Firewall blocks IKEv2 traffic but logs no drops or rejects

Trying to upgrade my IKEv1/L2TP connection to IKEv2.

FWIW my IKEv1/L2TP client config only works once I add a route after the connection comes up. Though I didn’t need to do anything about the firewall. (All I’ve ever done with the firewall is --add-port=24800/tcp for Synergy.)

The IKEv2 config is different though. No L2TP. My strongSwan client config gets the IKEv2 connection up but gets no traffic through. Strangely, meanwhile firewall-cmd --set-log-denied=all shows no related drops or rejects.

Yet traffic does get through, without me adding a route, if I either disable firewalld or move enp3s0 to the trusted zone, neither of which is smart. Can anyone tell me what to do so the firewall allows IKEv2 tunnel traffic?

firewalld|2.1.2-4.2
strongswan-ipsec|6.0.1-1.1

Does enabling the ipsec service help?

Strictly speaking it’s not enabled; I start it and bring up the connection with a simple script.

+ systemctl status strongswan-starter
● strongswan-starter.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
     Loaded: loaded (/usr/lib/systemd/system/strongswan-starter.service; disabled; preset: disabled)
     Active: active (running) since Tue 2025-05-06 21:52:48 CDT; 14h ago
 Invocation: 81552e4ed85247d096d5187993038419
   Main PID: 566610 (starter)
      Tasks: 18 (limit: 9276)
        CPU: 1min 13.735s
     CGroup: /system.slice/strongswan-starter.service
             ├─566610 /usr/libexec/ipsec/starter --daemon charon --nofork
             └─566614 /usr/libexec/ipsec/charon

+ ipsec statusall
Status of IKE charon daemon (strongSwan 6.0.1, Linux 6.14.1-1-default, x86_64):
  uptime: 18 seconds, since May 07 12:00:24 2025
  malloc: sbrk 3223552, mmap 0, used 1318448, free 1905104
  worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon ldap pkcs11 blowfish md4 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pgp dnskey sshkey pem openssl gcrypt pkcs8 af-alg fips-prf gmp agent xcbc cmac kdf ctr ccm gcm dr>
Listening IP addresses:
  10.3.3.7
  10.3.7.7
  10.3.1.7
Connections:
           7:  %any...209.23.153.217  IKEv1/2
           7:   local:  [mg010000] uses EAP_MSCHAPV2 authentication
           7:   remote: [green] uses pre-shared key authentication
           7:   child:  dynamic === 192.168.128.0/21 TUNNEL
           8:  %any...209.23.153.218  IKEv1/2
           8:   local:  [mg010000] uses EAP_MSCHAPV2 authentication
           8:   remote: [green] uses pre-shared key authentication
           8:   child:  dynamic === 192.168.128.0/21 TUNNEL
Security Associations (1 up, 0 connecting):
           7[1]: ESTABLISHED 12 seconds ago, 10.3.3.7[mg010000]...209.23.153.217[green]
           7[1]: IKEv2 SPIs: 900df81d21abed3d_i* 0ab75be35cfa3d51_r, EAP reauthentication in 2 hours
           7[1]: IKE proposal: AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
           7{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c12d25e1_i cb2b6c31_o
           7{1}:  AES_GCM_16_256, 0 bytes_i, 0 bytes_o, rekeying in 43 minutes
           7{1}:   192.168.128.242/32 === 192.168.128.0/21

I’m using strongswan-ipsec for direct access to strongSwan features, and configuring PSK, though at this point I’m wondering if perhaps NetworkManager-strongswan implements the missing firewall magic, though annoyingly it does not support PSK.

+ zypper --color --no-refresh se ngsw
Loading repository data...
 Reading installed packages...
 S  | Name                             | Summary                                                     | Type
 ---+----------------------------------+-------------------------------------------------------------+--------
    | NetworkManager-applet-strongswan | NetworkManager VPN support for strongSwan                   | package
    | NetworkManager-strongswan        | NetworkManager VPN support for strongSwan                   | package
    | NetworkManager-strongswan-lang   | Translations for package NetworkManager-strongswan          | package
    | plasma6-nm-strongswan            | strongSwan support for plasma6-nm                           | package
 i  | strongswan                       | IPsec-based VPN solution                                    | package
    | strongswan-doc                   | Documentation for strongSwan                                | package
    | strongswan-fips                  | Config file to disable non FIPS-140-2 algos in strongSwan   | package
 i+ | strongswan-ipsec                 | Old-style "ipsec" interface (stroke/starter) for strongSwan | package
    | strongswan-mysql                 | MySQL plugin for strongSwan                                 | package
    | strongswan-nm                    | NetworkManager plugin for strongSwan                        | package
    | strongswan-sqlite                | SQLite plugin for strongSwan                                | package

I mean the firewalld service. Does adding it to your zone change anything?

