Comment 6 for bug 1870590

Elvinas (elvinas-3) wrote :

Hm... interesting point. Indeed, the worker nodes should not need to go through the gateway, since they are on the same subnet. However, it might be because my workstation is a training ground for various things: I also have Docker deployed on this host, as well as MaaS itself. As I do not have enough money to run a personal DC, I have to run an all-in-one solution. But I have some future ideas regarding one dark corner in my house — the 19" rack is already there. :D

Here is the iptables dump. Note: I cut out the long list of banned IP addresses that fail2ban inserted into the f2b-sshd chain (the elided entries are marked with `.....` below, so the listing is not meant to be fed back into iptables-restore as-is).

root@juodas:/home/bacila# iptables-save
# Generated by iptables-save v1.6.1 on Thu Apr 9 19:17:26 2020
# Reviewer annotations below. Rule order matters in iptables (first match in a
# chain wins), so the notes follow chain order rather than grouping by topic.
*mangle
:PREROUTING ACCEPT [84002114:41938433452]
:INPUT ACCEPT [28876446:22838428054]
:FORWARD ACCEPT [54283218:19050383319]
:OUTPUT ACCEPT [27677762:24122793349]
:POSTROUTING ACCEPT [82173660:43230321739]
# Fill the UDP checksum on DHCP replies (dport 68) leaving the host towards
# guests on virbr1 and virbr0. There is no matching rule for virbr2 in this
# dump; NOTE(review): whether that is deliberate cannot be told from the dump
# alone, but it is the one bridge treated differently here.
-A POSTROUTING -o virbr1 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Thu Apr 9 19:17:26 2020
# Generated by iptables-save v1.6.1 on Thu Apr 9 19:17:26 2020
*nat
:PREROUTING ACCEPT [493405:31870381]
:INPUT ACCEPT [81386:7674088]
:OUTPUT ACCEPT [295675:39671491]
:POSTROUTING ACCEPT [505514:52291054]
:DOCKER - [0:0]
# Docker's port-publishing hooks. The DOCKER nat chain at the end of this
# table holds only RETURN rules, i.e. no container publishes a port (no DNAT)
# at the time of this dump.
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
# NAT for the 192.168.101.0/24 guest network (paired with virbr2 in the filter
# table): multicast and limited broadcast are exempted, everything else that
# leaves the subnet is masqueraded behind the host's address.
-A POSTROUTING -s 192.168.101.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.101.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.101.0/24 ! -d 192.168.101.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.101.0/24 ! -d 192.168.101.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.101.0/24 ! -d 192.168.101.0/24 -j MASQUERADE
# Same NAT pattern for 192.168.123.0/24 (paired with virbr0 below).
-A POSTROUTING -s 192.168.123.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.123.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE
# Docker NAT for the default bridge (172.17.0.0/16 on docker0) and one
# user-defined network (172.18.0.0/16 on br-03ebb1003d68). Nothing is NATed
# for virbr1: that bridge has no address range in this table at all, which
# matches the fully isolated treatment it gets in the filter table.
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-03ebb1003d68 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-03ebb1003d68 -j RETURN
COMMIT
# Completed on Thu Apr 9 19:17:26 2020
# Generated by iptables-save v1.6.1 on Thu Apr 9 19:17:26 2020
*filter
# INPUT policy is ACCEPT and the chain itself contains no DROP/REJECT: apart
# from the temporary bans applied inside f2b-sshd, every service listening on
# this host (including MaaS, which the comment above says runs here) is
# reachable from every interface. The public addresses banned in f2b-sshd
# show that at least SSH is exposed to the internet, so the same exposure
# applies to any other listener. A default-deny INPUT policy with explicit
# allows per interface/port would be the usual hardening.
:INPUT ACCEPT [11946:5027672]
# FORWARD is default-deny; the rules below open it selectively.
:FORWARD DROP [0:0]
# OUTPUT policy is ACCEPT, which makes the three explicit OUTPUT allows at the
# end of the chain redundant in this ruleset.
:OUTPUT ACCEPT [11399:4530630]
# Filter-table DOCKER chain is declared but has no rules: no published ports.
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:f2b-sshd - [0:0]
