venkata swamybabu budumuru created CLOUDSTACK-1850:
------------------------------------------------------

             Summary: IPTABLE default rules are not configured in the INPUT chain & FW_OUTBOUND chain is not present
                 Key: CLOUDSTACK-1850
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-1850
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
          Components: Network Controller
    Affects Versions: 4.2.0
         Environment: - Commit Id # 94de31ebada689a766809e0b73faf567a079c79a
- Advanced zone with Xen Cluster 
root@r-6-VM:~# cat /etc/cloudstack-release 
Cloudstack Release 4.2.0 Thu Mar 28 04:09:55 UTC 2013
            Reporter: venkata swamybabu budumuru
            Priority: Critical
             Fix For: 4.2.0


Steps to reproduce :

1. Have at least one isolated network created
2. Deploy a VM with at least one NIC connected to the above isolated network
3. Verify iptables on the newly deployed router VM for the above isolated network

Observations :

1. It doesn't have any default outbound rules (like for ports 53, 67, etc.) 
configured, but things go fine because the policy for the INPUT chain is set to 
ACCEPT by default.
2. All the egress from VM is by default working / allowed because FORWARD chain 
is not configured with "FW_OUTBOUND" Chain.

Here is the snippet of router vm for "iptables -L -nv"

root@r-6-VM:~# iptables -L -nv
Chain INPUT (policy ACCEPT 2032 packets, 305K bytes)
 pkts bytes target     prot opt in     out     source               destination
 2149  320K NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 18 packets, 1419 bytes)
 pkts bytes target     prot opt in     out     source               destination
   36  8380 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   18  6961 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.2.235           state RELATED,ESTABLISHED /* 10.147.44.61:22:22 */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.2.235           tcp dpt:22 state NEW /* 10.147.44.61:22:22 */

Chain OUTPUT (policy ACCEPT 1930 packets, 340K bytes)
 pkts bytes target     prot opt in     out     source               destination
 2056  358K NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain NETWORK_STATS (3 references)
 pkts bytes target     prot opt in     out     source               destination
   18  1419            all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
   18  6961            all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0
    0     0            tcp  --  !eth0  eth2    0.0.0.0/0            0.0.0.0/0
    0     0            tcp  --  eth2   !eth0   0.0.0.0/0            0.0.0.0/0

Attaching vmops.log, api.log, /var/log/messages, cloud.log from router, etc.

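
Added example (not part of the original report and not CloudStack code): a shell check for the two conditions the report observes, run over `iptables -L -nv` text. The function names are hypothetical, the sample is the report's listing abridged, and treating NETWORK_STATS as accounting-only is an assumption drawn from that listing, where its rules carry no target.

```shell
#!/bin/sh
# Added example, not CloudStack code. Reads `iptables -L -nv` text on stdin
# and prints one finding per line; no output means every check passed.
audit_router_iptables() {
    awk '
    $1 == "Chain" {
        chain = $2; seen[chain] = 1
        # Built-in chains print "(policy X ..."; user chains "(N references)".
        if ($3 == "(policy") policy[chain] = $4
        next
    }
    # Rule rows begin with packet and byte counters (optionally K/M/G suffixed).
    chain != "" && $1 ~ /^[0-9]+[KMG]?$/ && $2 ~ /^[0-9]+[KMG]?$/ {
        # With a target the opt column ("--") is field 5; without one, field 4.
        target = ($5 == "--") ? $3 : ""
        # Assumption: NETWORK_STATS only counts traffic and filters nothing.
        if (target != "" && target != "NETWORK_STATS") filtering[chain]++
        if (chain == "FORWARD" && target == "FW_OUTBOUND") jump = 1
    }
    END {
        if (policy["INPUT"] == "ACCEPT" && !filtering["INPUT"])
            print "INPUT: policy ACCEPT with no filtering rules"
        if (!("FW_OUTBOUND" in seen))
            print "FW_OUTBOUND: chain not present"
        if (!jump)
            print "FORWARD: no jump to FW_OUTBOUND"
    }'
}

# Constructed sample: the listing from this report, abridged.
reported_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 2032 packets, 305K bytes)
 pkts bytes target     prot opt in     out     source               destination
 2149  320K NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 18 packets, 1419 bytes)
 pkts bytes target     prot opt in     out     source               destination
   36  8380 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   18  6961 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain NETWORK_STATS (3 references)
 pkts bytes target     prot opt in     out     source               destination
   18  1419            all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
EOF
}

reported_listing | audit_router_iptables
```

On a router VM the same function can be fed live output with `iptables -L -nv | audit_router_iptables`.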