refactor socks redirection firewall rules
Closed, ResolvedPublic
Actions

Description

As mentioned in T462, Whonix's socks redirection firewall rules size should be shrinked. Same rules. Less script code.

Code in question:

We can do firewall refactoring with virtually zero risk of changing actual rules by adhering the following instructions:
https://www.whonix.org/wiki/Dev/Firewall_Refactoring

Details

Impact: Normal

Related Objects

Mentioned Here: T462: Gateway PREROUTING rules for SOCKS ports may interfere with trans port traffic

Event Timeline

Patrick created this task.Jan 10 2016, 4:45 PM

Patrick raised the priority of this task from to Normal.

Patrick updated the task description. (Show Details)

Patrick added projects: Whonix, whonix-gw-firewall, Whonix 13, refactoring.

Patrick set Impact to Normal.

Patrick added subscribers: nrgaway, marmarek, HulaHoop and 3 others.

https://github.com/Whonix/whonix-gw-firewall/commit/e6ed118ede2bd012f5b869cd4b864262472aa9a9

https://github.com/Whonix/whonix-gw-firewall/commit/14c6e5ad3c37022be1acaa19cc327969d46aef27

https://github.com/Whonix/whonix-gw-firewall/commit/14c6e5ad3c37022be1acaa19cc327969d46aef27#commitcomment-15395031

https://github.com/Whonix/whonix-gw-firewall/commit/7ef15d52e4d61a80f82df0e02b0b3f3ba21c942d

Whonix 13. iptables-save-deterministic

*mangle
:PREROUTING ACCEPT [0,0]
:INPUT ACCEPT [0,0]
:FORWARD ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:POSTROUTING ACCEPT [0,0]
COMMIT
*nat
:PREROUTING ACCEPT [0,0]
:INPUT ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:POSTROUTING ACCEPT [0,0]
:PR-QBS-SERVICES - [0,0]
-A PREROUTING -j PR-QBS-SERVICES
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9052 -j REDIRECT --to-ports 9052
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9124 -j REDIRECT --to-ports 9124
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9104 -j REDIRECT --to-ports 9104
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9111 -j REDIRECT --to-ports 9111
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9117 -j REDIRECT --to-ports 9117
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9107 -j REDIRECT --to-ports 9107
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9123 -j REDIRECT --to-ports 9123
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9105 -j REDIRECT --to-ports 9105
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9103 -j REDIRECT --to-ports 9103
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9101 -j REDIRECT --to-ports 9101
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9122 -j REDIRECT --to-ports 9122
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9121 -j REDIRECT --to-ports 9121
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9120 -j REDIRECT --to-ports 9120
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9113 -j REDIRECT --to-ports 9113
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9112 -j REDIRECT --to-ports 9112
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9118 -j REDIRECT --to-ports 9118
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9108 -j REDIRECT --to-ports 9108
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9106 -j REDIRECT --to-ports 9106
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9100 -j REDIRECT --to-ports 9100
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9150 -j REDIRECT --to-ports 9150
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9115 -j REDIRECT --to-ports 9115
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9116 -j REDIRECT --to-ports 9116
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9102 -j REDIRECT --to-ports 9102
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9119 -j REDIRECT --to-ports 9119
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9050 -j REDIRECT --to-ports 9050
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9109 -j REDIRECT --to-ports 9109
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9110 -j REDIRECT --to-ports 9110
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9114 -j REDIRECT --to-ports 9114
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9125 -j REDIRECT --to-ports 9125
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9152 -j REDIRECT --to-ports 9152
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9153 -j REDIRECT --to-ports 9153
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9154 -j REDIRECT --to-ports 9154
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9155 -j REDIRECT --to-ports 9155
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9156 -j REDIRECT --to-ports 9156
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9157 -j REDIRECT --to-ports 9157
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9158 -j REDIRECT --to-ports 9158
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9159 -j REDIRECT --to-ports 9159
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9160 -j REDIRECT --to-ports 9160
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9161 -j REDIRECT --to-ports 9161
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9162 -j REDIRECT --to-ports 9162
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9163 -j REDIRECT --to-ports 9163
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9164 -j REDIRECT --to-ports 9164
