On 5/26/20 2:15 PM, Felder, Christian wrote:
>> Sorry. You’re right and I mixed things up. Indeed there is a new
>> rule in PREROUTING and this is the rule which bypasses the INPUT chain.
>> I cannot explicitly configure ports on the INPUT chain as the
>> packets are forwarded to the CNI-HOSTPORT-DNAT target directly.
$ iptables -L -nv
Chain FORWARD (policy ACCEPT 9 packets, 488 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
Your FORWARD rules only govern traffic that crosses the "virbr0"
interface specifically, so anything that doesn't, uses the default
"ACCEPT" policy.
Set your policy to DENY, or add a REJECT rule that matches all packets
at the end of that chain.
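A small audit script for the situation described in the reply above, added here as an example and not code from the thread or from libvirt: it parses an `iptables -L -nv` dump, reads the FORWARD chain's default policy, and checks whether the chain ends in a catch-all DROP/REJECT (any in, any out, 0.0.0.0/0 to 0.0.0.0/0, optionally with reject-with). A rule with any extra match (such as ctstate) or with a specific interface, like the virbr0 REJECT rules in the listing, is not a catch-all. The three dumps are constructed to mirror the listing in the thread and are not captured from a real host; the INPUT chain is included only to show that a catch-all in another chain is not counted.

```sh
#!/bin/sh
# Added example (not code from the thread): audit an `iptables -L -nv` dump for
# a FORWARD chain whose default policy is ACCEPT and which has no catch-all
# DROP/REJECT rule. The dumps below are constructed, not captured from a host.

FWD_RULES=' pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable'

# A catch-all in INPUT must not be mistaken for one in FORWARD (constructed).
INPUT_CHAIN='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
'

# The rule the reply suggests appending to FORWARD (constructed).
CATCHALL='    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable'

SAMPLE_OPEN="$INPUT_CHAIN
Chain FORWARD (policy ACCEPT 9 packets, 488 bytes)
$FWD_RULES"
SAMPLE_REJECT="$SAMPLE_OPEN
$CATCHALL"
SAMPLE_DROP="$INPUT_CHAIN
Chain FORWARD (policy DROP 0 packets, 0 bytes)
$FWD_RULES"

# Print the FORWARD chain's default policy (ACCEPT or DROP).
forward_policy() {
    printf '%s\n' "$1" | sed -n 's/^Chain FORWARD (policy \([A-Z]*\).*/\1/p'
}

# Succeed if FORWARD contains a DROP or REJECT rule matching every interface,
# source and destination, with no extra match other than reject-with.
# Rules in other chains are ignored.
forward_has_catchall() {
    printf '%s\n' "$1" | awk '
        /^Chain / { in_fwd = ($2 == "FORWARD"); next }
        in_fwd && NF >= 9 && ($3 == "DROP" || $3 == "REJECT") &&
            $6 == "*" && $7 == "*" &&
            $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" &&
            (NF == 9 || (NF == 11 && $10 == "reject-with")) { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Succeed when the chain is open in the sense of the reply: policy ACCEPT and
# nothing at the end to catch what the interface-specific rules miss.
forward_chain_open() {
    [ "$(forward_policy "$1")" = ACCEPT ] && ! forward_has_catchall "$1"
}

# Report on one dump and print the two fixes suggested in the reply.
audit_forward() {
    if forward_chain_open "$1"; then
        echo "FORWARD: policy ACCEPT with no catch-all rule; unmatched traffic is forwarded"
        echo "  fix (either):  iptables -P FORWARD DROP"
        echo "           or:  iptables -A FORWARD -j REJECT --reject-with icmp-port-unreachable"
        return 1
    fi
    echo "FORWARD: closed by default (policy $(forward_policy "$1"))"
}

# On a live host (root needed):  audit_forward "$(iptables -L -nv)"
for dump in "$SAMPLE_OPEN" "$SAMPLE_REJECT" "$SAMPLE_DROP"; do
    audit_forward "$dump" || :
done
```

The first dump reproduces the thread's listing and is reported as open; the second appends the reply's catch-all REJECT, the third sets the policy to DROP, and both are reported as closed.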