Can you clarify, adding what exactly?

As in the OP, if I move enp3s0 to the trusted zone it works, but that’s effectively disabling the firewall completely.

firewall-cmd --add-service=ipsec ...

Read man firewall-cmd for details.

Nope, still no packets get through the tunnel (without disabling the firewall).

I just installed NetworkManager-applet-strongswan-1.6.0-2.4.x86_64, and when it brings up the tunnel I see these promising-looking logs:

May 10 14:59:23 e540 charon-nm[754273]: 07[IKE] installed bypass policy for 10.3.1.0/25
May 10 14:59:23 e540 charon-nm[754273]: 07[IKE] installed bypass policy for 10.3.3.0/27
May 10 14:59:23 e540 charon-nm[754273]: 07[IKE] installed bypass policy for 10.3.7.0/28

But traffic still does not go through the tunnel while the firewall is active.

Does nobody else use IKEv2 on Tumbleweed? Am I just missing a howto, or is this a bug?

Show the interfaces before and after the tunnel is established.

ip -a
ip -4 r
ip -6 r

Explain between which addresses (interfaces) traffic should go.

…might mean there’s a hope it might handle whatever the firewall needs, but something amidst NetworkManager-strongswan, NetworkManager-applet-strongswan or plasma6-nm-strongswan is hitting some authorization agent issue:

May 10 08:54:49 e540 NetworkManager[1565]: <warn>  [1746885289.8246] vpn[0x55b77a72b180,686a2149-0e04-4b4e-9663-e5db74132ab6,"7nm"]: secrets: failed to request VPN secrets #3: No agents were available for this request.
May 10 08:54:49 e540 kded6[4245]: org.kde.plasma.nm.kded: Unhandled VPN connection state change:  NetworkManager::VpnConnection::NeedAuth

If I ignore NetworkManager and just use ipsec up, it passes authorization, but traffic only gets through if the firewall is disabled.

When the tunnel comes up, enp3s0 gets an additional address, from the leftsourceip pool on the remote network, and table 220 gets a route for it. Traffic flows properly through that route but only when the firewall is disabled.

(This box is the gateway for 3 separate wifi zones, hence the 3 addresses. In the route tables you can see the gateway for this box, and said gateway, not wlp4s0, also handles the wifi.)

Before tunnel:

