[ https://issues.apache.org/jira/browse/CLOUDSTACK-8925?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14986993#comment-14986993 ]
ASF GitHub Bot commented on CLOUDSTACK-8925:
--------------------------------------------

Github user karuturi commented on the pull request:

    https://github.com/apache/cloudstack/pull/1023#issuecomment-153301644

@wilderrodrigues apart from the issue mentioned in CLOUDSTACK-9018, I found the below issue.

The egress rule added in a default egress ALLOW network doesn't block the traffic.

On a default egress DENY network, I added a rule to allow 22. iptables rules look fine and I am able to ssh from a vm created in this network:

```
Chain FW_EGRESS_RULES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    4   288 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
```

```
[root@egress-deny-vm ~]# ssh 10.147.28.48
root@10.147.28.48's password:
Last login: Tue Nov  3 08:49:09 2015 from 10.147.30.176
```

Once I delete the rule, I am not able to ssh from the vm anymore and the iptables rule is deleted, which is expected.

But, in case of a default egress ALLOW network, any egress rule added should be to block the traffic, i.e. rules should be added with target DROP. When I add an egress rule to block 22, the iptables rule created is to accept 22 and the port is not blocked:

```
Chain FW_EGRESS_RULES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    1    84 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
```

and ssh is not blocked from a vm created in this network (even after creating the egress rule to block it):

```
root@10.147.28.48's password:
Last login: Tue Nov  3 08:55:04 2015 from 10.147.30.173
```

> Default allow for Egress rules is not being configured properly in VR
> iptables rules
> ------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-8925
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8925
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: Virtual Router
>    Affects Versions: 4.6.0
>            Reporter: Pavan Kumar Bandarupally
>            Assignee: Wilder Rodrigues
>            Priority: Blocker
>             Fix For: 4.6.0
>
>
> When we create a network with Egress rules set to default allow, the rules
> created in the FW_OUTBOUND table should have a reference to the FW_EGRESS_RULES
> chain, which has a rule to accept NEW packets from the guest instances. Without
> that rule, only the RELATED,ESTABLISHED rule in the FW_OUTBOUND chain will
> result in a drop of packets.
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target        prot opt in   out  source     destination
>    44  2832 NETWORK_STATS all  --  *    *    0.0.0.0/0  0.0.0.0/0
>     0     0 ACCEPT        all  --  eth0 eth1 0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
>     0     0 ACCEPT        all  --  eth0 eth0 0.0.0.0/0  0.0.0.0/0  state NEW
>     4   336 ACCEPT        all  --  eth2 eth0 0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
>     0     0 ACCEPT        all  --  eth0 eth0 0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
>    40  2496 FW_OUTBOUND   all  --  eth0 eth2 0.0.0.0/0  0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 20 packets, 1888 bytes)
>  pkts bytes target        prot opt in   out  source     destination
>  2498  369K NETWORK_STATS all  --  *    *    0.0.0.0/0  0.0.0.0/0
>
> Chain FIREWALL_EGRESS_RULES (0 references)
>  pkts bytes target        prot opt in   out  source     destination
>
> Chain FW_OUTBOUND (1 references)
>  pkts bytes target        prot opt in   out  source     destination
>     3   252 ACCEPT        all  --  *    *    0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
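The two misprogrammings discussed in this thread (an egress chain whose rule targets do not match the network's default policy, and an FW_OUTBOUND chain that never jumps to the egress chain) can be caught on the virtual router from `iptables -L -v -n` output. The checker below is an added example, not code from the CloudStack project or from the commenters; it assumes the column layout of `iptables -L -v -n` as pasted in the comment, and the sample listings embedded in it are copied from the chains shown above.

```python
"""Consistency checks for a CloudStack-style virtual router egress setup.

Reads `iptables -L -v -n` output and checks:
  1. FW_OUTBOUND jumps to FW_EGRESS_RULES (otherwise only the
     RELATED,ESTABLISHED rule remains and NEW guest traffic is dropped).
  2. FW_EGRESS_RULES matches the network's default egress policy:
       default DENY  -> per-port rules ACCEPT, catch-all DROP
       default ALLOW -> per-port rules DROP,   catch-all ACCEPT
"""
import re

# Column layout of `iptables -L -v -n`:
#   pkts bytes target prot opt in out source destination [match extras]
_RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+[KMG]?)\s+(?P<bytes>\d+[KMG]?)\s+(?P<target>\S+)\s+"
    r"(?P<prot>\S+)\s+(?P<opt>\S+)\s+(?P<inif>\S+)\s+(?P<outif>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)(?P<extra>.*)$"
)


def parse_chain(listing, chain):
    """Return the rules of `chain` as a list of dicts, in table order."""
    rules, in_chain = [], False
    for line in listing.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == chain
            continue
        if not in_chain or not line.strip() or line.split()[0] == "pkts":
            continue  # outside our chain, blank, or the column header
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError("unparseable rule line: %r" % line)
        rule = m.groupdict()
        rule["extra"] = rule["extra"].strip()
        dport = re.search(r"dpt:(\d+)", rule["extra"])
        rule["dport"] = int(dport.group(1)) if dport else None
        rules.append(rule)
    return rules


def outbound_references_egress(listing, outbound="FW_OUTBOUND",
                               egress="FW_EGRESS_RULES"):
    """True if the outbound chain contains a jump to the egress chain."""
    return any(r["target"] == egress for r in parse_chain(listing, outbound))


def check_egress_chain(rules, default_policy):
    """Return findings for an egress chain; an empty list means consistent."""
    policy = default_policy.upper()
    if policy not in ("ALLOW", "DENY"):
        raise ValueError("default_policy must be ALLOW or DENY")
    # What a correctly programmed chain looks like under this policy.
    want_specific, want_catchall = (
        ("DROP", "ACCEPT") if policy == "ALLOW" else ("ACCEPT", "DROP"))
    if not rules:
        return ["chain is empty: nothing enforces the default %s policy" % policy]
    findings = []
    *specific, last = rules
    for i, r in enumerate(specific, 1):
        if r["target"] != want_specific:
            findings.append(
                "rule %d (%s dpt:%s) has target %s but a default %s network "
                "needs %s" % (i, r["prot"], r["dport"], r["target"],
                              policy, want_specific))
    is_catchall = (last["prot"] == "all" and last["dport"] is None
                   and last["src"] == "0.0.0.0/0" and last["dst"] == "0.0.0.0/0")
    if not is_catchall:
        findings.append("last rule is not a catch-all; default %s is not "
                        "enforced" % policy)
    elif last["target"] != want_catchall:
        findings.append("catch-all target is %s but default %s needs %s"
                        % (last["target"], policy, want_catchall))
    return findings


# Sample listings copied from the thread: the DENY network (programmed
# correctly), the ALLOW network (programmed wrongly) and the issue's
# FW_OUTBOUND chain that never jumps to an egress chain.
DENY_CHAIN = """\
Chain FW_EGRESS_RULES (1 references)
 pkts bytes target prot opt in  out source    destination
    0     0 ACCEPT tcp  --  *   *   0.0.0.0/0 0.0.0.0/0   tcp dpt:22
    4   288 DROP   all  --  *   *   0.0.0.0/0 0.0.0.0/0
"""
ALLOW_CHAIN = """\
Chain FW_EGRESS_RULES (1 references)
 pkts bytes target prot opt in  out source    destination
    0     0 ACCEPT tcp  --  *   *   0.0.0.0/0 0.0.0.0/0   tcp dpt:22
    1    84 ACCEPT all  --  *   *   0.0.0.0/0 0.0.0.0/0
"""
ISSUE_LISTING = """\
Chain FIREWALL_EGRESS_RULES (0 references)
 pkts bytes target prot opt in  out source    destination

Chain FW_OUTBOUND (1 references)
 pkts bytes target prot opt in  out source    destination
    3   252 ACCEPT all  --  *   *   0.0.0.0/0 0.0.0.0/0   state RELATED,ESTABLISHED
"""

if __name__ == "__main__":
    print("DENY :", check_egress_chain(parse_chain(DENY_CHAIN, "FW_EGRESS_RULES"), "DENY"))
    print("ALLOW:", check_egress_chain(parse_chain(ALLOW_CHAIN, "FW_EGRESS_RULES"), "ALLOW"))
    print("FW_OUTBOUND -> FW_EGRESS_RULES:", outbound_references_egress(ISSUE_LISTING))
```

Run it on the router with `iptables -L -v -n` piped into `parse_chain` and pass the network's configured default policy; the ALLOW listing yields one finding (the port-22 rule is ACCEPT where DROP is needed), the DENY listing yields none, and the issue's listing reports that FW_OUTBOUND has no jump to FW_EGRESS_RULES.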