root@r-60-VM:~# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 149 packets, 13502 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 6 packets, 419 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 6 packets, 419 bytes)
pkts bytes target prot opt in out source destination
----
root@r-60-VM:~# iptables -t mangle -L -nv
Chain PREROUTING (policy ACCEPT 641 packets, 74208 bytes)
pkts bytes target prot opt in out source destination
466 59141 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED CONNMARK restore
Chain INPUT (policy ACCEPT 619 packets, 72888 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 22 packets, 1320 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 400 packets, 66973 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 400 packets, 66973 bytes)
pkts bytes target prot opt in out source destination
0 0 CHECKSUM udp -- * * 0.0.0.0/0 0.0.0.0/0 udp
dpt:68 CHECKSUM fill
--
root@r-60-VM:~# iptables -L -nv
Chain INPUT (policy DROP 125 packets, 11746 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 224.0.0.18
0 0 ACCEPT all -- * * 0.0.0.0/0 225.0.0.50
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
416 54881 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
3 347 ACCEPT all -- eth2 * 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
13 1129 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
5 293 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp
dpt:67
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp
dpt:53
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp
dpt:53
13 780 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 state
NEW tcp dpt:3922
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state
NEW tcp dpt:80
0 0 ACCEPT tcp -- eth0 * 10.10.2.0/24 0.0.0.0/0 state
NEW tcp dpt:8080
Chain FORWARD (policy DROP 22 packets, 1320 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
0 0 ACCEPT all -- eth2 eth0 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 eth0 0.0.0.0/0 0.0.0.0/0 state
NEW
0 0 ACCEPT all -- eth0 eth0 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
22 1320 FW_OUTBOUND all -- eth0 eth2 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 368 packets, 60175 bytes)
pkts bytes target prot opt in out source destination
Chain FW_OUTBOUND (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
root@r-60-VM:~# iptables -t mangle -L -nv
Chain PREROUTING (policy ACCEPT 625 packets, 72976 bytes)
pkts bytes target prot opt in out source destination
450 57909 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED CONNMARK restore
Chain INPUT (policy ACCEPT 603 packets, 71656 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 22 packets, 1320 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 392 packets, 65149 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 392 packets, 65149 bytes)
pkts bytes target prot opt in out source destination
0 0 CHECKSUM udp -- * * 0.0.0.0/0 0.0.0.0/0 udp
dpt:68 CHECKSUM fill
root@r-60-VM:~# clear
root@r-60-VM:~# iptables -t mangle -L -nv
Chain PREROUTING (policy ACCEPT 641 packets, 74208 bytes)
pkts bytes target prot opt in out source destination
466 59141 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED CONNMARK restore
Chain INPUT (policy ACCEPT 619 packets, 72888 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 22 packets, 1320 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 400 packets, 66973 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 400 packets, 66973 bytes)
pkts bytes target prot opt in out source destination
0 0 CHECKSUM udp -- * * 0.0.0.0/0 0.0.0.0/0 udp
dpt:68 CHECKSUM fill
root@r-60-VM:~# iptables -L -nv
Chain INPUT (policy DROP 125 packets, 11746 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 224.0.0.18
0 0 ACCEPT all -- * * 0.0.0.0/0 225.0.0.50
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
506 65459 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
3 347 ACCEPT all -- eth2 * 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
15 1297 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
5 293 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp
dpt:67
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp
dpt:53
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp
dpt:53
15 900 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 state
NEW tcp dpt:3922
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state
NEW tcp dpt:80
0 0 ACCEPT tcp -- eth0 * 10.10.2.0/24 0.0.0.0/0 state
NEW tcp dpt:8080
Chain FORWARD (policy DROP 22 packets, 1320 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
0 0 ACCEPT all -- eth2 eth0 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 eth0 0.0.0.0/0 0.0.0.0/0 state
NEW
0 0 ACCEPT all -- eth0 eth0 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
22 1320 FW_OUTBOUND all -- eth0 eth2 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 441 packets, 74901 bytes)
pkts bytes target prot opt in out source destination
Chain FW_OUTBOUND (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
------------------ Original ------------------
From: ""<jayapalreddy.uradi@citrix.com>;
Date: Fri, Jun 28, 2013 10:56 AM
To: "<users@cloudstack.apache.org>"<users@cloudstack.apache.org>;
Subject: Re: How to create a network offering without firewall?
I thought the iptables rules you sent were the router's iptables-save output.
The /etc/iptables/rules file will not contain the SNAT rule.
Please send the iptables rules from the running router itself, not from /etc/iptables/rules:
iptables -t nat -L -nv, iptables -L -nv and iptables -t mangle -L -nv.
Thanks,
Jayapal
On 28-Jun-2013, at 8:21 AM, WXR <474745079@qq.com> wrote:
> When I added the guest network, I selected the system default network offering with source
NAT.
> There is a default ip "x.x.x.x[source NAT]" in the list when I click the "view ip addresses".
>
>
>
>
> ------------------ Original ------------------
> From: ""<jayapalreddy.uradi@citrix.com>;
> Date: Fri, Jun 28, 2013 10:45 AM
> To: "<users@cloudstack.apache.org>"<users@cloudstack.apache.org>;
>
> Subject: Re: How to create a network offering without firewall?
>
>
>
> The problem is that there is no source NAT rule in the iptables nat table on the router.
> Why is the source NAT rule not added on the router?
> In your network's IP addresses, do you have a source NAT IP?
>
> Thanks,
> Jayapal
>
>
> On 28-Jun-2013, at 8:06 AM, WXR <474745079@qq.com>
> wrote:
>
>> I tried to add the rule "iptables -A FW_OUTBOUND -j ACCEPT" to the vrouter firewall,
but unfortunately it has no effect.