+2025-05-12Mon09:28:06+ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: wlp4s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 26:e8:81:7f:5c:15 brd ff:ff:ff:ff:ff:ff permaddr 48:51:b7:b1:da:14
    altname wlx4851b7b1da14
3: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 68:f7:28:40:f3:46 brd ff:ff:ff:ff:ff:ff
    altname enx68f72840f346
    inet 10.3.3.7/27 brd 10.3.3.31 scope global noprefixroute enp3s0
       valid_lft forever preferred_lft forever
    inet 10.3.7.7/28 brd 10.3.7.15 scope global noprefixroute enp3s0
       valid_lft forever preferred_lft forever
    inet 10.3.1.7/25 brd 10.3.1.127 scope global noprefixroute enp3s0
       valid_lft forever preferred_lft forever
+2025-05-12Mon09:28:06+ ip -4 r
default via 10.3.3.3 dev enp3s0 proto static metric 100 
10.3.1.0/25 dev enp3s0 proto kernel scope link src 10.3.1.7 metric 100 
10.3.3.0/27 dev enp3s0 proto kernel scope link src 10.3.3.7 metric 100 
10.3.7.0/28 dev enp3s0 proto kernel scope link src 10.3.7.7 metric 100 
+2025-05-12Mon09:28:06+ ip r show table all
default via 10.3.3.3 dev enp3s0 proto static metric 100 
10.3.1.0/25 dev enp3s0 proto kernel scope link src 10.3.1.7 metric 100 
10.3.3.0/27 dev enp3s0 proto kernel scope link src 10.3.3.7 metric 100 
10.3.7.0/28 dev enp3s0 proto kernel scope link src 10.3.7.7 metric 100 
local 10.3.1.7 dev enp3s0 table local proto kernel scope host src 10.3.1.7 
broadcast 10.3.1.127 dev enp3s0 table local proto kernel scope link src 10.3.1.7 
local 10.3.3.7 dev enp3s0 table local proto kernel scope host src 10.3.3.7 
broadcast 10.3.3.31 dev enp3s0 table local proto kernel scope link src 10.3.3.7 
local 10.3.7.7 dev enp3s0 table local proto kernel scope host src 10.3.7.7 
broadcast 10.3.7.15 dev enp3s0 table local proto kernel scope link src 10.3.7.7 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
+2025-05-12Mon09:28:06+ ip -6 r
+2025-05-12Mon09:28:06+ ip xfrm policy
src ::/0 dst ::/0 
        socket in priority 0 ptype main 
src ::/0 dst ::/0 
        socket out priority 0 ptype main 
src ::/0 dst ::/0 
        socket in priority 0 ptype main 
src ::/0 dst ::/0 
        socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket out priority 0 ptype main 
+2025-05-12Mon09:28:06+ ip xfrm state
+2025-05-12Mon09:28:06+ ipsec statusall
Status of IKE charon daemon (strongSwan 6.0.1, Linux 6.14.1-1-default, x86_64):
  uptime: 28 minutes, since May 12 09:00:00 2025
  malloc: sbrk 3080192, mmap 0, used 997232, free 2082960
  worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon ldap pkcs11 blowfish md4 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pgp dnskey sshkey pem openssl gcrypt pkcs8 af-alg fips-prf gmp agent xcbc cmac kdf ctr ccm gcm dr>
Listening IP addresses:
  10.3.3.7
  10.3.7.7
  10.3.1.7
Connections:
           7:  %any...209.23.153.217  IKEv1/2
           7:   local:  [mg010000] uses EAP_MSCHAPV2 authentication
           7:   remote: [green] uses pre-shared key authentication
           7:   child:  dynamic === 192.168.128.0/21 TUNNEL
           8:  %any...209.23.153.218  IKEv1/2
           8:   local:  [mg010000] uses EAP_MSCHAPV2 authentication
           8:   remote: [green] uses pre-shared key authentication
           8:   child:  dynamic === 192.168.128.0/21 TUNNEL
Security Associations (0 up, 0 connecting):
  none

With tunnel:

