cloudstack-users mailing list archives

From "WXR" <474745...@qq.com>
Subject Re: How to create a network offering without firewall?
Date Fri, 28 Jun 2013 03:03:04 GMT
root@r-60-VM:~# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 149 packets, 13502 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 6 packets, 419 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 6 packets, 419 bytes)
 pkts bytes target     prot opt in     out     source               destination     

----

root@r-60-VM:~# iptables -t mangle -L -nv
Chain PREROUTING (policy ACCEPT 641 packets, 74208 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  466 59141 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED CONNMARK restore

Chain INPUT (policy ACCEPT 619 packets, 72888 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 22 packets, 1320 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 400 packets, 66973 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 400 packets, 66973 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CHECKSUM   udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:68 CHECKSUM fill

--

root@r-60-VM:~# iptables -L -nv
Chain INPUT (policy DROP 125 packets, 11746 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            224.0.0.18          
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            225.0.0.50          
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  416 54881 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    3   347 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   13  1129 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    5   293 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
   13   780 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3922
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  eth0   *       10.10.2.0/24         0.0.0.0/0           state NEW tcp dpt:8080

Chain FORWARD (policy DROP 22 packets, 1320 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   22  1320 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0          


Chain OUTPUT (policy ACCEPT 368 packets, 60175 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FW_OUTBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
root@r-60-VM:~# iptables -t mangle -L -nv
Chain PREROUTING (policy ACCEPT 625 packets, 72976 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  450 57909 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED CONNMARK restore

Chain INPUT (policy ACCEPT 603 packets, 71656 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 22 packets, 1320 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 392 packets, 65149 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 392 packets, 65149 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CHECKSUM   udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:68 CHECKSUM fill
root@r-60-VM:~# clear
root@r-60-VM:~# iptables -t mangle -L -nv
Chain PREROUTING (policy ACCEPT 641 packets, 74208 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  466 59141 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED CONNMARK restore

Chain INPUT (policy ACCEPT 619 packets, 72888 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 22 packets, 1320 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 400 packets, 66973 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 400 packets, 66973 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CHECKSUM   udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:68 CHECKSUM fill
root@r-60-VM:~# iptables -L -nv
Chain INPUT (policy DROP 125 packets, 11746 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            224.0.0.18          
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            225.0.0.50          
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  506 65459 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    3   347 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   15  1297 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    5   293 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
   15   900 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3922
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  eth0   *       10.10.2.0/24         0.0.0.0/0           state NEW tcp dpt:8080

Chain FORWARD (policy DROP 22 packets, 1320 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   22  1320 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0          


Chain OUTPUT (policy ACCEPT 441 packets, 74901 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FW_OUTBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED




------------------ Original ------------------
From:  ""<jayapalreddy.uradi@citrix.com>;
Date:  Fri, Jun 28, 2013 10:56 AM
To:  "<users@cloudstack.apache.org>"<users@cloudstack.apache.org>; 

Subject:  Re: How to create a network offering without firewall?



I thought the iptables rules you sent were from the router's iptables-save.
In /etc/iptables/rules we won't have the SNAT rule.

Please send the iptables rules from your router, not /etc/iptables/rules.

iptables -t nat -L -nv, iptables -L -nv and iptables -t mangle -L -nv.

Thanks,
Jayapal

On 28-Jun-2013, at 8:21 AM, WXR <474745079@qq.com> wrote:

> When I added the guest network I selected the system default network offering with source NAT.
> There is a default ip "x.x.x.x[source NAT]" in the list when I click the "view ip addresses".
> 
> 
> 
> 
> ------------------ Original ------------------
> From:  ""<jayapalreddy.uradi@citrix.com>;
> Date:  Fri, Jun 28, 2013 10:45 AM
> To:  "<users@cloudstack.apache.org>"<users@cloudstack.apache.org>; 
> 
> Subject:  Re: How to create a network offering without firewall?
> 
> 
> 
> The problem is there is no source NAT rule added in the iptables nat table on the router.
> Why is the source NAT rule not added on the router?
> In your network IP addresses do you have a source NAT IP?
> 
> Thanks,
> Jayapal
> 
> 
> On 28-Jun-2013, at 8:06 AM, WXR <474745079@qq.com>
> wrote:
> 
>> I tried to add the rule "iptables -A FW_OUTBOUND -j ACCEPT" to the vrouter firewall, but unfortunately it has no effect.
>> 
>> These are the iptables rules in the file "/etc/iptables/rules":
>> 
>> *nat
>> :PREROUTING ACCEPT [0:0]
>> :POSTROUTING ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> COMMIT
>> *filter
>> :INPUT DROP [0:0]
>> :FORWARD DROP [0:0]
>> :OUTPUT ACCEPT [0:0]
>> :FW_OUTBOUND - [0:0]
>> -A INPUT -d 224.0.0.18/32 -j ACCEPT
>> -A INPUT -d 225.0.0.50/32 -j ACCEPT
>> -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -p icmp -j ACCEPT
>> -A INPUT -i lo -j ACCEPT
>> -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
>> -A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
>> -A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
>> -A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
>> -A INPUT -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
>> -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
>> -A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
>> -I FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
>> COMMIT
>> *mangle
>> :PREROUTING ACCEPT [0:0]
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> :POSTROUTING ACCEPT [0:0]
>> -A PREROUTING -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
>> -A POSTROUTING -p udp --dport bootpc -j CHECKSUM --checksum-fill
>> COMMIT
>> 
>> Is there anything wrong?
>> 
>> 
>> 
>> ------------------ Original ------------------
>> From:  ""<emunoz@intecom.ad>;
>> Date:  Thu, Jun 27, 2013 06:40 PM
>> To:  "users@cloudstack.apache.org"<users@cloudstack.apache.org>; 
>> 
>> Subject:  RE: How to create a network offering without firewall?
>> 
>> 
>> 
>> I had this issue too some days ago. I solved it by logging into the Virtual Router over ssh and adding this rule to the Firewall:
>> 
>> iptables -A FW_OUTBOUND -j ACCEPT
>> 
>> I hope this helps.
>> 
>> Regards
>> 
>> -----Original Message-----
>> From: Jayapal Reddy Uradi [mailto:jayapalreddy.uradi@citrix.com] 
>> Sent: Thursday, 27 June 2013 12:37
>> To: <users@cloudstack.apache.org>
>> Subject: Re: How to create a network offering without firewall?
>> 
>> Is the internet accessible from the router?
>> If it is accessible, please send the router iptables rules on pastebin.com.
>> 
>> Thanks,
>> jayapal
>> 
>> On 27-Jun-2013, at 3:34 PM, WXR <474745079@qq.com>
>> wrote:
>> 
>>> Sorry, the instance can access the vrouter gateway ip, but can not access the Internet.
>>> 
>>> 
>>> ------------------ Original ------------------
>>> From:  "WXR"<474745079@qq.com>;
>>> Date:  Thu, Jun 27, 2013 06:01 PM
>>> To:  "users"<users@cloudstack.apache.org>;
>>> 
>>> Subject:  Re: How to create a network offering without firewall?
>>> 
>>> 
>>> 
>>> I have added an egress rule like this:
>>> Source CIDR    Protocol    Start Port    End Port 
>>> 0.0.0.0/0         All            All                All
>>> 
>>> The vrouter vm can also access the Internet.
>>> But the instance vm is still able to access the vrouter gateway ip and the Internet.
>>> 
>>> 
>>> 
>>> 
>>> ------------------ Original ------------------
>>> From:  "Murali Reddy"<Murali.Reddy@citrix.com>;
>>> Date:  Thu, Jun 27, 2013 05:21 PM
>>> To:  "users@cloudstack.apache.org"<users@cloudstack.apache.org>;
>>> 
>>> Subject:  Re: How to create a network offering without firewall?
>>> 
>>> 
>>> 
>>> 
>>> Yes, egress firewall default action is 'BLOCK'. Here is a nice blog from Radhika:
>>> http://writersopendiary.wordpress.com/2013/05/27/egress-firewall-rules-in-apache-cloudstack/
>>> 
>>> On 27/06/13 2:21 PM, "WXR" <474745079@qq.com> wrote:
>>> 
>>>> By the way, when I select the default guestnetworkwithsourceNAT and create an instance, the vm can not access the Internet. Is this a default setting? How can I let the vm access the Internet?
>>>> 
>>>> 
>>>> 
>>>> 
>>>> ------------------ Original ------------------
>>>> From:  "Murali Reddy"<Murali.Reddy@citrix.com>;
>>>> Date:  Thu, Jun 27, 2013 04:46 PM
>>>> To:  "users@cloudstack.apache.org"<users@cloudstack.apache.org>;
>>>> 
>>>> Subject:  Re: How to create a network offering without firewall?
>>>> 
>>>> 
>>>> 
>>>> 
>>>> Also, by default all the ports that will be used by edge services are blocked by the iptables config in the router VM templates. They need to be opened explicitly with firewall rules.
>>>> 
>>>> On 27/06/13 2:08 PM, "Jayapal Reddy Uradi" 
>>>> <jayapalreddy.uradi@citrix.com>
>>>> wrote:
>>>> 
>>>>> Without a firewall provider you can't have sourceNAT and static NAT services, because these services are provided by the firewall provider only.
>>>>> 
>>>>> Thanks,
>>>>> Jayapal
>>>>> 
>>>>> On 27-Jun-2013, at 1:35 PM, WXR <474745079@qq.com>
>>>>> wrote:
>>>>> 
>>>>>> If I create a new network offering and check dns, dhcp, userdata, sourceNAT and staticNAT, and do not check the firewall service, the firewall will still be added into it automatically.
>>>>>> I don't need the firewall service; how can I create a network offering without firewall?
>>>>> 
>>>>> 
>>>> 
>>>> 
>>>> .
>>> 
>>> 
>>> .
>> 
>> .
> 
> .
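The two things Jayapal checks in this thread, whether NEW guest-to-public traffic is accepted anywhere on the FORWARD path and whether the nat table has a source-NAT rule at all, can be read off an iptables-save dump mechanically. The following is an added Python check, not CloudStack's own code or anything posted in the thread; it assumes eth0 is the guest NIC and eth2 the public NIC (as the `-i eth0 -o eth2 -j FW_OUTBOUND` jump suggests), and the SNAT address 203.0.113.10 in the corrected ruleset is a constructed placeholder.

```python
"""Check a CloudStack virtual-router iptables-save dump for what this thread hinges on:
is NEW guest->public traffic ACCEPTed on the FORWARD path, and is any SNAT rule present?"""
import re
# Ruleset as posted above, trimmed to the nat table and the egress-deciding rules.
POSTED = """*nat
COMMIT
*filter
:FORWARD DROP [0:0]
:FW_OUTBOUND - [0:0]
-A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
-I FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""
# The thread's fix plus a constructed SNAT rule (203.0.113.10 is a documentation address).
FIXED = POSTED.replace("COMMIT\n*filter", "-A POSTROUTING -o eth2 -j SNAT --to-source 203.0.113.10\nCOMMIT\n*filter") \
              .replace("-j ACCEPT\nCOMMIT", "-j ACCEPT\n-A FW_OUTBOUND -j ACCEPT\nCOMMIT")

def parse(dump):
    """Return {table: {"policy": {chain: policy}, "rules": [(chain, rule_text)]}}."""
    tables, table = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":") and table is not None:
            table["policy"][line[1:].split()[0]] = line.split()[1]
        elif line[:3] in ("-A ", "-I ") and table is not None:
            table["rules"].append((line.split()[1], line))
    return tables

# Added example, not CloudStack code.  Assumes eth0 is the guest NIC and eth2 the public
# NIC (as the FW_OUTBOUND jump suggests); an earlier DROP/REJECT in a chain is not modelled.
def audit(dump, guest="eth0", public="eth2"):
    """Return {"egress_new_allowed": bool, "snat_present": bool}."""
    t, empty = parse(dump), {"policy": {}, "rules": []}
    filt, nat = t.get("filter", empty), t.get("nat", empty)
    def applies(rule):  # no -i/-o given, or they name the guest/public NICs
        i, o = re.search(r"\s-i (\S+)", rule), re.search(r"\s-o (\S+)", rule)
        return (not i or i.group(1) == guest) and (not o or o.group(1) == public)
    def accepts_new(rule):  # ACCEPT with no state match, or a state list including NEW
        m = re.search(r"--state (\S+)", rule)
        return rule.endswith("-j ACCEPT") and (not m or "NEW" in m.group(1).split(","))
    # FORWARD itself plus each user chain FORWARD hands guest->public traffic to
    chains = {"FORWARD"} | {r.split("-j ")[1].split()[0] for c, r in filt["rules"]
                            if c == "FORWARD" and applies(r) and "-j " in r}
    egress = filt["policy"].get("FORWARD") == "ACCEPT" or any(
        c in chains and applies(r) and accepts_new(r) for c, r in filt["rules"])
    snat = any(c == "POSTROUTING" and re.search(r"-j (SNAT|MASQUERADE)\b", r)
               for c, r in nat["rules"])
    return {"egress_new_allowed": egress, "snat_present": snat}
```

On the posted ruleset both answers are False, which is exactly the state the thread describes: FORWARD drops by default, FW_OUTBOUND only passes RELATED,ESTABLISHED, and nat is empty.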