Inter-communication between machines in the same bridge network is lost after reboots

Hi guys,

I’m trying to create a cyber range using Incus and I have run into some problems with the network settings. Some context about my environment:

  • I’m using Ubuntu 24.04 inside VMware Workstation as host machine
  • I’m running Incus 6.12

The environment I intend to create can be described as follows:

  • A router VM with one NAT bridge network (for the internet connection) and N bridge networks for N teams (team1 gets team1-net, and so on); the team networks do not have NAT
  • In each team network, I usually give the router VM the IP 10.254.X.1 (X = team number) and the team vulnbox (vulnerable machine) the IP 10.254.X.2
  • Therefore, this can be understood as an Attack-Defense scenario in which a player defends their own machine and attacks the other teams’ machines; all traffic is routed through the router to reach its destination.

This setup works normally right after provisioning (VM provisioning, netplan, iptables…), but after a few reboots, the machines in the same network (teamX-net) are unable to ping or find each other.

This is what I have tried:

  • arp -n on the router VM
root@router:~# arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
1.1.1.1                          (incomplete)                              enp6s0
8.8.8.8                          (incomplete)                              enp6s0
10.50.0.2                ether   10:66:6a:54:59:04   C                     enp5s0
10.254.2.2                       (incomplete)                              enp7s0
10.254.2.2               ether   10:66:6a:e5:e3:e8   C                     enp8s0
10.50.0.2                        (incomplete)                              enp8s0
10.0.0.254               ether   10:66:6a:8d:7d:ae   C                     enp5s0
10.254.1.2                       (incomplete)                              enp6s0
1.1.1.1                          (incomplete)                              enp7s0
8.8.8.8                          (incomplete)                              enp7s0
10.0.0.254               ether   10:66:6a:91:30:5c   C                     enp6s0
10.254.1.2               ether   10:66:6a:b0:da:79   C                     enp7s0
  • tcpdump on the vulnbox shows something different: it sees ARP requests from 10.254.2.1 (a team2-net address) looking for 10.254.2.2, an IP that this team1 machine does not own (i.e. 10.254.2.0/24 traffic is showing up on the 10.254.1.0/24 segment)
root@team1-vulnbox:~# sudo tcpdump -eni enp5s0 arp or icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp5s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
17:41:34.618042 10:66:6a:2d:aa:95 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.254.2.2 tell 10.254.2.1, length 28
17:41:41.258329 10:66:6a:2d:aa:95 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.254.2.2 tell 10.254.2.1, length 28
17:41:42.266028 10:66:6a:2d:aa:95 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.254.2.2 tell 10.254.2.1, length 28
17:41:43.290871 10:66:6a:2d:aa:95 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.254.2.2 tell 10.254.2.1, length 28
  • I also read the documentation on bridge networks, installed firewalld and added all interfaces to the trusted zone.

Here are the Incus settings:

