Changes between Version 37 and Version 38 of SystemAdministration/Hosts/idp1-clarin.esc.rzg.mpg.de


Timestamp:
04/03/17 08:10:01 (7 years ago)
Author:
Willem Elbers
Comment:

--

  • SystemAdministration/Hosts/idp1-clarin.esc.rzg.mpg.de

    v37 v38  
    3030Managed by sysops.
    3131
    32 <TODO: describe>
     32Iptable configuration:
    3333
     34{{{
     35# Generated by iptables-save v1.4.21 on Mon Apr  3 09:46:42 2017
     36*nat
     37:PREROUTING ACCEPT [817555:52862503]
     38:INPUT ACCEPT [3511:681602]
     39:OUTPUT ACCEPT [3037:216840]
     40:POSTROUTING ACCEPT [71166:4304532]
     41:DOCKER - [0:0]
     42-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
     43-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
     44-A POSTROUTING -s 172.17.42.0/24 ! -o docker0 -j MASQUERADE
     45-A POSTROUTING -s 172.17.42.3/32 -d 172.17.42.3/32 -p tcp -m tcp --dport 8443 -j MASQUERADE
     46-A POSTROUTING -s 172.17.42.2/32 -d 172.17.42.2/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
     47-A POSTROUTING -s 172.17.42.3/32 -d 172.17.42.3/32 -p tcp -m tcp --dport 8443 -j MASQUERADE
     48-A POSTROUTING -s 172.17.42.3/32 -d 172.17.42.3/32 -p tcp -m tcp --dport 8443 -j MASQUERADE
     49-A POSTROUTING -s 172.17.42.4/32 -d 172.17.42.4/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
     50-A POSTROUTING -s 172.17.42.3/32 -d 172.17.42.3/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
     51-A POSTROUTING -s 172.17.42.4/32 -d 172.17.42.4/32 -p tcp -m tcp --dport 8443 -j MASQUERADE
     52-A POSTROUTING -s 172.17.42.4/32 -d 172.17.42.4/32 -p tcp -m tcp --dport 8443 -j MASQUERADE
     53-A POSTROUTING -s 172.17.42.2/32 -d 172.17.42.2/32 -p tcp -m tcp --dport 8443 -j MASQUERADE
     54-A POSTROUTING -s 172.17.42.2/32 -d 172.17.42.2/32 -p tcp -m tcp --dport 8443 -j MASQUERADE
     55-A POSTROUTING -s 172.17.42.2/32 -d 172.17.42.2/32 -p tcp -m tcp --dport 8443 -j MASQUERADE
     56-A POSTROUTING -s 172.17.42.5/32 -d 172.17.42.5/32 -p tcp -m tcp --dport 10000 -j MASQUERADE
     57-A POSTROUTING -s 172.17.42.5/32 -d 172.17.42.5/32 -p tcp -m tcp --dport 2443 -j MASQUERADE
     58-A DOCKER -d 172.17.42.1/32 ! -i docker0 -p tcp -m tcp --dport 8081 -j DNAT --to-destination 172.17.42.3:8080
     59-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8444 -j DNAT --to-destination 172.17.42.4:8443
     60-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 172.17.42.2:8443
     61-A DOCKER ! -i docker0 -p tcp -m tcp --dport 10000 -j DNAT --to-destination 172.17.42.5:10000
     62-A DOCKER ! -i docker0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.17.42.5:2443
     63COMMIT
     64# Completed on Mon Apr  3 09:46:42 2017
     65# Generated by iptables-save v1.4.21 on Mon Apr  3 09:46:42 2017
     66*filter
     67:INPUT ACCEPT [119:10421]
     68:FORWARD ACCEPT [0:0]
     69:OUTPUT ACCEPT [126:78492]
     70:DOCKER - [0:0]
     71-A FORWARD -o docker0 -j DOCKER
     72-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     73-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
     74-A FORWARD -i docker0 -o docker0 -j ACCEPT
     75-A DOCKER -s 37.97.184.230/32 -p tcp -m tcp --dport 10000 -j ACCEPT
     76-A DOCKER -s 37.97.154.156/32 -p tcp -m tcp --dport 10000 -j ACCEPT
     77-A DOCKER -s 192.87.79.165/32 -p tcp -m tcp --dport 10000 -j ACCEPT
     78-A DOCKER -p tcp -s 0.0.0.0/0 --dport 10000 -j DROP
     79-A DOCKER -d 172.17.42.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8443 -j ACCEPT
     80-A DOCKER -d 172.17.42.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
     81-A DOCKER -d 172.17.42.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8443 -j ACCEPT
     82-A DOCKER -d 172.17.42.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8443 -j ACCEPT
     83-A DOCKER -d 172.17.42.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
     84-A DOCKER -d 172.17.42.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
     85-A DOCKER -d 172.17.42.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8443 -j ACCEPT
     86-A DOCKER -d 172.17.42.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8443 -j ACCEPT
     87-A DOCKER -d 172.17.42.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8443 -j ACCEPT
     88-A DOCKER -d 172.17.42.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8443 -j ACCEPT
     89-A DOCKER -d 172.17.42.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8443 -j ACCEPT
     90-A DOCKER -d 172.17.42.5/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 10000 -j ACCEPT
     91-A DOCKER -d 172.17.42.5/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 2443 -j ACCEPT
     92COMMIT
     93# Completed on Mon Apr  3 09:46:42 2017
     94}}}
     95
     96Note that docker uses it's own DOCKER chain, this is where we add block or allow rules for specific container ports.
     97
     98Load iptable rules:
     99{{{
     100iptables-restore < iptables.new
     101}}}
    34102=== Virtual Hosts ===
    35103None
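Review bot: the port-10000 source whitelist in the filter DOCKER chain only works while the three `/32` ACCEPT rules and the catch-all `-A DOCKER -p tcp -s 0.0.0.0/0 --dport 10000 -j DROP` stay ahead of the generic `-A DOCKER -d 172.17.42.5/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 10000 -j ACCEPT`; since Docker rewrites the DOCKER chain when containers are (re)started, the page should state that the order has to be re-checked after a restart (e.g. `iptables -S DOCKER`) and what the three whitelisted addresses belong to. The DROP line also lacks the `-m tcp` that `iptables-save` emits for every other `--dport` rule, so the dump is hand-edited rather than a verbatim capture; say so, otherwise the next person will assume it reflects the live state. Both tables also carry repeated rules (the `172.17.42.3/32 ... --dport 8443` MASQUERADE appears three times, `172.17.42.2/32 ... --dport 8443` three times in both nat and filter), which are stale leftovers from container restarts and will all be recreated by `iptables-restore < iptables.new`; deduplicate before adopting this as the reference config. Two smaller points: the filter `INPUT` chain has policy ACCEPT and no rules, so nothing in this dump filters the host's own ports, which is worth noting next to "Managed by sysops"; and "docker uses it's own DOCKER chain" should read "its own".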