Return-Path:
X-Original-To: apmail-cloudstack-issues-archive@www.apache.org
Delivered-To: apmail-cloudstack-issues-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 1150618EE1 for ; Mon, 3 Aug 2015 10:02:06 +0000 (UTC)
Received: (qmail 83840 invoked by uid 500); 3 Aug 2015 10:02:05 -0000
Delivered-To: apmail-cloudstack-issues-archive@cloudstack.apache.org
Received: (qmail 83811 invoked by uid 500); 3 Aug 2015 10:02:05 -0000
Mailing-List: contact issues-help@cloudstack.apache.org; run by ezmlm
Precedence: bulk
List-Help:
List-Unsubscribe:
List-Post:
List-Id:
Reply-To: dev@cloudstack.apache.org
Delivered-To: mailing list issues@cloudstack.apache.org
Received: (qmail 83797 invoked by uid 500); 3 Aug 2015 10:02:05 -0000
Delivered-To: apmail-incubator-cloudstack-issues@incubator.apache.org
Received: (qmail 83794 invoked by uid 99); 3 Aug 2015 10:02:05 -0000
Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 03 Aug 2015 10:02:05 +0000
Date: Mon, 3 Aug 2015 10:02:05 +0000 (UTC)
From: "Wilder Rodrigues (JIRA)"
To: cloudstack-issues@incubator.apache.org
Message-ID:
In-Reply-To:
References:
Subject: [jira] [Commented] (CLOUDSTACK-8688) Defualt policy for INPUT and FORWARD chain is ACCEPT in VR filter table
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-8688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14651698#comment-14651698 ]

Wilder Rodrigues commented on CLOUDSTACK-8688:
----------------------------------------------

The vpc-router is now fixed.
Just the normal isolated and shared router to go:

[root@kvm2 ~]# ssh -i ~/.ssh/id_rsa.cloud -p 3922 169.254.1.135
Linux r-5-VM 3.2.0-4-amd64 #1 SMP Debian 3.2.68-1+deb7u2 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Aug 3 09:59:04 2015

root@r-5-VM:~# iptables --list
Chain INPUT (policy DROP)
target             prot opt source               destination
NETWORK_STATS      all  --  anywhere             anywhere
ACCEPT             all  --  anywhere             224.0.0.18
ACCEPT             all  --  anywhere             225.0.0.50
ACCEPT             icmp --  anywhere             anywhere
ACCEPT             all  --  anywhere             anywhere
ACCEPT             tcp  --  anywhere             anywhere             tcp dpt:3922 state NEW
ACCEPT             all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target             prot opt source               destination
NETWORK_STATS_eth1 all  --  anywhere             anywhere
NETWORK_STATS      all  --  anywhere             anywhere
ACCEPT             all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT             all  --  10.0.1.0/24         !10.0.1.0/24

Chain OUTPUT (policy ACCEPT)
target             prot opt source               destination
NETWORK_STATS      all  --  anywhere             anywhere

Chain NETWORK_STATS (3 references)
target             prot opt source               destination
                   tcp  --  anywhere             anywhere
                   tcp  --  anywhere             anywhere
                   tcp  --  anywhere             anywhere
                   tcp  --  anywhere             anywhere

Chain NETWORK_STATS_eth1 (1 references)
target             prot opt source               destination
                   all  --  10.0.1.0/24          anywhere
                   all  --  anywhere             10.0.1.0/24
root@r-5-VM:~#

> Defualt policy for INPUT and FORWARD chain is ACCEPT in VR filter table
> -----------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-8688
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8688
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: Virtual Router
>    Affects Versions: 4.6.0
>         Environment: Latest build from ACS master.
> Zone type: Advanced
>            Reporter: Sanjeev N
>            Assignee: Wilder Rodrigues
>            Priority: Critical
>
> Default policy for INPUT and FORWARD chain is ACCEPT in VR filter table
>
> Steps to reproduce the issue:
> =======================
> 1. Bring up CS in advanced zone with any supported hypervisor (e.g. Xenserver)
> 2. Create an isolated network with Network Offering "DefaultIsolatedNetworkOfferingWithSourceNatService"
> 3. Deploy one guest vm within that network
>
> Result:
> =======
> iptables rules on the VR created are as follows:
>
> root@r-7-VM:~# iptables --list
> Chain INPUT (policy ACCEPT)
> target         prot opt source               destination
> NETWORK_STATS  all  --  anywhere             anywhere
> ACCEPT         all  --  anywhere             vrrp.mcast.net
> ACCEPT         all  --  anywhere             225.0.0.50
> ACCEPT         all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT         icmp --  anywhere             anywhere
> ACCEPT         all  --  anywhere             anywhere
> ACCEPT         all  --  anywhere             vrrp.mcast.net
> ACCEPT         all  --  anywhere             225.0.0.50
> ACCEPT         all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT         icmp --  anywhere             anywhere
> ACCEPT         all  --  anywhere             anywhere
> ACCEPT         udp  --  anywhere             anywhere             udp dpt:bootps
> ACCEPT         udp  --  anywhere             anywhere             udp dpt:domain
> ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:domain
> ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:http state NEW
> ACCEPT         tcp  --  anywhere             anywhere             tcp dpt:http-alt state NEW
>
> Chain FORWARD (policy ACCEPT)
> target         prot opt source               destination
> NETWORK_STATS  all  --  anywhere             anywhere
> ACCEPT         all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT         all  --  anywhere             anywhere             state NEW
> ACCEPT         all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT         all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>
> Chain OUTPUT (policy ACCEPT)
> target         prot opt source               destination
> NETWORK_STATS  all  --  anywhere             anywhere
>
> Chain NETWORK_STATS (3 references)
> target         prot opt source               destination
>                all  --  anywhere             anywhere
>                all  --  anywhere             anywhere
>                tcp  --  anywhere             anywhere
>                tcp  --  anywhere             anywhere
>
> But the default policy for the INPUT and FORWARD chains should be DROP instead of ACCEPT. Otherwise all traffic would be allowed to the VR.
> Same is the case with VPC and Shared network as well.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
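The check below is an added example and is not code from the CloudStack project or from either participant in this thread. It automates what the ticket does by eye: parse the rule-spec output of `iptables -S` (one "-P CHAIN POLICY" line per built-in chain, then "-A" rules), report any INPUT or FORWARD chain whose default policy is not DROP, and, before anyone flips a live router to DROP, confirm the chain still accepts RELATED,ESTABLISHED traffic, since a DROP policy without that rule also drops the return half of the SSH session used to apply it. The three rule sets are constructed samples modelled on the "before" output in the report, the fixed r-5-VM output in the comment, and a hypothetical lockout case; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not CloudStack code): audit a virtual router's filter-table
# default policies from `iptables -S` output. All samples below are constructed.

# Constructed sample modelled on the reported "before" state: INPUT and FORWARD
# default to ACCEPT, so the explicit ACCEPT rules restrict nothing.
SAMPLE_BEFORE='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N NETWORK_STATS
-A INPUT -j NETWORK_STATS
-A INPUT -d 224.0.0.18/32 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state NEW -j ACCEPT'

# Constructed sample modelled on the fixed router r-5-VM shown in the comment.
SAMPLE_AFTER='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 3922 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.1.0/24 ! -d 10.0.1.0/24 -j ACCEPT'

# Constructed hypothetical: INPUT flipped to DROP without a RELATED,ESTABLISHED
# rule, so replies on the management SSH port 3922 would now be dropped.
SAMPLE_LOCKOUT='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 3922 -m state --state NEW -j ACCEPT'

# policy_of RULES CHAIN: print the default policy of CHAIN, or UNKNOWN if absent.
policy_of() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "-P" && $2 == chain { print $3; found = 1 }
        END { if (!found) print "UNKNOWN" }'
}

# open_chains RULES: print the names (space separated) of INPUT/FORWARD chains
# whose default policy is not DROP. Empty output means the router passes.
open_chains() {
    _out=""
    for _c in INPUT FORWARD; do
        [ "$(policy_of "$1" "$_c")" = "DROP" ] || _out="$_out $_c"
    done
    printf '%s' "${_out# }"
}

# has_established_rule RULES CHAIN: succeed if CHAIN accepts RELATED,ESTABLISHED
# traffic. Without it a DROP policy also drops the return half of every flow.
has_established_rule() {
    printf '%s\n' "$1" | grep -q -- "^-A $2 .*--state RELATED,ESTABLISHED .*-j ACCEPT\$"
}

# audit RULES: return 0 if INPUT and FORWARD default to DROP and each still has
# a RELATED,ESTABLISHED accept rule; 1 if a default policy is open; 2 if the
# DROP policy would cut stateful return traffic (the lockout case).
audit() {
    _bad=$(open_chains "$1")
    if [ -n "$_bad" ]; then
        echo "FAIL: default policy is not DROP for: $_bad" >&2
        return 1
    fi
    for _c in INPUT FORWARD; do
        has_established_rule "$1" "$_c" || {
            echo "FAIL: $_c is DROP but has no RELATED,ESTABLISHED accept rule" >&2
            return 2
        }
    done
    echo "OK: INPUT and FORWARD default to DROP with stateful return traffic allowed"
}

# On a live router:  audit "$(iptables -S)"
# Remediation, once the lockout case (return code 2) has been ruled out:
#   iptables -P INPUT DROP; iptables -P FORWARD DROP
```

The policy line is checked rather than the `--list` banner because `iptables -S` is stable, machine-readable output, and the RELATED,ESTABLISHED check is the difference between a hardening change and a self-inflicted outage on a router you can only reach over the link-local SSH port.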