It looks like you have created the egress rule with the tcp protocol. Maybe allow all?
Have

On Thursday, February 20, 2025, Andrei Miron <andrei.mi...@iqrate.ro> wrote:

> Hi,
>
> I have an all host installation of CloudStack 4.19.1.3.
> I created an instance in an isolated network with SNAT. I added the EGRESS rule in order to let the VM access the Internet.
> But the VM cannot access anything. The ping to VR (internal IP 10.1.1.1) is working, anything else (ping to gateway 192.168.0.254, 8.8.8.8) is not working.
>
> My "public network" is 192.168.0.0/24 with gateway 192.168.0.254.
> My VR can ping the gateway (public IP of the VR is 192.168.0.202). This is the routing table in it:
>
> throw 10.1.1.0/24 table Table_eth0 proto static
> default via 192.168.0.254 dev eth2 table Table_eth2 proto static
> throw 10.1.1.0/24 table Table_eth2 proto static
> throw 169.254.0.0/16 table Table_eth2 proto static
> throw 192.168.0.0/24 table Table_eth2 proto static
> default via 192.168.0.254 dev eth2
> 10.1.1.0/24 dev eth0 proto kernel scope link src 10.1.1.1
> 169.254.0.0/16 dev eth1 proto kernel scope link src 169.254.47.98
> 192.168.0.0/24 dev eth2 proto kernel scope link src 192.168.0.202
> broadcast 10.1.1.0 dev eth0 table local proto kernel scope link src 10.1.1.1
> local 10.1.1.1 dev eth0 table local proto kernel scope host src 10.1.1.1
> broadcast 10.1.1.255 dev eth0 table local proto kernel scope link src 10.1.1.1
> broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
> local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
> broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
> broadcast 169.254.0.0 dev eth1 table local proto kernel scope link src 169.254.47.98
> local 169.254.47.98 dev eth1 table local proto kernel scope host src 169.254.47.98
> broadcast 169.254.255.255 dev eth1 table local proto kernel scope link src 169.254.47.98
> broadcast 192.168.0.0 dev eth2 table local proto kernel scope link src 192.168.0.202
> local 192.168.0.202 dev eth2 table local proto kernel scope host src 192.168.0.202
> broadcast 192.168.0.255 dev eth2 table local proto kernel scope link src 192.168.0.202
>
> I can see in the iptables of the VR the egress rule and NAT rule:
>
> # Generated by iptables-save v1.8.7 on Thu Feb 20 13:54:52 2025
> *mangle
> :PREROUTING ACCEPT [4527:735583]
> :INPUT ACCEPT [4556:596134]
> :FORWARD ACCEPT [174:34060]
> :OUTPUT ACCEPT [3316:916429]
> :POSTROUTING ACCEPT [3353:940981]
> :FIREWALL_192.168.0.202 - [0:0]
> :VPN_192.168.0.202 - [0:0]
> -A PREROUTING -d 192.168.0.202/32 -j FIREWALL_192.168.0.202
> -A PREROUTING -d 192.168.0.202/32 -j VPN_192.168.0.202
> -A PREROUTING -m state --state RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
> -A PREROUTING -i eth2 -m state --state NEW -j CONNMARK --set-xmark 0x66/0xffffffff
> -A POSTROUTING -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> -A FIREWALL_192.168.0.202 -m state --state RELATED,ESTABLISHED -j RETURN
> -A FIREWALL_192.168.0.202 -j DROP
> -A VPN_192.168.0.202 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A VPN_192.168.0.202 -j RETURN
> COMMIT
> # Completed on Thu Feb 20 13:54:52 2025
> # Generated by iptables-save v1.8.7 on Thu Feb 20 13:54:52 2025
> *filter
> :INPUT DROP [5:810]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [3316:916429]
> :FW_EGRESS_RULES - [0:0]
> :FW_OUTBOUND - [0:0]
> :NETWORK_STATS - [0:0]
> :NETWORK_STATS_eth2 - [0:0]
> -A INPUT -j NETWORK_STATS
> -A INPUT -j NETWORK_STATS_eth2
> -A INPUT -d 224.0.0.18/32 -j ACCEPT
> -A INPUT -d 225.0.0.50/32 -j ACCEPT
> -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
> -A INPUT -s 10.1.1.0/24 -i eth0 -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -s 10.1.1.0/24 -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
> -A INPUT -i eth1 -p tcp -m tcp --dport 3922 -m state --state NEW,ESTABLISHED -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
> -A INPUT -s 10.1.1.0/24 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
> -A INPUT -s 10.1.1.0/24 -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
> -A INPUT -s 10.1.1.0/24 -i eth0 -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT
> -A FORWARD -j NETWORK_STATS
> -A FORWARD -j NETWORK_STATS_eth2
> -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
> -A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
> -A OUTPUT -j NETWORK_STATS
> -A OUTPUT -j NETWORK_STATS_eth2
> -A FW_EGRESS_RULES -p tcp -m set --match-set sourceCidrIpset-5 src -m tcp -j ACCEPT
> -A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FW_OUTBOUND -j FW_EGRESS_RULES
> -A NETWORK_STATS -i eth0 -o eth2
> -A NETWORK_STATS -i eth2 -o eth0
> -A NETWORK_STATS ! -i eth0 -o eth2 -p tcp
> -A NETWORK_STATS -i eth2 ! -o eth0 -p tcp
> -A NETWORK_STATS_eth2 -i eth0 -o eth2
> -A NETWORK_STATS_eth2 -i eth2 -o eth0
> -A NETWORK_STATS_eth2 ! -i eth0 -o eth2 -p tcp
> -A NETWORK_STATS_eth2 -i eth2 ! -o eth0 -p tcp
> COMMIT
> # Completed on Thu Feb 20 13:54:52 2025
> # Generated by iptables-save v1.8.7 on Thu Feb 20 13:54:52 2025
> *nat
> :PREROUTING ACCEPT [2221:380921]
> :INPUT ACCEPT [0:0]
> :OUTPUT ACCEPT [452:36454]
> :POSTROUTING ACCEPT [34:4636]
> -A POSTROUTING -o eth2 -j SNAT --to-source 192.168.0.202
> COMMIT
> # Completed on Thu Feb 20 13:54:52 2025
>
> Can you please tell me what I should check in order to find out what is wrong in my configuration?
>
> Thanks,
> Andrei
>
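The reply's diagnosis can be checked mechanically against the quoted iptables-save output: the FORWARD chain has policy DROP, guest-to-public traffic is sent to FW_OUTBOUND and then FW_EGRESS_RULES, and the only rule there that accepts a NEW connection carries `-p tcp`, so ICMP (ping) and UDP (DNS) from the guest are dropped while TCP is allowed. The script below is an added example, not code from the thread or from CloudStack. It walks the FORWARD chain of a dump for a packet opening a new connection from eth0 to eth2 and reports the verdict per protocol. The dump it uses is a constructed excerpt modelled on the quoted rules (chain names, the ipset name and the tcp-only egress rule are as quoted); the "allow all" variant rule is an assumed shape for a protocol-agnostic egress rule, not something taken from a real VR. Address and ipset matches are ignored on the assumption that the guest's source address is in the set.

```python
"""Walk the FORWARD chain of an iptables-save dump to find which protocols a
CloudStack virtual router lets a guest open NEW outbound connections with.

Added example; not code from the mailing-list thread or from CloudStack."""
import shlex

# Constructed excerpt of the *filter table, modelled on the rules quoted in
# the thread (chain names, ipset name and the tcp-only egress rule as quoted).
SAMPLE_DUMP = """\
*filter
:INPUT DROP [5:810]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3316:916429]
:FW_EGRESS_RULES - [0:0]
:FW_OUTBOUND - [0:0]
:NETWORK_STATS - [0:0]
-A FORWARD -j NETWORK_STATS
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
-A FW_EGRESS_RULES -p tcp -m set --match-set sourceCidrIpset-5 src -m tcp -j ACCEPT
-A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FW_OUTBOUND -j FW_EGRESS_RULES
-A NETWORK_STATS -i eth0 -o eth2
-A NETWORK_STATS ! -i eth0 -o eth2 -p tcp
COMMIT
"""

TCP_ONLY_RULE = "-A FW_EGRESS_RULES -p tcp -m set --match-set sourceCidrIpset-5 src -m tcp -j ACCEPT"
# Assumed shape of an "all protocols" egress rule (hypothetical, not copied
# from a real VR): same ipset match, no -p restriction.
ALLOW_ALL_RULE = "-A FW_EGRESS_RULES -m set --match-set sourceCidrIpset-5 src -j ACCEPT"
ALLOW_ALL_DUMP = SAMPLE_DUMP.replace(TCP_ONLY_RULE, ALLOW_ALL_RULE)

TERMINAL = ("ACCEPT", "DROP", "REJECT")


def _parse_rule(tokens):
    """Turn '-A CHAIN opt val ...' tokens into {option: value}; a negated
    option ('! -i eth0') is stored under the key '!-i'."""
    rule, key, negate = {}, None, False
    for tok in tokens[2:]:
        if tok == "!":
            negate = True
        elif tok.startswith("-"):
            key = ("!" if negate else "") + tok
            negate = False
            rule[key] = ""  # bare flag until a value follows
        elif key is not None:
            rule[key] = (rule[key] + " " + tok).strip()
    return rule


def parse_filter_table(dump):
    """Return (policies, chains) for the *filter table of an iptables-save dump."""
    policies, chains, in_filter = {}, {}, False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        elif line.startswith(":"):
            name, policy, _counters = line[1:].split()
            policies[name] = policy  # "-" for user-defined chains
            chains.setdefault(name, [])
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            chains.setdefault(tokens[1], []).append(_parse_rule(tokens))
    return policies, chains


def new_connection_verdict(chains, policies, in_if, out_if, proto, chain="FORWARD"):
    """Verdict for a packet that opens a NEW connection from in_if to out_if
    with protocol proto; None when a user chain falls through (RETURN).
    Address and ipset matches are ignored (assumed to match)."""
    for rule in chains.get(chain, []):
        if rule.get("-i", in_if) != in_if or rule.get("-o", out_if) != out_if:
            continue
        if rule.get("!-i") == in_if or rule.get("!-o") == out_if:
            continue
        if rule.get("-p", proto) not in (proto, "all"):
            continue
        if "NEW" not in rule.get("--state", "NEW").split(","):
            continue  # RELATED,ESTABLISHED-only rule cannot match a new flow
        target = rule.get("-j")
        if target is None:
            continue  # counting rule such as NETWORK_STATS
        if target in TERMINAL:
            return target
        if target == "RETURN":
            return None
        if target in chains:
            verdict = new_connection_verdict(chains, policies, in_if, out_if, proto, target)
            if verdict is not None:
                return verdict
    policy = policies.get(chain)
    return None if policy in (None, "-") else policy


def egress_report(dump, in_if="eth0", out_if="eth2", protos=("tcp", "udp", "icmp")):
    """Map each protocol to the verdict a guest's new outbound flow receives."""
    policies, chains = parse_filter_table(dump)
    return {p: new_connection_verdict(chains, policies, in_if, out_if, p) for p in protos}


if __name__ == "__main__":
    print("tcp-only egress rule:", egress_report(SAMPLE_DUMP))
    print("allow-all egress rule:", egress_report(ALLOW_ALL_DUMP))
```

With the quoted tcp-only rule the report is `{'tcp': 'ACCEPT', 'udp': 'DROP', 'icmp': 'DROP'}`, which matches the symptom (ping fails, and name resolution over UDP would fail too); with the protocol-agnostic rule all three are accepted. Running the same walk on a real `iptables-save` capture from the VR is a quick way to confirm the egress rule set before changing it.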