roooter@roooter:~$ incus profile show attack-defense
config:
  limits.memory: 2GiB
description: ""
devices:
  root:
    path: /
    pool: default
    type: disk
name: attack-defense
used_by:
- /1.0/instances/router
- /1.0/instances/team1-vulnbox
- /1.0/instances/team2-vulnbox
- /1.0/instances/gameserver
project: default
roooter@roooter:~$ incus network show mgmt-net
config:
  ipv4.address: 10.0.0.254/24
  ipv4.nat: "true"
  ipv6.address: none
description: ""
name: mgmt-net
type: bridge
used_by:
- /1.0/instances/router
managed: true
status: Created
locations:
- none
project: default
roooter@roooter:~$ incus network show team1-net
config:
  ipv4.address: 10.254.1.254/24
  ipv4.nat: "false"
  ipv6.address: none
description: ""
name: team1-net
type: bridge
used_by:
- /1.0/instances/router
- /1.0/instances/team1-vulnbox
managed: true
status: Created
locations:
- none
project: default
roooter@roooter:~$ incus network show team2-net
config:
  ipv4.address: 10.254.2.254/24
  ipv4.nat: "false"
  ipv6.address: none
description: ""
name: team2-net
type: bridge
used_by:
- /1.0/instances/router
- /1.0/instances/team2-vulnbox
managed: true
status: Created
locations:
- none
project: default
roooter@roooter:~$ incus network show gameserver-net
config:
  ipv4.address: 10.50.0.254/24
  ipv4.nat: "false"
  ipv6.address: none
description: ""
name: gameserver-net
type: bridge
used_by:
- /1.0/instances/gameserver
- /1.0/instances/router
managed: true
status: Created
locations:
- none
project: default
roooter@roooter:~$ incus exec router bash
root@router:~# ip -br a
lo               UNKNOWN        127.0.0.1/8 ::1/128 
enp5s0           UP             10.0.0.1/24 fe80::1266:6aff:fe0d:3e10/64 
enp6s0           UP             10.254.1.1/24 fe80::1266:6aff:fe0b:33ae/64 
enp7s0           UP             10.254.2.1/24 fe80::1266:6aff:fe2d:aa95/64 
enp8s0           UP             10.50.0.1/24 fe80::1266:6aff:fea9:4917/64 
root@router:~# ping 10.254.1.2
PING 10.254.1.2 (10.254.1.2): 56 data bytes
^C^C^C^C92 bytes from 10.254.1.1: Destination Host Unreachable
--- 10.254.1.2 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
root@router:~# iptables-save
# Generated by iptables-save v1.8.7 on Mon Apr 28 17:37:45 2025
*nat
:PREROUTING ACCEPT [591:36896]
:INPUT ACCEPT [1:84]
:OUTPUT ACCEPT [30:2317]
:POSTROUTING ACCEPT [4:309]
-A POSTROUTING -o enp5s0 -j MASQUERADE
-A POSTROUTING -o enp6s0 -j MASQUERADE
-A POSTROUTING -o enp7s0 -j MASQUERADE
COMMIT
# Completed on Mon Apr 28 17:37:45 2025
root@router:~# cat /etc/netplan/10-lxc.yaml 
network:
  version: 2
  ethernets:
    enp5s0:
      addresses:
        - 10.0.0.1/24
      nameservers:
        addresses:
          - 8.8.8.8
          - 1.1.1.1
      routes:
        - to: default
          via: 10.0.0.254
    # team 1
    enp6s0:
      addresses:
        - 10.254.1.1/24
      nameservers:
        addresses:
          - 8.8.8.8
          - 1.1.1.1
    # team 2
    enp7s0:
      addresses:
        - 10.254.2.1/24
      nameservers:
        addresses:
          - 8.8.8.8
          - 1.1.1.1
    # gameserver
    enp8s0:
      addresses:
        - 10.50.0.1/24

root@router:~# 
exit
roooter@roooter:~$ incus exec team1-vulnbox bash
root@team1-vulnbox:~# ip -br a
lo               UNKNOWN        127.0.0.1/8 ::1/128 
enp5s0           UP             10.254.1.2/24 fe80::1266:6aff:feb0:da79/64 
root@team1-vulnbox:~# ping 10.254.1.1
PING 10.254.1.1 (10.254.1.1): 56 data bytes
^C--- 10.254.1.1 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
root@team1-vulnbox:~# 

I have been desperately looking for a solution. I hope to get some insights from the community on how to debug this problem. Have a good day, guys!

I forgot to include my nftables ruleset and firewalld zones from the host:

root@roooter:~# nft list ruleset
table inet firewalld {
	chain mangle_PREROUTING {
		type filter hook prerouting priority mangle + 10; policy accept;
		jump mangle_PREROUTING_POLICIES
	}

	chain mangle_PREROUTING_POLICIES {
		iifname "ens33" jump mangle_PRE_policy_allow-host-ipv6
		iifname "ens33" jump mangle_PRE_public
		iifname "ens33" return
		iifname "gameserver-net" jump mangle_PRE_policy_allow-host-ipv6
		iifname "gameserver-net" jump mangle_PRE_trusted
		iifname "gameserver-net" return
		iifname "mgmt-net" jump mangle_PRE_policy_allow-host-ipv6
		iifname "mgmt-net" jump mangle_PRE_trusted
		iifname "mgmt-net" return
		iifname "team1-net" jump mangle_PRE_policy_allow-host-ipv6
		iifname "team1-net" jump mangle_PRE_trusted
		iifname "team1-net" return
		iifname "team2-net" jump mangle_PRE_policy_allow-host-ipv6
		iifname "team2-net" jump mangle_PRE_trusted
		iifname "team2-net" return
		jump mangle_PRE_policy_allow-host-ipv6
		jump mangle_PRE_public
		return
	}

	chain nat_PREROUTING {
		type nat hook prerouting priority dstnat + 10; policy accept;
		jump nat_PREROUTING_POLICIES
	}