+2025-05-12Mon11:04:25+ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: wlp4s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 26:e8:81:7f:5c:15 brd ff:ff:ff:ff:ff:ff permaddr 48:51:b7:b1:da:14
    altname wlx4851b7b1da14
3: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 68:f7:28:40:f3:46 brd ff:ff:ff:ff:ff:ff
    altname enx68f72840f346
    inet 10.3.3.7/27 brd 10.3.3.31 scope global noprefixroute enp3s0
       valid_lft forever preferred_lft forever
    inet 10.3.7.7/28 brd 10.3.7.15 scope global noprefixroute enp3s0
       valid_lft forever preferred_lft forever
    inet 10.3.1.7/25 brd 10.3.1.127 scope global noprefixroute enp3s0
       valid_lft forever preferred_lft forever
    inet 192.168.128.242/32 scope global enp3s0
       valid_lft forever preferred_lft forever
+2025-05-12Mon11:04:25+ ip -4 r
default via 10.3.3.3 dev enp3s0 proto static metric 100 
10.3.1.0/25 dev enp3s0 proto kernel scope link src 10.3.1.7 metric 100 
10.3.3.0/27 dev enp3s0 proto kernel scope link src 10.3.3.7 metric 100 
10.3.7.0/28 dev enp3s0 proto kernel scope link src 10.3.7.7 metric 100 
+2025-05-12Mon11:04:25+ ip r show table all
192.168.128.0/21 via 10.3.3.3 dev enp3s0 table 220 proto static src 192.168.128.242 
default via 10.3.3.3 dev enp3s0 proto static metric 100 
10.3.1.0/25 dev enp3s0 proto kernel scope link src 10.3.1.7 metric 100 
10.3.3.0/27 dev enp3s0 proto kernel scope link src 10.3.3.7 metric 100 
10.3.7.0/28 dev enp3s0 proto kernel scope link src 10.3.7.7 metric 100 
local 10.3.1.7 dev enp3s0 table local proto kernel scope host src 10.3.1.7 
broadcast 10.3.1.127 dev enp3s0 table local proto kernel scope link src 10.3.1.7 
local 10.3.3.7 dev enp3s0 table local proto kernel scope host src 10.3.3.7 
broadcast 10.3.3.31 dev enp3s0 table local proto kernel scope link src 10.3.3.7 
local 10.3.7.7 dev enp3s0 table local proto kernel scope host src 10.3.7.7 
broadcast 10.3.7.15 dev enp3s0 table local proto kernel scope link src 10.3.7.7 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
local 192.168.128.242 dev enp3s0 table local proto kernel scope host src 192.168.128.242 
+2025-05-12Mon11:04:25+ ip -6 r
+2025-05-12Mon11:04:25+ ip xfrm policy
src 192.168.128.242/32 dst 192.168.128.0/21 
        dir out priority 372863 ptype main 
        tmpl src 10.3.3.7 dst 209.23.153.217
                proto esp spi 0xc90a9054 reqid 1 mode tunnel
src 192.168.128.0/21 dst 192.168.128.242/32 
        dir fwd priority 372863 ptype main 
        tmpl src 209.23.153.217 dst 10.3.3.7
                proto esp reqid 1 mode tunnel
src 192.168.128.0/21 dst 192.168.128.242/32 
        dir in priority 372863 ptype main 
        tmpl src 209.23.153.217 dst 10.3.3.7
                proto esp reqid 1 mode tunnel
src ::/0 dst ::/0 
        socket in priority 0 ptype main 
src ::/0 dst ::/0 
        socket out priority 0 ptype main
src ::/0 dst ::/0 
        socket in priority 0 ptype main 
src ::/0 dst ::/0 
        socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket out priority 0 ptype main 
+2025-05-12Mon11:04:25+ ip xfrm state
src 10.3.3.7 dst 209.23.153.217
        proto esp spi 0xc90a9054 reqid 1 mode tunnel
        replay-window 0 flag af-unspec
        aead rfc4106(gcm(aes)) 0xa21863a42381a2525a0802b697555c054a951167e60a93e28a492e5120ab0652567f333a 128
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        dir out
src 209.23.153.217 dst 10.3.3.7
        proto esp spi 0xc41696a9 reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        aead rfc4106(gcm(aes)) 0x248417b322cf3200d96c94fa737bfac1c985bdf1757b5a1df5da902434837c6ce5213881 128
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        dir in
+2025-05-12Mon11:04:25+ ipsec statusall
Status of IKE charon daemon (strongSwan 6.0.1, Linux 6.14.1-1-default, x86_64):
  uptime: 25 seconds, since May 12 11:04:00 2025
  malloc: sbrk 3223552, mmap 0, used 1319120, free 1904432
  worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon ldap pkcs11 blowfish md4 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pgp dnskey sshkey pem openssl gcrypt pkcs8 af-alg fips-prf gmp agent xcbc cmac kdf ctr ccm gcm dr>
Listening IP addresses:
  10.3.3.7
  10.3.7.7
  10.3.1.7
Connections:
           7:  %any...209.23.153.217  IKEv1/2
           7:   local:  [mg010000] uses EAP_MSCHAPV2 authentication
           7:   remote: [green] uses pre-shared key authentication
           7:   child:  dynamic === 192.168.128.0/21 TUNNEL
           8:  %any...209.23.153.218  IKEv1/2
           8:   local:  [mg010000] uses EAP_MSCHAPV2 authentication
           8:   remote: [green] uses pre-shared key authentication
           8:   child:  dynamic === 192.168.128.0/21 TUNNEL
Security Associations (1 up, 0 connecting):
           7[1]: ESTABLISHED 10 seconds ago, 10.3.3.7[mg010000]...209.23.153.217[green]
           7[1]: IKEv2 SPIs: 862a2cb777d6afb1_i* a9bd0ec4f7eca07d_r, EAP reauthentication in 2 hours
           7[1]: IKE proposal: AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
           7{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c41696a9_i c90a9054_o
           7{1}:  AES_GCM_16_256, 0 bytes_i, 0 bytes_o, rekeying in 44 minutes
           7{1}:   192.168.128.242/32 === 192.168.128.0/21

