На мой непрофессиональный взгляд в iptables все в порядке...
Эти правила описываются как:
-A FI-vnet0 -s 192.168.122.100/32 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -m conntrack --ctdir REPLY -j RETURN
-A FI-vnet0 -p icmp -m state --state NEW,ESTABLISHED -m conntrack --ctdir REPLY -j RETURN
-A FI-vnet0 -s 192.168.122.100/32 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -m conntrack --ctdir REPLY -j RETURN
-A FI-vnet0 -p tcp -j DROP
-A FO-vnet0 -d 192.168.122.100/32 -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -m conntrack --ctdir ORIGINAL -j ACCEPT
-A FO-vnet0 -p icmp -m state --state ESTABLISHED -m conntrack --ctdir ORIGINAL -j ACCEPT
-A FO-vnet0 -d 192.168.122.100/32 -p udp -m udp --sport 53 -m state --state ESTABLISHED -m conntrack --ctdir ORIGINAL -j ACCEPT
-A FO-vnet0 -p tcp -j DROP
-A HI-vnet0 -s 192.168.122.100/32 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -m conntrack --ctdir REPLY -j RETURN
-A HI-vnet0 -p icmp -m state --state NEW,ESTABLISHED -m conntrack --ctdir REPLY -j RETURN
-A HI-vnet0 -s 192.168.122.100/32 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -m conntrack --ctdir REPLY -j RETURN
-A HI-vnet0 -p tcp -j DROP
Если не сложно, укажите хотя бы направление куда копать. Проверяю работоспособность подключаясь к 192.168.1.232:80. Не работает.
Полный выхлоп тут:
# Generated by iptables-save v1.4.12 on Fri Aug 16 17:53:33 2013
*mangle
:PREROUTING ACCEPT [8118472:581732662]
:INPUT ACCEPT [8000710:475713395]
:FORWARD ACCEPT [106356:105444647]
:OUTPUT ACCEPT [7563363:21566053433]
:POSTROUTING ACCEPT [7688000:21673526644]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Fri Aug 16 17:53:33 2013
# Generated by iptables-save v1.4.12 on Fri Aug 16 17:53:33 2013
*nat
:PREROUTING ACCEPT [160:17054]
:INPUT ACCEPT [135:15878]
:OUTPUT ACCEPT [40:6771]
:POSTROUTING ACCEPT [18:4152]
-A PREROUTING -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.122.100:3389
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.1.232
COMMIT
# Completed on Fri Aug 16 17:53:33 2013
# Generated by iptables-save v1.4.12 on Fri Aug 16 17:53:33 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1:52]
:FI-vnet0 - [0:0]
:FO-vnet0 - [0:0]
:HI-vnet0 - [0:0]
:libvirt-host-in - [0:0]
:libvirt-in - [0:0]
:libvirt-in-post - [0:0]
:libvirt-out - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j libvirt-host-in
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -d 192.168.122.100/32 -p tcp -m state --state NEW -m tcp --dport 3389 -j ACCEPT
-A FORWARD -j libvirt-in
-A FORWARD -j libvirt-out
-A FORWARD -j libvirt-in-post
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 10.7.10.0/24 -j ACCEPT
-A FORWARD -s 10.7.10.0/24 -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A FI-vnet0 -s 192.168.122.100/32 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -m conntrack --ctdir REPLY -j RETURN
-A FI-vnet0 -p icmp -m state --state NEW,ESTABLISHED -m conntrack --ctdir REPLY -j RETURN
-A FI-vnet0 -s 192.168.122.100/32 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -m conntrack --ctdir REPLY -j RETURN
-A FI-vnet0 -p tcp -j DROP
-A FO-vnet0 -d 192.168.122.100/32 -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -m conntrack --ctdir ORIGINAL -j ACCEPT
-A FO-vnet0 -p icmp -m state --state ESTABLISHED -m conntrack --ctdir ORIGINAL -j ACCEPT
-A FO-vnet0 -d 192.168.122.100/32 -p udp -m udp --sport 53 -m state --state ESTABLISHED -m conntrack --ctdir ORIGINAL -j ACCEPT
-A FO-vnet0 -p tcp -j DROP
-A HI-vnet0 -s 192.168.122.100/32 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -m conntrack --ctdir REPLY -j RETURN
-A HI-vnet0 -p icmp -m state --state NEW,ESTABLISHED -m conntrack --ctdir REPLY -j RETURN
-A HI-vnet0 -s 192.168.122.100/32 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -m conntrack --ctdir REPLY -j RETURN
-A HI-vnet0 -p tcp -j DROP
-A libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0
-A libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0
-A libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT
-A libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m state --state INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j ACCEPT
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-input -p tcp -m state --state NEW -j ACCEPT
-A ufw-track-input -p udp -m state --state NEW -j ACCEPT
-A ufw-track-output -p tcp -m state --state NEW -j ACCEPT
-A ufw-track-output -p udp -m state --state NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 3389 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A ufw-user-input -p tcp -m tcp --dport 3389 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 --name DEFAULT --rsource -j ufw-user-limit
-A ufw-user-input -p tcp -m tcp --dport 3389 -j ufw-user-limit-accept
-A ufw-user-input -p udp -m udp --dport 3389 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A ufw-user-input -p udp -m udp --dport 3389 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 --name DEFAULT --rsource -j ufw-user-limit
-A ufw-user-input -p udp -m udp --dport 3389 -j ufw-user-limit-accept
-A ufw-user-input -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A ufw-user-input -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 --name DEFAULT --rsource -j ufw-user-limit
-A ufw-user-input -p tcp -m tcp --dport 22 -j ufw-user-limit-accept
-A ufw-user-input -p udp -m udp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A ufw-user-input -p udp -m udp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 --name DEFAULT --rsource -j ufw-user-limit
-A ufw-user-input -p udp -m udp --dport 22 -j ufw-user-limit-accept
-A ufw-user-input -p tcp -m tcp --dport 21 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A ufw-user-input -p tcp -m tcp --dport 21 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 --name DEFAULT --rsource -j ufw-user-limit
-A ufw-user-input -p tcp -m tcp --dport 21 -j ufw-user-limit-accept
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Fri Aug 16 17:53:33 2013