Hello Jayapal,

I know very little about the API yet.

I log in to the VRouter VM. Can I change the rules there to get it working?

On
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Egress+firewall+rules+for+guest+network

it mentions some chains, but I cannot find them inside my VRouter VM.

====================

The firewallRule_egress.sh script gets called on the virtual router.

The egress rules are added in the filter table, FW_EGRESS_RULES chain.

All the traffic from eth0 to eth2 (public interface) will be sent to the
FW_OUTBOUND chain.

iptables rules:

Default rules:

ipassoc.sh adds a rule to ACCEPT traffic from eth0 to the public interface.

Modified the rule to send egress traffic to the FW_OUTBOUND chain.

iptables -A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND

Rules added while configuring:

Ex: Egress rule to block the port 22 (ssh) traffic from 10.1.1.31/32

iptables -A FW_OUTBOUND -j EGRESS_FWRULES

iptables -A EGRESS_FWRULES -s 10.1.1.31/32 -p tcp --dport 22:22 -j ACCEPT
======================

Here is what the current iptables shows.

--------------------------------------------------------------------------------
root@r-4-VM:~# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
NETWORK_STATS  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             vrrp.mcast.net
ACCEPT     all  --  anywhere             225.0.0.50
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:3922
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http-alt
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:www

Chain FORWARD (policy DROP)
target     prot opt source               destination
NETWORK_STATS  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state NEW
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
NETWORK_STATS  all  --  anywhere             anywhere

Chain NETWORK_STATS (3 references)
target     prot opt source               destination
           all  --  anywhere             anywhere
           all  --  anywhere             anywhere
           tcp  --  anywhere             anywhere
           tcp  --  anywhere             anywhere
           all  --  anywhere             anywhere
           all  --  anywhere             anywhere
           tcp  --  anywhere             anywhere
           tcp  --  anywhere             anywhere
           all  --  anywhere             anywhere
           all  --  anywhere             anywhere
           tcp  --  anywhere             anywhere
           tcp  --  anywhere             anywhere
           all  --  anywhere             anywhere
           all  --  anywhere             anywhere
           tcp  --  anywhere             anywhere
           tcp  --  anywhere             anywhere
           all  --  anywhere             anywhere
           all  --  anywhere             anywhere
           tcp  --  anywhere             anywhere
           tcp  --  anywhere             anywhere
           all  --  anywhere             anywhere
           all  --  anywhere             anywhere
           tcp  --  anywhere             anywhere
           tcp  --  anywhere             anywhere


And has the link been fixed in Git?

Thank you so much.
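As an added example (not from the wiki page or the CloudStack router scripts), here is a POSIX shell check that reads an `iptables -L` dump and reports whether the FORWARD -> FW_OUTBOUND -> EGRESS_FWRULES wiring quoted from the wiki is actually present; the sample dump is a constructed, trimmed copy of the r-4-VM output above, and the function names are my own.

```shell
# Constructed sample: a trimmed copy of the r-4-VM dump above, which defines
# no FW_OUTBOUND or EGRESS_FWRULES chain at all.
SAMPLE_DUMP='Chain FORWARD (policy DROP)
target     prot opt source               destination
NETWORK_STATS  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain NETWORK_STATS (3 references)
target     prot opt source               destination
           all  --  anywhere             anywhere'

# Print the name of every chain defined in dump $1, one per line.
list_chains() {
    printf '%s\n' "$1" | awk '/^Chain / { print $2 }'
}
# Succeed if chain $2 is defined in dump $1.
has_chain() {
    list_chains "$1" | grep -qx "$2"
}
# Succeed if some rule in the FORWARD chain of dump $1 has target $2.
forward_jumps_to() {
    printf '%s\n' "$1" | awk -v tgt="$2" '
        /^Chain / { in_fwd = ($2 == "FORWARD") }
        in_fwd && $1 == tgt { found = 1 }
        END { exit found ? 0 : 1 }'
}
# Report each missing piece of the FORWARD -> FW_OUTBOUND -> EGRESS_FWRULES
# wiring; the return value is the number of problems (0 = wired as documented).
check_egress_wiring() {
    dump=$1; problems=0
    for chain in FW_OUTBOUND EGRESS_FWRULES; do
        has_chain "$dump" "$chain" || { echo "missing chain: $chain"; problems=$((problems + 1)); }
    done
    forward_jumps_to "$dump" FW_OUTBOUND || {
        echo "FORWARD has no jump to FW_OUTBOUND (wiki rule: iptables -A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND)"
        problems=$((problems + 1))
    }
    return "$problems"
}

# On the router itself, replace "$SAMPLE_DUMP" with "$(iptables -L -n)".
if check_egress_wiring "$SAMPLE_DUMP"; then
    echo "egress chains wired as documented"
else
    echo "egress rules have nowhere to land on this router"
fi
```

Run against the dump above it reports both chains missing and no FORWARD jump, which is why egress rules added through the API would have no effect on that router.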


On Wed, May 22, 2013 at 2:55 PM, Jayapal Reddy Uradi <
jayapalreddy.ur...@citrix.com> wrote:

>
> I think the UI link was missed, but it has been fixed since then.
> Try to add rules using the API 'createEgressFirewallRule'.
>
> Thanks,
> Jayapal
>
> On 22-May-2013, at 12:05 PM, wq meng <wqm...@gmail.com>
>  wrote:
>
> > Hello Jayapal,
> >
> >
> >
> https://cwiki.apache.org/CLOUDSTACK/egress-firewall-rules-for-guest-network.html
> >
> > I have checked Network -> Guest Network (Name) ->
> >
> > I cannot find any Egress firewall rule tab.
> >
> >
> > Have I missed something?
> >
> >
> > Thank you very much.
> >
> >
> >
> >
> > On Wed, May 22, 2013 at 1:23 PM, Jayapal Reddy Uradi <
> > jayapalreddy.ur...@citrix.com> wrote:
> >
> >> Hi,
> >>
> >> Did you configure the egress firewall rules on the guest network?
> >> You need to add egress rules to allow guest traffic.
> >>
> >> If it still does not work after adding the egress rule, please send the
> >> router iptables rules.
> >>
> >> Thanks,
> >> Jayapal
> >>
> >> On 22-May-2013, at 4:10 AM, wq meng <wqm...@gmail.com> wrote:
> >>
> >>> Hello
> >>>
> >>> Has anyone faced this problem? CS4.02 KVM Advanced Network, VM instance
> >>> cannot access public IP. NAT (Source)
> >>>
> >>>
> >>> The VM instance is running, but inside the VM instance it is not
> >>> possible to access the outside.
> >>>
> >>>
> >>> The VMs can ping each other, and it can ping google.com in the Virtual
> >>> Router VM.
> >>>
> >>> But it just cannot ping google.com inside the VM instance.
> >>>
> >>>
> >>> It seems that inside the VM instance it can resolve google.com's IP
> >>> address, but it cannot do anything else.
> >>>
> >>> Please see the following output.
> >>>
> >>>
> >>> ------------------------
> >>> [root@CentOS5-5 ~]# wget www.google.com
> >>> --2013-05-21 08:30:39--  http://www.google.com/
> >>> Resolving www.google.com... 173.194.64.104, 173.194.64.99, 173.194.64.105, ...
> >>> Connecting to www.google.com|173.194.64.104|:80...
> >>> [root@CentOS5-5 ~]# ls
> >>>
> >>> -------------------------
> >>> [root@CentOS5-5 ~]# iptables -L
> >>> Chain INPUT (policy ACCEPT)
> >>> target     prot opt source               destination
> >>> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
> >>>
> >>> Chain FORWARD (policy ACCEPT)
> >>> target     prot opt source               destination
> >>> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
> >>>
> >>> Chain OUTPUT (policy ACCEPT)
> >>> target     prot opt source               destination
> >>>
> >>> Chain RH-Firewall-1-INPUT (2 references)
> >>> target     prot opt source               destination
> >>> ACCEPT     all  --  anywhere             anywhere
> >>> ACCEPT     icmp --  anywhere             anywhere            icmp any
> >>> ACCEPT     esp  --  anywhere             anywhere
> >>> ACCEPT     ah   --  anywhere             anywhere
> >>> ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
> >>> ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
> >>> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
> >>> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> >>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
> >>> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
> >>> [root@CentOS5-5 ~]# ping 8.8.8.8
> >>> PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
> >>>
> >>> --- 8.8.8.8 ping statistics ---
> >>> 3 packets transmitted, 0 received, 100% packet loss, time 2000ms
> >>>
> >>> --------------------------
> >>> [root@CentOS5-5 ~]# ifconfig
> >>> eth0      Link encap:Ethernet  HWaddr 02:00:2D:C8:00:01
> >>>         inet addr:10.1.1.5  Bcast:10.1.1.255  Mask:255.255.255.0
> >>>         inet6 addr: fe80::2dff:fec8:1/64 Scope:Link
> >>>         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>>         RX packets:2442 errors:0 dropped:0 overruns:0 frame:0
> >>>         TX packets:2261 errors:0 dropped:0 overruns:0 carrier:0
> >>>         collisions:0 txqueuelen:1000
> >>>         RX bytes:174960 (170.8 KiB)  TX bytes:154159 (150.5 KiB)
> >>>
> >>> lo        Link encap:Local Loopback
> >>>         inet addr:127.0.0.1  Mask:255.0.0.0
> >>>         inet6 addr: ::1/128 Scope:Host
> >>>         UP LOOPBACK RUNNING  MTU:16436  Metric:1
> >>>         RX packets:32 errors:0 dropped:0 overruns:0 frame:0
> >>>         TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
> >>>         collisions:0 txqueuelen:0
> >>>         RX bytes:3913 (3.8 KiB)  TX bytes:3913 (3.8 KiB)
> >>>
> >>> ----------------------------
> >>>
> >>> [root@CentOS5-5 ~]# tracert www.google.com
> >>> traceroute to www.google.com (173.194.64.106), 30 hops max, 40 byte packets
> >>> 1  r-4-VM.cs2cloud.internal (10.1.1.1)  0.158 ms  0.136 ms  0.134 ms
> >>> 2  * * *
> >>> 3  * * *
> >>> 4  * * *
> >>> 5  * * *
> >>> 6  * * *
> >>> 7  * * *
> >>> 8  * * *
> >>> 9  * * *
> >>> 10  * * *
> >>> 11  * * *
> >>> 12  * * *
> >>> 13  * * *
> >>> 14  * * *
> >>> 15  * * *
> >>> 16  * * *
> >>> 17  * * *
> >>> 18  * * *
> >>> 19  * * *
> >>> 20  * * *
> >>> 21  * * *
> >>> 22  * * *
> >>> 23  * * *
> >>> 24  * * *
> >>> 25  * * *
> >>> 26  * * *
> >>> 27  * * *
> >>> 28  * * *
> >>> 29  * * *
> >>> 30  * * *
> >>>
> >>> ----------------
> >>>
> >>>
> >>> Any thoughts?
> >>>
> >>>
> >>>
> >>>
> >>> Thank you very much.
> >>
> >>
>
>
