Here are the VR iptables rules:
root@r-17-VRDLAB:~# iptables -nL -v --line-numbers -t filter
Chain INPUT (policy DROP 124 packets, 9432 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * * 0.0.0.0/0 224.0.0.18
2 0 0 ACCEPT all -- * * 0.0.0.0/0 225.0.0.50
3 38 3648 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4 11168 1852K ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
5 5 526 ACCEPT all -- eth2 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
6 102 8520 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
7 5 293 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
8 29 9614 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
9 23 1787 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
10 629 37740 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3922
11 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8080
12 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 1 60 ACCEPT all -- eth2 eth0 0.0.0.0/0 10.1.1.118 state NEW
3 3 164 ACCEPT all -- eth2 eth0 0.0.0.0/0 10.1.1.132 state NEW
4 21 9986 ACCEPT all -- eth2 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
5 29 1600 ACCEPT all -- eth0 eth2 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 280 packets, 48879 bytes)
num pkts bytes target prot opt in out source destination

root@r-17-VRDLAB:~# iptables -nL -v --line-numbers -t nat
Chain PREROUTING (policy ACCEPT 143 packets, 10644 bytes)
num pkts bytes target prot opt in out source destination
1 1 60 DNAT all -- eth2 * 0.0.0.0/0 192.168.3.120 to:10.1.1.118
2 3 164 DNAT all -- eth2 * 0.0.0.0/0 192.168.3.115 to:10.1.1.132

Chain POSTROUTING (policy ACCEPT 4 packets, 224 bytes)
num pkts bytes target prot opt in out source destination
1 2 96 SNAT all -- * eth2 10.1.1.132 0.0.0.0/0 to:192.168.3.115
2 4 192 SNAT all -- * eth2 10.1.1.118 0.0.0.0/0 to:192.168.3.120
3 2 138 SNAT all -- * eth2 0.0.0.0/0 0.0.0.0/0 to:192.168.3.116

Chain OUTPUT (policy ACCEPT 2 packets, 138 bytes)
num pkts bytes target prot opt in out source destination

root@r-17-VRDLAB:~# iptables -nL -v --line-numbers -t mangle
Chain PREROUTING (policy ACCEPT 543 packets, 44292 bytes)
num pkts bytes target prot opt in out source destination
1 552 346K VPN_192.168.3.116 all -- * * 0.0.0.0/0 192.168.3.116
2 13 5167 FIREWALL_192.168.3.120 all -- * * 0.0.0.0/0 192.168.3.120
3 22 5571 FIREWALL_192.168.3.115 all -- * * 0.0.0.0/0 192.168.3.115
4 118 5980 FIREWALL_192.168.3.116 all -- * * 0.0.0.0/0 192.168.3.116
5 11705 1887K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED CONNMARK restore
6 1 60 MARK all -- eth2 * 0.0.0.0/0 192.168.3.120 state NEW MARK set 0x2
7 1 60 CONNMARK all -- eth2 * 0.0.0.0/0 192.168.3.120 state NEW CONNMARK save
8 124 10012 MARK all -- eth0 * 10.1.1.118 0.0.0.0/0 state NEW MARK set 0x2
9 124 10012 CONNMARK all -- eth0 * 10.1.1.118 0.0.0.0/0 state NEW CONNMARK save
10 3 164 MARK all -- eth2 * 0.0.0.0/0 192.168.3.115 state NEW MARK set 0x2
11 3 164 CONNMARK all -- eth2 * 0.0.0.0/0 192.168.3.115 state NEW CONNMARK save
12 17 1445 MARK all -- eth0 * 10.1.1.132 0.0.0.0/0 state NEW MARK set 0x2
13 17 1445 CONNMARK all -- eth0 * 10.1.1.132 0.0.0.0/0 state NEW CONNMARK save

Chain INPUT (policy ACCEPT 514 packets, 42811 bytes)
num pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 54 packets, 11810 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 231 packets, 42784 bytes)
num pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 285 packets, 54594 bytes)
num pkts bytes target prot opt in out source destination
1 27 9270 CHECKSUM udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68 CHECKSUM fill

Chain FIREWALL_192.168.3.115 (1 references)
num pkts bytes target prot opt in out source destination
1 15 5203 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 0 0 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:1:65535
3 5 248 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1:65535
4 2 120 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255
5 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FIREWALL_192.168.3.116 (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 118 5980 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FIREWALL_192.168.3.120 (1 references)
num pkts bytes target prot opt in out source destination
1 8 4903 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 2 120 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255
3 3 144 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1:65535
4 0 0 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:1:65535
5 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain VPN_192.168.3.116 (1 references)
num pkts bytes target prot opt in out source destination
1 434 340K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 118 5980 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
root@r-17-VRDLAB:~#
On Tue, Sep 25, 2012 at 12:37 PM, Jayapal Reddy Uradi <
[email protected]> wrote:
> Debug the traffic flow ... whether the traffic is sent to the VR guest network
> interface and then the public interface.
> Please share the VR iptables rules.
>
> Thanks,
> Jayapal
>
> -----Original Message-----
> From: Hieu Le [mailto:[email protected]]
> Sent: Tuesday, September 25, 2012 8:42 AM
> To: [email protected]
> Subject: Re: Problem with VM private IP
>
> Yep, I have read the admin guide and set up firewall rules + enabled static
> NAT for all tested VMs and am still facing this problem.
>
> On Tue, Sep 25, 2012 at 10:01 AM, Ahmad Emneina <[email protected]
> >wrote:
>
> > Have you looked at the Administration Guide[1]? See page 75 and see if
> > that solves your connectivity issue. You still need to poke the hole
> > in the firewall and set up a NAT rule from within cloudstack.
> >
> > [1]:
> > http://download.cloud.com/releases/3.0.0/CloudStack3.0AdminGuide.pdf
> >
> > On 9/24/12 7:56 PM, "Hieu Le" <[email protected]> wrote:
> >
> > >Hi,
> > >
> > >The telnet packets are not reaching the telnet server VM.
> > >
> > >I'm using CS 3.0.2.
> > >
> > >Thanks for replying!
> > >
> > >On Mon, Sep 24, 2012 at 5:52 PM, Jayapal Reddy Uradi <
> > >[email protected]> wrote:
> > >
> > >> Using firewall and port forwarding rules only, we can access the VM
> > >>services from the public network and also from the VMs using the public
> IPs.
> > >> For you, telnet from the outside network succeeds but fails from
> > >>VM to VM using the public IP.
> > >> Seems hairpin NAT failed ...
> > >>
> > >> Please capture the packets on the telnet server VM to see whether
> > >> the telnet packets are reaching it or not.
> > >>
> > >> Which version of CloudStack is it?
> > >>
> > >> Thanks,
> > >> Jayapal
> > >>
> > >> -----Original Message-----
> > >> From: Hieu Le [mailto:[email protected]]
> > >> Sent: Monday, September 24, 2012 3:39 PM
> > >> To: [email protected]
> > >> Subject: Problem with VM private IP
> > >>
> > >> Hi everyone,
> > >>
> > >> I have a problem while working with VM private IPs. My cloud system
> > >>runs 2 VMs in an advanced zone with private IPs 10.1.1.20 and
> > >>10.1.1.21 and VM NAT IPs 192.168.50.160 and 192.168.50.165. From
> > >>the outside network, I can ping and telnet to port 80 on both VMs with
> > >>their public IPs. But from VM 10.1.1.21, I can't telnet to the other VM with
> > >>its public IP.
> > >>
> > >> For details:
> > >> From VM1: 10.1.1.20 and 192.168.50.160.
> > >> ping 192.168.50.165 and ping 10.1.1.21 success
> > >> telnet 10.1.1.21 80 success
> > >> telnet 192.168.50.165 80 fail
> > >>
> > >> From VM2: 10.1.1.21 and 192.168.50.165
> > >> ping 192.168.50.160 and ping 10.1.1.20 success
> > >> telnet 10.1.1.20 success
> > >> telnet 192.168.50.160 80 fail
> > >>
> > >> And I can't telnet to other ports with the public IP either.
> > >>
> > >> Can you suggest some solutions for me to telnet to a VM from another VM
> > >> via its public IP?
> > >>
> > >> Thanks!
> > >>
> >
> >
> > --
> > Æ
--
..:: Hieu LE ::..
Class: Information System - Course 52
School of Information and Communication Technology
Hanoi University of Technology
No 1, Dai Co Viet street - Hai Ba Trung district - Hanoi
High Performance Computing Center
Cloud Computing Group
Gmail: [email protected]
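An added diagnostic, not part of this thread and not CloudStack's own code: a Python script that parses the VR's nat table as posted above (rows re-joined one per line, values as posted) and lists every public IP whose DNAT rule matches only traffic arriving on the public interface, which leaves nothing to translate a guest VM's connection to another VM's public IP. The guest interface name eth0 is an assumption read off the rule layout.

```python
# Constructed sample: the VR's nat table as posted in the thread, re-joined one
# rule per line (values exactly as shown; only the column layout is ours).
NAT_TABLE = """\
Chain PREROUTING (policy ACCEPT 143 packets, 10644 bytes)
num pkts bytes target prot opt in out source destination
1 1 60 DNAT all -- eth2 * 0.0.0.0/0 192.168.3.120 to:10.1.1.118
2 3 164 DNAT all -- eth2 * 0.0.0.0/0 192.168.3.115 to:10.1.1.132
Chain POSTROUTING (policy ACCEPT 4 packets, 224 bytes)
num pkts bytes target prot opt in out source destination
1 2 96 SNAT all -- * eth2 10.1.1.132 0.0.0.0/0 to:192.168.3.115
2 4 192 SNAT all -- * eth2 10.1.1.118 0.0.0.0/0 to:192.168.3.120
3 2 138 SNAT all -- * eth2 0.0.0.0/0 0.0.0.0/0 to:192.168.3.116
"""
GUEST_IF = "eth0"  # assumption: the VR's guest-network interface

def parse_nat(text):
    """Parse `iptables -nL -v --line-numbers -t nat` output into {chain: [rule dicts]}."""
    chains, chain = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            chains[chain] = []
        elif chain and line[:1].isdigit():
            # columns: num pkts bytes target prot opt in out source destination [options]
            f = line.split()
            chains[chain].append(dict(num=int(f[0]), target=f[3], prot=f[4], in_if=f[6],
                                      out_if=f[7], src=f[8], dst=f[9], extra=" ".join(f[10:])))
    return chains

def hairpin_gaps(chains, guest_if=GUEST_IF):
    """Return [(public_ip, private_ip)] for DNAT rules that match only public-side ingress.

    A guest VM connecting to such a public IP enters on the guest interface, where no
    DNAT rule matches, so the VR never forwards it to the target VM (the hairpin symptom)."""
    pre = chains.get("PREROUTING", [])
    gaps = []
    for r in pre:
        if r["target"] != "DNAT":
            continue
        covered = any(o["target"] == "DNAT" and o["dst"] == r["dst"]
                      and o["in_if"] in ("*", guest_if) for o in pre)
        if not covered:
            gaps.append((r["dst"], r["extra"].replace("to:", "", 1)))
    return gaps

if __name__ == "__main__":
    for pub, priv in hairpin_gaps(parse_nat(NAT_TABLE)):
        print(f"{pub} -> {priv}: DNAT only on public ingress, no hairpin path via {GUEST_IF}")
```

A DNAT that also matches guest-side ingress is only half of a working hairpin: the reply must come back through the VR too, so guest-to-guest connections via a public IP additionally need a POSTROUTING SNAT, otherwise the target VM answers the source directly on the guest LAN and the connection never completes.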