[ https://issues.apache.org/jira/browse/CLOUDSTACK-6432?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15291185#comment-15291185 ]
Nux commented on CLOUDSTACK-6432:
---------------------------------

This is still an issue. I've got a relatively recent VR (v4.6) in an Adv zone + Security Groups and this is the default iptables ruleset. /etc/iptables/rules.v4 seems to have appropriate rules, but this file is not loaded.

root@r-39-VM:~# iptables-save
# Generated by iptables-save v1.4.14 on Thu May 19 14:05:57 2016
*nat
:PREROUTING ACCEPT [28128385:1907214241]
:INPUT ACCEPT [27869676:1892074637]
:OUTPUT ACCEPT [38664974:2609751259]
:POSTROUTING ACCEPT [38664974:2609751259]
COMMIT
# Completed on Thu May 19 14:05:57 2016
# Generated by iptables-save v1.4.14 on Thu May 19 14:05:57 2016
*mangle
:PREROUTING ACCEPT [459089371:792763542339]
:INPUT ACCEPT [459089337:792763540435]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [270221711:125968904842]
:POSTROUTING ACCEPT [270221711:125968904842]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A PREROUTING -i eth0 -m state --state NEW -j CONNMARK --set-xmark 0x0/0xffffffff
-A PREROUTING -i eth0 -m state --state NEW -j CONNMARK --set-xmark 0x0/0xffffffff
COMMIT
# Completed on Thu May 19 14:05:57 2016
# Generated by iptables-save v1.4.14 on Thu May 19 14:05:57 2016
*filter
:INPUT DROP [261517:15261324]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [270221736:125968907608]
:FW_OUTBOUND - [0:0]
:NETWORK_STATS - [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 10086 -j ACCEPT
-A INPUT -j NETWORK_STATS
-A INPUT -i eth1 -p tcp -m tcp --dport 3922 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -d 224.0.0.18/32 -j ACCEPT
-A INPUT -d 225.0.0.50/32 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 3922 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -j NETWORK_STATS
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
-A OUTPUT -j NETWORK_STATS
-A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
-A NETWORK_STATS -i eth0 -o eth2
-A NETWORK_STATS -i eth2 -o eth0
-A NETWORK_STATS ! -i eth0 -o eth2 -p tcp
-A NETWORK_STATS -i eth2 ! -o eth0 -p tcp
COMMIT

> Prevent VR from response to DNS request from outside of network
> ---------------------------------------------------------------
>
>                 Key: CLOUDSTACK-6432
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6432
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public (Anyone can view this level - this is the default.)
>    Affects Versions: 4.4.0, 4.5.0
>            Reporter: Sheng Yang
>            Assignee: Sheng Yang
>             Fix For: 4.4.0, 4.5.0
>
>
> In basic and shared networks, the VR uses the private network NIC for DHCP/DNS
> services. But if the private network is on the internet as well, it would leave the VR
> facing the outside network.
> We would restrain the VR DNS service to the CloudStack managed network.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
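An added audit script, not part of this JIRA thread or of CloudStack's own code, for the two questions the comment raises: which rules in the live ruleset accept DNS (port 53) on the VR, and whether the rules saved in /etc/iptables/rules.v4 were actually loaded. It parses iptables-save-formatted text, reports filter/INPUT rules that accept port 53 without both an input-interface (-i) and a source-network (-s) match, and diffs a saved rules file against the running ruleset, ignoring counters and comments. The running ruleset below is a trimmed copy of the filter table quoted above; the rules.v4 content and the guest CIDR 10.1.1.0/24 are constructed assumptions, not values from the page.

```python
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample: the filter-table rules from the running ruleset in the
# comment above, trimmed to the ones relevant to DNS.
RUNNING_RULESET = """\
# Generated by iptables-save v1.4.14 on Thu May 19 14:05:57 2016
*filter
:INPUT DROP [261517:15261324]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [270221736:125968907608]
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
"""

# Hypothetical /etc/iptables/rules.v4 (constructed, not from the page): the
# same rules, but with DNS limited to an assumed guest network 10.1.1.0/24.
SAVED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i eth0 -s 10.1.1.0/24 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -s 10.1.1.0/24 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
"""

Rule = Tuple[Optional[str], List[str]]  # (table name, rule tokens)


@dataclass
class DnsAccept:
    proto: Optional[str]
    in_iface: Optional[str]
    source: Optional[str]
    raw: str

    def is_scoped(self) -> bool:
        """True when the rule is bounded by both an interface and a source CIDR."""
        return self.in_iface is not None and self.source is not None


def _option(tokens: List[str], flag: str) -> Optional[str]:
    """Value following `flag` in a tokenised iptables rule, or None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == flag:
            return tokens[i + 1]
    return None


def parse_rules(text: str) -> Iterator[Rule]:
    """Yield (table, tokens) for each -A line of iptables-save output.

    Comments, '*table' headers, ':CHAIN policy [counters]' lines and COMMIT
    are consumed here, so counters never influence later comparisons.
    """
    table = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            yield table, line.split()


def find_dns_accepts(text: str) -> List[DnsAccept]:
    """filter/INPUT rules that ACCEPT traffic to port 53 (udp or tcp)."""
    found = []
    for table, tokens in parse_rules(text):
        if table != "filter" or tokens[1] != "INPUT":
            continue
        if _option(tokens, "--dport") != "53" or _option(tokens, "-j") != "ACCEPT":
            continue
        found.append(DnsAccept(proto=_option(tokens, "-p"),
                               in_iface=_option(tokens, "-i"),
                               source=_option(tokens, "-s"),
                               raw=" ".join(tokens)))
    return found


def unscoped_dns_accepts(text: str) -> List[str]:
    """DNS accept rules that lack an interface or a source-network match."""
    return [r.raw for r in find_dns_accepts(text) if not r.is_scoped()]


def rules_missing_from_running(saved: str, running: str) -> List[str]:
    """Rules in the saved file that the live ruleset does not contain.

    An empty list means the file was loaded in full; a non-empty list means
    the saved rules (e.g. rules.v4) never made it into the kernel.
    """
    live = {(t, " ".join(tok)) for t, tok in parse_rules(running)}
    return [" ".join(tok) for t, tok in parse_rules(saved)
            if (t, " ".join(tok)) not in live]


if __name__ == "__main__":
    for rule in unscoped_dns_accepts(RUNNING_RULESET):
        print("DNS accept without source scope:", rule)
    for rule in rules_missing_from_running(SAVED_RULESET, RUNNING_RULESET):
        print("in rules.v4 but not loaded:", rule)
```

On a real router, feed it `iptables-save` output and the contents of rules.v4 instead of the embedded samples; an interface-only match like `-i eth0` keeps DNS off the other NICs but still answers any source that can reach that interface, which is exactly the exposure the issue describes when the private network is internet-reachable.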