Iptables rules are looking fine.
Can you please do the following:
1. Ping google.com from the VM.
2. Run the tcpdump command on the router's eth0 and eth2 and see whether the
packets are reaching the guest interface:
    tcpdump -i eth0 -nq
    tcpdump -i eth2 -nq

If the guest VM's ICMP packets are not reaching eth0 and eth2, then there is an
issue in your network setup.

Thanks,
Jayapal


> -----Original Message-----
> From: wq meng [mailto:wqm...@gmail.com]
> Sent: Friday, 24 May 2013 1:27 AM
> To: users@cloudstack.apache.org
> Subject: Re: allow outbound access by default on virtual routers
> 
> Hello,
> 
> Have you tried this and gotten it to work?
> 
> I think I have the same problem: I just cannot get the guest VM to access
> outbound through the V-router VM.
> 
> My guest NIC is eth0, the public NIC is eth2.
> 
> Here are the default rules in the router VM. How do I apply the rules so that
> the guest VM can access outbound?
> 
> Could you help show me how? I have tried many times, with no luck.
> 
> Thank you very much.
> 
> 
> root@r-7-VM:~# cat /etc/iptables/rules
> 
> 
> # Licensed to the Apache Software Foundation (ASF) under one
> # or more contributor license agreements.  See the NOTICE file
> # distributed with this work for additional information
> # regarding copyright ownership.  The ASF licenses this file
> # to you under the Apache License, Version 2.0 (the
> # "License"); you may not use this file except in compliance
> # with the License.  You may obtain a copy of the License at
> #
> #   http://www.apache.org/licenses/LICENSE-2.0
> #
> # Unless required by applicable law or agreed to in writing,
> # software distributed under the License is distributed on an
> # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
> # KIND, either express or implied.  See the License for the
> # specific language governing permissions and limitations
> # under the License.
> 
> *nat
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> COMMIT
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -d 224.0.0.18/32 -j ACCEPT
> -A INPUT -d 225.0.0.50/32 -j ACCEPT
> -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
> -A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m state --state NEW --dport 8080 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth0 -o eth2 -j ACCEPT
> -A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
> -A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> COMMIT
> *mangle
> :PREROUTING ACCEPT [0:0]
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> -A PREROUTING -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
> -A POSTROUTING -p udp --dport bootpc -j CHECKSUM --checksum-fill
> COMMIT
> 
> 
> root@r-7-VM:~# ifconfig
> 
> 
> On Mon, May 20, 2013 at 5:29 PM, Jayapal Reddy Uradi
> <jayapalreddy.ur...@citrix.com> wrote:
> >
> > Currently we don't have the configurable option.
> >
> > 1. You can add an egress rule on the network with protocol 'all' to allow
> > all outbound traffic once the network is created.
> >
> > 2. If you want to allow traffic by default whenever a router is created,
> > one workaround will be to add the line below into the iptables-router file
> > after this line:
> >     -I FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
> >
> > -A FW_OUTBOUND  -j ACCEPT
> >
> >
> > Thanks,
> > Jayapal
> >
> >
> > On 20-May-2013, at 2:18 PM, Len Bellemore
> > <len.bellem...@controlcircle.com> wrote:
> >
> >> Hi Guys
> >>
> >> Anyone know if it's possible to change some of the default options on a
> >> virtual router, so that every time it gets created it has particular rules?
> >>
> >> My main issue is that I want to allow outbound access by default to every
> >> account.
> >>
> >> Thanks
> >> Len
> >>
> >
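
An added example, not part of the original thread and not CloudStack code: a first-match walk of the FORWARD chain in the iptables-save style dump quoted above, showing which rule decides a guest (eth0) to public (eth2) packet before moving on to tcpdump. The names parse_filter and forward_verdict are hypothetical, the sample rules are copied from the quoted dump, and only -i, -o and --state matches are handled.

```python
import shlex

# Constructed sample: the *filter FORWARD rules from the dump quoted above,
# restored to one rule per line.
RULES = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth2 -j ACCEPT
-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""
SUPPORTED = {"-i", "-o", "-m", "--state", "-j"}  # matches this sketch understands

def parse_filter(text):
    """Return ({chain: policy}, [(chain, opts, line)]) for the *filter table."""
    policies, rules, table = {}, [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif table != "filter" or not line or line.startswith("#"):
            continue
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            tok = shlex.split(line)
            opts = {tok[i]: tok[i + 1] for i in range(2, len(tok) - 1)
                    if tok[i].startswith("-")}
            if set(opts) - SUPPORTED:
                raise ValueError("unsupported match in: " + line)
            rules.append((tok[1], opts, line))
    return policies, rules

def forward_verdict(text, in_if, out_if, state):
    """First-match walk of FORWARD; falls back to the chain policy."""
    policies, rules = parse_filter(text)
    for chain, opts, line in rules:
        if chain != "FORWARD":
            continue
        if opts.get("-i", in_if) != in_if or opts.get("-o", out_if) != out_if:
            continue
        if "--state" in opts and state not in opts["--state"].split(","):
            continue
        return opts["-j"], line
    return policies["FORWARD"], "chain policy"

if __name__ == "__main__":
    for pkt in [("eth0", "eth2", "NEW"), ("eth2", "eth0", "NEW"),
                ("eth2", "eth0", "ESTABLISHED")]:
        print(pkt, "->", forward_verdict(RULES, *pkt))
```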
