Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2021/03/24 08:04:40 UTC

[GitHub] [cloudstack] weizhouapache edited a comment on pull request #4847: Restricting http access on VR to internal network

weizhouapache edited a comment on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-805591607


   > > > -A INPUT -s 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
   > > > -A INPUT -s 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
   > > > -A INPUT -d 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
   > > > -A INPUT -d 192.168.10.11/32 -i eth0 -p udp -m udp --dport 53 -j ACCEPT
   > > 
   > > 
   > > @Spaceman1984 are you testing with shared network, isolated network or vpc?
   > > This looks like a critical issue with shared network.
   > > For vpc and isolated network, it is not.
   > 
   > @weizhouapache I'm testing with a shared network.
   
   @Spaceman1984 ok. I see
   
   
   1. The line you changed for port 80 can be removed as well.
   
   ```
   -A INPUT -s 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
   ```
   is not needed,
   
   because there is a rule below:
   ```
   -A INPUT -s 192.168.10.0/24 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
   ```
   
   2. The line you changed for port 443 is not ok.
   ```
   -A INPUT -s 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
   ```
   
   It should be
   ```
   -A INPUT -s 192.168.10.0/24 -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
   ```
   You can add rules in CsAddress.py, not CsApp.py.
   
   3. Line 40 in systemvm/debian/etc/iptables/iptables-dhcpsrvr can be removed, as it is not used. It is not an issue to keep it.
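The two points above (a `/32` source rule made redundant by the `/24` rule for the same port, and port 443 still being limited to the VR's own address instead of the guest subnet) can be checked mechanically against `iptables-save` output. The script below is an added example written for this discussion, not code from the pull request or from CloudStack; the rule set it parses is constructed from the rules quoted in the thread, with `192.168.10.11` taken as the VR's address on the shared network and `192.168.10.0/24` as the guest subnet.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample in iptables-save syntax, modelled on the rules quoted in the PR thread.
SAMPLE_RULES = """
-A INPUT -s 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.10.0/24 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -d 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
"""

# Only INPUT ACCEPT rules that match on a source address and a TCP destination port.
RULE_RE = re.compile(r"-A INPUT .*?-s (?P<src>\S+) .*?-p tcp .*?--dport (?P<port>\d+) .*?-j ACCEPT")


def parse_accept_rules(text: str) -> Dict[int, List[ipaddress.IPv4Network]]:
    """Map each accepted TCP destination port to the source networks allowed to reach it."""
    allowed: Dict[int, List[ipaddress.IPv4Network]] = {}
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue  # -d rules (traffic to the VR itself) and non-TCP rules are out of scope here
        allowed.setdefault(int(m.group("port")), []).append(ipaddress.ip_network(m.group("src")))
    return allowed


def redundant_sources(allowed: Dict[int, List[ipaddress.IPv4Network]], port: int) -> List[str]:
    """Sources already covered by a broader source rule for the same port (point 1 above)."""
    nets = allowed.get(port, [])
    return [str(n) for n in nets if any(n != o and n.subnet_of(o) for o in nets)]


def port_open_to(allowed: Dict[int, List[ipaddress.IPv4Network]], port: int, network: str) -> bool:
    """True if every host in `network` (the guest subnet) may open a new connection to `port`."""
    wanted = ipaddress.ip_network(network)
    return any(wanted.subnet_of(n) for n in allowed.get(port, []))


if __name__ == "__main__":
    rules = parse_accept_rules(SAMPLE_RULES)
    print("redundant for port 80:", redundant_sources(rules, 80))
    print("port 443 reachable from guest subnet:", port_open_to(rules, 443, "192.168.10.0/24"))
```

Run against the real `iptables-save` output of a VR by piping it into `parse_accept_rules` instead of the constructed sample.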
   

