# Generated by iptables-save v1.4.21 on Sat Mar 28 05:15:46 2020
# Snapshot of the IPv4 netfilter rule set (raw, nat and filter tables).
# Chain header lines read ":CHAIN POLICY [packets:bytes]"; "-" marks a
# user-defined chain, which has no policy of its own.
# raw table: no rules, both built-in chains fall through to policy ACCEPT.
*raw
:PREROUTING ACCEPT [95363:13285937]
:OUTPUT ACCEPT [96371:13325969]
COMMIT
# Completed on Sat Mar 28 05:15:46 2020
# Generated by iptables-save v1.4.21 on Sat Mar 28 05:15:46 2020
# nat table: metadata redirect, Docker NAT hooks, and masquerading for the
# 192.168.24.0/24 subnet (called "ctlplane-subnet" by the FORWARD rule comments).
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:BOOTSTACK_MASQ - [0:0]
:DOCKER - [0:0]
# TCP/80 sent to 169.254.169.254 on br-ctlplane is redirected to local port 8775,
# the port the filter table labels "nova_metadata_haproxy".
-A PREROUTING -d 169.254.169.254/32 -i br-ctlplane -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8775
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -j BOOTSTACK_MASQ
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
# Traffic that stays inside 192.168.24.0/24 is left untranslated (RETURN);
# anything else sourced from that subnet is masqueraded.
-A BOOTSTACK_MASQ -s 192.168.24.0/24 -d 192.168.24.0/24 -j RETURN
-A BOOTSTACK_MASQ -s 192.168.24.0/24 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Sat Mar 28 05:15:46 2020
# Generated by iptables-save v1.4.21 on Sat Mar 28 05:15:46 2020
# filter table.
# NOTE(review): INPUT and FORWARD both have policy ACCEPT, so the host is only
# as closed as the terminal rules at the end of each chain. INPUT is closed by
# the REJECT at the end of openstack-INPUT; FORWARD has no terminal DROP/REJECT
# in this dump, so unmatched forwarded packets fall through to ACCEPT.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2514:379350]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:openstack-INPUT - [0:0]
# Baseline rules 000-003: established/related traffic, ICMP, loopback, SSH.
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "000 accept related established rules ipv4" -j ACCEPT
-A INPUT -p icmp -m state --state NEW -m comment --comment "001 accept all icmp ipv4" -j ACCEPT
-A INPUT -i lo -m state --state NEW -m comment --comment "002 accept all to lo interface ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -m state --state NEW -m comment --comment "003 ssh ipv4" -j ACCEPT
# "100 *_haproxy" rules: one accept per frontend port. None carries a source
# (-s) or interface (-i) match, so each port is reachable from any network that
# can route to this host. The "_ssl" names presumably mark the TLS frontends
# (13xxx ports); the non-"_ssl" ports are opened alongside them.
-A INPUT -p tcp -m multiport --dports 8042 -m state --state NEW -m comment --comment "100 aodh_haproxy ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 13042 -m state --state NEW -m comment --comment "100 aodh_haproxy_ssl ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8787 -m state --state NEW -m comment --comment "100 docker-registry_haproxy ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 13787 -m state --state NEW -m comment --comment "100 docker-registry_haproxy_ssl ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9292 -m state --state NEW -m comment --comment "100 glance_api_haproxy ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 13292 -m state --state NEW -m comment --comment "100 glance_api_haproxy_ssl ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8041 -m state --state NEW -m comment --comment "100 gnocchi_haproxy ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 13041 -m state --state NEW -m comment --comment "100 gnocchi_haproxy_ssl ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8004 -m state --state NEW -m comment --comment "100 heat_api_haproxy ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 13004 -m state --state NEW -m comment --comment "100 heat_api_haproxy_ssl ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5050 -m state --state NEW -m comment --comment "100 ironic-inspector_haproxy ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 13050 -m state --state NEW -m comment --comment "100 ironic-inspector_haproxy_ssl ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6385 -m state --state NEW -m comment --comment "100 ironic_haproxy ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 13385 -m state --state NEW -m comment --comment "100 ironic_haproxy_ssl ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 35357 -m state --state NEW -m comment --comment "100 keystone_admin_haproxy ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5000 -m state --state NEW -m comment --comment "100 keystone_public_haproxy ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 13000 -m state --state NEW -m comment --comment "100 keystone_public_haproxy_ssl ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8989 -m state --state NEW -m comment --comment "100 mistral_haproxy ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 13989 -m state --state NEW -m comment --comment "100 mistral_haproxy_ssl ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9696 -m state --state NEW -m comment --comment "100 neutron_haproxy ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 13696 -m state --state NEW -m comment --comment "100 neutron_haproxy_ssl ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8775 -m state --state NEW -m comment --comment "100 nova_metadata_haproxy ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8774 -m state --state NEW -m comment --comment "100 nova_osapi_haproxy ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 13774 -m state --state NEW -m comment --comment "100 nova_osapi_haproxy_ssl ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8778 -m state --state NEW -m comment --comment "100 nova_placement_haproxy ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 13778 -m state --state NEW -m comment --comment "100 nova_placement_haproxy_ssl ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8977 -m state --state NEW -m comment --comment "100 panko_haproxy ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 13977 -m state --state NEW -m comment --comment "100 panko_haproxy_ssl ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8080 -m state --state NEW -m comment --comment "100 swift_proxy_server_haproxy ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 13808 -m state --state NEW -m comment --comment "100 swift_proxy_server_haproxy_ssl ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 3000 -m state --state NEW -m comment --comment "100 ui_haproxy ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 443 -m state --state NEW -m comment --comment "100 ui_haproxy_ssl ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8888 -m state --state NEW -m comment --comment "100 zaqar_api_haproxy ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 13888 -m state --state NEW -m comment --comment "100 zaqar_api_haproxy_ssl ipv4" -j ACCEPT
# NOTE(review): zaqar_ws_haproxy and zaqar_ws_haproxy_ssl both open port 9000,
# unlike the other pairs, which use distinct plain and "_ssl" ports.
-A INPUT -p tcp -m multiport --dports 9000 -m state --state NEW -m comment --comment "100 zaqar_ws_haproxy ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9000 -m state --state NEW -m comment --comment "100 zaqar_ws_haproxy_ssl ipv4" -j ACCEPT
# Rules 105-143: per-service accepts. Many repeat ports already opened by the
# "100 *_haproxy" rules above; the first matching rule decides, so these repeats
# have no additional effect.
# NOTE(review): apart from memcached (121), none of these is limited by source
# or interface. That includes management and data-plane ports such as haproxy
# stats (107), redis (108), ceph (110), iscsi (120), swift storage (123),
# snmp (127), tftp (130) and novnc (131). Confirm that upstream filtering or
# network placement keeps untrusted networks away from this host.
-A INPUT -p udp -m multiport --dports 123 -m state --state NEW -m comment --comment "105 ntp ipv4" -j ACCEPT
-A INPUT -p vrrp -m state --state NEW -m comment --comment "106 vrrp ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 1993 -m state --state NEW -m comment --comment "107 haproxy stats ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6379,26379 -m state --state NEW -m comment --comment "108 redis ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6789,6800:6810 -m state --state NEW -m comment --comment "110 ceph ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5000,13000,35357,13357 -m state --state NEW -m comment --comment "111 keystone ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9292,9191,13292 -m state --state NEW -m comment --comment "112 glance ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6080,13080,8773,13773,8774,13774,8778,13778,8775,13775 -m state --state NEW -m comment --comment "113 nova ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9696,13696 -m state --state NEW -m comment --comment "114 neutron server ipv4" -j ACCEPT
-A INPUT -p udp -m multiport --dports 67 -m state --state NEW -m comment --comment "115 neutron dhcp input ipv4" -j ACCEPT
-A INPUT -p udp -m multiport --dports 4789 -m state --state NEW -m comment --comment "118 neutron vxlan networks ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8776,13776 -m state --state NEW -m comment --comment "119 cinder ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 3260 -m state --state NEW -m comment --comment "120 iscsi initiator ipv4" -j ACCEPT