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9165 -j REDIRECT --to-ports 9165
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9166 -j REDIRECT --to-ports 9166
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9167 -j REDIRECT --to-ports 9167
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9168 -j REDIRECT --to-ports 9168
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9169 -j REDIRECT --to-ports 9169
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9170 -j REDIRECT --to-ports 9170
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9171 -j REDIRECT --to-ports 9171
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9172 -j REDIRECT --to-ports 9172
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9173 -j REDIRECT --to-ports 9173
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9174 -j REDIRECT --to-ports 9174
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9175 -j REDIRECT --to-ports 9175
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9176 -j REDIRECT --to-ports 9176
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9177 -j REDIRECT --to-ports 9177
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9178 -j REDIRECT --to-ports 9178
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9179 -j REDIRECT --to-ports 9179
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9180 -j REDIRECT --to-ports 9180
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9181 -j REDIRECT --to-ports 9181
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9182 -j REDIRECT --to-ports 9182
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9183 -j REDIRECT --to-ports 9183
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9184 -j REDIRECT --to-ports 9184
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9185 -j REDIRECT --to-ports 9185
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9186 -j REDIRECT --to-ports 9186
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9187 -j REDIRECT --to-ports 9187
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9188 -j REDIRECT --to-ports 9188
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9189 -j REDIRECT --to-ports 9189
-A PREROUTING -i vif+ -p udp -m udp --dport 53 -j REDIRECT --to-ports 5300
-A PREROUTING -i vif+ -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A OUTPUT -p udp -m owner --uid-owner 999 -m conntrack --ctstate NEW -j DNAT --to-destination 127.0.0.1:5400
-A OUTPUT -p tcp -m owner --uid-owner 999 -m conntrack --ctstate NEW -j DNAT --to-destination 127.0.0.1:9041
-A OUTPUT -m owner --uid-owner 1002 -j RETURN
-A OUTPUT -m owner --uid-owner 106 -j RETURN
-A OUTPUT -m iprange --dst-range 127.0.0.0-127.0.0.24 -j RETURN
-A OUTPUT -m iprange --dst-range 10.137.0.0-10.138.255.255 -j RETURN
-A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT
COMMIT
*filter
:INPUT DROP [0,0]
:FORWARD DROP [0,0]
:OUTPUT DROP [0,0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -i vif+ -p udp -m udp --dport 5300 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9040 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9052 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9124 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9104 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9111 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9117 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9107 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9123 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9105 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9103 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9101 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9122 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9121 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9120 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9113 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9112 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9118 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9108 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9106 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9100 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9150 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9115 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9116 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9102 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9119 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9050 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9109 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9110 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9114 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9125 -j ACCEPT
-A INPUT -i vif+ -p tcp -m multiport --dports 9152:9189 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT
-A OUTPUT -m conntrack --ctstate INVALID -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -m state --state INVALID -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -f -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -m iprange --dst-range 127.0.0.0-127.0.0.24 -j ACCEPT
-A OUTPUT -m iprange --dst-range 10.137.0.0-10.138.255.255 -j ACCEPT
-A OUTPUT -m owner --uid-owner 1002 -j ACCEPT
-A OUTPUT -m owner --uid-owner 106 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
COMMIT

