cloudstack-issues mailing list archives

From "Raja Pullela (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CLOUDSTACK-8905) [Blocker] Egress rules are not configured in VR
Date Thu, 24 Sep 2015 06:19:04 GMT
Raja Pullela created CLOUDSTACK-8905:
----------------------------------------

             Summary: [Blocker] Egress rules are not configured in VR
                 Key: CLOUDSTACK-8905
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8905
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
    Affects Versions: 4.6.0
            Reporter: Raja Pullela
            Priority: Blocker
             Fix For: 4.6.0


1. Deployed a CS Advanced zone.
 2. Created an isolated network.
 3. Navigated to Egress rules:
 Observed a pop-up message:
 "Configure the rules to allow Traffic"

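Inside the VR, iptables-save shows the FW_OUTBOUND chain with only the RELATED,ESTABLISHED accept rule (no egress rules):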

root@r-9-VM:~# iptables-save
# Generated by iptables-save v1.4.14 on Wed Sep 23 10:46:46 2015
 *filter
 :INPUT DROP [0:0]
 :FORWARD DROP [0:0]
 :OUTPUT ACCEPT [65:7867]
 :FW_OUTBOUND - [0:0]
 :NETWORK_STATS - [0:0]
 -A INPUT -j NETWORK_STATS
 -A INPUT -d 224.0.0.18/32 -j ACCEPT
 -A INPUT -d 225.0.0.50/32 -j ACCEPT
 -A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT
 -A INPUT -i eth1 -p tcp -m tcp --dport 3922 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A INPUT -i eth1 -p tcp -m tcp --dport 3922 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A INPUT -d 224.0.0.18/32 -j ACCEPT
 -A INPUT -d 225.0.0.50/32 -j ACCEPT
 -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT
 -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
 -A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
 -A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
 -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
 -A INPUT -i eth0 -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT
 -A INPUT -i eth1 -p tcp -m tcp --dport 3922 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A FORWARD -j NETWORK_STATS
 -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
 -A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
 -A OUTPUT -j NETWORK_STATS
 -A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A NETWORK_STATS -i eth0 -o eth2
 -A NETWORK_STATS -i eth2 -o eth0
 -A NETWORK_STATS ! -i eth0 -o eth2 -p tcp
 -A NETWORK_STATS -i eth2 ! -o eth0 -p tcp
 COMMIT
# Completed on Wed Sep 23 10:46:46 2015
# Generated by iptables-save v1.4.14 on Wed Sep 23 10:46:46 2015
 *nat
 :PREROUTING ACCEPT [21:1428]
 :INPUT ACCEPT [21:1428]
 :OUTPUT ACCEPT [2:152]
 :POSTROUTING ACCEPT [0:0]
 -A POSTROUTING -o eth2 -j SNAT --to-source 10.147.47.9
 COMMIT
# Completed on Wed Sep 23 10:46:46 2015
# Generated by iptables-save v1.4.14 on Wed Sep 23 10:46:46 2015
 *mangle
 :PREROUTING ACCEPT [331:33456]
 :INPUT ACCEPT [352:35052]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [331:44643]
 :POSTROUTING ACCEPT [331:44643]
 :FIREWALL_10.147.47.9 - [0:0]
 :VPN_10.147.47.9 - [0:0]
 -A PREROUTING -m state --state RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
 -A PREROUTING -d 10.147.47.9/32 -j FIREWALL_10.147.47.9
 -A PREROUTING -d 10.147.47.9/32 -j VPN_10.147.47.9
 -A PREROUTING -m state --state RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
 -A PREROUTING -i eth2 -m state --state NEW -j CONNMARK --set-xmark 0x2/0xffffffff
 -A PREROUTING -i eth0 -m state --state NEW -j CONNMARK --set-xmark 0x0/0xffffffff
 -A POSTROUTING -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
 -A FIREWALL_10.147.47.9 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A FIREWALL_10.147.47.9 -j DROP
 -A VPN_10.147.47.9 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A VPN_10.147.47.9 -j RETURN
 COMMIT
# Completed on Wed Sep 23 10:46:46 2015
 root@r-9-VM:~#




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
