iptables \ -w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ --destination-port 67 \ --jump ACCEPT iptables \ -w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 67 \ --jump ACCEPT iptables \ -w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ --protocol tcp \ --destination-port 68 \ --jump ACCEPT iptables \ -w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump ACCEPT iptables \ -w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT iptables \ -w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT iptables \ -w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT iptables \ -w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT iptables \ -w \ --table filter \ --insert LIBVIRT_FWO \ --in-interface virbr0 \ --jump REJECT iptables \ -w \ --table filter \ --insert LIBVIRT_FWI \ --out-interface virbr0 \ --jump REJECT iptables \ -w \ --table filter \ --insert LIBVIRT_FWX \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT ip6tables \ -w \ --table filter \ --insert LIBVIRT_FWO \ --in-interface virbr0 \ --jump REJECT ip6tables \ -w \ --table filter \ --insert LIBVIRT_FWI \ --out-interface virbr0 \ --jump REJECT ip6tables \ -w \ --table filter \ --insert LIBVIRT_FWX \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT ip6tables \ -w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT ip6tables \ -w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT ip6tables \ -w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT ip6tables \ -w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT ip6tables \ -w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 547 \ --jump ACCEPT ip6tables \ -w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ --protocol udp \ --destination-port 546 \ --jump ACCEPT iptables \ -w \ --table filter \ --insert LIBVIRT_FWO \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ -w \ --table filter \ --insert LIBVIRT_FWI \ --destination 192.168.122.0/24 \ --out-interface virbr0 \ --match conntrack \ --ctstate ESTABLISHED,RELATED \ --jump ACCEPT iptables \ -w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.122.0/24 '!' \ --destination 192.168.122.0/24 \ --jump MASQUERADE iptables \ -w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ -p udp '!' \ --destination 192.168.122.0/24 \ --jump MASQUERADE \ --to-ports 500-1000 iptables \ -w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ -p tcp '!' \ --destination 192.168.122.0/24 \ --jump MASQUERADE \ --to-ports 500-1000 iptables \ -w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ -w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN iptables \ -w \ --table filter \ --insert LIBVIRT_FWO \ --source 192.168.128.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ -w \ --table filter \ --insert LIBVIRT_FWI \ --destination 192.168.128.0/24 \ --out-interface virbr0 \ --match conntrack \ --ctstate ESTABLISHED,RELATED \ --jump ACCEPT iptables \ -w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.128.0/24 '!' \ --destination 192.168.128.0/24 \ --jump MASQUERADE iptables \ -w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.128.0/24 \ -p udp '!' \ --destination 192.168.128.0/24 \ --jump MASQUERADE \ --to-ports 500-1000 iptables \ -w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.128.0/24 \ -p tcp '!' \ --destination 192.168.128.0/24 \ --jump MASQUERADE \ --to-ports 500-1000 iptables \ -w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.128.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ -w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.128.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN ip6tables \ -w \ --table filter \ --insert LIBVIRT_FWO \ --source 2001:db8:ca2:2::/64 \ --in-interface virbr0 \ --jump ACCEPT ip6tables \ -w \ --table filter \ --insert LIBVIRT_FWI \ --destination 2001:db8:ca2:2::/64 \ --out-interface virbr0 \ --match conntrack \ --ctstate ESTABLISHED,RELATED \ --jump ACCEPT ip6tables \ -w \ --table nat \ --insert LIBVIRT_PRT \ --source 2001:db8:ca2:2::/64 '!' \ --destination 2001:db8:ca2:2::/64 \ --jump MASQUERADE ip6tables \ -w \ --table nat \ --insert LIBVIRT_PRT \ --source 2001:db8:ca2:2::/64 \ -p udp '!' \ --destination 2001:db8:ca2:2::/64 \ --jump MASQUERADE \ --to-ports 500-1000 ip6tables \ -w \ --table nat \ --insert LIBVIRT_PRT \ --source 2001:db8:ca2:2::/64 \ -p tcp '!' \ --destination 2001:db8:ca2:2::/64 \ --jump MASQUERADE \ --to-ports 500-1000 ip6tables \ -w \ --table nat \ --insert LIBVIRT_PRT \ --source 2001:db8:ca2:2::/64 \ --destination ff02::/16 \ --jump RETURN iptables \ -w \ --table mangle \ --insert LIBVIRT_PRT \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump CHECKSUM \ --checksum-fill