From: Jayapal Reddy Uradi
Mailing list: users@cloudstack.apache.org
Subject: Re: How to create a network offering without firewall?
Date: Fri, 28 Jun 2013 02:45:31 +0000
Message-ID: <618CCD9A-F716-42DA-86CC-296973C4F96A@citrix.com>

The problem is that there is no source NAT rule added in the iptables nat table on the router.
Why is the source NAT rule not added on the router?
Among your network IP addresses, do you have a source NAT IP?

Thanks,
Jayapal

On 28-Jun-2013, at 8:06 AM, WXR <474745079@qq.com> wrote:

> I tried to add the rule "iptables -A FW_OUTBOUND -j ACCEPT" to the vrouter firewall, but unfortunately it has no effect.
>
> These are the iptables rules in the file "/etc/iptables/rules":
>
> *nat
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> COMMIT
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> :FW_OUTBOUND - [0:0]
> -A INPUT -d 224.0.0.18/32 -j ACCEPT
> -A INPUT -d 225.0.0.50/32 -j ACCEPT
> -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
> -A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
> -A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
> -A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
> -I FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
> COMMIT
> *mangle
> :PREROUTING ACCEPT [0:0]
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> -A PREROUTING -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
> -A POSTROUTING -p udp --dport bootpc -j CHECKSUM --checksum-fill
> COMMIT
>
> Is there anything wrong?
>
> ------------------ Original ------------------
> From: "";
> Date: Thu, Jun 27, 2013 06:40 PM
> To: "users@cloudstack.apache.org";
> Subject: RE: How to create a network offering without firewall?
>
> I had this issue too some days ago. I solved it by logging into the Virtual Router over ssh and adding this rule to the firewall:
>
> iptables -A FW_OUTBOUND -j ACCEPT
>
> I hope this helps.
>
> Regards
>
> -----Original Message-----
> From: Jayapal Reddy Uradi [mailto:jayapalreddy.uradi@citrix.com]
> Sent: Thursday, 27 June 2013 12:37
> To:
> Subject: Re: How to create a network offering without firewall?
>
> Is the Internet accessible from the router?
> If it is accessible, please send the router iptables rules on pastebin.com
>
> Thanks,
> jayapal
>
> On 27-Jun-2013, at 3:34 PM, WXR <474745079@qq.com> wrote:
>
>> Sorry, the instance can access the vrouter gateway IP, but cannot access the Internet.
>>
>> ------------------ Original ------------------
>> From: "WXR"<474745079@qq.com>;
>> Date: Thu, Jun 27, 2013 06:01 PM
>> To: "users";
>> Subject: Re: How to create a network offering without firewall?
>>
>> I have added an egress rule like this:
>>
>> Source CIDR   Protocol   Start Port   End Port
>> 0.0.0.0/0     All        All          All
>>
>> The vrouter VM can also access the Internet.
>> But the instance VM is still able to access the vrouter gateway IP and the Internet.
>>
>> ------------------ Original ------------------
>> From: "Murali Reddy";
>> Date: Thu, Jun 27, 2013 05:21 PM
>> To: "users@cloudstack.apache.org";
>> Subject: Re: How to create a network offering without firewall?
>>
>> Yes, the egress firewall default action is 'BLOCK'. Here is a nice blog from Radhika:
>> http://writersopendiary.wordpress.com/2013/05/27/egress-firewall-rules-in-apache-cloudstack/
>>
>> On 27/06/13 2:21 PM, "WXR" <474745079@qq.com> wrote:
>>
>>> By the way, when I select the default guestnetworkwithsourceNAT and create an instance, the VM cannot access the Internet. Is this a default setting? How can I let the VM access the Internet?
>>>
>>> ------------------ Original ------------------
>>> From: "Murali Reddy";
>>> Date: Thu, Jun 27, 2013 04:46 PM
>>> To: "users@cloudstack.apache.org";
>>> Subject: Re: How to create a network offering without firewall?
>>>
>>> Also, by default all the ports that will be used by edge services are blocked by the iptables config in the router VM templates. They need to be opened explicitly with firewall rules.
>>>
>>> On 27/06/13 2:08 PM, "Jayapal Reddy Uradi" wrote:
>>>
>>>> Without the firewall provider you can't have sourceNAT and static NAT services, because these services are provided by the firewall provider only.
>>>>
>>>> Thanks,
>>>> Jayapal
>>>>
>>>> On 27-Jun-2013, at 1:35 PM, WXR <474745079@qq.com> wrote:
>>>>
>>>>> If I create a new network offering and check dns, dhcp, userdata, sourceNAT and staticNAT, but do not check the firewall service, the firewall will be added into it automatically.
>>>>> I don't need the firewall service. How can I create a network offering without firewall?
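The two conditions the thread turns on, a source NAT rule in the nat table and an egress chain that admits new connections, can be checked mechanically from an `iptables-save` dump instead of by eye. The following is an added example written for this archive, not code from the thread or from the CloudStack project: it parses the dump format, runs both checks over the nat and filter lines WXR posted, and then over a constructed "fixed" variant. The chain name FW_OUTBOUND comes from the posted rules; the SNAT line in the fixed variant, its public interface (eth2, which the posted FORWARD rule sends guest traffic out of) and the 203.0.113.10 address are placeholders, not what CloudStack actually programs.

```python
"""Added example (not code from the thread or from CloudStack): parse an
iptables-save dump from a virtual router and report whether guests can reach
the Internet, i.e. whether nat/POSTROUTING has a source NAT rule and whether
the egress chain (assumed to be FW_OUTBOUND, as in the posted rules) accepts
NEW connections rather than only RELATED,ESTABLISHED replies."""
import re
from dataclasses import dataclass, field


@dataclass
class Table:
    name: str
    policies: dict = field(default_factory=dict)  # chain -> default policy
    rules: dict = field(default_factory=dict)     # chain -> rules in order


def parse_iptables_save(text):
    """Parse iptables-save format into {table_name: Table}."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                    # "*nat" opens a table
            current = Table(line[1:])
            tables[current.name] = current
        elif line == "COMMIT":
            current = None
        elif line.startswith(":"):                  # ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            current.policies[chain] = policy
            current.rules.setdefault(chain, [])
        elif line.startswith(("-A ", "-I ")):
            op, chain, rest = line.split(None, 2)
            chain_rules = current.rules.setdefault(chain, [])
            pos = len(chain_rules)                  # -A appends
            if op == "-I":                          # -I inserts at 1 or at the given rulenum
                head, _, tail = rest.partition(" ")
                pos = 0
                if head.isdigit():
                    pos, rest = int(head) - 1, tail
            chain_rules.insert(pos, rest)
    return tables


SOURCE_NAT = re.compile(r"-j (SNAT|MASQUERADE)\b")


def has_source_nat(tables):
    """True if nat/POSTROUTING rewrites guest source addresses on the way out."""
    nat = tables.get("nat")
    return nat is not None and any(
        SOURCE_NAT.search(rule) for rule in nat.rules.get("POSTROUTING", []))


def egress_chain_allows_new(tables, chain="FW_OUTBOUND"):
    """True if the egress chain has an ACCEPT not restricted by a state match,
    so guests can open new outbound flows instead of only answering existing ones."""
    filt = tables.get("filter")
    if filt is None:
        return False
    return any("-j ACCEPT" in rule and "--state" not in rule
               for rule in filt.rules.get(chain, []))


def diagnose(dump, egress_chain="FW_OUTBOUND"):
    """Return findings as strings; an empty list means both checks pass."""
    tables = parse_iptables_save(dump)
    findings = []
    if not has_source_nat(tables):
        findings.append("no source NAT rule in nat/POSTROUTING: guest packets "
                        "leave with private source addresses and get no replies")
    if not egress_chain_allows_new(tables, egress_chain):
        findings.append(f"{egress_chain} accepts no NEW connections "
                        "(egress default is BLOCK): outbound flows are dropped")
    return findings


# The nat table and the relevant filter lines of the dump posted in the thread:
# no POSTROUTING rule at all, and FW_OUTBOUND only accepts established flows.
POSTED_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FW_OUTBOUND - [0:0]
-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
-I FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

# Constructed "after" dump (placeholder SNAT rule and address, not CloudStack's
# own rule) plus the accept-all egress rule the thread suggested adding by hand.
FIXED_RULES = POSTED_RULES.replace(
    ":OUTPUT ACCEPT [0:0]\nCOMMIT",
    ":OUTPUT ACCEPT [0:0]\n-A POSTROUTING -o eth2 -j SNAT --to-source 203.0.113.10\nCOMMIT",
    1,
).replace("-j FW_OUTBOUND\n", "-j FW_OUTBOUND\n-A FW_OUTBOUND -j ACCEPT\n")
```

`diagnose(POSTED_RULES)` reports both problems (no source NAT, and FW_OUTBOUND only accepting RELATED,ESTABLISHED, which with FORWARD's DROP policy means every new guest flow is dropped); `diagnose(FIXED_RULES)` returns an empty list. The accept-all rule alone would still leave the first finding, which is the point Jayapal makes at the top of the thread: without the firewall provider CloudStack never programs the source NAT rule, so opening the egress chain by hand cannot restore Internet access.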