Hello Vittal,

Here is how I define the vlans.

eth1       - br0             management network   192.168.100.0/24   NO vlan
eth1.1200  - cloudVirBr1200  public network       198.105.xxx.0/24   vlan 1200
eth1.1300  - cloudVirBr1300  guest network        10.1.1.0/24        vlan 1300

I have all in one computer. One NIC for all the 3 traffic types. Should this be a problem?

Thank you very much.

On Thu, May 23, 2013 at 9:27 AM, Chiradeep Vittal <chiradeep.vit...@citrix.com> wrote:

> It looks like you have defined 3 public vlans all with the same range?
>
> On 5/22/13 2:20 PM, "wq meng" <wqm...@gmail.com> wrote:
>
>> Hello jayapal,
>>
>> I have reloaded and reinstalled CS4.02, still have the problem.
>>
>> Please see the router vm, why so many ethx?
>>
>> eth0 is for guest, eth1 is link-local, eth2 should be the public?
>>
>> I have tried
>>
>> iptables -A FORWARD -i eth0 -o eth2 -j ACCEPT
>>
>> Still no luck.
>>
>> Any problem with my install? I use one box for the management server and also the KVM host.
>>
>> Thank you very much.
>>
>> root@r-4-VM:~# route -n
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>> 198.105.191.0   0.0.0.0         255.255.255.0   U     0      0        0 eth2
>> 198.105.191.0   0.0.0.0         255.255.255.0   U     0      0        0 eth3
>> 198.105.191.0   0.0.0.0         255.255.255.0   U     0      0        0 eth4
>> 10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
>> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
>> 0.0.0.0         198.105.191.1   0.0.0.0         UG    0      0        0 eth2
>> root@r-4-VM:~# ifconfig
>> eth0      Link encap:Ethernet  HWaddr 02:00:5b:79:00:02
>>           inet addr:10.1.1.1  Bcast:10.1.1.255  Mask:255.255.255.0
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:386 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:29 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1000
>>           RX bytes:38794 (37.8 KiB)  TX bytes:2754 (2.6 KiB)
>>
>> eth1      Link encap:Ethernet  HWaddr 0e:00:a9:fe:02:e9
>>           inet addr:169.254.2.233  Bcast:169.254.255.255  Mask:255.255.0.0
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:2327 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:2051 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1000
>>           RX bytes:390750 (381.5 KiB)  TX bytes:383291 (374.3 KiB)
>>
>> eth2      Link encap:Ethernet  HWaddr 06:eb:d8:00:00:2b
>>           inet addr:198.105.191.25  Bcast:198.105.191.255  Mask:255.255.255.0
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:3368 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:331 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1000
>>           RX bytes:198359 (193.7 KiB)  TX bytes:31594 (30.8 KiB)
>>
>> eth3      Link encap:Ethernet  HWaddr 06:80:0e:00:00:2b
>>           inet addr:198.105.191.25  Bcast:0.0.0.0  Mask:255.255.255.0
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:3260 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1000
>>           RX bytes:179843 (175.6 KiB)  TX bytes:84 (84.0 B)
>>
>> eth4      Link encap:Ethernet  HWaddr 06:b8:9a:00:00:2b
>>           inet addr:198.105.191.25  Bcast:0.0.0.0  Mask:255.255.255.0
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:3255 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1000
>>           RX bytes:179567 (175.3 KiB)  TX bytes:84 (84.0 B)
>>
>> lo        Link encap:Local Loopback
>>           inet addr:127.0.0.1  Mask:255.0.0.0
>>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>>           RX packets:6 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:0
>>           RX bytes:414 (414.0 B)  TX bytes:414 (414.0 B)
>>
>> root@r-4-VM:~# iptables -L
>> Chain INPUT (policy DROP)
>> target         prot opt source               destination
>> NETWORK_STATS  all  --  anywhere             anywhere
>> ACCEPT         all  --  anywhere             vrrp.mcast.net
>> ACCEPT         all  --  anywhere             225.0.0.50
>> ACCEPT         all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>> ACCEPT         all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>> ACCEPT         all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>> ACCEPT         icmp --  anywhere             anywhere
>> ACCEPT         all  --  anywhere             anywhere
>> ACCEPT         udp  --  anywhere             anywhere             udp dpt:bootps
>> ACCEPT         udp  --  anywhere             anywhere             udp dpt:domain
>> ACCEPT         tcp  --  anywhere             anywhere             state NEW tcp dpt:3922
>> ACCEPT         tcp  --  anywhere             anywhere             state NEW tcp dpt:http-alt
>> ACCEPT         tcp  --  anywhere             anywhere             state NEW tcp dpt:www
>>
>> Chain FORWARD (policy DROP)
>> target         prot opt source               destination
>> NETWORK_STATS  all  --  anywhere             anywhere
>> ACCEPT         all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>> ACCEPT         all  --  anywhere             anywhere
>> ACCEPT         all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>> ACCEPT         all  --  anywhere             anywhere             state NEW
>> ACCEPT         all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>> ACCEPT         all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>> ACCEPT         all  --  anywhere             anywhere
>> ACCEPT         all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>> ACCEPT         all  --  anywhere             anywhere
>> ACCEPT         all  --  anywhere             anywhere
>> ACCEPT         all  --  anywhere             anywhere
>> ACCEPT         all  --  anywhere             anywhere
>> ACCEPT         all  --  anywhere             anywhere
>>
>> Chain OUTPUT (policy ACCEPT)
>> target         prot opt source               destination
>> NETWORK_STATS  all  --  anywhere             anywhere
>>
>> Chain NETWORK_STATS (3 references)
>> target         prot opt source               destination
>>                all  --  anywhere             anywhere
>>                all  --  anywhere             anywhere
>>                tcp  --  anywhere             anywhere
>>                tcp  --  anywhere             anywhere
>>                all  --  anywhere             anywhere
>>                all  --  anywhere             anywhere
>>                tcp  --  anywhere             anywhere
>>                tcp  --  anywhere             anywhere
>>                all  --  anywhere             anywhere
>>                all  --  anywhere             anywhere
>>                tcp  --  anywhere             anywhere
>>                tcp  --  anywhere             anywhere
>>
>> On Wed, May 22, 2013 at 6:41 PM, Jayapal Reddy Uradi <jayapalreddy.ur...@citrix.com> wrote:
>>
>>> In your CS version the egress rules feature is not present.
>>> That's the reason CS says Unknown API.
>>> I checked your iptables rules also, the egress rules default block rules are not present.
>>> You can ignore the egress firewall rules.
>>>
>>> Check whether there is a rule in your router to accept guest traffic to public.
>>> If not, add the below iptables rule on the router. This rule allows guest traffic to the public network.
>>>
>>> iptables -A FORWARD -i <guest interface name> -o <public interface name> -j ACCEPT
>>>
>>> Thanks,
>>> jayapal
>>>
>>> On 22-May-2013, at 4:03 PM, wq meng <wqm...@gmail.com> wrote:
>>>
>>>> Hello Jayapal
>>>>
>>>> If CS4.02 by default blocks the VM from accessing the public side, and in the UI there is no link to change it. As you saw, the API has no API names to change it either.
>>>>
>>>> How to fix the problem?
>>>>
>>>> I will reload the OS and re-setup CS4.02 again to check if it will fix.
>>>>
>>>> Thank you so much.
>>>>
>>>> On Wed, May 22, 2013 at 6:23 PM, Jayapal Reddy Uradi <jayapalreddy.ur...@citrix.com> wrote:
>>>>
>>>>> From VM if you are not able to ping public side then it is your setup issue.
>>>>> It can be debugged by capturing packets on the router guest interface and public interface to see whether the packets are reaching the router or not.
>>>>>
>>>>> Thanks,
>>>>> Jayapal
>>>>>
>>>>> On 22-May-2013, at 3:49 PM, Jayapal Reddy Uradi <jayapalreddy.ur...@citrix.com> wrote:
>>>>>
>>>>>> You need to ping the router VM public IP from the public network/subnet?
>>>>>> - You need to add an icmp firewall rule on the public IP to enable ping requests on the public ip
>>>>>>
>>>>>> Thanks,
>>>>>> Jayapal
>>>>>>
>>>>>> On 22-May-2013, at 3:45 PM, wq meng <wqm...@gmail.com> wrote:
>>>>>>
>>>>>>> Hello Jayapal
>>>>>>>
>>>>>>> There is no problem to ping Google from the Router VM, the only problem is that I can not ping the Router VM public IP from outside.
>>>>>>>
>>>>>>> root@r-4-VM:~# ping www.google.com
>>>>>>> PING www.google.com (173.194.64.147): 56 data bytes
>>>>>>> 64 bytes from 173.194.64.147: icmp_seq=0 ttl=48 time=53.194 ms
>>>>>>> 64 bytes from 173.194.64.147: icmp_seq=1 ttl=48 time=53.190 ms
>>>>>>> 64 bytes from 173.194.64.147: icmp_seq=2 ttl=48 time=53.286 ms
>>>>>>> 64 bytes from 173.194.64.147: icmp_seq=3 ttl=48 time=53.207 ms
>>>>>>> ^C--- www.google.com ping statistics ---
>>>>>>> 4 packets transmitted, 4 packets received, 0% packet loss
>>>>>>> round-trip min/avg/max/stddev = 53.190/53.219/53.286/0.039 ms
>>>>>>>
>>>>>>> root@r-4-VM:~# iptables -L -nv
>>>>>>> Chain INPUT (policy DROP 583 packets, 18656 bytes)
>>>>>>>  pkts bytes target         prot opt in   out  source     destination
>>>>>>>  7009 1074K NETWORK_STATS  all  --  *    *    0.0.0.0/0  0.0.0.0/0
>>>>>>>     0     0 ACCEPT         all  --  *    *    0.0.0.0/0  224.0.0.18
>>>>>>>     0     0 ACCEPT         all  --  *    *    0.0.0.0/0  225.0.0.50
>>>>>>>     0     0 ACCEPT         all  --  eth0 *    0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED
>>>>>>>  5619 1007K ACCEPT         all  --  eth1 *    0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED
>>>>>>>    24  2906 ACCEPT         all  --  eth2 *    0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED
>>>>>>>    57  4825 ACCEPT         icmp --  *    *    0.0.0.0/0  0.0.0.0/0
>>>>>>>     5   293 ACCEPT         all  --  lo   *    0.0.0.0/0  0.0.0.0/0
>>>>>>>     0     0 ACCEPT         udp  --  eth0 *    0.0.0.0/0  0.0.0.0/0   udp dpt:67
>>>>>>>   349 24753 ACCEPT         udp  --  eth0 *    0.0.0.0/0  0.0.0.0/0   udp dpt:53
>>>>>>>   318 19080 ACCEPT         tcp  --  eth1 *    0.0.0.0/0  0.0.0.0/0   state NEW tcp dpt:3922
>>>>>>>     0     0 ACCEPT         tcp  --  eth0 *    0.0.0.0/0  0.0.0.0/0   state NEW tcp dpt:8080
>>>>>>>     0     0 ACCEPT         tcp  --  eth0 *    0.0.0.0/0  0.0.0.0/0   state NEW tcp dpt:80
>>>>>>>
>>>>>>> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>>>>>>>  pkts bytes target         prot opt in   out  source     destination
>>>>>>>  8735 1159K NETWORK_STATS  all  --  *    *    0.0.0.0/0  0.0.0.0/0
>>>>>>>     0     0 ACCEPT         all  --  eth0 eth1 0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED
>>>>>>>  4746  775K ACCEPT         all  --  eth0 eth2 0.0.0.0/0  0.0.0.0/0
>>>>>>>  3657  364K ACCEPT         all  --  eth2 eth0 0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED
>>>>>>>     0     0 ACCEPT         all  --  eth0 eth0 0.0.0.0/0  0.0.0.0/0   state NEW
>>>>>>>     0     0 ACCEPT         all  --  eth0 eth0 0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED
>>>>>>>     0     0 ACCEPT         all  --  eth3 eth0 0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED
>>>>>>>     0     0 ACCEPT         all  --  eth0 eth3 0.0.0.0/0  0.0.0.0/0
>>>>>>>     0     0 ACCEPT         tcp  --  *    *    0.0.0.0/0  10.1.1.5    state RELATED,ESTABLISHED /* 198.105.191.245:22:22 */
>>>>>>>   332 19920 ACCEPT         tcp  --  *    *    0.0.0.0/0  10.1.1.5    tcp dpt:22 state NEW /* 198.105.191.245:22:22 */
>>>>>>>     0     0 ACCEPT         tcp  --  *    *    0.0.0.0/0  10.1.1.5    state RELATED,ESTABLISHED /* 198.105.191.245:80:80 */
>>>>>>>     0     0 ACCEPT         tcp  --  *    *    0.0.0.0/0  10.1.1.5    tcp dpt:80 state NEW /* 198.105.191.245:80:80 */
>>>>>>>     0     0 ACCEPT         all  --  eth4 eth0 0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED
>>>>>>>     0     0 ACCEPT         all  --  eth0 eth4 0.0.0.0/0  0.0.0.0/0
>>>>>>>     0     0 ACCEPT         all  --  eth5 eth0 0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED
>>>>>>>     0     0 ACCEPT         all  --  eth0 eth5 0.0.0.0/0  0.0.0.0/0
>>>>>>>     0     0 ACCEPT         all  --  eth6 eth0 0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED
>>>>>>>     0     0 ACCEPT         all  --  eth0 eth6 0.0.0.0/0  0.0.0.0/0
>>>>>>>     0     0 ACCEPT         all  --  eth7 eth0 0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED
>>>>>>>     0     0 ACCEPT         all  --  eth0 eth7 0.0.0.0/0  0.0.0.0/0
>>>>>>>
>>>>>>> Chain OUTPUT (policy ACCEPT 704 packets, 122K bytes)
>>>>>>>  pkts bytes target         prot opt in   out  source     destination
>>>>>>>  6195 1039K NETWORK_STATS  all  --  *    *    0.0.0.0/0  0.0.0.0/0
>>>>>>>
>>>>>>> Chain NETWORK_STATS (3 references)
>>>>>>>  pkts bytes target         prot opt in    out   source     destination
>>>>>>>  4746  775K                all  --  eth0  eth2  0.0.0.0/0  0.0.0.0/0
>>>>>>>  3989  384K                all  --  eth2  eth0  0.0.0.0/0  0.0.0.0/0
>>>>>>>     0     0                tcp  --  !eth0 eth2  0.0.0.0/0  0.0.0.0/0
>>>>>>>     2   100                tcp  --  eth2  !eth0 0.0.0.0/0  0.0.0.0/0
>>>>>>>     0     0                all  --  eth0  eth3  0.0.0.0/0  0.0.0.0/0
>>>>>>>     0     0                all  --  eth3  eth0  0.0.0.0/0  0.0.0.0/0
>>>>>>>     0     0                tcp  --  !eth0 eth3  0.0.0.0/0  0.0.0.0/0
>>>>>>>     0     0                tcp  --  eth3  !eth0 0.0.0.0/0  0.0.0.0/0
>>>>>>>     0     0                all  --  eth0  eth4  0.0.0.0/0  0.0.0.0/0
>>>>>>>     0     0                all  --  eth4  eth0  0.0.0.0/0  0.0.0.0/0
>>>>>>>     0     0                tcp  --  !eth0 eth4  0.0.0.0/0  0.0.0.0/0
>>>>>>>     0     0                tcp  --  eth4  !eth0 0.0.0.0/0  0.0.0.0/0
>>>>>>>     0     0                all  --  eth0  eth5  0.0.0.0/0  0.0.0.0/0
>>>>>>>     0     0                all  --  eth5  eth0  0.0.0.0/0  0.0.0.0/0
>>>>>>>     0     0                tcp  --  !eth0 eth5  0.0.0.0/0  0.0.0.0/0
>>>>>>>     0     0                tcp  --  eth5  !eth0 0.0.0.0/0  0.0.0.0/0
>>>>>>>     0     0                all  --  eth0  eth6  0.0.0.0/0  0.0.0.0/0
>>>>>>>     0     0                all  --  eth6  eth0  0.0.0.0/0  0.0.0.0/0
>>>>>>>     0     0                tcp  --  !eth0 eth6  0.0.0.0/0  0.0.0.0/0
>>>>>>>     0     0                tcp  --  eth6  !eth0 0.0.0.0/0  0.0.0.0/0
>>>>>>>     0     0                all  --  eth0  eth7  0.0.0.0/0  0.0.0.0/0
>>>>>>>     0     0                all  --  eth7  eth0  0.0.0.0/0  0.0.0.0/0
>>>>>>>     0     0                tcp  --  !eth0 eth7  0.0.0.0/0  0.0.0.0/0
>>>>>>>     0     0                tcp  --  eth7  !eth0 0.0.0.0/0  0.0.0.0/0
>>>>>>> root@r-4-VM:~#
>>>>>>>
>>>>>>> ------------------------------------------------------------------------------------
>>>>>>> Below is from the Guest VM instance.
>>>>>>>
>>>>>>> Not sure how to capture the packets.
>>>>>>>
>>>>>>> But I did a tracepath www.google.com inside the guest VM.
>>>>>>>
>>>>>>> From the output,
>>>>>>>
>>>>>>> [root@CentOS5-5 ~]# tracepath www.google.com
>>>>>>>  1:  r-4-VM.cs2cloud.internal (10.1.1.1)   0.149ms
>>>>>>>  2:  no reply
>>>>>>>  3:  no reply
>>>>>>>  4:  no reply
>>>>>>>
>>>>>>> [root@CentOS5-5 ~]# iptables -L -nv
>>>>>>> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>>>>>>>  pkts bytes target               prot opt in   out  source     destination
>>>>>>> 15198 1412K RH-Firewall-1-INPUT  all  --  *    *    0.0.0.0/0  0.0.0.0/0
>>>>>>>
>>>>>>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>>>>>>  pkts bytes target               prot opt in   out  source     destination
>>>>>>>     0     0 RH-Firewall-1-INPUT  all  --  *    *    0.0.0.0/0  0.0.0.0/0
>>>>>>>
>>>>>>> Chain OUTPUT (policy ACCEPT 17238 packets, 7377K bytes)
>>>>>>>  pkts bytes target               prot opt in   out  source     destination
>>>>>>>
>>>>>>> Chain RH-Firewall-1-INPUT (2 references)
>>>>>>>  pkts bytes target   prot opt in   out  source     destination
>>>>>>>    56  9116 ACCEPT   all  --  lo   *    0.0.0.0/0  0.0.0.0/0
>>>>>>>    22  3360 ACCEPT   icmp --  *    *    0.0.0.0/0  0.0.0.0/0    icmp type 255
>>>>>>>     0     0 ACCEPT   esp  --  *    *    0.0.0.0/0  0.0.0.0/0
>>>>>>>     0     0 ACCEPT   ah   --  *    *    0.0.0.0/0  0.0.0.0/0
>>>>>>>    13  2124 ACCEPT   udp  --  *    *    0.0.0.0/0  224.0.0.251  udp dpt:5353
>>>>>>>     0     0 ACCEPT   udp  --  *    *    0.0.0.0/0  0.0.0.0/0    udp dpt:631
>>>>>>>     0     0 ACCEPT   tcp  --  *    *    0.0.0.0/0  0.0.0.0/0    tcp dpt:631
>>>>>>> 13536 1320K ACCEPT   all  --  *    *    0.0.0.0/0  0.0.0.0/0    state RELATED,ESTABLISHED
>>>>>>>   931 55796 ACCEPT   tcp  --  *    *    0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:22
>>>>>>>   640 21690 REJECT   all  --  *    *    0.0.0.0/0  0.0.0.0/0    reject-with icmp-host-prohibited
>>>>>>>
>>>>>>> Inside the VM, it can ping other VMs' guest IP.
>>>>>>>
>>>>>>> [root@CentOS5-5 ~]# ping 10.1.1.36
>>>>>>> PING 10.1.1.36 (10.1.1.36) 56(84) bytes of data.
>>>>>>> 64 bytes from 10.1.1.36: icmp_seq=1 ttl=64 time=1.32 ms
>>>>>>> 64 bytes from 10.1.1.36: icmp_seq=2 ttl=64 time=0.156 ms
>>>>>>> 64 bytes from 10.1.1.36: icmp_seq=3 ttl=64 time=0.134 ms
>>>>>>>
>>>>>>> --- 10.1.1.36 ping statistics ---
>>>>>>> 3 packets transmitted, 3 received, 0% packet loss, time 2000ms
>>>>>>> rtt min/avg/max/mdev = 0.134/0.538/1.326/0.557 ms
>>>>>>> [root@CentOS5-5 ~]# ifconfig
>>>>>>> eth0      Link encap:Ethernet  HWaddr 02:00:2D:C8:00:01
>>>>>>>           inet addr:10.1.1.5  Bcast:10.1.1.255  Mask:255.255.255.0
>>>>>>>           inet6 addr: fe80::2dff:fec8:1/64 Scope:Link
>>>>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>>>>>           RX packets:16846 errors:0 dropped:0 overruns:0 frame:0
>>>>>>>           TX packets:18252 errors:0 dropped:0 overruns:0 carrier:0
>>>>>>>           collisions:0 txqueuelen:1000
>>>>>>>           RX bytes:1716037 (1.6 MiB)  TX bytes:7661658 (7.3 MiB)
>>>>>>>
>>>>>>> lo        Link encap:Local Loopback
>>>>>>>           inet addr:127.0.0.1  Mask:255.0.0.0
>>>>>>>           inet6 addr: ::1/128 Scope:Host
>>>>>>>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>>>>>>>           RX packets:56 errors:0 dropped:0 overruns:0 frame:0
>>>>>>>           TX packets:56 errors:0 dropped:0 overruns:0 carrier:0
>>>>>>>           collisions:0 txqueuelen:0
>>>>>>>           RX bytes:9116 (8.9 KiB)  TX bytes:9116 (8.9 KiB)
>>>>>>>
>>>>>>> [root@CentOS5-5 ~]# ping www.google.com
>>>>>>> PING www.google.com (173.194.64.104) 56(84) bytes of data.
>>>>>>> ^C
>>>>>>> --- www.google.com ping statistics ---
>>>>>>> 6 packets transmitted, 0 received, 100% packet loss, time 5000ms
>>>>>>>
>>>>>>> Any problems?
>>>>>>>
>>>>>>> Thank you so much.
>>>>>>>
>>>>>>> On Wed, May 22, 2013 at 4:14 PM, Jayapal Reddy Uradi <jayapalreddy.ur...@citrix.com> wrote:
>>>>>>>
>>>>>>>> By looking at the iptables rules, there is no egress rules feature in your deployment.
>>>>>>>> In your case the issue seems to be different.
>>>>>>>>
>>>>>>>> Please do the below troubleshooting.
>>>>>>>> Ping from the guest vm to public subnet/google and try to capture the packets on the router guest interface and public interface.
>>>>>>>> Check whether the packets are reaching the public interface of the VR or not.
>>>>>>>>
>>>>>>>> Also send iptables -L -nv output.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Jayapal
>>>>>>>>
>>>>>>>> On 22-May-2013, at 1:18 PM, wq meng <wqm...@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hello Jayapal
>>>>>>>>>
>>>>>>>>> I know very little about the api yet.
>>>>>>>>>
>>>>>>>>> I logged in to the VRouter VM, can I change the rules to get it to work?
>>>>>>>>>
>>>>>>>>> On
>>>>>>>>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Egress+firewall+rules+for+guest+network
>>>>>>>>>
>>>>>>>>> It says some Chains, but I can not find them inside my VRouter VM.
>>>>>>>>>
>>>>>>>>> ====================
>>>>>>>>>
>>>>>>>>> firewallRule_egress.sh script gets called on the virtual router.
>>>>>>>>>
>>>>>>>>> The egress rules are added in the filter table, FW_EGRESS_RULES chain.
>>>>>>>>>
>>>>>>>>> All the traffic from eth0 to eth2 (public interface) will be sent to the FW_OUTBOUND chain.
>>>>>>>>>
>>>>>>>>> *iptables rules:*
>>>>>>>>>
>>>>>>>>> *Default rules:*
>>>>>>>>>
>>>>>>>>> ipassoc.sh adds a rule to ACCEPT traffic from eth0 to the public interface.
>>>>>>>>>
>>>>>>>>> Modified the rule to send egress traffic to the FW_OUTBOUND chain.
>>>>>>>>>
>>>>>>>>> *iptables -A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND*
>>>>>>>>>
>>>>>>>>> *Rules added while configuring:*
>>>>>>>>>
>>>>>>>>> Ex: Egress rule to block the port 22 (ssh) traffic from 10.1.1.31/32
>>>>>>>>>
>>>>>>>>> *iptables -A FW_OUTBOUND -j EGRESS_FWRULES*
>>>>>>>>>
>>>>>>>>> *iptables -A EGRESS_FWRULES -s 10.1.1.31/32 -p tcp --dport 22:22 -j ACCEPT*
>>>>>>>>> ======================
>>>>>>>>>
>>>>>>>>> Here is how the current iptables shows.
>>>>>>>>>
>>>>>>>>> ------------------------------------------------------------------------------------
>>>>>>>>> root@r-4-VM:~# iptables -L
>>>>>>>>> Chain INPUT (policy DROP)
>>>>>>>>> target         prot opt source               destination
>>>>>>>>> NETWORK_STATS  all  --  anywhere             anywhere
>>>>>>>>> ACCEPT         all  --  anywhere             vrrp.mcast.net
>>>>>>>>> ACCEPT         all  --  anywhere             225.0.0.50
>>>>>>>>> ACCEPT         all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>>>>>>>>> ACCEPT         all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>>>>>>>>> ACCEPT         all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>>>>>>>>> ACCEPT         icmp --  anywhere             anywhere
>>>>>>>>> ACCEPT         all  --  anywhere             anywhere
>>>>>>>>> ACCEPT         udp  --  anywhere             anywhere             udp dpt:bootps
>>>>>>>>> ACCEPT         udp  --  anywhere             anywhere             udp dpt:domain
>>>>>>>>> ACCEPT         tcp  --  anywhere             anywhere             state NEW tcp dpt:3922
>>>>>>>>> ACCEPT         tcp  --  anywhere             anywhere             state NEW tcp dpt:http-alt
>>>>>>>>> ACCEPT         tcp  --  anywhere             anywhere             state NEW tcp dpt:www
>>>>>>>>>
>>>>>>>>> Chain FORWARD (policy DROP)
>>>>>>>>> target         prot opt source               destination
>>>>>>>>> NETWORK_STATS  all  --  anywhere             anywhere
>>>>>>>>> ACCEPT         all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>>>>>>>>> ACCEPT         all  --  anywhere             anywhere
>>>>>>>>> ACCEPT         all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>>>>>>>>> ACCEPT         all  --  anywhere             anywhere             state NEW
>>>>>>>>> ACCEPT         all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>>>>>>>>> ACCEPT         all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>>>>>>>>> ACCEPT         all  --  anywhere             anywhere
>>>>>>>>> ACCEPT         all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>>>>>>>>> ACCEPT         all  --  anywhere             anywhere
>>>>>>>>> ACCEPT         all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>>>>>>>>> ACCEPT         all  --  anywhere             anywhere
>>>>>>>>> ACCEPT         all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>>>>>>>>> ACCEPT         all  --  anywhere             anywhere
>>>>>>>>> ACCEPT         all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>>>>>>>>> ACCEPT         all  --  anywhere             anywhere
>>>>>>>>>
>>>>>>>>> Chain OUTPUT (policy ACCEPT)
>>>>>>>>> target         prot opt source               destination
>>>>>>>>> NETWORK_STATS  all  --  anywhere             anywhere
>>>>>>>>>
>>>>>>>>> Chain NETWORK_STATS (3 references)
>>>>>>>>> target         prot opt source               destination
>>>>>>>>>                all  --  anywhere             anywhere
>>>>>>>>>                all  --  anywhere             anywhere
>>>>>>>>>                tcp  --  anywhere             anywhere
>>>>>>>>>                tcp  --  anywhere             anywhere
>>>>>>>>>                all  --  anywhere             anywhere
>>>>>>>>>                all  --  anywhere             anywhere
>>>>>>>>>                tcp  --  anywhere             anywhere
>>>>>>>>>                tcp  --  anywhere             anywhere
>>>>>>>>>                all  --  anywhere             anywhere
>>>>>>>>>                all  --  anywhere             anywhere
>>>>>>>>>                tcp  --  anywhere             anywhere
>>>>>>>>>                tcp  --  anywhere             anywhere
>>>>>>>>>                all  --  anywhere             anywhere
>>>>>>>>>                all  --  anywhere             anywhere
>>>>>>>>>                tcp  --  anywhere             anywhere
>>>>>>>>>                tcp  --  anywhere             anywhere
>>>>>>>>>                all  --  anywhere             anywhere
>>>>>>>>>                all  --  anywhere             anywhere
>>>>>>>>>                tcp  --  anywhere             anywhere
>>>>>>>>>                tcp  --  anywhere             anywhere
>>>>>>>>>                all  --  anywhere             anywhere
>>>>>>>>>                all  --  anywhere             anywhere
>>>>>>>>>                tcp  --  anywhere             anywhere
>>>>>>>>>                tcp  --  anywhere             anywhere
>>>>>>>>>
>>>>>>>>> And has the link been fixed in the Git?
>>>>>>>>>
>>>>>>>>> Thank you so much.
>>>>>>>>>
>>>>>>>>> On Wed, May 22, 2013 at 2:55 PM, Jayapal Reddy Uradi <jayapalreddy.ur...@citrix.com> wrote:
>>>>>>>>>
>>>>>>>>>> I think the UI link is missing but it is fixed after that.
>>>>>>>>>> Try to add rules using the API 'createEgressFirewallRule'
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Jayapal
>>>>>>>>>>
>>>>>>>>>> On 22-May-2013, at 12:05 PM, wq meng <wqm...@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hello Jayapal,
>>>>>>>>>>>
>>>>>>>>>>> https://cwiki.apache.org/CLOUDSTACK/egress-firewall-rules-for-guest-network.html
>>>>>>>>>>>
>>>>>>>>>>> I have checked Network -> Guest Network (Name) ->
>>>>>>>>>>>
>>>>>>>>>>> I can not find any Egress firewall rule tab.
>>>>>>>>>>>
>>>>>>>>>>> Have I missed something?
>>>>>>>>>>>
>>>>>>>>>>> Thank you very much.
>>>>>>>>>>>
>>>>>>>>>>> On Wed, May 22, 2013 at 1:23 PM, Jayapal Reddy Uradi <jayapalreddy.ur...@citrix.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> Did you configure the egress firewall rules on the guest network?
>>>>>>>>>>>> You need to add egress rules to allow guest traffic.
>>>>>>>>>>>>
>>>>>>>>>>>> If it does not work after adding the egress rule, please send the router iptables rules.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>> Jayapal
>>>>>>>>>>>>
>>>>>>>>>>>> On 22-May-2013, at 4:10 AM, wq meng <wqm...@gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hello
>>>>>>>>>>>>>
>>>>>>>>>>>>> Has anyone faced this problem? CS4.02 KVM Advanced Network, VM instance can not access public IP. NAT(Source)
>>>>>>>>>>>>>
>>>>>>>>>>>>> The VM instance is running, but inside the VM instance, it is not possible to access outside.
>>>>>>>>>>>>>
>>>>>>>>>>>>> The VMs can ping each other, and it can ping google.com in the *Virtual Router VM.*
>>>>>>>>>>>>>
>>>>>>>>>>>>> But it just can not ping Google.com inside the VM instance.
>>>>>>>>>>>>>
>>>>>>>>>>>>> It seems that inside the VM instance, it can resolve Google.com's IP address, BUT can not do anything else.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Please see the following output.
>>>>>>>>>>>>>
>>>>>>>>>>>>> ------------------------
>>>>>>>>>>>>> [root@CentOS5-5 ~]# wget www.google.com
>>>>>>>>>>>>> --2013-05-21 08:30:39--  http://www.google.com/
>>>>>>>>>>>>> Resolving www.google.com... 173.194.64.104, 173.194.64.99, 173.194.64.105, ...
>>>>>>>>>>>>> Connecting to www.google.com|173.194.64.104|:80...
>>>>>>>>>>>>> [root@CentOS5-5 ~]# ls
>>>>>>>>>>>>>
>>>>>>>>>>>>> -------------------------
>>>>>>>>>>>>> [root@CentOS5-5 ~]# iptables -L
>>>>>>>>>>>>> Chain INPUT (policy ACCEPT)
>>>>>>>>>>>>> target               prot opt source               destination
>>>>>>>>>>>>> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>>>>>>>>>>>>>
>>>>>>>>>>>>> Chain FORWARD (policy ACCEPT)
>>>>>>>>>>>>> target               prot opt source               destination
>>>>>>>>>>>>> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>>>>>>>>>>>>>
>>>>>>>>>>>>> Chain OUTPUT (policy ACCEPT)
>>>>>>>>>>>>> target               prot opt source               destination
>>>>>>>>>>>>>
>>>>>>>>>>>>> Chain RH-Firewall-1-INPUT (2 references)
>>>>>>>>>>>>> target               prot opt source               destination
>>>>>>>>>>>>> ACCEPT               all  --  anywhere             anywhere
>>>>>>>>>>>>> ACCEPT               icmp --  anywhere             anywhere             icmp any
>>>>>>>>>>>>> ACCEPT               esp  --  anywhere             anywhere
>>>>>>>>>>>>> ACCEPT               ah   --  anywhere             anywhere
>>>>>>>>>>>>> ACCEPT               udp  --  anywhere             224.0.0.251          udp dpt:mdns
>>>>>>>>>>>>> ACCEPT               udp  --  anywhere             anywhere             udp dpt:ipp
>>>>>>>>>>>>> ACCEPT               tcp  --  anywhere             anywhere             tcp dpt:ipp
>>>>>>>>>>>>> ACCEPT               all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>>>>>>>>>>>>> ACCEPT               tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
>>>>>>>>>>>>> REJECT               all  --  anywhere             anywhere             reject-with icmp-host-prohibited
>>>>>>>>>>>>> [root@CentOS5-5 ~]# ping 8.8.8.8
>>>>>>>>>>>>> PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
>>>>>>>>>>>>>
>>>>>>>>>>>>> --- 8.8.8.8 ping statistics ---
>>>>>>>>>>>>> 3 packets transmitted, 0 received, 100% packet loss, time 2000ms
>>>>>>>>>>>>>
>>>>>>>>>>>>> --------------------------
>>>>>>>>>>>>> [root@CentOS5-5 ~]# ifconfig
>>>>>>>>>>>>> eth0      Link encap:Ethernet  HWaddr 02:00:2D:C8:00:01
>>>>>>>>>>>>>           inet addr:10.1.1.5  Bcast:10.1.1.255  Mask:255.255.255.0
>>>>>>>>>>>>>           inet6 addr: fe80::2dff:fec8:1/64 Scope:Link
>>>>>>>>>>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>>>>>>>>>>>           RX packets:2442 errors:0 dropped:0 overruns:0 frame:0
>>>>>>>>>>>>>           TX packets:2261 errors:0 dropped:0 overruns:0 carrier:0
>>>>>>>>>>>>>           collisions:0 txqueuelen:1000
>>>>>>>>>>>>>           RX bytes:174960 (170.8 KiB)  TX bytes:154159 (150.5 KiB)
>>>>>>>>>>>>>
>>>>>>>>>>>>> lo        Link encap:Local Loopback
>>>>>>>>>>>>>           inet addr:127.0.0.1  Mask:255.0.0.0
>>>>>>>>>>>>>           inet6 addr: ::1/128 Scope:Host
>>>>>>>>>>>>>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>>>>>>>>>>>>>           RX packets:32 errors:0 dropped:0 overruns:0 frame:0
>>>>>>>>>>>>>           TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
>>>>>>>>>>>>>           collisions:0 txqueuelen:0
>>>>>>>>>>>>>           RX bytes:3913 (3.8 KiB)  TX bytes:3913 (3.8 KiB)
>>>>>>>>>>>>>
>>>>>>>>>>>>> ----------------------------
>>>>>>>>>>>>>
>>>>>>>>>>>>> [root@CentOS5-5 ~]# tracert www.google.com
>>>>>>>>>>>>> traceroute to www.google.com (173.194.64.106), 30 hops max, 40 byte packets
>>>>>>>>>>>>>  1  r-4-VM.cs2cloud.internal (10.1.1.1)  0.158 ms  0.136 ms  0.134 ms
>>>>>>>>>>>>>  2  * * *
>>>>>>>>>>>>>  3  * * *
>>>>>>>>>>>>>  4  * * *
>>>>>>>>>>>>>  5  * * *
>>>>>>>>>>>>>  6  * * *
>>>>>>>>>>>>>  7  * * *
>>>>>>>>>>>>>  8  * * *
>>>>>>>>>>>>>  9  * * *
>>>>>>>>>>>>> 10  * * *
>>>>>>>>>>>>> 11  * * *
>>>>>>>>>>>>> 12  * * *
>>>>>>>>>>>>> 13  * * *
>>>>>>>>>>>>> 14  * * *
>>>>>>>>>>>>> 15  * * *
>>>>>>>>>>>>> 16  * * *
>>>>>>>>>>>>> 17  * * *
>>>>>>>>>>>>> 18  * * *
>>>>>>>>>>>>> 19  * * *
>>>>>>>>>>>>> 20  * * *
>>>>>>>>>>>>> 21  * * *
>>>>>>>>>>>>> 22  * * *
>>>>>>>>>>>>> 23  * * *
>>>>>>>>>>>>> 24  * * *
>>>>>>>>>>>>> 25  * * *
>>>>>>>>>>>>> 26  * * *
>>>>>>>>>>>>> 27  * * *
>>>>>>>>>>>>> 28  * * *
>>>>>>>>>>>>> 29  * * *
>>>>>>>>>>>>> 30  * * *
>>>>>>>>>>>>>
>>>>>>>>>>>>> ----------------
>>>>>>>>>>>>>
>>>>>>>>>>>>> Any thoughts?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thank you very much.
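The thread ends up checking two things on the virtual router by hand: whether the FORWARD chain has an ACCEPT for guest-to-public traffic (the rule Jayapal asks for) and its reply path, and whether several interfaces carry the same public subnet (what Vittal's "3 public vlans all with the same range" produces, visible as eth2/eth3/eth4 sharing 198.105.191.0/24 in the `route -n` output). The script below is an added example, not code from the thread or from CloudStack; it parses saved `iptables -L -nv` and `route -n` output and reports both findings. It assumes guest interface eth0 and public interface eth2 as in the thread, and the sample outputs embedded in it are constructed to mirror the router r-4-VM.

```python
"""Offline audit of a CloudStack virtual router's guest -> public forwarding path.
Added example (not from the thread or CloudStack): it parses saved `iptables -L -nv`
and `route -n` output for what the thread checks by hand: a FORWARD ACCEPT for
guest -> public and its reply path, and subnets attached to more than one
interface (what three public VLANs with the same range produce). Samples are constructed."""
import re
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

# target is "" for counter-only rows (e.g. in NETWORK_STATS); extra is the match text
# after the destination column, e.g. "state NEW tcp dpt:22".
Rule = namedtuple("Rule", "chain pkts target proto in_if out_if src dst extra")

def _count(tok: str) -> int:
    """iptables -v abbreviates large counters (1074K); expand them to integers."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(tok[:-1]) * mult[tok[-1]] if tok[-1] in mult else int(tok)

def parse_iptables_nv(text: str) -> List[Rule]:
    rules, chain = [], ""
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0] == "pkts":         # blank line or column header
            continue
        if parts[0] == "Chain":
            chain = parts[1]
            continue
        if len(parts) >= 9 and parts[4] == "--":    # pkts bytes target prot opt in out src dst ...
            target, rest = parts[2], parts[3:]
        elif len(parts) >= 8 and parts[3] == "--":  # same row shape with an empty target column
            target, rest = "", parts[2:]
        else:
            continue
        proto, _opt, in_if, out_if, src, dst = rest[:6]
        rules.append(Rule(chain, _count(parts[0]), target, proto, in_if, out_if, src, dst, " ".join(rest[6:])))
    return rules

def find_forward_accept(rules: List[Rule], in_if: str, out_if: str, new_conns: bool) -> Optional[Rule]:
    """First FORWARD ACCEPT for all traffic in_if -> out_if ('*' wildcards count). new_conns=True
    wants a rule admitting fresh connections (no state match, or one including NEW); False wants
    the reply path (a state match including ESTABLISHED)."""
    wanted = "NEW" if new_conns else "ESTABLISHED"
    for r in rules:
        if r.chain != "FORWARD" or r.target != "ACCEPT" or r.proto != "all":
            continue
        if r.in_if not in (in_if, "*") or r.out_if not in (out_if, "*"):
            continue
        if r.src != "0.0.0.0/0" or r.dst != "0.0.0.0/0":
            continue
        m = re.search(r"state (\S+)", r.extra)
        if not m or wanted in m.group(1).split(","):
            return r
    return None

def parse_route_n(text: str) -> List[Tuple[str, str, str]]:
    """(destination, genmask, iface) for each non-default route in `route -n` output."""
    rows = [raw.split() for raw in text.splitlines()]
    return [(p[0], p[2], p[7]) for p in rows if len(p) == 8 and p[0] not in ("Destination", "0.0.0.0")]

def duplicate_subnets(routes: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Subnets present on more than one interface -> the interfaces carrying them."""
    by_net: Dict[str, List[str]] = {}
    for dest, mask, iface in routes:
        by_net.setdefault(f"{dest}/{mask}", []).append(iface)
    return {net: ifs for net, ifs in by_net.items() if len(ifs) > 1}

def audit(iptables_text: str, route_text: str, guest_if: str, public_if: str) -> Dict[str, object]:
    rules = parse_iptables_nv(iptables_text)
    egress = find_forward_accept(rules, guest_if, public_if, new_conns=True)
    reply = find_forward_accept(rules, public_if, guest_if, new_conns=False)
    return {
        "guest_to_public_allowed": egress is not None,
        "guest_to_public_pkts": egress.pkts if egress else 0,  # a rule with 0 hits is also a finding
        "reply_path_allowed": reply is not None,
        "duplicate_subnets": duplicate_subnets(parse_route_n(route_text)),
    }

# Constructed sample modelled on r-4-VM in the thread: guest eth0, public eth2,
# and eth3/eth4 carrying the same public subnet.
SAMPLE_IPTABLES = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target        prot opt in   out  source     destination
 8735 1159K NETWORK_STATS all  --  *    *    0.0.0.0/0  0.0.0.0/0
 4746  775K ACCEPT        all  --  eth0 eth2 0.0.0.0/0  0.0.0.0/0
 3657  364K ACCEPT        all  --  eth2 eth0 0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
Chain NETWORK_STATS (3 references)
 pkts bytes target        prot opt in   out  source     destination
 4746  775K               all  --  eth0 eth2 0.0.0.0/0  0.0.0.0/0
"""
SAMPLE_ROUTE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
198.105.191.0   0.0.0.0         255.255.255.0   U     0      0        0 eth2
198.105.191.0   0.0.0.0         255.255.255.0   U     0      0        0 eth3
198.105.191.0   0.0.0.0         255.255.255.0   U     0      0        0 eth4
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         198.105.191.1   0.0.0.0         UG    0      0        0 eth2
"""
# The same router with the guest -> public ACCEPT missing: the symptom in the thread.
SAMPLE_IPTABLES_BROKEN = "\n".join(
    l for l in SAMPLE_IPTABLES.splitlines() if not re.search(r"ACCEPT\s+all\s+--\s+eth0\s+eth2", l))
```

On a real router, save `iptables -L -nv` and `route -n` to files and pass their contents to `audit(...)`. Note that in a deployment where the egress firewall feature is present, the quoted wiki text says the unconditional `eth0 -> eth2 ACCEPT` is replaced by a jump to FW_OUTBOUND, so this checker would then report the rule as missing and the FW_OUTBOUND/EGRESS_FWRULES chains have to be read instead; that is exactly the distinction Jayapal draws from the posted rules.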