Posted to issues@cloudstack.apache.org by "Wei Zhou (JIRA)" <ji...@apache.org> on 2017/01/23 07:25:26 UTC
[jira] [Commented] (CLOUDSTACK-9754) Egress rules missing in shared network
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15834004#comment-15834004 ]
Wei Zhou commented on CLOUDSTACK-9754:
--------------------------------------
If a shared network is created in an advanced zone, ingress/egress/security group are all missing.
If in an advanced zone with security groups, you have to create security group rules.
> Egress rules missing in shared network
> --------------------------------------
>
> Key: CLOUDSTACK-9754
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9754
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the default.)
> Components: Virtual Router
> Affects Versions: 4.9.0.1
> Reporter: DeepthiMachiraju
> Fix For: 4.10.0.0
>
>
> - Navigate to network and create a shared network.
> - Deploy a guest VM with the above network.
> - Try to ssh to the VM, which is successful.
> - Post login to the guest VM, try reaching the outside traffic.
> Observations:
> - User cannot reach the outside traffic as Egress rules are missing:
> ======================================================================================
> Chain FW_EGRESS_RULES (0 references)
> pkts bytes target prot opt in out source destination
> Chain FW_OUTBOUND (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> =======================================================================================
> Complete rules below:
> root@r-223-VM:~# iptables -L -n -v
> Chain INPUT (policy DROP 190 packets, 10327 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 10.147.52.201 tcp dpt:443 state NEW
> 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 10.147.52.201 tcp dpt:80 state NEW
> 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 10.147.52.201 tcp dpt:53
> 7 468 ACCEPT udp -- eth0 * 0.0.0.0/0 10.147.52.201 udp dpt:53
> 4 1312 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
> 675 67079 NETWORK_STATS all -- * * 0.0.0.0/0 0.0.0.0/0
> 344 46076 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3922 state NEW,ESTABLISHED
> 0 0 ACCEPT all -- * * 0.0.0.0/0 224.0.0.18
> 0 0 ACCEPT all -- * * 0.0.0.0/0 225.0.0.50
> 114 8452 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 9 756 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
> 18 1468 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
> 0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
> 0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
> 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
> 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW
> 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 state NEW
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 NETWORK_STATS all -- * * 0.0.0.0/0 0.0.0.0/0
> 0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 0 0 ACCEPT all -- eth0 eth0 0.0.0.0/0 0.0.0.0/0 state NEW
> 0 0 ACCEPT all -- eth2 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 0 0 ACCEPT all -- eth0 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 0 0 FW_OUTBOUND all -- eth0 eth2 0.0.0.0/0 0.0.0.0/0
> Chain OUTPUT (policy ACCEPT 478 packets, 63694 bytes)
> pkts bytes target prot opt in out source destination
> 478 63694 NETWORK_STATS all -- * * 0.0.0.0/0 0.0.0.0/0
> Chain FW_EGRESS_RULES (0 references)
> pkts bytes target prot opt in out source destination
> Chain FW_OUTBOUND (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> Chain NETWORK_STATS (3 references)
> pkts bytes target prot opt in out source destination
> 0 0 all -- eth0 eth2 0.0.0.0/0 0.0.0.0/0
> 0 0 all -- eth2 eth0 0.0.0.0/0 0.0.0.0/0
> 0 0 tcp -- !eth0 eth2 0.0.0.0/0 0.0.0.0/0
> 0 0 tcp -- eth2 !eth0 0.0.0.0/0 0.0.0.0/0
> ===============================================================================================================
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
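
The listing quoted in the report shows FW_EGRESS_RULES with 0 references and FW_OUTBOUND accepting only RELATED,ESTABLISHED traffic under a FORWARD policy of DROP. As an added example (not part of the original message or of CloudStack's code), this Python script parses `iptables -L -n -v` output and flags that condition; the function names are hypothetical and the sample is abridged from the listing above.

```python
import re

# Abridged from the `iptables -L -n -v` listing quoted in the report above.
SAMPLE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 FW_OUTBOUND all -- eth0 eth2 0.0.0.0/0 0.0.0.0/0
Chain FW_EGRESS_RULES (0 references)
 pkts bytes target prot opt in out source destination
Chain FW_OUTBOUND (1 references)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
"""

HEADER = re.compile(r"^Chain (\S+) \((?:policy (\w+)|(\d+) references)")
RULE = re.compile(r"^\d+[KMG]?\s+\d+[KMG]?\s")

def parse_chains(listing):
    """Map chain name -> {"policy", "refs", "rules"} from `iptables -L -n -v` text."""
    chains, current = {}, None
    for raw in listing.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail-quoted listings
        m = HEADER.match(line)
        if m:
            refs = int(m.group(3)) if m.group(3) else None
            current = chains[m.group(1)] = {"policy": m.group(2), "refs": refs, "rules": []}
        elif current is not None and RULE.match(line):
            f = line.split()
            if len(f) > 3 and f[3] == "--":  # assumption: opt column is "--", so target is blank
                f.insert(2, "")
            # columns: pkts bytes target prot opt in out source destination [match...]
            current["rules"].append({"target": f[2], "match": " ".join(f[9:])})
    return chains

def handles_new(rule):
    """True if the rule has a target and its state match (if any) includes NEW."""
    return bool(rule["target"]) and ("state" not in rule["match"] or "NEW" in rule["match"])

def egress_findings(listing, outbound="FW_OUTBOUND", egress="FW_EGRESS_RULES"):
    """Return findings for the two chains named in the report (defaults taken from it)."""
    chains, findings = parse_chains(listing), []
    eg = chains.get(egress)
    if eg is None or eg["refs"] == 0:
        findings.append(f"{egress}: unreferenced, its rules are never evaluated")
    elif not eg["rules"]:
        findings.append(f"{egress}: referenced but empty")
    if not any(handles_new(r) for r in chains.get(outbound, {"rules": []})["rules"]):
        findings.append(f"{outbound}: no rule handles NEW connections")
    return findings

if __name__ == "__main__":
    print("\n".join(egress_findings(SAMPLE)) or "egress chains look wired up")
```

On the router, the same check can be fed the live listing, for example by piping `iptables -L -n -v` into a small wrapper that calls `egress_findings(sys.stdin.read())`.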