[ https://issues.apache.org/jira/browse/CLOUDSTACK-106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13459591#comment-13459591 ]
sadhu suresh commented on CLOUDSTACK-106:
-----------------------------------------

Am still seeing by default outgoing traffic is blocked.

Git Revision: 2a5e5b2e62a9f35d674f016e02abc1da77b95745
Git URL: https://git-wip-us.apache.org/repos/asf/incubator-cloudstack.git

root@r-3-VM:~# iptables-save
# Generated by iptables-save v1.4.8 on Thu Sep 20 13:27:33 2012
*mangle
:PREROUTING ACCEPT [2457:361780]
:INPUT ACCEPT [2457:361780]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2164:384946]
:POSTROUTING ACCEPT [2164:384946]
:ACL_OUTBOUND_eth2 - [0:0]
:VPN_STATS_eth1 - [0:0]
-A PREROUTING -i eth1 -m state --state NEW -j CONNMARK --set-xmark 0x1/0xffffffff
-A PREROUTING -i eth2 -m state --state RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A PREROUTING -s 10.1.1.0/24 ! -d 10.1.1.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
-A FORWARD -j VPN_STATS_eth1
-A OUTPUT -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A ACL_OUTBOUND_eth2 -j DROP
-A VPN_STATS_eth1 -o eth1 -m mark --mark 0x525
-A VPN_STATS_eth1 -i eth1 -m mark --mark 0x524
COMMIT
# Completed on Thu Sep 20 13:27:33 2012
# Generated by iptables-save v1.4.8 on Thu Sep 20 13:27:33 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2159:384766]
:ACL_INBOUND_eth2 - [0:0]
:NETWORK_STATS_eth1 - [0:0]
-A INPUT -d 224.0.0.18/32 -j ACCEPT
-A INPUT -d 225.0.0.50/32 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 3922 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth2 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i eth2 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -d 10.1.1.1/32 -i eth2 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A FORWARD -j NETWORK_STATS_eth1
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.1.0.0/16 ! -d 10.1.0.0/16 -j ACCEPT
-A FORWARD -d 10.1.1.0/24 -o eth2 -j ACL_INBOUND_eth2
-A ACL_INBOUND_eth2 -j DROP
-A NETWORK_STATS_eth1 -s 10.1.0.0/16 -o eth1
-A NETWORK_STATS_eth1 -d 10.1.0.0/16 -i eth1
COMMIT
# Completed on Thu Sep 20 13:27:33 2012
# Generated by iptables-save v1.4.8 on Thu Sep 20 13:27:33 2012
*nat
:PREROUTING ACCEPT [137:8982]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [45:3292]
-A POSTROUTING -o eth1 -j SNAT --to-source 10.147.49.33
-A POSTROUTING -s 10.1.1.0/24 -o eth2 -j SNAT --to-source 10.1.1.1
COMMIT
# Completed on Thu Sep 20 13:27:33 2012

> Inter Vlan - When Vms are deployed as part of VPC, all egress traffic is
> blocked. It should be open for all egress traffic until first egress rule is
> added.
> --------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-106
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-106
>             Project: CloudStack
>          Issue Type: Bug
>          Components: Management Server
>    Affects Versions: pre-4.0.0
>         Environment: Tested with:
> Git Revision: 03df2fa9dd45c938f72cd1866044b09d1b0cc978
> Git URL: https://git-wip-us.apache.org/repos/asf/incubator-cloudstack.git
>
>            Reporter: Sangeetha Hariharan
>            Assignee: Anthony Xu
>             Fix For: pre-4.0.0
>
>
> Inter Vlan - When Vms are deployed as part of VPC, all egress traffic is
> blocked. It should be open for all egress traffic until first egress rule is
> added.
> Steps to reproduce the problem:
> Create a VPC.
> Create few networks in this VPC.
> Deploy few vms as part of this VPC.
> From within these Vms, try to access any server like ping google.com
> We are NOT allowed access.
> Expected Behavior:
> By default, it should be open for all egress traffic until first egress rule
> is added.
> root@r-10-ASF:/opt/cloud/bin# iptables-save | grep OUTBOUND
> :ACL_OUTBOUND_eth2 - [0:0]
> :ACL_OUTBOUND_eth3 - [0:0]
> -A PREROUTING -s 10.1.1.0/24 ! -d 10.1.1.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
> -A PREROUTING -s 10.1.2.0/24 ! -d 10.1.2.1/32 -i eth3 -m state --state NEW -j ACL_OUTBOUND_eth3
> -A ACL_OUTBOUND_eth2 -j DROP
> -A ACL_OUTBOUND_eth3 -j DROP
>

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
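
Added example, not part of the original JIRA message or of CloudStack's code: a shell function that reads a full iptables-save dump and classifies each ACL_OUTBOUND_* chain in the mangle table, which is the check done by eye in the output above. The sample dump is constructed (trimmed from the output above, with one hypothetical ACCEPT rule on eth3), and treating an ACCEPT or RETURN target as the form an egress allow rule takes is an assumption.

```shell
#!/bin/sh
# Classify every ACL_OUTBOUND_* chain found in the mangle table of an
# iptables-save dump read from stdin:
#   open          chain has no deciding rule, so new egress connections pass
#   default-deny  an unconditional "-j DROP" is hit before any allow rule
#   has-allow     an ACCEPT/RETURN rule comes first (assumed allow-rule form)
acl_outbound_status() {
    awk '
        $1 ~ /^\*/ { table = substr($1, 2); next }    # table header, e.g. *mangle
        table != "mangle" { next }                     # egress ACL chains live in mangle
        $1 ~ /^:ACL_OUTBOUND_/ {                       # chain declaration line
            name = substr($1, 2); order[++n] = name; state[name] = "open"; next
        }
        $1 == "-A" && $2 ~ /^ACL_OUTBOUND_/ {
            if (state[$2] != "open") next              # first deciding rule wins
            target = ""
            for (i = 3; i < NF; i++) if ($i == "-j") target = $(i + 1)
            if (target == "DROP" && NF == 4) state[$2] = "default-deny"
            else if (target == "ACCEPT" || target == "RETURN") state[$2] = "has-allow"
        }
        END { for (i = 1; i <= n; i++) print order[i], state[order[i]] }
    '
}

# Constructed sample: eth2 mirrors the dump above, the eth3 ACCEPT rule is hypothetical.
sample_dump() {
    cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:ACL_OUTBOUND_eth2 - [0:0]
:ACL_OUTBOUND_eth3 - [0:0]
-A PREROUTING -s 10.1.1.0/24 ! -d 10.1.1.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
-A ACL_OUTBOUND_eth2 -j DROP
-A ACL_OUTBOUND_eth3 -p tcp -m tcp --dport 443 -j ACCEPT
-A ACL_OUTBOUND_eth3 -j DROP
COMMIT
*filter
:ACL_INBOUND_eth2 - [0:0]
-A ACL_INBOUND_eth2 -j DROP
COMMIT
EOF
}

sample_dump | acl_outbound_status
```

On a virtual router the same function can be fed live data with `iptables-save | acl_outbound_status`; a chain reported as default-deny before any egress rule has been created matches the behaviour described in this issue.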