OK, and the output of

nft list ruleset

(unless you changed the default firewalld backend to iptables). It will probably be long, so better upload it to https://paste.opensuse.org/

table ip filter {
        chain FORWARD {
                type filter hook forward priority filter; policy accept;
        }
        chain INPUT {
                type filter hook input priority filter; policy accept;
        }
        chain OUTPUT {
                type filter hook output priority filter; policy accept;
        }
}
table inet firewalld {
        chain mangle_PREROUTING {
                type filter hook prerouting priority mangle + 10; policy accept;
                jump mangle_PREROUTING_POLICIES
        }
        chain mangle_PREROUTING_POLICIES {
                iifname "docker0" jump mangle_PRE_policy_allow-host-ipv6
                iifname "docker0" jump mangle_PRE_docker
                iifname "docker0" return
                iifname "enp3s0" jump mangle_PRE_policy_allow-host-ipv6
                iifname "enp3s0" jump mangle_PRE_public
                iifname "enp3s0" return
                jump mangle_PRE_policy_allow-host-ipv6
                jump mangle_PRE_public
                return
        }
        chain nat_PREROUTING {
                type nat hook prerouting priority dstnat + 10; policy accept;
                jump nat_PREROUTING_POLICIES
        }
        chain nat_PREROUTING_POLICIES {
                iifname "docker0" jump nat_PRE_policy_allow-host-ipv6
                iifname "docker0" jump nat_PRE_docker
                iifname "docker0" return
                iifname "enp3s0" jump nat_PRE_policy_allow-host-ipv6
                iifname "enp3s0" jump nat_PRE_public
                iifname "enp3s0" return
                jump nat_PRE_policy_allow-host-ipv6
                jump nat_PRE_public
                return
        }
        chain nat_POSTROUTING {
                type nat hook postrouting priority srcnat + 10; policy accept;
                jump nat_POSTROUTING_POLICIES
        }
        chain nat_POSTROUTING_POLICIES {
                iifname "docker0" oifname "docker0" jump nat_POST_docker
                iifname "docker0" oifname "docker0" return
                iifname "enp3s0" oifname "docker0" jump nat_POST_docker
                iifname "enp3s0" oifname "docker0" return
                oifname "docker0" jump nat_POST_docker
                oifname "docker0" return
                iifname "docker0" oifname "enp3s0" jump nat_POST_public
                iifname "docker0" oifname "enp3s0" return
                iifname "enp3s0" oifname "enp3s0" jump nat_POST_public
                iifname "enp3s0" oifname "enp3s0" return
                oifname "enp3s0" jump nat_POST_public
                oifname "enp3s0" return
                iifname "docker0" jump nat_POST_public
                iifname "docker0" return
                iifname "enp3s0" jump nat_POST_public
                iifname "enp3s0" return
                jump nat_POST_public
                return
        }
        chain nat_OUTPUT {
                type nat hook output priority dstnat + 10; policy accept;
                jump nat_OUTPUT_POLICIES
        }
        chain nat_OUTPUT_POLICIES {
                oifname "docker0" jump nat_OUT_docker
                oifname "docker0" return
                oifname "enp3s0" jump nat_OUT_public
                oifname "enp3s0" return
                jump nat_OUT_public
                return
        }
        chain filter_PREROUTING {
                type filter hook prerouting priority filter + 10; policy accept;
                icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
                meta nfproto ipv6 fib saddr . mark . iif oif missing log prefix "rpfilter_DROP: " drop
        }
        chain filter_INPUT {
                type filter hook input priority filter + 10; policy accept;
                ct state { established, related } accept
                ct status dnat accept
                iifname "lo" accept
                ct state invalid log prefix "STATE_INVALID_DROP: "
                ct state invalid drop
                jump filter_INPUT_POLICIES
                log prefix "FINAL_REJECT: "
                reject with icmpx admin-prohibited
        }
        chain filter_FORWARD {
                type filter hook forward priority filter + 10; policy accept;
