The problem is there is no source NAT rule added in the iptables nat table on the router.
Why is the source NAT rule not added on the router?
In your network IP addresses, do you have a source NAT IP?
Thanks,
Jayapal
On 28-Jun-2013, at 8:06 AM, WXR <474745079@qq.com> wrote:
> I try to add the rule "iptables -A FW_OUTBOUND -j ACCEPT" to the vrouter firewall but unfortunately it takes no effect.
>
> This is the iptables rules in file "/etc/iptables/rules"
>
> *nat
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> COMMIT
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> :FW_OUTBOUND - [0:0]
> -A INPUT -d 224.0.0.18/32 -j ACCEPT
> -A INPUT -d 225.0.0.50/32 -j ACCEPT
> -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
> -A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
> -A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
> -A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
> -I FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
> COMMIT
> *mangle
> :PREROUTING ACCEPT [0:0]
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> -A PREROUTING -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
> -A POSTROUTING -p udp --dport bootpc -j CHECKSUM --checksum-fill
> COMMIT
>
> Is there anything wrong?
>
>
>
> ------------------ Original ------------------
> From: ""<emunoz@intecom.ad>;
> Date: Thu, Jun 27, 2013 06:40 PM
> To: "users@cloudstack.apache.org"<users@cloudstack.apache.org>;
>
> Subject: RE: How to create a network offering without firewall?
>
>
>
> I had this issue too some days ago. I solved it by logging into the Virtual Router over ssh and adding this rule to the Firewall:
>
> iptables -A FW_OUTBOUND -j ACCEPT
>
> I hope this helps.
>
> Regards
>
> -----Original Message-----
> From: Jayapal Reddy Uradi [mailto:jayapalreddy.uradi@citrix.com]
> Sent: Thursday, 27 June 2013 12:37
> To: <users@cloudstack.apache.org>
> Subject: Re: How to create a network offering without firewall?
>
> Is the Internet accessible from the router?
> If it is accessible, please send the router iptables rules via pastebin.com
>
> Thanks,
> jayapal
>
> On 27-Jun-2013, at 3:34 PM, WXR <474745079@qq.com> wrote:
>
>> Sorry, the instance can access the vrouter gateway IP, but can not access the Internet.
>>
>>
>> ------------------ Original ------------------
>> From: "WXR"<474745079@qq.com>;
>> Date: Thu, Jun 27, 2013 06:01 PM
>> To: "users"<users@cloudstack.apache.org>;
>>
>> Subject: Re: How to create a network offering without firewall?
>>
>>
>>
>> I have added an egress rule like this:
>> Source CIDR  Protocol  Start Port  End Port
>> 0.0.0.0/0    All       All         All
>>
>> The vrouter vm can also access the Internet.
>> But the instance vm is still able to access the vrouter gateway IP and the Internet.
>>
>>
>>
>>
>> ------------------ Original ------------------
>> From: "Murali Reddy"<Murali.Reddy@citrix.com>;
>> Date: Thu, Jun 27, 2013 05:21 PM
>> To: "users@cloudstack.apache.org"<users@cloudstack.apache.org>;
>>
>> Subject: Re: How to create a network offering without firewall?
>>
>>
>>
>>
>> Yes, egress firewall default action is 'BLOCK'. Here is a nice blog from Radhika:
>> http://writersopendiary.wordpress.com/2013/05/27/egress-firewall-rules-in-apache-cloudstack/
>>
>> On 27/06/13 2:21 PM, "WXR" <474745079@qq.com> wrote:
>>
>>> By the way, when I select the default guestnetworkwithsourceNAT and
>>> create an instance, the vm can not access the Internet. Is this a
>>> default setting? How can I let the vm access the Internet?
>>>
>>>
>>>
>>>
>>> ------------------ Original ------------------
>>> From: "Murali Reddy"<Murali.Reddy@citrix.com>;
>>> Date: Thu, Jun 27, 2013 04:46 PM
>>> To: "users@cloudstack.apache.org"<users@cloudstack.apache.org>;
>>>
>>> Subject: Re: How to create a network offering without firewall?
>>>
>>>
>>>
>>>
>>> Also, by default all the ports that will be used by edge services are
>>> blocked by iptable config in the router VM templates. They needed to
>>> be opened explicitly with firewall rules.
>>>
>>> On 27/06/13 2:08 PM, "Jayapal Reddy Uradi" <jayapalreddy.uradi@citrix.com> wrote:
>>>
>>>> Without a firewall provider you can't have sourceNAT and static NAT
>>>> services because these services are provided by the firewall provider only.
>>>>
>>>> Thanks,
>>>> Jayapal
>>>>
>>>> On 27-Jun-2013, at 1:35 PM, WXR <474745079@qq.com> wrote:
>>>>
>>>>> If I create a new network offering and check dns, dhcp, userdata,
>>>>> sourceNAT and staticNAT, but do not check the firewall service, the
>>>>> firewall will be added into it automatically.
>>>>> I don't need the firewall service, how can I create a network
>>>>> offering without firewall?
>>>>
>>>>
>>>
>>>
>>
>>
>
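The two faults discussed in this thread, a nat table with no source NAT rule (the top message) and an FW_OUTBOUND chain that never accepts new flows (the rule added by hand over ssh), can be checked from an iptables-save dump. The script below is an added example, not code from the thread or from CloudStack; the embedded dump is a constructed sample that mirrors the posted rules, and the interface name eth2 is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread or from CloudStack: check an
# iptables-save style dump for the two conditions discussed above.

# Constructed sample dump mirroring the posted rules: the nat table has no
# SNAT/MASQUERADE rule and FW_OUTBOUND only accepts RELATED,ESTABLISHED.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD DROP [0:0]
:FW_OUTBOUND - [0:0]
-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
-A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# has_source_nat DUMP: exit 0 when the nat table's POSTROUTING chain holds
# an SNAT or MASQUERADE rule, so guest traffic is translated on the way out.
has_source_nat() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /^-A POSTROUTING / && /-j (SNAT|MASQUERADE)/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# egress_allows_new DUMP: exit 0 when FW_OUTBOUND carries an unconditional
# ACCEPT (the rule added by hand in the thread), i.e. new egress flows pass.
egress_allows_new() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^-[AI] FW_OUTBOUND -j ACCEPT$/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# report DUMP: one line per check; the exit status is the number of failures.
report() {
    fails=0
    if has_source_nat "$1"; then echo "nat: source NAT rule present"
    else echo "nat: no SNAT/MASQUERADE in POSTROUTING, guests cannot reach the Internet"
         fails=$((fails + 1)); fi
    if egress_allows_new "$1"; then echo "filter: FW_OUTBOUND accepts new egress"
    else echo "filter: FW_OUTBOUND has no ACCEPT for new flows (egress default BLOCK)"
         fails=$((fails + 1)); fi
    return $fails
}

# On a router: report "$(iptables-save)". Here the constructed sample is checked.
report "$SAMPLE_RULES" || :
```

Both checks fail on the sample, which matches the thread: the guest can reach the gateway but not the Internet until a source NAT rule exists and FW_OUTBOUND accepts new connections.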