Date: Sun, 2 Jun 2013 05:01:27 +0800
Subject: Re: allow outbound access by default on virtual routers
From: wq meng
To: users@cloudstack.apache.org
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=20cf307f30a0f5cdd504de1e083a

--20cf307f30a0f5cdd504de1e083a
Content-Type: text/plain; charset=UTF-8

Hello Jayapal,

I added an iptables rule:

iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth2 -j SNAT --to xxx.105.191.147

And it seems to work now. I can ping Google inside the Guest VM.

Just a few questions:

Why does my VR-VM have eth3 and eth4? Where do they come from? In the interface file, there is no configuration for eth3 and eth4 at all.

Sometimes when I reboot the VR-VM, eth4 disappears and only eth3 is left, but as you know, it still does not work, as eth3 is not a NIC at all.

Then maybe the VR-VM has some buggy scripts that run when the VR-VM starts and misconfigure the NICs and also the NAT rules for the VRouter?

As CS 4.1 will be released soon on Monday, I am not sure if it needs more time spent looking deeper.

Thank you very much.

On Sat, Jun 1, 2013 at 6:38 PM, wq meng wrote:

> Hello,
>
> Sorry for the delay,
>
> Here is the NAT table. Please check.
> The xxx.105.191.147 IP is the public IP for the VRouter-VM.
>
> root@r-6-VM:~# iptables -t nat -L -nv
> Chain PREROUTING (policy ACCEPT 258 packets, 13822 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain POSTROUTING (policy ACCEPT 4 packets, 532 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 SNAT       all  --  *      eth3    0.0.0.0/0            0.0.0.0/0            to:xxx.105.191.147
>     0     0 SNAT       all  --  *      eth4    0.0.0.0/0            0.0.0.0/0            to:xxx.105.191.147
>
> Chain OUTPUT (policy ACCEPT 3 packets, 448 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> root@r-6-VM:~#
>
>
> Thanks a lot.
>
>
> On Mon, May 27, 2013 at 1:09 PM, Jayapal Reddy Uradi <jayapalreddy.uradi@citrix.com> wrote:
>
>> From the packet captures on eth2, the vm IP seems to be not NATed.
>> 13:39:41.991966 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 126, length 64
>>
>> Can you also share iptables -t nat -L -nv output.
>>
>> Thanks,
>> Jayapal
>>
>> > -----Original Message-----
>> > From: wq meng [mailto:wqmeng@gmail.com]
>> > Sent: Friday, 24 May 2013 7:13 PM
>> > To: users@cloudstack.apache.org
>> > Subject: Re: allow outbound access by default on virtual routers
>> >
>> > Hello Jayapal
>> >
>> > I ping google.com on the Guest VM,
>> >
>> > Here is the dump data from the router - VM.
>> >
>> > Please review.
>> >
>> > And the 2.*.2 is public IP, which I replace to the real ip.
>> >
>> > Thank you very much.
>> >
>> > root@r-7-VM:~#
>> > root@r-7-VM:~# tcpdump -i eth0 -nq
>> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> > listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
>> > 13:38:52.979198 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 77, length 64
>> > 13:38:53.979203 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 78, length 64
>> > 13:38:54.979205 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 79, length 64
>> > 13:38:55.978182 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 80, length 64
>> > 13:38:56.979188 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 81, length 64
>> > 13:38:57.979299 ARP, Request who-has 10.1.1.1 tell 10.1.1.4, length 28
>> > 13:38:57.979307 ARP, Reply 10.1.1.1 is-at 02:00:00:b1:00:05, length 28
>> > 13:38:57.979315 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 82, length 64
>> > 13:38:58.979250 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 83, length 64
>> > 13:38:59.979297 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 84, length 64
>> > 13:39:00.979313 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 85, length 64
>> > 13:39:01.978311 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 86, length 64
>> > 13:39:02.979282 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 87, length 64
>> > 13:39:03.979323 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 88, length 64
>> > 13:39:04.979315 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 89, length 64
>> > 13:39:05.979364 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 90, length 64
>> > 13:39:06.979420 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 91, length 64
>> > 13:39:07.978421 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 92, length 64
>> > 13:39:08.978432 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 93, length 64
>> > 13:39:09.979447 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 94, length 64
>> > 13:39:10.979437 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 95, length 64
>> > 13:39:11.979474 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 96, length 64
>> > 13:39:12.979473 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 97, length 64
>> > 13:39:13.978525 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 98, length 64
>> > 13:39:14.978535 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 99, length 64
>> > 13:39:15.979562 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 100, length 64
>> > 13:39:16.979575 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 101, length 64
>> > 13:39:17.979602 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 102, length 64
>> > 13:39:18.979584 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 103, length 64
>> > 13:39:19.988541 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 104, length 64
>> > 13:39:20.988615 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 105, length 64
>> > 13:39:21.988598 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 106, length 64
>> > 13:39:22.989582 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 107, length 64
>> > 13:39:23.989666 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 108, length 64
>> > 13:39:24.989695 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 109, length 64
>> > 13:39:25.989725 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 110, length 64
>> > ^C
>> > 36 packets captured
>> > 36 packets received by filter
>> > 0 packets dropped by kernel
>> > root@r-7-VM:~# tcpdump -i eth2 -nq
>> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> > listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
>> > 13:39:38.380208 ARP, Request who-has 2.*.2.22 tell 2.*.2.1, length 42
>> > 13:39:38.982570 STP 802.1d, Config, Flags [none], bridge-id 8000.00:25:90:a4:98:3e.8004, length 35
>> > 13:39:38.987877 ARP, Request who-has 2.*.2.35 tell 2.*.2.1, length 42
>> > 13:39:38.991937 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 123, length 64
>> > 13:39:39.194709 ARP, Request who-has 2.*.2.22 tell 2.*.2.1, length 42
>> > 13:39:39.599296 ARP, Request who-has 2.*.2.35 tell 2.*.2.1, length 42
>> > 13:39:39.904508 ARP, Request who-has 2.*.2.22 tell 2.*.2.1, length 42
>> > 13:39:39.991931 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 124, length 64
>> > 13:39:40.417287 ARP, Request who-has 2.*.2.35 tell 2.*.2.1, length 42
>> > 13:39:40.730305 ARP, Request who-has 2.*.2.22 tell 2.*.2.1, length 42
>> > 13:39:40.982552 STP 802.1d, Config, Flags [none], bridge-id 8000.00:25:90:a4:98:3e.8004, length 35
>> > 13:39:40.991980 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 125, length 64
>> > 13:39:41.337501 ARP, Request who-has 2.*.2.35 tell 2.*.2.1, length 42
>> > 13:39:41.437224 ARP, Request who-has 2.*.2.22 tell 2.*.2.1, length 42
>> > 13:39:41.991966 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 126, length 64
>> > 13:39:42.903756 ARP, Request who-has 2.*.2.248 tell 2.*.2.1, length 42
>> > 13:39:42.982539 STP 802.1d, Config, Flags [none], bridge-id 8000.00:25:90:a4:98:3e.8004, length 35
>> > 13:39:42.992996 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 127, length 64
>> > 13:39:43.682772 ARP, Request who-has 2.*.2.248 tell 2.*.2.1, length 42
>> > 13:39:43.993009 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 128, length 64
>> > 13:39:44.502714 ARP, Request who-has 2.*.2.248 tell 2.*.2.1, length 42
>> > 13:39:44.509679 ARP, Request who-has 2.*.2.228 tell 2.*.2.1, length 42
>> > 13:39:44.585413 ARP, Request who-has 2.*.2.70 tell 2.*.2.1, length 42
>> > 13:39:44.982554 STP 802.1d, Config, Flags [none], bridge-id 8000.00:25:90:a4:98:3e.8004, length 35
>> > 13:39:44.993017 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 129, length 64
>> > 13:39:45.160097 ARP, Request who-has 2.*.2.53 tell 2.*.2.1, length 42
>> > 13:39:45.215168 ARP, Request who-has 2.*.2.70 tell 2.*.2.1, length 42
>> > 13:39:45.318277 ARP, Request who-has 2.*.2.228 tell 2.*.2.1, length 42
>> > 13:39:45.325738 ARP, Request who-has 2.*.2.34 tell 2.*.2.1, length 42
>> > 13:39:45.421375 ARP, Request who-has 2.*.2.248 tell 2.*.2.1, length 42
>> > 13:39:45.826574 ARP, Request who-has 2.*.2.70 tell 2.*.2.1, length 42
>> > 13:39:45.928821 ARP, Request who-has 2.*.2.228 tell 2.*.2.1, length 42
>> > 13:39:45.930246 ARP, Request who-has 2.*.2.53 tell 2.*.2.1, length 42
>> > 13:39:45.993039 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 130, length 64
>> > 13:39:46.030400 ARP, Request who-has 2.*.2.248 tell 2.*.2.1, length 42
>> > 13:39:46.031609 ARP, Request who-has 2.*.2.34 tell 2.*.2.1, length 42
>> > 13:39:46.349636 ARP, Request who-has 2.*.2.3 tell 2.*.2.1, length 42
>> > 13:39:46.439927 ARP, Request who-has 2.*.2.70 tell 2.*.2.1, length 42
>> > 13:39:46.486265 ARP, Request who-has 2.*.2.32 tell 2.*.2.1, length 42
>> > 13:39:46.541822 ARP, Request who-has 2.*.2.228 tell 2.*.2.1, length 42
>> > 13:39:46.850884 ARP, Request who-has 2.*.2.53 tell 2.*.2.1, length 42
>> > 13:39:46.952230 ARP, Request who-has 2.*.2.34 tell 2.*.2.1, length 42
>> > 13:39:46.982553 STP 802.1d, Config, Flags [none], bridge-id 8000.00:25:90:a4:98:3e.8004, length 35
>> > 13:39:46.993050 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 131, length 64
>> > 13:39:47.051629 ARP, Request who-has 2.*.2.70 tell 2.*.2.1, length 42
>> > 13:39:47.154197 ARP, Request who-has 2.*.2.228 tell 2.*.2.1, length 42
>> > 13:39:47.155893 ARP, Request who-has 2.*.2.3 tell 2.*.2.1, length 42
>> > 13:39:47.258228 ARP, Request who-has 2.*.2.32 tell 2.*.2.1, length 42
>> > 13:39:47.459210 ARP, Request who-has 2.*.2.53 tell 2.*.2.1, length 42
>> > 13:39:47.561218 ARP, Request who-has 2.*.2.34 tell 2.*.2.1, length 42
>> > 13:39:47.970622 ARP, Request who-has 2.*.2.32 tell 2.*.2.1, length 42
>> > 13:39:47.971612 ARP, Request who-has 2.*.2.3 tell 2.*.2.1, length 42
>> > 13:39:47.993074 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 132, length 64
>> > 13:39:48.380271 ARP, Request who-has 2.*.2.34 tell 2.*.2.1, length 42
>> > 13:39:48.381173 ARP, Request who-has 2.*.2.53 tell 2.*.2.1, length 42
>> > 13:39:48.581498 ARP, Request who-has 2.*.2.32 tell 2.*.2.1, length 42
>> > 13:39:48.890259 ARP, Request who-has 2.*.2.3 tell 2.*.2.1, length 42
>> > 13:39:48.982519 STP 802.1d, Config, Flags [none], bridge-id 8000.00:25:90:a4:98:3e.8004, length 35
>> > 13:39:48.994081 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 133, length 64
>> > 13:39:49.290934 ARP, Request who-has 2.*.2.42 tell 2.*.2.1, length 42
>> > 13:39:49.302649 ARP, Request who-has 2.*.2.32 tell 2.*.2.1, length 42
>> > 13:39:49.433752 ARP, Request who-has 2.*.2.116 tell 2.*.2.1, length 42
>> > 13:39:49.812965 ARP, Request who-has 2.*.2.3 tell 2.*.2.1, length 42
>> > 13:39:49.994099 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 134, length 64
>> > 13:39:50.014695 ARP, Request who-has 2.*.2.42 tell 2.*.2.1, length 42
>> > 13:39:50.118276 ARP, Request who-has 2.*.2.116 tell 2.*.2.1, length 42
>> > 13:39:50.933507 ARP, Request who-has 2.*.2.116 tell 2.*.2.1, length 42
>> > 13:39:50.934227 ARP, Request who-has 2.*.2.42 tell 2.*.2.1, length 42
>> > 13:39:50.982526 STP 802.1d, Config, Flags [none], bridge-id 8000.00:25:90:a4:98:3e.8004, length 35
>> > 13:39:50.994092 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 135, length 64
>> > 13:39:51.643878 ARP, Request who-has 2.*.2.42 tell 2.*.2.1, length 42
>> > 13:39:51.848044 ARP, Request who-has 2.*.2.116 tell 2.*.2.1, length 42
>> > 13:39:51.994151 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 136, length 64
>> > 13:39:52.452001 ARP, Request who-has 2.*.2.116 tell 2.*.2.1, length 42
>> > 13:39:52.453417 ARP, Request who-has 2.*.2.42 tell 2.*.2.1, length 42
>> > 13:39:52.982496 STP 802.1d, Config, Flags [none], bridge-id 8000.00:25:90:a4:98:3e.8004, length 35
>> > 13:39:52.994150 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 137, length 64
>> > 13:39:53.994171 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 138, length 64
>> > 13:39:54.982573 STP 802.1d, Config, Flags [none], bridge-id 8000.00:25:90:a4:98:3e.8004, length 35
>> > 13:39:54.994188 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 139, length 64
>> > 13:39:55.995186 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 140, length 64
>> > 13:39:56.982561 STP 802.1d, Config, Flags [none], bridge-id 8000.00:25:90:a4:98:3e.8004, length 35
>> > 13:39:56.995215 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 141, length 64
>> > 13:39:57.991661 ARP, Request who-has 2.*.2.1 tell 2.*.2.25, length 28
>> > 13:39:57.992092 ARP, Reply 2.*.2.1 is-at 5c:5e:ab:da:b9:c0, length 42
>> > 13:39:57.995220 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 142, length 64
>> > 13:39:58.982566 STP 802.1d, Config, Flags [none], bridge-id 8000.00:25:90:a4:98:3e.8004, length 35
>> > 13:39:58.995244 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 143, length 64
>> > 13:39:59.995280 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 144, length 64
>> > 13:40:00.417613 ARP, Request who-has 2.*.2.4 tell 2.*.2.1, length 42
>> > 13:40:00.982547 STP 802.1d, Config, Flags [none], bridge-id 8000.00:25:90:a4:98:3e.8004, length 35
>> > 13:40:00.995274 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 145, length 64
>> > 13:40:01.170853 ARP, Request who-has 2.*.2.4 tell 2.*.2.1, length 42
>> > 13:40:01.996303 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 146, length 64
>> > 13:40:02.074725 ARP, Request who-has 2.*.2.4 tell 2.*.2.1, length 42
>> > 13:40:02.359140 ARP, Request who-has 2.*.2.161 tell 2.*.2.1, length 42
>> > 13:40:02.982500 STP 802.1d, Config, Flags [none], bridge-id 8000.00:25:90:a4:98:3e.8004, length 35
>> > 13:40:02.985123 ARP, Request who-has 2.*.2.4 tell 2.*.2.1, length 42
>> > 13:40:02.996303 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 147, length 64
>> > 13:40:03.186378 ARP, Request who-has 2.*.2.161 tell 2.*.2.1, length 42
>> > 13:40:03.417268 ARP, Request who-has 2.*.2.20 tell 2.*.2.1, length 42
>> > 13:40:03.699414 ARP, Request who-has 2.*.2.4 tell 2.*.2.1, length 42
>> > 13:40:03.996329 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 148, length 64
>> > 13:40:03.998677 ARP, Request who-has 2.*.2.161 tell 2.*.2.1, length 42
>> > 13:40:04.301363 ARP, Request who-has 2.*.2.20 tell 2.*.2.1, length 42
>> > 13:40:04.432828 ARP, Request who-has 2.*.2.115 tell 2.*.2.1, length 42
>> > 13:40:04.435467 ARP, Request who-has 2.*.2.23 tell 2.*.2.1, length 42
>> > 13:40:04.820262 ARP, Request who-has 2.*.2.161 tell 2.*.2.1, length 42
>> > 13:40:04.920378 ARP, Request who-has 2.*.2.20 tell 2.*.2.1, length 42
>> > 13:40:04.982690 STP 802.1d, Config, Flags [none], bridge-id 8000.00:25:90:a4:98:3e.8004, length 35
>> > 13:40:04.996336 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 149, length 64
>> > 13:40:05.124674 ARP, Request who-has 2.*.2.23 tell 2.*.2.1, length 42
>> > 13:40:05.124678 ARP, Request who-has 2.*.2.115 tell 2.*.2.1, length 42
>> > 13:40:05.399662 ARP, Request who-has 2.*.2.12 tell 2.*.2.1, length 42
>> > 13:40:05.429940 ARP, Request who-has 2.*.2.161 tell 2.*.2.1, length 42
>> > ^C
>> > 115 packets captured
>> > 115 packets received by filter
>> > 0 packets dropped by kernel
>> > root@r-7-VM:~#
>> >
>> >
>> > On Fri, May 24, 2013 at 12:55 PM, Jayapal Reddy Uradi wrote:
>> > > Iptables rules are looking fine.
>> > > Can you please do the following.
>> > > 1. ping google.com from vm
>> > > 2. run the tcpdump command on the router eth0, eth2 and see the packets are reaching to guest interface
>> > > tcpdump -i eth0 -nq
>> > > tcpdump -i eth2 -nq
>> > >
>> > > If guest vm icmp packets are not reaching to eth0 and eth2 then there is issue in your network setup.
>> > >
>> > > Thanks,
>> > > Jayapal
>> > >
>> > >
>> > >> -----Original Message-----
>> > >> From: wq meng [mailto:wqmeng@gmail.com]
>> > >> Sent: Friday, 24 May 2013 1:27 AM
>> > >> To: users@cloudstack.apache.org
>> > >> Subject: Re: allow outbound access by default on virtual routers
>> > >>
>> > >> Hello,
>> > >>
>> > >> Have you tried this and get this to work?
>> > >>
>> > >> I think I have the same problem just can not get the Guest VM to access outbound by the V-router vm.
>> > >>
>> > >> my guest NIC is eth0, the public NIC is eth2.
>> > >>
>> > >> Here is the default rules in the Router VM. How to apply the rules to get the Guest VM can access outbound?
>> > >>
>> > >> Could you help me to show how? I have tried many times, just no luck of it.
>> > >>
>> > >> Thank you very much.
>> > >>
>> > >>
>> > >> root@r-7-VM:~# cat /etc/iptables/rules
>> > >>
>> > >>
>> > >> # Licensed to the Apache Software Foundation (ASF) under one
>> > >> # or more contributor license agreements. See the NOTICE file
>> > >> # distributed with this work for additional information
>> > >> # regarding copyright ownership. The ASF licenses this file
>> > >> # to you under the Apache License, Version 2.0 (the
>> > >> # "License"); you may not use this file except in compliance
>> > >> # with the License. You may obtain a copy of the License at
>> > >> #
>> > >> # http://www.apache.org/licenses/LICENSE-2.0
>> > >> #
>> > >> # Unless required by applicable law or agreed to in writing,
>> > >> # software distributed under the License is distributed on an
>> > >> # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
>> > >> # KIND, either express or implied. See the License for the
>> > >> # specific language governing permissions and limitations
>> > >> # under the License.
>> > >>
>> > >> *nat
>> > >> :PREROUTING ACCEPT [0:0]
>> > >> :POSTROUTING ACCEPT [0:0]
>> > >> :OUTPUT ACCEPT [0:0]
>> > >> COMMIT
>> > >> *filter
>> > >> :INPUT DROP [0:0]
>> > >> :FORWARD DROP [0:0]
>> > >> :OUTPUT ACCEPT [0:0]
>> > >> -A INPUT -d 224.0.0.18/32 -j ACCEPT
>> > >> -A INPUT -d 225.0.0.50/32 -j ACCEPT
>> > >> -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> > >> -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> > >> -A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> > >> -A INPUT -p icmp -j ACCEPT
>> > >> -A INPUT -i lo -j ACCEPT
>> > >> -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
>> > >> -A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
>> > >> -A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
>> > >> -A INPUT -i eth0 -p tcp -m state --state NEW --dport 8080 -j ACCEPT
>> > >> -A INPUT -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
>> > >> -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> > >> -A FORWARD -i eth0 -o eth2 -j ACCEPT
>> > >> -A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> > >> -A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
>> > >> -A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> > >> COMMIT
>> > >> *mangle
>> > >> :PREROUTING ACCEPT [0:0]
>> > >> :INPUT ACCEPT [0:0]
>> > >> :FORWARD ACCEPT [0:0]
>> > >> :OUTPUT ACCEPT [0:0]
>> > >> :POSTROUTING ACCEPT [0:0]
>> > >> -A PREROUTING -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
>> > >> -A POSTROUTING -p udp --dport bootpc -j CHECKSUM --checksum-fill
>> > >> COMMIT
>> > >>
>> > >>
>> > >> root@r-7-VM:~# ifconfig
>> > >>
>> > >>
>> > >> On Mon, May 20, 2013 at 5:29 PM, Jayapal Reddy Uradi wrote:
>> > >> >
>> > >> > Currently we don't have the configurable option.
>> > >> >
>> > >> > 1. You can add egress rule on network with protocol 'all' to allow all outbound traffic once the network is created.
>> > >> >
>> > >> > 2. If you want to allow traffic by default when ever router is created One work around will be add the below line into the iptables-router file after the this line
>> > >> > -I FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
>> > >> >
>> > >> > -A FW_OUTBOUND -j ACCEPT
>> > >> >
>> > >> >
>> > >> > Thanks,
>> > >> > Jayapal
>> > >> >
>> > >> >
>> > >> > On 20-May-2013, at 2:18 PM, Len Bellemore wrote:
>> > >> >
>> > >> >> Hi Guys
>> > >> >>
>> > >> >> Anyone know if it's possible to change some of the default options on a virtual router, so that every time it gets created it has particular rules?
>> > >> >>
>> > >> >> My main issue is that I want to allow outbound access by default to every account.
>> > >> >>
>> > >> >> Thanks
>> > >> >> Len
>> > >> >>
>> > >> >

--20cf307f30a0f5cdd504de1e083a--
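
A check for the two symptoms seen in this thread (SNAT rules bound to eth3/eth4 while the public NIC is eth2, and 10.1.1.4 leaving eth2 untranslated), as an added example that is not part of the original messages. The function names are hypothetical, and the sample input is constructed from the output quoted above in the real single-line layout of `iptables -t nat -L -nv` and `tcpdump -nq`.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Sample input is constructed from the output quoted in the thread, with
# the public IP masked the same way.

# Outbound interfaces that have an SNAT or MASQUERADE rule in the nat
# POSTROUTING chain. Reads `iptables -t nat -L -nv` output on stdin.
# Columns: pkts bytes target prot opt in out source destination ...
snat_out_ifaces() {
    awk '
        /^Chain /  { in_post = ($2 == "POSTROUTING"); next }
        in_post && ($3 == "SNAT" || $3 == "MASQUERADE") { print $7 }
    ' | sort -u
}

# Succeeds if traffic leaving interface $1 is covered by such a rule.
# An out-interface of "*" applies to every interface.
snat_covers() {
    snat_out_ifaces | grep -qxF -e "$1" -e '*'
}

# Number of IPv4 packets with an RFC 1918 source address in `tcpdump -nq`
# output on stdin. On the public interface this should be 0.
count_private_sources() {
    awk '
        $2 == "IP" && ($3 ~ /^10\./ || $3 ~ /^192\.168\./ ||
                       $3 ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) { n++ }
        END { print n + 0 }
    '
}

# Constructed sample: the NAT table from the thread.
sample_nat_table() {
cat <<'EOF'
Chain PREROUTING (policy ACCEPT 258 packets, 13822 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 4 packets, 532 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      eth3    0.0.0.0/0            0.0.0.0/0            to:xxx.105.191.147
    0     0 SNAT       all  --  *      eth4    0.0.0.0/0            0.0.0.0/0            to:xxx.105.191.147

Chain OUTPUT (policy ACCEPT 3 packets, 448 bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF
}

# Constructed sample: four lines from the eth2 capture in the thread.
sample_capture() {
cat <<'EOF'
13:39:38.380208 ARP, Request who-has 2.*.2.22 tell 2.*.2.1, length 42
13:39:38.982570 STP 802.1d, Config, Flags [none], bridge-id 8000.00:25:90:a4:98:3e.8004, length 35
13:39:38.991937 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 123, length 64
13:39:39.991931 IP 10.1.1.4 > 74.125.224.228: ICMP echo request, id 56879, seq 124, length 64
EOF
}

# Run both checks for the public NIC named in the thread.
pub_if=eth2
if sample_nat_table | snat_covers "$pub_if"; then
    echo "$pub_if: SNAT rule present"
else
    echo "$pub_if: no SNAT rule (rules exist only for:" \
         "$(sample_nat_table | snat_out_ifaces | tr '\n' ' '))"
fi
echo "$pub_if: $(sample_capture | count_private_sources) packet(s) left with a private source"
```

On a live router, pipe `iptables -t nat -L -nv` and a saved `tcpdump -i eth2 -nq` capture into the same functions instead of the sample data.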