Hi, I have an all host installation of CloudStack 4.19.1.3. I created an instance in an isolated network with SNAT. I added the EGRESS rule in order to let the VM access the Internet. But the VM cannot access anything. The ping to VR (internal IP 10.1.1.1) is working, anything else (ping to gateway 192.168.0.254, 8.8.8.8) is not working.
My "public network" is 192.168.0.0/24 with gateway 192.168.0.254. My VR can ping the gateway (the public IP of the VR is 192.168.0.202). This is the routing table in it:

throw 10.1.1.0/24 table Table_eth0 proto static
default via 192.168.0.254 dev eth2 table Table_eth2 proto static
throw 10.1.1.0/24 table Table_eth2 proto static
throw 169.254.0.0/16 table Table_eth2 proto static
throw 192.168.0.0/24 table Table_eth2 proto static
default via 192.168.0.254 dev eth2
10.1.1.0/24 dev eth0 proto kernel scope link src 10.1.1.1
169.254.0.0/16 dev eth1 proto kernel scope link src 169.254.47.98
192.168.0.0/24 dev eth2 proto kernel scope link src 192.168.0.202
broadcast 10.1.1.0 dev eth0 table local proto kernel scope link src 10.1.1.1
local 10.1.1.1 dev eth0 table local proto kernel scope host src 10.1.1.1
broadcast 10.1.1.255 dev eth0 table local proto kernel scope link src 10.1.1.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 169.254.0.0 dev eth1 table local proto kernel scope link src 169.254.47.98
local 169.254.47.98 dev eth1 table local proto kernel scope host src 169.254.47.98
broadcast 169.254.255.255 dev eth1 table local proto kernel scope link src 169.254.47.98
broadcast 192.168.0.0 dev eth2 table local proto kernel scope link src 192.168.0.202
local 192.168.0.202 dev eth2 table local proto kernel scope host src 192.168.0.202
broadcast 192.168.0.255 dev eth2 table local proto kernel scope link src 192.168.0.202

I can see the egress rule and the NAT rule in the iptables of the VR:

# Generated by iptables-save v1.8.7 on Thu Feb 20 13:54:52 2025
*mangle
:PREROUTING ACCEPT [4527:735583]
:INPUT ACCEPT [4556:596134]
:FORWARD ACCEPT [174:34060]
:OUTPUT ACCEPT [3316:916429]
:POSTROUTING ACCEPT [3353:940981]
:FIREWALL_192.168.0.202 - [0:0]
:VPN_192.168.0.202 - [0:0]
-A PREROUTING -d 192.168.0.202/32 -j FIREWALL_192.168.0.202
-A PREROUTING -d 192.168.0.202/32 -j VPN_192.168.0.202
-A PREROUTING -m state --state RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A PREROUTING -i eth2 -m state --state NEW -j CONNMARK --set-xmark 0x66/0xffffffff
-A POSTROUTING -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A FIREWALL_192.168.0.202 -m state --state RELATED,ESTABLISHED -j RETURN
-A FIREWALL_192.168.0.202 -j DROP
-A VPN_192.168.0.202 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A VPN_192.168.0.202 -j RETURN
COMMIT
# Completed on Thu Feb 20 13:54:52 2025
# Generated by iptables-save v1.8.7 on Thu Feb 20 13:54:52 2025
*filter
:INPUT DROP [5:810]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3316:916429]
:FW_EGRESS_RULES - [0:0]
:FW_OUTBOUND - [0:0]
:NETWORK_STATS - [0:0]
:NETWORK_STATS_eth2 - [0:0]
-A INPUT -j NETWORK_STATS
-A INPUT -j NETWORK_STATS_eth2
-A INPUT -d 224.0.0.18/32 -j ACCEPT
-A INPUT -d 225.0.0.50/32 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -s 10.1.1.0/24 -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 10.1.1.0/24 -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 3922 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -s 10.1.1.0/24 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -s 10.1.1.0/24 -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -s 10.1.1.0/24 -i eth0 -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT
-A FORWARD -j NETWORK_STATS
-A FORWARD -j NETWORK_STATS_eth2
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
-A OUTPUT -j NETWORK_STATS
-A OUTPUT -j NETWORK_STATS_eth2
-A FW_EGRESS_RULES -p tcp -m set --match-set sourceCidrIpset-5 src -m tcp -j ACCEPT
-A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FW_OUTBOUND -j FW_EGRESS_RULES
-A NETWORK_STATS -i eth0 -o eth2
-A NETWORK_STATS -i eth2 -o eth0
-A NETWORK_STATS ! -i eth0 -o eth2 -p tcp
-A NETWORK_STATS -i eth2 ! -o eth0 -p tcp
-A NETWORK_STATS_eth2 -i eth0 -o eth2
-A NETWORK_STATS_eth2 -i eth2 -o eth0
-A NETWORK_STATS_eth2 ! -i eth0 -o eth2 -p tcp
-A NETWORK_STATS_eth2 -i eth2 ! -o eth0 -p tcp
COMMIT
# Completed on Thu Feb 20 13:54:52 2025
# Generated by iptables-save v1.8.7 on Thu Feb 20 13:54:52 2025
*nat
:PREROUTING ACCEPT [2221:380921]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [452:36454]
:POSTROUTING ACCEPT [34:4636]
-A POSTROUTING -o eth2 -j SNAT --to-source 192.168.0.202
COMMIT
# Completed on Thu Feb 20 13:54:52 2025

Can you please tell me what I should check in order to find out what is wrong in my configuration?

Thanks,
Andrei
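One way to check offline which verdict the VR's FORWARD chain gives a packet from the VM is to walk the posted rules for it. The block below is an added example, not code from the post or from CloudStack: it carries an excerpt of the filter table shown above (FORWARD policy DROP, FW_OUTBOUND, FW_EGRESS_RULES); the contents of sourceCidrIpset-5, the packet dict layout and the helper names are assumptions.

```python
# Added example: walk an iptables FORWARD chain for a hypothetical packet.
import ipaddress
import re

FILTER_RULES = """\
:FORWARD DROP [0:0]
-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
-A FW_EGRESS_RULES -p tcp -m set --match-set sourceCidrIpset-5 src -m tcp -j ACCEPT
-A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FW_OUTBOUND -j FW_EGRESS_RULES
"""  # excerpt of the filter table posted above
IPSETS = {"sourceCidrIpset-5": ["10.1.1.0/24"]}  # assumed: the ipset contents were not posted
OPT_RE = re.compile(r"(?<= )(! )?(-[iop]|--state|--match-set) (\S+)(?: (src|dst))?")

def parse(dump):
    policy, chains = {}, {}
    for line in dump.splitlines():
        if line.startswith(":"):  # ":NAME POLICY [pkts:bytes]"; user chains show "-"
            policy[line[1:].split()[0]] = line.split()[1]
        elif line.startswith("-A "):
            jump = re.search(r" -j (\S+)", line)  # None for pure counting rules
            conds = [(o, v, d, bool(n)) for n, o, v, d in OPT_RE.findall(line)]
            chains.setdefault(line.split()[1], []).append((conds, jump and jump.group(1)))
    return policy, chains
def matches(cond, pkt):
    opt, val, direction, negated = cond
    if opt == "--state":
        ok = pkt["state"] in val.split(",")
    elif opt == "--match-set":  # address membership in the named ipset (list of CIDRs)
        ok = any(ipaddress.ip_address(pkt[direction]) in ipaddress.ip_network(c)
                 for c in IPSETS.get(val, []))
    else:  # -i, -o, -p: the packet dict is keyed by the same option names
        ok = pkt[opt] == val
    return ok != negated
def walk(chain, pkt, policy, chains):
    for conds, target in chains.get(chain, []):
        if not all(matches(c, pkt) for c in conds):
            continue
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            break
        if target in chains and (v := walk(target, pkt, policy, chains)):
            return v  # the user chain decided; otherwise keep walking this chain
    pol = policy.get(chain)  # built-in chain policy (FORWARD DROP here); None for user chains
    return pol if pol != "-" else None
def verdict(pkt, dump=FILTER_RULES):
    return walk("FORWARD", pkt, *parse(dump))
VM_PING = {"-i": "eth0", "-o": "eth2", "-p": "icmp", "state": "NEW", "src": "10.1.1.10", "dst": "8.8.8.8"}  # constructed
```

verdict(VM_PING) walks a NEW ICMP echo from the VM towards the public NIC: the only rule in FW_EGRESS_RULES matches -p tcp, so any other protocol falls through every user chain back to the FORWARD DROP policy, while a TCP packet from an address in the ipset is accepted.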