cloudstack-users mailing list archives
From "WXR" <474745...@qq.com>
Subject Re:RE: How to create a network offering without firewall?
Date Fri, 28 Jun 2013 02:36:20 GMT
I tried to add the rule "iptables -A FW_OUTBOUND -j ACCEPT" to the vrouter firewall, but unfortunately
it has no effect.

These are the iptables rules in the file "/etc/iptables/rules":

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FW_OUTBOUND - [0:0]
-A INPUT -d 224.0.0.18/32 -j ACCEPT
-A INPUT -d 225.0.0.50/32 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
-I FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
-A POSTROUTING -p udp --dport bootpc -j CHECKSUM --checksum-fill
COMMIT

Is there anything wrong?



------------------ Original ------------------
From:  ""<emunoz@intecom.ad>;
Date:  Thu, Jun 27, 2013 06:40 PM
To:  "users@cloudstack.apache.org"<users@cloudstack.apache.org>; 

Subject:  RE: How to create a network offering without firewall?



I had this issue too some days ago. I solved it by logging into the Virtual Router over ssh
and adding this rule to the Firewall: 

iptables -A FW_OUTBOUND -j ACCEPT

I hope this helps.

Regards

-----Original Message-----
From: Jayapal Reddy Uradi [mailto:jayapalreddy.uradi@citrix.com] 
Sent: Thursday, June 27, 2013 12:37
To: <users@cloudstack.apache.org>
Subject: Re: How to create a network offering without firewall?

Is the Internet accessible from the router?
If it is accessible, please send the router iptables rules on pastebin.com.

Thanks,
jayapal

On 27-Jun-2013, at 3:34 PM, WXR <474745079@qq.com> wrote:

> Sorry, the instance can access the vrouter gateway IP, but cannot access the Internet.
> 
> 
> ------------------ Original ------------------
> From:  "WXR"<474745079@qq.com>;
> Date:  Thu, Jun 27, 2013 06:01 PM
> To:  "users"<users@cloudstack.apache.org>;
> 
> Subject:  Re: How to create a network offering without firewall?
> 
> 
> 
> I have added an egress rule like this:
> Source CIDR    Protocol    Start Port    End Port 
> 0.0.0.0/0         All            All                All
> 
> The vrouter vm can also access the Internet.
> But the instance vm is still able to access the vrouter gateway ip and the Internet.
> 
> 
> 
> 
> ------------------ Original ------------------
> From:  "Murali Reddy"<Murali.Reddy@citrix.com>;
> Date:  Thu, Jun 27, 2013 05:21 PM
> To:  "users@cloudstack.apache.org"<users@cloudstack.apache.org>;
> 
> Subject:  Re: How to create a network offering without firewall?
> 
> 
> 
> 
> Yes, egress firewall default action is 'BLOCK'. Here is a nice blog 
> from Radhika:
> http://writersopendiary.wordpress.com/2013/05/27/egress-firewall-rules-in-apache-cloudstack/
> 
> On 27/06/13 2:21 PM, "WXR" <474745079@qq.com> wrote:
> 
>> By the way, when I select the default guestnetworkwithsourceNAT and 
>> create an instance, the vm cannot access the Internet. Is this a 
>> default setting? How can I let the vm access the Internet?
>> 
>> 
>> 
>> 
>> ------------------ Original ------------------
>> From:  "Murali Reddy"<Murali.Reddy@citrix.com>;
>> Date:  Thu, Jun 27, 2013 04:46 PM
>> To:  "users@cloudstack.apache.org"<users@cloudstack.apache.org>;
>> 
>> Subject:  Re: How to create a network offering without firewall?
>> 
>> 
>> 
>> 
>> Also, by default all the ports that will be used by edge services are 
>> blocked by the iptables config in the router VM templates. They need to 
>> be opened explicitly with firewall rules.
>> 
>> On 27/06/13 2:08 PM, "Jayapal Reddy Uradi" <jayapalreddy.uradi@citrix.com> wrote:
>> 
>>> Without a firewall provider you can't have sourceNAT and static NAT 
>>> services, because these services are provided by the firewall provider only.
>>> 
>>> Thanks,
>>> Jayapal
>>> 
>>> On 27-Jun-2013, at 1:35 PM, WXR <474745079@qq.com> wrote:
>>> 
>>>> If I create a new network offering and check 
>>>> dns, dhcp, userdata, sourceNAT and staticNAT, without checking the firewall 
>>>> service, the firewall will be added into it automatically.
>>>> I don't need the firewall service, so how can I create a network 
>>>> offering without firewall?
>>> 
>>> 
>> 
>> 
> 
> 

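The following is an added example for readers of this thread; it is not code from the thread or from CloudStack. It parses the *filter table of an iptables-save style dump (the constructed sample is the FORWARD and FW_OUTBOUND chains quoted above, trimmed to the rules on the guest-to-public path) and walks the FORWARD chain for a hypothetical NEW outbound packet from a guest on eth0 to the public side on eth2, recording which rule or chain policy decides it. With the persisted rules as quoted, FW_OUTBOUND only accepts RELATED,ESTABLISHED traffic, so a new outbound connection returns to FORWARD and hits its DROP policy; with "-A FW_OUTBOUND -j ACCEPT" applied, the same packet is accepted. The parser is a toy that models only -i, -o, -p, --dport, --state and -j and refuses anything else; the packet, function names and sample are assumptions. One practical check it suggests: `iptables -A` changes the running ruleset, not /etc/iptables/rules, so to see whether a runtime change took effect, feed the output of `iptables-save` rather than the file.

```python
# Added example (not code from the thread or from CloudStack): parse the
# *filter table of an iptables-save style dump and walk the FORWARD chain for
# a hypothetical NEW guest-to-Internet packet (in on eth0, out on eth2).
import shlex

# Constructed sample: the *filter table quoted in the thread, trimmed to the
# chains a forwarded guest packet traverses.
SAMPLE_RULES = """\
*filter
:FORWARD DROP [0:0]
:FW_OUTBOUND - [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
-I FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""
# Hypothetical packet: a guest VM opening a new HTTPS connection outbound.
GUEST_NEW_EGRESS = {"in_if": "eth0", "out_if": "eth2", "proto": "tcp",
                    "dport": "443", "state": "NEW"}
ONE_ARG = {"-i": "in_if", "-o": "out_if", "-p": "proto", "--dport": "dport", "-j": "target"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse_rule(tokens):
    """Option tokens of one rule -> dict of match criteria; refuses options
    this toy does not model rather than silently ignoring them."""
    rule, it = {}, iter(tokens)
    for tok in it:
        if tok == "-m":                      # match-module name; options follow
            next(it)
        elif tok == "--state":
            rule["states"] = set(next(it).split(","))
        elif tok in ONE_ARG:
            rule[ONE_ARG[tok]] = next(it)
        else:
            raise ValueError("unsupported option %r in: %s" % (tok, " ".join(tokens)))
    return rule

def add_rule_line(chains, line):
    """Apply one '-A CHAIN ...' or '-I CHAIN [n] ...' line to `chains`."""
    tokens = shlex.split(line)
    op, chain, rest = tokens[0], tokens[1], tokens[2:]
    position = None
    if op == "-I":                           # insert; default position is 1
        position = 0
        if rest and rest[0].isdigit():
            position, rest = int(rest[0]) - 1, rest[1:]
    rule = parse_rule(rest)
    rule["text"] = line.strip()
    rules = chains.setdefault(chain, [])
    rules.insert(len(rules) if position is None else position, rule)

def parse_filter_table(dump):
    """Return (chains, policies) for the *filter table of a dump."""
    chains, policies, in_filter = {}, {}, False
    for line in (raw.strip() for raw in dump.splitlines()):
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter or not line or line[0] == "#" or line == "COMMIT":
            continue
        elif line[0] == ":":                 # ":NAME POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            chains.setdefault(name, [])
            policies[name] = policy
        else:
            add_rule_line(chains, line)
    return chains, policies

def rule_matches(rule, pkt):
    for key in ("in_if", "out_if", "proto", "dport"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    return "states" not in rule or pkt["state"] in rule["states"]

def trace(chains, policies, chain, pkt, path):
    """Walk `chain` in kernel order; append each matching rule's text to
    `path`. Returns the verdict, or None when a user-defined chain runs out
    of rules and control returns to the caller."""
    for rule in chains.get(chain, []):
        if not rule_matches(rule, pkt):
            continue
        path.append(rule["text"])
        target = rule.get("target")
        if target in TERMINAL:
            return target
        if target == "RETURN":
            break
        if target in chains:                 # jump into a user-defined chain
            verdict = trace(chains, policies, target, pkt, path)
            if verdict is not None:
                return verdict
        # other targets (LOG, MARK, ...) do not end evaluation
    if policies.get(chain) in TERMINAL:      # built-in chain: policy decides
        path.append("%s policy %s" % (chain, policies[chain]))
        return policies[chain]
    return None

def egress_verdict(dump, extra_rules=(), pkt=GUEST_NEW_EGRESS):
    """Verdict and matched-rule path for `pkt` entering FORWARD, after
    applying any extra rule lines (e.g. one added later with iptables -A)."""
    chains, policies = parse_filter_table(dump)
    for line in extra_rules:
        add_rule_line(chains, line)
    path = []
    return trace(chains, policies, "FORWARD", pkt, path), path
```

Calling `egress_verdict(SAMPLE_RULES)` returns `("DROP", [...])` with the path ending in the FORWARD policy, while `egress_verdict(SAMPLE_RULES, ["-A FW_OUTBOUND -j ACCEPT"])` returns `("ACCEPT", [...])` with the appended rule as the deciding match; an ESTABLISHED packet is accepted by the existing FW_OUTBOUND rule in both cases.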