                ct state { established, related } accept
                ct status dnat accept
                iifname "lo" accept
                ct state invalid log prefix "STATE_INVALID_DROP: "
                ct state invalid drop
                ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } log prefix "RFC3964_IPv4_REJECT: " reject with icmp>
                jump filter_FORWARD_POLICIES
                log prefix "FINAL_REJECT: "
                reject with icmpx admin-prohibited
        }
        chain filter_OUTPUT {
                type filter hook output priority filter + 10; policy accept;
                ct state { established, related } accept
                oifname "lo" accept
                ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } log prefix "RFC3964_IPv4_REJECT: " reject with icmp>
                jump filter_OUTPUT_POLICIES
        }
        chain filter_INPUT_POLICIES {
                iifname "docker0" jump filter_IN_policy_allow-host-ipv6
                iifname "docker0" jump filter_IN_docker
                iifname "docker0" accept
                iifname "enp3s0" jump filter_IN_policy_allow-host-ipv6
                iifname "enp3s0" jump filter_IN_public
                iifname "enp3s0" log prefix "filter_IN_public_REJECT: "
                iifname "enp3s0" reject with icmpx admin-prohibited
                jump filter_IN_policy_allow-host-ipv6
                jump filter_IN_public
                log prefix "filter_IN_public_REJECT: "
                reject with icmpx admin-prohibited
        }
        chain filter_FORWARD_POLICIES {
                iifname "docker0" oifname "docker0" jump filter_FWD_docker
                iifname "docker0" oifname "docker0" accept
                iifname "docker0" oifname "enp3s0" jump filter_FWD_docker
                iifname "docker0" oifname "enp3s0" accept
                iifname "docker0" jump filter_FWD_docker
                iifname "docker0" accept
                iifname "enp3s0" oifname "docker0" jump filter_FWD_public
                iifname "enp3s0" oifname "docker0" log prefix "filter_FWD_public_REJECT: "
                iifname "enp3s0" oifname "docker0" reject with icmpx admin-prohibited
                iifname "enp3s0" oifname "enp3s0" jump filter_FWD_public
                iifname "enp3s0" oifname "enp3s0" log prefix "filter_FWD_public_REJECT: "
                iifname "enp3s0" oifname "enp3s0" reject with icmpx admin-prohibited
                iifname "enp3s0" jump filter_FWD_public
                iifname "enp3s0" log prefix "filter_FWD_public_REJECT: "
                iifname "enp3s0" reject with icmpx admin-prohibited
                oifname "docker0" jump filter_FWD_public
                oifname "docker0" log prefix "filter_FWD_public_REJECT: "
                oifname "docker0" reject with icmpx admin-prohibited
                oifname "enp3s0" jump filter_FWD_public
                oifname "enp3s0" log prefix "filter_FWD_public_REJECT: "
                oifname "enp3s0" reject with icmpx admin-prohibited
                jump filter_FWD_public
                log prefix "filter_FWD_public_REJECT: "
                reject with icmpx admin-prohibited
        }
        chain filter_OUTPUT_POLICIES {
                oifname "docker0" jump filter_OUT_docker
                oifname "docker0" return
                oifname "enp3s0" jump filter_OUT_public
                oifname "enp3s0" return
                jump filter_OUT_public
                return
        }
        chain filter_IN_public {
                jump filter_IN_public_pre
                jump filter_IN_public_log
                jump filter_IN_public_deny
                jump filter_IN_public_allow
                jump filter_IN_public_post
                meta l4proto { icmp, ipv6-icmp } accept
        }
        chain filter_IN_public_pre {
        }
        chain filter_IN_public_log {
        }
        chain filter_IN_public_deny {
        }
        chain filter_IN_public_allow {
                tcp dport 22 accept
                ip6 daddr fe80::/64 udp dport 546 accept
                udp dport 67 accept
                tcp dport 24800 accept
                tcp dport 993 accept
        }
        chain filter_IN_public_post {
        }
        chain filter_OUT_public {
                meta nftrace set 1
