Raja Pullela created CLOUDSTACK-8905:
----------------------------------------
Summary: [Blocker] Egress rules are not configured in VR
Key: CLOUDSTACK-8905
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8905
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Affects Versions: 4.6.0
Reporter: Raja Pullela
Priority: Blocker
Fix For: 4.6.0
1. Deployed CS Advanced zone.
2. Created an isolated network.
3. Navigate to Egress rules:
Observing a pop-up message:
"Configure the rules to allow Traffic"
Inside VR:
root@r-9-VM:~# iptables-save
# Generated by iptables-save v1.4.14 on Wed Sep 23 10:46:46 2015
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [65:7867]
:FW_OUTBOUND - [0:0]
:NETWORK_STATS - [0:0]
-A INPUT -j NETWORK_STATS
-A INPUT -d 224.0.0.18/32 -j ACCEPT
-A INPUT -d 225.0.0.50/32 -j ACCEPT
-A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 3922 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 3922 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -d 224.0.0.18/32 -j ACCEPT
-A INPUT -d 225.0.0.50/32 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 3922 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -j NETWORK_STATS
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
-A OUTPUT -j NETWORK_STATS
-A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
-A NETWORK_STATS -i eth0 -o eth2
-A NETWORK_STATS -i eth2 -o eth0
-A NETWORK_STATS ! -i eth0 -o eth2 -p tcp
-A NETWORK_STATS -i eth2 ! -o eth0 -p tcp
COMMIT
# Completed on Wed Sep 23 10:46:46 2015
# Generated by iptables-save v1.4.14 on Wed Sep 23 10:46:46 2015
*nat
:PREROUTING ACCEPT [21:1428]
:INPUT ACCEPT [21:1428]
:OUTPUT ACCEPT [2:152]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth2 -j SNAT --to-source 10.147.47.9
COMMIT
# Completed on Wed Sep 23 10:46:46 2015
# Generated by iptables-save v1.4.14 on Wed Sep 23 10:46:46 2015
*mangle
:PREROUTING ACCEPT [331:33456]
:INPUT ACCEPT [352:35052]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [331:44643]
:POSTROUTING ACCEPT [331:44643]
:FIREWALL_10.147.47.9 - [0:0]
:VPN_10.147.47.9 - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A PREROUTING -d 10.147.47.9/32 -j FIREWALL_10.147.47.9
-A PREROUTING -d 10.147.47.9/32 -j VPN_10.147.47.9
-A PREROUTING -m state --state RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A PREROUTING -i eth2 -m state --state NEW -j CONNMARK --set-xmark 0x2/0xffffffff
-A PREROUTING -i eth0 -m state --state NEW -j CONNMARK --set-xmark 0x0/0xffffffff
-A POSTROUTING -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A FIREWALL_10.147.47.9 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FIREWALL_10.147.47.9 -j DROP
-A VPN_10.147.47.9 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A VPN_10.147.47.9 -j RETURN
COMMIT
# Completed on Wed Sep 23 10:46:46 2015
root@r-9-VM:~#
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
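The dump above shows why guest egress is blocked: the FORWARD policy is DROP, guest-to-public traffic (eth0 to eth2) is handed to FW_OUTBOUND, and that chain only accepts RELATED,ESTABLISHED, so a NEW outbound connection falls back to the DROP policy. The following script is an added example, not CloudStack code and not part of the report: a small iptables-save walker that parses the filter table and returns the kernel's verdict for a given packet. It embeds the FORWARD-relevant subset of the VR's filter table verbatim (INPUT rules omitted since they do not affect forwarding), uses a constructed TEST-NET destination address, and the allow rule it appends in the "fixed" case is a hypothetical rule written for the demonstration, not the exact rule CloudStack generates.

```python
"""Decide what a VR's iptables filter table does with a guest egress packet.

Added example for this note (not CloudStack code). It models only the matches the
dump actually uses: -i, -o, -p, --dport, -d and -m state --state.
"""
from __future__ import annotations

import ipaddress
import shlex
from dataclasses import dataclass, field
from typing import Optional

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    target: Optional[str] = None            # None = accounting-only rule (no -j)
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[str] = None
    states: Optional[set] = None
    dst: Optional[ipaddress.IPv4Network] = None
    negated: set = field(default_factory=set)   # options that were preceded by "!"


@dataclass
class Packet:
    in_if: str
    out_if: str
    proto: str
    dport: str
    state: str
    dst: str


def parse_filter_table(dump: str):
    """Return (policies, chains) for the *filter table of an iptables-save dump."""
    policies, chains, in_filter = {}, {}, False
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            in_filter = line == "*filter"
            continue
        if not in_filter:
            continue
        if line == "COMMIT":
            break
        if line.startswith(":"):                        # ":CHAIN POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
            continue
        toks = shlex.split(line)
        if toks[0] != "-A":
            continue
        rule, i, neg = Rule(), 2, False
        while i < len(toks):
            t = toks[i]
            if t == "!":
                neg, i = True, i + 1
                continue
            val = toks[i + 1] if i + 1 < len(toks) else None
            if t == "-i":
                rule.in_if = val
            elif t == "-o":
                rule.out_if = val
            elif t == "-p":
                rule.proto = val
            elif t == "--dport":
                rule.dport = val
            elif t == "--state":
                rule.states = set(val.split(","))
            elif t == "-d":
                rule.dst = ipaddress.ip_network(val, strict=False)
            elif t == "-j":
                rule.target = val
            # "-m <module>" and any other option simply consumes its argument
            if neg:
                rule.negated.add(t)
            neg, i = False, i + 2
        chains[toks[1]].append(rule)
    return policies, chains


def matches(rule: Rule, pkt: Packet) -> bool:
    for opt, want, have in (("-i", rule.in_if, pkt.in_if), ("-o", rule.out_if, pkt.out_if),
                            ("-p", rule.proto, pkt.proto), ("--dport", rule.dport, pkt.dport)):
        # a match fails when equality disagrees with the (possibly negated) expectation
        if want is not None and (want == have) == (opt in rule.negated):
            return False
    if rule.states is not None and pkt.state not in rule.states:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    return True


def verdict(policies, chains, pkt: Packet, chain: str = "FORWARD") -> Optional[str]:
    """Walk a chain the way the kernel does; None means 'fell off the end of a user chain'."""
    for rule in chains[chain]:
        if not matches(rule, pkt) or rule.target is None:
            continue
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            break
        if rule.target in chains:                       # jump into a user-defined chain
            result = verdict(policies, chains, pkt, rule.target)
            if result is not None:
                return result
        # other extension targets (LOG, CONNMARK, ...) do not end the walk
    policy = policies[chain]
    return None if policy == "-" else policy


# FORWARD-relevant subset of the filter table captured on r-9-VM in the report.
VR_FILTER_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [65:7867]
:FW_OUTBOUND - [0:0]
:NETWORK_STATS - [0:0]
-A FORWARD -j NETWORK_STATS
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
-A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
-A NETWORK_STATS -i eth0 -o eth2
-A NETWORK_STATS -i eth2 -o eth0
-A NETWORK_STATS ! -i eth0 -o eth2 -p tcp
-A NETWORK_STATS -i eth2 ! -o eth0 -p tcp
COMMIT
"""


def egress_verdict(dump: str, proto: str, dport: str, state: str) -> Optional[str]:
    """Verdict for a guest (eth0) -> public (eth2) packet; 203.0.113.10 is a constructed TEST-NET address."""
    policies, chains = parse_filter_table(dump)
    return verdict(policies, chains, Packet("eth0", "eth2", proto, dport, state, "203.0.113.10"))


def with_fw_outbound_rule(dump: str, rule: str) -> str:
    """Append an egress allow rule to the filter table (hypothetical rule, not CloudStack's exact syntax)."""
    return dump.replace("COMMIT", f"{rule}\nCOMMIT", 1)


if __name__ == "__main__":
    print("new tcp/80 out:", egress_verdict(VR_FILTER_DUMP, "tcp", "80", "NEW"))             # DROP
    print("established out:", egress_verdict(VR_FILTER_DUMP, "tcp", "80", "ESTABLISHED"))    # ACCEPT
    fixed = with_fw_outbound_rule(VR_FILTER_DUMP, "-A FW_OUTBOUND -p tcp -m tcp --dport 80 -j ACCEPT")
    print("new tcp/80 out, allow rule present:", egress_verdict(fixed, "tcp", "80", "NEW"))   # ACCEPT
    print("new tcp/443 out, allow rule present:", egress_verdict(fixed, "tcp", "443", "NEW")) # DROP
```

Running it against the captured table shows the report's symptom directly: a NEW guest connection to the public side ends in the FORWARD DROP policy while established flows are accepted, and only once an ACCEPT rule exists in FW_OUTBOUND does the matching new flow pass. The same walker can be pointed at a fresh `iptables-save` from any VR to check that the egress rules configured in the UI actually landed in FW_OUTBOUND.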