Hello jayapal,
I have reloaded and reinstalled CS4.02, and still have the problem.
Please see the router VM; why are there so many ethX interfaces?
eth0 is for the guest, eth1 is link-local, eth2 should be the public?
I have tried
iptables -A FORWARD -i eth0 -o eth2 -j ACCEPT
Still no luck.
Any problem with my install? I use one box for the management server and
also the KVM host.
Thank you very much.
root@r-4-VM:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use
Iface
198.105.191.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
198.105.191.0 0.0.0.0 255.255.255.0 U 0 0 0 eth3
198.105.191.0 0.0.0.0 255.255.255.0 U 0 0 0 eth4
10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
0.0.0.0 198.105.191.1 0.0.0.0 UG 0 0 0 eth2
root@r-4-VM:~# ifconfig
eth0 Link encap:Ethernet HWaddr 02:00:5b:79:00:02
inet addr:10.1.1.1 Bcast:10.1.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:386 errors:0 dropped:0 overruns:0 frame:0
TX packets:29 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:38794 (37.8 KiB) TX bytes:2754 (2.6 KiB)
eth1 Link encap:Ethernet HWaddr 0e:00:a9:fe:02:e9
inet addr:169.254.2.233 Bcast:169.254.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2327 errors:0 dropped:0 overruns:0 frame:0
TX packets:2051 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:390750 (381.5 KiB) TX bytes:383291 (374.3 KiB)
eth2 Link encap:Ethernet HWaddr 06:eb:d8:00:00:2b
inet addr:198.105.191.25 Bcast:198.105.191.255
Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3368 errors:0 dropped:0 overruns:0 frame:0
TX packets:331 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:198359 (193.7 KiB) TX bytes:31594 (30.8 KiB)
eth3 Link encap:Ethernet HWaddr 06:80:0e:00:00:2b
inet addr:198.105.191.25 Bcast:0.0.0.0 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3260 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:179843 (175.6 KiB) TX bytes:84 (84.0 B)
eth4 Link encap:Ethernet HWaddr 06:b8:9a:00:00:2b
inet addr:198.105.191.25 Bcast:0.0.0.0 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3255 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:179567 (175.3 KiB) TX bytes:84 (84.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:6 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:414 (414.0 B) TX bytes:414 (414.0 B)
root@r-4-VM:~# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
NETWORK_STATS all -- anywhere anywhere
ACCEPT all -- anywhere vrrp.mcast.net
ACCEPT all -- anywhere 225.0.0.50
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere state NEW tcp
dpt:3922
ACCEPT tcp -- anywhere anywhere state NEW tcp
dpt:http-alt
ACCEPT tcp -- anywhere anywhere state NEW tcp
dpt:www
Chain FORWARD (policy DROP)
target prot opt source destination
NETWORK_STATS all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
NETWORK_STATS all -- anywhere anywhere
Chain NETWORK_STATS (3 references)
target prot opt source destination
all -- anywhere anywhere
all -- anywhere anywhere
tcp -- anywhere anywhere
tcp -- anywhere anywhere
all -- anywhere anywhere
all -- anywhere anywhere
tcp -- anywhere anywhere
tcp -- anywhere anywhere
all -- anywhere anywhere
all -- anywhere anywhere
tcp -- anywhere anywhere
tcp -- anywhere anywhere
On Wed, May 22, 2013 at 6:41 PM, Jayapal Reddy Uradi <
[email protected]> wrote:
> In your CS version the egress rules feature is not present.
> That's the reason CS says Unknown API.
> I checked your iptables rules also; the egress rules default block rules are
> not present.
> You can ignore the egress firewall rules.
>
> Check in your router whether there is a rule to accept guest traffic to public.
> If not, add the below iptables rule on the router. This rule allows guest
> traffic to the public network.
>
> iptables -A FORWARD -i <guest interface name> -o <public interface name>
> -j ACCEPT
>
>
> Thanks,
> jayapal
> On 22-May-2013, at 4:03 PM, wq meng <[email protected]>
> wrote:
>
> > Hello Jayapal
> >
> > If CS4.02 by default blocks the VM from accessing the public side, and in the UI
> > there is no link to change it. As you saw, the API has no API name to
> > change it either.
