By looking at the iptables rules, there is no egress rules feature in your deployment. In your case the issue seems to be different.

Please do the below troubleshooting. Ping from the guest VM to the public subnet/google and try to capture the packets on the router guest interface and public interface. Check whether the packets are reaching the public interface of the VR or not. Also send the iptables -L -nv output.

Thanks,
Jayapal

On 22-May-2013, at 1:18 PM, wq meng <wqm...@gmail.com> wrote:

> Hello Jayapal
>
> I know very little about the API yet.
>
> I logged in to the VRouter VM. Can I change the rules to get it to work?
>
> On
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Egress+firewall+rules+for+guest+network
>
> it mentions some chains, but I can not find them inside my VRouter VM.
>
> ====================
>
> The firewallRule_egress.sh script gets called on the virtual router.
>
> The egress rules are added in the filter table, FW_EGRESS_RULES chain.
>
> All the traffic from eth0 to eth2 (public interface) will be sent to the
> FW_OUTBOUND chain.
>
> *iptables rules:*
>
> *Default rules:*
>
> ipassoc.sh adds a rule to ACCEPT traffic from eth0 to the public interface.
>
> Modified the rule to send egress traffic to the FW_OUTBOUND chain.
>
> *iptables -A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND*
>
> *Rules added while configuring:*
>
> Ex: Egress rule to block the port 22 (ssh) traffic from 10.1.1.31/32
>
> *iptables -A FW_OUTBOUND -j EGRESS_FWRULES*
>
> *iptables -A EGRESS_FWRULES -s 10.1.1.31/32 -p tcp --dport 22:22 -j ACCEPT*
> ======================
>
> Here is what the current iptables shows.
>
> --------------------------------------------------------------------------------
> root@r-4-VM:~# iptables -L
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> NETWORK_STATS  all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             vrrp.mcast.net
> ACCEPT     all  --  anywhere             225.0.0.50
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     icmp --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
> ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
> ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:3922
> ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http-alt
> ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:www
>
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> NETWORK_STATS  all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere             state NEW
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> NETWORK_STATS  all  --  anywhere             anywhere
>
> Chain NETWORK_STATS (3 references)
> target     prot opt source               destination
>            all  --  anywhere             anywhere
>            all  --  anywhere             anywhere
>            tcp  --  anywhere             anywhere
>            tcp  --  anywhere             anywhere
>            all  --  anywhere             anywhere
>            all  --  anywhere             anywhere
>            tcp  --  anywhere             anywhere
>            tcp  --  anywhere             anywhere
>            all  --  anywhere             anywhere
>            all  --  anywhere             anywhere
>            tcp  --  anywhere             anywhere
>            tcp  --  anywhere             anywhere
>            all  --  anywhere             anywhere
>            all  --  anywhere             anywhere
>            tcp  --  anywhere             anywhere
>            tcp  --  anywhere             anywhere
>            all  --  anywhere             anywhere
>            all  --  anywhere             anywhere
>            tcp  --  anywhere             anywhere
>            tcp  --  anywhere             anywhere
>            all  --  anywhere             anywhere
>            all  --  anywhere             anywhere
>            tcp  --  anywhere             anywhere
>            tcp  --  anywhere             anywhere
>
> And has the link been fixed in Git?
>
> Thank you so much.
>
> On Wed, May 22, 2013 at 2:55 PM, Jayapal Reddy Uradi <jayapalreddy.ur...@citrix.com> wrote:
>
>> I think the UI link is missing, but it is fixed after that.
>> Try to add rules using the API 'createEgressFirewallRule'
>>
>> Thanks,
>> Jayapal
>>
>> On 22-May-2013, at 12:05 PM, wq meng <wqm...@gmail.com> wrote:
>>
>>> Hello Jayapal,
>>>
>>> https://cwiki.apache.org/CLOUDSTACK/egress-firewall-rules-for-guest-network.html
>>>
>>> I have checked Network -> Guest Network (Name) ->
>>>
>>> I can not find any Egress firewall rule tab.
>>>
>>> Have I missed something?
>>>
>>> Thank you very much.
>>>