	chain nat_PREROUTING_POLICIES {
		iifname "ens33" jump nat_PRE_policy_allow-host-ipv6
		iifname "ens33" jump nat_PRE_public
		iifname "ens33" return
		iifname "gameserver-net" jump nat_PRE_policy_allow-host-ipv6
		iifname "gameserver-net" jump nat_PRE_trusted
		iifname "gameserver-net" return
		iifname "mgmt-net" jump nat_PRE_policy_allow-host-ipv6
		iifname "mgmt-net" jump nat_PRE_trusted
		iifname "mgmt-net" return
		iifname "team1-net" jump nat_PRE_policy_allow-host-ipv6
		iifname "team1-net" jump nat_PRE_trusted
		iifname "team1-net" return
		iifname "team2-net" jump nat_PRE_policy_allow-host-ipv6
		iifname "team2-net" jump nat_PRE_trusted
		iifname "team2-net" return
		jump nat_PRE_policy_allow-host-ipv6
		jump nat_PRE_public
		return
	}

	chain nat_POSTROUTING {
		type nat hook postrouting priority srcnat + 10; policy accept;
		jump nat_POSTROUTING_POLICIES
	}

	chain nat_POSTROUTING_POLICIES {
		iifname "ens33" oifname "ens33" jump nat_POST_public
		iifname "ens33" oifname "ens33" return
		iifname "gameserver-net" oifname "ens33" jump nat_POST_public
		iifname "gameserver-net" oifname "ens33" return
		iifname "mgmt-net" oifname "ens33" jump nat_POST_public
		iifname "mgmt-net" oifname "ens33" return
		iifname "team1-net" oifname "ens33" jump nat_POST_public
		iifname "team1-net" oifname "ens33" return
		iifname "team2-net" oifname "ens33" jump nat_POST_public
		iifname "team2-net" oifname "ens33" return
		oifname "ens33" jump nat_POST_public
		oifname "ens33" return
		iifname "ens33" oifname "gameserver-net" jump nat_POST_trusted
		iifname "ens33" oifname "gameserver-net" return
		iifname "gameserver-net" oifname "gameserver-net" jump nat_POST_trusted
		iifname "gameserver-net" oifname "gameserver-net" return
		iifname "mgmt-net" oifname "gameserver-net" jump nat_POST_trusted
		iifname "mgmt-net" oifname "gameserver-net" return
		iifname "team1-net" oifname "gameserver-net" jump nat_POST_trusted
		iifname "team1-net" oifname "gameserver-net" return
		iifname "team2-net" oifname "gameserver-net" jump nat_POST_trusted
		iifname "team2-net" oifname "gameserver-net" return
		oifname "gameserver-net" jump nat_POST_trusted
		oifname "gameserver-net" return
		iifname "ens33" oifname "mgmt-net" jump nat_POST_trusted
		iifname "ens33" oifname "mgmt-net" return
		iifname "gameserver-net" oifname "mgmt-net" jump nat_POST_trusted
		iifname "gameserver-net" oifname "mgmt-net" return
		iifname "mgmt-net" oifname "mgmt-net" jump nat_POST_trusted
		iifname "mgmt-net" oifname "mgmt-net" return
		iifname "team1-net" oifname "mgmt-net" jump nat_POST_trusted
		iifname "team1-net" oifname "mgmt-net" return
		iifname "team2-net" oifname "mgmt-net" jump nat_POST_trusted
		iifname "team2-net" oifname "mgmt-net" return
		oifname "mgmt-net" jump nat_POST_trusted
		oifname "mgmt-net" return
		iifname "ens33" oifname "team1-net" jump nat_POST_trusted
		iifname "ens33" oifname "team1-net" return
		iifname "gameserver-net" oifname "team1-net" jump nat_POST_trusted
		iifname "gameserver-net" oifname "team1-net" return
		iifname "mgmt-net" oifname "team1-net" jump nat_POST_trusted
		iifname "mgmt-net" oifname "team1-net" return
		iifname "team1-net" oifname "team1-net" jump nat_POST_trusted
		iifname "team1-net" oifname "team1-net" return
		iifname "team2-net" oifname "team1-net" jump nat_POST_trusted
		iifname "team2-net" oifname "team1-net" return
		oifname "team1-net" jump nat_POST_trusted
		oifname "team1-net" return
		iifname "ens33" oifname "team2-net" jump nat_POST_trusted
		iifname "ens33" oifname "team2-net" return
		iifname "gameserver-net" oifname "team2-net" jump nat_POST_trusted
		iifname "gameserver-net" oifname "team2-net" return
		iifname "mgmt-net" oifname "team2-net" jump nat_POST_trusted
		iifname "mgmt-net" oifname "team2-net" return
		iifname "team1-net" oifname "team2-net" jump nat_POST_trusted
		iifname "team1-net" oifname "team2-net" return
		iifname "team2-net" oifname "team2-net" jump nat_POST_trusted
		iifname "team2-net" oifname "team2-net" return
		oifname "team2-net" jump nat_POST_trusted
		oifname "team2-net" return
		iifname "ens33" jump nat_POST_public
		iifname "ens33" return
		iifname "gameserver-net" jump nat_POST_public
		iifname "gameserver-net" return
		iifname "mgmt-net" jump nat_POST_public
		iifname "mgmt-net" return
		iifname "team1-net" jump nat_POST_public
		iifname "team1-net" return
		iifname "team2-net" jump nat_POST_public
		iifname "team2-net" return
		jump nat_POST_public
		return
	}

