cloudstack-users mailing list archives

From "WXR" <474745...@qq.com>
Subject Re:RE: How to create a network offering without firewall?
Date Fri, 28 Jun 2013 05:55:53 GMT
When I create a new guest network with the source NAT service, I can find these lines in management-server.log:


2013-06-28 13:34:01,468 DEBUG [network.router.VirtualNetworkApplianceManagerImpl] (Job-Executor-1:job-236) Resending ipAssoc, port forwarding, load balancing rules as a part of Virtual router start

2013-06-28 13:35:04,920 DEBUG [agent.transport.Request] (Job-Executor-1:job-236) Seq 12-142344210: Sending  { Cmd , MgmtId: 119377525801125, via: 12, Ver: v1, Flags: 100001, [{"routing.IpAssocCommand":{"ipAddresses":[{"accountId":2,"publicIp":"192.168.30.77","sourceNat":true,"add":true,"oneToOneNat":false,"firstIP":true,"vlanId":"30","vlanGateway":"192.168.30.1","vlanNetmask":"255.255.255.0","vifMacAddress":"06:28:14:00:00:4e","networkRate":200,"trafficType":"Public","networkName":"breth1-30"}],"accessDetails":{"router.guest.ip":"10.10.3.1","zone.network.type":"Advanced","router.ip":"169.254.0.190","router.name":"r-65-VM"},"wait":0}}] }

2013-06-28 13:35:07,519 DEBUG [agent.transport.Request] (AgentManager-Handler-1:null) Seq 12-142344210: Processing:  { Ans: , MgmtId: 119377525801125, via: 12, Ver: v1, Flags: 0, [{"routing.IpAssocAnswer":{"results":["192.168.30.77 - success"],"result":true,"wait":0}}] }

2013-06-28 13:35:07,520 DEBUG [agent.transport.Request] (Job-Executor-1:job-236) Seq 12-142344210: Received:  { Ans: , MgmtId: 119377525801125, via: 12, Ver: v1, Flags: 0, { IpAssocAnswer } }


Does that mean the sourceNAT rule has been added to the vrouter iptables?
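As an added example (not code from the thread), this Python script pairs the Sending/Processing lines above by their Seq id and reports which source-NAT IPs the router acknowledged; the sample log is constructed from the lines quoted above, with the JSON payload shortened to the fields the script reads.

```python
"""Pair IpAssocCommand / IpAssocAnswer lines from a CloudStack
management-server.log by Seq id.  Added example, not thread code."""
import json
import re

# Constructed sample: the two agent.transport.Request lines quoted in the
# thread, with the JSON payload trimmed to the fields this script reads.
SAMPLE_LOG = """\
2013-06-28 13:35:04,920 DEBUG [agent.transport.Request] (Job-Executor-1:job-236) Seq 12-142344210: Sending  { Cmd , MgmtId: 119377525801125, via: 12, Ver: v1, Flags: 100001, [{"routing.IpAssocCommand":{"ipAddresses":[{"accountId":2,"publicIp":"192.168.30.77","sourceNat":true,"add":true,"oneToOneNat":false,"firstIP":true,"vlanId":"30","vlanGateway":"192.168.30.1","vlanNetmask":"255.255.255.0","trafficType":"Public"}],"accessDetails":{"router.guest.ip":"10.10.3.1","router.ip":"169.254.0.190","router.name":"r-65-VM"},"wait":0}}] }
2013-06-28 13:35:07,519 DEBUG [agent.transport.Request] (AgentManager-Handler-1:null) Seq 12-142344210: Processing:  { Ans: , MgmtId: 119377525801125, via: 12, Ver: v1, Flags: 0, [{"routing.IpAssocAnswer":{"results":["192.168.30.77 - success"],"result":true,"wait":0}}] }
"""

# Matches "Seq 12-142344210: Sending" and "Seq 12-142344210: Processing:"
SEQ_RE = re.compile(r"Seq (?P<seq>[\w-]+): (?P<kind>Sending|Processing)")


def parse_ipassoc(log_text):
    """Return {seq: {"router", "ips", "results", "ok"}} for every Seq that
    carried an IpAssocCommand or IpAssocAnswer payload."""
    jobs = {}
    for line in log_text.splitlines():
        m = SEQ_RE.search(line)
        if not m:
            continue
        # The command/answer array is the JSON "[{...}]" inside the braces.
        start, end = line.find("[{"), line.rfind("}]")
        if start < 0 or end < 0:
            continue
        for wrapper in json.loads(line[start:end + 2]):
            job = jobs.setdefault(m.group("seq"),
                                  {"router": None, "ips": [], "results": [], "ok": None})
            if "routing.IpAssocCommand" in wrapper:
                cmd = wrapper["routing.IpAssocCommand"]
                job["router"] = cmd.get("accessDetails", {}).get("router.name")
                job["ips"] = [(ip["publicIp"], bool(ip.get("sourceNat")), bool(ip.get("add")))
                              for ip in cmd.get("ipAddresses", [])]
            elif "routing.IpAssocAnswer" in wrapper:
                ans = wrapper["routing.IpAssocAnswer"]
                job["results"] = list(ans.get("results", []))
                job["ok"] = bool(ans.get("result"))
    return jobs


def source_nat_ips(jobs):
    """(router, public IP, answer ok) for each source-NAT 'add' in the log;
    ok is None when no IpAssocAnswer arrived for that Seq."""
    found = []
    for job in jobs.values():
        for public_ip, is_snat, is_add in job["ips"]:
            if is_snat and is_add:
                found.append((job["router"], public_ip, job["ok"]))
    return found


if __name__ == "__main__":
    for router, public_ip, ok in source_nat_ips(parse_ipassoc(SAMPLE_LOG)):
        state = {True: "answer ok", False: "answer FAILED", None: "no answer"}[ok]
        print(f"{router}: sourceNat {public_ip} -> {state}; confirm with "
              f"'iptables -t nat -L POSTROUTING -nv' on the router")
```

A result of true only means the router-side script reported success; whether the SNAT rule actually exists is confirmed by the nat POSTROUTING chain on the router, which in the dump quoted further down is empty.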


------------------ Original ------------------
From:  ""<jayapalreddy.uradi@citrix.com>;
Date:  Fri, Jun 28, 2013 12:17 PM
To:  "users"<users@cloudstack.apache.org>; 

Subject:  RE: How to create a network offering without firewall?



From the iptables rules it is clear that the source NAT IP is not configured on the router.
Management server logs will help to understand what went wrong.

Please see logs for ipassoc command during guest network implementation.
Ipassoc command will set the source nat ip on the router.

Thanks,
Jayapal 
> -----Original Message-----
> From: WXR [mailto:474745079@qq.com]
> Sent: Friday, 28 June 2013 8:33 AM
> To: users
> Subject: Re: How to create a network offering without firewall?
> 
> root@r-60-VM:~# iptables -t nat -L -nv
> Chain PREROUTING (policy ACCEPT 149 packets, 13502 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain POSTROUTING (policy ACCEPT 6 packets, 419 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain OUTPUT (policy ACCEPT 6 packets, 419 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> ----
> 
> root@r-60-VM:~# iptables -t mangle -L -nv
> Chain PREROUTING (policy ACCEPT 641 packets, 74208 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   466 59141 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0        state RELATED,ESTABLISHED CONNMARK restore
> 
> Chain INPUT (policy ACCEPT 619 packets, 72888 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain FORWARD (policy ACCEPT 22 packets, 1320 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain OUTPUT (policy ACCEPT 400 packets, 66973 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain POSTROUTING (policy ACCEPT 400 packets, 66973 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 CHECKSUM   udp  --  *      *       0.0.0.0/0            0.0.0.0/0        udp dpt:68 CHECKSUM fill
> 
> --
> 
> root@r-60-VM:~# iptables -L -nv
> Chain INPUT (policy DROP 125 packets, 11746 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            224.0.0.18
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            225.0.0.50
>     0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0        state RELATED,ESTABLISHED
>   416 54881 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0        state RELATED,ESTABLISHED
>     3   347 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0        state RELATED,ESTABLISHED
>    13  1129 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
>     5   293 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0        udp dpt:67
>     0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0        udp dpt:53
>     0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0        tcp dpt:53
>    13   780 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0        state NEW tcp dpt:3922
>     0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0        state NEW tcp dpt:80
>     0     0 ACCEPT     tcp  --  eth0   *       10.10.2.0/24         0.0.0.0/0        state NEW tcp dpt:8080
> 
> Chain FORWARD (policy DROP 22 packets, 1320 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0        state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0        state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0        state NEW
>     0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0        state RELATED,ESTABLISHED
>    22  1320 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
> 
> Chain OUTPUT (policy ACCEPT 368 packets, 60175 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain FW_OUTBOUND (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0        state RELATED,ESTABLISHED
> root@r-60-VM:~# iptables -t mangle -L -nv
> Chain PREROUTING (policy ACCEPT 625 packets, 72976 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   450 57909 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0        state RELATED,ESTABLISHED CONNMARK restore
> 
> Chain INPUT (policy ACCEPT 603 packets, 71656 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain FORWARD (policy ACCEPT 22 packets, 1320 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain OUTPUT (policy ACCEPT 392 packets, 65149 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain POSTROUTING (policy ACCEPT 392 packets, 65149 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 CHECKSUM   udp  --  *      *       0.0.0.0/0            0.0.0.0/0        udp dpt:68 CHECKSUM fill
> root@r-60-VM:~# clear
> root@r-60-VM:~# iptables -t mangle -L -nv
> Chain PREROUTING (policy ACCEPT 641 packets, 74208 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   466 59141 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0        state RELATED,ESTABLISHED CONNMARK restore
> 
> Chain INPUT (policy ACCEPT 619 packets, 72888 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain FORWARD (policy ACCEPT 22 packets, 1320 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain OUTPUT (policy ACCEPT 400 packets, 66973 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain POSTROUTING (policy ACCEPT 400 packets, 66973 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 CHECKSUM   udp  --  *      *       0.0.0.0/0            0.0.0.0/0        udp dpt:68 CHECKSUM fill
> root@r-60-VM:~# iptables -L -nv
> Chain INPUT (policy DROP 125 packets, 11746 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            224.0.0.18
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            225.0.0.50
>     0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0        state RELATED,ESTABLISHED
>   506 65459 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0        state RELATED,ESTABLISHED
>     3   347 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0        state RELATED,ESTABLISHED
>    15  1297 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
>     5   293 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0        udp dpt:67
>     0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0        udp dpt:53
>     0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0        tcp dpt:53
>    15   900 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0        state NEW tcp dpt:3922
>     0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0        state NEW tcp dpt:80
>     0     0 ACCEPT     tcp  --  eth0   *       10.10.2.0/24         0.0.0.0/0        state NEW tcp dpt:8080
> 
> Chain FORWARD (policy DROP 22 packets, 1320 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0        state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0        state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0        state NEW
>     0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0        state RELATED,ESTABLISHED
>    22  1320 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
> 
> Chain OUTPUT (policy ACCEPT 441 packets, 74901 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain FW_OUTBOUND (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0        state RELATED,ESTABLISHED
> 
> 
> 
> 
> ------------------ Original ------------------
> From:  ""<jayapalreddy.uradi@citrix.com>;
> Date:  Fri, Jun 28, 2013 10:56 AM
> To:  "<users@cloudstack.apache.org>"<users@cloudstack.apache.org>;
> 
> Subject:  Re: How to create a network offering without firewall?
> 
> 
> 
> I thought the iptables rules you sent were from the router's iptables-save.
> In /etc/iptables/rules we won't have the SNAT rule.
> 
> Please send the iptables rules from your router, not the /etc/iptables/rules file:
> 
> iptables -t nat -L -nv, iptables -L -nv and iptables -t mangle -L -nv.
> 
> Thanks,
> Jayapal
> 
> On 28-Jun-2013, at 8:21 AM, WXR <474745079@qq.com> wrote:
> 
> > When I added the guest network I selected the system default network offering with source NAT.
> > There is a default IP "x.x.x.x[source NAT]" in the list when I click "view ip addresses".
> >
> >
> >
> >
> > ------------------ Original ------------------
> > From:  ""<jayapalreddy.uradi@citrix.com>;
> > Date:  Fri, Jun 28, 2013 10:45 AM
> > To:  "<users@cloudstack.apache.org>"<users@cloudstack.apache.org>;
> >
> > Subject:  Re: How to create a network offering without firewall?
> >
> >
> >
> > The problem is there is no source NAT rule added in the iptables nat table on the router.
> > Why is the source NAT rule not added on the router?
> > In your network IP addresses do you have a source NAT IP?
> >
> > Thanks,
> > Jayapal
> >
> >
> > On 28-Jun-2013, at 8:06 AM, WXR <474745079@qq.com>
> > wrote:
> >
> >> I tried to add the rule "iptables -A FW_OUTBOUND -j ACCEPT" to the vrouter firewall, but unfortunately it has no effect.
> >>
> >> These are the iptables rules in the file "/etc/iptables/rules":
> >>
> >> *nat
> >> :PREROUTING ACCEPT [0:0]
> >> :POSTROUTING ACCEPT [0:0]
> >> :OUTPUT ACCEPT [0:0]
> >> COMMIT
> >> *filter
> >> :INPUT DROP [0:0]
> >> :FORWARD DROP [0:0]
> >> :OUTPUT ACCEPT [0:0]
> >> :FW_OUTBOUND - [0:0]
> >> -A INPUT -d 224.0.0.18/32 -j ACCEPT
> >> -A INPUT -d 225.0.0.50/32 -j ACCEPT
> >> -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> >> -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> >> -A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
> >> -A INPUT -p icmp -j ACCEPT
> >> -A INPUT -i lo -j ACCEPT
> >> -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
> >> -A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
> >> -A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
> >> -A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
> >> -A INPUT -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
> >> -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> >> -A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> >> -A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
> >> -A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> >> -A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
> >> -I FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
> >> COMMIT
> >> *mangle
> >> :PREROUTING ACCEPT [0:0]
> >> :INPUT ACCEPT [0:0]
> >> :FORWARD ACCEPT [0:0]
> >> :OUTPUT ACCEPT [0:0]
> >> :POSTROUTING ACCEPT [0:0]
> >> -A PREROUTING -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
> >> -A POSTROUTING -p udp --dport bootpc -j CHECKSUM --checksum-fill
> >> COMMIT
> >>
> >> Is there anything wrong?
> >>
> >>
> >>
> >> ------------------ Original ------------------
> >> From:  ""<emunoz@intecom.ad>;
> >> Date:  Thu, Jun 27, 2013 06:40 PM
> >> To:  "users@cloudstack.apache.org"<users@cloudstack.apache.org>;
> >>
> >> Subject:  RE: How to create a network offering without firewall?
> >>
> >>
> >>
> >> I had this issue too some days ago. I solved it by logging into the Virtual Router over ssh and adding this rule to the firewall:
> >>
> >> iptables -A FW_OUTBOUND -j ACCEPT
> >>
> >> I hope this helps.
> >>
> >> Regards
> >>
> >> -----Original Message-----
> >> From: Jayapal Reddy Uradi [mailto:jayapalreddy.uradi@citrix.com]
> >> Sent: Thursday, 27 June 2013 12:37
> >> To: <users@cloudstack.apache.org>
> >> Subject: Re: How to create a network offering without firewall?
> >>
> >> Is the Internet accessible from the router?
> >> If it is accessible, please send the router iptables rules on pastebin.com
> >>
> >> Thanks,
> >> jayapal
> >>
> >> On 27-Jun-2013, at 3:34 PM, WXR <474745079@qq.com>
> >> wrote:
> >>
> >>> Sorry, the instance can access the vrouter gateway IP, but cannot access the Internet.
> >>>
> >>>
> >>> ------------------ Original ------------------
> >>> From:  "WXR"<474745079@qq.com>;
> >>> Date:  Thu, Jun 27, 2013 06:01 PM
> >>> To:  "users"<users@cloudstack.apache.org>;
> >>>
> >>> Subject:  Re: How to create a network offering without firewall?
> >>>
> >>>
> >>>
> >>> I have added an egress rule like this:
> >>> Source CIDR    Protocol    Start Port    End Port
> >>> 0.0.0.0/0         All            All                All
> >>>
> >>> The vrouter VM can also access the Internet.
> >>> But the instance VM is still able to access the vrouter gateway IP and the Internet.
> >>>
> >>>
> >>>
> >>>
> >>> ------------------ Original ------------------
> >>> From:  "Murali Reddy"<Murali.Reddy@citrix.com>;
> >>> Date:  Thu, Jun 27, 2013 05:21 PM
> >>> To:  "users@cloudstack.apache.org"<users@cloudstack.apache.org>;
> >>>
> >>> Subject:  Re: How to create a network offering without firewall?
> >>>
> >>>
> >>>
> >>>
> >>> Yes, egress firewall default action is 'BLOCK'. Here is a nice blog
> >>> from Radhika
> >>> http://writersopendiary.wordpress.com/2013/05/27/egress-firewall-rules-in-apache-cloudstack/
> >>>
> >>> On 27/06/13 2:21 PM, "WXR" <474745079@qq.com> wrote:
> >>>
> >>>> By the way, when I select the default guestnetworkwithsourceNAT
> >>>> and create an instance, the VM cannot access the Internet. Is
> >>>> this a default setting? How can I let the VM access the Internet?
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> ------------------ Original ------------------
> >>>> From:  "Murali Reddy"<Murali.Reddy@citrix.com>;
> >>>> Date:  Thu, Jun 27, 2013 04:46 PM
> >>>> To:  "users@cloudstack.apache.org"<users@cloudstack.apache.org>;
> >>>>
> >>>> Subject:  Re: How to create a network offering without firewall?
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> Also, by default all the ports that will be used by edge services
> >>>> are blocked by the iptables config in the router VM templates. They
> >>>> need to be opened explicitly with firewall rules.
> >>>>
> >>>> On 27/06/13 2:08 PM, "Jayapal Reddy Uradi"
> >>>> <jayapalreddy.uradi@citrix.com>
> >>>> wrote:
> >>>>
> >>>>> Without a firewall provider you can't have sourceNAT and static NAT
> >>>>> services, because these services are provided by the firewall provider only.
> >>>>>
> >>>>> Thanks,
> >>>>> Jayapal
> >>>>>
> >>>>> On 27-Jun-2013, at 1:35 PM, WXR <474745079@qq.com>
> >>>>> wrote:
> >>>>>
> >>>>>> If I create a new network offering and check
> >>>>>> dns, dhcp, userdata, sourceNAT and staticNAT but not the firewall
> >>>>>> service, the firewall will be added into it automatically.
> >>>>>> I don't need the firewall service; how can I create a network
> >>>>>> offering without firewall?
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>
> >>>
> >>
> >