I thought the iptables rules you sent were from the router's iptables-save. In /etc/iptables/rules we won't have the SNAT rule.
Please send the iptables rules from your router, not /etc/iptables/rules: iptables -t nat -L -nv, iptables -L -nv and iptables -t mangle -L -nv.

Thanks,
Jayapal

On 28-Jun-2013, at 8:21 AM, WXR <474745...@qq.com> wrote:

> When I added the guest network I selected the system default network offering with source NAT.
> There is a default ip "x.x.x.x[source NAT]" in the list when I click "view ip addresses".
>
> ------------------ Original ------------------
> From: ""<jayapalreddy.ur...@citrix.com>;
> Date: Fri, Jun 28, 2013 10:45 AM
> To: "<users@cloudstack.apache.org>"<users@cloudstack.apache.org>;
> Subject: Re: How to create a network offering without firewall?
>
> The problem is there is no source NAT rule added in the iptables nat table on the router.
> Why is the source NAT rule not added on the router?
> In your network ip addresses do you have a source NAT ip?
>
> Thanks,
> Jayapal
>
> On 28-Jun-2013, at 8:06 AM, WXR <474745...@qq.com> wrote:
>
>> I tried to add the rule "iptables -A FW_OUTBOUND -j ACCEPT" to the vrouter firewall but unfortunately it has no effect.
>>
>> These are the iptables rules in the file "/etc/iptables/rules":
>>
>> *nat
>> :PREROUTING ACCEPT [0:0]
>> :POSTROUTING ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> COMMIT
>> *filter
>> :INPUT DROP [0:0]
>> :FORWARD DROP [0:0]
>> :OUTPUT ACCEPT [0:0]
>> :FW_OUTBOUND - [0:0]
>> -A INPUT -d 224.0.0.18/32 -j ACCEPT
>> -A INPUT -d 225.0.0.50/32 -j ACCEPT
>> -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -p icmp -j ACCEPT
>> -A INPUT -i lo -j ACCEPT
>> -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
>> -A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
>> -A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
>> -A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
>> -A INPUT -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
>> -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
>> -A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
>> -I FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
>> COMMIT
>> *mangle
>> :PREROUTING ACCEPT [0:0]
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> :POSTROUTING ACCEPT [0:0]
>> -A PREROUTING -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
>> -A POSTROUTING -p udp --dport bootpc -j CHECKSUM --checksum-fill
>> COMMIT
>>
>> Is there anything wrong?
>>
>> ------------------ Original ------------------
>> From: ""<emu...@intecom.ad>;
>> Date: Thu, Jun 27, 2013 06:40 PM
>> To: "users@cloudstack.apache.org"<users@cloudstack.apache.org>;
>> Subject: RE: How to create a network offering without firewall?
>>
>> I had this issue too some days ago.
>> I solved it by logging into the Virtual Router over ssh and adding this rule to the firewall:
>>
>> iptables -A FW_OUTBOUND -j ACCEPT
>>
>> I hope this helps.
>>
>> Regards
>>
>> -----Original Message-----
>> From: Jayapal Reddy Uradi [mailto:jayapalreddy.ur...@citrix.com]
>> Sent: Thursday, 27 June 2013 12:37
>> To: <users@cloudstack.apache.org>
>> Subject: Re: How to create a network offering without firewall?
>>
>> Is the Internet accessible from the router?
>> If it is accessible please send the router iptables rules on pastebin.com
>>
>> Thanks,
>> jayapal
>>
>> On 27-Jun-2013, at 3:34 PM, WXR <474745...@qq.com> wrote:
>>
>>> Sorry, the instance can access the vrouter gateway ip, but cannot access the Internet.
>>>
>>> ------------------ Original ------------------
>>> From: "WXR"<474745...@qq.com>;
>>> Date: Thu, Jun 27, 2013 06:01 PM
>>> To: "users"<users@cloudstack.apache.org>;
>>> Subject: Re: How to create a network offering without firewall?
>>>
>>> I have added an egress rule like this:
>>> Source CIDR    Protocol    Start Port    End Port
>>> 0.0.0.0/0      All         All           All
>>>
>>> The vrouter vm can also access the Internet.
>>> But the instance vm is still able to access the vrouter gateway ip and the Internet.
>>>
>>> ------------------ Original ------------------
>>> From: "Murali Reddy"<murali.re...@citrix.com>;
>>> Date: Thu, Jun 27, 2013 05:21 PM
>>> To: "users@cloudstack.apache.org"<users@cloudstack.apache.org>;
>>> Subject: Re: How to create a network offering without firewall?
>>>
>>> Yes, the egress firewall default action is 'BLOCK'.
>>> Here is a nice blog from Radhika:
>>> http://writersopendiary.wordpress.com/2013/05/27/egress-firewall-rules-in-apache-cloudstack/
>>>
>>> On 27/06/13 2:21 PM, "WXR" <474745...@qq.com> wrote:
>>>
>>>> By the way, when I select the default guestnetworkwithsourceNAT and create an instance, the vm cannot access the Internet. Is this a default setting? How can I let the vm access the Internet?
>>>>
>>>> ------------------ Original ------------------
>>>> From: "Murali Reddy"<murali.re...@citrix.com>;
>>>> Date: Thu, Jun 27, 2013 04:46 PM
>>>> To: "users@cloudstack.apache.org"<users@cloudstack.apache.org>;
>>>> Subject: Re: How to create a network offering without firewall?
>>>>
>>>> Also, by default all the ports that will be used by edge services are blocked by the iptables config in the router VM templates. They need to be opened explicitly with firewall rules.
>>>>
>>>> On 27/06/13 2:08 PM, "Jayapal Reddy Uradi" <jayapalreddy.ur...@citrix.com> wrote:
>>>>
>>>>> Without a firewall provider you can't have sourceNAT and static NAT services, because these services are provided by the firewall provider only.
>>>>>
>>>>> Thanks,
>>>>> Jayapal
>>>>>
>>>>> On 27-Jun-2013, at 1:35 PM, WXR <474745...@qq.com> wrote:
>>>>>
>>>>>> If I create a new network offering and check dns, dhcp, userdata, sourceNAT, staticNAT, and do not check the firewall service, the firewall will be added into it automatically.
>>>>>> I don't need the firewall service, so how can I create a network offering without firewall?
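As an added example that is not part of the thread (nor CloudStack's own code), a small Python audit of an iptables-save dump for the two conditions the thread turns on: the source-NAT rule Jayapal finds missing from the nat table, and an FW_OUTBOUND chain that, as posted, only accepts RELATED,ESTABLISHED, so a new guest connection returns to FORWARD and hits its DROP policy (the egress default BLOCK). The sample dump is constructed from the rules quoted above; the parser and function names are this example's own.

```python
# Added example (not from the thread or from CloudStack): audit an iptables-save
# dump for a missing source-NAT rule and an FW_OUTBOUND chain that never accepts NEW.
from collections import defaultdict

# Constructed sample: the chains that matter, taken from the rules quoted above.
SAMPLE_RULES = """\
*nat
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD DROP [0:0]
:FW_OUTBOUND - [0:0]
-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
-I FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def parse_iptables_save(text):
    """Return ({table: {chain: [rule tokens]}}, {(table, chain): policy})."""
    rules, policies, table = defaultdict(lambda: defaultdict(list)), {}, None
    for line in text.splitlines():
        if line.startswith('*'):
            table = line[1:].strip()
        elif line.startswith(':'):
            chain, policy = line[1:].split()[:2]
            rules[table].setdefault(chain, [])
            policies[(table, chain)] = policy
        elif line.startswith(('-A ', '-I ')):      # -A appends, -I inserts at the head
            op, chain, *rule = line.split()
            rules[table][chain].insert(len(rules[table][chain]) if op == '-A' else 0, rule)
    return rules, policies

def _opt(rule, flag):
    """Value following a flag such as '-j' or '--state', or None if absent."""
    return rule[rule.index(flag) + 1] if flag in rule else None

def has_source_nat(rules):
    """True when nat/POSTROUTING carries an SNAT or MASQUERADE target."""
    return any(_opt(r, '-j') in ('SNAT', 'MASQUERADE') for r in rules['nat']['POSTROUTING'])

def egress_allows_new(rules, policies):
    """Fate of a NEW guest->Internet packet: the first FW_OUTBOUND verdict whose
    state match covers NEW, else the FORWARD policy the packet falls back to."""
    for rule in rules['filter'].get('FW_OUTBOUND', []):
        states = _opt(rule, '--state')
        if states is None or 'NEW' in states.split(','):
            if _opt(rule, '-j') in ('ACCEPT', 'DROP', 'REJECT'):
                return _opt(rule, '-j') == 'ACCEPT'
    return policies.get(('filter', 'FORWARD')) == 'ACCEPT'
```

Feed it `iptables-save` output taken on the router itself rather than /etc/iptables/rules, which is the distinction Jayapal draws above; on the posted rules both checks come back False.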