> >
> >
> > How to fix the problem?
> >
> >
> >
> >
> > I will reload the OS and re-setup CS4.02 again to check if it will fix.
> >
> >
> >
> > Thank you so much.
> >
> >
> >
> > On Wed, May 22, 2013 at 6:23 PM, Jayapal Reddy Uradi <
> > [email protected]> wrote:
> >
> >> From the VM, if you are not able to ping the public side then it is your setup
> >> issue.
> >> It can be debugged by capturing packets on the router guest interface and
> >> public interface to see whether the packets are reaching the router or not.
> >>
> >> Thanks,
> >> Jayapal
> >>
> >> On 22-May-2013, at 3:49 PM, Jayapal Reddy Uradi <
> >> [email protected]>
> >> wrote:
> >>
> >>>
> >>> You need to ping the router VM public IP from the public network/subnet?
> >>> - You need to add an icmp firewall rule on the public IP to enable ping
> >> requests on the public IP
> >>>
> >>> Thanks,
> >>> Jayapal
> >>>
> >>>
> >>> On 22-May-2013, at 3:45 PM, wq meng <[email protected]>
> >>> wrote:
> >>>
> >>>> Hello Jayapal
> >>>>
> >>>> There is no problem pinging Google from the Router VM; the only problem is
> >>>> that I cannot ping the Router VM public IP from outside.
> >>>>
> >>>> root@r-4-VM:~# ping www.google.com
> >>>> PING www.google.com (173.194.64.147): 56 data bytes
> >>>> 64 bytes from 173.194.64.147: icmp_seq=0 ttl=48 time=53.194 ms
> >>>> 64 bytes from 173.194.64.147: icmp_seq=1 ttl=48 time=53.190 ms
> >>>> 64 bytes from 173.194.64.147: icmp_seq=2 ttl=48 time=53.286 ms
> >>>> 64 bytes from 173.194.64.147: icmp_seq=3 ttl=48 time=53.207 ms
> >>>> ^C--- www.google.com ping statistics ---
> >>>> 4 packets transmitted, 4 packets received, 0% packet loss
> >>>> round-trip min/avg/max/stddev = 53.190/53.219/53.286/0.039 ms
> >>>>
> >>>> root@r-4-VM:~# iptables -L -nv
> >>>> Chain INPUT (policy DROP 583 packets, 18656 bytes)
> >>>> pkts bytes target prot opt in out source
> >>>> destination
> >>>> 7009 1074K NETWORK_STATS all -- * * 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>> 0 0 ACCEPT all -- * * 0.0.0.0/0
> >>>> 224.0.0.18
> >>>> 0 0 ACCEPT all -- * * 0.0.0.0/0
> >>>> 225.0.0.50
> >>>> 0 0 ACCEPT all -- eth0 * 0.0.0.0/0
> >>>> 0.0.0.0/0 state RELATED,ESTABLISHED
> >>>> 5619 1007K ACCEPT all -- eth1 * 0.0.0.0/0
> >>>> 0.0.0.0/0 state RELATED,ESTABLISHED
> >>>> 24 2906 ACCEPT all -- eth2 * 0.0.0.0/0
> >>>> 0.0.0.0/0 state RELATED,ESTABLISHED
> >>>> 57 4825 ACCEPT icmp -- * * 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>> 5 293 ACCEPT all -- lo * 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>> 0 0 ACCEPT udp -- eth0 * 0.0.0.0/0
> >>>> 0.0.0.0/0 udp dpt:67
> >>>> 349 24753 ACCEPT udp -- eth0 * 0.0.0.0/0
> >>>> 0.0.0.0/0 udp dpt:53
> >>>> 318 19080 ACCEPT tcp -- eth1 * 0.0.0.0/0
> >>>> 0.0.0.0/0 state NEW tcp dpt:3922
> >>>> 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0
> >>>> 0.0.0.0/0 state NEW tcp dpt:8080
> >>>> 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0
> >>>> 0.0.0.0/0 state NEW tcp dpt:80
> >>>>
> >>>> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> >>>> pkts bytes target prot opt in out source
> >>>> destination
> >>>> 8735 1159K NETWORK_STATS all -- * * 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>> 0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0
> >>>> 0.0.0.0/0 state RELATED,ESTABLISHED
> >>>> 4746 775K ACCEPT all -- eth0 eth2 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>> 3657 364K ACCEPT all -- eth2 eth0 0.0.0.0/0
> >>>> 0.0.0.0/0 state RELATED,ESTABLISHED
> >>>> 0 0 ACCEPT all -- eth0 eth0 0.0.0.0/0
> >>>> 0.0.0.0/0 state NEW
> >>>> 0 0 ACCEPT all -- eth0 eth0 0.0.0.0/0
> >>>> 0.0.0.0/0 state RELATED,ESTABLISHED
> >>>> 0 0 ACCEPT all -- eth3 eth0 0.0.0.0/0
