[
https://issues.apache.org/jira/browse/CLOUDSTACK-8681?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14905888#comment-14905888
]
Rajani Karuturi commented on CLOUDSTACK-8681:
---------------------------------------------
I see that the default policy is set to drop. Tested this on a management server running on master commit
13b29bac5a1778e295df7e9fb21c502fcf017183
and the systemvm template from CloudStack Release 4.6.0 Thu Sep 10 23:29:03 UTC 2015
{noformat}
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 NETWORK_STATS all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 eth0 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth2 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 FW_OUTBOUND all -- eth0 eth2 0.0.0.0/0 0.0.0.0/0
{noformat}
> [Egress_Rules] CS does not honor the default deny egress policy in isolated
> network
> -----------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-8681
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8681
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: Network Controller
> Affects Versions: 4.6.0
> Environment: Latest build from master with commit
> ac9c2a224a78f413945e25fd7cf23364fbef00b5
> Zone: Advanced
> Reporter: Sanjeev N
> Priority: Critical
>
> [Egress_Rules] CS does not honor the default deny egress policy in isolated
> network
> Steps to reproduce:
> =================
> 1. Bring up CS in advanced zone with any of the supported hypervisors
> 2. Create an isolated network with network offering
> "DefaultIsolatedNetworkOfferingWithSourceNatService" so that the default egress
> policy would be "deny all"
> 3. Deploy one guest vm in that network
> Expected Result:
> =============
> VR forward chain in filter table should have the default DROP policy.
> Actual Result:
> ===========
> Following is the FORWARD chain from the VR:
> Chain FORWARD (policy ACCEPT 10282 packets, 1743K bytes)
> pkts bytes target prot opt in out source destination
> 46405 27M NETWORK_STATS all -- * * 0.0.0.0/0 0.0.0.0/0
> 0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 0 0 ACCEPT all -- eth0 eth0 0.0.0.0/0 0.0.0.0/0 state NEW
> 27468 25M ACCEPT all -- eth2 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 0 0 ACCEPT all -- eth0 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 2 104 ACCEPT tcp -- eth2 eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
> It should be in the following way:
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 NETWORK_STATS all -- * * 0.0.0.0/0 0.0.0.0/0
> 0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 0 0 ACCEPT all -- eth0 eth0 0.0.0.0/0 0.0.0.0/0 state NEW
> 0 0 ACCEPT all -- eth0 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 0 0 ACCEPT all -- eth2 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 0 0 FW_OUTBOUND all -- eth0 eth2 0.0.0.0/0 0.0.0.0/0
>
> Chain FW_EGRESS_RULES (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
>
> Chain FW_OUTBOUND (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 0 0 FW_EGRESS_RULES all -- * * 0.0.0.0/0 0.0.0.0/0
> Looks like now we are loading iptables from "/etc/iptables/router_rules.v4".
> But the base for this file should be "/etc/iptables/rules.v4" to persist
> the default behavior.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
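As an added example (not code from the issue or from the CloudStack project), a small Python check that parses `iptables -L -v -n` output from a virtual router and flags the deviation the report describes: the FORWARD chain not defaulting to DROP, and outbound traffic not being routed through FW_OUTBOUND and FW_EGRESS_RULES. The two chain listings are constructed after the ones quoted in the issue; the chain names are the ones the report shows.

```python
import re

# Constructed samples shaped like `iptables -L -v -n` output, not copied from a VR.
# ACTUAL mirrors the report's default-ACCEPT FORWARD chain.
ACTUAL = """\
Chain FORWARD (policy ACCEPT 10282 packets, 1743K bytes)
 pkts bytes target prot opt in out source destination
46405 27M NETWORK_STATS all -- * * 0.0.0.0/0 0.0.0.0/0
2 104 ACCEPT tcp -- eth2 eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
"""
# EXPECTED mirrors the default-DROP layout: FORWARD -> FW_OUTBOUND -> FW_EGRESS_RULES -> DROP.
EXPECTED = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
0 0 NETWORK_STATS all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FW_OUTBOUND all -- eth0 eth2 0.0.0.0/0 0.0.0.0/0

Chain FW_EGRESS_RULES (1 references)
 pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
"""
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")

def parse_chains(text):
    """Map chain name -> {'policy': str|None, 'targets': [...]}; rule rows start with a packet count."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "targets": []}
            continue
        parts = line.split()
        if current and len(parts) >= 3 and parts[0].isdigit():
            chains[current]["targets"].append(parts[2])
    return chains

def audit_egress(text):
    """Return deviations from the expected default-deny layout; an empty list means it matches."""
    chains = parse_chains(text)
    fwd = chains.get("FORWARD", {"policy": None, "targets": []})
    egress = chains.get("FW_EGRESS_RULES", {"targets": []})
    checks = [
        (fwd["policy"] == "DROP", f"FORWARD policy is {fwd['policy']}, expected DROP"),
        ("FW_OUTBOUND" in fwd["targets"], "FORWARD never jumps to FW_OUTBOUND"),
        (egress["targets"][-1:] == ["DROP"], "FW_EGRESS_RULES does not end in an unconditional DROP"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Run `audit_egress` over the output of `iptables -L -v -n` captured from a VR; for the report's "actual" listing it returns three findings, for the expected listing none.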