cloudstack-users mailing list archives

From Sanjeev N <sanj...@apache.org>
Subject Re: Guest VMs cannot access Internet
Date Mon, 08 Feb 2016 05:14:40 GMT
Can you check the iptables rules on the VR? By default all the egress traffic is
blocked. When you allow the egress traffic, make sure that these newly
added rules are being placed on top of the default deny rules in the
egress_outbound chain inside the VR.

-Sanjeev

On Sun, Feb 7, 2016 at 5:25 AM, Sean Lair <slair@ippathways.com> wrote:

> Here is the output:
>
> -----------------------------------------
> [root@dc01cloudkvm01 ~]# systemctl status firewalld
> ● firewalld.service
>    Loaded: not-found (Reason: No such file or directory)
>    Active: inactive (dead)
>
> ---------------------------------------------
>
> [root@dc01cloudkvm01 ~]# iptables-save
> # Generated by iptables-save v1.4.21 on Sat Feb  6 23:46:44 2016
> *mangle
> :PREROUTING ACCEPT [1306448:4376908074]
> :INPUT ACCEPT [1185701:4364833786]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1294026:2863147676]
> :POSTROUTING ACCEPT [1294026:2863147676]
> -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> COMMIT
> # Completed on Sat Feb  6 23:46:44 2016
> # Generated by iptables-save v1.4.21 on Sat Feb  6 23:46:44 2016
> *nat
> :PREROUTING ACCEPT [120793:12078892]
> :INPUT ACCEPT [46:4604]
> :OUTPUT ACCEPT [1446:103514]
> :POSTROUTING ACCEPT [1446:103514]
> -A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
> -A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
> -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
> -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
> -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
> COMMIT
> # Completed on Sat Feb  6 23:46:44 2016
> # Generated by iptables-save v1.4.21 on Sat Feb  6 23:46:44 2016
> *filter
> :INPUT ACCEPT [1185701:4364833786]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1294026:2863147676]
> -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
> -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
> -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
> -A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
> -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
> -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
> -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
> -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
> COMMIT
> # Completed on Sat Feb  6 23:46:44 2016
> -----------------------
>
> -----Original Message-----
> From: Nux! [mailto:nux@li.nux.ro]
> Sent: Saturday, February 6, 2016 5:38 PM
> To: users@cloudstack.apache.org
> Subject: Re: Guest VMs cannot access Internet
>
> That's not how you check it, CentOS 7 now comes with firewalld and the
> iptables-services are not installed by default.
> "iptables-save" will output the current state of the firewall
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro
>
> ----- Original Message -----
> > From: "Sean Lair" <slair@ippathways.com>
> > To: users@cloudstack.apache.org
> > Sent: Saturday, 6 February, 2016 22:56:23
> > Subject: RE: Guest VMs cannot access Internet
>
> > Thanks for the response!  The iptables service is currently stopped:
> >
> > # systemctl stop iptables
> > Failed to stop iptables.service: Unit iptables.service not loaded.
> >
> > -----Original Message-----
> > From: Nux! [mailto:nux@li.nux.ro]
> > Sent: Saturday, February 6, 2016 4:13 PM
> > To: users@cloudstack.apache.org
> > Subject: Re: Guest VMs cannot access Internet
> >
> > Hi Sean,
> >
> > Have you double checked iptables rules are correct (or disabled) on
> > the underlying KVM hypervisor?
> >
> > Lucian
> >
> > --
> > Sent from the Delta quadrant using Borg technology!
> >
> > Nux!
> > www.nux.ro
> >
> > ----- Original Message -----
> >> From: "Sean Lair" <slair@ippathways.com>
> >> To: users@cloudstack.apache.org
> >> Sent: Saturday, 6 February, 2016 21:47:19
> >> Subject: Guest VMs cannot access Internet
> >
> >> Hi all,
> >>
> >> I'm having an issue I'm hoping you can assist with.  Brand new
> >> Cloudstack 4.8 deployment running on CentOS7 and KVM hypervisors.
> >> Using advanced networking with VLAN isolation.
> >>
> >> Deploying new VMs using the default CentOS5.5 instance works great.
> >> The virtual router is deployed as expected to perform source NAT.  If
> >> I log into the virtual router, it can ping the Internet and the guest
> >> VMs.  The guest VMs can ping each other as they are on the same
> >> subnet.  The virtual router has an Internet public IP it is using for
> >> Source NAT.
> >>
> >> The guest VMs however cannot access the Internet.  Under the public
> >> IP address [Source NAT] -> Firewall, I'm allowing 0.0.0.0/0 ICMP with
> >> "-1" for ICMP Type and code.  For the Egress rules for the guest
> >> network, I have 0.0.0.0/0 All protocols and All ports.  I can ping
> >> the outside of the virtual router (public
> >> IP) from the Internet.
> >>
> >> From my troubleshooting above I'm guessing it is something to do with
> >> the virtual router, but am not sure how to troubleshoot next.
> >>
> >> Thanks in advance for any assistance.
> >>
> >> Thanks
> >> Sean
>
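
The rule-order check suggested at the top of this message, as an added example that is not part of the original thread: iptables walks a chain top to bottom and stops at the first terminating match, so an allow rule that sits below a catch-all DROP is never reached. The chain name egress_outbound is the one given in the message; the sample rules and the function names are constructed for illustration.

```shell
#!/bin/sh
# shadowed_accepts CHAIN
# Reads rules in `iptables -S` / `iptables-save` format on stdin and prints
# every ACCEPT rule in CHAIN that appears after a catch-all DROP/REJECT,
# i.e. an allow rule that can never match.
shadowed_accepts() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            pos++                       # 1-based position inside the chain
            target = ""
            for (i = 3; i < NF; i++) if ($i == "-j") target = $(i + 1)
            # "-A CHAIN -j TARGET" has no match criteria: it hits every packet.
            catch_all = ($3 == "-j")
            if ((target == "DROP" || target == "REJECT") && catch_all && !deny)
                deny = pos
            else if (target == "ACCEPT" && deny)
                printf "%d (after deny at %d): %s\n", pos, deny, $0
        }'
}

# Constructed sample: the allow rule was appended below the default deny.
sample_bad() {
cat <<'EOF'
-N egress_outbound
-A egress_outbound -m state --state RELATED,ESTABLISHED -j ACCEPT
-A egress_outbound -j DROP
-A egress_outbound -s 10.1.1.0/24 -j ACCEPT
EOF
}

# Constructed sample: the allow rule sits above the default deny.
sample_good() {
cat <<'EOF'
-N egress_outbound
-A egress_outbound -m state --state RELATED,ESTABLISHED -j ACCEPT
-A egress_outbound -s 10.1.1.0/24 -j ACCEPT
-A egress_outbound -j DROP
EOF
}

# Demo on the constructed input. On a live router the input would come from:
#   iptables -S egress_outbound | shadowed_accepts egress_outbound
sample_bad | shadowed_accepts egress_outbound
```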
