cloudstack-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Wilder Rodrigues (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-8925) Default allow for Egress rules is not being configured properly in VR iptables rules
Date Mon, 02 Nov 2015 14:04:27 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-8925?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14985254#comment-14985254
] 

Wilder Rodrigues commented on CLOUDSTACK-8925:
----------------------------------------------

Enough said:

VM 1 default egress ALLOW:

# telnet ekholabs.org 80
GET
<html><body><h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
</body></html>
Connection closed by foreign host
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 02:00:1b:d4:00:02 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.161/24 brd 10.1.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::1bff:fed4:2/64 scope link 
       valid_lft forever preferred_lft forever
# 

VM 2 default egress DENY:

# telnet ekholabs.org 80
GET
<html><body><h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
</body></html>
Connection closed by foreign host
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 02:00:48:ac:00:01 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.180/24 brd 10.1.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::48ff:feac:1/64 scope link 
       valid_lft forever preferred_lft forever
# 

Time to fix thi!

Cheers,
Wilder

> Default allow for Egress rules is not being configured properly in VR iptables rules
> ------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-8925
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8925
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Virtual Router
>    Affects Versions: 4.6.0
>            Reporter: Pavan Kumar Bandarupally
>            Assignee: Wilder Rodrigues
>            Priority: Critical
>             Fix For: 4.6.0
>
>
> When we create a network with Egress rules set to default allow, the rules created in
FW_OUTBOUND table should have a reference to FW_EGRESS_RULES chain which has a rule to accept
NEW packets from the guest instances. Without that rule only RELATED , ESTABLISHED rule in
FW_OUTBOUND chain will result in Drop of packets.
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    44  2832 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0       
    state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0       
    state NEW
>     4   336 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0       
    state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0       
    state RELATED,ESTABLISHED
>    40  2496 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
> Chain OUTPUT (policy ACCEPT 20 packets, 1888 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  2498  369K NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
> Chain FIREWALL_EGRESS_RULES (0 references)
>  pkts bytes target     prot opt in     out     source               destination
> Chain FW_OUTBOUND (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     3   252 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0       
    state RELATED,ESTABLISHED



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message