# The only per-service rule with a source match: memcached is accepted from 127.0.0.1 only.
-A INPUT -s 127.0.0.1/32 -p tcp -m multiport --dports 11211 -m state --state NEW -m comment --comment "121 memcached ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8080,13808 -m state --state NEW -m comment --comment "122 swift proxy ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 873,6000,6001,6002 -m state --state NEW -m comment --comment "123 swift storage ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8000,13800,8003,13003,8004,13004 -m state --state NEW -m comment --comment "125 heat ipv4" -j ACCEPT
-A INPUT -p udp -m multiport --dports 161 -m state --state NEW -m comment --comment "127 snmp ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8042,13042 -m state --state NEW -m comment --comment "128 aodh ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8041,13041 -m state --state NEW -m comment --comment "129 gnocchi-api ipv4" -j ACCEPT
-A INPUT -p udp -m multiport --dports 69 -m state --state NEW -m comment --comment "130 tftp ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5900:5999 -m state --state NEW -m comment --comment "131 novnc ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8989,13989 -m state --state NEW -m comment --comment "132 mistral ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8888,13888 -m state --state NEW -m comment --comment "133 zaqar ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9000 -m state --state NEW -m comment --comment "134 zaqar websockets ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6385,13385 -m state --state NEW -m comment --comment "135 ironic ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8779,13779 -m state --state NEW -m comment --comment "136 trove ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5050 -m state --state NEW -m comment --comment "137 ironic-inspector ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8787,13787 -m state --state NEW -m comment --comment "138 docker registry ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8088 -m state --state NEW -m comment --comment "139 apache vhost ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 3000,443 -m state --state NEW -m comment --comment "142 tripleo-ui ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8977,13977 -m state --state NEW -m comment --comment "143 panko-api ipv4" -j ACCEPT
# NOTE(review): the next two rules accept every protocol and port from a single
# source address, with no state match and no identifying comment. The first
# address is not an RFC 1918 address. Confirm who owns both hosts and whether
# blanket access is still required.
-A INPUT -s 38.102.83.167/32 -j ACCEPT
-A INPUT -s 192.168.100.109/32 -j ACCEPT
# Unconditional jump. openstack-INPUT ends in an unconditional REJECT, so no
# packet returns from it and rules 998/999 below are never evaluated. The only
# logging that happens is the rate-limited LOG inside openstack-INPUT.
-A INPUT -j openstack-INPUT
-A INPUT -m state --state NEW -m comment --comment "998 log all ipv4" -j LOG
-A INPUT -m state --state NEW -m comment --comment "999 drop all ipv4" -j DROP
# FORWARD: new connections to or from 192.168.24.0/24 are accepted, then the
# Docker chains run. Anything left unmatched falls through to the chain's ACCEPT
# policy (whether the host actually routes depends on kernel forwarding settings
# not shown in this dump).
-A FORWARD -d 192.168.24.0/24 -m state --state NEW -m comment --comment "140 destination ctlplane-subnet cidr nat ipv4" -j ACCEPT
-A FORWARD -s 192.168.24.0/24 -m state --state NEW -m comment --comment "140 source ctlplane-subnet cidr nat ipv4" -j ACCEPT
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A OUTPUT -p udp -m multiport --dports 68 -m state --state NEW -m comment --comment "116 neutron dhcp output ipv4" -j ACCEPT
# DOCKER-ISOLATION holds only a RETURN, so it filters nothing here.
-A DOCKER-ISOLATION -j RETURN
# openstack-INPUT: second allow-list, reached only by packets that no INPUT rule
# above has already accepted.
-A openstack-INPUT -i lo -j ACCEPT
-A openstack-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A openstack-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A openstack-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 19885 -j ACCEPT
# NOTE(review): the 172.24.4.0/23 restriction below has no effect on new
# connections to udp/69 or tcp/6385, 8000, 8003 and 8004, because INPUT rules
# 130, 135 and 125 already accept those ports from any source. Of these rules,
# only tcp/80 is not opened earlier in INPUT.
-A openstack-INPUT -s 172.24.4.0/23 -p udp -m udp --dport 69 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 6385 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 80 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 8000 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 8003 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 8004 -j ACCEPT
# Denied packets are logged at an average of at most 2 per minute, so the log
# is a sample rather than a complete record of rejected traffic.
-A openstack-INPUT -m limit --limit 2/min -j LOG --log-prefix "iptables dropped: "
# Terminal rule: everything not accepted above is rejected with an ICMP
# host-prohibited reply (not silently dropped, despite the log prefix).
-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sat Mar 28 05:15:46 2020