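# Generated by iptables-save v1.4.7 on Thu Oct 9 15:25:19 2014
#
# Review notes (comment lines are ignored by iptables-restore):
#  - Every INPUT rule below used "-m multiport --ports N". --ports matches
#    when EITHER the source OR the destination port is in the list, so an
#    inbound packet whose source port happened to be 22, 8000, 873, 53, ...
#    matched an early ACCEPT and never reached the "*_block_ext" REJECT rules
#    (012, 015, 022, 042). The intent of those rules is destination-port
#    filtering, so every --ports has been changed to --dports. No other
#    rule text was changed.
#  - INPUT/FORWARD policy is ACCEPT. The final "999 iptables denied" rule
#    only LOGs; nothing is dropped by it. There is also no explicit "-i lo"
#    accept rule, so loopback traffic relies on the ACCEPT policy -- keep
#    that in mind if the policy is ever tightened.
#  - nat PREROUTING runs before filter: traffic to 10.20.203.2 or 127.0.0.1
#    on the DNAT'd ports (5432, 4369/5672/15672/61613, 8777, ...) is
#    redirected into containers and traverses FORWARD, not INPUT, so the
#    INPUT REJECT rules only apply to packets arriving for other local
#    addresses.
*mangle
:PREROUTING ACCEPT [1184525:854838322]
:INPUT ACCEPT [240:48616]
:FORWARD ACCEPT [1184284:854788294]
:OUTPUT ACCEPT [200:34067]
:POSTROUTING ACCEPT [1184484:854822361]
COMMIT
# Completed on Thu Oct 9 15:25:19 2014
# Generated by iptables-save v1.4.7 on Thu Oct 9 15:25:19 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [200:34067]
# --- INPUT: host services ---------------------------------------------------
# Replies to established flows are accepted first; every rule below is for
# new inbound packets only.
-A INPUT -m comment --comment "002 accept related established rules" -m state --state RELATED,ESTABLISHED -j ACCEPT
# SSH is accepted on every interface.
-A INPUT -p tcp -m multiport --dports 22 -m comment --comment "005 ssh" -j ACCEPT
# NTP normally uses UDP/123 only; the TCP/123 rule ("006") looks unneeded -- verify.
-A INPUT -i eth0 -p tcp -m multiport --dports 123 -m comment --comment "006 ntp" -j ACCEPT
-A INPUT -i eth0 -p udp -m multiport --dports 123 -m comment --comment "007 ntp_udp" -j ACCEPT
-A INPUT -p udp -m multiport --dports 162 -m comment --comment "008 snmp" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8000 -m comment --comment "009 nailgun_web" -j ACCEPT
# Internal-service pattern (010-012, 013-015, 020-022, 040-042): accept from
# the container bridge and from the host itself, then REJECT everything else.
# Order matters -- the REJECT must stay after its two ACCEPTs.
-A INPUT -i docker0 -p tcp -m multiport --dports 8001 -m comment --comment "010 nailgun_internal" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8001 -m addrtype --src-type LOCAL -m comment --comment "011 nailgun_internal_local" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8001 -m comment --comment "012 nailgun_internal_block_ext" -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m multiport --dports 5432 -m addrtype --src-type LOCAL -m comment --comment "013 postgres_local" -j ACCEPT
-A INPUT -i docker0 -p tcp -m multiport --dports 5432 -m comment --comment "014 postgres" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5432 -m comment --comment "015 postgres_block_ext" -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m multiport --dports 8777 -m comment --comment "020 ostf_admin" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8777 -m addrtype --src-type LOCAL -m comment --comment "021 ostf_local" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8777 -m comment --comment "022 ostf_block_ext" -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m multiport --dports 873 -m comment --comment "023 rsync" -j ACCEPT
# "024 rsyslog" matches TCP/873 (the rsync port) and is already covered by
# 023; the label suggests a configuration slip -- verify against the source config.
-A INPUT -i eth0 -p tcp -m multiport --dports 873 -m comment --comment "024 rsyslog" -j ACCEPT
-A INPUT -i eth0 -p tcp -m multiport --dports 4369,5672,15672,61613 -m comment --comment "040 rabbitmq_admin" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 4369,5672,15672,61613 -m addrtype --src-type LOCAL -m comment --comment "041 rabbitmq_local" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 4369,5672,15672,61613 -m comment --comment "042 rabbitmq_block_ext" -j REJECT --reject-with icmp-port-unreachable
# Provisioning services (DNS, DHCP, TFTP, proxy, cobbler web) are open on all interfaces.
-A INPUT -p tcp -m multiport --dports 53 -m comment --comment "101 dns_tcp" -j ACCEPT
-A INPUT -p udp -m multiport --dports 53 -m comment --comment "102 dns_udp" -j ACCEPT
-A INPUT -p udp -m multiport --dports 67,68 -m comment --comment "103 dhcp" -j ACCEPT
-A INPUT -p udp -m multiport --dports 69 -m comment --comment "104 tftp" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 3128 -m comment --comment "110 squidproxy" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m comment --comment "111 cobbler_web" -j ACCEPT
# Logs (rate-limited, debug level) TCP packets not matched above. With the
# INPUT policy at ACCEPT this is informational only: the packet is still accepted.
-A INPUT -p tcp -m comment --comment "999 iptables denied" -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# --- FORWARD: published container ports -------------------------------------
# Per-container accepts from any non-bridge interface. Docker emits one rule
# per published host address, which is why most lines appear twice.
# 80/443 (172.17.0.11), 5000/35357 (172.17.0.4) have a single rule each,
# matching the DNAT entries below that carry no -d restriction.
-A FORWARD -d 172.17.0.11/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 172.17.0.11/32 ! -i docker0 -o docker0 -p udp -m udp --dport 69 -j ACCEPT
-A FORWARD -d 172.17.0.11/32 ! -i docker0 -o docker0 -p udp -m udp --dport 69 -j ACCEPT
-A FORWARD -d 172.17.0.11/32 ! -i docker0 -o docker0 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -d 172.17.0.11/32 ! -i docker0 -o docker0 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -d 172.17.0.11/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -d 172.17.0.9/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8777 -j ACCEPT
-A FORWARD -d 172.17.0.9/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8777 -j ACCEPT
-A FORWARD -d 172.17.0.7/32 ! -i docker0 -o docker0 -p udp -m udp --dport 514 -j ACCEPT
-A FORWARD -d 172.17.0.7/32 ! -i docker0 -o docker0 -p udp -m udp --dport 514 -j ACCEPT
-A FORWARD -d 172.17.0.7/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 514 -j ACCEPT
-A FORWARD -d 172.17.0.7/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 514 -j ACCEPT
-A FORWARD -d 172.17.0.7/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 25150 -j ACCEPT
-A FORWARD -d 172.17.0.7/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 25150 -j ACCEPT
-A FORWARD -d 172.17.0.5/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 873 -j ACCEPT
-A FORWARD -d 172.17.0.5/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 873 -j ACCEPT
-A FORWARD -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 5000 -j ACCEPT
-A FORWARD -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 35357 -j ACCEPT
-A FORWARD -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 61613 -j ACCEPT
-A FORWARD -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 61613 -j ACCEPT
-A FORWARD -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 5672 -j ACCEPT
-A FORWARD -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 5672 -j ACCEPT
-A FORWARD -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 4369 -j ACCEPT
-A FORWARD -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 4369 -j ACCEPT
-A FORWARD -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 15672 -j ACCEPT
-A FORWARD -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 15672 -j ACCEPT
-A FORWARD -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 5432 -j ACCEPT
-A FORWARD -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 5432 -j ACCEPT
# Standard bridge rules: return traffic into containers, anything out of the
# bridge, and container-to-container.
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
# New syslog flows from eth0 into the bridge (these use -m state, the rest of
# FORWARD uses -m conntrack; both are accepted by this iptables version).
-A FORWARD -i eth0 -o docker0 -p tcp -m state --state NEW -m tcp --dport 514 -m comment --comment "rsyslog-tcp-514-accept" -j ACCEPT
-A FORWARD -i eth0 -o docker0 -p udp -m state --state NEW -m udp --dport 514 -m comment --comment "rsyslog-udp-514-accept" -j ACCEPT
COMMIT
# Completed on Thu Oct 9 15:25:19 2014
# Generated by iptables-save v1.4.7 on Thu Oct 9 15:25:19 2014
*nat
:PREROUTING ACCEPT [17:1663]
:POSTROUTING ACCEPT [3:228]
:OUTPUT ACCEPT [4:654]
:DOCKER - [0:0]
# Packets addressed to a local address are handed to the DOCKER chain for DNAT.
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
# Syslog from the admin network is exempted from masquerading so the
# container sees the real sender address; ACCEPT here ends POSTROUTING
# processing before the MASQUERADE rules.
-A POSTROUTING -s 10.20.203.0/24 -p udp -m udp --dport 514 -m comment --comment "rsyslog-udp-514-unmasquerade" -j ACCEPT
-A POSTROUTING -s 10.20.203.0/24 -p tcp -m tcp --dport 514 -m comment --comment "rsyslog-tcp-514-unmasquerade" -j ACCEPT
# Only TCP from the admin network is masqueraded out of eth*; UDP/ICMP from
# 10.20.203.0/24 is not covered by this rule.
-A POSTROUTING -s 10.20.203.0/24 -o eth+ -p tcp -m comment --comment "004 forward_admin_net" -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE
-A POSTROUTING -o docker0 -j MASQUERADE
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
# DNAT map: most published ports are bound to 10.20.203.2 and 127.0.0.1.
# 35357, 5000, 443 and 80 carry no -d match and therefore apply to every
# local destination address, i.e. every interface of the host.
-A DOCKER -d 10.20.203.2/32 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.2:5432
-A DOCKER -d 127.0.0.1/32 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.2:5432
-A DOCKER -d 10.20.203.2/32 -p tcp -m tcp --dport 15672 -j DNAT --to-destination 172.17.0.3:15672
-A DOCKER -d 127.0.0.1/32 -p tcp -m tcp --dport 15672 -j DNAT --to-destination 172.17.0.3:15672
-A DOCKER -d 10.20.203.2/32 -p tcp -m tcp --dport 4369 -j DNAT --to-destination 172.17.0.3:4369
-A DOCKER -d 127.0.0.1/32 -p tcp -m tcp --dport 4369 -j DNAT --to-destination 172.17.0.3:4369
-A DOCKER -d 10.20.203.2/32 -p tcp -m tcp --dport 5672 -j DNAT --to-destination 172.17.0.3:5672
-A DOCKER -d 127.0.0.1/32 -p tcp -m tcp --dport 5672 -j DNAT --to-destination 172.17.0.3:5672
-A DOCKER -d 10.20.203.2/32 -p tcp -m tcp --dport 61613 -j DNAT --to-destination 172.17.0.3:61613
-A DOCKER -d 127.0.0.1/32 -p tcp -m tcp --dport 61613 -j DNAT --to-destination 172.17.0.3:61613
-A DOCKER -p tcp -m tcp --dport 35357 -j DNAT --to-destination 172.17.0.4:35357
-A DOCKER -p tcp -m tcp --dport 5000 -j DNAT --to-destination 172.17.0.4:5000
-A DOCKER -d 10.20.203.2/32 -p tcp -m tcp --dport 873 -j DNAT --to-destination 172.17.0.5:873
-A DOCKER -d 127.0.0.1/32 -p tcp -m tcp --dport 873 -j DNAT --to-destination 172.17.0.5:873
-A DOCKER -d 10.20.203.2/32 -p tcp -m tcp --dport 25150 -j DNAT --to-destination 172.17.0.7:25150
-A DOCKER -d 127.0.0.1/32 -p tcp -m tcp --dport 25150 -j DNAT --to-destination 172.17.0.7:25150
-A DOCKER -d 10.20.203.2/32 -p tcp -m tcp --dport 514 -j DNAT --to-destination 172.17.0.7:514
-A DOCKER -d 127.0.0.1/32 -p tcp -m tcp --dport 514 -j DNAT --to-destination 172.17.0.7:514
-A DOCKER -d 10.20.203.2/32 -p udp -m udp --dport 514 -j DNAT --to-destination 172.17.0.7:514
-A DOCKER -d 127.0.0.1/32 -p udp -m udp --dport 514 -j DNAT --to-destination 172.17.0.7:514
-A DOCKER -d 10.20.203.2/32 -p tcp -m tcp --dport 8777 -j DNAT --to-destination 172.17.0.9:8777
-A DOCKER -d 127.0.0.1/32 -p tcp -m tcp --dport 8777 -j DNAT --to-destination 172.17.0.9:8777
-A DOCKER -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.17.0.11:443
-A DOCKER -d 10.20.203.2/32 -p udp -m udp --dport 53 -j DNAT --to-destination 172.17.0.11:53
-A DOCKER -d 127.0.0.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 172.17.0.11:53
-A DOCKER -d 10.20.203.2/32 -p udp -m udp --dport 69 -j DNAT --to-destination 172.17.0.11:69
-A DOCKER -d 127.0.0.1/32 -p udp -m udp --dport 69 -j DNAT --to-destination 172.17.0.11:69
-A DOCKER -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.0.11:80
COMMIT
# Completed on Thu Oct 9 15:25:19 2014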