[
https://issues.apache.org/jira/browse/CLOUDSTACK-8688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14651698#comment-14651698
]
Wilder Rodrigues commented on CLOUDSTACK-8688:
----------------------------------------------
The vpc-router is now fixed. Just the normal isolated and shared router to go:
[root@kvm2 ~]# ssh -i ~/.ssh/id_rsa.cloud -p 3922 169.254.1.135
Linux r-5-VM 3.2.0-4-amd64 #1 SMP Debian 3.2.68-1+deb7u2 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Aug 3 09:59:04 2015
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@r-5-VM:~#
root@r-5-VM:~#
root@r-5-VM:~#
root@r-5-VM:~# iptables --list
Chain INPUT (policy DROP)
target prot opt source destination
NETWORK_STATS all -- anywhere anywhere
ACCEPT all -- anywhere 224.0.0.18
ACCEPT all -- anywhere 225.0.0.50
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:3922
state NEW
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
Chain FORWARD (policy DROP)
target prot opt source destination
NETWORK_STATS_eth1 all -- anywhere anywhere
NETWORK_STATS all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT all -- 10.0.1.0/24 !10.0.1.0/24
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
NETWORK_STATS all -- anywhere anywhere
Chain NETWORK_STATS (3 references)
target prot opt source destination
tcp -- anywhere anywhere
tcp -- anywhere anywhere
tcp -- anywhere anywhere
tcp -- anywhere anywhere
Chain NETWORK_STATS_eth1 (1 references)
target prot opt source destination
all -- 10.0.1.0/24 anywhere
all -- anywhere 10.0.1.0/24
root@r-5-VM:~#
> Defualt policy for INPUT and FORWARD chain is ACCEPT in VR filter table
> -----------------------------------------------------------------------
>
> Key: CLOUDSTACK-8688
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8688
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: Virtual Router
> Affects Versions: 4.6.0
> Environment: Latest build from ACS master.
> Zone type: Advanced
> Reporter: Sanjeev N
> Assignee: Wilder Rodrigues
> Priority: Critical
>
> Defualt policy for INPUT and FORWARD chain is ACCEPT in VR filter table
> Steps to reproduce the issue:
> =======================
> 1.Bring up CS in advanced zone with any supported hypervisor (e.g. Xenserver)
> 2.Create an isolated network with Network Offering
> "DefaultIsolatedNetworkOfferingWithSourceNatService"
> 3.Deploy one guest vm within that network
> Result:
> =======
> IP tables rules on the VR created are as follows:
> root@r-7-VM:~# iptables --list
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> NETWORK_STATS all -- anywhere anywhere
> ACCEPT all -- anywhere vrrp.mcast.net
> ACCEPT all -- anywhere 225.0.0.50
> ACCEPT all -- anywhere anywhere state
> RELATED,ESTABLISHED
> ACCEPT icmp -- anywhere anywhere
> ACCEPT all -- anywhere anywhere
> ACCEPT all -- anywhere vrrp.mcast.net
> ACCEPT all -- anywhere 225.0.0.50
> ACCEPT all -- anywhere anywhere state
> RELATED,ESTABLISHED
> ACCEPT icmp -- anywhere anywhere
> ACCEPT all -- anywhere anywhere
> ACCEPT udp -- anywhere anywhere udp dpt:bootps
> ACCEPT udp -- anywhere anywhere udp dpt:domain
> ACCEPT tcp -- anywhere anywhere tcp dpt:domain
> ACCEPT tcp -- anywhere anywhere tcp dpt:http
> state NEW
> ACCEPT tcp -- anywhere anywhere tcp
> dpt:http-alt state NEW
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> NETWORK_STATS all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere state
> RELATED,ESTABLISHED
> ACCEPT all -- anywhere anywhere state NEW
> ACCEPT all -- anywhere anywhere state
> RELATED,ESTABLISHED
> ACCEPT all -- anywhere anywhere state
> RELATED,ESTABLISHED
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> NETWORK_STATS all -- anywhere anywhere
> Chain NETWORK_STATS (3 references)
> target prot opt source destination
> all -- anywhere anywhere
> all -- anywhere anywhere
> tcp -- anywhere anywhere
> tcp -- anywhere anywhere
> But the Default policy for INPUT and FORWARD chain should be DROP instead of
> ACCEPT. Otherwise all the traffic would be allowed to VR.
> Same is the case with VPC and Shared network as well.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
