cloudstack-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-8925) Default allow for Egress rules is not being configured properly in VR iptables rules
Date Tue, 03 Nov 2015 09:52:27 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-8925?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14986993#comment-14986993 ]

ASF GitHub Bot commented on CLOUDSTACK-8925:
--------------------------------------------

Github user karuturi commented on the pull request:

    https://github.com/apache/cloudstack/pull/1023#issuecomment-153301644
  
    @wilderrodrigues apart from the issue mentioned in CLOUDSTACK-9018, I found the below issue.
    The egress rule added in a default egress ALLOW network doesn't block the traffic.
    
    On a default egress DENY network, I added a rule to allow 22. The iptables rules look fine and I am able to ssh from a vm created in this network:
    ```
    Chain FW_EGRESS_RULES (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
        4   288 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    ```
    
    ```
    [root@egress-deny-vm ~]# ssh 10.147.28.48
    root@10.147.28.48's password:
    Last login: Tue Nov  3 08:49:09 2015 from 10.147.30.176
    ```
    Once I delete the rule, I am not able to ssh from the vm anymore and the iptables rule is deleted, which is expected.
    
    But, in case of a default egress ALLOW network, any egress rule added should be to block the traffic, i.e. rules should be added with target DROP.
    When I add an egress rule to block 22, the iptables rule created is to accept 22 and the port is not blocked:
    ```
    Chain FW_EGRESS_RULES (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
        1    84 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    ```
    and ssh is not blocked from a vm created in this network (even after creating the egress rule to block it):
    ```
    root@10.147.28.48's password:
    Last login: Tue Nov  3 08:55:04 2015 from 10.147.30.173
    ```


> Default allow for Egress rules is not being configured properly in VR iptables rules
> ------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-8925
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8925
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Virtual Router
>    Affects Versions: 4.6.0
>            Reporter: Pavan Kumar Bandarupally
>            Assignee: Wilder Rodrigues
>            Priority: Blocker
>             Fix For: 4.6.0
>
>
> When we create a network with Egress rules set to default allow, the rules created in the
FW_OUTBOUND table should have a reference to the FW_EGRESS_RULES chain, which has a rule to accept
NEW packets from the guest instances. Without that rule, only the RELATED,ESTABLISHED rule in the
FW_OUTBOUND chain will result in a drop of packets.
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    44  2832 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state NEW
>     4   336 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>    40  2496 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
> Chain OUTPUT (policy ACCEPT 20 packets, 1888 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  2498  369K NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
> Chain FIREWALL_EGRESS_RULES (0 references)
>  pkts bytes target     prot opt in     out     source               destination
> Chain FW_OUTBOUND (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     3   252 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
