cloudstack-users mailing list archives

From "WXR" <474745...@qq.com>
Subject Re: How to create a network offering without firewall?
Date Fri, 28 Jun 2013 02:51:27 GMT
When I added the guest network, I selected the system default network offering with source NAT.
There is a default IP "x.x.x.x [source NAT]" in the list when I click "view ip addresses".




------------------ Original ------------------
From:  ""<jayapalreddy.uradi@citrix.com>;
Date:  Fri, Jun 28, 2013 10:45 AM
To:  "<users@cloudstack.apache.org>"<users@cloudstack.apache.org>; 

Subject:  Re: How to create a network offering without firewall?



The problem is there is no source NAT rule added in the iptables nat table on the router.
Why is the source NAT rule not added on the router?
In your network IP addresses, do you have a source NAT IP?

Thanks,
Jayapal


On 28-Jun-2013, at 8:06 AM, WXR <474745079@qq.com> wrote:

> I tried adding the rule "iptables -A FW_OUTBOUND -j ACCEPT" to the vrouter firewall, but unfortunately it takes no effect.
> 
> These are the iptables rules in the file "/etc/iptables/rules":
> 
> *nat
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> COMMIT
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> :FW_OUTBOUND - [0:0]
> -A INPUT -d 224.0.0.18/32 -j ACCEPT
> -A INPUT -d 225.0.0.50/32 -j ACCEPT
> -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
> -A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
> -A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
> -A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
> -I FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
> COMMIT
> *mangle
> :PREROUTING ACCEPT [0:0]
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> -A PREROUTING -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
> -A POSTROUTING -p udp --dport bootpc -j CHECKSUM --checksum-fill
> COMMIT
> 
> Is there anything wrong?
> 
> 
> 
> ------------------ Original ------------------
> From:  ""<emunoz@intecom.ad>;
> Date:  Thu, Jun 27, 2013 06:40 PM
> To:  "users@cloudstack.apache.org"<users@cloudstack.apache.org>; 
> 
> Subject:  RE: How to create a network offering without firewall?
> 
> 
> 
> I had this issue too some days ago. I solved it by logging into the Virtual Router over ssh and adding this rule to the Firewall:
> 
> iptables -A FW_OUTBOUND -j ACCEPT
> 
> I hope this helps.
> 
> Regards
> 
> -----Original Message-----
> From: Jayapal Reddy Uradi [mailto:jayapalreddy.uradi@citrix.com]
> Sent: Thursday, June 27, 2013 12:37
> To: <users@cloudstack.apache.org>
> Subject: Re: How to create a network offering without firewall?
> 
> Is the Internet accessible from the router?
> If it is accessible, please send the router iptables rules via pastebin.com
> 
> Thanks,
> jayapal
> 
> On 27-Jun-2013, at 3:34 PM, WXR <474745079@qq.com> wrote:
> 
>> Sorry, the instance can access the vrouter gateway IP, but cannot access the Internet.
>> 
>> 
>> ------------------ Original ------------------
>> From:  "WXR"<474745079@qq.com>;
>> Date:  Thu, Jun 27, 2013 06:01 PM
>> To:  "users"<users@cloudstack.apache.org>;
>> 
>> Subject:  Re: How to create a network offering without firewall?
>> 
>> 
>> 
>> I have added an egress rule like this:
>> Source CIDR    Protocol    Start Port    End Port 
>> 0.0.0.0/0         All            All                All
>> 
>> The vrouter vm can also access the Internet.
>> But the instance vm is still able to access the vrouter gateway ip and the Internet.
>> 
>> 
>> 
>> 
>> ------------------ Original ------------------
>> From:  "Murali Reddy"<Murali.Reddy@citrix.com>;
>> Date:  Thu, Jun 27, 2013 05:21 PM
>> To:  "users@cloudstack.apache.org"<users@cloudstack.apache.org>;
>> 
>> Subject:  Re: How to create a network offering without firewall?
>> 
>> 
>> 
>> 
>> Yes, egress firewall default action is 'BLOCK'. Here is a nice blog
>> from Radhika:
>> http://writersopendiary.wordpress.com/2013/05/27/egress-firewall-rules-in-apache-cloudstack/
>> 
>> On 27/06/13 2:21 PM, "WXR" <474745079@qq.com> wrote:
>> 
>>> By the way, when I select the default guestnetworkwithsourceNAT and
>>> create an instance, the VM cannot access the Internet. Is this a
>>> default setting? How can I let the VM access the Internet?
>>> 
>>> 
>>> 
>>> 
>>> ------------------ Original ------------------
>>> From:  "Murali Reddy"<Murali.Reddy@citrix.com>;
>>> Date:  Thu, Jun 27, 2013 04:46 PM
>>> To:  "users@cloudstack.apache.org"<users@cloudstack.apache.org>;
>>> 
>>> Subject:  Re: How to create a network offering without firewall?
>>> 
>>> 
>>> 
>>> 
>>> Also, by default all the ports that will be used by edge services are
>>> blocked by the iptables config in the router VM templates. They need to
>>> be opened explicitly with firewall rules.
>>> 
>>> On 27/06/13 2:08 PM, "Jayapal Reddy Uradi" <jayapalreddy.uradi@citrix.com> wrote:
>>> 
>>>> Without a firewall provider you can't have sourceNAT and static NAT
>>>> services, because these services are provided by the firewall provider only.
>>>> 
>>>> Thanks,
>>>> Jayapal
>>>> 
>>>> On 27-Jun-2013, at 1:35 PM, WXR <474745079@qq.com> wrote:
>>>> 
>>>>> If I create a new network offering and check
>>>>> dns, dhcp, userdata, sourceNAT, staticNAT, and do not check the firewall
>>>>> service, the firewall will be added into it automatically.
>>>>> I don't need the firewall service; how can I create a network
>>>>> offering without firewall?
>>>> 
>>>> 
>>> 
>>> 
>> 
>> 
> 

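An added example, not taken from any message in this thread: a POSIX shell check that reads an iptables-save style dump and tests for the two conditions the thread turns on. The first is the one Jayapal points to, no SNAT or MASQUERADE rule in the nat table's POSTROUTING chain, which is why guest traffic never reaches the Internet. The second is a catch-all "-j ACCEPT" in FW_OUTBOUND, the effect of the command suggested earlier in the thread; it makes the chain pass everything, so the per-CIDR egress rules and the default BLOCK action Murali describes no longer filter anything. The sample dump is constructed to mirror the ruleset WXR posted; the function names and the FAIL/WARN wording are my own choices, not CloudStack's.

```shell
#!/bin/sh
# Constructed sample: the nat table exactly as posted (no SNAT), plus the
# relevant part of the filter table (FW_OUTBOUND with no terminal ACCEPT).
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FW_OUTBOUND - [0:0]
-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
-I FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Print only the lines that belong to one table (*nat, *filter, ...) of a
# dump read from stdin. Table sections start at "*name" and end at "COMMIT".
table_section() {
    awk -v want="*$1" '
        /^\*/     { in_table = ($0 == want); next }
        /^COMMIT/ { in_table = 0; next }
        in_table  { print }'
}

# Does the nat table carry a POSTROUTING SNAT or MASQUERADE rule?
# Reads the dump from stdin; exit status 0 means yes, 1 means no.
has_source_nat() {
    table_section nat | grep -Eq -- '^-A POSTROUTING .*-j (SNAT|MASQUERADE)'
}

# Does FW_OUTBOUND contain an ACCEPT with no match criteria at all?
# Such a rule short-circuits every egress rule placed after it.
has_blanket_egress_accept() {
    table_section filter | grep -Eq -- '^-[AI] FW_OUTBOUND -j ACCEPT$'
}

# Report on one dump (passed as a string) and return the number of findings.
check_router_rules() {
    dump="$1"
    problems=0
    if printf '%s\n' "$dump" | has_source_nat; then
        echo "ok:   nat/POSTROUTING has an SNAT/MASQUERADE rule"
    else
        echo "FAIL: no SNAT/MASQUERADE rule in nat/POSTROUTING; guest traffic is not source-NATed"
        problems=$((problems + 1))
    fi
    if printf '%s\n' "$dump" | has_blanket_egress_accept; then
        echo "WARN: FW_OUTBOUND has a catch-all ACCEPT; egress rules and the default BLOCK are bypassed"
        problems=$((problems + 1))
    else
        echo "ok:   FW_OUTBOUND has no catch-all ACCEPT"
    fi
    return $problems
}

# Run against the constructed sample. On a real router, capture the live
# ruleset with "iptables-save" and pass its contents instead.
if check_router_rules "$SAMPLE_RULES"; then
    echo "router ruleset looks consistent"
else
    echo "router ruleset needs attention ($? finding(s))"
fi
```

Against the sample the check reports the missing SNAT rule and returns 1 finding; on a router where the source NAT rule is present and FW_OUTBOUND holds only CIDR- or port-scoped rules it returns 0.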