[
https://issues.apache.org/jira/browse/CLOUDSTACK-8795?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14740298#comment-14740298
]
Rajani Karuturi edited comment on CLOUDSTACK-8795 at 9/11/15 6:52 AM:
----------------------------------------------------------------------
This issue still exists on the latest master. Tested it on commit
2d90f18b82a0c52fdfc815e0f8efb565f96788e3 with the latest systemvm template.
On the VR:
{noformat}
# cat /etc/cloudstack-release
Cloudstack Release 4.6.0 Thu Sep 10 23:29:03 UTC 2015
# iptables -n -L -v
Chain INPUT (policy DROP 1 packets, 32 bytes)
pkts bytes target prot opt in out source destination
134 19552 NETWORK_STATS all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 224.0.0.18
0 0 ACCEPT all -- * * 0.0.0.0/0 225.0.0.50
27 2052 ACCEPT all -- eth2 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 252 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
103 17216 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3922 state NEW,ESTABLISHED
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3922 state NEW,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 224.0.0.18
0 0 ACCEPT all -- * * 0.0.0.0/0 225.0.0.50
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 state NEW
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3922 state NEW,ESTABLISHED
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 NETWORK_STATS all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 eth0 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth2 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 FW_OUTBOUND all -- eth0 eth2 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 17 packets, 1348 bytes)
pkts bytes target prot opt in out source destination
121 17699 NETWORK_STATS all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FIREWALL_EGRESS_RULES (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FW_OUTBOUND (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain NETWORK_STATS (3 references)
pkts bytes target prot opt in out source destination
0 0 all -- eth0 eth2 0.0.0.0/0 0.0.0.0/0
0 0 all -- eth2 eth0 0.0.0.0/0 0.0.0.0/0
0 0 tcp -- !eth0 eth2 0.0.0.0/0 0.0.0.0/0
0 0 tcp -- eth2 !eth0 0.0.0.0/0 0.0.0.0/0
{noformat}
On the user VM:
{noformat}
# ping google.com
PING google.com (216.58.220.46) 56(84) bytes of data.
--- google.com ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5010ms
{noformat}
> outgoing public traffic blocked in vm created using
> DefaultIsolatedNetworkOfferingWithSourceNatService
> -------------------------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-8795
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8795
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Affects Versions: 4.6.0
> Environment: Xenserver 6.5, advanced zone, CS 4.6.0
> Reporter: Rajani Karuturi
> Priority: Critical
>
> In the case of a VM launched in a VPC, outgoing public traffic worked (I was
> able to ping google.com).
> But in the case of a default isolated network
> (DefaultIsolatedNetworkOfferingWithSourceNatService) VM, outgoing public
> traffic was blocked even after adding an egress rule.
> It only worked after running the following on the isolated VR:
> iptables -I FW_OUTBOUND -j FIREWALL_EGRESS_RULES
> This issue was observed while reviewing PR #765
> https://github.com/apache/cloudstack/pull/765#issuecomment-136962555
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
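The listing in the comment shows the wiring gap directly: FIREWALL_EGRESS_RULES has 0 references and FW_OUTBOUND only accepts RELATED,ESTABLISHED traffic, so with FORWARD's policy set to DROP a guest's new outbound connection never reaches the egress rules. The following added Python checker (not CloudStack's code and not from the reporter) parses `iptables -n -L -v` output and reports exactly that condition, so it can be run over a captured listing from a VR without a router at hand. Both embedded listings are constructed: the first is trimmed from the comment's output above (wrapped lines joined), the second is the assumed state of the same chains after the reporter's workaround `iptables -I FW_OUTBOUND -j FIREWALL_EGRESS_RULES`.

```python
"""Check an `iptables -n -L -v` listing for an egress chain that is never reached."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references)")
PROTOS = {"all", "tcp", "udp", "icmp"}


@dataclass
class Rule:
    target: str      # empty for accounting-only rules (e.g. inside NETWORK_STATS)
    proto: str
    in_if: str
    out_if: str
    match: str       # trailing match text such as "state RELATED,ESTABLISHED"


@dataclass
class Chain:
    name: str
    policy: Optional[str]   # None for user-defined chains
    references: int         # 0 for built-in chains, which have a policy instead
    rules: List[Rule] = field(default_factory=list)


def parse_rule(line: str) -> Rule:
    # Columns: pkts bytes [target] prot opt in out source destination [match...]
    # The target column is blank for rules without a jump, so detect it by
    # checking whether the third token is a protocol name.
    tok = line.split()
    i, target = 2, ""
    if tok[i] not in PROTOS:
        target, i = tok[i], i + 1
    proto, _opt, in_if, out_if, _src, _dst = tok[i:i + 6]
    return Rule(target, proto, in_if, out_if, " ".join(tok[i + 6:]))


def parse_listing(text: str) -> Dict[str, Chain]:
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("pkts bytes target"):
            continue  # blank line or column header
        m = CHAIN_RE.match(line)
        if m:
            name, policy, refs = m.groups()
            current = Chain(name, policy, int(refs) if refs else 0)
            chains[name] = current
        elif current is not None:
            current.rules.append(parse_rule(line))
    return chains


def egress_findings(chains: Dict[str, Chain], outbound: str = "FW_OUTBOUND",
                    egress: str = "FIREWALL_EGRESS_RULES") -> List[str]:
    """Return human-readable findings; an empty list means egress rules are reachable."""
    findings: List[str] = []
    eg = chains.get(egress)
    if eg is None:
        findings.append(f"chain {egress} is missing")
    elif eg.references == 0:
        findings.append(f"chain {egress} has 0 references: egress rules are never evaluated")
    ob = chains.get(outbound)
    if ob is None:
        findings.append(f"chain {outbound} is missing")
    elif not any(r.target == egress for r in ob.rules):
        findings.append(f"chain {outbound} never jumps to {egress}")
    fwd = chains.get("FORWARD")
    if findings and fwd is not None and fwd.policy == "DROP":
        findings.append("FORWARD policy is DROP, so unmatched guest egress is dropped")
    return findings


# Constructed sample: the relevant chains from the comment's listing, wrapped lines joined.
BROKEN_LISTING = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 NETWORK_STATS all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth2 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 FW_OUTBOUND all -- eth0 eth2 0.0.0.0/0 0.0.0.0/0
Chain FIREWALL_EGRESS_RULES (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FW_OUTBOUND (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain NETWORK_STATS (3 references)
pkts bytes target prot opt in out source destination
0 0 all -- eth0 eth2 0.0.0.0/0 0.0.0.0/0
"""

# Constructed (assumed) listing after `iptables -I FW_OUTBOUND -j FIREWALL_EGRESS_RULES`:
# the jump is inserted at the head of FW_OUTBOUND and the reference count becomes 1.
FIXED_LISTING = BROKEN_LISTING.replace(
    "Chain FIREWALL_EGRESS_RULES (0 references)",
    "Chain FIREWALL_EGRESS_RULES (1 references)",
).replace(
    "Chain FW_OUTBOUND (1 references)\npkts bytes target prot opt in out source destination\n",
    "Chain FW_OUTBOUND (1 references)\npkts bytes target prot opt in out source destination\n"
    "0 0 FIREWALL_EGRESS_RULES all -- * * 0.0.0.0/0 0.0.0.0/0\n",
)


def check(text: str) -> List[str]:
    return egress_findings(parse_listing(text))


if __name__ == "__main__":
    for label, listing in (("before workaround", BROKEN_LISTING), ("after workaround", FIXED_LISTING)):
        found = check(listing)
        print(f"{label}: {'OK' if not found else 'PROBLEM'}")
        for f in found:
            print("  -", f)
```

The check deliberately looks at two independent signals, the `(N references)` count on the egress chain and an explicit jump in the outbound chain, so it still fires if a future template renames or reorders rules but leaves the egress chain orphaned; the FORWARD-policy line is only added when a gap was found, since with policy ACCEPT the same wiring gap would not block traffic.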