> >>>> 0.0.0.0/0 state RELATED,ESTABLISHED
> >>>> 0 0 ACCEPT all -- eth0 eth3 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>> 0 0 ACCEPT tcp -- * * 0.0.0.0/0
> >>>> 10.1.1.5 state RELATED,ESTABLISHED /* 198.105.191.245:22
> :22
> >> */
> >>>> 332 19920 ACCEPT tcp -- * * 0.0.0.0/0
> >>>> 10.1.1.5 tcp dpt:22 state NEW /* 198.105.191.245:22:22 */
> >>>> 0 0 ACCEPT tcp -- * * 0.0.0.0/0
> >>>> 10.1.1.5 state RELATED,ESTABLISHED /* 198.105.191.245:80
> :80
> >> */
> >>>> 0 0 ACCEPT tcp -- * * 0.0.0.0/0
> >>>> 10.1.1.5 tcp dpt:80 state NEW /* 198.105.191.245:80:80 */
> >>>> 0 0 ACCEPT all -- eth4 eth0 0.0.0.0/0
> >>>> 0.0.0.0/0 state RELATED,ESTABLISHED
> >>>> 0 0 ACCEPT all -- eth0 eth4 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>> 0 0 ACCEPT all -- eth5 eth0 0.0.0.0/0
> >>>> 0.0.0.0/0 state RELATED,ESTABLISHED
> >>>> 0 0 ACCEPT all -- eth0 eth5 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>> 0 0 ACCEPT all -- eth6 eth0 0.0.0.0/0
> >>>> 0.0.0.0/0 state RELATED,ESTABLISHED
> >>>> 0 0 ACCEPT all -- eth0 eth6 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>> 0 0 ACCEPT all -- eth7 eth0 0.0.0.0/0
> >>>> 0.0.0.0/0 state RELATED,ESTABLISHED
> >>>> 0 0 ACCEPT all -- eth0 eth7 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>>
> >>>> Chain OUTPUT (policy ACCEPT 704 packets, 122K bytes)
> >>>> pkts bytes target prot opt in out source
> >>>> destination
> >>>> 6195 1039K NETWORK_STATS all -- * * 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>>
> >>>> Chain NETWORK_STATS (3 references)
> >>>> pkts bytes target prot opt in out source
> >>>> destination
> >>>> 4746 775K all -- eth0 eth2 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>> 3989 384K all -- eth2 eth0 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>> 0 0 tcp -- !eth0 eth2 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>> 2 100 tcp -- eth2 !eth0 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>> 0 0 all -- eth0 eth3 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>> 0 0 all -- eth3 eth0 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>> 0 0 tcp -- !eth0 eth3 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>> 0 0 tcp -- eth3 !eth0 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>> 0 0 all -- eth0 eth4 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>> 0 0 all -- eth4 eth0 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>> 0 0 tcp -- !eth0 eth4 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>> 0 0 tcp -- eth4 !eth0 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>> 0 0 all -- eth0 eth5 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>> 0 0 all -- eth5 eth0 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>> 0 0 tcp -- !eth0 eth5 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>> 0 0 tcp -- eth5 !eth0 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>> 0 0 all -- eth0 eth6 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>> 0 0 all -- eth6 eth0 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>> 0 0 tcp -- !eth0 eth6 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>> 0 0 tcp -- eth6 !eth0 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>> 0 0 all -- eth0 eth7 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>> 0 0 all -- eth7 eth0 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>> 0 0 tcp -- !eth0 eth7 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>> 0 0 tcp -- eth7 !eth0 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>> root@r-4-VM:~#
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> ------------------------------------------------------------------------------------
> >>>> Below is from the Guest VM instance.
