Hi Varun,

The file is for the firewall are all comig from the system VM image, you
can find them here depending on the type of the system:
https://github.com/apache/cloudstack/tree/master/systemvm/debian/etc/iptables.
After the system vm has booted and the SSH is available, the agent daemon
sends a command through ssh to setup the system VM with its correspondig
type (consoleproxy, dhcpsrv, secstorage...) which configures it differently
for each use case. To overcome this, you're best bet is to build a custom
systemVM on which you add an extra systemd script to set up the rules you
need.

On Wed, Mar 7, 2018 at 10:05 AM, Dag Sonstebo <dag.sonst...@shapeblue.com>
wrote:

> Hi Varun,
>
> Not sure if I follow your use case – the VR is built to provide services
> to VMs on the internal isolated network / VPC tier, the public interface is
> there for port forwarding / NATing to services hosted on the VMs.
> Hosting DHCP on the VR for clients on the public interface isn’t a
> supported use case – anything on the public interface is by definition
> considered untrusted.
>
> I may have misunderstood you though?
>
> Regards,
> Dag Sonstebo
> Cloud Architect
> ShapeBlue
>
> On 07/03/2018, 03:21, "Kumar, Varun" <varku...@virtela.net> wrote:
>
>     Thanks Dag.
>
>     I am running into a scenario where a VR is required for dhcp service
> on the public Internet facing vlan and want to restrict connections to
> known trusted sources only.
>
>     Has anyone in the community run into such a situation before and found
> a workaround ?
>
>     Thanks,
>     Varun
>
>
>     -----Original Message-----
>     From: Dag Sonstebo [mailto:dag.sonst...@shapeblue.com]
>     Sent: Tuesday, March 06, 2018 05:41 PM
>     To: users@cloudstack.apache.org
>     Subject: Re: Iptables on Virtual router
>
>     EXTERNAL EMAIL
>
>     Hi Varun,
>
>     No there’s no method for this, all firewall rules for the VR are
> contained in the CloudStack database and written on demand when the VR is
> created or firewall changes made.
>
>     Regards,
>     Dag Sonstebo
>     Cloud Architect
>     ShapeBlue
>
>     On 06/03/2018, 11:56, "Kumar, Varun" <varku...@virtela.net> wrote:
>
>         Hello,
>
>         Is it possible to write custom iptables  on the Virtual router
> that's created by cloudstack  and make it persistent across restarts ?
>
>         It looks like /etc/iptables/router_rules.v4  on the VR is the file
> that's being created  but I am looking for the script that creates this
> file.
>
>         Any insight is appreciated.
>
>         Thanks,
>         Varun
>
>
>
>
>     dag.sonst...@shapeblue.com
>     www.shapeblue.com
>     53 Chandos Place, Covent Garden, London  WC2N 4HSUK
>     @shapeblue
>
>
>
>
>
>
> dag.sonst...@shapeblue.com
> www.shapeblue.com
> 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
> @shapeblue
>
>
>
>

Reply via email to