Bitbull Tech Notes - home of free minds ...

OpenWRT Parental control WLAN Router

Recently I had to find a secure WLAN solution for disabled kids.

 

Keypoints:

  • Kids get WLAN on their own devices
  • Kids get LAN for own devices (Workstations/Playstations, ...)
  • Internet Access should be as secure as possible
  • WLAN needs time based scheduling (Web configurator)
  • Restrict WAN Access to ports: 80,443,8080,8443 + 587,110,143,993,995
  • Restrict internet site access:
    • No porn
    • No violence
    • Secure Google search
    • Restricted Youtube
    • No proxy sites

 

Solution:

  • Buy TP-Link TL-WR1043ND, power on
  • Connect PC to LAN port and set manual IP: 192.168.0.100/24
    Log into the Router: admin/admin
    http://192.168.0.1
  • upload Firmware: wr1043nd.bin (the original file name is too long -> rename it)
    Get Firmware here
    System > Firmware Upgrade > Upload
  • Router reboots; reconnect the PC to the LAN port
    PC gets IP in range: 192.168.1.0/24
  • Log into OpenWRT Luci: root/"no pw"
    http://192.168.1.1
  • Restore KidsNet Router config:
    Backup-KidsNet-2017-02-02.tar.gz
  • Router reboots; reconnect the PC to the LAN port
    PC gets IP in range: 192.168.77.0/24
  • Log into OpenWRT Luci: root/toor
    http://192.168.77.1
  • WLAN: KidsNet
    PW: SecureNet

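The router configuration is now restored. The restored backup still uses the root password and WLAN key shown above, so finish with these steps: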

  • Change Password
  • Change WLAN SSID and PW
  • Modify Wifi scheduling

 

Want to know how it works?
Examine Backup or see install draft below:

####################################################################################                                                                                                  
# PROJEKT: openwrt-parental                                                                                                                                                                                              
# VERSION: 20170201                                                                                                                                                                                                      
####################################################################################                                                                                                                                     
DESCRIPTION:                                                                                                                                                                                                             
----------------------                                                                                                                                                                                                   
HW: TP-Link TL-WR1043ND                                                                                                                                                                                                  
OS: OpenWrt Chaos Calmer 15.05                                                                                                                                                                                           
DESC: Parental Control Router                                                                                                                                                                                            
                                                                                                                                                                                                                         
IMPORTANT NOTES:                                                                                                                                                                                                         
------------------------------                                                                                                                                                                                           
mv openwrt-15.05.1-ar71xx-generic-tl-wr1043nd-v2-squashfs-factory.bin wr1043nd.bin                                                                                                                                       

ifconfig eth0 192.168.0.100 netmask 255.255.255.0
http://192.168.0.1
user: admin
pw: admin
System > Firmware Upgrade > Upload wr1043nd.bin

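# First login after flashing: the router is reached over telnet and root has
# no password yet (see the "root/no pw" step above), so passwd comes first.
telnet 192.168.1.1
passwd # set new root password

# Move the LAN to its own static subnet.
uci set network.lan.proto=static
uci set network.lan.ipaddr=192.168.77.1
uci set network.lan.netmask=255.255.255.0

# Ignore the DNS servers offered by the upstream (peerdns=0) and use the two
# filtering resolvers that the dnsmasq config further down also lists.
# Both lines need "uci set": without it the shell treats them as unknown
# commands and the WAN DNS override is never stored.
uci set network.wan.peerdns=0
uci set network.wan.dns='208.67.220.123 208.67.222.123'

uci commit network
reboot
# After the reboot the router answers on the new LAN address; log in with ssh.
ssh -lroot 192.168.77.1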

# --------------------------------------------------------------------------------------------------------------------
# Replace the dnsmasq/DHCP UCI config, keeping the original as dhcp.orig.
# - 'list server' points dnsmasq at the same two resolvers set on the WAN above.
# - DHCP on 'lan': 12h leases, pool starts at offset 20 and holds at most 50
#   addresses.
# NOTE(review): rebind_protection '0' switches off dnsmasq's DNS-rebind
# protection. Nothing visible in this draft requires it to be off - confirm,
# and prefer '1' unless a needed name stops resolving with it.
# The heredoc delimiter is unquoted; the payload holds no $ or backticks, so
# it is written to the file literally.
cp /etc/config/dhcp /etc/config/dhcp.orig
cat > /etc/config/dhcp << EOF
config dnsmasq
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option rebind_protection '0'
list server '208.67.222.123'
list server '208.67.220.123'
option local '/lan/'
option domain 'lan'
option authoritative '1'
option logqueries '0'

config dhcp 'lan'
option interface 'lan'
option leasetime '12h'
option start '20'
option limit '50'
option force '1'
#option dhcp_option '3,192.168.77.1' #default route
EOF

# --------------------------------------------------------------------------------------------------------------------
# Replace the firewall UCI config, keeping the original as firewall.orig.
# What the payload sets up:
# - zones 'lan' and 'wan' (wan is masqueraded, input from wan is rejected);
# - from wan only DHCP renew (udp/68) and ICMP echo-request are accepted;
# - lan -> wan TCP to 80/8080/443/8443 (web) and 587/110/143/993/995 (mail)
#   is accepted, followed by a catch-all 'deny any' REJECT for lan -> wan.
# NOTE(review): 'deny any' carries no 'option proto'. fw3 assumes TCP+UDP for
# a rule without a protocol, so other protocols (e.g. ICMP) presumably still
# leave through the lan -> wan 'config forwarding' - confirm, and add
# option proto 'all' to that rule if everything else should be rejected.
# NOTE(review): both ACCEPT rules are family 'ipv4' only, so IPv6 TCP/UDP
# from lan ends up in 'deny any'.
# NOTE(review): the site filtering in this draft is DNS-based. These rules
# keep clients from using another resolver on port 53, but they do not cover
# DNS carried over the allowed port 443.
cp /etc/config/firewall /etc/config/firewall.orig
cat > /etc/config/firewall << EOF

config defaults 
option syn_flood '1' 
option input 'ACCEPT' 
option output 'ACCEPT' 
option forward 'REJECT' 
option drop_invalid '1'

config zone 
option name 'lan' 
list network 'lan' 
option input 'ACCEPT' 
option output 'ACCEPT' 
option forward 'REJECT'

config zone 
option name 'wan' 
list network 'wan' 
list network 'wan6' 
option input 'REJECT' 
option output 'ACCEPT' 
option forward 'REJECT' 
option masq '1' 
option mtu_fix '1'

config forwarding 
option src 'lan' 
option dest 'wan'

config rule 
option name 'Allow-DHCP-Renew' 
option src 'wan' 
option proto 'udp' 
option dest_port '68' 
option target 'ACCEPT' 
option family 'ipv4'

config rule 
option name 'Allow-Ping' 
option src 'wan' 
option proto 'icmp' 
option icmp_type 'echo-request' 
option family 'ipv4' 
option target 'ACCEPT'

config include 
option path '/etc/firewall.user'

config rule 
option target 'ACCEPT' 
option src 'lan' 
option dest 'wan' 
option family 'ipv4' 
option proto 'tcp' 
option name 'web traffic' 
option dest_port '80 8080 443 8443'

config rule 
option target 'ACCEPT' 
option src 'lan' 
option dest 'wan' 
option family 'ipv4' 
option proto 'tcp' 
option name 'mail traffic' 
option dest_port '587 110 143 993 995'

config rule 
option src 'lan' 
option dest 'wan' 
option name 'deny any' 
option target 'REJECT'

EOF

# --------------------------------------------------------------------------------------------------------------------
# Replace the wireless UCI config, keeping the original as wireless.orig.
# One 2.4 GHz access point (channel 11, HT20) attached to network 'lan',
# encryption 'psk2+ccmp' (WPA2-PSK with CCMP).
# NOTE(review): ssid and key below are the values published on this page.
# Treat the key as a placeholder and set your own before any client joins;
# the post lists this as a follow-up step.
# NOTE(review): country 'CA' and txpower '25' are copied as found - set the
# regulatory domain you actually operate in.
cp /etc/config/wireless /etc/config/wireless.orig
cat > /etc/config/wireless << EOF

config wifi-device 'radio0' 
option type 'mac80211' 
option channel '11' 
option hwmode '11g' 
option path 'platform/qca955x_wmac' 
option htmode 'HT20' 
option country 'CA' 
option txpower '25'

config wifi-iface 
option device 'radio0' 
option network 'lan' 
option mode 'ap' 
option ssid 'KidsNet' 
option encryption 'psk2+ccmp' 
option key 'SecureNet' 
option wmm '0'

EOF

# --------------------------------------------------------------------------------------------------------------------
# Build /etc/dnsmasq.conf from scratch; the previous file is kept as
# dnsmasq.conf.orig. Every host name listed below is answered by dnsmasq with
# the single address in SIP instead of its real address.
# NOTE(review): SIP is hard-coded; presumably it is Google's restricted-mode /
# SafeSearch address - verify it is still current before relying on it.
cp /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
SIP="216.239.38.120"
{
   printf '%s\n' '# youtube restricted search'
   for u in www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com; do
      printf '%s\n' "address=/$u/$SIP"
   done
   printf '\n'

   printf '%s\n' '# mobile client restrictions'
   for u in android.googleapis.com www.googleapis.com android.clients.google.com; do
      printf '%s\n' "address=/$u/$SIP"
   done
   printf '\n'

   # One entry per Google country domain: www.google.<suffix>
   printf '%s\n' '# google safe search'
   for u in com ac ad ae af ag al am as at az ba be bf bg bi bj bs bt by ca cat cc cd cf cg ch ci cl cm cn co.ao co.bw co.ck co.cr co.hu co.id co.il co.im co.in co.je co.jp co.ke co.kr co.ls co.ma co.mz co.nz co.th co.tz co.ug co.uk co.uz co.ve co.vi co.za co.zm co.zw com.af com.ag com.ai com.ar com.au com.bd com.bh com.bn com.bo com.br com.by com.bz com.cn com.co com.cu com.cy com.do com.ec com.eg com.et com.fj com.ge com.gh com.gi com.gr com.gt com.hk com.iq com.jm com.jo com.kh com.kw com.lb com.ly com.mm com.mt com.mx com.my com.na com.nf com.ng com.ni com.np com.nr com.om com.pa com.pe com.pg com.ph com.pk com.pl com.pr com.py com.qa com.ru com.sa com.sb com.sg com.sl com.sv com.tj com.tn com.tr com.tw com.ua com.uy com.vc com.ve com.vn cv cz de dj dk dm dz ee es eus fi fm fr frl ga gal ge gg gl gm gp gr gy hk hn hr ht hu ie im in info iq ir is it it.ao je jo jobs jp kg ki kz la li lk lt lu lv md me mg mk ml mn ms mu mv mw ne ne.jp net ng nl no nr nu off.ai pk pl pn ps pt ro rs ru rw sc se sh si sk sm sn so sr st td tel tg tk tl tm tn to tt ua us uz vg vu ws; do
      printf '%s\n' "address=/www.google.$u/$SIP"
   done
} > /etc/dnsmasq.conf

# Store the generated file under /etc/config and leave a symlink at the path
# it was written to; ls shows the resulting link.
# NOTE(review): presumably done so the file travels with config backups - confirm.
mv /etc/dnsmasq.conf /etc/config/
ln -s /etc/config/dnsmasq.conf /etc/dnsmasq.conf
ls -l /etc/dnsmasq.conf

# Enable at boot, then restart, each of: cron, dnsmasq, uhttpd.
for d in \
   /etc/init.d/cron \
   /etc/init.d/dnsmasq \
   /etc/init.d/uhttpd
do
   "$d" enable
   "$d" restart
done
# --------------------------------------------------------------------------------------------------------------------
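# Install the wifischedule LuCI add-on and register its files in
# sysupgrade.conf, the list of extra files kept across a sysupgrade.
#
# The tarball comes over plain HTTP and is unpacked as root relative to /, so
# anyone able to alter the download decides which files land on the router.
# It is therefore fetched to /tmp and only unpacked when its SHA-256 matches.
# WS_SHA256 is a placeholder: fill in the checksum of the tarball obtained
# over a trusted channel. Until then the comparison fails and nothing is
# extracted.
WS_TAR=/tmp/wifischedule-root.tar
WS_SHA256='<EXPECTED_SHA256_OF_wifischedule-root.tar>'

cd /
wget -O "$WS_TAR" http://www.bitbull.ch/dl/wifischedule-root.tar
WS_SUM=$(sha256sum "$WS_TAR" | cut -d' ' -f1)
if [ "$WS_SUM" = "$WS_SHA256" ]; then
   # v lists every path as it is written; review the list.
   tar vxf "$WS_TAR"
else
   echo "wifischedule-root.tar: checksum mismatch, not extracting" >&2
fi
rm -f "$WS_TAR"

cp /etc/sysupgrade.conf /etc/sysupgrade.conf.orig
cat > /etc/sysupgrade.conf << EOF
/usr/bin/wifi_schedule.sh
/usr/lib/lua/luci/view/wifischedule/file_viewer.htm
/usr/lib/lua/luci/model/cbi/wifischedule/wifi_schedule.lua
/usr/lib/lua/luci/controller/wifischedule/wifi_schedule.lua
EOF

reboot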

 

 

Zimbra upgrade from 8.6.0 to 8.7.1

This Zimbra upgrade drove me crazy:

- You need memcached and the reverse proxy installed and active

- zimbraReverseProxySSLToUpstreamEnabled is enforced
  if the SSL cert does not match the server name, LDAPS queries fail
  no usable info on the Zimbra pages for single-server instances (do they really need SSL for localhost queries :)

hope this helps ... looks so easy ... took me hours :-(

cheers

 

ssh -lroot mail01
vi /etc/rc.local
------
/sbin/iptables -I INPUT 1 -s 10.1.12.111 -j ACCEPT # my workstation
/sbin/iptables -I INPUT 2 -s 10.1.1.101 -j ACCEPT  # this mailserver 
/sbin/iptables -I INPUT 3 -s 10.1.1.24 -j ACCEPT   # monitoring
/sbin/iptables -I INPUT 4 -s 127.0.0.0/8 -j ACCEPT # guess
/sbin/iptables -I INPUT 5 -p tcp -m multiport --destination-ports 25,110,143,443,587,993,995 -j REJECT # block other traffic 
------

# Apply the same rules to the running system now; the rc.local copy above only
# runs at boot.
# Order matters: every -I names an explicit position, so the four source-based
# ACCEPT rules sit above the REJECT that closes the listed ports to all other
# sources.
/sbin/iptables -I INPUT 1 -s 10.1.12.111 -j ACCEPT # my workstation
/sbin/iptables -I INPUT 2 -s 10.1.1.101 -j ACCEPT  # this mailserver
/sbin/iptables -I INPUT 3 -s 10.1.1.24 -j ACCEPT   # monitoring
/sbin/iptables -I INPUT 4 -s 127.0.0.0/8 -j ACCEPT # loopback range, matched by source address
# NOTE(review): only the ports listed here are rejected. The lsof output
# further down shows nginx on *:80 and memcached on *:11211, and the proxy is
# configured with 8080/8443 - none of these is in the list. Confirm that
# something else filters them.
/sbin/iptables -I INPUT 5 -p tcp -m multiport --destination-ports 25,110,143,443,587,993,995 -j REJECT # reject these ports for every other source

# create VM snapshot

root@mail01:~/update/zcs-NETWORK-8.6.0_GA_1153.UBUNTU12_64.20141215195643# dpkg -i ./packages/zimbra-memcached_8.6.0.GA.1153.UBUNTU12.64_amd64.deb ./packages/zimbra-proxy_8.6.0.GA.1153.UBUNTU12.64_amd64.deb
root@mail01:~/update/zcs-NETWORK-8.6.0_GA_1153.UBUNTU12_64.20141215195643# su - zimbra
zimbra@mail01:~$ zmcontrol restart

zimbra@mail01:~$ zmprov gs mail01.domain.ch zimbraReverseProxySSLToUpstreamEnabled
# name mail01.domain.com
zimbraReverseProxySSLToUpstreamEnabled: TRUE

zimbra@mail01:~$ ./libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x both  -H `zmhostname`
zimbra@mail01:~$ zmproxyctl restart


root@mail01:~/update/zcs-NETWORK-8.7.1_GA_1670.UBUNTU12_64.20161025050804# lsof -i :443
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
nginx   16695 zimbra   11u  IPv4 356460      0t0  TCP *:https (LISTEN)
...


root@mail01:~/update/zcs-NETWORK-8.7.1_GA_1670.UBUNTU12_64.20161025050804# lsof -i :80
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
nginx   16695 zimbra   10u  IPv4 356459      0t0  TCP *:http (LISTEN)
...


root@mail01:~/update/zcs-NETWORK-8.7.1_GA_1670.UBUNTU12_64.20161025050804# su - zimbra
zimbra@mail01:~$ zmprov ms `zmhostname` +zimbraServiceEnabled memcached
zimbra@mail01:~$ zmcontrol restart


root@mail01:~/update/zcs-NETWORK-8.7.1_GA_1670.UBUNTU12_64.20161025050804# lsof -i :11211
   COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
   memcached 2383 zimbra   26u  IPv4 451107      0t0  TCP *:11211 (LISTEN)
   ...

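# LDAP cannot be accessed after the upgrade:
# Unable to start TLS: hostname verification failed when connecting to ldap master
# so do this before the upgrade. It turns off SSL between the proxy and the upstream server;
# switch it back to TRUE once the certificate matches the server name.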
zimbra@mail01:~$ zmprov ms  `zmhostname` zimbraReverseProxySSLToUpstreamEnabled FALSE

root@mail01:~/update/zcs-NETWORK-8.7.1_GA_1670.UBUNTU12_64.20161025050804#
    cd ~/update/zcs-NETWORK-8.7.1_GA_1670.UBUNTU12_64.20161025050804
   ./install.sh --skip-activation-check --skip-upgrade-check

Check SMART Disk Status in ESXi (6.5)

Hi there

I use ESXi 6.5 on cheap hardware for my home lab.
The disks are not in a RAID, so it is nice to know whether they are healthy.

I found a hint in the VMware portal; here is a simple while loop that checks all disks

 

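# Print the SMART table of every storage device the host lists.
# The device id is the text between the parentheses of each "Display Name:"
# line. read -r keeps backslashes literal and the quoted "$DISK" hands the id
# to esxcli as one argument, so an unusual id cannot be split or glob-expanded.
esxcli storage core device list | grep '  Display Name:' | cut -d'(' -f2 | cut -d')' -f1 | while read -r DISK
do
   echo "********** $DISK **********"
   esxcli storage core device smart get -d "$DISK"
done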

 

Some example output:

[root@esxi2:~] esxcli storage core device list | grep '  Display Name:'
   Display Name: Local ATA Disk (t10.ATA_____Corsair_Force_LS_SSD____________________14518168000101670094)
   Display Name: Local ATA Disk (t10.ATA_____WDC_WD20EARX2D00PASB0_________________________WD2DWCAZA9976744)
   Display Name: Local ATA Disk (t10.ATA_____SanDisk_SSD_i100_16GB___________________i00000000000000000000000000000000000000)
[root@esxi2:~] esxcli storage core device list | grep '  Display Name:' | cut -d'(' -f2 | cut -d')' -f1 | while read DISK
> do echo "********** $DISK **********" ; esxcli storage core device smart get -d $DISK
> done
********** t10.ATA_____Corsair_Force_LS_SSD____________________14518168000101670094 **********
Parameter                     Value  Threshold  Worst
----------------------------  -----  ---------  -----
Health Status                 OK     N/A        N/A  
Media Wearout Indicator       100    0          100  
Write Error Count             100    0          100  
Read Error Count              N/A    N/A        N/A  
Power-on Hours                100    0          100  
Power Cycle Count             100    0          100  
Reallocated Sector Count      100    50         100  
Raw Read Error Rate           100    50         100  
Drive Temperature             70     30         70   
Driver Rated Max Temperature  N/A    N/A        N/A  
Write Sectors TOT Count       100    0          100  
Read Sectors TOT Count        100    0          100  
Initial Bad Block Count       N/A    N/A        N/A  
********** t10.ATA_____WDC_WD20EARX2D00PASB0_________________________WD2DWCAZA9976744 **********
Parameter                     Value  Threshold  Worst
----------------------------  -----  ---------  -----
Health Status                 OK     N/A        N/A  
Media Wearout Indicator       N/A    N/A        N/A  
Write Error Count             0      0          N/A  
Read Error Count              0      51         N/A  
Power-on Hours                94     0          94   
Power Cycle Count             247    0          N/A  
Reallocated Sector Count      0      140        N/A  
Raw Read Error Rate           0      51         N/A  
Drive Temperature             33     0          N/A  
Driver Rated Max Temperature  N/A    N/A        N/A  
Write Sectors TOT Count       N/A    N/A        N/A  
Read Sectors TOT Count        N/A    N/A        N/A  
Initial Bad Block Count       N/A    N/A        N/A  
********** t10.ATA_____SanDisk_SSD_i100_16GB___________________i00000000000000000000000000000000000000 **********
Parameter                     Value  Threshold  Worst
----------------------------  -----  ---------  -----
Health Status                 OK     N/A        N/A  
Media Wearout Indicator       N/A    N/A        N/A  
Write Error Count             N/A    N/A        N/A  
Read Error Count              N/A    N/A        N/A  
Power-on Hours                100    0          100  
Power Cycle Count             100    0          100  
Reallocated Sector Count      100    0          100  
Raw Read Error Rate           N/A    N/A        N/A  
Drive Temperature             N/A    N/A        N/A  
Driver Rated Max Temperature  N/A    N/A        N/A  
Write Sectors TOT Count       100    0          100  
Read Sectors TOT Count        100    0          100  
Initial Bad Block Count       N/A    N/A        N/A  

 

 

iptables config to isolate and route networks on KVM hosts for testing

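Here I have isolated and NATed 3 networks: 192.168.{10,15,33}.x. Note that in the dump below virbr1 (192.168.33.0/24) has no REJECT rules in FORWARD, unlike virbr2 and virbr3, and the FORWARD policy is ACCEPT, so new connections into that network are forwarded.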

 

# Generated by iptables-save v1.4.21 on Sat Nov 26 12:02:53 2016
*mangle
:PREROUTING ACCEPT [2855:275135]
:INPUT ACCEPT [2238:219430]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1484:256521]
:POSTROUTING ACCEPT [1484:256521]
-A POSTROUTING -o virbr2 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr1 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr3 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sat Nov 26 12:02:53 2016
# Generated by iptables-save v1.4.21 on Sat Nov 26 12:02:53 2016
*nat
:PREROUTING ACCEPT [977:101237]
:INPUT ACCEPT [513:58953]
:OUTPUT ACCEPT [120:9090]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -o enp5s0 -j MASQUERADE
-A POSTROUTING -s 192.168.10.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.10.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.10.0/24 ! -d 192.168.10.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.10.0/24 ! -d 192.168.10.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.10.0/24 ! -d 192.168.10.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.33.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.33.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.33.0/24 ! -d 192.168.33.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.33.0/24 ! -d 192.168.33.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.33.0/24 ! -d 192.168.33.0/24 -j MASQUERADE
-A POSTROUTING ! -s 192.168.33.0/24 -d 192.168.33.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.15.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.15.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.15.0/24 ! -d 192.168.15.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.15.0/24 ! -d 192.168.15.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.15.0/24 ! -d 192.168.15.0/24 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Sat Nov 26 12:02:53 2016
# Generated by iptables-save v1.4.21 on Sat Nov 26 12:02:53 2016
*filter
:INPUT ACCEPT [2238:219430]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1484:256521]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
-A INPUT -i virbr2 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr2 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr2 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr2 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr3 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr3 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr3 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr3 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.10.0/24 -o virbr2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.10.0/24 -i virbr2 -j ACCEPT
-A FORWARD -i virbr2 -o virbr2 -j ACCEPT
-A FORWARD -o virbr2 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr2 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.33.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.33.0/24 -i virbr1 -j ACCEPT
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.15.0/24 -o virbr3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.15.0/24 -i virbr3 -j ACCEPT
-A FORWARD -i virbr3 -o virbr3 -j ACCEPT
-A FORWARD -o virbr3 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr3 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A OUTPUT -o virbr2 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -o virbr3 -p udp -m udp --dport 68 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN
COMMIT
# Completed on Sat Nov 26 12:02:53 2016