> >>>>
> >>>> Not sure how to capture the packets.
> >>>>
> >>>> But I did a tracepath www.google.com inside the guest VM.
> >>>>
> >>>> From the output,
> >>>>
> >>>> [root@CentOS5-5 ~]# tracepath www.google.com
> >>>> 1: r-4-VM.cs2cloud.internal (10.1.1.1) 0.149ms
> >>>> 2: no reply
> >>>> 3: no reply
> >>>> 4: no reply
> >>>>
> >>>> [root@CentOS5-5 ~]# iptables -L -nv
> >>>> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
> >>>> pkts bytes target prot opt in out source
> >>>> destination
> >>>> 15198 1412K RH-Firewall-1-INPUT all -- * * 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>>
> >>>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> >>>> pkts bytes target prot opt in out source
> >>>> destination
> >>>> 0 0 RH-Firewall-1-INPUT all -- * * 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>>
> >>>> Chain OUTPUT (policy ACCEPT 17238 packets, 7377K bytes)
> >>>> pkts bytes target prot opt in out source
> >>>> destination
> >>>>
> >>>> Chain RH-Firewall-1-INPUT (2 references)
> >>>> pkts bytes target prot opt in out source
> >>>> destination
> >>>> 56 9116 ACCEPT all -- lo * 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>> 22 3360 ACCEPT icmp -- * * 0.0.0.0/0
> >>>> 0.0.0.0/0 icmp type 255
> >>>> 0 0 ACCEPT esp -- * * 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>> 0 0 ACCEPT ah -- * * 0.0.0.0/0
> >>>> 0.0.0.0/0
> >>>> 13 2124 ACCEPT udp -- * * 0.0.0.0/0
> >>>> 224.0.0.251 udp dpt:5353
> >>>> 0 0 ACCEPT udp -- * * 0.0.0.0/0
> >>>> 0.0.0.0/0 udp dpt:631
> >>>> 0 0 ACCEPT tcp -- * * 0.0.0.0/0
> >>>> 0.0.0.0/0 tcp dpt:631
> >>>> 13536 1320K ACCEPT all -- * * 0.0.0.0/0
> >>>> 0.0.0.0/0 state RELATED,ESTABLISHED
> >>>> 931 55796 ACCEPT tcp -- * * 0.0.0.0/0
> >>>> 0.0.0.0/0 state NEW tcp dpt:22
> >>>> 640 21690 REJECT all -- * * 0.0.0.0/0
> >>>> 0.0.0.0/0 reject-with icmp-host-prohibited
> >>>>
> >>>>
> >>>> Inside the VM, I can ping other VMs' guest IPs.
> >>>>
> >>>>
> >>>> [root@CentOS5-5 ~]# ping 10.1.1.36
> >>>> PING 10.1.1.36 (10.1.1.36) 56(84) bytes of data.
