Re: [openstack-dev] [neutron] Firewall is ineffective with floating ip?

2014-06-05 Thread Xurong Yang
Yes, right, but why can't we use the floating IP? Administrators or users should
care about the floating IP of an instance rather than the fixed IP. So I think the
firewall should also take effect for floating IPs.

Thanks,
Xurong Yang


2014-06-05 19:32 GMT+08:00 ZZelle :

> Hi,
>
> When the router receives packets from the external network, iptables does
> the following sequentially:
>  1) NAT PREROUTING table: translate floatingip to fixed ip
>  2) FILTER FORWARD table: apply FW rules ... on fixed ips because
> floatingip has been translated to fixed ip
>
>
> So disabling ping to the floating IP has no effect; you should instead
> disable ping to the associated fixed IP.
>
>
> More generally, in (iptables) FW rules you should use fixed IPs/CIDRs as
> source/target, not floating IPs.
>
>
> Cheers,
>
> Cedric
>
>
> On Thu, Jun 5, 2014 at 1:15 PM, Xurong Yang  wrote:
>
>> Hi, Stackers,
>>
>> Use case description:
>>
>> Firewall is not working when setting the destination-ip-address as the VM's
>> floating ip
>> Steps to Reproduce:
>> 1. create one network and attach it to the newly created router
>> 2. Create VMs on the above network
>> 3. create security group rule for icmp
>> 4. create an external network and attach it to the router as gateway
>> 5. create floating ip and associate it to the VMs
>> 6. create a first firewall rule as protocol=icmp, action=deny and
>> destination-ip-address as the floating ip
>> 7. create second firewall rule as protocol=any action=allow
>> 8. attach the rules to the policy and the policy to the firewall
>> 9. ping the VMs' floating ip from the network node which has the
>> external network configured.
>>
>> Actual Results:
>> Ping succeeds
>>
>> Expected Results:
>> Ping should fail as per the firewall rule
>>
>> The router's functionality is both NAT and firewall, so although we have
>> created a firewall rule, DNAT takes action (changing the floating ip to the fixed ip)
>> in the PREROUTING chain first when the network node pings the VM's floating ip,
>> so the firewall rules in the FORWARD chain can't match because the packet's ip has
>> already been changed to the fixed ip.
>>
>> additional case:
>> if we change the firewall rule to protocol=icmp, action=deny and
>> destination-ip-address as the fixed ip, the ping fails.
>>
>> in short, the router firewall can't take effect for floating ips.
>>
>> what do you think?
>>
>> Cheers,
>>
>> Xurong Yang
>>
>>
>>
>>
>> ___
>> OpenStack-dev mailing list
>> OpenStack-dev@lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>
>
>


Re: [openstack-dev] [neutron] Firewall is ineffective with floating ip?

2014-06-05 Thread ZZelle
Hi,

When the router receives packets from the external network, iptables does
the following sequentially:
 1) NAT PREROUTING table: translate floatingip to fixed ip
 2) FILTER FORWARD table: apply FW rules ... on fixed ips because
floatingip has been translated to fixed ip


So disabling ping to the floating IP has no effect; you should instead
disable ping to the associated fixed IP.


More generally, in (iptables) FW rules you should use fixed IPs/CIDRs as
source/target, not floating IPs.


Cheers,

Cedric


On Thu, Jun 5, 2014 at 1:15 PM, Xurong Yang  wrote:

> Hi, Stackers,
>
> Use case description:
>
> Firewall is not working when setting the destination-ip-address as the VM's
> floating ip
> Steps to Reproduce:
> 1. create one network and attach it to the newly created router
> 2. Create VMs on the above network
> 3. create security group rule for icmp
> 4. create an external network and attach it to the router as gateway
> 5. create floating ip and associate it to the VMs
> 6. create a first firewall rule as protocol=icmp, action=deny and
> destination-ip-address as the floating ip
> 7. create second firewall rule as protocol=any action=allow
> 8. attach the rules to the policy and the policy to the firewall
> 9. ping the VMs' floating ip from the network node which has the external
> network configured.
>
> Actual Results:
> Ping succeeds
>
> Expected Results:
> Ping should fail as per the firewall rule
>
> The router's functionality is both NAT and firewall, so although we have
> created a firewall rule, DNAT takes action (changing the floating ip to the fixed ip)
> in the PREROUTING chain first when the network node pings the VM's floating ip,
> so the firewall rules in the FORWARD chain can't match because the packet's ip has
> already been changed to the fixed ip.
>
> additional case:
> if we change the firewall rule to protocol=icmp, action=deny and
> destination-ip-address as the fixed ip, the ping fails.
>
> in short, the router firewall can't take effect for floating ips.
>
> what do you think?
>
> Cheers,
>
> Xurong Yang
>
>
>
>
>
>


[openstack-dev] [neutron] Firewall is ineffective with floating ip?

2014-06-05 Thread Xurong Yang
Hi, Stackers,

Use case description:

Firewall is not working when setting the destination-ip-address as the VM's
floating ip
Steps to Reproduce:
1. create one network and attach it to the newly created router
2. Create VMs on the above network
3. create security group rule for icmp
4. create an external network and attach it to the router as gateway
5. create floating ip and associate it to the VMs
6. create a first firewall rule as protocol=icmp, action=deny and
destination-ip-address as the floating ip
7. create second firewall rule as protocol=any action=allow
8. attach the rules to the policy and the policy to the firewall
9. ping the VMs' floating ip from the network node which has the external
network configured.

Actual Results:
Ping succeeds

Expected Results:
Ping should fail as per the firewall rule

The router's functionality is both NAT and firewall, so although we have created
a firewall rule, DNAT takes action (changing the floating ip to the fixed ip) in
the PREROUTING chain first when the network node pings the VM's floating ip, so
the firewall rules in the FORWARD chain can't match because the packet's ip has
already been changed to the fixed ip.

additional case:
if we change the firewall rule to protocol=icmp, action=deny and
destination-ip-address as the fixed ip, the ping fails.

in short, the router firewall can't take effect for floating ips.

what do you think?

Cheers,

Xurong Yang
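The two-step path Cedric describes (nat PREROUTING first, then filter FORWARD) and the two results Xurong reproduces (deny on the floating IP does not match, deny on the fixed IP does), as an added example that is not part of the original thread and is not Neutron's or FWaaS's code. It is a small model of the netfilter traversal inside the router namespace; the addresses, the DNAT map, the chain name `FORWARD` and the `Packet`/`Rule` classes are all constructed for the example (Neutron's real chains are prefixed and nested differently). It also goes one step beyond the thread: the third rule set keys on the destination conntrack recorded before NAT, which is what iptables' `-m conntrack --ctorigdst` does, and is the only way a FORWARD rule can still name the floating IP.

```python
"""
Added example (not from the thread, not Neutron code): a model of the
iptables path an inbound packet takes in a Neutron L3 router namespace.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed addresses: an RFC 5737 documentation prefix stands in for the
# external network and an RFC 1918 subnet for the tenant network. DNAT_MAP
# plays the role of the per-floating-IP DNAT entries in the router's nat table.
FLOATING_IP = "203.0.113.10"
FIXED_IP = "10.0.0.5"
DNAT_MAP: Dict[str, str] = {FLOATING_IP: FIXED_IP}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    ct_orig_dst: Optional[str] = None  # destination conntrack saw before NAT


@dataclass
class Rule:
    action: str                        # "deny" or "allow"
    proto: str = "any"                 # "icmp", "tcp", ... or "any"
    dst: Optional[str] = None          # plain -d match: sees the post-DNAT address
    ct_orig_dst: Optional[str] = None  # -m conntrack --ctorigdst: pre-DNAT address

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.ct_orig_dst is not None and pkt.ct_orig_dst != self.ct_orig_dst:
            return False
        return True

    def as_iptables(self) -> str:
        """Render the rule in simplified iptables syntax (chain name is illustrative)."""
        parts = ["iptables", "-A", "FORWARD"]
        if self.proto != "any":
            parts += ["-p", self.proto]
        if self.dst is not None:
            parts += ["-d", self.dst]
        if self.ct_orig_dst is not None:
            parts += ["-m", "conntrack", "--ctorigdst", self.ct_orig_dst]
        parts += ["-j", "DROP" if self.action == "deny" else "ACCEPT"]
        return " ".join(parts)


def nat_prerouting(pkt: Packet, dnat_map: Dict[str, str]) -> Packet:
    """Step 1: nat PREROUTING. conntrack records the original tuple, then
    DNAT rewrites the floating IP to the fixed IP."""
    pkt.ct_orig_dst = pkt.dst
    pkt.dst = dnat_map.get(pkt.dst, pkt.dst)
    return pkt


def filter_forward(pkt: Packet, rules: List[Rule], default: str = "allow") -> str:
    """Step 2: filter FORWARD. First matching rule wins, as in iptables."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def verdict(rules: List[Rule], dst: str = FLOATING_IP, proto: str = "icmp") -> str:
    """Verdict for a packet from the external side aimed at `dst`."""
    pkt = Packet(src="198.51.100.7", dst=dst, proto=proto)  # constructed sender
    return filter_forward(nat_prerouting(pkt, DNAT_MAP), rules)


# Rule sets: the two from the thread, plus the conntrack-based variant.
DENY_ON_FLOATING = [Rule("deny", "icmp", dst=FLOATING_IP), Rule("allow")]
DENY_ON_FIXED = [Rule("deny", "icmp", dst=FIXED_IP), Rule("allow")]
DENY_ON_ORIG_DST = [Rule("deny", "icmp", ct_orig_dst=FLOATING_IP), Rule("allow")]

if __name__ == "__main__":
    for name, rules in [("deny on floating IP", DENY_ON_FLOATING),
                        ("deny on fixed IP", DENY_ON_FIXED),
                        ("deny on conntrack orig dst", DENY_ON_ORIG_DST)]:
        print(f"{name:28s} -> ping {verdict(rules)}")
        for r in rules:
            print("    " + r.as_iptables())
```

Running the model gives `allow` for the floating-IP rule set and `deny` for the other two, which is exactly the "ping succeeds" / "ping fails" pair in the report. The `--ctorigdst` variant is a raw iptables technique, not something the FWaaS rule API of the time could express, so for FWaaS itself Cedric's advice stands: write the rules against fixed IPs or tenant CIDRs.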