Ubuntu iptables and ipset

So, this article is about high-load servers that filter traffic through a large number of IPTABLES rules.

The root of the problem is that every packet has to pass through N rules, and every rule costs CPU. IPSET, together with -m multiport and --dports/--sports, can significantly reduce the resources the system spends on rule processing. For example:

You can write 3 rules of the form:

-A RH-Firewall-eth5-FORWARD -i eth5 -s 172.16.49.0/24 -j ACCEPT
-A RH-Firewall-eth5-FORWARD -i eth5 -s 172.16.50.0/24 -j ACCEPT
-A RH-Firewall-eth5-FORWARD -i eth5 -s 172.16.51.0/24 -j ACCEPT

Or the same thing, but with the networks grouped into a set:


ipset -N OG_TEST nethash
ipset -A OG_TEST 172.16.49.0/24
ipset -A OG_TEST 172.16.50.0/24
ipset -A OG_TEST 172.16.51.0/24

-A RH-Firewall-eth5-FORWARD -i eth5 -m set --match-set OG_TEST src -j ACCEPT

Thus, by grouping rules into object groups for networks, hosts and ports, your config can shrink considerably.
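To make the saving concrete beyond the three-rule case above, here is an added shell example (not code from the original article): it generates an object group in the format that ipset restore reads, plus the single rule that replaces one rule per network and, going one step further than the article, one rule per port as well, using -m multiport. The set name OG_TEST, the chain, the interface, the ports and the networks are constructed for illustration; the script only prints the lines, it does not load them.

```shell
#!/bin/sh
# Added example, not code from the original article: generate an object group
# and the single rule that replaces N per-network rules. Output is printed as
# text in the formats "ipset restore" and "iptables-restore" read, so it can be
# reviewed (or diffed against the running ruleset) before being loaded.
# Set name, chain, interface, ports and the address list are constructed.

# emit_set NAME CIDR...
# Prints "create"/"add" lines for a hash:net set ("nethash" in the legacy
# syntax used in the article): one "create" plus one "add" per network.
emit_set() {
    name=$1
    shift
    printf 'create %s hash:net\n' "$name"
    for net in "$@"; do
        printf 'add %s %s\n' "$name" "$net"
    done
}

# emit_rule CHAIN IFACE SET PORTS
# Prints one iptables-restore line: the set covers every source network and
# -m multiport covers up to 15 ports, so N networks x M ports becomes one rule.
emit_rule() {
    printf '%s\n' "-A $1 -i $2 -m set --match-set $3 src -p tcp -m multiport --dports $4 -j ACCEPT"
}

# rules_without_sets CHAIN IFACE PORTS CIDR...
# The classic layout for comparison: one rule per (network, port) pair.
rules_without_sets() {
    chain=$1; iface=$2; ports=$3
    shift 3
    for net in "$@"; do
        for port in $(printf '%s' "$ports" | tr ',' ' '); do
            printf '%s\n' "-A $chain -i $iface -s $net -p tcp --dport $port -j ACCEPT"
        done
    done
}

# count_lines -> number of lines on stdin (strips the padding BSD wc prints)
count_lines() {
    wc -l | tr -d ' '
}

# Demo with the article's three networks and three constructed ports
NETS="172.16.49.0/24 172.16.50.0/24 172.16.51.0/24"
echo "# without ipset: $(rules_without_sets RH-Firewall-eth5-FORWARD eth5 22,80,443 $NETS | count_lines) rules"
echo "# with ipset + multiport: $(emit_rule RH-Firewall-eth5-FORWARD eth5 OG_TEST 22,80,443 | count_lines) rule"
emit_set OG_TEST $NETS
emit_rule RH-Firewall-eth5-FORWARD eth5 OG_TEST 22,80,443
```

The point of printing rather than applying is review: the rule count a packet traverses drops from networks × ports to one, and the generated set lines can be appended to the ipsetrules.v4 file shown later in the article.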

A packet passes through Linux according to the following diagram:

[diagram not included in this copy of the page]

So let's configure IPSET. As a rule it is already included in Ubuntu 14 and 16, but if not:

# apt-get install ipset

If, for example, the IPSET object group OG_MANAGEMENT is referenced in the IPTABLES config but has not been loaded into memory, IPTABLES will report an error and will not load the config.

An object group is created and loaded into memory as follows:

ipset -N OG_LOOPBACK nethash          # create the set
ipset -A OG_LOOPBACK 172.16.48.254/32 # add an IP network to the object group
ipset -A OG_LOOPBACK 172.16.49.254/32 # add an IP network to the object group
ipset -A OG_LOOPBACK 172.16.50.254/32 # add an IP network to the object group
ipset -A OG_LOOPBACK 172.16.51.254/32 # add an IP network to the object group

To see what an object group contains, and its size in memory:


# ipset --list OG_LOOPBACK
Name: OG_LOOPBACK
Type: hash:net
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16888
References: 0
Members:
172.16.48.254
172.16.51.254
172.16.49.254
172.16.50.254


Add (A – add) IP addresses to the blacklist set and view (L – list) the set contents:

# ipset -A blacklist 192.168.0.222
# ipset -A blacklist 10.10.0.23
# ipset -L blacklist

Name: blacklist
Type: hash:ip
Revision: 0
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16512
References: 0
Members:
10.10.0.23
192.168.0.222

Remove an IP address from the blacklist set (D – delete):
# ipset -D blacklist 192.168.0.222
# ipset -L blacklist
Name: blacklist
Type: hash:ip
Revision: 0
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16512
References: 0
Members:
10.10.0.23

Check whether an IP is in the blacklist set (T – test):
# ipset -T blacklist 10.10.0.23
10.10.0.23 is in set blacklist.

Remove all IP addresses from the blacklist set (F – flush):
# ipset -F blacklist

Delete the set itself (X – destroy):
# ipset -X blacklist

So that the system can build the object groups at boot, let's create a config that will be loaded into IPSET at system start.

# ls -l
total 20
-rw-r--r-- 1 root root  2445 Oct 31 10:16 ipsetrules.v4
-rw-r--r-- 1 root root     0 Oct 23 14:21 ipsetrules.v6
-rw-r--r-- 1 root root 11287 Oct 31 11:33 rules.v4
-rw-r--r-- 1 root root   184 Oct 11 19:44 rules.v6

# cat > /etc/iptables/ipsetrules.v4


-N OG_MANAGEMENT nethash
-A OG_MANAGEMENT XX.XXX.XXX.XX/XX
-A OG_MANAGEMENT XXX.XXX.XX.XX/XX
-A OG_MANAGEMENT XXX.XX.XX.X/XX
-A OG_MANAGEMENT X.XXX.XX.XXX/XX
-A OG_MANAGEMENT XX.XXX.XX.XXX/XX
-A OG_MANAGEMENT XXX.XX.XXX.XXX/XX
-A OG_MANAGEMENT XX.XXX.XXX.XXX/XX
###
-N OG_IPSEC nethash
-A OG_IPSEC XXX.XX.XX.XXX/XX
-A OG_IPSEC XX.XXX.XXX.XX/XX
-A OG_IPSEC XXX.XXX.XX.XX/XX
-A OG_IPSEC XX.XXX.XX.XXX/XX
-A OG_IPSEC XX.XXX.XXX.XXX/XX
-A OG_IPSEC XX.XXX.XX.XX/XX
-A OG_IPSEC XX.XXX.XXX.XX/XX
-A OG_IPSEC XXX.XX.XXX.XX/XX
###
-N OG_ADMINS nethash
-A OG_ADMINS XXX.XXX.XX.X/XX
-A OG_ADMINS XX.XX.XXX.X/XX
-A OG_ADMINS XXX.XX.XX.X/XX
-A OG_ADMINS XXX.XX.X.XX/XX
-A OG_ADMINS XXX.XXX.XXX.X/XX
-A OG_ADMINS XXX.XX.XX.XXX/XX
-A OG_ADMINS XXX.XX.X.XX/XX
###
-N OG_LOOPBACK nethash
-A OG_LOOPBACK XXX.XX.XX.XXX/XX
-A OG_LOOPBACK XXX.XX.XX.XXX/XX
-A OG_LOOPBACK XXX.XX.XX.XXX/XX
-A OG_LOOPBACK XXX.XX.XX.XXX/XX
##
-N OG_OPENSTACK_GWX nethash
-A OG_OPENSTACK_GWX XXX.XX.XX.X/XX
##
-N OG_OPENSTACK_PROJECT_TEST nethash
-A OG_OPENSTACK_PROJECT_TEST XXX.XX.XX.X/XX
##
-N OG_OPENSTACK_PROJECT_DEVEL nethash
-A OG_OPENSTACK_PROJECT_DEVEL XXX.XX.XX.X/XX
##
-N OG_OPENSTACK_PROJECT_SYSADM nethash
-A OG_OPENSTACK_PROJECT_SYSADM XXX.XX.XX.X/XX
##
-N OG_OPENSTACK_PROJECT_STAGE nethash
-A OG_OPENSTACK_PROJECT_STAGE XXX.XX.XX.X/XX
##
-N OG_OPENSTACK_SENLA nethash
-A OG_OPENSTACK_SENLA XXX.XX.XX.X/XX
###
-N OG_OPENSTACK_HE nethash
-A OG_OPENSTACK_HE XX.XXX.X.X/XX
##
-N OG_XLES-BRANCH nethash
-A OG_XLES-BRANCH XXX.XXX.XX.X/XX
##
-N OG_HE_BRANCH nethash
-A OG_HE_BRANCH XXX.XX.X.X/XX
##
-N OG_SELECTEL_BRANCH nethash
-A OG_SELECTEL_BRANCH XXX.XX.X.X/XX
##
-N OG_ZABBIX_AGENT nethash
-A OG_ZABBIX_AGENT XXX.XXX.XX.XX/XX
##
-N OG_DEVELOPERS nethash
-A OG_DEVELOPERS XXX.XXX.XX.X/XX
##
-N OG_OPENSTACK_AD nethash
-A OG_OPENSTACK_AD XXX.XX.XX.X/XX
##
-N OG_ALL_AD nethash
-A OG_ALL_AD XX.X.XXX.XX/XX
-A OG_ALL_AD XXX.XXX.XX.XX/XX
-A OG_ALL_AD XXX.XXX.XX.XX/XX
-A OG_ALL_AD XXX.XXX.XXX.XXX/XX
-A OG_ALL_AD XXX.XXX.XXX.X/XX
-A OG_ALL_AD XXX.XX.XX.XX/XX
-A OG_ALL_AD XXX.XX.X.XX/XX
-A OG_ALL_AD XXX.XX.X.XX/XX
##
-N OG_BOGONS nethash
-A OG_BOGONS XX.X.X.X/X
-A OG_BOGONS XXX.XX.X.X/XX
-A OG_BOGONS XXX.XXX.X.X/XX
-A OG_BOGONS XXX.X.X.X/X
-A OG_BOGONS XXX.X.X.X/X
-A OG_BOGONS XXX.XXX.X.X/XX
-A OG_BOGONS X.X.X.X/X
-A OG_BOGONS XXX.X.X.X/X
-A OG_BOGONS XXX.XXX.XXX.XXX/XX
-A OG_BOGONS XXX.XXX.X.X/XX
-A OG_BOGONS XXX.X.X.X/X
##
-N OG_ANY nethash
-A OG_ANY X.X.X.X
##
COMMIT


Next I add the loading of this file to the iptables-persistent management and autostart script:

# vi /etc/init.d/iptables-persistent

# In the load section:

load_rules()
{
    log_action_begin_msg "Loading iptables rules"

    #load IPv4 rules
    #ipset restore < /etc/iptables/ipsetrules.v4 > /dev/null
    if [ ! -f /etc/iptables/rules.v4 ]; then
        log_action_cont_msg " skipping IPv4 (no rules to load)"
    else
        log_action_cont_msg " IPv4"
        ipset restore < /etc/iptables/ipsetrules.v4 > /dev/null
        iptables-restore < /etc/iptables/rules.v4 2> /dev/null
        if [ $? -ne 0 ]; then
            rc=1
        fi
    fi
    # (remainder of the original function unchanged)
}


Below are the IPTABLES rules themselves, using ipsets (object groups):


# cat rules.v4
# Generated by iptables-save v1.4.21 on Wed Oct 11 16:44:29 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#:LOGDROP - [0:0]
COMMIT
# Completed on Wed Oct 11 16:44:29 2017
*nat
#:PREROUTING ACCEPT [214:11160]
#:INPUT ACCEPT [8:916]
#:OUTPUT ACCEPT [3:200]
#:POSTROUTING ACCEPT [6:380]
#-A POSTROUTING -s 172.16.16.0/23 -d 172.16.0.0/16 -j ACCEPT
-N NAT
-A POSTROUTING -s 172.16.48.0/21 ! -d 172.16.48.0/21 -j NAT
#-A POSTROUTING -s 172.16.48.0/21 ! -d 192.168.8.18/32 -j NAT
-A NAT -d 192.168.8.18/32 -j SNAT --to-source 23.111.X.X
-A NAT -d 10.0.0.0/8 -j RETURN
-A NAT -d 172.16.0.0/12 -j RETURN
-A NAT -d 192.168.0.0/16 -j RETURN
-A NAT -o eth1 -s 172.16.48.0/21 -j SNAT --to-source 23.111.X.X
-A NAT -o eth0 -s 172.16.48.0/21 -j SNAT --to-source 23.111.X.X2
-A PREROUTING -p tcp -d 23.111.X.X2 -m tcp --dport 2222 -j DNAT --to-destination 172.16.48.5:22
#-A PREROUTING -p tcp -d 23.111.X.X2 -m tcp --dport 3333 --to-destination 172.16.48.5:3333 -j LOG --log-prefix "XXXXXXXXXXXXX"
-A PREROUTING -p tcp -d 23.111.X.X2 -m tcp --dport 3333 -j DNAT --to-destination 172.16.48.5:3333
#-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT

# Completed on Thu Jun 8 12:18:50 2017
# Generated by iptables-save v1.4.21 on Thu Jun 8 12:18:50 2017
*filter
#:INPUT ACCEPT [79368:66359594]
#:FORWARD ACCEPT [112502:65311151]
#:OUTPUT ACCEPT [52746:6960713]
#:LOGDROP - [52746:6960713]

:RH-Firewall-eth0-INPUT - [0:0]
:RH-Firewall-eth1-INPUT - [0:0]
:RH-Firewall-eth2-INPUT - [0:0]
:RH-Firewall-eth3-INPUT - [0:0]
:RH-Firewall-eth4-INPUT - [0:0]
:RH-Firewall-eth5-INPUT - [0:0]
:RH-Firewall-eth0-FORWARD - [0:0]
:RH-Firewall-eth1-FORWARD - [0:0]
:RH-Firewall-eth2-FORWARD - [0:0]
:RH-Firewall-eth3-FORWARD - [0:0]
:RH-Firewall-eth4-FORWARD - [0:0]
:RH-Firewall-eth5-FORWARD - [0:0]
:RH-Firewall-eth0-OUTPUT - [0:0]
:RH-Firewall-eth1-OUTPUT - [0:0]
:RH-Firewall-eth2-OUTPUT - [0:0]
:RH-Firewall-eth3-OUTPUT - [0:0]
:RH-Firewall-eth4-OUTPUT - [0:0]
:RH-Firewall-eth5-OUTPUT - [0:0]
-A INPUT -j RH-Firewall-eth0-INPUT
-A INPUT -i eth0 -p icmp -j LOG --log-level 7
#-A INPUT -i eth0 -p tcp -j LOGDROP
#-A INPUT -i eth0 -p udp -j LOGDROP
-A INPUT -j RH-Firewall-eth1-INPUT
-A INPUT -i eth1 -p icmp -j LOG --log-level 7
#-A INPUT -i eth1 -p tcp -j LOGDROP
#-A INPUT -i eth1 -p udp -j LOGDROP
-A INPUT -j RH-Firewall-eth2-INPUT
-A INPUT -i eth2 -p icmp -j LOG --log-level 7
#-A INPUT -i eth2 -p tcp -j LOGDROP
#-A INPUT -i eth2 -p udp -j LOGDROP
-A INPUT -j RH-Firewall-eth3-INPUT
-A INPUT -i eth3 -p icmp -j LOG --log-level 7
#-A INPUT -i eth3 -p tcp -j LOGDROP
#-A INPUT -i eth3 -p udp -j LOGDROP
-A INPUT -j RH-Firewall-eth4-INPUT
-A INPUT -i eth4 -p icmp -j LOG --log-level 7
#-A INPUT -i eth4 -p tcp -j LOGDROP
#-A INPUT -i eth4 -p udp -j LOGDROP
-A INPUT -j RH-Firewall-eth5-INPUT
-A INPUT -i eth5 -p icmp -j LOG --log-level 7
#-A INPUT -i eth5 -p tcp -j LOGDROP
#-A INPUT -i eth5 -p udp -j LOGDROP
-A FORWARD -j RH-Firewall-eth0-FORWARD
-A FORWARD -j RH-Firewall-eth1-FORWARD
-A FORWARD -j RH-Firewall-eth2-FORWARD
-A FORWARD -j RH-Firewall-eth3-FORWARD
-A FORWARD -j RH-Firewall-eth4-FORWARD
-A FORWARD -j RH-Firewall-eth5-FORWARD
###
-A RH-Firewall-eth0-INPUT -i lo -j ACCEPT
-A RH-Firewall-eth1-INPUT -i lo -j ACCEPT
-A RH-Firewall-eth2-INPUT -i lo -j ACCEPT
-A RH-Firewall-eth3-INPUT -i lo -j ACCEPT
-A RH-Firewall-eth4-INPUT -i lo -j ACCEPT
-A RH-Firewall-eth5-INPUT -i lo -j ACCEPT
-A RH-Firewall-eth0-INPUT -i eth0 -m set --match-set OG_BOGONS src -j LOG --log-prefix " [ DROP BOGONS INPUT ETH0 ] "
-A RH-Firewall-eth0-INPUT -i eth0 -m set --match-set OG_BOGONS src -j DROP
#-A RH-Firewall-eth1-INPUT -i eth1 -m set --match-set OG_BOGONS src -m set --match-set OG_LOOPBACK dst -j ACCEPT
#-A RH-Firewall-eth1-INPUT -i eth1 -m set --match-set OG_BOGONS src -j ACCEPT
#-A RH-Firewall-eth1-INPUT -i eth1 -m set --match-set OG_BOGONS src -j LOG --log-prefix " [ DROP BOGONS INPUT ETH1 ] "
#-A RH-Firewall-eth1-INPUT -i eth1 -m set --match-set OG_BOGONS src -j DROP
-A RH-Firewall-eth0-INPUT -i eth0 -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-eth1-INPUT -i eth1 -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-eth2-INPUT -i eth2 -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-eth3-INPUT -i eth3 -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-eth4-INPUT -i eth4 -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-eth5-INPUT -i eth5 -p icmp -m icmp --icmp-type any -j ACCEPT
###
###
-A RH-Firewall-eth0-INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-eth1-INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-eth2-INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-eth3-INPUT -i eth3 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-eth4-INPUT -i eth4 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-eth5-INPUT -i eth5 -m state --state RELATED,ESTABLISHED -j ACCEPT
#-A RH-Firewall-eth0-INPUT -i eth0 -m set --match-set OG_MANAGEMENT src -p TCP --destination-port 22 -j ACCEPT
-A RH-Firewall-eth0-INPUT -i eth0 -s 0.0.0.0/0 -j LOG --log-prefix " [ DROP DEFAULT INPUT ETH0 ] "
-A RH-Firewall-eth0-INPUT -i eth0 -s 0.0.0.0/0 -j DROP
#-A RH-Firewall-eth0-INPUT -s 0.0.0.0/0 -j ACCEPT
-A RH-Firewall-eth1-INPUT -i eth1 -m set --match-set OG_MANAGEMENT src -p TCP --destination-port 22 -j ACCEPT
-A RH-Firewall-eth1-INPUT -i eth1 -m set --match-set OG_IPSEC src -p UDP --destination-port 500 -j ACCEPT
-A RH-Firewall-eth1-INPUT -i eth1 -m set --match-set OG_IPSEC src -p UDP --destination-port 4500 -j ACCEPT
-A RH-Firewall-eth1-INPUT -i eth1 -m set --match-set OG_ZABBIX_AGENT src -p TCP --destination-port 10050 -j ACCEPT
-A RH-Firewall-eth1-INPUT -i eth1 -s 0.0.0.0/0 -j LOG --log-prefix " [ DROP DEFAULT INPUT ETH1 ] "
-A RH-Firewall-eth1-INPUT -i eth1 -s 0.0.0.0/0 -j DROP
-A RH-Firewall-eth2-INPUT -i eth2 -s 0.0.0.0/0 -j LOG --log-prefix " [ DROP DEFAULT INPUT ETH2 ] "
-A RH-Firewall-eth2-INPUT -i eth2 -s 0.0.0.0/0 -j DROP
-A RH-Firewall-eth3-INPUT -i eth3 -s 0.0.0.0/0 -j LOG --log-prefix " [ DROP DEFAULT INPUT ETH3 ] "
-A RH-Firewall-eth3-INPUT -i eth3 -s 0.0.0.0/0 -j DROP
-A RH-Firewall-eth4-INPUT -i eth4 -s 0.0.0.0/0 -j LOG --log-prefix " [ DROP DEFAULT INPUT ETH4 ] "
-A RH-Firewall-eth4-INPUT -i eth4 -s 0.0.0.0/0 -j DROP
-A RH-Firewall-eth5-INPUT -i eth5 -s 0.0.0.0/0 -j LOG --log-prefix " [ DROP DEFAULT INPUT ETH5 ] "
-A RH-Firewall-eth5-INPUT -i eth5 -s 0.0.0.0/0 -j DROP
###
-A RH-Firewall-eth0-FORWARD -i eth0 -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-eth0-FORWARD -i eth0 -s 0.0.0.0/0 -j LOG --log-prefix " [ FORWARD ETH0 ] "
-A RH-Firewall-eth0-FORWARD -i eth0 -s 0.0.0.0/0 -j ACCEPT
#-A RH-Firewall-eth1-FORWARD -m set --set OG_ADMINS src -m set --set OG_OPENSTACK_GW2 dst -j ACCEPT
#-A RH-Firewall-eth1-FORWARD -s 0.0.0.0/0 -j LOG
-A RH-Firewall-eth1-FORWARD -i eth1 -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-eth1-FORWARD -i eth1 -s 0.0.0.0/0 -j ACCEPT
-A RH-Firewall-eth2-FORWARD -i eth2 -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-eth2-FORWARD -i eth2 -m set --match-set OG_MANAGEMENT src -j ACCEPT
-A RH-Firewall-eth2-FORWARD -i eth2 -m set --match-set OG_ZABBIX_AGENT src -j ACCEPT
-A RH-Firewall-eth2-FORWARD -i eth2 -m state --state RELATED,ESTABLISHED -m set --match-set OG_OPENSTACK_PROJECT_DEVEL src -m set --match-set OG_ADMINS dst -j ACCEPT
-A RH-Firewall-eth2-FORWARD -i eth2 -m set --match-set OG_OPENSTACK_PROJECT_DEVEL src -m set --match-set OG_DEVELOPERS dst -j ACCEPT
## ADM-5960
-A RH-Firewall-eth2-FORWARD -i eth2 -m set --match-set OG_OPENSTACK_PROJECT_DEVEL src -m set --match-set OG_OPENSTACK_AD dst -j ACCEPT
##
-A RH-Firewall-eth2-FORWARD -i eth2 -m set --match-set OG_OPENSTACK_PROJECT_DEVEL src -m set --match-set OG_BOGONS dst -j DROP
#-A RH-Firewall-eth2-FORWARD -i eth2 -s 0.0.0.0/0 -j LOG --log-prefix " [ DROP DEFAULT FORWARD ETH2 ] "
-A RH-Firewall-eth2-FORWARD -i eth2 -s 0.0.0.0/0 -j ACCEPT
-A RH-Firewall-eth3-FORWARD -i eth3 -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-eth3-FORWARD -i eth3 -m state --state RELATED,ESTABLISHED -m set --match-set OG_OPENSTACK_PROJECT_STAGE src -m set --match-set OG_ADMINS dst -j ACCEPT
## ADM-5960
-A RH-Firewall-eth3-FORWARD -i eth3 -m set --match-set OG_OPENSTACK_PROJECT_STAGE src -m set --match-set OG_OPENSTACK_AD dst -j ACCEPT
##
-A RH-Firewall-eth3-FORWARD -i eth3 -m set --match-set OG_OPENSTACK_PROJECT_STAGE src -m set --match-set OG_BOGONS dst -j DROP
#-A RH-Firewall-eth3-FORWARD -i eth3 -s 0.0.0.0/0 -j LOG --log-prefix " [ DROP DEFAULT FORWARD ETH3 ] "
-A RH-Firewall-eth3-FORWARD -i eth3 -s 0.0.0.0/0 -j ACCEPT
-A RH-Firewall-eth4-FORWARD -i eth4 -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-eth4-FORWARD -i eth4 -m state --state RELATED,ESTABLISHED -m set --match-set OG_OPENSTACK_PROJECT_SYSADM src -m set --match-set OG_ADMINS dst -j ACCEPT
## ADM-5960
-A RH-Firewall-eth4-FORWARD -i eth4 -m set --match-set OG_OPENSTACK_AD src -m set --match-set OG_OPENSTACK_PROJECT_DEVEL dst -j ACCEPT
-A RH-Firewall-eth4-FORWARD -i eth4 -m set --match-set OG_OPENSTACK_AD src -m set --match-set OG_OPENSTACK_PROJECT_STAGE dst -j ACCEPT
-A RH-Firewall-eth4-FORWARD -i eth4 -m set --match-set OG_OPENSTACK_AD src -m set --match-set OG_OPENSTACK_PROJECT_TEST dst -j ACCEPT
-A RH-Firewall-eth4-FORWARD -i eth4 -m set --match-set OG_OPENSTACK_AD src -m set --match-set OG_ALL_AD dst -j ACCEPT
##
-A RH-Firewall-eth4-FORWARD -i eth4 -m set --match-set OG_OPENSTACK_PROJECT_SYSADM src -m set --match-set OG_BOGONS dst -j DROP
#-A RH-Firewall-eth4-FORWARD -i eth4 -s 0.0.0.0/0 -j LOG --log-prefix " [ DROP DEFAULT FORWARD ETH4 ] "
-A RH-Firewall-eth4-FORWARD -i eth4 -s 0.0.0.0/0 -j ACCEPT
-A RH-Firewall-eth5-FORWARD -i eth5 -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-eth5-FORWARD -i eth5 -m state --state RELATED,ESTABLISHED -m set --match-set OG_OPENSTACK_PROJECT_TEST src -m set --match-set OG_ADMINS dst -j ACCEPT
## ADM-5960
-A RH-Firewall-eth5-FORWARD -i eth5 -m set --match-set OG_OPENSTACK_PROJECT_TEST src -m set --match-set OG_OPENSTACK_AD dst -j ACCEPT
##
-A RH-Firewall-eth5-FORWARD -i eth5 -m set --match-set OG_OPENSTACK_PROJECT_TEST src -m set --match-set OG_BOGONS dst -j DROP
#-A RH-Firewall-eth5-FORWARD -i eth5 -s 0.0.0.0/0 -j DROP
#-A RH-Firewall-eth4-FORWARD -i eth5 -s 0.0.0.0/0 -j LOG --log-prefix " [ DROP DEFAULT FORWARD ETH5 ] "
-A RH-Firewall-eth5-FORWARD -i eth5 -s 0.0.0.0/0 -j ACCEPT
-A RH-Firewall-eth0-OUTPUT -i eth0 -s 0.0.0.0/0 -j ACCEPT
-A RH-Firewall-eth1-OUTPUT -i eth1 -s 0.0.0.0/0 -j ACCEPT
-A RH-Firewall-eth2-OUTPUT -i eth2 -s 0.0.0.0/0 -j ACCEPT
-A RH-Firewall-eth3-OUTPUT -i eth3 -s 0.0.0.0/0 -j ACCEPT
-A RH-Firewall-eth4-OUTPUT -i eth4 -s 0.0.0.0/0 -j ACCEPT
-A RH-Firewall-eth5-OUTPUT -i eth5 -s 0.0.0.0/0 -j ACCEPT
COMMIT
# Completed on Thu Jun 8 12:18:50 2017
# Generated by iptables-save v1.4.21 on Thu Jun 8 12:18:50 2017
*mangle
:PREROUTING ACCEPT [206211:132359849]
:INPUT ACCEPT [79423:66362970]
:FORWARD ACCEPT [112502:65311151]
:OUTPUT ACCEPT [52775:6978709]
:POSTROUTING ACCEPT [165277:72289860]
COMMIT
# Completed on Thu Jun 8 12:18:50 2017