Posted to users@cloudstack.apache.org by "Kumar, Varun" <va...@virtela.net> on 2018/03/06 11:56:27 UTC

Iptables on Virtual router

Hello,

Is it possible to write custom iptables rules on the Virtual router that's created by CloudStack and make them persistent across restarts?

It looks like /etc/iptables/router_rules.v4 on the VR is the file that's being created, but I am looking for the script that creates this file.

Any insight is appreciated.

Thanks,
Varun


Re: Iptables on Virtual router

Posted by Marc-Aurèle Brothier <ma...@exoscale.ch>.
Hi Varun,

The files for the firewall are all coming from the system VM image; you
can find them here depending on the type of the system:
https://github.com/apache/cloudstack/tree/master/systemvm/debian/etc/iptables.
After the system VM has booted and SSH is available, the agent daemon
sends a command through SSH to set up the system VM with its corresponding
type (consoleproxy, dhcpsrv, secstorage...), which configures it differently
for each use case. To overcome this, your best bet is to build a custom
system VM on which you add an extra systemd script to set up the rules you
need.

On Wed, Mar 7, 2018 at 10:05 AM, Dag Sonstebo <Da...@shapeblue.com>
wrote:

> Hi Varun,
>
> Not sure if I follow your use case – the VR is built to provide services
> to VMs on the internal isolated network / VPC tier, the public interface is
> there for port forwarding / NATing to services hosted on the VMs.
> Hosting DHCP on the VR for clients on the public interface isn’t a
> supported use case – anything on the public interface is by definition
> considered untrusted.
>
> I may have misunderstood you though?
>
> Regards,
> Dag Sonstebo
> Cloud Architect
> ShapeBlue
>
> On 07/03/2018, 03:21, "Kumar, Varun" <va...@virtela.net> wrote:
>
>     Thanks Dag.
>
>     I am running into a scenario where a VR is required for dhcp service
> on the public Internet facing vlan and want to restrict connections to
> known trusted sources only.
>
>     Has anyone in the community run into such a situation before and found
> a workaround ?
>
>     Thanks,
>     Varun
>
>
>     -----Original Message-----
>     From: Dag Sonstebo [mailto:Dag.Sonstebo@shapeblue.com]
>     Sent: Tuesday, March 06, 2018 05:41 PM
>     To: users@cloudstack.apache.org
>     Subject: Re: Iptables on Virtual router
>
>     EXTERNAL EMAIL
>
>     Hi Varun,
>
>     No there’s no method for this, all firewall rules for the VR are
> contained in the CloudStack database and written on demand when the VR is
> created or firewall changes made.
>
>     Regards,
>     Dag Sonstebo
>     Cloud Architect
>     ShapeBlue
>
>     On 06/03/2018, 11:56, "Kumar, Varun" <va...@virtela.net> wrote:
>
>         Hello,
>
>         Is it possible to write custom iptables rules on the Virtual router
> that's created by CloudStack and make them persistent across restarts?
>
>         It looks like /etc/iptables/router_rules.v4 on the VR is the file
> that's being created, but I am looking for the script that creates this
> file.
>
>         Any insight is appreciated.
>
>         Thanks,
>         Varun
>
>
>
>
>     Dag.Sonstebo@shapeblue.com
>     www.shapeblue.com
>     53 Chandos Place, Covent Garden, London  WC2N 4HS, UK
>     @shapeblue
>
>
>
>
>
>
>
>
>
>
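Marc-Aurèle's suggestion above (a custom system VM image carrying an extra systemd unit) carried through as an added example; this is not code from CloudStack or from anyone on this thread. It assumes the public interface is eth2, a chain name CUSTOM_DHCP, a rules file /etc/iptables/custom_dhcp.v4 and a unit named custom-dhcp-firewall.service, all chosen for illustration, and the trusted CIDR and MAC are constructed sample values. The rule file is loaded with iptables-restore --noflush so that the rules CloudStack itself writes into the filter table (the router_rules.v4 set mentioned above) stay in place, and the script refuses to install a rule set that would accept nobody:

```shell
#!/bin/sh
# Added example, not CloudStack project code and not from anyone on this thread.
# Generates an iptables-restore fragment that limits DHCP (UDP/67) arriving on
# the public interface of a custom system VM to trusted sources, plus a
# systemd unit that loads it at boot. Interface, chain name, file paths and
# the sample CIDR/MAC values are assumptions chosen for illustration.

RULES_FILE="${RULES_FILE:-/etc/iptables/custom_dhcp.v4}"    # assumed path
UNIT_FILE="/etc/systemd/system/custom-dhcp-firewall.service" # assumed path
CHAIN="CUSTOM_DHCP"                                          # assumed chain

# gen_dhcp_rules IFACE "CIDR CIDR ..." "MAC MAC ..."
# Relay agents forward requests with their own IP as source, so a CIDR test
# works for them. A directly attached client sends DISCOVER/REQUEST from
# 0.0.0.0, so for those only a MAC match can narrow the source.
gen_dhcp_rules() {
    iface="$1"; cidrs="$2"; macs="$3"
    printf '%s\n' '*filter'
    printf '%s\n' ":$CHAIN - [0:0]"
    # Divert DHCP server-port packets from the public side into our chain
    # ahead of whatever CloudStack already put in INPUT.
    printf '%s\n' "-I INPUT 1 -i $iface -p udp --dport 67 -j $CHAIN"
    for c in $cidrs; do
        printf '%s\n' "-A $CHAIN -s $c -p udp --dport 67 -j ACCEPT"
    done
    for m in $macs; do
        printf '%s\n' "-A $CHAIN -p udp --dport 67 -m mac --mac-source $m -j ACCEPT"
    done
    # Everything else is logged (rate limited) and dropped.
    printf '%s\n' "-A $CHAIN -m limit --limit 5/min -j LOG --log-prefix \"dhcp-untrusted: \""
    printf '%s\n' "-A $CHAIN -j DROP"
    printf '%s\n' 'COMMIT'
}

# Unit that loads the fragment with --noflush so the rules CloudStack wrote
# into the filter table are left alone.
gen_unit() {
    cat <<EOF
[Unit]
Description=Custom DHCP source restrictions on the public interface
After=network-pre.target
Wants=network-pre.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/sbin/iptables-restore --noflush $RULES_FILE

[Install]
WantedBy=multi-user.target
EOF
}

# Number of ACCEPT rules in a fragment; used to refuse an empty trust list,
# which would silently turn the chain into "drop all DHCP".
count_accepts() {
    printf '%s\n' "$1" | grep -c -- '-j ACCEPT'
}

# Stand-alone use while building the image:
#   sh custom_dhcp.sh eth2 "203.0.113.5/32" "02:00:00:aa:bb:cc"           # preview
#   DRY_RUN=0 sh custom_dhcp.sh eth2 "203.0.113.5/32" "02:00:00:aa:bb:cc" # install
if [ -n "${1:-}" ]; then
    rules=$(gen_dhcp_rules "$1" "${2:-}" "${3:-}")
    if [ "$(count_accepts "$rules")" -eq 0 ]; then
        echo "refusing to install: no trusted sources given" >&2
        exit 1
    fi
    if [ "${DRY_RUN:-1}" = "0" ]; then
        printf '%s\n' "$rules" > "$RULES_FILE"
        gen_unit > "$UNIT_FILE"
        systemctl enable custom-dhcp-firewall.service
    else
        printf '%s\n' "$rules"
        gen_unit
    fi
fi
```

Three things to check before baking this into an image. A DHCP client that has no address yet sends from 0.0.0.0, so the CIDR rules only help for traffic that arrives through a DHCP relay (which uses its own address as source); directly attached clients can only be narrowed by MAC, and a MAC match is trivially spoofed, so treat it as reducing exposure rather than as authentication. The unit is a one-shot at boot; running the fragment a second time on a live router appends a second copy of every rule, so flush the chain and remove the INPUT jump before re-applying. And this thread does not settle whether the CloudStack scripts that rewrite the VR firewall on a rule change leave a foreign chain alone, so verify on a test router: take `iptables-save` output before and after changing a firewall rule through CloudStack and diff the two.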

Re: Iptables on Virtual router

Posted by Dag Sonstebo <Da...@shapeblue.com>.
Hi Varun,

Not sure if I follow your use case – the VR is built to provide services to VMs on the internal isolated network / VPC tier, the public interface is there for port forwarding / NATing to services hosted on the VMs.
Hosting DHCP on the VR for clients on the public interface isn’t a supported use case – anything on the public interface is by definition considered untrusted.

I may have misunderstood you though?

Regards,
Dag Sonstebo
Cloud Architect
ShapeBlue

On 07/03/2018, 03:21, "Kumar, Varun" <va...@virtela.net> wrote:

    Thanks Dag. 
    
    I am running into a scenario where a VR is required for dhcp service on the public Internet facing vlan and want to restrict connections to known trusted sources only.
    
    Has anyone in the community run into such a situation before and found a workaround ? 
    
    Thanks,
    Varun
    
    
    -----Original Message-----
    From: Dag Sonstebo [mailto:Dag.Sonstebo@shapeblue.com] 
    Sent: Tuesday, March 06, 2018 05:41 PM
    To: users@cloudstack.apache.org
    Subject: Re: Iptables on Virtual router
    
    EXTERNAL EMAIL
    
    Hi Varun,
    
    No there’s no method for this, all firewall rules for the VR are contained in the CloudStack database and written on demand when the VR is created or firewall changes made. 
    
    Regards,
    Dag Sonstebo
    Cloud Architect
    ShapeBlue
    
    On 06/03/2018, 11:56, "Kumar, Varun" <va...@virtela.net> wrote:
    
        Hello,
        
        Is it possible to write custom iptables rules on the Virtual router that's created by CloudStack and make them persistent across restarts?
        
        It looks like /etc/iptables/router_rules.v4 on the VR is the file that's being created, but I am looking for the script that creates this file.
        
        Any insight is appreciated.
        
        Thanks,
        Varun
        
        
    
    
    
    




Re: Iptables on Virtual router

Posted by Makrand <ma...@gmail.com>.
Varun,

If you're talking about allowing access to VMs behind the VR from specific
Internet sources, that is as simple as adding the source in the firewall (by
clicking on the public IP of the network or VM) at the CloudStack level, where you
define the TCP/UDP protocol and port number, etc. I know this is very simple,
but just thought I would mention it anyway.



--
Makrand


On Wed, Mar 7, 2018 at 8:51 AM, Kumar, Varun <va...@virtela.net> wrote:

> Thanks Dag.
>
> I am running into a scenario where a VR is required for dhcp service on
> the public Internet facing vlan and want to restrict connections to known
> trusted sources only.
>
> Has anyone in the community run into such a situation before and found a
> workaround ?
>
> Thanks,
> Varun
>
>
> -----Original Message-----
> From: Dag Sonstebo [mailto:Dag.Sonstebo@shapeblue.com]
> Sent: Tuesday, March 06, 2018 05:41 PM
> To: users@cloudstack.apache.org
> Subject: Re: Iptables on Virtual router
>
> EXTERNAL EMAIL
>
> Hi Varun,
>
> No there’s no method for this, all firewall rules for the VR are contained
> in the CloudStack database and written on demand when the VR is created or
> firewall changes made.
>
> Regards,
> Dag Sonstebo
> Cloud Architect
> ShapeBlue
>
> On 06/03/2018, 11:56, "Kumar, Varun" <va...@virtela.net> wrote:
>
>     Hello,
>
>     Is it possible to write custom iptables rules on the Virtual router that's
> created by CloudStack and make them persistent across restarts?
>
>     It looks like /etc/iptables/router_rules.v4 on the VR is the file
> that's being created, but I am looking for the script that creates this
> file.
>
>     Any insight is appreciated.
>
>     Thanks,
>     Varun
>
>
>
>
>
>
>
>

RE: Iptables on Virtual router

Posted by "Kumar, Varun" <va...@virtela.net>.
Thanks Dag. 

I am running into a scenario where a VR is required for dhcp service on the public Internet facing vlan and want to restrict connections to known trusted sources only.

Has anyone in the community run into such a situation before and found a workaround ? 

Thanks,
Varun


-----Original Message-----
From: Dag Sonstebo [mailto:Dag.Sonstebo@shapeblue.com] 
Sent: Tuesday, March 06, 2018 05:41 PM
To: users@cloudstack.apache.org
Subject: Re: Iptables on Virtual router

EXTERNAL EMAIL

Hi Varun,

No there’s no method for this, all firewall rules for the VR are contained in the CloudStack database and written on demand when the VR is created or firewall changes made. 

Regards,
Dag Sonstebo
Cloud Architect
ShapeBlue

On 06/03/2018, 11:56, "Kumar, Varun" <va...@virtela.net> wrote:

    Hello,
    
    Is it possible to write custom iptables rules on the Virtual router that's created by CloudStack and make them persistent across restarts?
    
    It looks like /etc/iptables/router_rules.v4 on the VR is the file that's being created, but I am looking for the script that creates this file.
    
    Any insight is appreciated.
    
    Thanks,
    Varun
    
    




Re: Iptables on Virtual router

Posted by Dag Sonstebo <Da...@shapeblue.com>.
Hi Varun,

No there’s no method for this, all firewall rules for the VR are contained in the CloudStack database and written on demand when the VR is created or firewall changes made. 

Regards,
Dag Sonstebo
Cloud Architect
ShapeBlue

On 06/03/2018, 11:56, "Kumar, Varun" <va...@virtela.net> wrote:

    Hello,
    
    Is it possible to write custom iptables rules on the Virtual router that's created by CloudStack and make them persistent across restarts?
    
    It looks like /etc/iptables/router_rules.v4 on the VR is the file that's being created, but I am looking for the script that creates this file.
    
    Any insight is appreciated.
    
    Thanks,
    Varun
    
    

