.0.0/0            udp dpts:1714:1764 ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:554 ctstate NEW,UNTRACKED 0     0 ACCEPT     udp  --  *      *       0.0.0.0/0 0.0.0.0/0            udp dpt:554 ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:3052 ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:8081 ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:xxxx ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:yyyy ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:zzzz ctstate NEW,UNTRACKED Chain IN_internal_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain IN_internal_log (1 references) pkts bytes target     prot opt in     out     source destination Chain IN_internal_post (1 references) pkts bytes target     prot opt in     out     source destination Chain IN_internal_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain IN_public (1 references) pkts bytes target     prot opt in     out     source destination 0     0 IN_public_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 IN_public_log  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 IN_public_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 IN_public_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 IN_public_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 ACCEPT     icmp --  *      *       0.0.0.0/0 0.0.0.0/0 Chain IN_public_allow (1 references) pkts bytes target     prot opt in     out     source destination 0     0 ACCEPT     udp  --  *      *       0.0.0.0/0 0.0.0.0/0            udp dpt:161 ctstate NEW,UNTRACKED 0     0 ACCEPT     udp  --  *      *       0.0.0.0/0 0.0.0.0/0            udp dpt:162 ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:3052 ctstate NEW,UNTRACKED 0     0 ACCEPT     udp  --  *      *       0.0.0.0/0 0.0.0.0/0            udp dpt:3052 ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:53568 ctstate NEW,UNTRACKED 0     0 ACCEPT     udp  --  *      *       0.0.0.0/0 0.0.0.0/0            udp dpt:53566 ctstate NEW,UNTRACKED Chain IN_public_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain IN_public_log (1 references) pkts bytes target     prot opt in     out     source destination Chain IN_public_post (1 references) pkts bytes target     prot opt in     out     source destination Chain IN_public_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain IN_trusted (1 references) pkts bytes target     prot opt in     out     source destination 0     0 IN_trusted_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 IN_trusted_log  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 IN_trusted_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 IN_trusted_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 IN_trusted_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 ACCEPT     all  --  *      *       0.0.0.0/0 0.0.0.0/0 Chain IN_trusted_allow (1 references) pkts bytes target     prot opt in     out     source destination 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:9102 ctstate NEW,UNTRACKED 0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            tcp dpt:3052 ctstate NEW,UNTRACKED Chain IN_trusted_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain IN_trusted_log (1 references) pkts bytes target     prot opt in     out     source destination Chain IN_trusted_post (1 references) pkts bytes target     prot opt in     out     source destination Chain IN_trusted_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain OUTPUT_POLICIES_post (1 references) pkts bytes target     prot opt in     out     source destination Chain OUTPUT_POLICIES_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain OUTPUT_direct (1 references) pkts bytes target     prot opt in     out     source destination