# Let guests on each libvirt bridge reach the host's DNS (53) and DHCP (67).
-A INPUT -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr2 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr2 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr2 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr2 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
# Only SSH (22) passes through fail2ban. f2b-sshd RETURNs for any source that
# is not currently banned, after which the ACCEPT policy applies.
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
# virbr1 is an isolated network: only guest-to-guest traffic on the same
# bridge is forwarded; anything entering or leaving it is REJECTed.
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
# virbr2 / 192.168.101.0/24: replies back in, anything out. The second rule
# matches on source subnet + ingress interface only, so it also admits guest
# traffic bound for virbr0 (192.168.123.0/24) and for the Docker bridges, and
# it is evaluated before DOCKER-USER / DOCKER-ISOLATION further down, so
# Docker's own isolation never sees virbr2-originated packets. The reverse
# direction (a new connection from virbr0 or a Docker bridge into virbr2) is
# REJECTed by the "-o virbr2" rule below. Whether that asymmetry is intended
# depends on what runs on each network, which the dump does not show.
-A FORWARD -d 192.168.101.0/24 -o virbr2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.101.0/24 -i virbr2 -j ACCEPT
-A FORWARD -i virbr2 -o virbr2 -j ACCEPT
-A FORWARD -o virbr2 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr2 -j REJECT --reject-with icmp-port-unreachable
# virbr0 / 192.168.123.0/24: same shape as virbr2. Its source-based ACCEPT also
# precedes the Docker chains, so virbr0 guests can initiate to the Docker
# bridges as well; new connections from virbr0 towards virbr2, however, are
# already REJECTed by the "-o virbr2" rule above.
-A FORWARD -d 192.168.123.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.123.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
# Docker's FORWARD rules sit after libvirt's. DOCKER-USER is empty (RETURN
# only); it is the chain Docker leaves for administrator rules and the place
# to put any restriction on container forwarding, since Docker rewrites the
# other DOCKER-* chains itself. NOTE(review): both libvirt and Docker manage
# their FORWARD rules independently, so the relative order seen here is not
# guaranteed to survive a restart of either daemon; that is inferred from how
# the two daemons work, not visible in this dump.
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
# docker0: established replies in, published ports via DOCKER (empty here),
# and unrestricted egress from containers to any non-docker0 interface.
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
# br-03ebb1003d68: same pattern as docker0.
-A FORWARD -o br-03ebb1003d68 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-03ebb1003d68 -j DOCKER
-A FORWARD -i br-03ebb1003d68 ! -o br-03ebb1003d68 -j ACCEPT
-A FORWARD -i br-03ebb1003d68 -o br-03ebb1003d68 -j ACCEPT
# Host-originated DHCP client traffic onto the bridges; redundant while the
# OUTPUT policy is ACCEPT.
-A OUTPUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -o virbr2 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
# Docker inter-bridge isolation: traffic leaving one Docker bridge for the
# other Docker bridge is DROPped. This only covers docker0 <-> br-03ebb1003d68;
# it says nothing about the libvirt bridges (see the virbr2/virbr0 notes).
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-03ebb1003d68 ! -o br-03ebb1003d68 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-03ebb1003d68 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
# fail2ban bans: each banned source gets an ICMP port-unreachable REJECT,
# which acknowledges that the host is up (DROP would be silent). The list was
# truncated by the comment author; the "....." line is a placeholder, not
# valid iptables-restore syntax.
-A f2b-sshd -s 111.229.101.220/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 35.185.145.238/32 -j REJECT --reject-with icmp-port-unreachable
.....
-A f2b-sshd -s 142.93.239.197/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
COMMIT
# Completed on Thu Apr 9 19:17:26 2020