[ https://issues.apache.org/jira/browse/CLOUDSTACK-8925?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14988869#comment-14988869 ]

ASF GitHub Bot commented on CLOUDSTACK-8925:
--------------------------------------------

Github user karuturi commented on the pull request:

    https://github.com/apache/cloudstack/pull/1023#issuecomment-153572067
  
    Testing steps are the same as above.
    
    iptables rules on the default egress ALLOW router:
    ```
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state NEW
        0     0 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
    
    Chain OUTPUT (policy ACCEPT 76 packets, 10157 bytes)
     pkts bytes target     prot opt in     out     source               destination
      436 61159 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    Chain FW_OUTBOUND (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    
    ```
    iptables rules on the default egress DENY router:
    ```
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state NEW
        0     0 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
    
    Chain OUTPUT (policy ACCEPT 39 packets, 3932 bytes)
     pkts bytes target     prot opt in     out     source               destination
      436 61098 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    Chain FW_EGRESS_RULES (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    Chain FW_OUTBOUND (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 FW_EGRESS_RULES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    ```
    
    User VMs in both networks are not able to ping google.com:
    ```
    [root@egress-allow-vm ~]# ping google.com
    PING google.com (216.58.192.110) 56(84) bytes of data.
    
    --- google.com ping statistics ---
    16 packets transmitted, 0 received, 100% packet loss, time 15007ms
    
    [root@egress-deny-vm ~]# ping google.com
    PING google.com (216.58.192.110) 56(84) bytes of data.
    
    --- google.com ping statistics ---
    3 packets transmitted, 0 received, 100% packet loss, time 2010ms
    ```
    
    FW_EGRESS_RULES is missing in the default egress allow VR.
    I executed the following on the egress allow router:
    ```
    iptables -N FW_EGRESS_RULES
    iptables -A FW_OUTBOUND -j FW_EGRESS_RULES
    iptables -A FW_EGRESS_RULES -j ACCEPT
    ```
    Now the new iptables:
    ```
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
       16  1344 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state NEW
        0     0 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       16  1344 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
    
    Chain OUTPUT (policy ACCEPT 4 packets, 432 bytes)
     pkts bytes target     prot opt in     out     source               destination
      930  124K NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    Chain FW_EGRESS_RULES (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    Chain FW_OUTBOUND (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 FW_EGRESS_RULES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    ```
    I can ping google.com from the user VM in this network after doing the above.
    
    After this change everything else (new rules to block/allow traffic) is working as expected.


> Default allow for Egress rules is not being configured properly in VR iptables rules
> ------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-8925
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8925
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: Virtual Router
>    Affects Versions: 4.6.0
>            Reporter: Pavan Kumar Bandarupally
>            Assignee: Wilder Rodrigues
>            Priority: Blocker
>             Fix For: 4.6.0
>
>
> When we create a network with Egress rules set to default allow, the rules 
> created in the FW_OUTBOUND table should have a reference to the FW_EGRESS_RULES chain, 
> which has a rule to accept NEW packets from the guest instances. Without that 
> rule, only the RELATED,ESTABLISHED rule in the FW_OUTBOUND chain remains, which will 
> result in the drop of packets.
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    44  2832 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state NEW
>     4   336 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>    40  2496 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
> Chain OUTPUT (policy ACCEPT 20 packets, 1888 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  2498  369K NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
> Chain FIREWALL_EGRESS_RULES (0 references)
>  pkts bytes target     prot opt in     out     source               destination
> Chain FW_OUTBOUND (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     3   252 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
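An added check, not CloudStack code and not part of the issue thread, that reads `iptables -nvL` text and verifies the wiring the issue describes: FW_OUTBOUND must jump to FW_EGRESS_RULES, and that chain must end in ACCEPT for a default-allow network or DROP for a default-deny one. The two embedded dumps are constructed, condensed from the ones quoted above; the broken default-allow case reproduces the reporter's symptom (only the RELATED,ESTABLISHED rule in FW_OUTBOUND) and the fixed case reproduces the manual repair from the comment.

```python
import re

CHAIN_RE = re.compile(r"^Chain (\S+) \(")

def parse_chains(output):
    """Map chain name -> ordered list of rule targets from `iptables -nvL` text."""
    chains, current = {}, None
    for line in output.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        fields = line.split()
        # Rule rows look like: pkts bytes target prot opt in out source destination [matches]
        if current is None or len(fields) < 9 or fields[0] == "pkts":
            continue
        chains[current].append(fields[2])
    return chains

def egress_status(output, default_allow):
    """Return (ok, reason). FW_OUTBOUND must jump to FW_EGRESS_RULES, and that chain's
    last rule must be ACCEPT for a default-allow network, DROP for default-deny."""
    chains = parse_chains(output)
    if "FW_EGRESS_RULES" not in chains.get("FW_OUTBOUND", []):
        return False, "FW_OUTBOUND never jumps to FW_EGRESS_RULES"
    egress = chains.get("FW_EGRESS_RULES")
    if not egress:
        return False, "FW_EGRESS_RULES chain missing or empty"
    expected = "ACCEPT" if default_allow else "DROP"
    if egress[-1] != expected:
        return False, f"FW_EGRESS_RULES ends in {egress[-1]}, expected {expected}"
    return True, "ok"

# Constructed samples condensed from the dumps in this issue: before and after the repair.
BROKEN_ALLOW = """\
Chain FW_OUTBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   252 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
"""
FIXED_ALLOW = BROKEN_ALLOW + """\
    0     0 FW_EGRESS_RULES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain FW_EGRESS_RULES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

if __name__ == "__main__":
    for name, dump in (("before fix", BROKEN_ALLOW), ("after fix", FIXED_ALLOW)):
        print(name, egress_status(dump, default_allow=True))
```

On a live router, pipe `iptables -nvL` into `egress_status` with the network's egress default; a FW_EGRESS_RULES chain that exists but has zero references (as in the reporter's dump) is reported as the missing jump.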



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
