cloudstack-issues mailing list archives

From "venkata swamybabu budumuru (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CLOUDSTACK-1850) IPTABLE default rules are not configured in the INPUT chain & FW_OUTBOUND chain is not present
Date Fri, 29 Mar 2013 11:43:16 GMT

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-1850?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

venkata swamybabu budumuru updated CLOUDSTACK-1850:
---------------------------------------------------

    Attachment: logs.29.tgz
    
> IPTABLE default rules are not configured in the INPUT chain & FW_OUTBOUND chain is not present
> -----------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-1850
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-1850
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Network Controller
>    Affects Versions: 4.2.0
>         Environment: - Commit Id # 94de31ebada689a766809e0b73faf567a079c79a
> - Advanced zone with Xen Cluster 
> root@r-6-VM:~# cat /etc/cloudstack-release 
> Cloudstack Release 4.2.0 Thu Mar 28 04:09:55 UTC 2013
>            Reporter: venkata swamybabu budumuru
>            Assignee: Jayapal Reddy
>            Priority: Critical
>             Fix For: 4.2.0
>
>         Attachments: logs.29.tgz
>
>
> Steps to reproduce:
> 1. Have at least one ISOLATED network created
> 2. Deploy a VM with at least one nic connected to the above isolated network
> 3. Verify iptables on the newly deployed router VM for the above isolated network
> Observations:
> 1. It doesn't have any default outbound rules (like for ports 53, 67 etc.) configured, but things go fine because the policy for the INPUT chain is set to ACCEPT by default.
> 2. All the egress from the VM is by default working / allowed because the FORWARD chain is not configured with the "FW_OUTBOUND" chain.
> Here is the snippet from the router VM for "iptables -L -nv"
> root@r-6-VM:~# iptables -L -nv
> Chain INPUT (policy ACCEPT 2032 packets, 305K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  2149  320K NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
> Chain FORWARD (policy ACCEPT 18 packets, 1419 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    36  8380 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>    18  6961 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.2.235           state RELATED,ESTABLISHED /* 10.147.44.61:22:22 */
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.2.235           tcp dpt:22 state NEW /* 10.147.44.61:22:22 */
> Chain OUTPUT (policy ACCEPT 1930 packets, 340K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  2056  358K NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
> Chain NETWORK_STATS (3 references)
>  pkts bytes target     prot opt in     out     source               destination
>    18  1419            all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
>    18  6961            all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0
>     0     0            tcp  --  !eth0  eth2    0.0.0.0/0            0.0.0.0/0
>     0     0            tcp  --  eth2   !eth0   0.0.0.0/0            0.0.0.0/0
> Attaching vmops.log, api.log, /var/log/messages, cloud.log from the router, etc.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
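As an added check (not part of the report or of CloudStack's own code), the Python below parses `iptables -L -nv` output and flags the two observations above: no FW_OUTBOUND jump in FORWARD, and no explicit ACCEPT rules for ports 53/67 in INPUT, noting when an ACCEPT policy masks the gap. BROKEN is abridged from the output quoted in the report; FIXED is a constructed counter-example, and the choice of eth0 as the guest-facing interface and udp for 53/67 are assumptions.

```python
import re
# Abridged from the `iptables -L -nv` output quoted in the report above (r-6-VM, CloudStack 4.2.0).
BROKEN = """\
Chain INPUT (policy ACCEPT 2032 packets, 305K bytes)
 pkts bytes target     prot opt in     out     source               destination
 2149  320K NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy ACCEPT 18 packets, 1419 bytes)
 pkts bytes target     prot opt in     out     source               destination
   36  8380 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   18  6961 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
Chain NETWORK_STATS (3 references)
   18  1419            all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
"""
# Constructed counter-example of the expected state (hypothetical: eth0 as guest side and udp for 53/67 are assumptions).
FIXED = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    0     0 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
"""
def parse_iptables(text):  # chain name -> {"policy": str or None, "rules": [dict]}
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^Chain (\S+) \((?:policy (\S+))?", line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        f = line.split()
        if current is None or not f or f[0] == "pkts":  # skip column header lines
            continue
        if f[2] in ("all", "tcp", "udp", "icmp"):  # blank target column (counting-only rule)
            f.insert(2, "")
        rule = dict(zip(("pkts", "bytes", "target", "prot", "opt", "in", "out", "src", "dst"), f))
        rule["extra"] = " ".join(f[9:])  # match extensions: state, dpt:, comments
        chains[current]["rules"].append(rule)
    return chains
def audit_router(text):  # findings matching the report's two observations; [] means the ruleset looks right
    chains = parse_iptables(text)
    inp = chains.get("INPUT", {"policy": None, "rules": []})
    findings = []
    if not any(r["target"] == "FW_OUTBOUND" for r in chains.get("FORWARD", {"rules": []})["rules"]):
        findings.append("FORWARD has no FW_OUTBOUND jump: guest egress is unfiltered")
    for port in ("53", "67"):
        if not any(r["target"] == "ACCEPT" and f"dpt:{port}" in r["extra"] for r in inp["rules"]):
            findings.append(f"INPUT has no ACCEPT rule for dpt:{port}")
    if findings and inp["policy"] == "ACCEPT":
        findings.append("INPUT policy is ACCEPT, which masks the missing rules")
    return findings
```

Run it against a live router with `audit_router(subprocess.check_output(["iptables", "-L", "-nv"], text=True))`; an empty list means both observations no longer apply.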