>>
>> This is the iptables rules in file "/etc/iptables/rules"
>>
>> *nat
>> :PREROUTING ACCEPT [0:0]
>> :POSTROUTING ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> COMMIT
>> *filter
>> :INPUT DROP [0:0]
>> :FORWARD DROP [0:0]
>> :OUTPUT ACCEPT [0:0]
>> :FW_OUTBOUND - [0:0]
>> -A INPUT -d 224.0.0.18/32 -j ACCEPT
>> -A INPUT -d 225.0.0.50/32 -j ACCEPT
>> -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -p icmp -j ACCEPT
>> -A INPUT -i lo -j ACCEPT
>> -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
>> -A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
>> -A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
>> -A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
>> -A INPUT -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
>> -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
>> -A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
>> -I FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
>> COMMIT
>> *mangle
>> :PREROUTING ACCEPT [0:0]
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> :POSTROUTING ACCEPT [0:0]
>> -A PREROUTING -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
>> -A POSTROUTING -p udp --dport bootpc -j CHECKSUM --checksum-fill
>> COMMIT
>>
>> Is there anything wrong?
>>
>>
>>
>> ------------------ Original ------------------
>> From: ""<emunoz@intecom.ad>;
>> Date: Thu, Jun 27, 2013 06:40 PM
>> To: "users@cloudstack.apache.org"<users@cloudstack.apache.org>;
>>
>> Subject: RE: How to create a network offering without firewall?
>>
>>
>>
>> I had this issue too some days ago. I solved it by logging into the Virtual Router
over ssh and adding this rule to the Firewall:
>>
>> iptables -A FW_OUTBOUND -j ACCEPT
>>
>> (Note that an unconditional ACCEPT appended to FW_OUTBOUND allows all outbound traffic from the guest network, not only what the configured egress rules permit.)
>>
>> I hope this helps.
>>
>> Regards
>>
>> -----Mensaje original-----
>> De: Jayapal Reddy Uradi [mailto:jayapalreddy.uradi@citrix.com]
>> Enviado el: jueves, 27 de junio de 2013 12:37
>> Para: <users@cloudstack.apache.org>
>> Asunto: Re: How to create a network offering without firewall?
>>
>> Is the internet accessible from the router?
>> If it is accessible, please post the router's iptables rules on pastebin.com.
>>
>> Thanks,
>> jayapal
>>
>> On 27-Jun-2013, at 3:34 PM, WXR <474745079@qq.com>
>> wrote:
>>
>>> Sorry, the instance can access the vrouter gateway IP, but cannot access the
Internet.
>>>
>>>
>>> ------------------ Original ------------------
>>> From: "WXR"<474745079@qq.com>;
>>> Date: Thu, Jun 27, 2013 06:01 PM
>>> To: "users"<users@cloudstack.apache.org>;
>>>
>>> Subject: Re: How to create a network offering without firewall?
>>>
>>>
>>>
>>> I have added an egress rule like this:
>>> Source CIDR Protocol Start Port End Port
>>> 0.0.0.0/0 All All All
>>>
>>> The vrouter vm can also access the Internet.
>>> But the instance vm is still able to access the vrouter gateway ip and the Internet.
>>>
>>>
>>>
>>>
>>> ------------------ Original ------------------
>>> From: "Murali Reddy"<Murali.Reddy@citrix.com>;
>>> Date: Thu, Jun 27, 2013 05:21 PM
>>> To: "users@cloudstack.apache.org"<users@cloudstack.apache.org>;
>>>
>>> Subject: Re: How to create a network offering without firewall?
>>>
>>>
>>>
>>>
>>> Yes, egress firewall default action is 'BLOCK'. Here is a nice blog
>>> from Radhika
>>> http://writersopendiary.wordpress.com/2013/05/27/egress-firewall-rules
>>> -in-a
>>> pache-cloudstack/
>>>
>>> On 27/06/13 2:21 PM, "WXR" <474745079@qq.com> wrote:
>>>
>>>> By the way, when I select the default guestnetworkwithsourceNAT and
>>>> create an instance, the vm cannot access the Internet. Is this a
>>>> default setting? How can I let the vm access the Internet?
>>>>
>>>>
>>>>
>>>>
>>>> ------------------ Original ------------------
>>>> From: "Murali Reddy"<Murali.Reddy@citrix.com>;
>>>> Date: Thu, Jun 27, 2013 04:46 PM
>>>> To: "users@cloudstack.apache.org"<users@cloudstack.apache.org>;
>>>>
>>>> Subject: Re: How to create a network offering without firewall?
>>>>
>>>>
>>>>
>>>>
>>>> Also, by default all the ports that will be used by edge services are
>>>> blocked by the iptables config in the router VM templates. They need to
>>>> be opened explicitly with firewall rules.
>>>>
>>>> On 27/06/13 2:08 PM, "Jayapal Reddy Uradi"
>>>> <jayapalreddy.uradi@citrix.com>
>>>> wrote:
>>>>
>>>>> Without a firewall provider you can't have sourceNAT and static NAT
>>>>> services, because these services are provided by the firewall provider only.
>>>>>
>>>>> Thanks,
>>>>> Jayapal
>>>>>
>>>>> On 27-Jun-2013, at 1:35 PM, WXR <474745079@qq.com>
>>>>> wrote:
>>>>>
>>>>>> If I create a new network offering and check
>>>>>> dns, dhcp, userdata, sourceNAT and staticNAT, but do not check the firewall
>>>>>> service, the firewall is still added to it automatically.
>>>>>> I don't need the firewall service; how can I create a network
>>>>>> offering without the firewall?
>>>>>
>>>>>
>>>>
>>>>
>>>> .
>>>
>>>
>>> .
>>
>> .
>
> . |