                jump filter_OUT_public_pre
                jump filter_OUT_public_log
                jump filter_OUT_public_deny
                jump filter_OUT_public_allow
                jump filter_OUT_public_post
        }
        chain filter_OUT_public_pre {
        }
        chain filter_OUT_public_log {
        }
        chain filter_OUT_public_deny {
        }
        chain filter_OUT_public_allow {
        }
        chain filter_OUT_public_post {
        }
        chain nat_OUT_public {
                jump nat_OUT_public_pre
                jump nat_OUT_public_log
                jump nat_OUT_public_deny
                jump nat_OUT_public_allow
                jump nat_OUT_public_post
        }
        chain nat_OUT_public_pre {
        }
        chain nat_OUT_public_log {
        }
        chain nat_OUT_public_deny {
        }
        chain nat_OUT_public_allow {
        }
        chain nat_OUT_public_post {
        }
        chain nat_POST_public {
                jump nat_POST_public_pre
                jump nat_POST_public_log
                jump nat_POST_public_deny
                jump nat_POST_public_allow
                jump nat_POST_public_post
        }
        chain nat_POST_public_pre {
        }
        chain nat_POST_public_log {
        }
        chain nat_POST_public_deny {
        }
        chain nat_POST_public_allow {
                meta nfproto ipv4 oifname != "lo" masquerade
        }
        chain nat_POST_public_post {
        }
        chain filter_FWD_public {
                jump filter_FWD_public_pre
                jump filter_FWD_public_log
                jump filter_FWD_public_deny
                jump filter_FWD_public_allow
                jump filter_FWD_public_post
        }
        chain filter_FWD_public_pre {
        }
        chain filter_FWD_public_log {
        }
        chain filter_FWD_public_deny {
        }
        chain filter_FWD_public_allow {
                oifname "enp3s0" accept
        }
        chain filter_FWD_public_post {
        }
        chain nat_PRE_public {
                jump nat_PRE_public_pre
                jump nat_PRE_public_log
                jump nat_PRE_public_deny
                jump nat_PRE_public_allow
                jump nat_PRE_public_post
        }
        chain nat_PRE_public_pre {
        }
        chain nat_PRE_public_log {
        }
        chain nat_PRE_public_deny {
        }
        chain nat_PRE_public_allow {
                meta nfproto ipv4 tcp dport 995 dnat ip to 10.3.8.87:995
        }
        chain nat_PRE_public_post {
        }
        chain mangle_PRE_public {
                jump mangle_PRE_public_pre
                jump mangle_PRE_public_log
                jump mangle_PRE_public_deny
                jump mangle_PRE_public_allow
                jump mangle_PRE_public_post
        }
        chain mangle_PRE_public_pre {
        }
        chain mangle_PRE_public_log {
        }
        chain mangle_PRE_public_deny {
        }
        chain mangle_PRE_public_allow {
        }
        chain mangle_PRE_public_post {
        }
        chain filter_IN_docker {
                jump filter_IN_docker_pre
                jump filter_IN_docker_log
                jump filter_IN_docker_deny
                jump filter_IN_docker_allow
                jump filter_IN_docker_post
        }
        chain filter_IN_docker_pre {
        }
        chain filter_IN_docker_log {
        }
        chain filter_IN_docker_deny {
        }
        chain filter_IN_docker_allow {
        }
        chain filter_IN_docker_post {
        }
        chain filter_OUT_docker {
                jump filter_OUT_docker_pre
                jump filter_OUT_docker_log
                jump filter_OUT_docker_deny
                jump filter_OUT_docker_allow
                jump filter_OUT_docker_post
        }
        chain filter_OUT_docker_pre {
        }
        chain filter_OUT_docker_log {
        }
        chain filter_OUT_docker_deny {
        }
        chain filter_OUT_docker_allow {
        }
        chain filter_OUT_docker_post {
        }
        chain nat_OUT_docker {
                jump nat_OUT_docker_pre
                jump nat_OUT_docker_log
                jump nat_OUT_docker_deny
                jump nat_OUT_docker_allow
                jump nat_OUT_docker_post
        }
        chain nat_OUT_docker_pre {