iptables -t nat -L -n -v

nova:/srv/firewall # iptables -t nat -L -n -v Chain PREROUTING (policy ACCEPT 47108 packets, 4509K bytes) pkts bytes target     prot opt in     out     source destination 47108 4509K PREROUTING_direct  all  --  *      * 0.0.0.0/0            0.0.0.0/0 47108 4509K PREROUTING_POLICIES_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 47108 4509K PREROUTING_ZONES  all  --  *      * 0.0.0.0/0            0.0.0.0/0 47108 4509K PREROUTING_POLICIES_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 Chain INPUT (policy ACCEPT 1186 packets, 64587 bytes) pkts bytes target     prot opt in     out     source destination Chain OUTPUT (policy ACCEPT 2330 packets, 150K bytes) pkts bytes target     prot opt in     out     source destination 2330  150K OUTPUT_direct  all  --  *      * 0.0.0.0/0            0.0.0.0/0 Chain POSTROUTING (policy ACCEPT 2311 packets, 147K bytes) pkts bytes target     prot opt in     out     source destination 2341  153K POSTROUTING_direct  all  --  *      * 0.0.0.0/0            0.0.0.0/0 2341  153K POSTROUTING_POLICIES_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 2341  153K POSTROUTING_ZONES  all  --  *      * 0.0.0.0/0            0.0.0.0/0 2311  147K POSTROUTING_POLICIES_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 Chain OUTPUT_direct (1 references) pkts bytes target     prot opt in     out     source destination Chain POSTROUTING_POLICIES_post (1 references) pkts bytes target     prot opt in     out     source destination Chain POSTROUTING_POLICIES_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain POSTROUTING_ZONES (1 references) pkts bytes target     prot opt in     out     source destination 1    60 POST_trusted  all  --  *      lo      0.0.0.0/0 0.0.0.0/0           [goto] 381 28940 POST_internal  all  --  *      eth0 0.0.0.0/0            0.0.0.0/0           [goto] 1929  118K POST_external  all  --  *      eth1 0.0.0.0/0            0.0.0.0/0           [goto] 0     0 POST_docker  all  --  *      docker0  0.0.0.0/0 0.0.0.0/0           [goto] 30  6883 POST_cameras  all  --  *      eth3 0.0.0.0/0            0.0.0.0/0           [goto] 0     0 POST_block  all  --  *      eth2    0.0.0.0/0 0.0.0.0/0           [goto] 0     0 POST_public  all  --  *      +       0.0.0.0/0 0.0.0.0/0           [goto] Chain POSTROUTING_direct (1 references) pkts bytes target     prot opt in     out     source destination Chain POST_block (1 references) pkts bytes target     prot opt in     out     source destination 0     0 POST_block_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 POST_block_log  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 POST_block_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 POST_block_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 POST_block_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 Chain POST_block_allow (1 references) pkts bytes target     prot opt in     out     source destination Chain POST_block_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain POST_block_log (1 references) pkts bytes target     prot opt in     out     source destination Chain POST_block_post (1 references) pkts bytes target     prot opt in     out     source destination Chain POST_block_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain POST_cameras (1 references) pkts bytes target     prot opt in     out     source destination 30  6883 POST_cameras_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 30  6883 POST_cameras_log  all  --  *      * 0.0.0.0/0            0.0.0.0/0 30  6883 POST_cameras_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 30  6883 POST_cameras_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 POST_cameras_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 Chain POST_cameras_allow (1 references) pkts bytes target     prot opt in     out     source destination 30  6883 MASQUERADE  all  --  *      !lo     0.0.0.0/0 0.0.0.0/0 Chain POST_cameras_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain POST_cameras_log (1 references) pkts bytes target     prot opt in     out     source destination Chain POST_cameras_post (1 references) pkts bytes target     prot opt in     out     source destination Chain POST_cameras_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain POST_docker (1 references) pkts bytes target     prot opt in     out     source destination 0     0 POST_docker_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 POST_docker_log  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 POST_docker_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 POST_docker_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 POST_docker_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 Chain POST_docker_allow (1 references) pkts bytes target     prot opt in     out     source destination Chain POST_docker_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain POST_docker_log (1 references) pkts bytes target     prot opt in     out     source destination Chain POST_docker_post (1 references) pkts bytes target     prot opt in     out     source destination Chain POST_docker_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain POST_external (1 references) pkts bytes target     prot opt in     out     source destination 1929  118K POST_external_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 1929  118K POST_external_log  all  --  *      * 0.0.0.0/0            0.0.0.0/0 1929  118K POST_external_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 