weizhouapache commented on pull request #5397:
URL: https://github.com/apache/cloudstack/pull/5397#issuecomment-918917548


   
   @ravening 
   
   I want to be clear about:
   (1) is 10.32.22.125 configured as the gateway in the dedicated servers (10.32.22.96/27)?
   (2) does ping from the VM to the dedicated server work?
   I notice there are many rules in the ACL for the private gateway; ssh from the VM to the dedicated server might not work, but ping should work.
   ```
   -A FORWARD -d 10.32.22.96/27 -o eth2 -j ACL_INBOUND_eth2
   -A ACL_INBOUND_eth2 -p icmp -m icmp --icmp-type any -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.69.3.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
   -A ACL_INBOUND_eth2 -s 10.0.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
   ```
   
   > @weizhouapache below are the details
   > 
   > ```
   > # ip a
   > 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
   >     link/ether 1e:00:8f:00:8d:76 brd ff:ff:ff:ff:ff:ff
   >     inet 10.32.22.125/27 brd 10.32.22.127 scope global eth2
   >        valid_lft forever preferred_lft forever
   > 
   > # ip route
   > default via 5.79.116.62 dev eth1
   > 5.79.116.32/27 dev eth1 proto kernel scope link src 5.79.116.33
   > 10.32.22.96/27 dev eth2 proto kernel scope link src 10.32.22.125
   > 10.69.0.0/24 dev eth3 proto kernel scope link src 10.69.0.252
   > 10.69.1.0/24 dev eth4 proto kernel scope link src 10.69.1.252
   > 10.69.2.0/24 dev eth5 proto kernel scope link src 10.69.2.251
   > 10.69.3.0/24 dev eth6 proto kernel scope link src 10.69.3.252
   > 169.254.0.0/16 dev eth0 proto kernel scope link src 169.254.0.255
   > 
   > 
   > # iptables-save | grep eth2
   > :ACL_INBOUND_eth2 - [0:0]
   > :NETWORK_STATS_eth2 - [0:0]
   > -A FORWARD -j NETWORK_STATS_eth2
   > -A FORWARD -d 10.32.22.96/27 -o eth2 -j ACL_INBOUND_eth2
   > -A ACL_INBOUND_eth2 -p icmp -m icmp --icmp-type any -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 66.55.152.67/32 -p tcp -m tcp --dport 22002 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.69.3.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.69.3.0/24 -p tcp -m tcp --dport 3389 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.69.3.0/24 -p tcp -m tcp --dport 9000 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.69.3.0/24 -p tcp -m tcp --dport 1433 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.69.3.0/24 -p tcp -m tcp --dport 111 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.69.3.0/24 -p tcp -m tcp --dport 2049 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.69.3.0/24 -p tcp -m tcp --dport 6379 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.69.3.0/24 -p tcp -m tcp --dport 9090 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.69.3.0/24 -p tcp -m tcp --dport 3306 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.69.3.0/24 -p tcp -m tcp --dport 139 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.69.3.0/24 -p tcp -m tcp --dport 145 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.69.3.0/24 -p tcp -m tcp --dport 5900:5910 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.69.3.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.69.3.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.69.3.0/24 -p tcp -m tcp --dport 873 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.69.1.0/24 -p tcp -m tcp --dport 1433 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.69.1.0/24 -p tcp -m tcp --dport 111 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.69.1.0/24 -p tcp -m tcp --dport 2049 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.69.1.0/24 -p tcp -m tcp --dport 139 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.69.1.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.69.1.0/24 -p tcp -m tcp --dport 6379 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.69.1.0/24 -p tcp -m tcp --dport 9000 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.69.1.0/24 -p tcp -m tcp --dport 3306 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.69.1.0/24 -p tcp -m tcp --dport 10933 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.69.1.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.69.1.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.69.0.0/24 -p tcp -m tcp --dport 9000 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.69.0.0/24 -p tcp -m tcp --dport 111 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.69.0.0/24 -p tcp -m tcp --dport 2049 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.69.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.69.0.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.69.0.0/16 -p tcp -m tcp --dport 8086 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.0.0.0/16 -p tcp -m tcp --dport 3306 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.0.0.0/16 -p tcp -m tcp --dport 873 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.0.0.0/16 -p tcp -m tcp --dport 8086 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.0.0.0/16 -p tcp -m tcp --dport 1433 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.0.0.0/16 -p tcp -m tcp --dport 22001 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.0.0.0/16 -p tcp -m tcp --dport 22002 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.0.0.0/16 -p tcp -m tcp --dport 9000 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.0.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.32.22.96/27 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 10.69.2.0/24 -j ACCEPT
   > -A ACL_INBOUND_eth2 -s 52.2.55.172/32 -p tcp -m tcp --dport 22001 -j ACCEPT
   > -A ACL_INBOUND_eth2 -j DROP
   > -A ACL_INBOUND_eth2 -j DROP
   > -A NETWORK_STATS_eth2 -d 10.69.0.0/16 -i eth2
   > -A NETWORK_STATS_eth2 -s 10.69.0.0/16 -o eth2
   > -A NETWORK_STATS -i eth0 -o eth2 -p tcp
   > -A NETWORK_STATS -i eth2 -o eth0 -p tcp
   > -A NETWORK_STATS ! -i eth0 -o eth2 -p tcp
   > -A NETWORK_STATS -i eth2 ! -o eth0 -p tcp
   > :VPN_STATS_eth2 - [0:0]
   > -A PREROUTING -i eth2 -m state --state NEW -j CONNMARK --set-xmark 0x66/0xffffffff
   > -A FORWARD -j VPN_STATS_eth2
   > -A VPN_STATS_eth2 -o eth2 -m mark --mark 0x525
   > -A VPN_STATS_eth2 -i eth2 -m mark --mark 0x524
   > ```
   
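To check which of the quoted ACL_INBOUND_eth2 rules a given VM-to-dedicated-server flow would hit, here is an added example (not code from the PR or from CloudStack) that parses a constructed subset of the rules above in iptables-save syntax and evaluates them first-match, the way the chain does. It shows why ICMP is accepted from any source while TCP/22 is dropped unless the source falls in 10.69.3.0/24 or 10.0.0.0/16; only the -s, -p, --dport and -j fields are modelled.

```python
import ipaddress
import re

# Constructed subset of the ACL_INBOUND_eth2 chain quoted above (iptables-save syntax).
ACL_RULES = """
-A ACL_INBOUND_eth2 -p icmp -m icmp --icmp-type any -j ACCEPT
-A ACL_INBOUND_eth2 -s 10.69.3.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A ACL_INBOUND_eth2 -s 10.69.3.0/24 -p tcp -m tcp --dport 5900:5910 -j ACCEPT
-A ACL_INBOUND_eth2 -s 10.0.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
-A ACL_INBOUND_eth2 -s 10.32.22.96/27 -j ACCEPT
-A ACL_INBOUND_eth2 -s 10.69.2.0/24 -j ACCEPT
-A ACL_INBOUND_eth2 -j DROP
"""


def parse_rules(text):
    """Extract the match fields this example understands: -s, -p, --dport (single or lo:hi), -j."""
    rules = []
    for line in text.strip().splitlines():
        rule = {"src": None, "proto": None, "dport": None, "target": None}
        m = re.search(r"-s (\S+)", line)
        if m:
            rule["src"] = ipaddress.ip_network(m.group(1))
        m = re.search(r"-p (\S+)", line)
        if m:
            rule["proto"] = m.group(1)
        m = re.search(r"--dport (\d+)(?::(\d+))?", line)
        if m:
            lo = int(m.group(1))
            rule["dport"] = (lo, int(m.group(2) or lo))
        rule["target"] = re.search(r"-j (\S+)", line).group(1)
        rules.append(rule)
    return rules


def evaluate(rules, src, proto, dport=None):
    """Walk the chain top to bottom; the first rule whose matches all hold decides the verdict."""
    src_ip = ipaddress.ip_address(src)
    for r in rules:
        if r["src"] is not None and src_ip not in r["src"]:
            continue
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if r["dport"] is not None and (dport is None or not r["dport"][0] <= dport <= r["dport"][1]):
            continue
        return r["target"]
    return "RETURN"  # no rule matched: control returns to FORWARD (unreachable here, DROP is last)
```

Feeding it the real chain from `iptables-save` on the VR lets you confirm a specific VM subnet and port before changing ACLs.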

