[
https://issues.apache.org/jira/browse/CLOUDSTACK-8688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14733824#comment-14733824
]
ASF GitHub Bot commented on CLOUDSTACK-8688:
--------------------------------------------
Github user wilderrodrigues commented on the pull request:
https://github.com/apache/cloudstack/pull/765#issuecomment-138321248
@miguelaferreira @remibergsma @karuturi @DaanHoogland
The test is done!
Results:
```
Test iptables default INPUT/FORWARD policy on RouterVM ... === TestName: test_02_routervm_iptables_policies | Status : SUCCESS ===
ok
Test iptables default INPUT/FORWARD policies on VPC router ... === TestName: test_01_single_VPC_iptables_policies | Status : SUCCESS ===
ok
----------------------------------------------------------------------
Ran 2 tests in 663.540s
OK
/tmp//MarvinLogs/test_routers_iptables_default_policy_RC3AMZ/results.txt
```
The tests were done only for single VPC and Isolated Network because the
Python code executed is also used by Redundant VPC and Shared Network. We can
come back to this test later and add more cases; I already added some services
for the above mentioned networks in the test.
You can run this test by doing so:
```
nosetests --with-marvin \
  --marvin-config=/data/shared/marvin/mct-zone2-kvm2-ISOLATED.cfg \
  -s -a tags=advanced,required_hardware=true \
  component/test_routers_iptables_default_policy.py
```
Make sure you do the following before running the test against a KVM
hypervisor:
* Copy the systemvm.iso from:
  cloudstack/client/target/cloud-client-ui-4.6.0-SNAPSHOT/WEB-INF/classes/vms/systemvm.iso
* To:
  /usr/share/cloudstack-common/vms/systemvm.iso
Cheers,
Wilder
> Default policy for INPUT and FORWARD chain is ACCEPT in VR filter table
> -----------------------------------------------------------------------
>
> Key: CLOUDSTACK-8688
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8688
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public (Anyone can view this level - this is the default.)
> Components: Virtual Router
> Affects Versions: 4.6.0
> Environment: Latest build from ACS master.
> Zone type: Advanced
> Reporter: Sanjeev N
> Assignee: Wilder Rodrigues
> Priority: Blocker
> Fix For: 4.6.0
>
>
> Default policy for INPUT and FORWARD chain is ACCEPT in VR filter table
> Steps to reproduce the issue:
> =======================
> 1. Bring up CS in advanced zone with any supported hypervisor (e.g. Xenserver)
> 2. Create an isolated network with Network Offering "DefaultIsolatedNetworkOfferingWithSourceNatService"
> 3. Deploy one guest vm within that network
> Result:
> =======
> IP tables rules on the VR created are as follows:
> root@r-7-VM:~# iptables --list
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> NETWORK_STATS all -- anywhere anywhere
> ACCEPT all -- anywhere vrrp.mcast.net
> ACCEPT all -- anywhere 225.0.0.50
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT icmp -- anywhere anywhere
> ACCEPT all -- anywhere anywhere
> ACCEPT all -- anywhere vrrp.mcast.net
> ACCEPT all -- anywhere 225.0.0.50
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT icmp -- anywhere anywhere
> ACCEPT all -- anywhere anywhere
> ACCEPT udp -- anywhere anywhere udp dpt:bootps
> ACCEPT udp -- anywhere anywhere udp dpt:domain
> ACCEPT tcp -- anywhere anywhere tcp dpt:domain
> ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW
> ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt state NEW
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> NETWORK_STATS all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT all -- anywhere anywhere state NEW
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> NETWORK_STATS all -- anywhere anywhere
> Chain NETWORK_STATS (3 references)
> target prot opt source destination
> all -- anywhere anywhere
> all -- anywhere anywhere
> tcp -- anywhere anywhere
> tcp -- anywhere anywhere
> But the default policy for the INPUT and FORWARD chains should be DROP instead of
> ACCEPT. Otherwise all traffic would be allowed to the VR.
> Same is the case with VPC and Shared network as well.
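As an added example (not the Marvin test from the PR and not CloudStack code), a small checker that parses `iptables --list` output and reports built-in chains whose default policy is not DROP, which is the condition the issue describes. The sample listing is constructed and trimmed from the output quoted in the issue; the helper names are my own.

```python
import re

# Constructed sample, trimmed from the `iptables --list` output quoted in the issue:
# INPUT and FORWARD still default to ACCEPT, which is the bug being reported.
VULNERABLE_OUTPUT = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
NETWORK_STATS  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state NEW
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain NETWORK_STATS (3 references)
target     prot opt source               destination
"""

# Same listing as it should look after the fix: INPUT and FORWARD default to DROP.
FIXED_OUTPUT = VULNERABLE_OUTPUT.replace("INPUT (policy ACCEPT)", "INPUT (policy DROP)") \
                                .replace("FORWARD (policy ACCEPT)", "FORWARD (policy DROP)")

# Only built-in chains carry a "(policy ...)" header; user chains show "(N references)".
CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (ACCEPT|DROP|REJECT)\)")

def chain_policies(listing):
    """Map each built-in chain name to its default policy from `iptables --list` output.
    User-defined chains such as NETWORK_STATS have no policy and are skipped."""
    policies = {}
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
    return policies

def check_default_policies(listing, expected=("INPUT", "FORWARD")):
    """Return {chain: policy} for expected chains whose policy is not DROP.
    An empty dict means compliant. A chain absent from the listing is reported as
    MISSING so that a truncated capture cannot pass silently."""
    policies = chain_policies(listing)
    return {c: policies.get(c, "MISSING") for c in expected if policies.get(c) != "DROP"}

if __name__ == "__main__":
    print("before fix:", check_default_policies(VULNERABLE_OUTPUT))  # {'INPUT': 'ACCEPT', 'FORWARD': 'ACCEPT'}
    print("after fix: ", check_default_policies(FIXED_OUTPUT))       # {}
```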
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)