1929  118K POST_external_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 1929  118K POST_external_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 Chain POST_external_allow (1 references) pkts bytes target     prot opt in     out     source destination Chain POST_external_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain POST_external_log (1 references) pkts bytes target     prot opt in     out     source destination Chain POST_external_post (1 references) pkts bytes target     prot opt in     out     source destination Chain POST_external_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain POST_internal (1 references) pkts bytes target     prot opt in     out     source destination 381 28940 POST_internal_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 381 28940 POST_internal_log  all  --  *      * 0.0.0.0/0            0.0.0.0/0 381 28940 POST_internal_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 381 28940 POST_internal_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 381 28940 POST_internal_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 Chain POST_internal_allow (1 references) pkts bytes target     prot opt in     out     source destination Chain POST_internal_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain POST_internal_log (1 references) pkts bytes target     prot opt in     out     source destination Chain POST_internal_post (1 references) pkts bytes target     prot opt in     out     source destination Chain POST_internal_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain POST_public (1 references) pkts bytes target     prot opt in     out     source destination 0     0 POST_public_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 POST_public_log  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 POST_public_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 POST_public_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 POST_public_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 Chain POST_public_allow (1 references) pkts bytes target     prot opt in     out     source destination Chain POST_public_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain POST_public_log (1 references) pkts bytes target     prot opt in     out     source destination Chain POST_public_post (1 references) pkts bytes target     prot opt in     out     source destination Chain POST_public_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain POST_trusted (1 references) pkts bytes target     prot opt in     out     source destination 1    60 POST_trusted_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 1    60 POST_trusted_log  all  --  *      * 0.0.0.0/0            0.0.0.0/0 1    60 POST_trusted_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 1    60 POST_trusted_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 1    60 POST_trusted_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 Chain POST_trusted_allow (1 references) pkts bytes target     prot opt in     out     source destination Chain POST_trusted_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain POST_trusted_log (1 references) pkts bytes target     prot opt in     out     source destination Chain POST_trusted_post (1 references) pkts bytes target     prot opt in     out     source destination Chain POST_trusted_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain PREROUTING_POLICIES_post (1 references) pkts bytes target     prot opt in     out     source destination Chain PREROUTING_POLICIES_pre (1 references) pkts bytes target     prot opt in     out     source destination 47108 4509K PRE_allow-host-ipv6  all  --  *      * 0.0.0.0/0            0.0.0.0/0 Chain PREROUTING_ZONES (1 references) pkts bytes target     prot opt in     out     source destination 0     0 PRE_trusted  all  --  lo     *       0.0.0.0/0 0.0.0.0/0           [goto] 1276 94146 PRE_internal  all  --  eth0   * 0.0.0.0/0            0.0.0.0/0           [goto] 2728  161K PRE_external  all  --  eth1   * 0.0.0.0/0            0.0.0.0/0           [goto] 0     0 PRE_docker  all  --  docker0 *       0.0.0.0/0 0.0.0.0/0           [goto] 43104 4253K PRE_cameras  all  --  eth3   * 0.0.0.0/0            0.0.0.0/0           [goto] 0     0 PRE_block  all  --  eth2   *       0.0.0.0/0 0.0.0.0/0           [goto] 0     0 PRE_public  all  --  +      *       0.0.0.0/0 0.0.0.0/0           [goto] Chain PREROUTING_direct (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_allow-host-ipv6 (1 references) pkts bytes target     prot opt in     out     source destination 47108 4509K PRE_allow-host-ipv6_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 47108 4509K PRE_allow-host-ipv6_log  all  --  *      * 0.0.0.0/0            0.0.0.0/0 47108 4509K PRE_allow-host-ipv6_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 47108 4509K PRE_allow-host-ipv6_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 47108 4509K PRE_allow-host-ipv6_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 Chain PRE_allow-host-ipv6_allow (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_allow-host-ipv6_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_allow-host-ipv6_log (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_allow-host-ipv6_post (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_allow-host-ipv6_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_block (1 references) pkts bytes target     prot opt in     out     source destination 0     0 