# Generated by iptables-save v1.4.21 on Sat Mar 28 06:10:07 2020
#
# iptables-save dump of an OpenStack (TripleO-style, "NNN name ipv4" comments)
# controller that also runs Docker. Two tables follow: *nat (Docker NAT only)
# and *filter (host firewall). Rule order is semantic: the first matching
# terminating target in a chain wins. Lines beginning with '#' are ignored by
# iptables-restore; per-chain counters in [pkts:bytes] are only restored with -c.
*nat
:PREROUTING ACCEPT [570:58403]
:INPUT ACCEPT [565:58140]
:OUTPUT ACCEPT [1062:83562]
:POSTROUTING ACCEPT [1062:83562]
:DOCKER - [0:0]
# Docker-managed NAT: traffic to local addresses is handed to the DOCKER chain
# (which here only RETURNs for packets arriving on docker0), and container
# traffic from 172.17.0.0/16 leaving via any interface other than docker0 is
# masqueraded behind the host.
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Sat Mar 28 06:10:07 2020
# Generated by iptables-save v1.4.21 on Sat Mar 28 06:10:07 2020
*filter
# All three built-in chains have policy ACCEPT; denial is implemented by the
# explicit tail rules below (and for INPUT, by the openstack-INPUT chain's
# unconditional REJECT). FORWARD has no deny tail at all: anything that is not
# docker0-related falls through to the ACCEPT policy, so if ip_forward is
# enabled this host will route between its interfaces unfiltered.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [38:6320]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:openstack-INPUT - [0:0]
# --- INPUT: baseline ---
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "000 accept related established rules ipv4" -j ACCEPT
# No --icmp-type filter: every ICMP type is accepted from any source.
-A INPUT -p icmp -m state --state NEW -m comment --comment "001 accept all icmp ipv4" -j ACCEPT
-A INPUT -i lo -m state --state NEW -m comment --comment "002 accept all to lo interface ipv4" -j ACCEPT
# SSH is reachable from any source address (no -s restriction).
-A INPUT -p tcp -m multiport --dports 22 -m state --state NEW -m comment --comment "003 accept ssh from any ipv4" -j ACCEPT
# --- INPUT: HAProxy front-end ports, one rule per service (plain / _ssl = 13xxx).
# None of these carry a source restriction; which interface/VIP they are meant
# for is not expressed in the ruleset.
-A INPUT -p tcp -m multiport --dports 1789 -m state --state NEW -m comment --comment "100 congress_haproxy ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 13789 -m state --state NEW -m comment --comment "100 congress_haproxy_ssl ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9292 -m state --state NEW -m comment --comment "100 glance_api_haproxy ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 13292 -m state --state NEW -m comment --comment "100 glance_api_haproxy_ssl ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8004 -m state --state NEW -m comment --comment "100 heat_api_haproxy ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 13004 -m state --state NEW -m comment --comment "100 heat_api_haproxy_ssl ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8000 -m state --state NEW -m comment --comment "100 heat_cfn_haproxy ipv4" -j ACCEPT
# NOTE(review): the haproxy_ssl rule opens 13005 while "125 heat_cfn" below
# opens 13800 — one of the two is probably stale; confirm which port the
# heat-cfn TLS listener actually binds.
-A INPUT -p tcp -m multiport --dports 13005 -m state --state NEW -m comment --comment "100 heat_cfn_haproxy_ssl ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 35357 -m state --state NEW -m comment --comment "100 keystone_admin_haproxy ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5000 -m state --state NEW -m comment --comment "100 keystone_public_haproxy ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 13000 -m state --state NEW -m comment --comment "100 keystone_public_haproxy_ssl ipv4" -j ACCEPT
# Database front-end open to any source; restricting -s to the internal
# API network (cf. the 192.168.24.0/24 rules further down) would be the usual
# hardening step.
-A INPUT -p tcp -m multiport --dports 3306 -m state --state NEW -m comment --comment "100 mysql_haproxy ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9696 -m state --state NEW -m comment --comment "100 neutron_haproxy ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 13696 -m state --state NEW -m comment --comment "100 neutron_haproxy_ssl ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8775 -m state --state NEW -m comment --comment "100 nova_metadata_haproxy ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8774 -m state --state NEW -m comment --comment "100 nova_osapi_haproxy ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 13774 -m state --state NEW -m comment --comment "100 nova_osapi_haproxy_ssl ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8778 -m state --state NEW -m comment --comment "100 nova_placement_haproxy ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 13778 -m state --state NEW -m comment --comment "100 nova_placement_haproxy_ssl ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6641 -m state --state NEW -m comment --comment "100 ovn_nbdb_haproxy ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 13641 -m state --state NEW -m comment --comment "100 ovn_nbdb_haproxy_ssl ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6642 -m state --state NEW -m comment --comment "100 ovn_sbdb_haproxy ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9890 -m state --state NEW -m comment --comment "100 tacker_haproxy ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 13989 -m state --state NEW -m comment --comment "100 tacker_haproxy_ssl ipv4" -j ACCEPT
# --- INPUT: backend / cluster services. Also unrestricted by source: Galera
# replication and SST ports, RabbitMQ, pacemaker, OVN DBs. 3306 here overlaps
# the mysql_haproxy rule above (harmless, first match wins).
-A INPUT -p tcp -m multiport --dports 873,3123,3306,4444,4567,4568,9200 -m state --state NEW -m comment --comment "104 mysql galera-bundle ipv4" -j ACCEPT
-A INPUT -p udp -m multiport --dports 123 -m state --state NEW -m comment --comment "105 ntp ipv4" -j ACCEPT
