cloudstack-issues mailing list archives

From "Rajani Karuturi (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-8795) outgoing public traffic blocked in vm created using DefaultIsolatedNetworkOfferingWithSourceNatService
Date Fri, 11 Sep 2015 06:50:46 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-8795?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14740298#comment-14740298 ]

Rajani Karuturi commented on CLOUDSTACK-8795:
---------------------------------------------

This issue still exists on the latest master. Tested it on commit 2d90f18b82a0c52fdfc815e0f8efb565f96788e3
with the latest systemvm template.

{noformat}
# cat /etc/cloudstack-release
Cloudstack Release 4.6.0 Thu Sep 10 23:29:03 UTC 2015

# iptables -n -L -v
Chain INPUT (policy DROP 1 packets, 32 bytes)
 pkts bytes target     prot opt in     out     source               destination
  134 19552 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            224.0.0.18
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            225.0.0.50
   27  2052 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    3   252 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  103 17216 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3922 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3922 state NEW,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            224.0.0.18
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            225.0.0.50
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 state NEW
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3922 state NEW,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 17 packets, 1348 bytes)
 pkts bytes target     prot opt in     out     source               destination
  121 17699 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FIREWALL_EGRESS_RULES (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FW_OUTBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain NETWORK_STATS (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
    0     0            all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0
    0     0            tcp  --  !eth0  eth2    0.0.0.0/0            0.0.0.0/0
    0     0            tcp  --  eth2   !eth0   0.0.0.0/0            0.0.0.0/0
{noformat}

> outgoing public traffic blocked in vm created using DefaultIsolatedNetworkOfferingWithSourceNatService
> -------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-8795
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8795
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>    Affects Versions: 4.6.0
>         Environment: Xenserver 6.5, advanced zone, CS 4.6.0
>            Reporter: Rajani Karuturi
>            Priority: Critical
>
> In case of vm launched in vpc, outgoing public traffic worked (I was able to ping google.com).
> But, in case of default isolated network (DefaultIsolatedNetworkOfferingWithSourceNatService) vm, outgoing public traffic was blocked even after adding egress rule.
> It only worked after running the following on isolated VR:
> iptables -I FW_OUTBOUND -j FIREWALL_EGRESS_RULES
> This issue is observed while reviewing PR #765 https://github.com/apache/cloudstack/pull/765#issuecomment-136962555



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
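
The listing in this message shows the condition directly: `FIREWALL_EGRESS_RULES` reports `(0 references)` and `FW_OUTBOUND` holds no rule that jumps to it. The script below is an added example, not part of the original message or of CloudStack's code; it checks `iptables -n -L -v` output for both signs. The function names are hypothetical, the embedded listing is an excerpt of the one above, and a rule is assumed to carry a target when its fifth field is `--`.

```shell
#!/bin/sh
# Added example: audit `iptables -n -L -v` output (read from stdin) for
# user-defined chains that are never reached.

# Print every chain whose header reports "(0 references)".
unreferenced_chains() {
    awk '$1 == "Chain" && $3 == "(0" && $4 ~ /^references/ { print $2 }'
}

# Exit 0 if chain $1 contains a rule whose target is $2, else exit 1.
# Rule rows start with a packet counter; rows without a target (such as the
# NETWORK_STATS counters) have "--" in field 4 instead of field 5.
chain_jumps_to() {
    awk -v chain="$1" -v target="$2" '
        $1 == "Chain" { current = $2; next }
        current == chain && $1 ~ /^[0-9]/ && $5 == "--" && $3 == target { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Excerpt of the listing from the message, wrapped lines rejoined.
sample_listing() {
cat <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0

Chain FIREWALL_EGRESS_RULES (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FW_OUTBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
EOF
}

echo "Unreferenced chains: $(sample_listing | unreferenced_chains)"
if sample_listing | chain_jumps_to FW_OUTBOUND FIREWALL_EGRESS_RULES; then
    echo "FW_OUTBOUND jumps to FIREWALL_EGRESS_RULES"
else
    echo "FW_OUTBOUND never jumps to FIREWALL_EGRESS_RULES: egress rules are not evaluated"
fi
```

On a router, save the output of `iptables -n -L -v` to a file and feed it to each function in turn, since each one consumes its stdin.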