	chain nat_OUTPUT {
		type nat hook output priority dstnat + 10; policy accept;
		jump nat_OUTPUT_POLICIES
	}

	chain nat_OUTPUT_POLICIES {
		oifname "ens33" jump nat_OUT_public
		oifname "ens33" return
		oifname "gameserver-net" jump nat_OUT_trusted
		oifname "gameserver-net" return
		oifname "mgmt-net" jump nat_OUT_trusted
		oifname "mgmt-net" return
		oifname "team1-net" jump nat_OUT_trusted
		oifname "team1-net" return
		oifname "team2-net" jump nat_OUT_trusted
		oifname "team2-net" return
		jump nat_OUT_public
		return
	}

	chain filter_PREROUTING {
		type filter hook prerouting priority filter + 10; policy accept;
		icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
		meta nfproto ipv6 fib saddr . mark . iif oif missing drop
	}

	chain filter_INPUT {
		type filter hook input priority filter + 10; policy accept;
		ct state { established, related } accept
		ct status dnat accept
		iifname "lo" accept
		ct state invalid drop
		jump filter_INPUT_POLICIES
		reject with icmpx admin-prohibited
	}

	chain filter_FORWARD {
		type filter hook forward priority filter + 10; policy accept;
		ct state { established, related } accept
		ct status dnat accept
		iifname "lo" accept
		ct state invalid drop
		ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
		jump filter_FORWARD_POLICIES
		reject with icmpx admin-prohibited
	}

	chain filter_OUTPUT {
		type filter hook output priority filter + 10; policy accept;
		ct state { established, related } accept
		oifname "lo" accept
		ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
		jump filter_OUTPUT_POLICIES
	}

	chain filter_INPUT_POLICIES {
		iifname "ens33" jump filter_IN_policy_allow-host-ipv6
		iifname "ens33" jump filter_IN_public
		iifname "ens33" reject with icmpx admin-prohibited
		iifname "gameserver-net" jump filter_IN_policy_allow-host-ipv6
		iifname "gameserver-net" jump filter_IN_trusted
		iifname "gameserver-net" accept
		iifname "mgmt-net" jump filter_IN_policy_allow-host-ipv6
		iifname "mgmt-net" jump filter_IN_trusted
		iifname "mgmt-net" accept
		iifname "team1-net" jump filter_IN_policy_allow-host-ipv6
		iifname "team1-net" jump filter_IN_trusted
		iifname "team1-net" accept
		iifname "team2-net" jump filter_IN_policy_allow-host-ipv6
		iifname "team2-net" jump filter_IN_trusted
		iifname "team2-net" accept
		jump filter_IN_policy_allow-host-ipv6
		jump filter_IN_public
		reject with icmpx admin-prohibited
	}

