Github user karuturi commented on the pull request:
https://github.com/apache/cloudstack/pull/1023#issuecomment-153572067
Testing steps are the same as above.
iptables rules on the default egress ALLOW router:
```
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target         prot opt in     out     source               destination
    0     0 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT         all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT         all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT         all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT         all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 FW_OUTBOUND    all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 76 packets, 10157 bytes)
 pkts bytes target         prot opt in     out     source               destination
  436 61159 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FW_OUTBOUND (1 references)
 pkts bytes target         prot opt in     out     source               destination
    0     0 ACCEPT         all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
```
iptables rules on the default egress DENY router:
```
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target           prot opt in     out     source               destination
    0     0 NETWORK_STATS    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT           all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT           all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT           all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT           all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 FW_OUTBOUND      all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 39 packets, 3932 bytes)
 pkts bytes target           prot opt in     out     source               destination
  436 61098 NETWORK_STATS    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FW_EGRESS_RULES (1 references)
 pkts bytes target           prot opt in     out     source               destination
    0     0 DROP             all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FW_OUTBOUND (1 references)
 pkts bytes target           prot opt in     out     source               destination
    0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 FW_EGRESS_RULES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
```
User VMs in both networks are not able to ping google.com:
```
[root@egress-allow-vm ~]# ping google.com
PING google.com (216.58.192.110) 56(84) bytes of data.
--- google.com ping statistics ---
16 packets transmitted, 0 received, 100% packet loss, time 15007ms
[root@egress-deny-vm ~]# ping google.com
PING google.com (216.58.192.110) 56(84) bytes of data.
--- google.com ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2010ms
```
FW_EGRESS_RULES is missing on the default egress ALLOW VR.
I executed the following on the egress ALLOW router:
```
iptables -N FW_EGRESS_RULES
iptables -A FW_OUTBOUND -j FW_EGRESS_RULES
iptables -A FW_EGRESS_RULES -j ACCEPT
```
The new iptables rules are now:
```
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target           prot opt in     out     source               destination
   16  1344 NETWORK_STATS    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT           all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT           all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT           all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT           all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   16  1344 FW_OUTBOUND      all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 4 packets, 432 bytes)
 pkts bytes target           prot opt in     out     source               destination
  930  124K NETWORK_STATS    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FW_EGRESS_RULES (1 references)
 pkts bytes target           prot opt in     out     source               destination
    0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FW_OUTBOUND (1 references)
 pkts bytes target           prot opt in     out     source               destination
    0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 FW_EGRESS_RULES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
```
I can ping google.com from the user VM in this network after doing the above.
After this change, everything else (new rules to block/allow traffic) is working as expected.
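The observation in the comment above is that, on the egress ALLOW router, FW_OUTBOUND only accepts RELATED,ESTABLISHED traffic and never jumps to an FW_EGRESS_RULES chain, so every NEW outbound connection falls through to the FORWARD chain's DROP policy. The following is an added example, not code from the PR or from CloudStack: a POSIX shell script that performs that check mechanically on `iptables-save` output and prints the repair commands the comment used. The two dumps embedded in it are constructed to mirror the ALLOW and DENY routers shown above, and the function names (`egress_chain_state`, `egress_default_policy`, `repair_commands`) are my own, not anything in the project.

```shell
#!/bin/sh
# Added example (not CloudStack code): check whether a VR's filter table
# routes guest->public traffic through FW_OUTBOUND -> FW_EGRESS_RULES, and
# print the iptables commands needed to repair it if it does not.
# Works on iptables-save text so it can be run offline against a saved dump.

# Constructed sample: the "default egress ALLOW" router before the fix.
# FW_EGRESS_RULES is absent and FW_OUTBOUND only accepts RELATED,ESTABLISHED,
# so NEW outbound flows hit FORWARD's DROP policy.
ALLOW_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:NETWORK_STATS - [0:0]
:FW_OUTBOUND - [0:0]
-A FORWARD -j NETWORK_STATS
-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
-A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Constructed sample: the "default egress DENY" router, which already has the
# chain wired in and ending in DROP.
DENY_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:NETWORK_STATS - [0:0]
:FW_EGRESS_RULES - [0:0]
:FW_OUTBOUND - [0:0]
-A FORWARD -j NETWORK_STATS
-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
-A FW_EGRESS_RULES -j DROP
-A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FW_OUTBOUND -j FW_EGRESS_RULES
COMMIT'

# egress_chain_state DUMP -> prints "missing" (chain not defined),
# "unlinked" (chain defined but FW_OUTBOUND never jumps to it) or "ok".
egress_chain_state() {
    dump=$1
    if ! printf '%s\n' "$dump" | grep -q '^:FW_EGRESS_RULES '; then
        echo missing
        return 0
    fi
    if ! printf '%s\n' "$dump" | grep -q '^-A FW_OUTBOUND .*-j FW_EGRESS_RULES$'; then
        echo unlinked
        return 0
    fi
    echo ok
}

# egress_default_policy DUMP -> target of the last rule in FW_EGRESS_RULES
# (ACCEPT / DROP / ...), or "none" if the chain has no rules at all.
egress_default_policy() {
    printf '%s\n' "$1" | awk '
        /^-A FW_EGRESS_RULES / { pol = $NF }
        END { if (pol == "") pol = "none"; print pol }'
}

# repair_commands DUMP POLICY -> prints the iptables commands that would put
# the chain in place with POLICY (ACCEPT for an egress-allow network, DROP
# for egress-deny) as its terminal rule; prints nothing if already ok.
repair_commands() {
    state=$(egress_chain_state "$1")
    case $state in
        missing)
            echo "iptables -N FW_EGRESS_RULES"
            echo "iptables -A FW_OUTBOUND -j FW_EGRESS_RULES"
            echo "iptables -A FW_EGRESS_RULES -j $2"
            ;;
        unlinked)
            echo "iptables -A FW_OUTBOUND -j FW_EGRESS_RULES"
            ;;
        ok)
            :
            ;;
    esac
}

# Stand-alone run over the two constructed dumps.
for name in ALLOW DENY; do
    eval "dump=\$${name}_DUMP"
    echo "$name router: chain state=$(egress_chain_state "$dump")" \
         "terminal policy=$(egress_default_policy "$dump")"
done
echo "Repair for ALLOW router:"
repair_commands "$ALLOW_DUMP" ACCEPT
```

On a live router the same check is `repair_commands "$(iptables-save -t filter)" ACCEPT`. Note that the three `iptables` commands, whether typed by hand as in the comment or emitted by this script, change only the running ruleset; they are lost when the VR's rules are regenerated or the VR restarts, so they confirm the diagnosis but the durable fix has to be in whatever generates the chain. The DENY router fails closed when the chain is wrong (FORWARD's policy is DROP), which is why the symptom on both routers was identical even though only the ALLOW one was misconfigured.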