Hi, Good findings. Thanks for sharing.
Do you think it works as what you expected?

-Wei

On Sat, 2 Oct 2021 at 23:41, vas...@gmx.de <vas...@gmx.de> wrote:

> Thanks for this Wei,
> that helped me out!
>
> I will share my findings - maybe someone googling for some more information
> regarding the ACLs will find it useful.
>
> - You need to set an "egress deny <port/all> <destination>" to work with
>   further "egress allow" rules. So I misunderstood the docs regarding this
>   point.
> - Keep in mind that ACLs have limitations and are not the same as a
>   firewall.
> - Referenced iptables tables for the ACL items (and then in the separate
>   chain of the ACL list):
>   - Egress items are found in the "mangle" table
>   - Ingress items are found in the "forward" table
>
> Another interesting thing to mention:
> ACLs are stateful (!) - which is quite convenient but not always default.
> And for some applications additional actions might be needed or considered
> during NW planning.
>
> Also egress and ingress rules are not related with each other even if they
> are displayed in one list (or say that they are 2 virtual lists).
> Example ACL list of a tier:
> Pos. 1 egress deny all to 0.0.0.0/0
> Pos. 2 ingress allow 22 from 0.0.0.0/0
>
> will give you an SSH connection from 0.0.0.0/0 to the network of the tier.
> Something one might want to keep in mind.
>
> Another thing I noticed:
> For me, using the "drag&drop" of ACL items was quite a mixed bag.
> The "rule numbers" often were not consistently displayed or updated.
> For example I had something like
> nr 1 - Item A
> nr 2 - Item B
> nr 4 - Item D
> nr 3 - Item C
> which can be a bit cumbersome, as on the virtual router the items were sorted
> correctly in the iptables chains, meaning
> nr 1 - Item A
> nr 2 - Item B
> nr 3 - Item C
> nr 4 - Item D
>
> If you are new to this, one can spend some time to find the mistake he
> made..... ;-)
>
> On Sat., 2 Oct 2021 at 15:45, Wei ZHOU <ustcweiz...@gmail.com> wrote:
>
>> Hi,
>>
>> The network ACL feature is implemented through iptables and ipset. If you
>> have related knowledge and would like to investigate the issue, it would be
>> nice.
>>
>> Wei
>>
>> On Saturday, 2 October 2021, vas...@gmx.de <vas...@gmx.de> wrote:
>>
>>> I can do. But before raising "issues" I normally try to confirm that my
>>> issue is to some degree valid. As my knowledge on how and where CloudStack
>>> is working with the configured ACLs is at the moment quite shallow, I will
>>> need to try out some things beforehand I guess....
>>>
>>> Wei ZHOU <ustcweiz...@gmail.com> wrote on Sat., 2 Oct 2021, 08:50:
>>>
>>>> Hi,
>>>>
>>>> Could you create an issue on GitHub and provide more details?
>>>>
>>>> -Wei
>>>>
>>>> On Sat, 2 Oct 2021 at 02:31, vas...@gmx.de <vas...@gmx.de> wrote:
>>>>
>>>>> Hi everyone,
>>>>>
>>>>> I currently am looking into the ACL implementation used in VPCs.
>>>>>
>>>>> However, I was not able to locate any of my created "egress" entries in
>>>>> any of the chains / tables on the router.
>>>>> Tried several things like deny / allow egress traffic for one client or
>>>>> the whole tier, but I wasn't able to locate the changes on the router.
>>>>>
>>>>> Might one of you give me some idea where to look / locate egress related
>>>>> rules in iptables?
>>>>>
>>>>> In this context, maybe someone can give me an idea if my understanding of
>>>>> the documentation regarding egress ACL items is correct.
>>>>> From the docs:
>>>>> " ... once you add an ACL rule for outgoing traffic, then only outgoing
>>>>> traffic specified in this ACL rule is allowed, the rest is blocked."
>>>>> So adding an "egress + allow" for an instance in the tier shall result in
>>>>> changing the "default" of the whole ACL to "egress + deny" for the rest
>>>>> of the network automatically.
>>>>> Is that correct?
>>>>>
>>>>> Thanks in advance!
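The following is an added example written for this thread, not CloudStack's code and not code from either poster. It is a small Python model of the ACL behaviour reported above: egress and ingress rules are evaluated as two independent lists in ascending rule-number order (whatever order the UI displayed them in), reply packets of a tracked connection pass before the list is consulted (stateful), and an "egress allow" only has an effect once a later "egress deny" exists. The fallback action when no rule matches (egress allowed, ingress denied) and all packet/rule values are assumptions constructed for the example, not taken from the router.

```python
"""Illustrative model of an ordered, stateful, two-direction network ACL.

Added for this thread; it is NOT CloudStack's implementation. Assumptions
(taken from the findings reported in the thread, not verified against code):
  * rules are evaluated per direction in ascending rule number, first match
    wins, whatever order the UI happened to display them in;
  * egress and ingress rules never interact, even if shown in one list;
  * packets of an already-tracked connection are accepted before the list
    is consulted (conntrack-style statefulness);
  * when no rule matches, the direction's default action applies.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Rule:
    number: int            # position ("nr") shown in the ACL list
    direction: str         # "ingress" or "egress"
    action: str            # "allow" or "deny"
    port: Optional[int]    # None means "all"
    cidr: str              # source net (ingress) or destination net (egress)


@dataclass(frozen=True)
class Packet:
    direction: str
    port: int
    remote: str            # source for ingress, destination for egress
    established: bool = False   # True if conntrack already knows the flow


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule only ever matches packets travelling in its own direction."""
    if rule.direction != pkt.direction:
        return False
    if rule.port is not None and rule.port != pkt.port:
        return False
    return ipaddress.ip_address(pkt.remote) in ipaddress.ip_network(rule.cidr)


def evaluate(rules: Iterable[Rule], pkt: Packet, defaults: Dict[str, str]) -> str:
    """Return "allow" or "deny" for pkt; defaults maps direction -> fallback."""
    if pkt.established:
        return "allow"                    # stateful: replies bypass the list
    for rule in sorted(rules, key=lambda r: r.number):   # router order, not UI order
        if matches(rule, pkt):
            return rule.action
    return defaults[pkt.direction]


# Constructed sample: the two-rule tier ACL from the thread.
TIER_ACL = [
    Rule(1, "egress", "deny", None, "0.0.0.0/0"),
    Rule(2, "ingress", "allow", 22, "0.0.0.0/0"),
]
# Assumed fallbacks: egress allowed unless denied (as the thread reports),
# ingress denied unless allowed.
DEFAULTS = {"egress": "allow", "ingress": "deny"}


def ssh_from_anywhere() -> Dict[str, str]:
    """SSH in works, its reply out works, but a new egress connection does not."""
    return {
        "ssh_in": evaluate(TIER_ACL, Packet("ingress", 22, "203.0.113.9"), DEFAULTS),
        "http_in": evaluate(TIER_ACL, Packet("ingress", 80, "203.0.113.9"), DEFAULTS),
        "ssh_reply_out": evaluate(TIER_ACL, Packet("egress", 22, "203.0.113.9", True), DEFAULTS),
        "new_out": evaluate(TIER_ACL, Packet("egress", 443, "198.51.100.7"), DEFAULTS),
    }


def egress_allow_needs_deny() -> Dict[str, str]:
    """An egress allow alone changes nothing; a later deny-all makes it matter."""
    allow_only = [Rule(1, "egress", "allow", 443, "0.0.0.0/0")]
    with_deny = allow_only + [Rule(2, "egress", "deny", None, "0.0.0.0/0")]
    http = Packet("egress", 80, "198.51.100.7")
    https = Packet("egress", 443, "198.51.100.7")
    return {
        "allow_only_http": evaluate(allow_only, http, DEFAULTS),
        "allow_only_https": evaluate(allow_only, https, DEFAULTS),
        "with_deny_http": evaluate(with_deny, http, DEFAULTS),
        "with_deny_https": evaluate(with_deny, https, DEFAULTS),
    }


def display_vs_router_order() -> Dict[str, str]:
    """The UI showed 1,2,4,3; reading it top-down gives the wrong verdict."""
    shown = [
        Rule(1, "ingress", "allow", 80, "0.0.0.0/0"),     # Item A
        Rule(2, "ingress", "allow", 443, "0.0.0.0/0"),    # Item B
        Rule(4, "ingress", "allow", 22, "0.0.0.0/0"),     # Item D (displayed 3rd)
        Rule(3, "ingress", "deny", 22, "0.0.0.0/0"),      # Item C (displayed 4th)
    ]
    ssh = Packet("ingress", 22, "203.0.113.9")

    def first_match_as_displayed() -> str:
        for r in shown:                   # naive: trust the on-screen order
            if matches(r, ssh):
                return r.action
        return DEFAULTS["ingress"]

    return {"as_displayed": first_match_as_displayed(),
            "on_router": evaluate(shown, ssh, DEFAULTS)}


if __name__ == "__main__":
    print(ssh_from_anywhere())
    print(egress_allow_needs_deny())
    print(display_vs_router_order())
```

Running the module prints the three result dictionaries; the third one shows why a mis-numbered list is worth double-checking on the router itself rather than in the UI.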