Hello Jayapal,

I downloaded the latest 4.02 source code. Has 4.02 removed the egress feature?

I will try the iptables trick. Thank you so much.

On Wed, May 22, 2013 at 6:41 PM, Jayapal Reddy Uradi <jayapalreddy.ur...@citrix.com> wrote:

> In your CS version the egress rules feature is not present.
> That's the reason CS says Unknown API.
> I checked your iptables rules also; the egress rules' default block rules are
> not present.
> You can ignore the egress firewall rules.
>
> Check whether there is a rule in your router to accept guest traffic to public.
> If not, add the iptables rule below on the router. This rule allows guest
> traffic to the public network.
>
> iptables -A FORWARD -i <guest interface name> -o <public interface name> -j ACCEPT
>
> Thanks,
> jayapal
>
> On 22-May-2013, at 4:03 PM, wq meng <wqm...@gmail.com> wrote:
>
> > Hello Jayapal
> >
> > If CS4.02 by default blocks the VM from accessing the public side, and in the UI
> > there is no link to change it. As you saw, the API has no API names to
> > change it either.
> >
> > How to fix the problem?
> >
> > I will reload the OS and set up CS4.02 again to check if that fixes it.
> >
> > Thank you so much.
> >
> > On Wed, May 22, 2013 at 6:23 PM, Jayapal Reddy Uradi <jayapalreddy.ur...@citrix.com> wrote:
> >
> >> If from the VM you are not able to ping the public side then it is your setup
> >> issue.
> >> It can be debugged by capturing packets on the router guest interface and
> >> public interface to see whether the packets are reaching the router or not.
> >>
> >> Thanks,
> >> Jayapal
> >>
> >> On 22-May-2013, at 3:49 PM, Jayapal Reddy Uradi <jayapalreddy.ur...@citrix.com> wrote:
> >>
> >>> You need pinging of the router VM public IP from the public network/subnet?
> >>> - You need to add an icmp firewall rule on the public IP to enable ping
> >>> requests on the public IP.
> >>>
> >>> Thanks,
> >>> Jayapal
> >>>
> >>> On 22-May-2013, at 3:45 PM, wq meng <wqm...@gmail.com> wrote:
> >>>
> >>>> Hello Jayapal
> >>>>
> >>>> There is no problem pinging Google from the Router VM; the only problem is that
> >>>> I can not ping the Router VM public IP from outside.
> >>>>
> >>>> root@r-4-VM:~# ping www.google.com
> >>>> PING www.google.com (173.194.64.147): 56 data bytes
> >>>> 64 bytes from 173.194.64.147: icmp_seq=0 ttl=48 time=53.194 ms
> >>>> 64 bytes from 173.194.64.147: icmp_seq=1 ttl=48 time=53.190 ms
> >>>> 64 bytes from 173.194.64.147: icmp_seq=2 ttl=48 time=53.286 ms
> >>>> 64 bytes from 173.194.64.147: icmp_seq=3 ttl=48 time=53.207 ms
> >>>> ^C--- www.google.com ping statistics ---
> >>>> 4 packets transmitted, 4 packets received, 0% packet loss
> >>>> round-trip min/avg/max/stddev = 53.190/53.219/53.286/0.039 ms
> >>>>
> >>>> root@r-4-VM:~# iptables -L -nv
> >>>> Chain INPUT (policy DROP 583 packets, 18656 bytes)
> >>>>  pkts bytes target        prot opt in   out  source     destination
> >>>>  7009 1074K NETWORK_STATS all  --  *    *    0.0.0.0/0  0.0.0.0/0
> >>>>     0     0 ACCEPT        all  --  *    *    0.0.0.0/0  224.0.0.18
> >>>>     0     0 ACCEPT        all  --  *    *    0.0.0.0/0  225.0.0.50
> >>>>     0     0 ACCEPT        all  --  eth0 *    0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED
> >>>>  5619 1007K ACCEPT        all  --  eth1 *    0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED
> >>>>    24  2906 ACCEPT        all  --  eth2 *    0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED
> >>>>    57  4825 ACCEPT        icmp --  *    *    0.0.0.0/0  0.0.0.0/0
> >>>>     5   293 ACCEPT        all  --  lo   *    0.0.0.0/0  0.0.0.0/0
> >>>>     0     0 ACCEPT        udp  --  eth0 *    0.0.0.0/0  0.0.0.0/0   udp dpt:67
> >>>>   349 24753 ACCEPT        udp  --  eth0 *    0.0.0.0/0  0.0.0.0/0   udp dpt:53
> >>>>   318 19080 ACCEPT        tcp  --  eth1 *    0.0.0.0/0  0.0.0.0/0   state NEW tcp dpt:3922
> >>>>     0     0 ACCEPT        tcp  --  eth0 *    0.0.0.0/0  0.0.0.0/0   state NEW tcp dpt:8080
> >>>>     0     0 ACCEPT        tcp  --  eth0 *    0.0.0.0/0  0.0.0.0/0   state NEW tcp dpt:80
> >>>>
> >>>> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> >>>>  pkts bytes target        prot opt in   out  source     destination
> >>>>  8735 1159K NETWORK_STATS all  --  *    *    0.0.0.0/0  0.0.0.0/0
> >>>>     0     0 ACCEPT        all  --  eth0 eth1 0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED
> >>>>  4746  775K ACCEPT        all  --  eth0 eth2 0.0.0.0/0  0.0.0.0/0
> >>>>  3657  364K ACCEPT        all  --  eth2 eth0 0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED
> >>>>     0     0 ACCEPT        all  --  eth0 eth0 0.0.0.0/0  0.0.0.0/0   state NEW
> >>>>     0     0 ACCEPT        all  --  eth0 eth0 0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED
> >>>>     0     0 ACCEPT        all  --  eth3 eth0 0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED
> >>>>     0     0 ACCEPT        all  --  eth0 eth3 0.0.0.0/0  0.0.0.0/0
> >>>>     0     0 ACCEPT        tcp  --  *    *    0.0.0.0/0  10.1.1.5    state RELATED,ESTABLISHED /* 198.105.191.245:22:22 */
> >>>>   332 19920 ACCEPT        tcp  --  *    *    0.0.0.0/0  10.1.1.5    tcp dpt:22 state NEW /* 198.105.191.245:22:22 */
> >>>>     0     0 ACCEPT        tcp  --  *    *    0.0.0.0/0  10.1.1.5    state RELATED,ESTABLISHED /* 198.105.191.245:80:80 */
> >>>>     0     0 ACCEPT        tcp  --  *    *    0.0.0.0/0  10.1.1.5    tcp dpt:80 state NEW /* 198.105.191.245:80:80 */
> >>>>     0     0 ACCEPT        all  --  eth4 eth0 0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED
> >>>>     0     0 ACCEPT        all  --  eth0 eth4 0.0.0.0/0  0.0.0.0/0
> >>>>     0     0 ACCEPT        all  --  eth5 eth0 0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED
> >>>>     0     0 ACCEPT        all  --  eth0 eth5 0.0.0.0/0  0.0.0.0/0
> >>>>     0     0 ACCEPT        all  --  eth6 eth0 0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED
> >>>>     0     0 ACCEPT        all  --  eth0 eth6 0.0.0.0/0  0.0.0.0/0
> >>>>     0     0 ACCEPT        all  --  eth7 eth0 0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED
> >>>>     0     0 ACCEPT        all  --  eth0 eth7 0.0.0.0/0  0.0.0.0/0
> >>>>
> >>>> Chain OUTPUT (policy ACCEPT 704 packets, 122K bytes)
> >>>>  pkts bytes target        prot opt in   out  source     destination
> >>>>  6195 1039K NETWORK_STATS all  --  *    *    0.0.0.0/0  0.0.0.0/0
> >>>>
> >>>> Chain NETWORK_STATS (3 references)
> >>>>  pkts bytes target        prot opt in    out   source     destination
> >>>>  4746  775K               all  --  eth0  eth2  0.0.0.0/0  0.0.0.0/0
> >>>>  3989  384K               all  --  eth2  eth0  0.0.0.0/0  0.0.0.0/0
> >>>>     0     0               tcp  --  !eth0 eth2  0.0.0.0/0  0.0.0.0/0
> >>>>     2   100               tcp  --  eth2  !eth0 0.0.0.0/0  0.0.0.0/0
> >>>>     0     0               all  --  eth0  eth3  0.0.0.0/0  0.0.0.0/0
> >>>>     0     0               all  --  eth3  eth0  0.0.0.0/0  0.0.0.0/0
> >>>>     0     0               tcp  --  !eth0 eth3  0.0.0.0/0  0.0.0.0/0
> >>>>     0     0               tcp  --  eth3  !eth0 0.0.0.0/0  0.0.0.0/0
> >>>>     0     0               all  --  eth0  eth4  0.0.0.0/0  0.0.0.0/0
> >>>>     0     0               all  --  eth4  eth0  0.0.0.0/0  0.0.0.0/0
> >>>>     0     0               tcp  --  !eth0 eth4  0.0.0.0/0  0.0.0.0/0
> >>>>     0     0               tcp  --  eth4  !eth0 0.0.0.0/0  0.0.0.0/0
> >>>>     0     0               all  --  eth0  eth5  0.0.0.0/0  0.0.0.0/0
> >>>>     0     0               all  --  eth5  eth0  0.0.0.0/0  0.0.0.0/0
> >>>>     0     0               tcp  --  !eth0 eth5  0.0.0.0/0  0.0.0.0/0
> >>>>     0     0               tcp  --  eth5  !eth0 0.0.0.0/0  0.0.0.0/0
> >>>>     0     0               all  --  eth0  eth6  0.0.0.0/0  0.0.0.0/0
> >>>>     0     0               all  --  eth6  eth0  0.0.0.0/0  0.0.0.0/0
> >>>>     0     0               tcp  --  !eth0 eth6  0.0.0.0/0  0.0.0.0/0
> >>>>     0     0               tcp  --  eth6  !eth0 0.0.0.0/0  0.0.0.0/0
> >>>>     0     0               all  --  eth0  eth7  0.0.0.0/0  0.0.0.0/0
> >>>>     0     0               all  --  eth7  eth0  0.0.0.0/0  0.0.0.0/0
> >>>>     0     0               tcp  --  !eth0 eth7  0.0.0.0/0  0.0.0.0/0
> >>>>     0     0               tcp  --  eth7  !eth0 0.0.0.0/0  0.0.0.0/0
> >>>> root@r-4-VM:~#
> >>>>
> >>>> ------------------------------------------------------------------------------------
> >>>> Below is from the Guest VM instance.
> >>>>
> >>>> Not sure how to capture the packets.
> >>>>
> >>>> But I did a tracepath www.google.com inside the guest VM.
> >>>>
> >>>> From the output,
> >>>>
> >>>> [root@CentOS5-5 ~]# tracepath www.google.com
> >>>>  1:  r-4-VM.cs2cloud.internal (10.1.1.1)   0.149ms
> >>>>  2:  no reply
> >>>>  3:  no reply
> >>>>  4:  no reply
> >>>>
> >>>> [root@CentOS5-5 ~]# iptables -L -nv
> >>>> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
> >>>>  pkts bytes target              prot opt in   out  source     destination
> >>>> 15198 1412K RH-Firewall-1-INPUT all  --  *    *    0.0.0.0/0  0.0.0.0/0
> >>>>
> >>>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> >>>>  pkts bytes target              prot opt in   out  source     destination
> >>>>     0     0 RH-Firewall-1-INPUT all  --  *    *    0.0.0.0/0  0.0.0.0/0
> >>>>
> >>>> Chain OUTPUT (policy ACCEPT 17238 packets, 7377K bytes)
> >>>>  pkts bytes target              prot opt in   out  source     destination
> >>>>
> >>>> Chain RH-Firewall-1-INPUT (2 references)
> >>>>  pkts bytes target              prot opt in   out  source     destination
> >>>>    56  9116 ACCEPT              all  --  lo   *    0.0.0.0/0  0.0.0.0/0
> >>>>    22  3360 ACCEPT              icmp --  *    *    0.0.0.0/0  0.0.0.0/0    icmp type 255
> >>>>     0     0 ACCEPT              esp  --  *    *    0.0.0.0/0  0.0.0.0/0
> >>>>     0     0 ACCEPT              ah   --  *    *    0.0.0.0/0  0.0.0.0/0
> >>>>    13  2124 ACCEPT              udp  --  *    *    0.0.0.0/0  224.0.0.251  udp dpt:5353
> >>>>     0     0 ACCEPT              udp  --  *    *    0.0.0.0/0  0.0.0.0/0    udp dpt:631
> >>>>     0     0 ACCEPT              tcp  --  *    *    0.0.0.0/0  0.0.0.0/0    tcp dpt:631
> >>>> 13536 1320K ACCEPT              all  --  *    *    0.0.0.0/0  0.0.0.0/0    state RELATED,ESTABLISHED
> >>>>   931 55796 ACCEPT              tcp  --  *    *    0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:22
> >>>>   640 21690 REJECT              all  --  *    *    0.0.0.0/0  0.0.0.0/0    reject-with icmp-host-prohibited
> >>>>
> >>>> Inside the VM, I can ping other VMs' guest IPs.
> >>>>
> >>>> [root@CentOS5-5 ~]# ping 10.1.1.36
> >>>> PING 10.1.1.36 (10.1.1.36) 56(84) bytes of data.
> >>>> 64 bytes from 10.1.1.36: icmp_seq=1 ttl=64 time=1.32 ms
> >>>> 64 bytes from 10.1.1.36: icmp_seq=2 ttl=64 time=0.156 ms
> >>>> 64 bytes from 10.1.1.36: icmp_seq=3 ttl=64 time=0.134 ms
> >>>>
> >>>> --- 10.1.1.36 ping statistics ---
> >>>> 3 packets transmitted, 3 received, 0% packet loss, time 2000ms
> >>>> rtt min/avg/max/mdev = 0.134/0.538/1.326/0.557 ms
> >>>> [root@CentOS5-5 ~]# ifconfig
> >>>> eth0      Link encap:Ethernet  HWaddr 02:00:2D:C8:00:01
> >>>>           inet addr:10.1.1.5  Bcast:10.1.1.255  Mask:255.255.255.0
> >>>>           inet6 addr: fe80::2dff:fec8:1/64 Scope:Link
> >>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>>>           RX packets:16846 errors:0 dropped:0 overruns:0 frame:0
> >>>>           TX packets:18252 errors:0 dropped:0 overruns:0 carrier:0
> >>>>           collisions:0 txqueuelen:1000
> >>>>           RX bytes:1716037 (1.6 MiB)  TX bytes:7661658 (7.3 MiB)
> >>>>
> >>>> lo        Link encap:Local Loopback
> >>>>           inet addr:127.0.0.1  Mask:255.0.0.0
> >>>>           inet6 addr: ::1/128 Scope:Host
> >>>>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
> >>>>           RX packets:56 errors:0 dropped:0 overruns:0 frame:0
> >>>>           TX packets:56 errors:0 dropped:0 overruns:0 carrier:0
> >>>>           collisions:0 txqueuelen:0
> >>>>           RX bytes:9116 (8.9 KiB)  TX bytes:9116 (8.9 KiB)
> >>>>
> >>>> [root@CentOS5-5 ~]# ping www.google.com
> >>>> PING www.google.com (173.194.64.104) 56(84) bytes of data.
> >>>> ^C
> >>>> --- www.google.com ping statistics ---
> >>>> 6 packets transmitted, 0 received, 100% packet loss, time 5000ms
> >>>>
> >>>> Any problems?
> >>>>
> >>>> Thank you so much.
> >>>>
> >>>> On Wed, May 22, 2013 at 4:14 PM, Jayapal Reddy Uradi <jayapalreddy.ur...@citrix.com> wrote:
> >>>>
> >>>>> By looking at the iptables rules, there is no egress rules feature in your
> >>>>> deployment.
> >>>>> In your case the issue seems to be different.
> >>>>>
> >>>>> Please do the below troubleshooting.
> >>>>> Ping from the guest vm to public subnet/google and try to capture the
> >>>>> packets on the router guest interface and public interface.
> >>>>> Check whether the packets are reaching the public interface of the VR or not.
> >>>>>
> >>>>> Also send iptables -L -nv output.
> >>>>>
> >>>>> Thanks,
> >>>>> Jayapal
> >>>>>
> >>>>> On 22-May-2013, at 1:18 PM, wq meng <wqm...@gmail.com> wrote:
> >>>>>
> >>>>>> Hello Jayapal
> >>>>>>
> >>>>>> I know very little about the API yet.
> >>>>>>
> >>>>>> I logged in to the VRouter VM. Can I change the rules to get it to work?
> >>>>>>
> >>>>>> On
> >>>>>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Egress+firewall+rules+for+guest+network
> >>>>>>
> >>>>>> it says some chains, but I can not find them inside my VRouter VM.
> >>>>>>
> >>>>>> ====================
> >>>>>>
> >>>>>> firewallRule_egress.sh script gets called on the virtual router.
> >>>>>>
> >>>>>> The egress rules are added in the filter table, FW_EGRESS_RULES chain.
> >>>>>>
> >>>>>> All the traffic from eth0 to eth2 (public interface) will be sent to the
> >>>>>> FW_OUTBOUND chain.
> >>>>>>
> >>>>>> *iptables rules:*
> >>>>>>
> >>>>>> *Default rules:*
> >>>>>>
> >>>>>> ipassoc.sh adds a rule to ACCEPT traffic from eth0 to the public interface.
> >>>>>>
> >>>>>> Modified the rule to send egress traffic to the FW_OUTBOUND chain.
> >>>>>>
> >>>>>> *iptables -A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND*
> >>>>>>
> >>>>>> *Rules added while configuring:*
> >>>>>>
> >>>>>> Ex: Egress rule to block the port 22 (ssh) traffic from 10.1.1.31/32
> >>>>>>
> >>>>>> *iptables -A FW_OUTBOUND -j EGRESS_FWRULES*
> >>>>>>
> >>>>>> *iptables -A EGRESS_FWRULES -s 10.1.1.31/32 -p tcp --dport 22:22 -j ACCEPT*
> >>>>>> ======================
> >>>>>>
> >>>>>> Here is how the current iptables shows.
> >>>>>>
> >>>>>> --------------------------------------------------------------------------------
> >>>>>> root@r-4-VM:~# iptables -L
> >>>>>> Chain INPUT (policy DROP)
> >>>>>> target        prot opt source    destination
> >>>>>> NETWORK_STATS all  --  anywhere  anywhere
> >>>>>> ACCEPT        all  --  anywhere  vrrp.mcast.net
> >>>>>> ACCEPT        all  --  anywhere  225.0.0.50
> >>>>>> ACCEPT        all  --  anywhere  anywhere        state RELATED,ESTABLISHED
> >>>>>> ACCEPT        all  --  anywhere  anywhere        state RELATED,ESTABLISHED
> >>>>>> ACCEPT        all  --  anywhere  anywhere        state RELATED,ESTABLISHED
> >>>>>> ACCEPT        icmp --  anywhere  anywhere
> >>>>>> ACCEPT        all  --  anywhere  anywhere
> >>>>>> ACCEPT        udp  --  anywhere  anywhere        udp dpt:bootps
> >>>>>> ACCEPT        udp  --  anywhere  anywhere        udp dpt:domain
> >>>>>> ACCEPT        tcp  --  anywhere  anywhere        state NEW tcp dpt:3922
> >>>>>> ACCEPT        tcp  --  anywhere  anywhere        state NEW tcp dpt:http-alt
> >>>>>> ACCEPT        tcp  --  anywhere  anywhere        state NEW tcp dpt:www
> >>>>>>
> >>>>>> Chain FORWARD (policy DROP)
> >>>>>> target        prot opt source    destination
> >>>>>> NETWORK_STATS all  --  anywhere  anywhere
> >>>>>> ACCEPT        all  --  anywhere  anywhere        state RELATED,ESTABLISHED
> >>>>>> ACCEPT        all  --  anywhere  anywhere
> >>>>>> ACCEPT        all  --  anywhere  anywhere        state RELATED,ESTABLISHED
> >>>>>> ACCEPT        all  --  anywhere  anywhere        state NEW
> >>>>>> ACCEPT        all  --  anywhere  anywhere        state RELATED,ESTABLISHED
> >>>>>> ACCEPT        all  --  anywhere  anywhere        state RELATED,ESTABLISHED
> >>>>>> ACCEPT        all  --  anywhere  anywhere
> >>>>>> ACCEPT        all  --  anywhere  anywhere        state RELATED,ESTABLISHED
> >>>>>> ACCEPT        all  --  anywhere  anywhere
> >>>>>> ACCEPT        all  --  anywhere  anywhere        state RELATED,ESTABLISHED
> >>>>>> ACCEPT        all  --  anywhere  anywhere
> >>>>>> ACCEPT        all  --  anywhere  anywhere        state RELATED,ESTABLISHED
> >>>>>> ACCEPT        all  --  anywhere  anywhere
> >>>>>> ACCEPT        all  --  anywhere  anywhere        state RELATED,ESTABLISHED
> >>>>>> ACCEPT        all  --  anywhere  anywhere
> >>>>>>
> >>>>>> Chain OUTPUT (policy ACCEPT)
> >>>>>> target        prot opt source    destination
> >>>>>> NETWORK_STATS all  --  anywhere  anywhere
> >>>>>>
> >>>>>> Chain NETWORK_STATS (3 references)
> >>>>>> target        prot opt source    destination
> >>>>>>               all  --  anywhere  anywhere
> >>>>>>               all  --  anywhere  anywhere
> >>>>>>               tcp  --  anywhere  anywhere
> >>>>>>               tcp  --  anywhere  anywhere
> >>>>>>               all  --  anywhere  anywhere
> >>>>>>               all  --  anywhere  anywhere
> >>>>>>               tcp  --  anywhere  anywhere
> >>>>>>               tcp  --  anywhere  anywhere
> >>>>>>               all  --  anywhere  anywhere
> >>>>>>               all  --  anywhere  anywhere
> >>>>>>               tcp  --  anywhere  anywhere
> >>>>>>               tcp  --  anywhere  anywhere
> >>>>>>               all  --  anywhere  anywhere
> >>>>>>               all  --  anywhere  anywhere
> >>>>>>               tcp  --  anywhere  anywhere
> >>>>>>               tcp  --  anywhere  anywhere
> >>>>>>               all  --  anywhere  anywhere
> >>>>>>               all  --  anywhere  anywhere
> >>>>>>               tcp  --  anywhere  anywhere
> >>>>>>               tcp  --  anywhere  anywhere
> >>>>>>               all  --  anywhere  anywhere
> >>>>>>               all  --  anywhere  anywhere
> >>>>>>               tcp  --  anywhere  anywhere
> >>>>>>               tcp  --  anywhere  anywhere
> >>>>>>
> >>>>>> And has the link been fixed in Git?
> >>>>>>
> >>>>>> Thank you so much.
> >>>>>>
> >>>>>> On Wed, May 22, 2013 at 2:55 PM, Jayapal Reddy Uradi <jayapalreddy.ur...@citrix.com> wrote:
> >>>>>>
> >>>>>>> I think the UI link is missing but it is fixed after that.
> >>>>>>> Try to add rules using the API 'createEgressFirewallRule'.
> >>>>>>>
> >>>>>>> Thanks,
> >>>>>>> Jayapal
> >>>>>>>
> >>>>>>> On 22-May-2013, at 12:05 PM, wq meng <wqm...@gmail.com> wrote:
> >>>>>>>
> >>>>>>>> Hello Jayapal,
> >>>>>>>>
> >>>>>>>> https://cwiki.apache.org/CLOUDSTACK/egress-firewall-rules-for-guest-network.html
> >>>>>>>>
> >>>>>>>> I have checked Network -> Guest Network (Name) ->
> >>>>>>>>
> >>>>>>>> I can not find any Egress firewall rule tab.
> >>>>>>>>
> >>>>>>>> Have I missed something?
> >>>>>>>>
> >>>>>>>> Thank you very much.
> >>>>>>>>
> >>>>>>>> On Wed, May 22, 2013 at 1:23 PM, Jayapal Reddy Uradi <jayapalreddy.ur...@citrix.com> wrote:
> >>>>>>>>
> >>>>>>>>> Hi,
> >>>>>>>>>
> >>>>>>>>> Did you configure the egress firewall rules on the guest network?
> >>>>>>>>> You need to add egress rules to allow guest traffic.
> >>>>>>>>>
> >>>>>>>>> If after adding the egress rule it does not work, please send the router iptables
> >>>>>>>>> rules.
> >>>>>>>>>
> >>>>>>>>> Thanks,
> >>>>>>>>> Jayapal
> >>>>>>>>>
> >>>>>>>>> On 22-May-2013, at 4:10 AM, wq meng <wqm...@gmail.com> wrote:
> >>>>>>>>>
> >>>>>>>>>> Hello
> >>>>>>>>>>
> >>>>>>>>>> Has anyone faced this problem? CS4.02 KVM Advanced Network, VM instance
> >>>>>>>>>> can not access public IP. NAT(Source)
> >>>>>>>>>>
> >>>>>>>>>> The VM instance is running, but inside the VM instance, it is not
> >>>>>>>>>> possible to access outside.
> >>>>>>>>>>
> >>>>>>>>>> VMs can ping each other, and it can ping google.com in the *Virtual Router
> >>>>>>>>>> VM.*
> >>>>>>>>>>
> >>>>>>>>>> But it just can not ping Google.com inside the VM instance.
> >>>>>>>>>>
> >>>>>>>>>> It seems inside the VM instance it can resolve Google.com's IP
> >>>>>>>>>> address, BUT can not do anything else.
> >>>>>>>>>>
> >>>>>>>>>> Please see the following output.
> >>>>>>>>>>
> >>>>>>>>>> ------------------------
> >>>>>>>>>> [root@CentOS5-5 ~]# wget www.google.com
> >>>>>>>>>> --2013-05-21 08:30:39--  http://www.google.com/
> >>>>>>>>>> Resolving www.google.com... 173.194.64.104, 173.194.64.99, 173.194.64.105, ...
> >>>>>>>>>> Connecting to www.google.com|173.194.64.104|:80...
> >>>>>>>>>> [root@CentOS5-5 ~]# ls
> >>>>>>>>>>
> >>>>>>>>>> -------------------------
> >>>>>>>>>> [root@CentOS5-5 ~]# iptables -L
> >>>>>>>>>> Chain INPUT (policy ACCEPT)
> >>>>>>>>>> target              prot opt source    destination
> >>>>>>>>>> RH-Firewall-1-INPUT all  --  anywhere  anywhere
> >>>>>>>>>>
> >>>>>>>>>> Chain FORWARD (policy ACCEPT)
> >>>>>>>>>> target              prot opt source    destination
> >>>>>>>>>> RH-Firewall-1-INPUT all  --  anywhere  anywhere
> >>>>>>>>>>
> >>>>>>>>>> Chain OUTPUT (policy ACCEPT)
> >>>>>>>>>> target              prot opt source    destination
> >>>>>>>>>>
> >>>>>>>>>> Chain RH-Firewall-1-INPUT (2 references)
> >>>>>>>>>> target              prot opt source    destination
> >>>>>>>>>> ACCEPT              all  --  anywhere  anywhere
> >>>>>>>>>> ACCEPT              icmp --  anywhere  anywhere     icmp any
> >>>>>>>>>> ACCEPT              esp  --  anywhere  anywhere
> >>>>>>>>>> ACCEPT              ah   --  anywhere  anywhere
> >>>>>>>>>> ACCEPT              udp  --  anywhere  224.0.0.251  udp dpt:mdns
> >>>>>>>>>> ACCEPT              udp  --  anywhere  anywhere     udp dpt:ipp
> >>>>>>>>>> ACCEPT              tcp  --  anywhere  anywhere     tcp dpt:ipp
> >>>>>>>>>> ACCEPT              all  --  anywhere  anywhere     state RELATED,ESTABLISHED
> >>>>>>>>>> ACCEPT              tcp  --  anywhere  anywhere     state NEW tcp dpt:ssh
> >>>>>>>>>> REJECT              all  --  anywhere  anywhere     reject-with icmp-host-prohibited
> >>>>>>>>>> [root@CentOS5-5 ~]# ping 8.8.8.8
> >>>>>>>>>> PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
> >>>>>>>>>>
> >>>>>>>>>> --- 8.8.8.8 ping statistics ---
> >>>>>>>>>> 3 packets transmitted, 0 received, 100% packet loss, time 2000ms
> >>>>>>>>>>
> >>>>>>>>>> --------------------------
> >>>>>>>>>> [root@CentOS5-5 ~]# ifconfig
> >>>>>>>>>> eth0      Link encap:Ethernet  HWaddr 02:00:2D:C8:00:01
> >>>>>>>>>>           inet addr:10.1.1.5  Bcast:10.1.1.255  Mask:255.255.255.0
> >>>>>>>>>>           inet6 addr: fe80::2dff:fec8:1/64 Scope:Link
> >>>>>>>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>>>>>>>>>           RX packets:2442 errors:0 dropped:0 overruns:0 frame:0
> >>>>>>>>>>           TX packets:2261 errors:0 dropped:0 overruns:0 carrier:0
> >>>>>>>>>>           collisions:0 txqueuelen:1000
> >>>>>>>>>>           RX bytes:174960 (170.8 KiB)  TX bytes:154159 (150.5 KiB)
> >>>>>>>>>>
> >>>>>>>>>> lo        Link encap:Local Loopback
> >>>>>>>>>>           inet addr:127.0.0.1  Mask:255.0.0.0
> >>>>>>>>>>           inet6 addr: ::1/128 Scope:Host
> >>>>>>>>>>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
> >>>>>>>>>>           RX packets:32 errors:0 dropped:0 overruns:0 frame:0
> >>>>>>>>>>           TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
> >>>>>>>>>>           collisions:0 txqueuelen:0
> >>>>>>>>>>           RX bytes:3913 (3.8 KiB)  TX bytes:3913 (3.8 KiB)
> >>>>>>>>>>
> >>>>>>>>>> ----------------------------
> >>>>>>>>>>
> >>>>>>>>>> [root@CentOS5-5 ~]# tracert www.google.com
> >>>>>>>>>> traceroute to www.google.com (173.194.64.106), 30 hops max, 40 byte packets
> >>>>>>>>>>  1  r-4-VM.cs2cloud.internal (10.1.1.1)  0.158 ms  0.136 ms  0.134 ms
> >>>>>>>>>>  2  * * *
> >>>>>>>>>>  3  * * *
> >>>>>>>>>>  4  * * *
> >>>>>>>>>>  5  * * *
> >>>>>>>>>>  6  * * *
> >>>>>>>>>>  7  * * *
> >>>>>>>>>>  8  * * *
> >>>>>>>>>>  9  * * *
> >>>>>>>>>> 10  * * *
> >>>>>>>>>> 11  * * *
> >>>>>>>>>> 12  * * *
> >>>>>>>>>> 13  * * *
> >>>>>>>>>> 14  * * *
> >>>>>>>>>> 15  * * *
> >>>>>>>>>> 16  * * *
> >>>>>>>>>> 17  * * *
> >>>>>>>>>> 18  * * *
> >>>>>>>>>> 19  * * *
> >>>>>>>>>> 20  * * *
> >>>>>>>>>> 21  * * *
> >>>>>>>>>> 22  * * *
> >>>>>>>>>> 23  * * *
> >>>>>>>>>> 24  * * *
> >>>>>>>>>> 25  * * *
> >>>>>>>>>> 26  * * *
> >>>>>>>>>> 27  * * *
> >>>>>>>>>> 28  * * *
> >>>>>>>>>> 29  * * *
> >>>>>>>>>> 30  * * *
> >>>>>>>>>>
> >>>>>>>>>> ----------------
> >>>>>>>>>>
> >>>>>>>>>> Any thoughts?
> >>>>>>>>>>
> >>>>>>>>>> Thank you very much.
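The thread turns on one question about the virtual router's FORWARD chain: is a NEW guest-to-public connection accepted outright (Jayapal's suggested rule), handed to the FW_OUTBOUND / EGRESS_FWRULES chains the wiki page describes, or left to the chain's DROP policy? The POSIX shell script below is an added example, not part of the thread or of CloudStack's own scripts. It walks a rule set given in `iptables -S` form the way the kernel evaluates it for a new connection and reports the verdict, so an operator can check a router before touching it. The two rule sets, the interface names (eth0 guest, eth2 public, as in the quoted output) and the 10.1.1.31/32 egress entry are constructed for the example; on a real router you would feed it `iptables -S` output instead.

```shell
#!/bin/sh
# Added example: decide what the FORWARD chain does with a NEW packet
# forwarded from the guest interface to the public interface.

# Constructed sample, modelled on the FORWARD chain quoted in the thread
# (eth0 = guest side, eth2 = public side). Not real router output.
SAMPLE_RULES='-P FORWARD DROP
-A FORWARD -j NETWORK_STATS
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth2 -j ACCEPT
-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Constructed sample of the chain layout the quoted wiki page describes:
# guest->public traffic is handed to FW_OUTBOUND, then to EGRESS_FWRULES,
# and anything not explicitly accepted falls back to the FORWARD DROP policy.
SAMPLE_RULES_EGRESS='-P FORWARD DROP
-A FORWARD -j NETWORK_STATS
-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FW_OUTBOUND -j EGRESS_FWRULES
-A EGRESS_FWRULES -s 10.1.1.31/32 -p tcp -m tcp --dport 22 -j ACCEPT'

# chain_policy RULES CHAIN -> prints the chain's default policy (DROP if unset)
chain_policy() {
    pol=$(printf '%s\n' "$1" | sed -n "s/^-P $2 //p")
    printf '%s\n' "${pol:-DROP}"
}

# chain_rules RULES CHAIN -> prints the rules appended to CHAIN (may be none)
chain_rules() {
    printf '%s\n' "$1" | grep -- "^-A $2 " || true
}

# new_conn_verdict RULES GUEST_IF PUBLIC_IF
# First FORWARD rule matching "-i GUEST -o PUBLIC" without a --state
# restriction decides a NEW packet. Prints ACCEPT, DROP, REJECT,
# CHAIN:<name> for a jump into a user chain, or the chain policy
# when no rule matches at all.
new_conn_verdict() {
    target=$(chain_rules "$1" FORWARD \
        | grep -- "^-A FORWARD -i $2 -o $3 " \
        | grep -v -- '--state' \
        | sed -n 's/.* -j \([A-Za-z0-9_]*\).*/\1/p' \
        | head -n 1)
    case "$target" in
        '')                 chain_policy "$1" FORWARD ;;
        ACCEPT|DROP|REJECT) printf '%s\n' "$target" ;;
        *)                  printf 'CHAIN:%s\n' "$target" ;;
    esac
}

# Stand-alone run: report both constructed routers.
echo "accept-all router, eth0->eth2 NEW: $(new_conn_verdict "$SAMPLE_RULES" eth0 eth2)"
echo "accept-all router, eth0->eth3 NEW: $(new_conn_verdict "$SAMPLE_RULES" eth0 eth3)"
echo "egress-chain router, eth0->eth2 NEW: $(new_conn_verdict "$SAMPLE_RULES_EGRESS" eth0 eth2)"
echo "egress-chain router, EGRESS_FWRULES entries:"
chain_rules "$SAMPLE_RULES_EGRESS" EGRESS_FWRULES
```

A plain `ACCEPT` verdict means the router forwards every new guest connection to the public side, which is what Jayapal's one-line rule produces and what the quoted `-nv` output already shows for eth0 to eth2. A `CHAIN:FW_OUTBOUND` verdict means the egress feature is wired in and the decision is made by the entries `chain_rules` prints for EGRESS_FWRULES; with no matching entry the packet returns to FORWARD and is dropped by the policy, which is the "default block" behaviour the thread refers to. A `DROP` verdict with no matching rule is the case where adding the FORWARD rule would change anything.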