# HAProxy statistics page reachable from any source.
-A INPUT -p tcp -m multiport --dports 1993 -m state --state NEW -m comment --comment "107 haproxy stats ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 3122,4369,5672,25672 -m state --state NEW -m comment --comment "109 rabbitmq-bundle ipv4" -j ACCEPT
# Service-level rules; several duplicate ports already opened by the haproxy
# rules above (keystone, glance, congress, nova, tacker, neutron, heat).
-A INPUT -p tcp -m multiport --dports 5000,13000,35357 -m state --state NEW -m comment --comment "111 keystone ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9292,13292 -m state --state NEW -m comment --comment "112 glance_api ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 1789,13789 -m state --state NEW -m comment --comment "113 congress ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8774,13774,8775 -m state --state NEW -m comment --comment "113 nova_api ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9890,13989 -m state --state NEW -m comment --comment "113 tacker ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9696,13696 -m state --state NEW -m comment --comment "114 neutron api ipv4" -j ACCEPT
# Overlay tunnel endpoints (VXLAN 4789/udp, Geneve 6081/udp), any source.
-A INPUT -p udp -m multiport --dports 4789 -m state --state NEW -m comment --comment "118 neutron vxlan networks ipv4" -j ACCEPT
-A INPUT -p udp -m multiport --dports 6081 -m state --state NEW -m comment --comment "119 neutron geneve networks ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6641,6642 -m state --state NEW -m comment --comment "121 OVN DB server ports ipv4" -j ACCEPT
# The only port rules with a source restriction: memcached and SNMP are
# limited to 192.168.24.0/24.
-A INPUT -s 192.168.24.0/24 -p tcp -m multiport --dports 11211 -m state --state NEW -m comment --comment "121 memcached ipv4" -j ACCEPT
-A INPUT -s 192.168.24.0/24 -p udp -m multiport --dports 161 -m state --state NEW -m comment --comment "124 snmp ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8004,13004 -m state --state NEW -m comment --comment "125 heat_api ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8000,13800 -m state --state NEW -m comment --comment "125 heat_cfn ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 2224,3121,21064 -m state --state NEW -m comment --comment "130 pacemaker tcp ipv4" -j ACCEPT
-A INPUT -p udp -m multiport --dports 5405 -m state --state NEW -m comment --comment "131 pacemaker udp ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8778,13778 -m state --state NEW -m comment --comment "138 nova_placement ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8775,13775 -m state --state NEW -m comment --comment "139 nova_metadata ipv4" -j ACCEPT
# libvirt (16514), live-migration range (61152:61215) and the whole console
# port range 5900:6923 are open to any source; the console range in particular
# is normally expected only from the proxy hosts — worth a -s restriction.
-A INPUT -p tcp -m multiport --dports 16514,61152:61215,5900:6923 -m state --state NEW -m comment --comment "200 nova_libvirt ipv4" -j ACCEPT
# Four host-wide allow-alls: any protocol/port from these addresses bypasses
# every port rule above and the openstack-INPUT chain below. No -m comment, so
# they were probably added by hand rather than by the deployment tooling.
-A INPUT -s 38.102.83.98/32 -j ACCEPT
-A INPUT -s 38.102.83.5/32 -j ACCEPT
-A INPUT -s 192.168.103.77/32 -j ACCEPT
-A INPUT -s 192.168.100.61/32 -j ACCEPT
# Everything not accepted above is handed to openstack-INPUT. That chain ends
# with an unconditional REJECT, so control never returns here: the "998 log"
# and "999 drop" rules that follow are unreachable and their counters will stay
# at zero. Logging of rejected traffic therefore happens only via the
# openstack-INPUT LOG rule (2/min, prefix "iptables dropped: "), not via the
# 20/min "998 log all" rule, which also has no --log-prefix.
-A INPUT -j openstack-INPUT
-A INPUT -m state --state NEW -m limit --limit 20/min --limit-burst 15 -m comment --comment "998 log all ipv4" -j LOG
-A INPUT -m state --state NEW -m comment --comment "999 drop all ipv4" -j DROP
# --- FORWARD: Docker-managed. DOCKER-ISOLATION only RETURNs, so there is no
# inter-network isolation; the DOCKER chain is empty in *filter, so packets to
# docker0 fall through to the conntrack rule. Non-docker forwarding is not
# matched by any rule and is accepted by chain policy.
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN
# --- openstack-INPUT: an older, self-contained deny-by-default chain (lo,
# ICMP, SSH, established, 19885/tcp from anywhere; tftp 69/udp plus 6385, 80,
# 8000, 8003, 8004 from 172.24.4.0/23; then log-and-reject). Its SSH and ICMP
# rules are stateless duplicates of INPUT rules 001/003 and never match new
# traffic here, since INPUT already accepted it.
# NOTE(review): 19885 and 6385 are presumably deployment-specific services
# (6385 is the conventional ironic API port) — confirm against the host.
-A openstack-INPUT -i lo -j ACCEPT
-A openstack-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A openstack-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A openstack-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 19885 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p udp -m udp --dport 69 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 6385 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 80 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 8000 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 8003 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 8004 -j ACCEPT
# Rate-limited log (no --limit-burst, so the default burst applies) followed by
# an unconditional REJECT; this is the effective default-deny for INPUT.
-A openstack-INPUT -m limit --limit 2/min -j LOG --log-prefix "iptables dropped: "
-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sat Mar 28 06:10:07 2020