DeepthiMachiraju created CLOUDSTACK-9754:
--------------------------------------------

             Summary: Egress rules missing in shared network
                 Key: CLOUDSTACK-9754
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9754
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
          Components: Virtual Router
    Affects Versions: 4.9.0.1
            Reporter: DeepthiMachiraju
             Fix For: 4.10.0.0


- Navigate to network and create a shared network.
- Deploy a guest vm with the above network.
- Try to ssh to the vm which is successful.
- Post login to the guest vm, try reaching the outside traffic.

Observations:
- User cannot reach the outside traffic as Egress rules are missing:

======================================================================================
Chain FW_EGRESS_RULES (0 references)
 pkts bytes target prot opt in out source destination

Chain FW_OUTBOUND (1 references)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
=======================================================================================

Complete rules below:

root@r-223-VM:~# iptables -L -n -v
Chain INPUT (policy DROP 190 packets, 10327 bytes)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 10.147.52.201 tcp dpt:443 state NEW
 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 10.147.52.201 tcp dpt:80 state NEW
 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 10.147.52.201 tcp dpt:53
 7 468 ACCEPT udp -- eth0 * 0.0.0.0/0 10.147.52.201 udp dpt:53
 4 1312 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
 675 67079 NETWORK_STATS all -- * * 0.0.0.0/0 0.0.0.0/0
 344 46076 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3922 state NEW,ESTABLISHED
 0 0 ACCEPT all -- * * 0.0.0.0/0 224.0.0.18
 0 0 ACCEPT all -- * * 0.0.0.0/0 225.0.0.50
 114 8452 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 9 756 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
 18 1468 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
 0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
 0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW
 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 state NEW

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 0 0 NETWORK_STATS all -- * * 0.0.0.0/0 0.0.0.0/0
 0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 0 0 ACCEPT all -- eth0 eth0 0.0.0.0/0 0.0.0.0/0 state NEW
 0 0 ACCEPT all -- eth2 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 0 0 ACCEPT all -- eth0 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 0 0 FW_OUTBOUND all -- eth0 eth2 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 478 packets, 63694 bytes)
 pkts bytes target prot opt in out source destination
 478 63694 NETWORK_STATS all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FW_EGRESS_RULES (0 references)
 pkts bytes target prot opt in out source destination

Chain FW_OUTBOUND (1 references)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain NETWORK_STATS (3 references)
 pkts bytes target prot opt in out source destination
 0 0 all -- eth0 eth2 0.0.0.0/0 0.0.0.0/0
 0 0 all -- eth2 eth0 0.0.0.0/0 0.0.0.0/0
 0 0 tcp -- !eth0 eth2 0.0.0.0/0 0.0.0.0/0
 0 0 tcp -- eth2 !eth0 0.0.0.0/0 0.0.0.0/0
===============================================================================================================

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
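Added example, not part of the original report or of CloudStack's code: a small checker that reads `iptables -L -n -v` output and flags the two symptoms visible in the listing above, a user chain with 0 references and a chain jumped to from FORWARD whose ACCEPT rules only match existing flows. The function names and the one-level heuristic are assumptions of this example; the sample input is constructed from the report's listing, abridged and whitespace-collapsed.

```python
import re

# Constructed input: FORWARD and the firewall chains from the report's listing, abridged.
SAMPLE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 0 0 NETWORK_STATS all -- * * 0.0.0.0/0 0.0.0.0/0
 0 0 FW_OUTBOUND all -- eth0 eth2 0.0.0.0/0 0.0.0.0/0
Chain FW_EGRESS_RULES (0 references)
 pkts bytes target prot opt in out source destination
Chain FW_OUTBOUND (1 references)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain NETWORK_STATS (3 references)
 pkts bytes target prot opt in out source destination
 0 0 all -- eth0 eth2 0.0.0.0/0 0.0.0.0/0
"""

CHAIN = re.compile(r"^Chain (\S+) \((?:policy \S+|(\d+) references)")

def parse(listing):
    """Return {chain: {"refs": int or None, "rules": [(target, state set or None)]}}."""
    chains, cur = {}, None
    for line in listing.splitlines():
        m = CHAIN.match(line)
        if m:
            cur = chains[m.group(1)] = {"refs": m.group(2) and int(m.group(2)), "rules": []}
            continue
        f = line.split()
        if cur is None or len(f) < 8 or f[0] == "pkts":
            continue
        if f[3] == "--":  # counter-only rule: the target column is empty (assumes opt is "--")
            f.insert(2, "")
        st = re.search(r"state (\S+)", line)
        cur["rules"].append((f[2], set(st.group(1).split(",")) if st else None))
    return chains

def egress_findings(listing):
    """Flag unreferenced chains and FORWARD jump targets that accept only existing flows.
    Heuristic, one level deep: jumps made from inside the target chain are not followed."""
    chains = parse(listing)
    out = [(name, "unreferenced") for name, c in chains.items() if c["refs"] == 0]
    for target, _ in chains.get("FORWARD", {"rules": []})["rules"]:
        accepts = [s for t, s in chains.get(target, {"rules": []})["rules"] if t == "ACCEPT"]
        if accepts and all(s is not None and "NEW" not in s for s in accepts):
            out.append((target, "no rule admits NEW connections"))
    return out

if __name__ == "__main__":
    print(egress_findings(SAMPLE))
```

NETWORK_STATS is not flagged because it holds only counter rules with no target, so it never decides a packet's fate.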