> >>>> 64 bytes from 10.1.1.36: icmp_seq=1 ttl=64 time=1.32 ms
> >>>> 64 bytes from 10.1.1.36: icmp_seq=2 ttl=64 time=0.156 ms
> >>>> 64 bytes from 10.1.1.36: icmp_seq=3 ttl=64 time=0.134 ms
> >>>>
> >>>> --- 10.1.1.36 ping statistics ---
> >>>> 3 packets transmitted, 3 received, 0% packet loss, time 2000ms
> >>>> rtt min/avg/max/mdev = 0.134/0.538/1.326/0.557 ms
> >>>> [root@CentOS5-5 ~]# ifconfig
> >>>> eth0 Link encap:Ethernet HWaddr 02:00:2D:C8:00:01
> >>>> inet addr:10.1.1.5 Bcast:10.1.1.255 Mask:255.255.255.0
> >>>> inet6 addr: fe80::2dff:fec8:1/64 Scope:Link
> >>>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> >>>> RX packets:16846 errors:0 dropped:0 overruns:0 frame:0
> >>>> TX packets:18252 errors:0 dropped:0 overruns:0 carrier:0
> >>>> collisions:0 txqueuelen:1000
> >>>> RX bytes:1716037 (1.6 MiB) TX bytes:7661658 (7.3 MiB)
> >>>>
> >>>> lo Link encap:Local Loopback
> >>>> inet addr:127.0.0.1 Mask:255.0.0.0
> >>>> inet6 addr: ::1/128 Scope:Host
> >>>> UP LOOPBACK RUNNING MTU:16436 Metric:1
> >>>> RX packets:56 errors:0 dropped:0 overruns:0 frame:0
> >>>> TX packets:56 errors:0 dropped:0 overruns:0 carrier:0
> >>>> collisions:0 txqueuelen:0
> >>>> RX bytes:9116 (8.9 KiB) TX bytes:9116 (8.9 KiB)
> >>>>
> >>>>
> >>>>
> >>>> [root@CentOS5-5 ~]# ping www.google.com
> >>>> PING www.google.com (173.194.64.104) 56(84) bytes of data.
> >>>> ^C
> >>>> --- www.google.com ping statistics ---
> >>>> 6 packets transmitted, 0 received, 100% packet loss, time 5000ms
> >>>>
> >>>>
> >>>>
> >>>> Any problems?
> >>>>
> >>>> Thank you so much.
> >>>>
> >>>>
> >>>>
> >>>> On Wed, May 22, 2013 at 4:14 PM, Jayapal Reddy Uradi <
> >>>> [email protected]> wrote:
> >>>>
> >>>>> By looking at the iptables rules, there is no egress rules feature in
> >>>>> your deployment.
> >>>>> In your case the issue seems to be different.
> >>>>>
> >>>>> Please do the below troubleshooting.
> >>>>> Ping from the guest VM to the public subnet/Google and try to capture the
> >>>>> packets on the router guest interface and public interface.
> >>>>> Check whether the packets are reaching the public interface of the VR or
> >>>>> not.
> >>>>>
> >>>>> Also send iptables -L -nv output.
> >>>>>
> >>>>> Thanks,
> >>>>> Jayapal
> >>>>>
> >>>>> On 22-May-2013, at 1:18 PM, wq meng <[email protected]>
> >>>>> wrote:
> >>>>>
> >>>>>> Hello Jayapal
> >>>>>>
> >>>>>> I know very little about the API yet.
> >>>>>>
> >>>>>> I logged in to the VRouter VM; can I change the rules to get it to work?
> >>>>>>
> >>>>>> On
> >>>>>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Egress+firewall+rules+for+guest+network
> >>>>>>
> >>>>>> it mentions some chains, but I cannot find them inside my VRouter VM.
> >>>>>>
> >>>>>> ====================
> >>>>>>
> >>>>>> The firewallRule_egress.sh script gets called on the virtual router.
> >>>>>>
> >>>>>> The egress rules are added in the filter table, FW_EGRESS_RULES chain.
> >>>>>>
> >>>>>> All the traffic from eth0 to eth2 (public interface) will be sent to the
> >>>>>> FW_OUTBOUND chain.
> >>>>>>
> >>>>>> iptables rules:
> >>>>>>
> >>>>>> Default rules:
> >>>>>>
> >>>>>> ipassoc.sh adds a rule to ACCEPT traffic from eth0 to the public
> >>>>>> interface.
> >>>>>>
> >>>>>> Modified the rule to send egress traffic to the FW_OUTBOUND chain.
