Posted to issues@cloudstack.apache.org by "Wei Zhou (JIRA)" <ji...@apache.org> on 2017/01/23 07:25:26 UTC

[jira] [Commented] (CLOUDSTACK-9754) Egress rules missing in shared network

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-9754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15834004#comment-15834004 ] 

Wei Zhou commented on CLOUDSTACK-9754:
--------------------------------------

If a shared network is created in an advanced zone, ingress/egress/security groups are all missing.
If in an advanced zone with security groups, you have to create security group rules.




> Egress rules missing in shared network
> --------------------------------------
>
>                 Key: CLOUDSTACK-9754
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9754
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Virtual Router
>    Affects Versions: 4.9.0.1
>            Reporter: DeepthiMachiraju
>             Fix For: 4.10.0.0
>
>
> - Navigate to network and create a shared network.
> - Deploy a guest VM with the above network.
> - Try to SSH to the VM, which is successful.
> - Post login to the guest VM, try reaching the outside traffic.
> Observations:
> - User cannot reach the outside traffic as egress rules are missing:
> ======================================================================================
> Chain FW_EGRESS_RULES (0 references)
>  pkts bytes target     prot opt in     out     source               destination
> Chain FW_OUTBOUND (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
> =======================================================================================
> Complete rules below:
> root@r-223-VM:~# iptables -L -n -v
> Chain INPUT (policy DROP 190 packets, 10327 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            10.147.52.201        tcp dpt:443 state NEW
>     0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            10.147.52.201        tcp dpt:80 state NEW
>     0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            10.147.52.201        tcp dpt:53
>     7   468 ACCEPT     udp  --  eth0   *       0.0.0.0/0            10.147.52.201        udp dpt:53
>     4  1312 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
>   675 67079 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>   344 46076 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3922 state NEW,ESTABLISHED
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            224.0.0.18
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            225.0.0.50
>   114  8452 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>     9   756 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
>    18  1468 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
>     0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
>     0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
>     0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW
>     0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 state NEW
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state NEW
>     0     0 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>     0     0 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
> Chain OUTPUT (policy ACCEPT 478 packets, 63694 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   478 63694 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
> Chain FW_EGRESS_RULES (0 references)
>  pkts bytes target     prot opt in     out     source               destination
> Chain FW_OUTBOUND (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
> Chain NETWORK_STATS (3 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0            all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
>     0     0            all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0
>     0     0            tcp  --  !eth0  eth2    0.0.0.0/0            0.0.0.0/0
>     0     0            tcp  --  eth2   !eth0   0.0.0.0/0            0.0.0.0/0
> ===============================================================================================================



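Added example (not part of the original JIRA thread and not CloudStack code): a Python check that parses an `iptables -L -n -v` listing like the one quoted above and flags the two conditions visible in it, a chain with 0 references and a jump from a DROP-policy chain into a chain that accepts only RELATED,ESTABLISHED traffic. The function names and the wording of the findings are assumptions of this example.

```python
import re

# Trimmed from the `iptables -L -n -v` listing quoted in the report above.
LISTING = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
Chain FW_EGRESS_RULES (0 references)
 pkts bytes target     prot opt in     out     source               destination
Chain FW_OUTBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
Chain NETWORK_STATS (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
"""
HEADER = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references)")

def parse(listing):
    """Map chain name -> policy, reference count and rules."""
    chains, cur = {}, None
    for line in listing.splitlines():
        m, f = HEADER.match(line), line.split()
        if m:
            refs = None if m.group(3) is None else int(m.group(3))
            cur = chains[m.group(1)] = {"policy": m.group(2), "refs": refs, "rules": []}
        elif cur is not None and len(f) >= 8 and f[0] != "pkts":
            if f[3] == "--":   # counter-only rule: the target column is empty
                f.insert(2, "")
            cur["rules"].append({"target": f[2], "in": f[5], "out": f[6],
                                 "match": " ".join(f[9:])})
    return chains

def accepts_new(rules):
    """True if an ACCEPT rule can match the first packet of a connection."""
    states = [re.search(r"state (\S+)", r["match"]) for r in rules if r["target"] == "ACCEPT"]
    return any(m is None or "NEW" in m.group(1).split(",") for m in states)

def findings(chains):
    """Heuristic: later rules in the parent chain are not simulated."""
    out = [f"{n}: no references" for n, c in chains.items() if c["refs"] == 0]
    for parent, c in chains.items():
        for r in c["rules"] if c["policy"] == "DROP" else []:
            child = chains.get(r["target"], {"rules": []})["rules"]
            if any(x["target"] == "ACCEPT" for x in child) and not accepts_new(child):
                out.append(f"{parent} {r['in']}->{r['out']} via {r['target']}: "
                           "established only, new connections reach policy DROP")
    return out
```

Calling `findings(parse(LISTING))` returns one finding for the unreferenced FW_EGRESS_RULES chain and one for the FORWARD eth0->eth2 jump into FW_OUTBOUND; the counter-only NETWORK_STATS rules are parsed but not flagged.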