From: "Wilder Rodrigues (JIRA)"
To: cloudstack-issues@incubator.apache.org
Date: Mon, 3 Aug 2015 09:28:04 +0000 (UTC)
Subject: [jira] [Commented] (CLOUDSTACK-8688) Default policy for INPUT and FORWARD chain is ACCEPT in VR filter table

[ https://issues.apache.org/jira/browse/CLOUDSTACK-8688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14651643#comment-14651643 ]

Wilder Rodrigues commented on CLOUDSTACK-8688:
----------------------------------------------

I updated the CsAddress.py file and deployed a KVM datacenter, with new agent/common RPM packages. The router now has INPUT/FORWARD with DROP instead of ACCEPT.
However, it seems to block communication with the host, since the router stays stuck in the "starting" state on the ACS management server. I managed to access the router via the libvirt console command. See details below:

    [root@kvm2 ~]# virsh console 4
    Connected to domain r-4-VM
    Escape character is ^]

    root@r-4-VM:~# iptables --list
    Chain INPUT (policy DROP)
    target         prot opt source      destination
    ACCEPT         tcp  --  anywhere    anywhere        tcp dpt:10086
    NETWORK_STATS  all  --  anywhere    anywhere
    ACCEPT         all  --  anywhere    vrrp.mcast.net
    ACCEPT         all  --  anywhere    225.0.0.50
    ACCEPT         all  --  anywhere    anywhere        state RELATED,ESTABLISHED
    ACCEPT         icmp --  anywhere    anywhere
    ACCEPT         all  --  anywhere    anywhere
    ACCEPT         all  --  anywhere    vrrp.mcast.net
    ACCEPT         all  --  anywhere    225.0.0.50
    ACCEPT         all  --  anywhere    anywhere        state RELATED,ESTABLISHED
    ACCEPT         icmp --  anywhere    anywhere
    ACCEPT         all  --  anywhere    anywhere
    ACCEPT         udp  --  anywhere    anywhere        udp dpt:bootps
    ACCEPT         udp  --  anywhere    anywhere        udp dpt:domain
    ACCEPT         tcp  --  anywhere    anywhere        tcp dpt:domain
    ACCEPT         tcp  --  anywhere    anywhere        tcp dpt:http state NEW
    ACCEPT         tcp  --  anywhere    anywhere        tcp dpt:http-alt state NEW

    Chain FORWARD (policy DROP)
    target         prot opt source      destination
    NETWORK_STATS  all  --  anywhere    anywhere
    ACCEPT         all  --  anywhere    anywhere        state RELATED,ESTABLISHED
    ACCEPT         all  --  anywhere    anywhere        state NEW
    ACCEPT         all  --  anywhere    anywhere        state RELATED,ESTABLISHED
    ACCEPT         all  --  anywhere    anywhere        state RELATED,ESTABLISHED

    Chain OUTPUT (policy ACCEPT)
    target         prot opt source      destination
    NETWORK_STATS  all  --  anywhere    anywhere

    Chain NETWORK_STATS (3 references)
    target         prot opt source      destination
                   all  --  anywhere    anywhere
                   all  --  anywhere    anywhere
                   tcp  --  anywhere    anywhere
                   tcp  --  anywhere    anywhere
    root@r-4-VM:~#

I will compare the new iptables configuration with the old iptables-vpcrouter/iptables-router files.
> Default policy for INPUT and FORWARD chain is ACCEPT in VR filter table
> -----------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-8688
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8688
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: Virtual Router
>    Affects Versions: 4.6.0
>         Environment: Latest build from ACS master.
>                      Zone type: Advanced
>            Reporter: Sanjeev N
>            Assignee: Wilder Rodrigues
>            Priority: Critical
>
> Default policy for INPUT and FORWARD chain is ACCEPT in VR filter table
>
> Steps to reproduce the issue:
> =======================
> 1. Bring up CS in advanced zone with any supported hypervisor (e.g. Xenserver)
> 2. Create an isolated network with Network Offering "DefaultIsolatedNetworkOfferingWithSourceNatService"
> 3. Deploy one guest vm within that network
>
> Result:
> =======
> IP tables rules on the VR created are as follows:
>
> root@r-7-VM:~# iptables --list
> Chain INPUT (policy ACCEPT)
> target         prot opt source      destination
> NETWORK_STATS  all  --  anywhere    anywhere
> ACCEPT         all  --  anywhere    vrrp.mcast.net
> ACCEPT         all  --  anywhere    225.0.0.50
> ACCEPT         all  --  anywhere    anywhere        state RELATED,ESTABLISHED
> ACCEPT         icmp --  anywhere    anywhere
> ACCEPT         all  --  anywhere    anywhere
> ACCEPT         all  --  anywhere    vrrp.mcast.net
> ACCEPT         all  --  anywhere    225.0.0.50
> ACCEPT         all  --  anywhere    anywhere        state RELATED,ESTABLISHED
> ACCEPT         icmp --  anywhere    anywhere
> ACCEPT         all  --  anywhere    anywhere
> ACCEPT         udp  --  anywhere    anywhere        udp dpt:bootps
> ACCEPT         udp  --  anywhere    anywhere        udp dpt:domain
> ACCEPT         tcp  --  anywhere    anywhere        tcp dpt:domain
> ACCEPT         tcp  --  anywhere    anywhere        tcp dpt:http state NEW
> ACCEPT         tcp  --  anywhere    anywhere        tcp dpt:http-alt state NEW
>
> Chain FORWARD (policy ACCEPT)
> target         prot opt source      destination
> NETWORK_STATS  all  --  anywhere    anywhere
> ACCEPT         all  --  anywhere    anywhere        state RELATED,ESTABLISHED
> ACCEPT         all  --  anywhere    anywhere        state NEW
> ACCEPT         all  --  anywhere    anywhere        state RELATED,ESTABLISHED
> ACCEPT         all  --  anywhere    anywhere        state RELATED,ESTABLISHED
>
> Chain OUTPUT (policy ACCEPT)
> target         prot opt source      destination
> NETWORK_STATS  all  --  anywhere    anywhere
>
> Chain NETWORK_STATS (3 references)
> target         prot opt source      destination
>                all  --  anywhere    anywhere
>                all  --  anywhere    anywhere
>                tcp  --  anywhere    anywhere
>                tcp  --  anywhere    anywhere
>
> But the default policy for INPUT and FORWARD chain should be DROP instead of ACCEPT. Otherwise all the traffic would be allowed to the VR.
> Same is the case with VPC and Shared network as well.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
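An added check for the condition this ticket reports (example code, not CloudStack's own): it parses `iptables --list` output in the format shown above and lists the builtin filter chains that should default to DROP on the VR but still carry an ACCEPT policy. The sample listing is constructed to mirror the ticket's output, not captured from a real router.

```python
import re

# Constructed sample shaped like the ticket's `iptables --list` output;
# a few rules per chain are enough to exercise the parser.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
NETWORK_STATS  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             vrrp.mcast.net
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
NETWORK_STATS  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
NETWORK_STATS  all  --  anywhere             anywhere

Chain NETWORK_STATS (3 references)
target     prot opt source               destination
           all  --  anywhere             anywhere
"""

# Matches "Chain INPUT (policy ACCEPT)" and "Chain NETWORK_STATS (3 references)"
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)$")

def parse_listing(text):
    """Map each chain to its default policy (None for user chains) and rules."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
        elif current and line.strip() and not line.startswith("target"):
            chains[current]["rules"].append(" ".join(line.split()))
    return chains

def audit_policies(chains, must_drop=("INPUT", "FORWARD")):
    """Builtin chains that should default to DROP on the VR but do not."""
    return [c for c in must_drop if chains.get(c, {}).get("policy") != "DROP"]

if __name__ == "__main__":
    print("chains without a DROP policy:", audit_policies(parse_listing(SAMPLE_LISTING)))
```

On a live router the same functions can be fed the output of `iptables --list` read from a subprocess; OUTPUT is left out of the audit because the ticket only asks for INPUT and FORWARD to default to DROP.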