Github user karuturi commented on the pull request: https://github.com/apache/cloudstack/pull/1023#issuecomment-153572067 testing steps same as above. iptables rules on default egress ALLOW router ``` Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 NETWORK_STATS all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT all -- eth0 eth0 0.0.0.0/0 0.0.0.0/0 state NEW 0 0 ACCEPT all -- eth2 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT all -- eth0 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 FW_OUTBOUND all -- eth0 eth2 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT 76 packets, 10157 bytes) pkts bytes target prot opt in out source destination 436 61159 NETWORK_STATS all -- * * 0.0.0.0/0 0.0.0.0/0 Chain FW_OUTBOUND (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ``` iptables rules on default egress DENY router ``` Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 NETWORK_STATS all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT all -- eth0 eth0 0.0.0.0/0 0.0.0.0/0 state NEW 0 0 ACCEPT all -- eth2 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT all -- eth0 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 FW_OUTBOUND all -- eth0 eth2 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT 39 packets, 3932 bytes) pkts bytes target prot opt in out source destination 436 61098 NETWORK_STATS all -- * * 0.0.0.0/0 0.0.0.0/0 Chain FW_EGRESS_RULES (1 references) pkts bytes target prot opt in out source destination 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain FW_OUTBOUND (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 FW_EGRESS_RULES all -- * * 0.0.0.0/0 0.0.0.0/0 ``` uservms in both the networks are not able to ping google.com ``` specific tools. [root@egress-allow-vm ~]# ping google.com PING google.com (216.58.192.110) 56(84) bytes of data. --- google.com ping statistics --- 16 packets transmitted, 0 received, 100% packet loss, time 15007ms [root@egress-deny-vm ~]# ping google.com PING google.com (216.58.192.110) 56(84) bytes of data. --- google.com ping statistics --- 3 packets transmitted, 0 received, 100% packet loss, time 2010ms ``` FW_EGRESS_RULES is missing in the default egress allow vr I executed the following on the egress allow router ``` iptables -N FW_EGRESS_RULES iptables -A FW_OUTBOUND -j FW_EGRESS_RULES iptables -A FW_EGRESS_RULES -j ACCEPT ``` now the new iptables ``` Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 16 1344 NETWORK_STATS all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT all -- eth0 eth0 0.0.0.0/0 0.0.0.0/0 state NEW 0 0 ACCEPT all -- eth2 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT all -- eth0 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 16 1344 FW_OUTBOUND all -- eth0 eth2 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT 4 packets, 432 bytes) pkts bytes target prot opt in out source destination 930 124K NETWORK_STATS all -- * * 0.0.0.0/0 0.0.0.0/0 Chain FW_EGRESS_RULES (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 Chain FW_OUTBOUND (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 FW_EGRESS_RULES all -- * * 0.0.0.0/0 0.0.0.0/0 ``` I can ping google.com from the user vm in this network after doing the above. after this change everything else(new rules to block/allow traffic) is working as expected.
--- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---