Thanks for this Wei,
that helped me out!

I will share my findings - maybe someone googling for some more information
regarding the ACLs will find it useful.


- You need to set an "egress deny <port/all> <destination>" to work with
further "egress allow" rules. So I misunderstood the docs regarding this
point.
- Keep in mind that ACLs have limitations and are not the same as a
firewall.
- Referenced iptables tables for the ACL items (and then in the separate
chain of the ACL list):
     - Egress items are found in the "mangle" table
     - Ingress items are found in the "forward" table

Another interesting thing to mention:
ACLs are stateful (!), which is quite convenient but not always the default.
And for some applications additional actions might be needed or considered
during network planning.

Also, egress and ingress rules are not related to each other even if they
are displayed in one list (or say that they are 2 virtual lists).
Example ACL list of a tier:
     Pos. 1     egress deny all to 0.0.0.0/0
     Pos. 2     ingress allow 22 from 0.0.0.0/0

will give you an SSH connection from 0.0.0.0/0 to the network of the tier.
Something one might want to keep in mind.

Another thing I noticed:
For me, using the "drag&drop" of ACL items was quite a mixed bag.
The "rule numbers" often were not consistently displayed or updated.
For example, I had something like
nr 1 - Item A
nr 2 - Item B
nr 4 - Item D
nr 3 - Item C
Which can be a bit cumbersome, as the virtual router sorted the items
correctly in the iptables chains, meaning
nr 1 - Item A
nr 2 - Item B
nr 3 - Item C
nr 4 - Item D

If you are new to this, one can spend some time finding the mistake one
made..... ;-)



On Sat., 2 Oct. 2021 at 15:45, Wei ZHOU <ustcweiz...@gmail.com> wrote:

> Hi,
>
> The network acl feature is implemented through iptables and ipset. If you
> have related knowledge and like to investigate the issue, it would be nice.
>
> Wei
>
> On Saturday, 2 October 2021, vas...@gmx.de <vas...@gmx.de> wrote:
>
>> I can do. But before raising "issues" I normally try to confirm that my
>> issue is to some degree valid. As my knowledge on how and where Cloudstack
>> is working with the configured ACLs is at the moment quite shallow, I will
>> need to try out some things beforehand I guess....
>>
>> Wei ZHOU <ustcweiz...@gmail.com> wrote on Sat., 2 Oct. 2021, 08:50:
>>
>> > Hi,
>> >
>> > Could you create an issue on github and provide more details ?
>> >
>> > -Wei
>> >
>> > On Sat, 2 Oct 2021 at 02:31, vas...@gmx.de <vas...@gmx.de> wrote:
>> >
>> > > Hi everyone,
>> > >
>> > > I currently am looking into the ACL implementation used in VPCs.
>> > >
>> > > However, I was not able to locate any of my created "egress" entries in
>> > > any of the chains / tables on the router.
>> > > Tried several things like deny / allow egress traffic for one client or
>> > > the whole tier, but I wasn't able to locate the changes on the router.
>> > >
>> > > Could one of you give me some pointers on where to look for / locate
>> > > egress related rules in iptables?
>> > >
>> > > In this context, maybe someone can give me an idea if my understanding of
>> > > the documentation regarding egress ACL items is correct.
>> > > From the docs:
>> > > " ... once you add an ACL rule for outgoing traffic, then only outgoing
>> > > traffic specified in this ACL rule is allowed, the rest is blocked."
>> > > So adding an "egress + allow" for an instance in the tier shall result
>> > > in changing the "default" of the whole ACL to "egress + deny" for the
>> > > rest of the network automatically.
>> > > Is that correct?
>> > >
>> > > Thanks in advance!
>> > >
>> >
>>
>
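The ACL behaviour described in the message above (two independent ingress/egress lists, an "egress allow" that does not by itself block the rest, statefulness that lets the SSH replies through despite "egress deny all", and items evaluated by their position number rather than by display order) is easy to get wrong when planning a tier. The following script is an added example, not code from the mail or from CloudStack: it is a small model of those semantics, and the assumptions it makes (first matching position wins, no match means allow, reply traffic of an accepted connection passes in a stateful ACL) are mine, taken from the behaviour the poster reports rather than from the CloudStack source. The sample ACL text is constructed, in the "Pos. N  direction action port to/from CIDR" form used in the mail.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Model of the VPC network-ACL behaviour described in the mail above.
# Assumptions (mine, not taken from CloudStack's code): ingress and egress
# form two independent ordered lists, the lowest position that matches
# wins, a packet that matches nothing is allowed, and the ACL is stateful,
# so reply packets of an accepted connection pass whatever the opposite
# direction's list says.

ITEM_RE = re.compile(
    r"Pos\.\s*(\d+)\s+(ingress|egress)\s+(allow|deny)\s+(all|\d+)\s+(?:to|from)\s+(\S+)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class AclItem:
    pos: int
    direction: str        # "ingress" or "egress"
    action: str           # "allow" or "deny"
    port: Optional[int]   # None means all ports
    cidr: str             # remote network


def parse_acl(text: str) -> List[AclItem]:
    """Parse lines in the 'Pos. N  egress deny all to CIDR' form used in the mail."""
    items = []
    for line in text.splitlines():
        m = ITEM_RE.search(line)
        if not m:
            continue  # headings, blank lines, anything else
        pos, direction, action, port, cidr = m.groups()
        items.append(AclItem(int(pos), direction.lower(), action.lower(),
                             None if port.lower() == "all" else int(port), cidr))
    return items


def _matches(item: AclItem, port: int, remote_ip: str) -> bool:
    if item.port is not None and item.port != port:
        return False
    return ip_address(remote_ip) in ip_network(item.cidr, strict=False)


def evaluate(items: List[AclItem], direction: str, port: int, remote_ip: str) -> str:
    """Verdict ('allow'/'deny') for the first packet of a flow in one direction.

    Only that direction's items are consulted, ordered by their position
    number, not by the order they were listed (or displayed) in."""
    for item in sorted((i for i in items if i.direction == direction), key=lambda i: i.pos):
        if _matches(item, port, remote_ip):
            return item.action
    return "allow"  # assumption: nothing matched, traffic is not blocked


def connection_allowed(items: List[AclItem], direction: str, port: int,
                       remote_ip: str, stateful: bool = True) -> bool:
    """Can a new connection be set up, including its reply traffic?"""
    if evaluate(items, direction, port, remote_ip) != "allow":
        return False
    if stateful:
        return True  # replies ride on the accepted connection
    reverse = "egress" if direction == "ingress" else "ingress"
    return evaluate(items, reverse, port, remote_ip) == "allow"


def out_of_sequence(items: List[AclItem]) -> List[int]:
    """Positions whose listed order differs from numeric order (the drag&drop display issue)."""
    listed = [i.pos for i in items]
    return [p for p, q in zip(listed, sorted(listed)) if p != q]


if __name__ == "__main__":
    # Constructed sample: the example ACL from the mail.
    tier_acl = parse_acl("""
        Pos. 1     egress deny all to 0.0.0.0/0
        Pos. 2     ingress allow 22 from 0.0.0.0/0
    """)
    print(connection_allowed(tier_acl, "ingress", 22, "203.0.113.7"))         # True
    print(connection_allowed(tier_acl, "ingress", 22, "203.0.113.7", False))  # False
    print(evaluate(tier_acl, "egress", 443, "198.51.100.1"))                 # deny
```

Running it shows the three points from the mail side by side: the stateful evaluation lets SSH in although egress is denied, a stateless reading of the same list would refuse the connection, and an ACL with only "egress allow 443" still lets port 80 out until an "egress deny all" is added behind it.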