cloudstack-users mailing list archives

From Jayapal Reddy Uradi <jayapalreddy.ur...@citrix.com>
Subject Re: How to create a network offering without firewall?
Date Fri, 28 Jun 2013 02:56:58 GMT
I thought the iptables rules you sent were from the router's iptables-save.
In /etc/iptables/rules we won't have the SNAT rule.

Please send the iptables rules from your router, not the /etc/iptables/rules file:

iptables -t nat -L -nv, iptables -L -nv and iptables -t mangle -L -nv.

Thanks,
Jayapal

On 28-Jun-2013, at 8:21 AM, WXR <474745079@qq.com> wrote:

> When I added the guest network I selected the system default network offering with source NAT.
> There is a default ip "x.x.x.x[source NAT]" in the list when I click the "view ip addresses".
> 
> 
> 
> 
> ------------------ Original ------------------
> From:  ""<jayapalreddy.uradi@citrix.com>;
> Date:  Fri, Jun 28, 2013 10:45 AM
> To:  "<users@cloudstack.apache.org>"<users@cloudstack.apache.org>; 
> 
> Subject:  Re: How to create a network offering without firewall?
> 
> 
> 
> The problem is there is no source NAT rule added in the iptables nat table on the router.
> Why is the source NAT rule not added on the router?
> In your network ip address do you have source NAT ip ?
> 
> Thanks,
> Jayapal
> 
> 
> On 28-Jun-2013, at 8:06 AM, WXR <474745079@qq.com>
> wrote:
> 
>> I tried to add the rule "iptables -A FW_OUTBOUND -j ACCEPT" to the vrouter firewall, but unfortunately it has no effect.
>> 
>> This is the iptables rules in file "/etc/iptables/rules"
>> 
>> *nat
>> :PREROUTING ACCEPT [0:0]
>> :POSTROUTING ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> COMMIT
>> *filter
>> :INPUT DROP [0:0]
>> :FORWARD DROP [0:0]
>> :OUTPUT ACCEPT [0:0]
>> :FW_OUTBOUND - [0:0]
>> -A INPUT -d 224.0.0.18/32 -j ACCEPT
>> -A INPUT -d 225.0.0.50/32 -j ACCEPT
>> -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -p icmp -j ACCEPT
>> -A INPUT -i lo -j ACCEPT
>> -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
>> -A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
>> -A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
>> -A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
>> -A INPUT -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
>> -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
>> -A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
>> -I FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
>> COMMIT
>> *mangle
>> :PREROUTING ACCEPT [0:0]
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> :POSTROUTING ACCEPT [0:0]
>> -A PREROUTING -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
>> -A POSTROUTING -p udp --dport bootpc -j CHECKSUM --checksum-fill
>> COMMIT
>> 
>> Is there anything wrong?
>> 
>> 
>> 
>> ------------------ Original ------------------
>> From:  ""<emunoz@intecom.ad>;
>> Date:  Thu, Jun 27, 2013 06:40 PM
>> To:  "users@cloudstack.apache.org"<users@cloudstack.apache.org>; 
>> 
>> Subject:  RE: How to create a network offering without firewall?
>> 
>> 
>> 
>> I had this issue too some days ago. I solved it by logging into the Virtual Router over ssh and adding this rule to the Firewall:
>> 
>> iptables -A FW_OUTBOUND -j ACCEPT
>> 
>> I hope this helps.
>> 
>> Regards
>> 
>> -----Original Message-----
>> From: Jayapal Reddy Uradi [mailto:jayapalreddy.uradi@citrix.com]
>> Sent: Thursday, 27 June 2013 12:37
>> To: <users@cloudstack.apache.org>
>> Subject: Re: How to create a network offering without firewall?
>> 
>> Is the Internet accessible from the router?
>> If it is accessible, please send the router iptables rules on pastebin.com.
>> 
>> Thanks,
>> jayapal
>> 
>> On 27-Jun-2013, at 3:34 PM, WXR <474745079@qq.com>
>> wrote:
>> 
>>> Sorry, the instance can access the vrouter gateway ip, but cannot access the Internet.
>>> 
>>> 
>>> ------------------ Original ------------------
>>> From:  "WXR"<474745079@qq.com>;
>>> Date:  Thu, Jun 27, 2013 06:01 PM
>>> To:  "users"<users@cloudstack.apache.org>;
>>> 
>>> Subject:  Re: How to create a network offering without firewall?
>>> 
>>> 
>>> 
>>> I have added an egress rule like this:
>>> Source CIDR    Protocol    Start Port    End Port
>>> 0.0.0.0/0      All         All           All
>>> 
>>> The vrouter vm can also access the Internet.
>>> But the instance vm is still able to access the vrouter gateway ip and the Internet.
>>> 
>>> 
>>> 
>>> 
>>> ------------------ Original ------------------
>>> From:  "Murali Reddy"<Murali.Reddy@citrix.com>;
>>> Date:  Thu, Jun 27, 2013 05:21 PM
>>> To:  "users@cloudstack.apache.org"<users@cloudstack.apache.org>;
>>> 
>>> Subject:  Re: How to create a network offering without firewall?
>>> 
>>> 
>>> 
>>> 
>>> Yes, egress firewall default action is 'BLOCK'. Here is a nice blog
>>> from Radhika:
>>> http://writersopendiary.wordpress.com/2013/05/27/egress-firewall-rules-in-apache-cloudstack/
>>> 
>>> On 27/06/13 2:21 PM, "WXR" <474745079@qq.com> wrote:
>>> 
>>>> By the way, when I select the default guestnetworkwithsourceNAT and
>>>> create an instance, the vm cannot access the Internet. Is this a
>>>> default setting? How can I let the vm access the Internet?
>>>> 
>>>> 
>>>> 
>>>> 
>>>> ------------------ Original ------------------
>>>> From:  "Murali Reddy"<Murali.Reddy@citrix.com>;
>>>> Date:  Thu, Jun 27, 2013 04:46 PM
>>>> To:  "users@cloudstack.apache.org"<users@cloudstack.apache.org>;
>>>> 
>>>> Subject:  Re: How to create a network offering without firewall?
>>>> 
>>>> 
>>>> 
>>>> 
>>>> Also, by default all the ports that will be used by edge services are
>>>> blocked by the iptables config in the router VM templates. They need to
>>>> be opened explicitly with firewall rules.
>>>> 
>>>> On 27/06/13 2:08 PM, "Jayapal Reddy Uradi" 
>>>> <jayapalreddy.uradi@citrix.com>
>>>> wrote:
>>>> 
>>>>> Without a firewall provider you can't have sourceNAT and static NAT
>>>>> services, because these services are provided by the firewall provider only.
>>>>> 
>>>>> Thanks,
>>>>> Jayapal
>>>>> 
>>>>> On 27-Jun-2013, at 1:35 PM, WXR <474745079@qq.com>
>>>>> wrote:
>>>>> 
>>>>>> If I create a new network offering and check
>>>>>> dns, dhcp, userdata, sourceNAT, staticNAT, but not the firewall
>>>>>> service, the firewall will be added to it automatically.
>>>>>> I don't need the firewall service; how can I create a network
>>>>>> offering without firewall?
>>>>> 
>>>>> 
>>>> 
>>>> 
>>> 
>>> 
>> 
> 


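The two things this thread circles around are whether the virtual router has a source-NAT rule in the nat POSTROUTING chain at all, and whether the FW_OUTBOUND egress chain has been opened with an unconditional ACCEPT. The script below is an added example, not code from the CloudStack project or from anyone in the thread: it audits an iptables-save dump for exactly those two conditions. It assumes the dump is produced by running `iptables-save` on the router (the live ruleset, not /etc/iptables/rules), that eth2 is the public interface, and it uses 203.0.113.10 (a documentation-range address) as a stand-in for the source-NAT IP; none of those values come from the original messages. The two embedded rule sets are constructed samples, the first trimmed from the /etc/iptables/rules posted above, the second showing what a working router would carry.

```shell
#!/bin/sh
# Added example, not CloudStack project code: audit an iptables-save dump taken
# on a CloudStack virtual router for the two conditions debugged in this thread:
#   1. is there a source-NAT rule (SNAT or MASQUERADE) in the nat POSTROUTING chain?
#   2. does the FW_OUTBOUND egress chain contain an unconditional ACCEPT?
# Assumptions: the dump comes from `iptables-save` on the router; eth2 is the
# public interface and 203.0.113.10 is a documentation-range stand-in for the
# source-NAT IP. Neither value appears in the original thread.

# Constructed sample 1: the nat and filter tables from the thread's
# /etc/iptables/rules, trimmed to the chains that matter. No SNAT rule, and
# FW_OUTBOUND only accepts RELATED,ESTABLISHED traffic.
SAMPLE_BROKEN='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FW_OUTBOUND - [0:0]
-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
-I FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Constructed sample 2: what a router that can forward guest traffic to the
# Internet would carry (assumed interface and IP, see above).
SAMPLE_OK='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth2 -j SNAT --to-source 203.0.113.10
COMMIT
*filter
:FORWARD DROP [0:0]
:FW_OUTBOUND - [0:0]
-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
-A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FW_OUTBOUND -j ACCEPT
COMMIT'

# Print the lines of one table (*nat, *filter, ...) from a dump on stdin.
table_section() {   # $1 = table name
    awk -v t="*$1" '$0 == t { in_t = 1; next } /^COMMIT/ { in_t = 0 } in_t'
}

# Succeed if the nat POSTROUTING chain has an SNAT or MASQUERADE rule.
has_source_nat() {  # dump on stdin
    table_section nat | grep -Eq '^-[AI] POSTROUTING .*-j (SNAT|MASQUERADE)'
}

# Succeed if FW_OUTBOUND carries a rule with no match criteria at all that jumps
# to ACCEPT, i.e. the egress firewall is effectively switched off for every guest.
egress_open() {     # dump on stdin
    table_section filter | grep -Eq '^-[AI] FW_OUTBOUND +-j ACCEPT *$'
}

# Report both checks for one dump given as a string; succeed only if both pass.
check_dump() {      # $1 = iptables-save text
    rc=0
    if printf '%s\n' "$1" | has_source_nat; then
        echo "nat POSTROUTING: source NAT rule present"
    else
        echo "nat POSTROUTING: no SNAT/MASQUERADE rule, guests cannot reach the Internet"
        rc=1
    fi
    if printf '%s\n' "$1" | egress_open; then
        echo "FW_OUTBOUND: unconditional ACCEPT present, egress is open"
    else
        echo "FW_OUTBOUND: no unconditional ACCEPT, egress default BLOCK is in effect"
        rc=1
    fi
    return $rc
}

# With a file argument, check that dump; without one, run the two samples.
main() {
    if [ "$#" -gt 0 ]; then
        check_dump "$(cat "$1")"
    else
        echo "== sample 1: /etc/iptables/rules from the thread =="
        check_dump "$SAMPLE_BROKEN" || true
        echo "== sample 2: router with source NAT and open egress =="
        check_dump "$SAMPLE_OK"
    fi
}

if ! main "$@"; then
    echo "one or more checks failed" >&2
fi
```

On a router, save the live ruleset first and point the script at it (`iptables-save > /tmp/vr.rules; sh check_vr.sh /tmp/vr.rules`), since as noted above /etc/iptables/rules does not reflect what is loaded. An unconditional `-j ACCEPT` in FW_OUTBOUND, the fix quoted in this thread, passes the second check because it disables the egress firewall for every guest on that network; a network that is meant to keep egress restricted should instead show per-CIDR or per-port rules in that chain.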