Yes, right, but why can't we use the floating ip? The administrator or user should care about the floating ip of an instance rather than the fixed ip. So I think the firewall should also take effect on the floating ip.
Thanks,
Xurong Yang

2014-06-05 19:32 GMT+08:00 ZZelle <zze...@gmail.com>:
> Hi,
>
> When the router receives packets from the external network, iptables does
> the following sequentially:
> 1) NAT PREROUTING table: translate floating ip to fixed ip
> 2) FILTER FORWARD table: apply FW rules ... on fixed ips, because the
> floating ip has already been translated to the fixed ip
>
> So disabling the ping to the floating ip has no effect; you should instead
> disable ping to the associated fixed ip.
>
> More generally, in (iptables) FW rules you should use fixed ips/cidrs as
> source/target, not floating ips.
>
> Cheers,
>
> Cedric
>
> On Thu, Jun 5, 2014 at 1:15 PM, Xurong Yang <ido...@gmail.com> wrote:
>> Hi, Stackers,
>>
>> Use case description:
>>
>> Firewall is not working when setting the destination-ip-address as the VM's
>> floating ip
>>
>> Steps to Reproduce:
>> 1. create one network and attach it to the newly created router
>> 2. create VMs on the above network
>> 3. create a security group rule for icmp
>> 4. create an external network and attach it to the router as gateway
>> 5. create a floating ip and associate it to the VMs
>> 6. create a first firewall rule with protocol=icmp, action=deny and
>> destination-ip-address as the floating ip
>> 7. create a second firewall rule with protocol=any, action=allow
>> 8. attach the rule to the policy and the policy to the firewall
>> 9. ping the VM's floating ip from the network node which has the
>> external network configured
>>
>> Actual Results:
>> Ping succeeds
>>
>> Expected Results:
>> Ping should fail as per the firewall rule
>>
>> The router's functionality is both NAT and firewall, so, although we have
>> created a firewall rule, DNAT will take action (change floating ip to fixed ip)
>> in the PREROUTING chain first when the network node pings the VM's floating ip,
>> so the firewall rules in the FORWARD chain can't match because the packet's ip
>> has been changed to the fixed ip.
>>
>> Additional case:
>> if we change the firewall rule to protocol=icmp, action=deny and
>> destination-ip-address as the fixed ip, the ping fails.
>>
>> In short, the router firewall can't take effect on the floating ip.
>>
>> What do you think?
>>
>> Cheers,
>>
>> Xurong Yang
_______________________________________________ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
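The PREROUTING-then-FORWARD ordering Cedric describes above, as an added example that is not part of this thread and not Neutron/OpenStack code: a small Python model of the table order a forwarded packet goes through in the router namespace. The addresses (203.0.113.10 as the floating ip, 10.0.0.5 as the fixed ip, 203.0.113.1 and 198.51.100.7 as peers), the rule set and the default verdict are constructed for illustration; the model keeps only the order nat/PREROUTING -> filter/FORWARD -> nat/POSTROUTING and ignores the agent's actual chain names.

```python
"""Netfilter traversal order for a packet forwarded by a Neutron router
namespace, as a runnable model. Added example, not Neutron/OpenStack code;
addresses, rule set and default verdict are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "icmp", "tcp", "udp"


@dataclass(frozen=True)
class FilterRule:
    """One FWaaS-style rule; src/dst accept a single address or a CIDR."""
    action: str                  # "deny" or "allow"
    proto: str = "any"
    src: Optional[str] = None
    dst: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        for want, have in ((self.src, pkt.src), (self.dst, pkt.dst)):
            if want and ipaddress.ip_address(have) not in ipaddress.ip_network(want, strict=False):
                return False
        return True


# Constructed floating ip -> fixed ip association (the DNAT/SNAT pair the
# l3 agent would program for one associated floating ip; not data from the thread).
FLOATING_TO_FIXED = {"203.0.113.10": "10.0.0.5"}
FIXED_TO_FLOATING = {v: k for k, v in FLOATING_TO_FIXED.items()}


def nat_prerouting(pkt: Packet) -> Packet:
    """nat/PREROUTING: DNAT floating ip -> fixed ip. Runs before FORWARD."""
    fixed = FLOATING_TO_FIXED.get(pkt.dst)
    return replace(pkt, dst=fixed) if fixed else pkt


def filter_forward(pkt: Packet, rules: List[FilterRule]) -> str:
    """filter/FORWARD: first matching rule wins; default verdict is constructed as allow."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "allow"


def nat_postrouting(pkt: Packet) -> Packet:
    """nat/POSTROUTING: SNAT fixed ip -> floating ip. Runs after FORWARD."""
    floating = FIXED_TO_FLOATING.get(pkt.src)
    return replace(pkt, src=floating) if floating else pkt


def traverse(pkt: Packet, rules: List[FilterRule]):
    """Return (verdict, packet as FORWARD saw it, packet as it left or None if dropped)."""
    seen = nat_prerouting(pkt)
    verdict = filter_forward(seen, rules)
    out = nat_postrouting(seen) if verdict == "allow" else None
    return verdict, seen, out


def reproduce_thread_case() -> dict:
    """Steps 6-9 of the report: deny icmp to the floating ip, then allow any."""
    ping = Packet(src="203.0.113.1", dst="203.0.113.10", proto="icmp")
    allow_any = FilterRule("allow")
    v_float, seen, _ = traverse(ping, [FilterRule("deny", "icmp", dst="203.0.113.10"), allow_any])
    v_fixed, _, _ = traverse(ping, [FilterRule("deny", "icmp", dst="10.0.0.5"), allow_any])
    return {"deny_on_floating": v_float, "forward_saw_dst": seen.dst, "deny_on_fixed": v_fixed}


def egress_case() -> dict:
    """Same ordering outbound: FORWARD sees the fixed source; SNAT happens afterwards."""
    out = Packet(src="10.0.0.5", dst="198.51.100.7", proto="tcp")
    v_float, seen, _ = traverse(out, [FilterRule("deny", src="203.0.113.10")])
    v_cidr, _, _ = traverse(out, [FilterRule("deny", src="10.0.0.0/24")])
    _, _, left = traverse(out, [])
    return {"deny_on_floating_src": v_float, "forward_saw_src": seen.src,
            "deny_on_fixed_cidr": v_cidr, "leaves_as_src": left.src}


if __name__ == "__main__":
    print(reproduce_thread_case())
    print(egress_case())
```

The inbound case returns "allow" for the rule written against the floating ip and "deny" for the one written against the fixed ip, which is exactly the behaviour reported in the thread. The egress case shows why Cedric's advice applies in both directions: a VM-originated packet reaches FORWARD with its fixed source address and is only rewritten to the floating ip in POSTROUTING, so a source match on the floating ip is dead in that direction too, while a match on the tenant CIDR works.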