Whonix 12. iptables-save-deterministic

*mangle
:PREROUTING ACCEPT [0,0]
:INPUT ACCEPT [0,0]
:FORWARD ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:POSTROUTING ACCEPT [0,0]
COMMIT
*nat
:PREROUTING ACCEPT [0,0]
:INPUT ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:POSTROUTING ACCEPT [0,0]
:PR-QBS-SERVICES - [0,0]
-A PREROUTING -j PR-QBS-SERVICES
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9052 -j REDIRECT --to-ports 9052
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9050 -j REDIRECT --to-ports 9050
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9100 -j REDIRECT --to-ports 9100
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9101 -j REDIRECT --to-ports 9101
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9102 -j REDIRECT --to-ports 9102
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9103 -j REDIRECT --to-ports 9103
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9104 -j REDIRECT --to-ports 9104
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9105 -j REDIRECT --to-ports 9105
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9106 -j REDIRECT --to-ports 9106
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9107 -j REDIRECT --to-ports 9107
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9108 -j REDIRECT --to-ports 9108
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9109 -j REDIRECT --to-ports 9109
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9110 -j REDIRECT --to-ports 9110
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9111 -j REDIRECT --to-ports 9111
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9112 -j REDIRECT --to-ports 9112
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9113 -j REDIRECT --to-ports 9113
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9114 -j REDIRECT --to-ports 9114
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9115 -j REDIRECT --to-ports 9115
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9116 -j REDIRECT --to-ports 9116
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9117 -j REDIRECT --to-ports 9117
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9118 -j REDIRECT --to-ports 9118
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9119 -j REDIRECT --to-ports 9119
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9120 -j REDIRECT --to-ports 9120
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9121 -j REDIRECT --to-ports 9121
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9122 -j REDIRECT --to-ports 9122
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9123 -j REDIRECT --to-ports 9123
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9124 -j REDIRECT --to-ports 9124
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9125 -j REDIRECT --to-ports 9125
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9150 -j REDIRECT --to-ports 9150
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9152 -j REDIRECT --to-ports 9152
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9153 -j REDIRECT --to-ports 9153
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9154 -j REDIRECT --to-ports 9154
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9155 -j REDIRECT --to-ports 9155
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9156 -j REDIRECT --to-ports 9156
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9157 -j REDIRECT --to-ports 9157
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9158 -j REDIRECT --to-ports 9158
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9159 -j REDIRECT --to-ports 9159
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9160 -j REDIRECT --to-ports 9160
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9161 -j REDIRECT --to-ports 9161
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9162 -j REDIRECT --to-ports 9162
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9163 -j REDIRECT --to-ports 9163
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9164 -j REDIRECT --to-ports 9164
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9165 -j REDIRECT --to-ports 9165
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9166 -j REDIRECT --to-ports 9166
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9167 -j REDIRECT --to-ports 9167
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9168 -j REDIRECT --to-ports 9168
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9169 -j REDIRECT --to-ports 9169
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9170 -j REDIRECT --to-ports 9170
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9171 -j REDIRECT --to-ports 9171
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9172 -j REDIRECT --to-ports 9172
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9173 -j REDIRECT --to-ports 9173
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9174 -j REDIRECT --to-ports 9174
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9175 -j REDIRECT --to-ports 9175
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9176 -j REDIRECT --to-ports 9176
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9177 -j REDIRECT --to-ports 9177
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9178 -j REDIRECT --to-ports 9178
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9179 -j REDIRECT --to-ports 9179
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9180 -j REDIRECT --to-ports 9180
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9181 -j REDIRECT --to-ports 9181
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9182 -j REDIRECT --to-ports 9182
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9183 -j REDIRECT --to-ports 9183
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9184 -j REDIRECT --to-ports 9184
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9185 -j REDIRECT --to-ports 9185
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9186 -j REDIRECT --to-ports 9186
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9187 -j REDIRECT --to-ports 9187
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9188 -j REDIRECT --to-ports 9188
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9189 -j REDIRECT --to-ports 9189
-A PREROUTING -i vif+ -p udp -m udp --dport 53 -j REDIRECT --to-ports 5300
-A PREROUTING -i vif+ -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A OUTPUT -p udp -m owner --uid-owner 999 -m conntrack --ctstate NEW -j DNAT --to-destination 10.137.3.1:5300
-A OUTPUT -p tcp -m owner --uid-owner 999 -m conntrack --ctstate NEW -j DNAT --to-destination 10.137.3.1:9040
-A OUTPUT -m owner --uid-owner 107 -j RETURN
-A OUTPUT -m owner --uid-owner 1001 -j RETURN
-A OUTPUT -m iprange --dst-range 127.0.0.0-127.0.0.24 -j RETURN
-A OUTPUT -m iprange --dst-range 10.137.0.0-10.137.255.255 -j RETURN
-A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT
COMMIT
*filter
:INPUT DROP [0,0]
:FORWARD DROP [0,0]
:OUTPUT DROP [0,0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -i vif+ -p udp -m udp --dport 5300 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9040 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9052 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9050 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9100 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9101 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9102 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9103 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9104 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9105 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9106 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9107 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9108 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9109 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9110 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9111 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9112 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9113 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9114 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9115 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9116 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9117 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9118 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9119 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9120 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9121 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9122 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9123 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9124 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9125 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9150 -j ACCEPT
-A INPUT -i vif+ -p tcp -m multiport --dports 9152:9159 -j ACCEPT
-A INPUT -i vif+ -p tcp -m multiport --dports 9160:9169 -j ACCEPT
-A INPUT -i vif+ -p tcp -m multiport --dports 9170:9179 -j ACCEPT
-A INPUT -i vif+ -p tcp -m multiport --dports 9180:9189 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT
-A OUTPUT -m conntrack --ctstate INVALID -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -m state --state INVALID -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -f -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -m iprange --dst-range 127.0.0.0-127.0.0.24 -j ACCEPT
-A OUTPUT -m iprange --dst-range 10.137.0.0-10.137.255.255 -j ACCEPT
-A OUTPUT -m owner --uid-owner 107 -j ACCEPT
-A OUTPUT -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
COMMIT

The diff looks sane.

refactor socks redirection firewall rulesClosed, ResolvedPublicActions

Description

Details

Related Objects

Event Timeline

refactor socks redirection firewall rules
Closed, ResolvedPublic
Actions