PRE_block_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 PRE_block_log  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 PRE_block_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 PRE_block_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 PRE_block_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 Chain PRE_block_allow (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_block_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_block_log (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_block_post (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_block_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_cameras (1 references) pkts bytes target     prot opt in     out     source destination 43104 4253K PRE_cameras_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 43104 4253K PRE_cameras_log  all  --  *      * 0.0.0.0/0            0.0.0.0/0 43104 4253K PRE_cameras_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 43104 4253K PRE_cameras_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 43104 4253K PRE_cameras_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 Chain PRE_cameras_allow (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_cameras_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_cameras_log (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_cameras_post (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_cameras_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_docker (1 references) pkts bytes target     prot opt in     out     source destination 0     0 PRE_docker_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 PRE_docker_log  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 PRE_docker_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 PRE_docker_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 PRE_docker_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 Chain PRE_docker_allow (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_docker_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_docker_log (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_docker_post (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_docker_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_external (1 references) pkts bytes target     prot opt in     out     source destination 2728  161K PRE_external_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 2728  161K PRE_external_log  all  --  *      * 0.0.0.0/0            0.0.0.0/0 2728  161K PRE_external_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 2728  161K PRE_external_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 2728  161K PRE_external_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 Chain PRE_external_allow (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_external_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_external_log (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_external_post (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_external_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_internal (1 references) pkts bytes target     prot opt in     out     source destination 1276 94146 PRE_internal_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 1276 94146 PRE_internal_log  all  --  *      * 0.0.0.0/0            0.0.0.0/0 1276 94146 PRE_internal_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 1276 94146 PRE_internal_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 1276 94146 PRE_internal_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 Chain PRE_internal_allow (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_internal_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_internal_log (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_internal_post (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_internal_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_public (1 references) pkts bytes target     prot opt in     out     source destination 0     0 PRE_public_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 PRE_public_log  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 PRE_public_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 PRE_public_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 PRE_public_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 Chain PRE_public_allow (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_public_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_public_log (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_public_post (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_public_pre (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_trusted (1 references) pkts bytes target     prot opt in     out     source destination 0     0 PRE_trusted_pre  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 PRE_trusted_log  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 PRE_trusted_deny  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 PRE_trusted_allow  all  --  *      * 0.0.0.0/0            0.0.0.0/0 0     0 PRE_trusted_post  all  --  *      * 0.0.0.0/0            0.0.0.0/0 Chain PRE_trusted_allow (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_trusted_deny (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_trusted_log (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_trusted_post (1 references) pkts bytes target     prot opt in     out     source destination Chain PRE_trusted_pre (1 references) pkts bytes target     prot opt in     out     source destination