	chain filter_FORWARD_POLICIES {
		iifname "ens33" oifname "ens33" jump filter_FWD_public
		iifname "ens33" oifname "ens33" reject with icmpx admin-prohibited
		iifname "ens33" oifname "gameserver-net" jump filter_FWD_public
		iifname "ens33" oifname "gameserver-net" reject with icmpx admin-prohibited
		iifname "ens33" oifname "mgmt-net" jump filter_FWD_public
		iifname "ens33" oifname "mgmt-net" reject with icmpx admin-prohibited
		iifname "ens33" oifname "team1-net" jump filter_FWD_public
		iifname "ens33" oifname "team1-net" reject with icmpx admin-prohibited
		iifname "ens33" oifname "team2-net" jump filter_FWD_public
		iifname "ens33" oifname "team2-net" reject with icmpx admin-prohibited
		iifname "ens33" jump filter_FWD_public
		iifname "ens33" reject with icmpx admin-prohibited
		iifname "gameserver-net" oifname "ens33" jump filter_FWD_trusted
		iifname "gameserver-net" oifname "ens33" accept
		iifname "gameserver-net" oifname "gameserver-net" jump filter_FWD_trusted
		iifname "gameserver-net" oifname "gameserver-net" accept
		iifname "gameserver-net" oifname "mgmt-net" jump filter_FWD_trusted
		iifname "gameserver-net" oifname "mgmt-net" accept
		iifname "gameserver-net" oifname "team1-net" jump filter_FWD_trusted
		iifname "gameserver-net" oifname "team1-net" accept
		iifname "gameserver-net" oifname "team2-net" jump filter_FWD_trusted
		iifname "gameserver-net" oifname "team2-net" accept
		iifname "gameserver-net" jump filter_FWD_trusted
		iifname "gameserver-net" accept
		iifname "mgmt-net" oifname "ens33" jump filter_FWD_trusted
		iifname "mgmt-net" oifname "ens33" accept
		iifname "mgmt-net" oifname "gameserver-net" jump filter_FWD_trusted
		iifname "mgmt-net" oifname "gameserver-net" accept
		iifname "mgmt-net" oifname "mgmt-net" jump filter_FWD_trusted
		iifname "mgmt-net" oifname "mgmt-net" accept
		iifname "mgmt-net" oifname "team1-net" jump filter_FWD_trusted
		iifname "mgmt-net" oifname "team1-net" accept
		iifname "mgmt-net" oifname "team2-net" jump filter_FWD_trusted
		iifname "mgmt-net" oifname "team2-net" accept
		iifname "mgmt-net" jump filter_FWD_trusted
		iifname "mgmt-net" accept
		iifname "team1-net" oifname "ens33" jump filter_FWD_trusted
		iifname "team1-net" oifname "ens33" accept
		iifname "team1-net" oifname "gameserver-net" jump filter_FWD_trusted
		iifname "team1-net" oifname "gameserver-net" accept
		iifname "team1-net" oifname "mgmt-net" jump filter_FWD_trusted
		iifname "team1-net" oifname "mgmt-net" accept
		iifname "team1-net" oifname "team1-net" jump filter_FWD_trusted
		iifname "team1-net" oifname "team1-net" accept
		iifname "team1-net" oifname "team2-net" jump filter_FWD_trusted
		iifname "team1-net" oifname "team2-net" accept
		iifname "team1-net" jump filter_FWD_trusted
		iifname "team1-net" accept
		iifname "team2-net" oifname "ens33" jump filter_FWD_trusted
		iifname "team2-net" oifname "ens33" accept
		iifname "team2-net" oifname "gameserver-net" jump filter_FWD_trusted
		iifname "team2-net" oifname "gameserver-net" accept
		iifname "team2-net" oifname "mgmt-net" jump filter_FWD_trusted
		iifname "team2-net" oifname "mgmt-net" accept
		iifname "team2-net" oifname "team1-net" jump filter_FWD_trusted
		iifname "team2-net" oifname "team1-net" accept
		iifname "team2-net" oifname "team2-net" jump filter_FWD_trusted
		iifname "team2-net" oifname "team2-net" accept
		iifname "team2-net" jump filter_FWD_trusted
		iifname "team2-net" accept
		oifname "ens33" jump filter_FWD_public
		oifname "ens33" reject with icmpx admin-prohibited
		oifname "gameserver-net" jump filter_FWD_public
		oifname "gameserver-net" reject with icmpx admin-prohibited
		oifname "mgmt-net" jump filter_FWD_public
		oifname "mgmt-net" reject with icmpx admin-prohibited
		oifname "team1-net" jump filter_FWD_public
		oifname "team1-net" reject with icmpx admin-prohibited
		oifname "team2-net" jump filter_FWD_public
		oifname "team2-net" reject with icmpx admin-prohibited
		jump filter_FWD_public
		reject with icmpx admin-prohibited
	}

	chain filter_OUTPUT_POLICIES {
		oifname "ens33" jump filter_OUT_public
		oifname "ens33" return
		oifname "gameserver-net" jump filter_OUT_trusted
		oifname "gameserver-net" return
		oifname "mgmt-net" jump filter_OUT_trusted
		oifname "mgmt-net" return
		oifname "team1-net" jump filter_OUT_trusted
		oifname "team1-net" return
		oifname "team2-net" jump filter_OUT_trusted
		oifname "team2-net" return
		jump filter_OUT_public
		return
	}

	chain filter_IN_public {
		jump filter_IN_public_pre
		jump filter_IN_public_log
		jump filter_IN_public_deny
		jump filter_IN_public_allow
		jump filter_IN_public_post
		meta l4proto { icmp, ipv6-icmp } accept
	}

	chain filter_IN_public_pre {
	}

	chain filter_IN_public_log {
	}

	chain filter_IN_public_deny {
	}

	chain filter_IN_public_allow {
		tcp dport 22 accept
		ip6 daddr fe80::/64 udp dport 546 accept
	}

