Hi Varun, The file is for the firewall are all comig from the system VM image, you can find them here depending on the type of the system: https://github.com/apache/cloudstack/tree/master/systemvm/debian/etc/iptables. After the system vm has booted and the SSH is available, the agent daemon sends a command through ssh to setup the system VM with its correspondig type (consoleproxy, dhcpsrv, secstorage...) which configures it differently for each use case. To overcome this, you're best bet is to build a custom systemVM on which you add an extra systemd script to set up the rules you need.
On Wed, Mar 7, 2018 at 10:05 AM, Dag Sonstebo <[email protected]> wrote: > Hi Varun, > > Not sure if I follow your use case – the VR is built to provide services > to VMs on the internal isolated network / VPC tier, the public interface is > there for port forwarding / NATing to services hosted on the VMs. > Hosting DHCP on the VR for clients on the public interface isn’t a > supported use case – anything on the public interface is by definition > considered untrusted. > > I may have misunderstood you though? > > Regards, > Dag Sonstebo > Cloud Architect > ShapeBlue > > On 07/03/2018, 03:21, "Kumar, Varun" <[email protected]> wrote: > > Thanks Dag. > > I am running into a scenario where a VR is required for dhcp service > on the public Internet facing vlan and want to restrict connections to > known trusted sources only. > > Has anyone in the community run into such a situation before and found > a workaround ? > > Thanks, > Varun > > > -----Original Message----- > From: Dag Sonstebo [mailto:[email protected]] > Sent: Tuesday, March 06, 2018 05:41 PM > To: [email protected] > Subject: Re: Iptables on Virtual router > > EXTERNAL EMAIL > > Hi Varun, > > No there’s no method for this, all firewall rules for the VR are > contained in the CloudStack database and written on demand when the VR is > created or firewall changes made. > > Regards, > Dag Sonstebo > Cloud Architect > ShapeBlue > > On 06/03/2018, 11:56, "Kumar, Varun" <[email protected]> wrote: > > Hello, > > Is it possible to write custom iptables on the Virtual router > that's created by cloudstack and make it persistent across restarts ? > > It looks like /etc/iptables/router_rules.v4 on the VR is the file > that's being created but I am looking for the script that creates this > file. > > Any insight is appreciated. > > Thanks, > Varun > > > > > [email protected] > www.shapeblue.com > 53 Chandos Place, Covent Garden, London WC2N 4HSUK > @shapeblue > > > > > > > [email protected] > www.shapeblue.com > 53 Chandos Place, Covent Garden, London WC2N 4HSUK > @shapeblue > > > >
