cloudstack-issues mailing list archives

From "Wilder Rodrigues (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-8688) Default policy for INPUT and FORWARD chain is ACCEPT in VR filter table
Date Mon, 03 Aug 2015 10:02:05 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-8688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14651698#comment-14651698 ]

Wilder Rodrigues commented on CLOUDSTACK-8688:
----------------------------------------------

The vpc-router is now fixed. Just the normal isolated and shared router to go:

[root@kvm2 ~]# ssh -i ~/.ssh/id_rsa.cloud -p 3922 169.254.1.135
Linux r-5-VM 3.2.0-4-amd64 #1 SMP Debian 3.2.68-1+deb7u2 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Aug  3 09:59:04 2015

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@r-5-VM:~# 
root@r-5-VM:~# 
root@r-5-VM:~# 
root@r-5-VM:~# iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination         
NETWORK_STATS  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             224.0.0.18          
ACCEPT     all  --  anywhere             225.0.0.50          
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:3922 state NEW
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination         
NETWORK_STATS_eth1  all  --  anywhere             anywhere            
NETWORK_STATS  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  10.0.1.0/24         !10.0.1.0/24         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
NETWORK_STATS  all  --  anywhere             anywhere            

Chain NETWORK_STATS (3 references)
target     prot opt source               destination         
           tcp  --  anywhere             anywhere            
           tcp  --  anywhere             anywhere            
           tcp  --  anywhere             anywhere            
           tcp  --  anywhere             anywhere            

Chain NETWORK_STATS_eth1 (1 references)
target     prot opt source               destination         
           all  --  10.0.1.0/24          anywhere            
           all  --  anywhere             10.0.1.0/24         
root@r-5-VM:~# 


> Default policy for INPUT and FORWARD chain is ACCEPT in VR filter table
> -----------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-8688
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8688
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Virtual Router
>    Affects Versions: 4.6.0
>         Environment: Latest build from ACS master.
> Zone type: Advanced
>            Reporter: Sanjeev N
>            Assignee: Wilder Rodrigues
>            Priority: Critical
>
> Default policy for INPUT and FORWARD chain is ACCEPT in VR filter table
> Steps to reproduce the issue:
> =======================
> 1. Bring up CS in advanced zone with any supported hypervisor (e.g. Xenserver)
> 2. Create an isolated network with Network Offering "DefaultIsolatedNetworkOfferingWithSourceNatService"
> 3. Deploy one guest vm within that network
> Result:
> =======
> IP tables rules on the VR created are as follows:
> root@r-7-VM:~# iptables --list
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> NETWORK_STATS  all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             vrrp.mcast.net
> ACCEPT     all  --  anywhere             225.0.0.50
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     icmp --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             vrrp.mcast.net
> ACCEPT     all  --  anywhere             225.0.0.50
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     icmp --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
> ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http state NEW
> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt state NEW
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> NETWORK_STATS  all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere             state NEW
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> NETWORK_STATS  all  --  anywhere             anywhere
> Chain NETWORK_STATS (3 references)
> target     prot opt source               destination
>            all  --  anywhere             anywhere
>            all  --  anywhere             anywhere
>            tcp  --  anywhere             anywhere
>            tcp  --  anywhere             anywhere
> But the Default policy for INPUT and FORWARD chain should be DROP instead of ACCEPT.
> Otherwise all the traffic would be allowed to VR.
> Same is the case with VPC and Shared network as well.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
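The check the ticket describes, turned into a small audit script: it parses `iptables --list` output from a virtual router, compares the default policy of the built-in filter chains against the expected DROP/DROP/ACCEPT, and emits the `iptables -P` commands that would correct a deviation. It also flags any ACCEPT rule in INPUT or FORWARD that shows no protocol, address or match restriction at all, because such a rule makes a DROP policy moot. This is an added example written for this page, not CloudStack's own VR code; the two listings embedded in it are constructed, abridged copies of the tables quoted in the ticket and in the comment above, and the expected-policy map is an assumption about what a VR should have.

```python
"""Audit the default policies of a VR filter table from `iptables --list` text.

Added example for the CLOUDSTACK-8688 discussion; not CloudStack's own code.
The listings below are constructed (abridged) from the ticket's output.
"""
import re

# Constructed: abridged listing from the bug report (policy ACCEPT on INPUT/FORWARD).
BROKEN_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
NETWORK_STATS  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
NETWORK_STATS  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state NEW
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
NETWORK_STATS  all  --  anywhere             anywhere
Chain NETWORK_STATS (3 references)
target     prot opt source               destination
           all  --  anywhere             anywhere
"""

# Constructed: abridged listing after the fix (policy DROP on INPUT/FORWARD).
FIXED_LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
NETWORK_STATS  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             224.0.0.18
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:3922 state NEW
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  10.0.1.0/24         !10.0.1.0/24
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

# Assumed baseline for a VR: deny by default on the chains that face the network.
EXPECTED_POLICY = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\w+)\)$")


def parse_listing(listing):
    """Return ({chain: policy}, {chain: [rule columns]}) from `iptables --list` text.

    Only built-in chains carry a policy; user chains ("(N references)") get None.
    """
    policies, rules, chain = {}, {}, None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            policies[chain] = m.group(2)
            rules[chain] = []
            continue
        if line.startswith("Chain "):  # user-defined chain header, no policy
            chain = line.split()[1]
            policies[chain] = None
            rules[chain] = []
            continue
        parts = line.split()
        # Rule rows are "target prot opt source destination [matches...]"; the
        # header row and the target-less NETWORK_STATS counter rows have no "--" at index 2.
        if chain and len(parts) >= 5 and parts[2] == "--":
            rules[chain].append(parts)
    return policies, rules


def policy_findings(policies, expected=EXPECTED_POLICY):
    """Chains whose default policy differs from the expected one: [(chain, actual, wanted)]."""
    return [(c, policies.get(c), want) for c, want in expected.items()
            if policies.get(c) != want]


def catch_all_accepts(rules, chains=("INPUT", "FORWARD")):
    """Chains holding an ACCEPT rule with no visible protocol, address or match restriction.

    `iptables --list` does not show -i/-o interface matches, so a hit here must be
    confirmed with `iptables -L -v -n` before it is called a hole.
    """
    hits = []
    for c in chains:
        for r in rules.get(c, []):
            target, proto, _, src, dst = r[:5]
            if target == "ACCEPT" and proto == "all" and src == dst == "anywhere" and len(r) == 5:
                hits.append(c)
    return hits


def remediation(findings):
    """Commands that set the missing default policies (run as root on the VR)."""
    return ["iptables -P %s %s" % (chain, want) for chain, _, want in findings]


def audit(listing):
    """Full report for one listing: policy deviations, unrestricted accepts, fix commands."""
    policies, rules = parse_listing(listing)
    findings = policy_findings(policies)
    return {"policy_findings": findings,
            "catch_all_accepts": catch_all_accepts(rules),
            "fix": remediation(findings)}


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_LISTING), ("fixed", FIXED_LISTING)):
        print(name, audit(text))
```

On a live router the listing is obtained with `ssh -i ~/.ssh/id_rsa.cloud -p 3922 <link-local-ip> iptables --list` as in the comment above and fed to `audit()`. Note that the fixed table still reports one unrestricted ACCEPT in INPUT: that is expected from the plain `--list` format, which drops interface matches, and is exactly why the final verification should be done with `iptables -L -v -n` or `iptables-save` rather than with `--list` alone.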