>>> On Wed, May 22, 2013 at 1:23 PM, Jayapal Reddy Uradi <jayapalreddy.ur...@citrix.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> Did you configure the egress firewall rules on the guest network?
>>>> You need to add egress rules to allow guest traffic.
>>>>
>>>> If it does not work after adding the egress rule, please send the router iptables rules.
>>>>
>>>> Thanks,
>>>> Jayapal
>>>>
>>>> On 22-May-2013, at 4:10 AM, wq meng <wqm...@gmail.com> wrote:
>>>>
>>>>> Hello
>>>>>
>>>>> Has anyone faced this problem? CS4.02 KVM Advanced Network, VM instance
>>>>> can not access public IP. NAT (Source)
>>>>>
>>>>> The VM instance is running, but inside the VM instance it is not
>>>>> possible to access the outside.
>>>>>
>>>>> The VMs can ping each other, and it can ping google.com in the *Virtual Router VM*.
>>>>>
>>>>> But it just can not ping google.com inside the VM instance.
>>>>>
>>>>> It seems that inside the VM instance it can resolve google.com's IP address,
>>>>> BUT can not do anything else.
>>>>>
>>>>> Please see the following output.
>>>>>
>>>>> ------------------------
>>>>> [root@CentOS5-5 ~]# wget www.google.com
>>>>> --2013-05-21 08:30:39--  http://www.google.com/
>>>>> Resolving www.google.com... 173.194.64.104, 173.194.64.99, 173.194.64.105, ...
>>>>> Connecting to www.google.com|173.194.64.104|:80...
>>>>> [root@CentOS5-5 ~]# ls
>>>>>
>>>>> -------------------------
>>>>> [root@CentOS5-5 ~]# iptables -L
>>>>> Chain INPUT (policy ACCEPT)
>>>>> target     prot opt source               destination
>>>>> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>>>>>
>>>>> Chain FORWARD (policy ACCEPT)
>>>>> target     prot opt source               destination
>>>>> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>>>>>
>>>>> Chain OUTPUT (policy ACCEPT)
>>>>> target     prot opt source               destination
>>>>>
>>>>> Chain RH-Firewall-1-INPUT (2 references)
>>>>> target     prot opt source               destination
>>>>> ACCEPT     all  --  anywhere             anywhere
>>>>> ACCEPT     icmp --  anywhere             anywhere             icmp any
>>>>> ACCEPT     esp  --  anywhere             anywhere
>>>>> ACCEPT     ah   --  anywhere             anywhere
>>>>> ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns
>>>>> ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipp
>>>>> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ipp
>>>>> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>>>>> ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
>>>>> REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
>>>>> [root@CentOS5-5 ~]# ping 8.8.8.8
>>>>> PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
>>>>>
>>>>> --- 8.8.8.8 ping statistics ---
>>>>> 3 packets transmitted, 0 received, 100% packet loss, time 2000ms
>>>>>
>>>>> --------------------------
>>>>> [root@CentOS5-5 ~]# ifconfig
>>>>> eth0      Link encap:Ethernet  HWaddr 02:00:2D:C8:00:01
>>>>>           inet addr:10.1.1.5  Bcast:10.1.1.255  Mask:255.255.255.0
>>>>>           inet6 addr: fe80::2dff:fec8:1/64 Scope:Link
>>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>>>           RX packets:2442 errors:0 dropped:0 overruns:0 frame:0
>>>>>           TX packets:2261 errors:0 dropped:0 overruns:0 carrier:0
>>>>>           collisions:0 txqueuelen:1000
>>>>>           RX bytes:174960 (170.8 KiB)  TX bytes:154159 (150.5 KiB)
>>>>>
>>>>> lo        Link encap:Local Loopback
>>>>>           inet addr:127.0.0.1  Mask:255.0.0.0
>>>>>           inet6 addr: ::1/128 Scope:Host
>>>>>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>>>>>           RX packets:32 errors:0 dropped:0 overruns:0 frame:0
>>>>>           TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
>>>>>           collisions:0 txqueuelen:0
>>>>>           RX bytes:3913 (3.8 KiB)  TX bytes:3913 (3.8 KiB)
>>>>>
>>>>> ----------------------------
>>>>>
>>>>> [root@CentOS5-5 ~]# tracert www.google.com
>>>>> traceroute to www.google.com (173.194.64.106), 30 hops max, 40 byte packets
>>>>>  1  r-4-VM.cs2cloud.internal (10.1.1.1)  0.158 ms  0.136 ms  0.134 ms
>>>>>  2  * * *
>>>>>  3  * * *
>>>>>  4  * * *
>>>>>  5  * * *
>>>>>  6  * * *
>>>>>  7  * * *
>>>>>  8  * * *
>>>>>  9  * * *
>>>>> 10  * * *
>>>>> 11  * * *
>>>>> 12  * * *
>>>>> 13  * * *
>>>>> 14  * * *
>>>>> 15  * * *
>>>>> 16  * * *
>>>>> 17  * * *
>>>>> 18  * * *
>>>>> 19  * * *
>>>>> 20  * * *
>>>>> 21  * * *
>>>>> 22  * * *
>>>>> 23  * * *
>>>>> 24  * * *
>>>>> 25  * * *
>>>>> 26  * * *
>>>>> 27  * * *
>>>>> 28  * * *
>>>>> 29  * * *
>>>>> 30  * * *
>>>>>
>>>>> ----------------
>>>>>
>>>>> Any thoughts?
>>>>>
>>>>> Thank you very much.