	chain filter_IN_public_post {
	}

	chain filter_OUT_public {
		jump filter_OUT_public_pre
		jump filter_OUT_public_log
		jump filter_OUT_public_deny
		jump filter_OUT_public_allow
		jump filter_OUT_public_post
	}

	chain filter_OUT_public_pre {
	}

	chain filter_OUT_public_log {
	}

	chain filter_OUT_public_deny {
	}

	chain filter_OUT_public_allow {
	}

	chain filter_OUT_public_post {
	}

	chain nat_OUT_public {
		jump nat_OUT_public_pre
		jump nat_OUT_public_log
		jump nat_OUT_public_deny
		jump nat_OUT_public_allow
		jump nat_OUT_public_post
	}

	chain nat_OUT_public_pre {
	}

	chain nat_OUT_public_log {
	}

	chain nat_OUT_public_deny {
	}

	chain nat_OUT_public_allow {
	}

	chain nat_OUT_public_post {
	}

	chain nat_POST_public {
		jump nat_POST_public_pre
		jump nat_POST_public_log
		jump nat_POST_public_deny
		jump nat_POST_public_allow
		jump nat_POST_public_post
	}

	chain nat_POST_public_pre {
	}

	chain nat_POST_public_log {
	}

	chain nat_POST_public_deny {
	}

	chain nat_POST_public_allow {
	}

	chain nat_POST_public_post {
	}

	chain filter_FWD_public {
		jump filter_FWD_public_pre
		jump filter_FWD_public_log
		jump filter_FWD_public_deny
		jump filter_FWD_public_allow
		jump filter_FWD_public_post
	}

	chain filter_FWD_public_pre {
	}

	chain filter_FWD_public_log {
	}

	chain filter_FWD_public_deny {
	}

	chain filter_FWD_public_allow {
		oifname "ens33" accept
	}

	chain filter_FWD_public_post {
	}

	chain nat_PRE_public {
		jump nat_PRE_public_pre
		jump nat_PRE_public_log
		jump nat_PRE_public_deny
		jump nat_PRE_public_allow
		jump nat_PRE_public_post
	}

	chain nat_PRE_public_pre {
	}

	chain nat_PRE_public_log {
	}

	chain nat_PRE_public_deny {
	}

	chain nat_PRE_public_allow {
	}

	chain nat_PRE_public_post {
	}

	chain mangle_PRE_public {
		jump mangle_PRE_public_pre
		jump mangle_PRE_public_log
		jump mangle_PRE_public_deny
		jump mangle_PRE_public_allow
		jump mangle_PRE_public_post
	}

	chain mangle_PRE_public_pre {
	}

	chain mangle_PRE_public_log {
	}

	chain mangle_PRE_public_deny {
	}

	chain mangle_PRE_public_allow {
	}

	chain mangle_PRE_public_post {
	}

	chain filter_IN_trusted {
		jump filter_IN_trusted_pre
		jump filter_IN_trusted_log
		jump filter_IN_trusted_deny
		jump filter_IN_trusted_allow
		jump filter_IN_trusted_post
	}

	chain filter_IN_trusted_pre {
	}

	chain filter_IN_trusted_log {
	}

	chain filter_IN_trusted_deny {
	}

	chain filter_IN_trusted_allow {
	}

	chain filter_IN_trusted_post {
	}

	chain filter_OUT_trusted {
		jump filter_OUT_trusted_pre
		jump filter_OUT_trusted_log
		jump filter_OUT_trusted_deny
		jump filter_OUT_trusted_allow
		jump filter_OUT_trusted_post
	}

	chain filter_OUT_trusted_pre {
	}

	chain filter_OUT_trusted_log {
	}

	chain filter_OUT_trusted_deny {
	}

	chain filter_OUT_trusted_allow {
	}

	chain filter_OUT_trusted_post {
	}

	chain nat_OUT_trusted {
		jump nat_OUT_trusted_pre
		jump nat_OUT_trusted_log
		jump nat_OUT_trusted_deny
		jump nat_OUT_trusted_allow
		jump nat_OUT_trusted_post
	}

	chain nat_OUT_trusted_pre {
	}

	chain nat_OUT_trusted_log {
	}

	chain nat_OUT_trusted_deny {
	}

	chain nat_OUT_trusted_allow {
	}

	chain nat_OUT_trusted_post {
	}

	chain nat_POST_trusted {
		jump nat_POST_trusted_pre
		jump nat_POST_trusted_log
		jump nat_POST_trusted_deny
		jump nat_POST_trusted_allow
		jump nat_POST_trusted_post
	}

