Article 58T8H Add iptables-save/restore entry

Add iptables-save/restore entry

by
mackowiakp
from LinuxQuestions.org on (#58T8H)
I have a QNAP NAS with several dockers and LXC containers. The NAS and its dockers and LXC containers are configured as bridge. That is, all are in the same network but of course with different IP addresses.
Below is the output from iptables-save:

[~] # iptables-save > /etc/iptables.back
[~] # cat /etc/iptables.back
# Generated by iptables-save v1.4.21 on Mon Oct 5 10:35:50 2020
*nat
:PREROUTING ACCEPT [1108:140525]
:INPUT ACCEPT [570:74489]
:OUTPUT ACCEPT [4824:500981]
:POSTROUTING ACCEPT [5140:530691]
:DOCKER - [0:0]
:SYSDOCKER - [0:0]
:SYSNAT - [0:0]
:VPNNAT - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j SYSDOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -m addrtype --dst-type LOCAL -j SYSDOCKER
-A OUTPUT -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -o lxcbr0 -m addrtype --src-type LOCAL -j MASQUERADE
-A POSTROUTING -o docker0 -m addrtype --src-type LOCAL -j MASQUERADE
-A POSTROUTING -m mark ! --mark 0x0/0xffff -j MASQUERADE
-A POSTROUTING -j VPNNAT
-A POSTROUTING -j SYSNAT
-A SYSNAT -s 10.0.5.0/24 ! -o docker0 -j MASQUERADE
-A SYSNAT -s 10.0.3.0/24 ! -o lxcbr0 -j MASQUERADE
COMMIT
# Completed on Mon Oct 5 10:35:50 2020
# Generated by iptables-save v1.4.21 on Mon Oct 5 10:35:50 2020
*mangle
:PREROUTING ACCEPT [4390576:3758337958]
:INPUT ACCEPT [3945661:3476892783]
:FORWARD ACCEPT [529198:309091977]
:OUTPUT ACCEPT [3043429:1624932647]
:POSTROUTING ACCEPT [3720477:1979152288]
:CHECKHOST - [0:0]
:VPNCHECKHOST - [0:0]
:VPNCUSSETMARK - [0:0]
:VPNDEFSETMARK - [0:0]
:VPNSETMARKENTRANCE - [0:0]
:VPNTCPMSS - [0:0]
-A PREROUTING -m set --match-set VPNSET src -m set ! --match-set HOSTSET dst -j VPNSETMARKENTRANCE
-A INPUT ! -d 169.254.0.0/16 -j CHECKHOST
-A INPUT -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A OUTPUT -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A OUTPUT -m set --match-set HOSTSET dst -j MARK --set-xmark 0x10000/0xf0000
-A POSTROUTING -p tcp -m mark ! --mark 0x0/0xffff -m tcp --tcp-flags SYN,RST SYN -j VPNTCPMSS
-A CHECKHOST -m set --match-set NATSET src -j MARK --set-xmark 0x10000/0xf0000
-A CHECKHOST -j VPNCHECKHOST
-A VPNCHECKHOST -m set --match-set VPNSET src -j MARK --set-xmark 0x10000/0xf0000
-A VPNCUSSETMARK -m set --match-set vpndocker0 src -j MARK --set-xmark 0x900/0xff00
-A VPNCUSSETMARK -m set --match-set vpnlxcbr0 src -j MARK --set-xmark 0xa00/0xff00
-A VPNCUSSETMARK -m set --match-set vpnqvs0 src -j MARK --set-xmark 0xb00/0xff00
-A VPNDEFSETMARK -s 10.8.0.0/24 -j MARK --set-xmark 0x80/0xff
-A VPNSETMARKENTRANCE -j VPNCUSSETMARK
-A VPNSETMARKENTRANCE -m mark --mark 0x0/0xffff -j VPNDEFSETMARK
COMMIT
# Completed on Mon Oct 5 10:35:50 2020
# Generated by iptables-save v1.4.21 on Mon Oct 5 10:35:50 2020
*filter
:INPUT ACCEPT [9676755:8727305882]
:FORWARD ACCEPT [1216873:934113200]
:OUTPUT ACCEPT [7426345:3628538832]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:DOCKER-USER - [0:0]
:SYSDOCKER - [0:0]
:SYSDOCKER-ISOLATION - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o lxcbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o lxcbr0 -j DOCKER
-A FORWARD -i lxcbr0 ! -o lxcbr0 -j ACCEPT
-A FORWARD -i lxcbr0 -o lxcbr0 -j ACCEPT
-A FORWARD -j SYSDOCKER-ISOLATION
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j SYSDOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A OUTPUT -m set --match-set BRNOIPSET src,dst -j DROP
-A DOCKER-ISOLATION -j RETURN
-A DOCKER-USER -j RETURN
-A SYSDOCKER-ISOLATION -j RETURN
COMMIT
# Completed on Mon Oct 5 10:35:50 2020

The main NAS address is 192.168.0.7.
I am not so experienced in iptables, so please help me.
How do I redirect all traffic coming to 192.168.0.7 on port 4443 to address 192.168.0.202 port 443 by modifying the file above? I don't know what to enter, or where in this file.
After modifying the file I want to load the new rule set with the commands:

iptables -F
iptables-restore < /etc/iptables.back

Any help?
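The port-forward the question asks for, as an added example that is not part of the original post: a shell function that inserts the needed DNAT, hairpin MASQUERADE and FORWARD rules into an iptables-save dump before the COMMIT of the right table. The sample dump it is tried against is constructed here with the same table layout as the post; it assumes IP forwarding is enabled on the NAS and that 192.168.0.202 is reachable from it, neither of which the post states.

```shell
#!/bin/sh
# Added example (not from the post): insert a TCP port-forward (DNAT) into an
# iptables-save dump. Reads the dump on stdin and writes the amended dump to
# stdout, so the original file stays untouched until you choose to replace it.
# Assumed, not stated in the post: net.ipv4.ip_forward=1 on the NAS and the
# target host reachable from it.

# add_port_forward NAS_ADDR PUBLIC_PORT TARGET_ADDR TARGET_PORT
add_port_forward() {
    awk -v nas="$1" -v pub="$2" -v dst="$3" -v dport="$4" '
        # remember which table (*nat, *mangle, *filter) we are inside
        /^\*/ { table = substr($0, 2) }

        # rules must land before the COMMIT that closes their table
        $0 == "COMMIT" && table == "nat" {
            # rewrite the destination before routing: NAS:pub -> dst:dport
            print "-A PREROUTING -d " nas "/32 -p tcp --dport " pub " -j DNAT --to-destination " dst ":" dport
            # same rewrite for connections the NAS itself opens to NAS:pub
            print "-A OUTPUT -d " nas "/32 -p tcp --dport " pub " -j DNAT --to-destination " dst ":" dport
            # hairpin: client and target share one subnet, so without this the
            # target answers the client directly and the client rejects a reply
            # that does not come from NAS:pub
            print "-A POSTROUTING -d " dst "/32 -p tcp --dport " dport " -j MASQUERADE"
        }
        $0 == "COMMIT" && table == "filter" {
            # FORWARD policy is ACCEPT in the posted dump; an explicit accept
            # keeps the forward working if that policy is later tightened
            print "-A FORWARD -d " dst "/32 -p tcp --dport " dport " -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
        }
        { print }
    '
}

# constructed minimal dump with the same table layout as the post, used to
# try the function offline (counters zeroed, unrelated chains omitted)
sample_dump() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o docker0 -m addrtype --src-type LOCAL -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# count the rules in one table whose text contains a pattern,
# e.g.  rules_in nat '-j DNAT'  < dump
rules_in() {
    awk -v want="$1" -v pat="$2" '
        /^\*/ { table = substr($0, 2) }
        table == want && index($0, pat) > 0 { n++ }
        END { print n + 0 }
    '
}

# usage against the posted file:
#   add_port_forward 192.168.0.7 4443 192.168.0.202 443 < /etc/iptables.back > /tmp/iptables.new
# then review /tmp/iptables.new and load it with:  iptables-restore < /tmp/iptables.new
if [ "${1:-}" = "--demo" ]; then
    sample_dump | add_port_forward 192.168.0.7 4443 192.168.0.202 443
fi
```

Two points worth knowing before loading the result. iptables-restore replaces every table named in the file (nat, mangle and filter here), so the preceding `iptables -F`, which flushes only the filter table, adds nothing; review the generated file first, because a typo in it leaves the tables in whatever state the restore reached. Appending to PREROUTING is safe in the posted dump because its nat DOCKER chain holds no rules. The hairpin MASQUERADE makes 192.168.0.202 see every forwarded connection as coming from the NAS, so its own logs lose the real client address; if that attribution matters for monitoring, log the connection on the NAS side instead.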