> >>>>>>
> >>>>>> iptables -A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
> >>>>>>
> >>>>>> Rules added while configuring:
> >>>>>>
> >>>>>> Ex: Egress rule to block the port 22 (ssh) traffic from 10.1.1.31/32
> >>>>>>
> >>>>>> iptables -A FW_OUTBOUND -j EGRESS_FWRULES
> >>>>>>
> >>>>>> iptables -A EGRESS_FWRULES -s 10.1.1.31/32 -p tcp --dport 22:22 -j ACCEPT
> >>>>>> ======================
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> Here is how the current iptables shows.
> >>>>>>
> >>>>>>
> >>>>>> --------------------------------------------------------------------------------
> >>>>>> root@r-4-VM:~# iptables -L
> >>>>>> Chain INPUT (policy DROP)
> >>>>>> target prot opt source destination
> >>>>>> NETWORK_STATS all -- anywhere anywhere
> >>>>>> ACCEPT all -- anywhere vrrp.mcast.net
> >>>>>> ACCEPT all -- anywhere 225.0.0.50
> >>>>>> ACCEPT all -- anywhere anywhere state
> >>>>>> RELATED,ESTABLISHED
> >>>>>> ACCEPT all -- anywhere anywhere state
> >>>>>> RELATED,ESTABLISHED
> >>>>>> ACCEPT all -- anywhere anywhere state
> >>>>>> RELATED,ESTABLISHED
> >>>>>> ACCEPT icmp -- anywhere anywhere
> >>>>>> ACCEPT all -- anywhere anywhere
> >>>>>> ACCEPT udp -- anywhere anywhere udp
> >>>>> dpt:bootps
> >>>>>> ACCEPT udp -- anywhere anywhere udp
> >>>>> dpt:domain
> >>>>>> ACCEPT tcp -- anywhere anywhere state
> NEW
> >>>>> tcp
> >>>>>> dpt:3922
> >>>>>> ACCEPT tcp -- anywhere anywhere state
> NEW
> >>>>> tcp
> >>>>>> dpt:http-alt
> >>>>>> ACCEPT tcp -- anywhere anywhere state
> NEW
> >>>>> tcp
> >>>>>> dpt:www
> >>>>>>
> >>>>>> Chain FORWARD (policy DROP)
> >>>>>> target prot opt source destination
> >>>>>> NETWORK_STATS all -- anywhere anywhere
> >>>>>> ACCEPT all -- anywhere anywhere state
> >>>>>> RELATED,ESTABLISHED
> >>>>>> ACCEPT all -- anywhere anywhere
> >>>>>> ACCEPT all -- anywhere anywhere state
> >>>>>> RELATED,ESTABLISHED
> >>>>>> ACCEPT all -- anywhere anywhere state
> NEW
> >>>>>> ACCEPT all -- anywhere anywhere state
> >>>>>> RELATED,ESTABLISHED
> >>>>>> ACCEPT all -- anywhere anywhere state
> >>>>>> RELATED,ESTABLISHED
> >>>>>> ACCEPT all -- anywhere anywhere
> >>>>>> ACCEPT all -- anywhere anywhere state
> >>>>>> RELATED,ESTABLISHED
> >>>>>> ACCEPT all -- anywhere anywhere
> >>>>>> ACCEPT all -- anywhere anywhere state
> >>>>>> RELATED,ESTABLISHED
> >>>>>> ACCEPT all -- anywhere anywhere
> >>>>>> ACCEPT all -- anywhere anywhere state
> >>>>>> RELATED,ESTABLISHED
> >>>>>> ACCEPT all -- anywhere anywhere
> >>>>>> ACCEPT all -- anywhere anywhere state
> >>>>>> RELATED,ESTABLISHED
> >>>>>> ACCEPT all -- anywhere anywhere
> >>>>>>
> >>>>>> Chain OUTPUT (policy ACCEPT)
> >>>>>> target prot opt source destination
> >>>>>> NETWORK_STATS all -- anywhere anywhere
> >>>>>>
> >>>>>> Chain NETWORK_STATS (3 references)
> >>>>>> target prot opt source destination
> >>>>>> all -- anywhere anywhere
> >>>>>> all -- anywhere anywhere
> >>>>>> tcp -- anywhere anywhere
> >>>>>> tcp -- anywhere anywhere
> >>>>>> all -- anywhere anywhere
> >>>>>> all -- anywhere anywhere
> >>>>>> tcp -- anywhere anywhere
> >>>>>> tcp -- anywhere anywhere
> >>>>>> all -- anywhere anywhere
> >>>>>> all -- anywhere anywhere
> >>>>>> tcp -- anywhere anywhere
> >>>>>> tcp -- anywhere anywhere
> >>>>>> all -- anywhere anywhere
> >>>>>> all -- anywhere anywhere
> >>>>>> tcp -- anywhere anywhere
> >>>>>> tcp -- anywhere anywhere
> >>>>>> all -- anywhere anywhere
> >>>>>> all -- anywhere anywhere
> >>>>>> tcp -- anywhere anywhere
> >>>>>> tcp -- anywhere anywhere
> >>>>>> all -- anywhere anywhere
> >>>>>> all -- anywhere anywhere
> >>>>>> tcp -- anywhere anywhere
> >>>>>> tcp -- anywhere anywhere
> >>>>>>
> >>>>>>
> >>>>>> And has the link been fixed in Git?
