The problem is there is no source NAT rule added in the iptables nat table on the router. Why is the source NAT rule not added on the router? In your network IP address range, do you have a source NAT IP?
Thanks,
Jayapal

On 28-Jun-2013, at 8:06 AM, WXR <474745...@qq.com> wrote:

> I try to add the rule "iptables -A FW_OUTBOUND -j ACCEPT" to the vrouter
> firewall but unfortunately it takes no effect.
>
> These are the iptables rules in file "/etc/iptables/rules":
>
> *nat
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> COMMIT
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> :FW_OUTBOUND - [0:0]
> -A INPUT -d 224.0.0.18/32 -j ACCEPT
> -A INPUT -d 225.0.0.50/32 -j ACCEPT
> -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
> -A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
> -A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
> -A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
> -I FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
> COMMIT
> *mangle
> :PREROUTING ACCEPT [0:0]
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> -A PREROUTING -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
> -A POSTROUTING -p udp --dport bootpc -j CHECKSUM --checksum-fill
> COMMIT
>
> Is there anything wrong?
>
> ------------------ Original ------------------
> From: ""<emu...@intecom.ad>;
> Date: Thu, Jun 27, 2013 06:40 PM
> To: "users@cloudstack.apache.org"<users@cloudstack.apache.org>;
> Subject: RE: How to create a network offering without firewall?
>
> I had this issue too some days ago. I solved it by logging into the Virtual
> Router over ssh and adding this rule to the Firewall:
>
> iptables -A FW_OUTBOUND -j ACCEPT
>
> I hope this helps.
>
> Regards
>
> -----Original Message-----
> From: Jayapal Reddy Uradi [mailto:jayapalreddy.ur...@citrix.com]
> Sent: Thursday, June 27, 2013 12:37
> To: <users@cloudstack.apache.org>
> Subject: Re: How to create a network offering without firewall?
>
> Is the Internet accessible from the router?
> If it is accessible, please send the router iptables rules on pastebin.com.
>
> Thanks,
> jayapal
>
> On 27-Jun-2013, at 3:34 PM, WXR <474745...@qq.com> wrote:
>
>> Sorry, the instance can access the vrouter gateway ip, but can not access the
>> Internet.
>>
>> ------------------ Original ------------------
>> From: "WXR"<474745...@qq.com>;
>> Date: Thu, Jun 27, 2013 06:01 PM
>> To: "users"<users@cloudstack.apache.org>;
>> Subject: Re: How to create a network offering without firewall?
>>
>> I have added an egress rule like this:
>>
>> Source CIDR    Protocol    Start Port    End Port
>> 0.0.0.0/0      All         All           All
>>
>> The vrouter vm can also access the Internet.
>> But the instance vm is still able to access the vrouter gateway ip and the
>> Internet.
>>
>> ------------------ Original ------------------
>> From: "Murali Reddy"<murali.re...@citrix.com>;
>> Date: Thu, Jun 27, 2013 05:21 PM
>> To: "users@cloudstack.apache.org"<users@cloudstack.apache.org>;
>> Subject: Re: How to create a network offering without firewall?
>>
>> Yes, egress firewall default action is 'BLOCK'.
>> Here is a nice blog from Radhika:
>> http://writersopendiary.wordpress.com/2013/05/27/egress-firewall-rules-in-apache-cloudstack/
>>
>> On 27/06/13 2:21 PM, "WXR" <474745...@qq.com> wrote:
>>
>>> By the way, when I select the default guestnetworkwithsourceNAT and
>>> create an instance, the vm can not access the Internet. Is this a
>>> default setting? How can I let the vm access the Internet?
>>>
>>> ------------------ Original ------------------
>>> From: "Murali Reddy"<murali.re...@citrix.com>;
>>> Date: Thu, Jun 27, 2013 04:46 PM
>>> To: "users@cloudstack.apache.org"<users@cloudstack.apache.org>;
>>> Subject: Re: How to create a network offering without firewall?
>>>
>>> Also, by default all the ports that will be used by edge services are
>>> blocked by the iptables config in the router VM templates. They need to
>>> be opened explicitly with firewall rules.
>>>
>>> On 27/06/13 2:08 PM, "Jayapal Reddy Uradi" <jayapalreddy.ur...@citrix.com> wrote:
>>>
>>>> Without a firewall provider you can't have sourceNAT and static NAT
>>>> services, because these services are provided by the firewall provider only.
>>>>
>>>> Thanks,
>>>> Jayapal
>>>>
>>>> On 27-Jun-2013, at 1:35 PM, WXR <474745...@qq.com> wrote:
>>>>
>>>>> If I create a new network offering and check
>>>>> dns, dhcp, userdata, sourceNAT, staticNAT, and do not check the firewall
>>>>> service, the firewall will be added into it automatically.
>>>>> I don't need the firewall service. How can I create a network
>>>>> offering without firewall?
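As an added diagnostic (not code from this thread or from CloudStack), the following Python parses an iptables-save dump like the one quoted above and reports the two conditions the replies point at: a nat table with no SNAT/MASQUERADE rule on the public interface, and an FW_OUTBOUND chain that accepts only RELATED,ESTABLISHED, so new guest connections fall through to the FORWARD DROP policy (the egress default BLOCK). The interface roles (eth0 guest, eth2 public) are assumed from the quoted rules, and the sample dump is abridged from them.

```python
import re

# Constructed sample: the nat and filter tables from the router rules quoted in
# the thread, abridged to the chains that matter for guest egress.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FW_OUTBOUND - [0:0]
-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
-I FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def parse_iptables_save(text):
    """Parse iptables-save output into {table: {"policy": {chain: policy}, "rules": [...]}}."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):                      # table header, e.g. *nat
            current = line[1:]
            tables[current] = {"policy": {}, "rules": []}
        elif line.startswith(":") and current:        # chain declaration with policy
            chain, policy = line[1:].split()[:2]
            tables[current]["policy"][chain] = policy
        elif line.startswith(("-A ", "-I ")) and current:
            tables[current]["rules"].append(line)
    return tables

def chain_rules(table, chain):
    return [r for r in table["rules"] if r.split()[1] == chain]

def allows_new(rule):
    """True if an ACCEPT rule matches NEW connections (no state match, or NEW listed)."""
    if "-j ACCEPT" not in rule:
        return False
    m = re.search(r"--state (\S+)", rule)
    return m is None or "NEW" in m.group(1).split(",")

def diagnose_egress(text, guest_if="eth0", public_if="eth2"):
    """Return findings explaining why guest-to-Internet traffic fails on the router."""
    t = parse_iptables_save(text)
    findings = []
    post = chain_rules(t.get("nat", {"rules": []}), "POSTROUTING")
    if not any(f"-o {public_if}" in r and ("-j SNAT" in r or "-j MASQUERADE" in r) for r in post):
        findings.append(f"no SNAT/MASQUERADE rule for -o {public_if} in nat POSTROUTING")
    filt = t.get("filter", {"policy": {}, "rules": []})
    fwd = [r for r in chain_rules(filt, "FORWARD") if f"-i {guest_if} -o {public_if}" in r]
    if not fwd:
        findings.append(f"no FORWARD rule for -i {guest_if} -o {public_if}")
    elif filt["policy"].get("FORWARD") == "DROP":
        # Follow -j jumps into user chains (FW_OUTBOUND) and look for a rule accepting NEW.
        targets = [r.split("-j ")[1].split()[0] for r in fwd if "-j " in r]
        accepted = [r for j in targets for r in chain_rules(filt, j)] + fwd
        if not any(allows_new(r) for r in accepted):
            findings.append("no rule accepts NEW guest connections; they fall through to FORWARD DROP")
    return findings
```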