	chain nat_POST_trusted_pre {
	}

	chain nat_POST_trusted_log {
	}

	chain nat_POST_trusted_deny {
	}

	chain nat_POST_trusted_allow {
	}

	chain nat_POST_trusted_post {
	}

	chain filter_FWD_trusted {
		jump filter_FWD_trusted_pre
		jump filter_FWD_trusted_log
		jump filter_FWD_trusted_deny
		jump filter_FWD_trusted_allow
		jump filter_FWD_trusted_post
	}

	chain filter_FWD_trusted_pre {
	}

	chain filter_FWD_trusted_log {
	}

	chain filter_FWD_trusted_deny {
	}

	chain filter_FWD_trusted_allow {
		oifname "mgmt-net" accept
		oifname "team1-net" accept
		oifname "team2-net" accept
		oifname "gameserver-net" accept
	}

	chain filter_FWD_trusted_post {
	}

	chain nat_PRE_trusted {
		jump nat_PRE_trusted_pre
		jump nat_PRE_trusted_log
		jump nat_PRE_trusted_deny
		jump nat_PRE_trusted_allow
		jump nat_PRE_trusted_post
	}

	chain nat_PRE_trusted_pre {
	}

	chain nat_PRE_trusted_log {
	}

	chain nat_PRE_trusted_deny {
	}

	chain nat_PRE_trusted_allow {
	}

	chain nat_PRE_trusted_post {
	}

	chain mangle_PRE_trusted {
		jump mangle_PRE_trusted_pre
		jump mangle_PRE_trusted_log
		jump mangle_PRE_trusted_deny
		jump mangle_PRE_trusted_allow
		jump mangle_PRE_trusted_post
	}

	chain mangle_PRE_trusted_pre {
	}

	chain mangle_PRE_trusted_log {
	}

	chain mangle_PRE_trusted_deny {
	}

	chain mangle_PRE_trusted_allow {
	}

	chain mangle_PRE_trusted_post {
	}

	chain filter_IN_policy_allow-host-ipv6 {
		jump filter_IN_policy_allow-host-ipv6_pre
		jump filter_IN_policy_allow-host-ipv6_log
		jump filter_IN_policy_allow-host-ipv6_deny
		jump filter_IN_policy_allow-host-ipv6_allow
		jump filter_IN_policy_allow-host-ipv6_post
	}

	chain filter_IN_policy_allow-host-ipv6_pre {
	}

	chain filter_IN_policy_allow-host-ipv6_log {
	}

	chain filter_IN_policy_allow-host-ipv6_deny {
	}

	chain filter_IN_policy_allow-host-ipv6_allow {
		icmpv6 type nd-neighbor-advert accept
		icmpv6 type nd-neighbor-solicit accept
		icmpv6 type nd-router-advert accept
		icmpv6 type nd-redirect accept
	}

	chain filter_IN_policy_allow-host-ipv6_post {
	}

	chain nat_PRE_policy_allow-host-ipv6 {
		jump nat_PRE_policy_allow-host-ipv6_pre
		jump nat_PRE_policy_allow-host-ipv6_log
		jump nat_PRE_policy_allow-host-ipv6_deny
		jump nat_PRE_policy_allow-host-ipv6_allow
		jump nat_PRE_policy_allow-host-ipv6_post
	}

	chain nat_PRE_policy_allow-host-ipv6_pre {
	}

	chain nat_PRE_policy_allow-host-ipv6_log {
	}

	chain nat_PRE_policy_allow-host-ipv6_deny {
	}

	chain nat_PRE_policy_allow-host-ipv6_allow {
	}

	chain nat_PRE_policy_allow-host-ipv6_post {
	}

	chain mangle_PRE_policy_allow-host-ipv6 {
		jump mangle_PRE_policy_allow-host-ipv6_pre
		jump mangle_PRE_policy_allow-host-ipv6_log
		jump mangle_PRE_policy_allow-host-ipv6_deny
		jump mangle_PRE_policy_allow-host-ipv6_allow
		jump mangle_PRE_policy_allow-host-ipv6_post
	}

	chain mangle_PRE_policy_allow-host-ipv6_pre {
	}

	chain mangle_PRE_policy_allow-host-ipv6_log {
	}

	chain mangle_PRE_policy_allow-host-ipv6_deny {
	}

	chain mangle_PRE_policy_allow-host-ipv6_allow {
	}

	chain mangle_PRE_policy_allow-host-ipv6_post {
	}
}
table inet incus {
	chain pstrt.mgmt-net {
		type nat hook postrouting priority srcnat; policy accept;
		ip saddr 10.0.0.0/24 ip daddr != 10.0.0.0/24 masquerade
	}

