Hello Jayapal,

Thanks for the update, I will try that. And some more information for you. I have tried the API createEgressFirewallRule, but it shows "Unknown API command: listEgressFirewallRules". Should it be that 4.0.2.20130521045123 does not have the APIs? Very confused.

<errorresponse cloud-stack-version="4.0.2.20130521045123"><errorcode>432</errorcode><cserrorcode>9999</cserrorcode><errortext>Unknown API command: createEgressFirewallRule</errortext></errorresponse>

<errorresponse cloud-stack-version="4.0.2.20130521045123"><errorcode>432</errorcode><cserrorcode>9999</cserrorcode><errortext>Unknown API command: listEgressFirewallRules</errortext></errorresponse>

Thank you so much.

On Wed, May 22, 2013 at 4:14 PM, Jayapal Reddy Uradi <jayapalreddy.ur...@citrix.com> wrote:
> By looking at the iptables rules, there is no egress rules feature in your deployment.
> In your case the issue seems to be different.
>
> Please do the below troubleshooting.
> Ping from the guest VM to the public subnet/google and try to capture the packets on the router guest interface and public interface.
> Check whether the packets are reaching the public interface of the VR or not.
>
> Also send iptables -L -nv output.
>
> Thanks,
> Jayapal
>
> On 22-May-2013, at 1:18 PM, wq meng <wqm...@gmail.com> wrote:
>
>> Hello Jayapal
>>
>> I know very little about the API yet.
>>
>> I logged in to the VRouter VM. Can I change the rules to get it working?
>>
>> On
>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Egress+firewall+rules+for+guest+network
>>
>> it lists some chains, but I cannot find them inside my VRouter VM.
>>
>> ====================
>>
>> firewallRule_egress.sh script gets called on the virtual router.
>>
>> The egress rules are added in the filter table, FW_EGRESS_RULES chain.
>>
>> All the traffic from eth0 to eth2 (public interface) will be sent to the FW_OUTBOUND chain.
>>
>> *iptables rules:*
>>
>> *Default rules:*
>>
>> ipassoc.sh adds a rule to ACCEPT traffic from eth0 to the public interface.
>>
>> Modified the rule to send egress traffic to the FW_OUTBOUND chain.
>>
>> *iptables -A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND*
>>
>> *Rules added while configuring:*
>>
>> Ex: Egress rule to block the port 22 (ssh) traffic from 10.1.1.31/32
>>
>> *iptables -A FW_OUTBOUND -j EGRESS_FWRULES*
>>
>> *iptables -A EGRESS_FWRULES -s 10.1.1.31/32 -p tcp --dport 22:22 -j ACCEPT*
>> ======================
>>
>> Here is how the current iptables shows.
>>
>> --------------------------------------------------------------------------------
>> root@r-4-VM:~# iptables -L
>> Chain INPUT (policy DROP)
>> target         prot opt source      destination
>> NETWORK_STATS  all  --  anywhere    anywhere
>> ACCEPT         all  --  anywhere    vrrp.mcast.net
>> ACCEPT         all  --  anywhere    225.0.0.50
>> ACCEPT         all  --  anywhere    anywhere        state RELATED,ESTABLISHED
>> ACCEPT         all  --  anywhere    anywhere        state RELATED,ESTABLISHED
>> ACCEPT         all  --  anywhere    anywhere        state RELATED,ESTABLISHED
>> ACCEPT         icmp --  anywhere    anywhere
>> ACCEPT         all  --  anywhere    anywhere
>> ACCEPT         udp  --  anywhere    anywhere        udp dpt:bootps
>> ACCEPT         udp  --  anywhere    anywhere        udp dpt:domain
>> ACCEPT         tcp  --  anywhere    anywhere        state NEW tcp dpt:3922
>> ACCEPT         tcp  --  anywhere    anywhere        state NEW tcp dpt:http-alt
>> ACCEPT         tcp  --  anywhere    anywhere        state NEW tcp dpt:www
>>
>> Chain FORWARD (policy DROP)
>> target         prot opt source      destination
>> NETWORK_STATS  all  --  anywhere    anywhere
>> ACCEPT         all  --  anywhere    anywhere        state RELATED,ESTABLISHED
>> ACCEPT         all  --  anywhere    anywhere
>> ACCEPT         all  --  anywhere    anywhere        state RELATED,ESTABLISHED
>> ACCEPT         all  --  anywhere    anywhere        state NEW
>> ACCEPT         all  --  anywhere    anywhere        state RELATED,ESTABLISHED
>> ACCEPT         all  --  anywhere    anywhere        state RELATED,ESTABLISHED
>> ACCEPT         all  --  anywhere    anywhere
>> ACCEPT         all  --  anywhere    anywhere        state RELATED,ESTABLISHED
>> ACCEPT         all  --  anywhere    anywhere
>> ACCEPT         all  --  anywhere    anywhere        state RELATED,ESTABLISHED
>> ACCEPT         all  --  anywhere    anywhere
>> ACCEPT         all  --  anywhere    anywhere        state RELATED,ESTABLISHED
>> ACCEPT         all  --  anywhere    anywhere
>> ACCEPT         all  --  anywhere    anywhere        state RELATED,ESTABLISHED
>> ACCEPT         all  --  anywhere    anywhere
>>
>> Chain OUTPUT (policy ACCEPT)
>> target         prot opt source      destination
>> NETWORK_STATS  all  --  anywhere    anywhere
>>
>> Chain NETWORK_STATS (3 references)
>> target         prot opt source      destination
>>                all  --  anywhere    anywhere
>>                all  --  anywhere    anywhere
>>                tcp  --  anywhere    anywhere
>>                tcp  --  anywhere    anywhere
>>                all  --  anywhere    anywhere
>>                all  --  anywhere    anywhere
>>                tcp  --  anywhere    anywhere
>>                tcp  --  anywhere    anywhere
>>                all  --  anywhere    anywhere
>>                all  --  anywhere    anywhere
>>                tcp  --  anywhere    anywhere
>>                tcp  --  anywhere    anywhere
>>                all  --  anywhere    anywhere
>>                all  --  anywhere    anywhere
>>                tcp  --  anywhere    anywhere
>>                tcp  --  anywhere    anywhere
>>                all  --  anywhere    anywhere
>>                all  --  anywhere    anywhere
>>                tcp  --  anywhere    anywhere
>>                tcp  --  anywhere    anywhere
>>                all  --  anywhere    anywhere
>>                all  --  anywhere    anywhere
>>                tcp  --  anywhere    anywhere
>>                tcp  --  anywhere    anywhere
>>
>> And has the link been fixed in Git?
>>
>> Thank you so much.
>>
>> On Wed, May 22, 2013 at 2:55 PM, Jayapal Reddy Uradi <jayapalreddy.ur...@citrix.com> wrote:
>>
>>> I think the UI link is missing, but it is fixed after that.
>>> Try to add rules using the API 'createEgressFirewallRule'
>>>
>>> Thanks,
>>> Jayapal
>>>
>>> On 22-May-2013, at 12:05 PM, wq meng <wqm...@gmail.com> wrote:
>>>
>>>> Hello Jayapal,
>>>>
>>>> https://cwiki.apache.org/CLOUDSTACK/egress-firewall-rules-for-guest-network.html
>>>>
>>>> I have checked Network -> Guest Network (Name) ->
>>>>
>>>> I cannot find any Egress firewall rule tab.
>>>>
>>>> Have I missed something?
>>>>
>>>> Thank you very much.
>>>>
>>>> On Wed, May 22, 2013 at 1:23 PM, Jayapal Reddy Uradi <jayapalreddy.ur...@citrix.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Did you configure the egress firewall rules on the guest network?
>>>>> You need to add egress rules to allow guest traffic.
>>>>>
>>>>> If it does not work after adding the egress rule, please send the router iptables rules.
>>>>>
>>>>> Thanks,
>>>>> Jayapal
>>>>>
>>>>> On 22-May-2013, at 4:10 AM, wq meng <wqm...@gmail.com> wrote:
>>>>>
>>>>>> Hello
>>>>>>
>>>>>> Has anyone faced this problem? CS4.02 KVM Advanced Network, VM instance cannot access public IP. NAT (Source)
>>>>>>
>>>>>> The VM instance is running, but inside the VM instance it is not possible to access the outside.
>>>>>>
>>>>>> The VMs can ping each other, and it can ping google.com in the *Virtual Router VM.*
>>>>>>
>>>>>> But it just cannot ping Google.com inside the VM instance.
>>>>>>
>>>>>> It seems that inside the VM instance it can resolve Google.com's IP address, BUT cannot do anything else.
>>>>>>
>>>>>> Please see the following output.
>>>>>>
>>>>>> ------------------------
>>>>>> [root@CentOS5-5 ~]# wget www.google.com
>>>>>> --2013-05-21 08:30:39--  http://www.google.com/
>>>>>> Resolving www.google.com... 173.194.64.104, 173.194.64.99, 173.194.64.105, ...
>>>>>> Connecting to www.google.com|173.194.64.104|:80...
>>>>>> [root@CentOS5-5 ~]# ls
>>>>>>
>>>>>> -------------------------
>>>>>> [root@CentOS5-5 ~]# iptables -L
>>>>>> Chain INPUT (policy ACCEPT)
>>>>>> target               prot opt source      destination
>>>>>> RH-Firewall-1-INPUT  all  --  anywhere    anywhere
>>>>>>
>>>>>> Chain FORWARD (policy ACCEPT)
>>>>>> target               prot opt source      destination
>>>>>> RH-Firewall-1-INPUT  all  --  anywhere    anywhere
>>>>>>
>>>>>> Chain OUTPUT (policy ACCEPT)
>>>>>> target               prot opt source      destination
>>>>>>
>>>>>> Chain RH-Firewall-1-INPUT (2 references)
>>>>>> target               prot opt source      destination
>>>>>> ACCEPT               all  --  anywhere    anywhere
>>>>>> ACCEPT               icmp --  anywhere    anywhere        icmp any
>>>>>> ACCEPT               esp  --  anywhere    anywhere
>>>>>> ACCEPT               ah   --  anywhere    anywhere
>>>>>> ACCEPT               udp  --  anywhere    224.0.0.251     udp dpt:mdns
>>>>>> ACCEPT               udp  --  anywhere    anywhere        udp dpt:ipp
>>>>>> ACCEPT               tcp  --  anywhere    anywhere        tcp dpt:ipp
>>>>>> ACCEPT               all  --  anywhere    anywhere        state RELATED,ESTABLISHED
>>>>>> ACCEPT               tcp  --  anywhere    anywhere        state NEW tcp dpt:ssh
>>>>>> REJECT               all  --  anywhere    anywhere        reject-with icmp-host-prohibited
>>>>>>
>>>>>> [root@CentOS5-5 ~]# ping 8.8.8.8
>>>>>> PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
>>>>>>
>>>>>> --- 8.8.8.8 ping statistics ---
>>>>>> 3 packets transmitted, 0 received, 100% packet loss, time 2000ms
>>>>>>
>>>>>> --------------------------
>>>>>> [root@CentOS5-5 ~]# ifconfig
>>>>>> eth0      Link encap:Ethernet  HWaddr 02:00:2D:C8:00:01
>>>>>>           inet addr:10.1.1.5  Bcast:10.1.1.255  Mask:255.255.255.0
>>>>>>           inet6 addr: fe80::2dff:fec8:1/64 Scope:Link
>>>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>>>>           RX packets:2442 errors:0 dropped:0 overruns:0 frame:0
>>>>>>           TX packets:2261 errors:0 dropped:0 overruns:0 carrier:0
>>>>>>           collisions:0 txqueuelen:1000
>>>>>>           RX bytes:174960 (170.8 KiB)  TX bytes:154159 (150.5 KiB)
>>>>>>
>>>>>> lo        Link encap:Local Loopback
>>>>>>           inet addr:127.0.0.1  Mask:255.0.0.0
>>>>>>           inet6 addr: ::1/128 Scope:Host
>>>>>>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>>>>>>           RX packets:32 errors:0 dropped:0 overruns:0 frame:0
>>>>>>           TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
>>>>>>           collisions:0 txqueuelen:0
>>>>>>           RX bytes:3913 (3.8 KiB)  TX bytes:3913 (3.8 KiB)
>>>>>>
>>>>>> ----------------------------
>>>>>>
>>>>>> [root@CentOS5-5 ~]# tracert www.google.com
>>>>>> traceroute to www.google.com (173.194.64.106), 30 hops max, 40 byte packets
>>>>>>  1  r-4-VM.cs2cloud.internal (10.1.1.1)  0.158 ms  0.136 ms  0.134 ms
>>>>>>  2  * * *
>>>>>>  3  * * *
>>>>>>  4  * * *
>>>>>>  5  * * *
>>>>>>  6  * * *
>>>>>>  7  * * *
>>>>>>  8  * * *
>>>>>>  9  * * *
>>>>>> 10  * * *
>>>>>> 11  * * *
>>>>>> 12  * * *
>>>>>> 13  * * *
>>>>>> 14  * * *
>>>>>> 15  * * *
>>>>>> 16  * * *
>>>>>> 17  * * *
>>>>>> 18  * * *
>>>>>> 19  * * *
>>>>>> 20  * * *
>>>>>> 21  * * *
>>>>>> 22  * * *
>>>>>> 23  * * *
>>>>>> 24  * * *
>>>>>> 25  * * *
>>>>>> 26  * * *
>>>>>> 27  * * *
>>>>>> 28  * * *
>>>>>> 29  * * *
>>>>>> 30  * * *
>>>>>>
>>>>>> ----------------
>>>>>>
>>>>>> Any thoughts?
>>>>>>
>>>>>> Thank you very much.
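The chain layout the quoted wiki excerpt describes (FORWARD hands eth0-to-eth2 traffic to FW_OUTBOUND, which jumps to EGRESS_FWRULES) can be checked mechanically on a router, which is what Jayapal does by eye when he reads the absence of the feature off the rule dump. The script below is an added example, not code from the thread or from CloudStack: it parses `iptables -S` output (rule-spec form, which, unlike the plain `iptables -L` pasted above, shows the interfaces) and reports whether the egress path is wired up and whether the pre-egress blanket ACCEPT from the guest interface is still in FORWARD. The two rule dumps embedded in it are constructed to resemble the thread's router and the wiki's layout; they are not captured output, and the interface names eth0/eth2 are taken from the wiki text.

```python
"""Check a CloudStack virtual router's iptables dump for the egress chains.

Added example (not from the thread or CloudStack). Feed it `iptables -S`
output; it reports whether FORWARD -> FW_OUTBOUND -> EGRESS_FWRULES exists.
"""
import shlex

# Constructed dump: a router without the egress feature, like the thread's
# r-4-VM, which has only the built-in chains plus NETWORK_STATS.
NO_EGRESS = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N NETWORK_STATS
-A INPUT -j NETWORK_STATS
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j NETWORK_STATS
-A FORWARD -i eth0 -o eth2 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j NETWORK_STATS
"""

# Constructed dump: the layout the wiki page describes, with the wiki's
# one example rule (10.1.1.31/32 to TCP/22) in EGRESS_FWRULES.
WITH_EGRESS = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N NETWORK_STATS
-N FW_OUTBOUND
-N EGRESS_FWRULES
-A FORWARD -j NETWORK_STATS
-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FW_OUTBOUND -j EGRESS_FWRULES
-A EGRESS_FWRULES -s 10.1.1.31/32 -p tcp --dport 22:22 -j ACCEPT
"""


def parse_rules(dump):
    """Return {chain: [rule argv, ...]} from `iptables -S` text.

    -P and -N lines register a chain; -A lines append the rest of the
    line (already a rule spec) to that chain's list.
    """
    chains = {}
    for line in dump.splitlines():
        argv = shlex.split(line)
        if not argv:
            continue
        if argv[0] in ("-P", "-N"):
            chains.setdefault(argv[1], [])
        elif argv[0] == "-A":
            chains.setdefault(argv[1], []).append(argv[2:])
    return chains


def jump_targets(chains, chain):
    """User-defined chains that `chain` jumps to with -j, in rule order."""
    targets = []
    for rule in chains.get(chain, []):
        for i, tok in enumerate(rule[:-1]):
            if tok in ("-j", "--jump") and rule[i + 1] in chains:
                targets.append(rule[i + 1])
    return targets


def egress_path_present(chains):
    """True when FORWARD -> FW_OUTBOUND -> EGRESS_FWRULES is wired up."""
    return ("FW_OUTBOUND" in jump_targets(chains, "FORWARD")
            and "EGRESS_FWRULES" in jump_targets(chains, "FW_OUTBOUND"))


def _opt(rule, flag):
    """Value following `flag` in a rule spec, or None."""
    return rule[rule.index(flag) + 1] if flag in rule[:-1] else None


def guest_to_public_accept(chains, guest="eth0", public="eth2"):
    """True if FORWARD still carries the blanket guest->public ACCEPT that
    the wiki says ipassoc.sh installs before the egress feature replaces it."""
    return any(_opt(r, "-i") == guest and _opt(r, "-o") == public
               and _opt(r, "-j") == "ACCEPT"
               for r in chains.get("FORWARD", []))


def diagnose(dump):
    """One-line verdict a router operator can act on."""
    chains = parse_rules(dump)
    if egress_path_present(chains):
        return "egress feature present: %d rule(s) in EGRESS_FWRULES" % len(
            chains["EGRESS_FWRULES"])
    if guest_to_public_accept(chains):
        return "no egress chains; FORWARD accepts guest->public unconditionally"
    return "no egress chains and no guest->public ACCEPT in FORWARD"


if __name__ == "__main__":
    # On a real router: iptables -S | python3 this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else NO_EGRESS
    print(diagnose(text))
```

The third verdict is the interesting one for a thread like this: a router with neither the egress chains nor the blanket ACCEPT has a FORWARD policy of DROP and nothing that lets new guest-to-public flows through, which is exactly the symptom of a guest that can resolve names (DNS is served by the router itself) but cannot reach anything beyond it.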
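Since the thread moves from the missing UI tab to calling the API directly, here is an added example, not code from the thread or from CloudStack, of building a signed query-API request in Python using CloudStack's documented signing scheme: URL-encode each value, sort the key=value pairs by key case-insensitively, lowercase the whole query string, HMAC-SHA1 it with the secret key, base64 the digest and append it URL-encoded as `signature`. The endpoint, API key, secret key and network id are placeholders; the parameter names for createEgressFirewallRule (networkid, protocol, cidrlist, startport, endport) are those of the releases that expose the command. As the two error responses at the top of the message show, a 4.0.2 management server answers "Unknown API command" for it, so a correctly signed request still only helps against a release that lists the command.

```python
"""Sign a CloudStack query-API request (added example, not CloudStack code).

Scheme: canonical sorted query -> lowercase -> HMAC-SHA1(secret) -> base64
-> URL-encoded `signature` parameter. Keys and endpoint below are placeholders.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholders; real values come from the account's API keys.
ENDPOINT = "http://management.example/client/api"
API_KEY = "apikey-placeholder"
SECRET_KEY = "secretkey-placeholder"


def canonical_query(params):
    """Sorted, URL-encoded query string that both client and server sign.

    Sorting is case-insensitive on the key. Values are percent-encoded with
    no safe characters so '/' in a CIDR becomes %2F and a space becomes %20,
    matching what the server will reconstruct before it lowercases.
    """
    pairs = sorted(params.items(), key=lambda kv: kv[0].lower())
    return "&".join("%s=%s" % (k, quote(str(v), safe="")) for k, v in pairs)


def sign(query, secret):
    """Base64 of HMAC-SHA1 over the lowercased canonical query."""
    mac = hmac.new(secret.encode(), query.lower().encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def signed_url(command, secret=SECRET_KEY, api_key=API_KEY,
               endpoint=ENDPOINT, **args):
    """Full GET URL for `command` with the given API arguments."""
    params = dict(args, command=command, apiKey=api_key, response="json")
    query = canonical_query(params)
    return "%s?%s&signature=%s" % (endpoint, query,
                                   quote(sign(query, secret), safe=""))


def verify(query, signature, secret):
    """What the server side does; constant-time compare avoids a timing leak."""
    return hmac.compare_digest(sign(query, secret), signature)


# Egress rule with the wiki's example match (10.1.1.31/32 to TCP/22).
# The networkid is a constructed placeholder, not a real network.
EGRESS_RULE = dict(
    networkid="00000000-0000-0000-0000-000000000000",
    protocol="tcp", cidrlist="10.1.1.31/32", startport=22, endport=22,
)

if __name__ == "__main__":
    # Fetch this URL with any HTTP client; on 4.0.2 expect errorcode 432.
    print(signed_url("createEgressFirewallRule", **EGRESS_RULE))
```

Two details trip people up in practice: the signature is computed over the lowercased string but the URL you send keeps the original case (apiKey, not apikey), and any value containing `/`, `+` or a space must be encoded identically on both sides, which is why the CIDR is encoded with `quote(..., safe="")` rather than left raw.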