nft list ruleset

No output was produced.

and explain what exact port is supposed to be opened

If/when the knockd.service daemon hears the knocks, in the correct order, it inserts a rule into the iptables to open port 22 (ssh). Here is the content of the knockd.conf configuration file - marc@nova:/srv/knockd/etc> more knockd.conf [options] logfile = /var/log/knockd.log interface = eth0 [SSH] sequence      = xxxx,yyyy,zzzz seq_timeout   = 15 tcpflags      = syn start_command = /usr/sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport 22 -j ACCEPT cmd_timeout   = 300 stop_command  = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

...

Something unexpected is happening, it also appears that firewalld.service itself is not hearing the knocks. I added the

I do not understand what "firewalld.service is not hearing the knocks" means.

It means what I said below in the next paragraph. There is no recognition, or messages in the firewalld.log file reporting that a link level connection attempt was made on any of the ports that the knockd.service daemon is looking for knocks on.

...

firewalld debug argument to the list of arguments sent to the firewalld app, and monitored the output to the firewalld log file. No messages about the knocks are reported to the log file!

I have been using tcpdump to try an see what is going on at the link level, when I send knocks from my laptop to the system I have having troubles with. It is showing me something surprising/interesting/unexpected. I send the knocks to eth0 on the target system but tcpdump does not show the knocks when I set it up to monitor just eth0. # tcpdump -i eth0 'src 192.168.10.10 and portrange xxxx-zzzz and tcp' -nn tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes ^C 0 packets captured 0 packets received by filter 0 packets dropped by kernel I then set up tcpdump to monitor all interfaces for incoming knocks and  I got a surprise, tcpdump showed me that the knocks were being heard on eth1, not eth0 like I expected! eth0 is assigned the address of 192.168.10.20 and used for my internal firewall zone, eth1 is assigned the address of 192.168.10.21, assigned to my external firewall zone, and is for something I plan for in the future but not using it at the moment. Nevertheless, when I monitor eth1 with tcpdump, send the knocks, I get this - tcpdump -i eth1 'src 192.168.10.10 and portrange xxxx-zzzz and tcp' -nn tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on eth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes 10:54:22.992496 IP 192.168.10.10.51646 > 192.168.10.20.xxxx: Flags [S], seq 767482099, win 64240, options [mss 1460,sackOK,TS val 3057886337 ecr 0,nop,wscale 7], length 0 10:54:24.008921 IP 192.168.10.10.50170 > 192.168.10.20.yyyy: Flags [S], seq 3733321455, win 64240, options [mss 1460,sackOK,TS val 3057887354 ecr 0,nop,wscale 7], length 0 10:54:25.023226 IP 192.168.10.10.42834 > 192.168.10.20.zzzz: Flags [S], seq 2867229806, win 64240, options [mss 1460,sackOK,TS val 3057888368 ecr 0,nop,wscale 7], length 0 ^C 3 packets captured 3 packets received by filter 0 packets dropped by kernel So the knocks did show up, but on the wrong interface. Both tcpdump and my own double checking of the knocks being sent from my laptop, show that the knocks are being sent to 192.168.10.20. Why they are showing up on 192.168.10.21 is beyond my ability to grok, but both of these interfaces are handled by a dual NIC card, so I am now thinking there is something wrong with this card. It is a dual port RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller card. If anyone wants to know the particulars about the card, I can send a link to Amazon for the one I purchased. Using YaST I disabled eth1 for now and that seems to have done the trick, but I won't know for certain until I have done more testing. That will not be a long term solution but buying another NIC will be the permanent solution.

...

     Marc..

P.S. I tried to format my response with both fixed and variable width fonts to make it easier to read. Dunno if it will survive the transition to the list server, if not, can't say I didn't try....

On 2023-01-15 09:23, Andrei Borzenkov wrote:

On 15.01.2023 08:26, Marc Chamberlin wrote: ...

...

...

...

If the knockd.service daemon had heard the knocks then it would have used the following command configuration to open that actual port for the service I am trying to access. For example, for SSH, I send the port knock sequence to the ports xxxx,yyyy,zzzz (obscured) and it is these

Well, as you preferred to hide ports that you really need to open, the whole copious output of current netfilter configuration becomes entirely useless as we do not even know what to check it for.

It is easy to see them: 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:xxxx ctstate NEW,UNTRACKED 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:yyyy ctstate NEW,UNTRACKED 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:zzzz ctstate NEW,UNTRACKED :-) -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)

On 2023-01-15 06:26, Marc Chamberlin wrote:

On 1/11/23 20:34, Andrei Borzenkov wrote:

...

I then set up tcpdump to monitor all interfaces for incoming knocks and I got a surprise, tcpdump showed me that the knocks were being heard on eth1, not eth0 like I expected! eth0 is assigned the address of 192.168.10.20 and used for my internal firewall zone, eth1 is assigned the address of 192.168.10.21, assigned to my external firewall zone, and is for something I plan for in the future but not using it at the moment. Nevertheless, when I monitor eth1 with tcpdump, send the knocks,

I am afraid you can not set two zones yet use IPs that are on the same zone. Maybe if you define subzones.

P.S. I tried to format my response with both fixed and variable width fonts to make it easier to read. Dunno if it will survive the transition to the list server, if not, can't say I didn't try....

Only if you use html mail, and html is frowned upon by many list users here. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)