cloudstack-users mailing list archives

From Jayapal Reddy Uradi <jayapalreddy.ur...@citrix.com>
Subject Re: CS4.02 KVM Advanced Network, VM instance can not access public IP. NAT(Source)
Date Wed, 22 May 2013 10:23:04 GMT
From the VM, if you are not able to ping the public side, then it is your setup issue.
It can be debugged by capturing packets on the router guest interface and public interface
to see whether the packets are reaching the router or not.

Thanks,
Jayapal

On 22-May-2013, at 3:49 PM, Jayapal Reddy Uradi <jayapalreddy.uradi@citrix.com>
 wrote:

> 
> You need to ping the router VM public IP from the public network/subnet?
> - You need to add an ICMP firewall rule on the public IP to enable ping requests on the public IP
> 
> Thanks,
> Jayapal
> 
> 
> On 22-May-2013, at 3:45 PM, wq meng <wqmeng@gmail.com>
> wrote:
> 
>> Hello Jayapal
>> 
>> There is no problem to ping Google from the Router VM, Only problem is that
>> I can not ping the Router VM public IP from outside.
>> 
>> root@r-4-VM:~# ping www.google.com
>> PING www.google.com (173.194.64.147): 56 data bytes
>> 64 bytes from 173.194.64.147: icmp_seq=0 ttl=48 time=53.194 ms
>> 64 bytes from 173.194.64.147: icmp_seq=1 ttl=48 time=53.190 ms
>> 64 bytes from 173.194.64.147: icmp_seq=2 ttl=48 time=53.286 ms
>> 64 bytes from 173.194.64.147: icmp_seq=3 ttl=48 time=53.207 ms
>> ^C--- www.google.com ping statistics ---
>> 4 packets transmitted, 4 packets received, 0% packet loss
>> round-trip min/avg/max/stddev = 53.190/53.219/53.286/0.039 ms
>> 
>> root@r-4-VM:~# iptables -L -nv
>> Chain INPUT (policy DROP 583 packets, 18656 bytes)
>> pkts bytes target     prot opt in     out     source               destination
>> 7009 1074K NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>   0     0 ACCEPT     all  --  *      *       0.0.0.0/0            224.0.0.18
>>   0     0 ACCEPT     all  --  *      *       0.0.0.0/0            225.0.0.50
>>   0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>> 5619 1007K ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>>  24  2906 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>>  57  4825 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
>>   5   293 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
>>   0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
>> 349 24753 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
>> 318 19080 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3922
>>   0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8080
>>   0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
>> 
>> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>> pkts bytes target     prot opt in     out     source               destination
>> 8735 1159K NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>   0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>> 4746  775K ACCEPT     all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
>> 3657  364K ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>>   0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0           state NEW
>>   0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>>   0     0 ACCEPT     all  --  eth3   eth0    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>>   0     0 ACCEPT     all  --  eth0   eth3    0.0.0.0/0            0.0.0.0/0
>>   0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.5            state RELATED,ESTABLISHED /* 198.105.191.245:22:22 */
>> 332 19920 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.5            tcp dpt:22 state NEW /* 198.105.191.245:22:22 */
>>   0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.5            state RELATED,ESTABLISHED /* 198.105.191.245:80:80 */
>>   0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.5            tcp dpt:80 state NEW /* 198.105.191.245:80:80 */
>>   0     0 ACCEPT     all  --  eth4   eth0    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>>   0     0 ACCEPT     all  --  eth0   eth4    0.0.0.0/0            0.0.0.0/0
>>   0     0 ACCEPT     all  --  eth5   eth0    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>>   0     0 ACCEPT     all  --  eth0   eth5    0.0.0.0/0            0.0.0.0/0
>>   0     0 ACCEPT     all  --  eth6   eth0    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>>   0     0 ACCEPT     all  --  eth0   eth6    0.0.0.0/0            0.0.0.0/0
>>   0     0 ACCEPT     all  --  eth7   eth0    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>>   0     0 ACCEPT     all  --  eth0   eth7    0.0.0.0/0            0.0.0.0/0
>> 
>> Chain OUTPUT (policy ACCEPT 704 packets, 122K bytes)
>> pkts bytes target     prot opt in     out     source               destination
>> 6195 1039K NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>> 
>> Chain NETWORK_STATS (3 references)
>> pkts bytes target     prot opt in     out     source               destination
>> 4746  775K            all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
>> 3989  384K            all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0
>>   0     0            tcp  --  !eth0  eth2    0.0.0.0/0            0.0.0.0/0
>>   2   100            tcp  --  eth2   !eth0   0.0.0.0/0            0.0.0.0/0
>>   0     0            all  --  eth0   eth3    0.0.0.0/0            0.0.0.0/0
>>   0     0            all  --  eth3   eth0    0.0.0.0/0            0.0.0.0/0
>>   0     0            tcp  --  !eth0  eth3    0.0.0.0/0            0.0.0.0/0
>>   0     0            tcp  --  eth3   !eth0   0.0.0.0/0            0.0.0.0/0
>>   0     0            all  --  eth0   eth4    0.0.0.0/0            0.0.0.0/0
>>   0     0            all  --  eth4   eth0    0.0.0.0/0            0.0.0.0/0
>>   0     0            tcp  --  !eth0  eth4    0.0.0.0/0            0.0.0.0/0
>>   0     0            tcp  --  eth4   !eth0   0.0.0.0/0            0.0.0.0/0
>>   0     0            all  --  eth0   eth5    0.0.0.0/0            0.0.0.0/0
>>   0     0            all  --  eth5   eth0    0.0.0.0/0            0.0.0.0/0
>>   0     0            tcp  --  !eth0  eth5    0.0.0.0/0            0.0.0.0/0
>>   0     0            tcp  --  eth5   !eth0   0.0.0.0/0            0.0.0.0/0
>>   0     0            all  --  eth0   eth6    0.0.0.0/0            0.0.0.0/0
>>   0     0            all  --  eth6   eth0    0.0.0.0/0            0.0.0.0/0
>>   0     0            tcp  --  !eth0  eth6    0.0.0.0/0            0.0.0.0/0
>>   0     0            tcp  --  eth6   !eth0   0.0.0.0/0            0.0.0.0/0
>>   0     0            all  --  eth0   eth7    0.0.0.0/0            0.0.0.0/0
>>   0     0            all  --  eth7   eth0    0.0.0.0/0            0.0.0.0/0
>>   0     0            tcp  --  !eth0  eth7    0.0.0.0/0            0.0.0.0/0
>>   0     0            tcp  --  eth7   !eth0   0.0.0.0/0            0.0.0.0/0
>> root@r-4-VM:~#
>> 
>> 
>> 
>> ------------------------------------------------------------------------------------
>> Below is from the Guest VM instance.
>> 
>> Not sure how to capture the packets.
>> 
>> But I do a tracepath  www.google.com inside the guest VM.
>> 
>> From the output,
>> 
>> [root@CentOS5-5 ~]# tracepath www.google.com
>> 1:  r-4-VM.cs2cloud.internal (10.1.1.1)                    0.149ms
>> 2:  no reply
>> 3:  no reply
>> 4:  no reply
>> 
>> [root@CentOS5-5 ~]# iptables -L -nv
>> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>> pkts bytes target     prot opt in     out     source               destination
>> 15198 1412K RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>> 
>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>> pkts bytes target     prot opt in     out     source               destination
>>   0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>> 
>> Chain OUTPUT (policy ACCEPT 17238 packets, 7377K bytes)
>> pkts bytes target     prot opt in     out     source               destination
>> 
>> Chain RH-Firewall-1-INPUT (2 references)
>> pkts bytes target     prot opt in     out     source               destination
>>  56  9116 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
>>  22  3360 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
>>   0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
>>   0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
>>  13  2124 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353
>>   0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631
>>   0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:631
>> 13536 1320K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>> 931 55796 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
>> 640 21690 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
>> 
>> 
>> Inside the VM, Can ping other VMs' guest IP.
>> 
>> 
>> [root@CentOS5-5 ~]# ping 10.1.1.36
>> PING 10.1.1.36 (10.1.1.36) 56(84) bytes of data.
>> 64 bytes from 10.1.1.36: icmp_seq=1 ttl=64 time=1.32 ms
>> 64 bytes from 10.1.1.36: icmp_seq=2 ttl=64 time=0.156 ms
>> 64 bytes from 10.1.1.36: icmp_seq=3 ttl=64 time=0.134 ms
>> 
>> --- 10.1.1.36 ping statistics ---
>> 3 packets transmitted, 3 received, 0% packet loss, time 2000ms
>> rtt min/avg/max/mdev = 0.134/0.538/1.326/0.557 ms
>> [root@CentOS5-5 ~]# ifconfig
>> eth0      Link encap:Ethernet  HWaddr 02:00:2D:C8:00:01
>>         inet addr:10.1.1.5  Bcast:10.1.1.255  Mask:255.255.255.0
>>         inet6 addr: fe80::2dff:fec8:1/64 Scope:Link
>>         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>         RX packets:16846 errors:0 dropped:0 overruns:0 frame:0
>>         TX packets:18252 errors:0 dropped:0 overruns:0 carrier:0
>>         collisions:0 txqueuelen:1000
>>         RX bytes:1716037 (1.6 MiB)  TX bytes:7661658 (7.3 MiB)
>> 
>> lo        Link encap:Local Loopback
>>         inet addr:127.0.0.1  Mask:255.0.0.0
>>         inet6 addr: ::1/128 Scope:Host
>>         UP LOOPBACK RUNNING  MTU:16436  Metric:1
>>         RX packets:56 errors:0 dropped:0 overruns:0 frame:0
>>         TX packets:56 errors:0 dropped:0 overruns:0 carrier:0
>>         collisions:0 txqueuelen:0
>>         RX bytes:9116 (8.9 KiB)  TX bytes:9116 (8.9 KiB)
>> 
>> 
>> 
>> [root@CentOS5-5 ~]# ping www.google.com
>> PING www.google.com (173.194.64.104) 56(84) bytes of data.
>> ^C
>> --- www.google.com ping statistics ---
>> 6 packets transmitted, 0 received, 100% packet loss, time 5000ms
>> 
>> 
>> 
>> Any problems?
>> 
>> Thank you so much.
>> 
>> 
>> 
>> On Wed, May 22, 2013 at 4:14 PM, Jayapal Reddy Uradi <
>> jayapalreddy.uradi@citrix.com> wrote:
>> 
>>> By looking at the iptables rules, there is no egress rules feature in your
>>> deployment.
>>> In your case the issue seems to be different.
>>> 
>>> Please do the below troubleshooting.
>>> Ping from the guest vm to public subnet/google and try to capture the
>>> packets on the router guest interface and public interface.
>>> Check whether the packets are reaching the public interface of the VR or not.
>>> 
>>> Also send iptables -L -nv output.
>>> 
>>> Thanks,
>>> Jayapal
>>> 
>>> On 22-May-2013, at 1:18 PM, wq meng <wqmeng@gmail.com>
>>> wrote:
>>> 
>>>> Hello Jayapal
>>>> 
>>>> I know very little about api yet.
>>>> 
>>>> I login to the VRouter VM, Can I change the rules to get work?
>>>> 
>>>> On
>>>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Egress+firewall+rules+for+guest+network
>>>> 
>>>> It says some Chains , but I can not find them inside my VRouter VM.
>>>> 
>>>> ====================
>>>> 
>>>> firewallRule_egress.sh script get called on the virtual router.
>>>> 
>>>> The egress rules are added in filter table, FW_EGRESS_RULES chain.
>>>> 
>>>> All the traffic from eth0 eth2 (public interface) will be sent to the
>>>> FW_OUTBOUND  chain.
>>>> 
>>>> *iptables rules:*
>>>> 
>>>> *Default rules:*
>>>> 
>>>> ipassoc.sh adding rule to ACCEPT traffic from eth0 to public interface.
>>>> 
>>>> Modified the rule to send egress traffic to the FW_OUTBOUND chain.
>>>> 
>>>> *iptables -A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND*
>>>> 
>>>> *Rules added while configuring:*
>>>> 
>>>> Ex: Egress rule  to block the port 22 (ssh) traffic from 10.1.1.31/32
>>>> 
>>>> *iptables -A  **FW_OUTBOUND **-j EGRESS_FWRULES*
>>>> 
>>>> *iptables -A EGRESS_FWRULES   -s   10.1.1.31/32 -p tcp  --dport 22:22 -j ACCEPT*
>>>> ======================
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> Here is how the current iptables shows.
>>>> 
>>>> 
>>> --------------------------------------------------------------------------------
>>>> root@r-4-VM:~# iptables -L
>>>> Chain INPUT (policy DROP)
>>>> target     prot opt source               destination
>>>> NETWORK_STATS  all  --  anywhere             anywhere
>>>> ACCEPT     all  --  anywhere             vrrp.mcast.net
>>>> ACCEPT     all  --  anywhere             225.0.0.50
>>>> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
>>>> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
>>>> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
>>>> ACCEPT     icmp --  anywhere             anywhere
>>>> ACCEPT     all  --  anywhere             anywhere
>>>> ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
>>>> ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
>>>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:3922
>>>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http-alt
>>>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:www
>>>> 
>>>> Chain FORWARD (policy DROP)
>>>> target     prot opt source               destination
>>>> NETWORK_STATS  all  --  anywhere             anywhere
>>>> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
>>>> ACCEPT     all  --  anywhere             anywhere
>>>> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
>>>> ACCEPT     all  --  anywhere             anywhere            state NEW
>>>> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
>>>> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
>>>> ACCEPT     all  --  anywhere             anywhere
>>>> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
>>>> ACCEPT     all  --  anywhere             anywhere
>>>> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
>>>> ACCEPT     all  --  anywhere             anywhere
>>>> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
>>>> ACCEPT     all  --  anywhere             anywhere
>>>> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
>>>> ACCEPT     all  --  anywhere             anywhere
>>>> 
>>>> Chain OUTPUT (policy ACCEPT)
>>>> target     prot opt source               destination
>>>> NETWORK_STATS  all  --  anywhere             anywhere
>>>> 
>>>> Chain NETWORK_STATS (3 references)
>>>> target     prot opt source               destination
>>>>         all  --  anywhere             anywhere
>>>>         all  --  anywhere             anywhere
>>>>         tcp  --  anywhere             anywhere
>>>>         tcp  --  anywhere             anywhere
>>>>         all  --  anywhere             anywhere
>>>>         all  --  anywhere             anywhere
>>>>         tcp  --  anywhere             anywhere
>>>>         tcp  --  anywhere             anywhere
>>>>         all  --  anywhere             anywhere
>>>>         all  --  anywhere             anywhere
>>>>         tcp  --  anywhere             anywhere
>>>>         tcp  --  anywhere             anywhere
>>>>         all  --  anywhere             anywhere
>>>>         all  --  anywhere             anywhere
>>>>         tcp  --  anywhere             anywhere
>>>>         tcp  --  anywhere             anywhere
>>>>         all  --  anywhere             anywhere
>>>>         all  --  anywhere             anywhere
>>>>         tcp  --  anywhere             anywhere
>>>>         tcp  --  anywhere             anywhere
>>>>         all  --  anywhere             anywhere
>>>>         all  --  anywhere             anywhere
>>>>         tcp  --  anywhere             anywhere
>>>>         tcp  --  anywhere             anywhere
>>>> 
>>>> 
>>>> And the link have been fixed in the Git ?
>>>> 
>>>> Thank you so much.
>>>> 
>>>> 
>>>> On Wed, May 22, 2013 at 2:55 PM, Jayapal Reddy Uradi <
>>>> jayapalreddy.uradi@citrix.com> wrote:
>>>> 
>>>>> 
>>>>> I think UI link is missed but it is fixed after that.
>>>>> Try to add rules using the API 'createEgressFirewallRule'
>>>>> 
>>>>> Thanks,
>>>>> Jayapal
>>>>> 
>>>>> On 22-May-2013, at 12:05 PM, wq meng <wqmeng@gmail.com>
>>>>> wrote:
>>>>> 
>>>>>> Hello Jayapal,
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> https://cwiki.apache.org/CLOUDSTACK/egress-firewall-rules-for-guest-network.html
>>>>>> 
>>>>>> I have checked  Network  ->  Guest Network (Name) ->
>>>>>> 
>>>>>> I can not find out any  Egress fire rule tab.
>>>>>> 
>>>>>> 
>>>>>> Have I missed something?
>>>>>> 
>>>>>> 
>>>>>> Thank you very much.
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> On Wed, May 22, 2013 at 1:23 PM, Jayapal Reddy Uradi <
>>>>>> jayapalreddy.uradi@citrix.com> wrote:
>>>>>> 
>>>>>>> Hi,
>>>>>>> 
>>>>>>> Did you configure the egress firewall rules on the guest network?
>>>>>>> You need to add egress rules to allow guest traffic.
>>>>>>> 
>>>>>>> If it does not work after adding the egress rule, please send the router iptables rules.
>>>>>>> 
>>>>>>> Thanks,
>>>>>>> Jayapal
>>>>>>> 
>>>>>>> On 22-May-2013, at 4:10 AM, wq meng <wqmeng@gmail.com> wrote:
>>>>>>> 
>>>>>>>> Hello
>>>>>>>> 
>>>>>>>> Has anyone faced this problem?  CS4.02 KVM Advanced Network, VM instance
>>>>>>>> can not access public IP.  NAT(Source)
>>>>>>>> 
>>>>>>>> 
>>>>>>>> The VM instance is running, but inside the VM instance, it is not
>>>>>>>> possible to access outside.
>>>>>>>> 
>>>>>>>> 
>>>>>>>> It can ping the other VMs, and it can ping google.com in the *Virtual Router VM*.
>>>>>>>> 
>>>>>>>> But it just can not ping Google.com inside the VM instance.
>>>>>>>> 
>>>>>>>> 
>>>>>>>> It seems that inside the VM instance, it can resolve Google.com's IP address,
>>>>>>>> BUT can not do others.
>>>>>>>> 
>>>>>>>> Please see the following output.
>>>>>>>> 
>>>>>>>> 
>>>>>>>> ------------------------
>>>>>>>> [root@CentOS5-5 ~]# wget www.google.com
>>>>>>>> --2013-05-21 08:30:39--  http://www.google.com/
>>>>>>>> Resolving www.google.com... 173.194.64.104, 173.194.64.99, 173.194.64.105, ...
>>>>>>>> Connecting to www.google.com|173.194.64.104|:80...
>>>>>>>> [root@CentOS5-5 ~]# ls
>>>>>>>> 
>>>>>>>> -------------------------
>>>>>>>> [root@CentOS5-5 ~]# iptables -L
>>>>>>>> Chain INPUT (policy ACCEPT)
>>>>>>>> target     prot opt source               destination
>>>>>>>> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>>>>>>>> 
>>>>>>>> Chain FORWARD (policy ACCEPT)
>>>>>>>> target     prot opt source               destination
>>>>>>>> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>>>>>>>> 
>>>>>>>> Chain OUTPUT (policy ACCEPT)
>>>>>>>> target     prot opt source               destination
>>>>>>>> 
>>>>>>>> Chain RH-Firewall-1-INPUT (2 references)
>>>>>>>> target     prot opt source               destination
>>>>>>>> ACCEPT     all  --  anywhere             anywhere
>>>>>>>> ACCEPT     icmp --  anywhere             anywhere            icmp any
>>>>>>>> ACCEPT     esp  --  anywhere             anywhere
>>>>>>>> ACCEPT     ah   --  anywhere             anywhere
>>>>>>>> ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
>>>>>>>> ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
>>>>>>>> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
>>>>>>>> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
>>>>>>>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
>>>>>>>> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
>>>>>>>> [root@CentOS5-5 ~]# ping 8.8.8.8
>>>>>>>> PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
>>>>>>>> 
>>>>>>>> --- 8.8.8.8 ping statistics ---
>>>>>>>> 3 packets transmitted, 0 received, 100% packet loss, time 2000ms
>>>>>>>> 
>>>>>>>> --------------------------
>>>>>>>> [root@CentOS5-5 ~]# ifconfig
>>>>>>>> eth0      Link encap:Ethernet  HWaddr 02:00:2D:C8:00:01
>>>>>>>>      inet addr:10.1.1.5  Bcast:10.1.1.255  Mask:255.255.255.0
>>>>>>>>      inet6 addr: fe80::2dff:fec8:1/64 Scope:Link
>>>>>>>>      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>>>>>>      RX packets:2442 errors:0 dropped:0 overruns:0 frame:0
>>>>>>>>      TX packets:2261 errors:0 dropped:0 overruns:0 carrier:0
>>>>>>>>      collisions:0 txqueuelen:1000
>>>>>>>>      RX bytes:174960 (170.8 KiB)  TX bytes:154159 (150.5 KiB)
>>>>>>>> 
>>>>>>>> lo        Link encap:Local Loopback
>>>>>>>>      inet addr:127.0.0.1  Mask:255.0.0.0
>>>>>>>>      inet6 addr: ::1/128 Scope:Host
>>>>>>>>      UP LOOPBACK RUNNING  MTU:16436  Metric:1
>>>>>>>>      RX packets:32 errors:0 dropped:0 overruns:0 frame:0
>>>>>>>>      TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
>>>>>>>>      collisions:0 txqueuelen:0
>>>>>>>>      RX bytes:3913 (3.8 KiB)  TX bytes:3913 (3.8 KiB)
>>>>>>>> 
>>>>>>>> ----------------------------
>>>>>>>> 
>>>>>>>> [root@CentOS5-5 ~]# tracert www.google.com
>>>>>>>> traceroute to www.google.com (173.194.64.106), 30 hops max, 40 byte packets
>>>>>>>> 1  r-4-VM.cs2cloud.internal (10.1.1.1)  0.158 ms  0.136 ms  0.134 ms
>>>>>>>> 2  * * *
>>>>>>>> 3  * * *
>>>>>>>> 4  * * *
>>>>>>>> 5  * * *
>>>>>>>> 6  * * *
>>>>>>>> 7  * * *
>>>>>>>> 8  * * *
>>>>>>>> 9  * * *
>>>>>>>> 10  * * *
>>>>>>>> 11  * * *
>>>>>>>> 12  * * *
>>>>>>>> 13  * * *
>>>>>>>> 14  * * *
>>>>>>>> 15  * * *
>>>>>>>> 16  * * *
>>>>>>>> 17  * * *
>>>>>>>> 18  * * *
>>>>>>>> 19  * * *
>>>>>>>> 20  * * *
>>>>>>>> 21  * * *
>>>>>>>> 22  * * *
>>>>>>>> 23  * * *
>>>>>>>> 24  * * *
>>>>>>>> 25  * * *
>>>>>>>> 26  * * *
>>>>>>>> 27  * * *
>>>>>>>> 28  * * *
>>>>>>>> 29  * * *
>>>>>>>> 30  * * *
>>>>>>>> 
>>>>>>>> ----------------
>>>>>>>> 
>>>>>>>> 
>>>>>>>> Any thoughts?
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> Thank you very much.
>>>>>>> 
>>>>>>> 
>>>>> 
>>>>> 
>>> 
>>> 
> 
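
The capture suggested at the top of this message (router guest interface and public interface), as an added example that is not part of the original thread. The interface roles (eth0 guest, eth2 public) and the guest address 10.1.1.5 are read from the output quoted above; `SNAT_IP`, the function names and the tcpdump lines in `demo` are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): find where a guest ping stops on the
# virtual router by capturing ICMP on its guest and public interfaces.
# From the thread's output: eth0 = guest side, eth2 = public side, guest 10.1.1.5.
# SNAT_IP is a placeholder (documentation range); set it to your source NAT IP.
GUEST_IF=${GUEST_IF:-eth0}
PUBLIC_IF=${PUBLIC_IF:-eth2}
GUEST_IP=${GUEST_IP:-10.1.1.5}
TARGET=${TARGET:-8.8.8.8}
SNAT_IP=${SNAT_IP:-203.0.113.10}

# Count "tcpdump -n" lines on stdin: ICMP echo $3 (request|reply) from $1 to $2.
count_icmp() {
    grep -c -F "IP $1 > $2: ICMP echo $3" || true   # grep exits 1 on zero matches
}

# diagnose <requests on guest if> <un-NATed requests on public if>
#          <NATed requests on public if> <replies on public if>
diagnose() {
    if   [ "$1" -eq 0 ]; then echo "not-reaching-router"        # guest, bridge, VLAN
    elif [ "$2" -gt 0 ]; then echo "leaving-without-snat"       # nat POSTROUTING
    elif [ "$3" -eq 0 ]; then echo "dropped-on-router"          # FORWARD chain, routing
    elif [ "$4" -eq 0 ]; then echo "no-reply-from-public-side"  # upstream of the router
    else                      echo "replies-reach-router"
    fi
}

# analyse <guest-interface capture file> <public-interface capture file>
analyse() {
    diagnose \
        "$(count_icmp "$GUEST_IP" "$TARGET" request < "$1")" \
        "$(count_icmp "$GUEST_IP" "$TARGET" request < "$2")" \
        "$(count_icmp "$SNAT_IP" "$TARGET" request < "$2")" \
        "$(count_icmp "$TARGET" "$SNAT_IP" reply < "$2")"
}

# Live mode: run as root on the router while the guest runs "ping $TARGET".
live() {
    g=$(mktemp); p=$(mktemp)
    timeout 10 tcpdump -nli "$GUEST_IF"  "icmp and host $TARGET" > "$g" 2>/dev/null &
    timeout 10 tcpdump -nli "$PUBLIC_IF" "icmp and host $TARGET" > "$p" 2>/dev/null &
    wait
    analyse "$g" "$p"
    iptables -t nat -L POSTROUTING -nv   # source NAT rules and their counters
    rm -f "$g" "$p"
}

# Offline demo on constructed capture lines: requests seen on eth0, nothing on eth2.
demo() {
    g=$(mktemp); p=$(mktemp)
    printf '%s\n' \
        "10:23:04.000001 IP 10.1.1.5 > 8.8.8.8: ICMP echo request, id 5122, seq 1, length 64" \
        "10:23:05.000210 IP 10.1.1.5 > 8.8.8.8: ICMP echo request, id 5122, seq 2, length 64" > "$g"
    : > "$p"
    analyse "$g" "$p"
    rm -f "$g" "$p"
}

case "${1:-}" in
    live) live ;;
    demo) demo ;;
esac
```

Run it with `live` on the router for a ten-second capture, or with `demo` to see the classification on the constructed sample.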

