Posted to issues@cloudstack.apache.org by "venkata swamybabu budumuru (JIRA)" <ji...@apache.org> on 2013/07/22 15:06:48 UTC
[jira] [Closed] (CLOUDSTACK-1850) IPTABLE default rules are not configured in the INPUT chain & FW_OUTBOUND chain is not present
[ https://issues.apache.org/jira/browse/CLOUDSTACK-1850?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
venkata swamybabu budumuru closed CLOUDSTACK-1850.
--------------------------------------------------
Verified with the latest systemVM template on latest CloudStack. Didn't see any issues as reported here. This issue is not reproducible on the latest builds.
> IPTABLE default rules are not configured in the INPUT chain & FW_OUTBOUND chain is not present
> -----------------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-1850
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-1850
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the default.)
> Components: Network Controller
> Affects Versions: 4.2.0
> Environment: - Commit Id # 94de31ebada689a766809e0b73faf567a079c79a
> - Advanced zone with Xen Cluster
> root@r-6-VM:~# cat /etc/cloudstack-release
> Cloudstack Release 4.2.0 Thu Mar 28 04:09:55 UTC 2013
> Reporter: venkata swamybabu budumuru
> Assignee: Jayapal Reddy
> Priority: Blocker
> Fix For: 4.2.0
>
> Attachments: logs.29.tgz
>
>
> Steps to reproduce :
> 1. Have at least one ISOLATED network created
> 2. Deploy a VM with at least one nic connected to the above isolated network
> 3. Verify iptables on the newly deployed router VM for the above isolated network
> Observations :
> 1. It doesn't have any default outbound rules (like for ports 53, 67, etc.) configured, but things go fine because the policy for the INPUT chain is set to ACCEPT by default.
> 2. All egress from the VM is working / allowed by default because the FORWARD chain is not configured with the "FW_OUTBOUND" chain.
> Here is the snippet of router vm for "iptables -L -nv"
> root@r-6-VM:~# iptables -L -nv
> Chain INPUT (policy ACCEPT 2032 packets, 305K bytes)
> pkts bytes target prot opt in out source destination
> 2149 320K NETWORK_STATS all -- * * 0.0.0.0/0 0.0.0.0/0
> Chain FORWARD (policy ACCEPT 18 packets, 1419 bytes)
> pkts bytes target prot opt in out source destination
> 36 8380 NETWORK_STATS all -- * * 0.0.0.0/0 0.0.0.0/0
> 18 6961 ACCEPT all -- eth2 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.1.2.235 state RELATED,ESTABLISHED /* 10.147.44.61:22:22 */
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.1.2.235 tcp dpt:22 state NEW /* 10.147.44.61:22:22 */
> Chain OUTPUT (policy ACCEPT 1930 packets, 340K bytes)
> pkts bytes target prot opt in out source destination
> 2056 358K NETWORK_STATS all -- * * 0.0.0.0/0 0.0.0.0/0
> Chain NETWORK_STATS (3 references)
> pkts bytes target prot opt in out source destination
> 18 1419 all -- eth0 eth2 0.0.0.0/0 0.0.0.0/0
> 18 6961 all -- eth2 eth0 0.0.0.0/0 0.0.0.0/0
> 0 0 tcp -- !eth0 eth2 0.0.0.0/0 0.0.0.0/0
> 0 0 tcp -- eth2 !eth0 0.0.0.0/0 0.0.0.0/0
> Attaching vmops.log, api.log, /var/log/messages, cloud.log from router, etc.
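A check for the two conditions in the report (INPUT left at policy ACCEPT with nothing blocking, and no FW_OUTBOUND chain or jump from FORWARD), as an added example that is not part of the original message or of CloudStack. The finding labels and the second ruleset are constructed for illustration; the first ruleset is abridged from the listing in the report.

```shell
# Added example. Reads `iptables -L -nv` text on stdin, prints one finding per line.
# Finding labels are invented here; FW_OUTBOUND is the chain named in the report.
audit_ruleset() {
    awk '
    /^Chain / {                        # "(policy X ...)" on built-in chains only
        chain = $2; seen[chain] = 1
        if ($3 == "(policy") policy[chain] = $4
        next
    }
    $1 == "pkts" || NF < 9 { next }    # column header, blank, or targetless counter rule
    {
        if ($3 == "DROP" || $3 == "REJECT") blocks[chain]++
        if (chain == "FORWARD" && $3 == "FW_OUTBOUND") jump = 1
    }
    END {
        if (policy["INPUT"] == "ACCEPT" && !blocks["INPUT"]) print "input-default-accept"
        if (!seen["FW_OUTBOUND"]) print "fw-outbound-chain-missing"
        if (!jump) print "forward-no-fw-outbound-jump"
    }'
}
# Abridged from the listing in the report (router r-6-VM).
reported_ruleset() {
cat <<'EOF'
Chain INPUT (policy ACCEPT 2032 packets, 305K bytes)
 pkts bytes target prot opt in out source destination
 2149 320K NETWORK_STATS all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 18 packets, 1419 bytes)
 pkts bytes target prot opt in out source destination
   36 8380 NETWORK_STATS all -- * * 0.0.0.0/0 0.0.0.0/0
   18 6961 ACCEPT all -- eth2 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
EOF
}
# Constructed sample (not from the page): default-drop INPUT, FORWARD -> FW_OUTBOUND.
expected_ruleset() {
cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
   10 600 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    5 300 FW_OUTBOUND all -- eth0 eth2 0.0.0.0/0 0.0.0.0/0
Chain FW_OUTBOUND (1 references)
 pkts bytes target prot opt in out source destination
    5 300 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
EOF
}
reported_ruleset | audit_ruleset
```

On a router VM the same function can be fed live output with `iptables -L -nv | audit_ruleset`; no output means none of the three conditions was found.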