        }
        chain nat_OUT_docker_log {
        }
        chain nat_OUT_docker_deny {
        }
        chain nat_OUT_docker_allow {
        }
        chain nat_OUT_docker_post {
        }
        chain nat_POST_docker {
                jump nat_POST_docker_pre
                jump nat_POST_docker_log
                jump nat_POST_docker_deny
                jump nat_POST_docker_allow
                jump nat_POST_docker_post
        }
        chain nat_POST_docker_pre {
        }
        chain nat_POST_docker_log {
        }
        chain nat_POST_docker_deny {
        }
        chain nat_POST_docker_allow {
        }
        chain nat_POST_docker_post {
        }
        chain filter_FWD_docker {
                jump filter_FWD_docker_pre
                jump filter_FWD_docker_log
                jump filter_FWD_docker_deny
                jump filter_FWD_docker_allow
                jump filter_FWD_docker_post
        }
        chain filter_FWD_docker_pre {
        }
        chain filter_FWD_docker_log {
        }
        chain filter_FWD_docker_deny {
        }
        chain filter_FWD_docker_allow {
        }
        chain filter_FWD_docker_post {
        }
        chain nat_PRE_docker {
                jump nat_PRE_docker_pre
                jump nat_PRE_docker_log
                jump nat_PRE_docker_deny
                jump nat_PRE_docker_allow
                jump nat_PRE_docker_post
        }
        chain nat_PRE_docker_pre {
        }
        chain nat_PRE_docker_log {
        }
        chain nat_PRE_docker_deny {
        }
        chain nat_PRE_docker_allow {
        }
        chain nat_PRE_docker_post {
        }
        chain mangle_PRE_docker {
                jump mangle_PRE_docker_pre
                jump mangle_PRE_docker_log
                jump mangle_PRE_docker_deny
                jump mangle_PRE_docker_allow
                jump mangle_PRE_docker_post
        }
        chain mangle_PRE_docker_pre {
        }
        chain mangle_PRE_docker_log {
        }
        chain mangle_PRE_docker_deny {
        }
        chain mangle_PRE_docker_allow {
        }
        chain mangle_PRE_docker_post {
        }
        chain filter_IN_policy_allow-host-ipv6 {
                jump filter_IN_policy_allow-host-ipv6_pre
                jump filter_IN_policy_allow-host-ipv6_log
                jump filter_IN_policy_allow-host-ipv6_deny
                jump filter_IN_policy_allow-host-ipv6_allow
                jump filter_IN_policy_allow-host-ipv6_post
        }
        chain filter_IN_policy_allow-host-ipv6_pre {
        }
        chain filter_IN_policy_allow-host-ipv6_log {
        }
        chain filter_IN_policy_allow-host-ipv6_deny {
        }
        chain filter_IN_policy_allow-host-ipv6_allow {
                icmpv6 type nd-neighbor-advert accept
                icmpv6 type nd-neighbor-solicit accept
                icmpv6 type nd-router-advert accept
                icmpv6 type nd-redirect accept
        }
        chain filter_IN_policy_allow-host-ipv6_post {
        }
        chain nat_PRE_policy_allow-host-ipv6 {
                jump nat_PRE_policy_allow-host-ipv6_pre
                jump nat_PRE_policy_allow-host-ipv6_log
                jump nat_PRE_policy_allow-host-ipv6_deny
                jump nat_PRE_policy_allow-host-ipv6_allow
                jump nat_PRE_policy_allow-host-ipv6_post
        }
        chain nat_PRE_policy_allow-host-ipv6_pre {
        }
        chain nat_PRE_policy_allow-host-ipv6_log {
        }
        chain nat_PRE_policy_allow-host-ipv6_deny {
        }
        chain nat_PRE_policy_allow-host-ipv6_allow {
        }
        chain nat_PRE_policy_allow-host-ipv6_post {
        }
        chain mangle_PRE_policy_allow-host-ipv6 {
                jump mangle_PRE_policy_allow-host-ipv6_pre
                jump mangle_PRE_policy_allow-host-ipv6_log
                jump mangle_PRE_policy_allow-host-ipv6_deny
                jump mangle_PRE_policy_allow-host-ipv6_allow
                jump mangle_PRE_policy_allow-host-ipv6_post
        }
        chain mangle_PRE_policy_allow-host-ipv6_pre {
        }
        chain mangle_PRE_policy_allow-host-ipv6_log {
        }
        chain mangle_PRE_policy_allow-host-ipv6_deny {
        }
        chain mangle_PRE_policy_allow-host-ipv6_allow {
        }
        chain mangle_PRE_policy_allow-host-ipv6_post {
        }
}