ravening commented on pull request #5397:
URL: https://github.com/apache/cloudstack/pull/5397#issuecomment-918898092


   @weizhouapache below are the details
   
   ```
   # ip a
   4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
       link/ether 1e:00:8f:00:8d:76 brd ff:ff:ff:ff:ff:ff
       inet 10.32.22.125/27 brd 10.32.22.127 scope global eth2
          valid_lft forever preferred_lft forever
   
   # ip route
   default via 5.79.116.62 dev eth1
   5.79.116.32/27 dev eth1 proto kernel scope link src 5.79.116.33
   10.32.22.96/27 dev eth2 proto kernel scope link src 10.32.22.125
   10.69.0.0/24 dev eth3 proto kernel scope link src 10.69.0.252
   10.69.1.0/24 dev eth4 proto kernel scope link src 10.69.1.252
   10.69.2.0/24 dev eth5 proto kernel scope link src 10.69.2.251
   10.69.3.0/24 dev eth6 proto kernel scope link src 10.69.3.252
   169.254.0.0/16 dev eth0 proto kernel scope link src 169.254.0.255
   
   
   # iptables-save | grep eth2
   :ACL_INBOUND_eth2 - [0:0]
   :NETWORK_STATS_eth2 - [0:0]
   -A FORWARD -j NETWORK_STATS_eth2
   -A FORWARD -d 10.32.22.96/27 -o eth2 -j ACL_INBOUND_eth2
   -A ACL_INBOUND_eth2 -p icmp -m icmp --icmp-type any -j ACCEPT
   -A ACL_INBOUND_eth2 -s 66.55.152.67/32 -p tcp -m tcp --dport 22002 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.69.3.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.69.3.0/24 -p tcp -m tcp --dport 3389 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.69.3.0/24 -p tcp -m tcp --dport 9000 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.69.3.0/24 -p tcp -m tcp --dport 1433 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.69.3.0/24 -p tcp -m tcp --dport 111 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.69.3.0/24 -p tcp -m tcp --dport 2049 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.69.3.0/24 -p tcp -m tcp --dport 6379 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.69.3.0/24 -p tcp -m tcp --dport 9090 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.69.3.0/24 -p tcp -m tcp --dport 3306 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.69.3.0/24 -p tcp -m tcp --dport 139 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.69.3.0/24 -p tcp -m tcp --dport 145 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.69.3.0/24 -p tcp -m tcp --dport 5900:5910 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.69.3.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.69.3.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.69.3.0/24 -p tcp -m tcp --dport 873 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.69.1.0/24 -p tcp -m tcp --dport 1433 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.69.1.0/24 -p tcp -m tcp --dport 111 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.69.1.0/24 -p tcp -m tcp --dport 2049 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.69.1.0/24 -p tcp -m tcp --dport 139 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.69.1.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.69.1.0/24 -p tcp -m tcp --dport 6379 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.69.1.0/24 -p tcp -m tcp --dport 9000 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.69.1.0/24 -p tcp -m tcp --dport 3306 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.69.1.0/24 -p tcp -m tcp --dport 10933 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.69.1.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.69.1.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.69.0.0/24 -p tcp -m tcp --dport 9000 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.69.0.0/24 -p tcp -m tcp --dport 111 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.69.0.0/24 -p tcp -m tcp --dport 2049 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.69.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.69.0.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.69.0.0/16 -p tcp -m tcp --dport 8086 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.0.0.0/16 -p tcp -m tcp --dport 3306 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.0.0.0/16 -p tcp -m tcp --dport 873 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.0.0.0/16 -p tcp -m tcp --dport 8086 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.0.0.0/16 -p tcp -m tcp --dport 1433 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.0.0.0/16 -p tcp -m tcp --dport 22001 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.0.0.0/16 -p tcp -m tcp --dport 22002 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.0.0.0/16 -p tcp -m tcp --dport 9000 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.0.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.32.22.96/27 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.69.2.0/24 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 52.2.55.172/32 -p tcp -m tcp --dport 22001 -j ACCEPT
   -A ACL_INBOUND_eth2 -j DROP
   -A ACL_INBOUND_eth2 -j DROP
   -A NETWORK_STATS_eth2 -d 10.69.0.0/16 -i eth2
   -A NETWORK_STATS_eth2 -s 10.69.0.0/16 -o eth2
   -A NETWORK_STATS -i eth0 -o eth2 -p tcp
   -A NETWORK_STATS -i eth2 -o eth0 -p tcp
   -A NETWORK_STATS ! -i eth0 -o eth2 -p tcp
   -A NETWORK_STATS -i eth2 ! -o eth0 -p tcp
   :VPN_STATS_eth2 - [0:0]
   -A PREROUTING -i eth2 -m state --state NEW -j CONNMARK --set-xmark 0x66/0xffffffff
   -A FORWARD -j VPN_STATS_eth2
   -A VPN_STATS_eth2 -o eth2 -m mark --mark 0x525
   -A VPN_STATS_eth2 -i eth2 -m mark --mark 0x524
   
   ```

