Thanks for this Wei, that helped me out! I will share my findings - maybe someone googling for some more information regarding the ACLs will find it useful.

- You need to set an "egress deny <port/all> <destination>" to work with further "egress allow" rules. So I misunderstood the docs regarding this point.
- Keep in mind that ACLs have limitations and are not the same as a firewall.
- Referenced iptables tables for the ACL items (and then in the separate chain of the ACL list):
  - Egress items are found in the "mangle" table
  - Ingress items are found in the "forward" table

Another interesting thing to mention: ACLs are stateful (!) - which is quite convenient but not always default. And for some applications additional actions might be needed or considered during network planning.

Also egress and ingress rules are not related to each other even if they are displayed in one list (or say that they are 2 virtual lists).

Example ACL list of a tier:

Pos. 1 egress deny all to 0.0.0.0/0
Pos. 2 ingress allow 22 from 0.0.0.0/0

will give you an SSH connection from 0.0.0.0/0 to the network of the tier. Something one might want to keep in mind.

Another thing I noticed: for me, using the "drag&drop" of ACL items was quite a mixed bag. The "rule numbers" often were not consistently displayed or updated. For example I had something like

nr 1 - Item A
nr 2 - Item B
nr 4 - Item D
nr 3 - Item C

which can be a bit cumbersome, as the virtual router sorted the items correctly in the iptables chains, meaning

nr 1 - Item A
nr 2 - Item B
nr 3 - Item C
nr 4 - Item D

If you are new to this, one can spend some time finding the mistake he made..... ;-)

On Sat, 2 Oct 2021 at 15:45, Wei ZHOU <ustcweiz...@gmail.com> wrote:

> Hi,
>
> The network acl feature is implemented through iptables and ipset. If you
> have related knowledge and like to investigate the issue, it would be nice.
>
> Wei
>
> On Saturday, 2 October 2021, vas...@gmx.de <vas...@gmx.de> wrote:
>
>> I can do. But before raising "issues" I normally try to confirm that my
>> issue is to some degree valid. As my knowledge on how and where Cloudstack
>> is working with the configured ACLs is at the moment quite shallow, I will
>> need to try out some things beforehand I guess....
>>
>> Wei ZHOU <ustcweiz...@gmail.com> wrote on Sat, 2 Oct 2021, 08:50:
>>
>> > Hi,
>> >
>> > Could you create an issue on github and provide more details ?
>> >
>> > -Wei
>> >
>> > On Sat, 2 Oct 2021 at 02:31, vas...@gmx.de <vas...@gmx.de> wrote:
>> >
>> > > Hi everyone,
>> > >
>> > > I currently am looking into the ACL implementation used in VPCs.
>> > >
>> > > However I was not able to locate any of my created "egress" entries in
>> > > any of the chains / tables on the router.
>> > > Tried several things like deny / allow egress traffic for one client or
>> > > the whole tier, but I wasn't able to locate the changes on the router.
>> > >
>> > > Might one of you give me somewhere to look / locate egress related
>> > > rules in iptables?
>> > >
>> > > In this context, maybe someone can give me an idea if my understanding
>> > > of the documentation regarding egress ACL items is correct.
>> > > From the docs:
>> > > " ... once you add an ACL rule for outgoing traffic, then only outgoing
>> > > traffic specified in this ACL rule is allowed, the rest is blocked."
>> > > So adding an "egress + allow" for an instance in the tier shall result
>> > > in changing the "default" of the whole acl to "egress + deny" for the
>> > > rest of the network automatically.
>> > > Is that correct?
>> > >
>> > > Thanks in advance!
>> > >
>> >
>> >
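The two gotchas from the post above (egress and ingress are evaluated as separate first-match lists with established replies let through, and the router applies rules in rule-number order no matter how the UI displayed them) can be checked against a small model. This is an added example written for this page; it is not CloudStack code and not from anyone in the thread. It models only first-match evaluation with a conntrack-style "established" shortcut, not the real iptables/ipset chains, and the outside addresses, the ephemeral reply port, the extra rules in the ordering scenario and the default-deny fallback are constructed assumptions.

```python
"""Model of the VPC ACL behaviour described in the thread (added example,
not CloudStack code): two independent first-match lists (ingress/egress),
an 'established' shortcut in front of them (stateful), and rules applied
in rule-number order regardless of how the UI displays them."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One ACL item. `cidr` is the source for ingress, the destination for egress."""
    number: int
    direction: str          # "ingress" or "egress"
    action: str             # "allow" or "deny"
    proto: str              # "tcp", "udp", "icmp" or "all"
    port: Optional[int]     # destination port, None = any
    cidr: str


@dataclass(frozen=True)
class Packet:
    """First packet of a flow crossing the tier boundary."""
    direction: str          # "ingress" (into the tier) or "egress" (out of it)
    proto: str
    port: int               # destination port
    remote: str             # address on the far side of the VPC router


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if rule.port is not None and rule.port != pkt.port:
        return False
    return ip_address(pkt.remote) in ip_network(rule.cidr)


class AclModel:
    def __init__(self, rules: List[Rule], order: str = "number",
                 stateful: bool = True, default: str = "deny"):
        # order="number": router view (sorted by rule number);
        # order="display": the list exactly as the UI showed it.
        self.rules = sorted(rules, key=lambda r: r.number) if order == "number" else list(rules)
        self.stateful = stateful
        self.default = default      # assumption: verdict when nothing matches
        self.established = set()    # accepted flows, keyed (proto, port, remote)

    def evaluate(self, pkt: Packet) -> str:
        """First matching rule of the packet's own direction decides; the other list is never consulted."""
        for rule in self.rules:
            if _matches(rule, pkt):
                if rule.action == "allow":
                    self.established.add((pkt.proto, pkt.port, pkt.remote))
                return f"{rule.action} (rule {rule.number})"
        return f"{self.default} (default)"

    def reply(self, pkt: Packet, ephemeral_port: int = 40000) -> str:
        """Reply leg of `pkt`: opposite direction, towards the peer's ephemeral port.
        Stateful: accepted because the flow is established. Stateless: it has to
        pass the opposite list on its own, which is where 'egress deny all' bites."""
        if self.stateful and (pkt.proto, pkt.port, pkt.remote) in self.established:
            return "allow (established)"
        back = Packet("egress" if pkt.direction == "ingress" else "ingress",
                      pkt.proto, ephemeral_port, pkt.remote)
        return self.evaluate(back)


def thread_example() -> dict:
    """The post's two-item list: 1 egress deny all, 2 ingress allow 22 from anywhere."""
    rules = [
        Rule(1, "egress", "deny", "all", None, "0.0.0.0/0"),
        Rule(2, "ingress", "allow", "tcp", 22, "0.0.0.0/0"),
    ]
    remote = "203.0.113.10"                       # constructed outside address
    ssh_in = Packet("ingress", "tcp", 22, remote)
    https_out = Packet("egress", "tcp", 443, remote)

    stateful = AclModel(rules)
    stateless = AclModel(rules, stateful=False)
    stateless.evaluate(ssh_in)
    return {
        "ssh_in": stateful.evaluate(ssh_in),             # allow (rule 2)
        "ssh_reply": stateful.reply(ssh_in),             # allow (established)
        "https_out": stateful.evaluate(https_out),       # deny (rule 1)
        "ssh_reply_stateless": stateless.reply(ssh_in),  # deny (rule 1)
    }


def ordering_example() -> tuple:
    """Rules as the UI displayed them (1, 2, 4, 3) versus as the router sorts
    them (1, 2, 3, 4). The rules themselves are constructed to make the
    difference visible for one outbound SMTP packet."""
    displayed = [
        Rule(1, "egress", "allow", "tcp", 443, "0.0.0.0/0"),
        Rule(2, "egress", "allow", "udp", 53, "10.0.0.0/8"),
        Rule(4, "egress", "allow", "tcp", 25, "10.0.0.0/8"),   # shown above rule 3 in the UI
        Rule(3, "egress", "deny", "all", None, "0.0.0.0/0"),
    ]
    smtp_out = Packet("egress", "tcp", 25, "10.1.2.3")
    ui_view = AclModel(displayed, order="display").evaluate(smtp_out)
    router_view = AclModel(displayed, order="number").evaluate(smtp_out)
    return ui_view, router_view                  # ("allow (rule 4)", "deny (rule 3)")


if __name__ == "__main__":
    print(thread_example())
    print(ordering_example())
```

`thread_example` reproduces the post's observation: the inbound SSH SYN only ever meets the ingress list, and its reply is waved through as established, so the "egress deny all" at position 1 never sees it; the stateless variant shows the same reply being dropped by that rule. `ordering_example` shows why the display-order mismatch is worth a second look: the UI order suggests SMTP is allowed, the number order the router applies denies it.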