Hi,
Sorry if this has already been answered, but I couldn't find the answer with Google.
I'm a new OMV user and still discovering this software. On a fresh install on an x86 platform, version 6.3.4-1 (Shaitan), OMV has set up a virtual network interface named vethb14b8798 with the IP 172.16.16.1. This IP isn't shown in the GUI, only the interface.
I don't have Docker or any other virtualization/containerisation running on this machine, and my LAN is 192.168.x.x based. Additionally, there is a list of rules in iptables that I never set up and that are not listed in the GUI; they look to be linked to this virtual interface.
So my question is: what is the purpose of this interface? Can it be removed? Same question for these iptables rules.
Below is the output of my iptables-save; I only added the rules on lines 8 to 37:
- # Generated by iptables-save v1.8.7 on Sun Mar 19 01:37:45 2023
- *filter
- :INPUT ACCEPT [3:156]
- :FORWARD ACCEPT [0:0]
- :OUTPUT ACCEPT [3503:1762309]
- :CNI-ADMIN - [0:0]
- :CNI-FORWARD - [0:0]
- -A INPUT -s 192.168.0.0/16 -p icmp -j ACCEPT
- -A INPUT -s 192.168.100.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
- -A INPUT -s 192.168.100.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
- -A INPUT -s 192.168.100.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
- -A INPUT -s 192.168.100.0/24 -p tcp -m tcp --dport 3670 -j ACCEPT
- -A INPUT -s 192.168.100.0/24 -p tcp -m tcp --dport 137 -j ACCEPT
- -A INPUT -s 192.168.100.0/24 -p udp -m udp --dport 137:138 -j ACCEPT
- -A INPUT -s 192.168.100.0/24 -p tcp -m tcp --dport 139 -j ACCEPT
- -A INPUT -s 192.168.100.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
- -A INPUT -s 192.168.101.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
- -A INPUT -s 192.168.101.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
- -A INPUT -s 192.168.101.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
- -A INPUT -s 192.168.101.0/24 -p tcp -m tcp --dport 3670 -j ACCEPT
- -A INPUT -s 192.168.101.0/24 -p tcp -m tcp --dport 137 -j ACCEPT
- -A INPUT -s 192.168.101.0/24 -p udp -m udp --dport 137:138 -j ACCEPT
- -A INPUT -s 192.168.101.0/24 -p tcp -m tcp --dport 139 -j ACCEPT
- -A INPUT -s 192.168.101.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
- -A INPUT -s 192.168.250.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
- -A INPUT -s 192.168.250.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
- -A INPUT -s 192.168.250.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
- -A INPUT -s 192.168.250.0/24 -p tcp -m tcp --dport 3670 -j ACCEPT
- -A INPUT -s 192.168.250.0/24 -p tcp -m tcp --dport 137 -j ACCEPT
- -A INPUT -s 192.168.250.0/24 -p udp -m udp --dport 137:138 -j ACCEPT
- -A INPUT -s 192.168.250.0/24 -p tcp -m tcp --dport 139 -j ACCEPT
- -A INPUT -s 192.168.250.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
- -A INPUT -s 192.168.105.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
- -A INPUT -s 192.168.110.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
- -A INPUT -s 192.168.254.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
- -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A INPUT -j DROP
- -A FORWARD -m comment --comment "CNI firewall plugin rules" -j CNI-FORWARD
- -A CNI-FORWARD -m comment --comment "CNI firewall plugin admin overrides" -j CNI-ADMIN
- -A CNI-FORWARD -d 172.16.16.12/32 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A CNI-FORWARD -s 172.16.16.12/32 -j ACCEPT
- COMMIT
- # Completed on Sun Mar 19 01:37:46 2023
- # Generated by iptables-save v1.8.7 on Sun Mar 19 01:37:46 2023
- *nat
- :PREROUTING ACCEPT [0:0]
- :INPUT ACCEPT [0:0]
- :OUTPUT ACCEPT [0:0]
- :POSTROUTING ACCEPT [0:0]
- :CNI-6db8a19062897a12ab5f624d - [0:0]
- :CNI-DN-6db8a19062897a12ab5f6 - [0:0]
- :CNI-HOSTPORT-DNAT - [0:0]
- :CNI-HOSTPORT-MASQ - [0:0]
- :CNI-HOSTPORT-SETMARK - [0:0]
- -A PREROUTING -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
- -A OUTPUT -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
- -A POSTROUTING -m comment --comment "CNI portfwd requiring masquerade" -j CNI-HOSTPORT-MASQ
- -A POSTROUTING -s 172.16.16.12/32 -m comment --comment "name: \"podman\" id: \"8c5d3b0a9616a6e3be969fb733bf2becfd331056756e7599826c1c0f3549d67d\"" -j CNI-6db8a19062897a12ab5f624d
- -A CNI-6db8a19062897a12ab5f624d -d 172.16.16.0/24 -m comment --comment "name: \"podman\" id: \"8c5d3b0a9616a6e3be969fb733bf2becfd331056756e7599826c1c0f3549d67d\"" -j ACCEPT
- -A CNI-6db8a19062897a12ab5f624d ! -d 224.0.0.0/4 -m comment --comment "name: \"podman\" id: \"8c5d3b0a9616a6e3be969fb733bf2becfd331056756e7599826c1c0f3549d67d\"" -j MASQUERADE
- -A CNI-DN-6db8a19062897a12ab5f6 -s 172.16.16.0/24 -p tcp -m tcp --dport 3670 -j CNI-HOSTPORT-SETMARK
- -A CNI-DN-6db8a19062897a12ab5f6 -s 127.0.0.1/32 -p tcp -m tcp --dport 3670 -j CNI-HOSTPORT-SETMARK
- -A CNI-DN-6db8a19062897a12ab5f6 -p tcp -m tcp --dport 3670 -j DNAT --to-destination 172.16.16.12:8443
- -A CNI-HOSTPORT-DNAT -p tcp -m comment --comment "dnat name: \"podman\" id: \"8c5d3b0a9616a6e3be969fb733bf2becfd331056756e7599826c1c0f3549d67d\"" -m multiport --dports 3670 -j CNI-DN-6db8a19062897a12ab5f6
- -A CNI-HOSTPORT-MASQ -m mark --mark 0x2000/0x2000 -j MASQUERADE
- -A CNI-HOSTPORT-SETMARK -m comment --comment "CNI portfwd masquerade mark" -j MARK --set-xmark 0x2000/0x2000
- COMMIT
- # Completed on Sun Mar 19 01:37:46 2023
Thank you for your support.