	chain fwd.mgmt-net {
		type filter hook forward priority filter; policy accept;
		ip version 4 oifname "mgmt-net" accept
		ip version 4 iifname "mgmt-net" accept
	}

	chain in.mgmt-net {
		type filter hook input priority filter; policy accept;
		iifname "mgmt-net" tcp dport 53 accept
		iifname "mgmt-net" udp dport 53 accept
		iifname "mgmt-net" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
		iifname "mgmt-net" udp dport 67 accept
	}

	chain out.mgmt-net {
		type filter hook output priority filter; policy accept;
		oifname "mgmt-net" tcp sport 53 accept
		oifname "mgmt-net" udp sport 53 accept
		oifname "mgmt-net" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
		oifname "mgmt-net" udp sport 67 accept
	}

	chain fwd.team1-net {
		type filter hook forward priority filter; policy accept;
		ip version 4 oifname "team1-net" accept
		ip version 4 iifname "team1-net" accept
	}

	chain in.team1-net {
		type filter hook input priority filter; policy accept;
		iifname "team1-net" tcp dport 53 accept
		iifname "team1-net" udp dport 53 accept
		iifname "team1-net" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
		iifname "team1-net" udp dport 67 accept
	}

	chain out.team1-net {
		type filter hook output priority filter; policy accept;
		oifname "team1-net" tcp sport 53 accept
		oifname "team1-net" udp sport 53 accept
		oifname "team1-net" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
		oifname "team1-net" udp sport 67 accept
	}

	chain fwd.team2-net {
		type filter hook forward priority filter; policy accept;
		ip version 4 oifname "team2-net" accept
		ip version 4 iifname "team2-net" accept
	}

	chain in.team2-net {
		type filter hook input priority filter; policy accept;
		iifname "team2-net" tcp dport 53 accept
		iifname "team2-net" udp dport 53 accept
		iifname "team2-net" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
		iifname "team2-net" udp dport 67 accept
	}

	chain out.team2-net {
		type filter hook output priority filter; policy accept;
		oifname "team2-net" tcp sport 53 accept
		oifname "team2-net" udp sport 53 accept
		oifname "team2-net" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
		oifname "team2-net" udp sport 67 accept
	}

	chain fwd.gameserver-net {
		type filter hook forward priority filter; policy accept;
		ip version 4 oifname "gameserver-net" accept
		ip version 4 iifname "gameserver-net" accept
	}

	chain in.gameserver-net {
		type filter hook input priority filter; policy accept;
		iifname "gameserver-net" tcp dport 53 accept
		iifname "gameserver-net" udp dport 53 accept
		iifname "gameserver-net" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
		iifname "gameserver-net" udp dport 67 accept
	}

	chain out.gameserver-net {
		type filter hook output priority filter; policy accept;
		oifname "gameserver-net" tcp sport 53 accept
		oifname "gameserver-net" udp sport 53 accept
		oifname "gameserver-net" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
		oifname "gameserver-net" udp sport 67 accept
	}

	chain pstrt.incusbr0 {
		type nat hook postrouting priority srcnat; policy accept;
		ip saddr 10.59.16.0/24 ip daddr != 10.59.16.0/24 masquerade
		ip6 saddr fd42:6942:e80d:44b5::/64 ip6 daddr != fd42:6942:e80d:44b5::/64 masquerade
	}

	chain fwd.incusbr0 {
		type filter hook forward priority filter; policy accept;
		ip version 4 oifname "incusbr0" accept
		ip version 4 iifname "incusbr0" accept
		ip6 version 6 oifname "incusbr0" accept
		ip6 version 6 iifname "incusbr0" accept
	}

	chain in.incusbr0 {
		type filter hook input priority filter; policy accept;
		iifname "incusbr0" tcp dport 53 accept
		iifname "incusbr0" udp dport 53 accept
		iifname "incusbr0" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
		iifname "incusbr0" udp dport 67 accept
		iifname "incusbr0" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert, mld2-listener-report } accept
		iifname "incusbr0" udp dport 547 accept
	}

	chain out.incusbr0 {
		type filter hook output priority filter; policy accept;
		oifname "incusbr0" tcp sport 53 accept
		oifname "incusbr0" udp sport 53 accept
		oifname "incusbr0" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
		oifname "incusbr0" udp sport 67 accept
		oifname "incusbr0" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld2-listener-report } accept
		oifname "incusbr0" udp sport 547 accept
	}
}
root@roooter:~# firewall-cmd --get-active-zones
public (default)
  interfaces: ens33
trusted
  interfaces: mgmt-net team1-net team2-net gameserver-net