> >>>>>>
> >>>>>> Thank you so much.
> >>>>>>
> >>>>>>
> >>>>>> On Wed, May 22, 2013 at 2:55 PM, Jayapal Reddy Uradi <
> >>>>>> [email protected]> wrote:
> >>>>>>
> >>>>>>>
> >>>>>>> I think the UI link is missing, but it was fixed after that.
> >>>>>>> Try to add rules using the API 'createEgressFirewallRule'
> >>>>>>>
> >>>>>>> Thanks,
> >>>>>>> Jayapal
> >>>>>>>
> >>>>>>> On 22-May-2013, at 12:05 PM, wq meng <[email protected]>
> >>>>>>> wrote:
> >>>>>>>
> >>>>>>>> Hello Jayapal,
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> https://cwiki.apache.org/CLOUDSTACK/egress-firewall-rules-for-guest-network.html
> >>>>>>>>
> >>>>>>>> I have checked Network -> Guest Network (Name) ->
> >>>>>>>>
> >>>>>>>> I cannot find any Egress firewall rule tab.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Have I missed something?
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Thank you very much.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On Wed, May 22, 2013 at 1:23 PM, Jayapal Reddy Uradi <
> >>>>>>>> [email protected]> wrote:
> >>>>>>>>
> >>>>>>>>> Hi,
> >>>>>>>>>
> >>>>>>>>> Did you configure the egress firewall rules on the guest network?
> >>>>>>>>> You need to add egress rules to allow guest traffic.
> >>>>>>>>>
> >>>>>>>>> If it does not work after adding the egress rule, please send the router
> >>>>>>>>> iptables rules.
> >>>>>>>>>
> >>>>>>>>> Thanks,
> >>>>>>>>> Jayapal
> >>>>>>>>>
> >>>>>>>>> On 22-May-2013, at 4:10 AM, wq meng <[email protected]> wrote:
> >>>>>>>>>
> >>>>>>>>>> Hello
> >>>>>>>>>>
> >>>>>>>>>> Has anyone faced this problem? CS4.02, KVM, Advanced Network: the VM
> >>>>>>>>>> instance cannot access public IPs. NAT (Source).
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> The VM instance is running, but inside the VM instance it is not
> >>>>>>>>>> possible to access the outside.
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> The VMs can ping each other, and it can ping google.com in the Virtual
> >>>>>>>>>> Router VM.
> >>>>>>>>>>
> >>>>>>>>>> But it just cannot ping Google.com inside the VM instance.
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> It seems that inside the VM instance it can resolve Google.com's IP
> >>>>>>>>>> address, BUT cannot do anything else.
> >>>>>>>>>>
> >>>>>>>>>> Please see the following output.
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> ------------------------
> >>>>>>>>>> [root@CentOS5-5 ~]# wget www.google.com
> >>>>>>>>>> --2013-05-21 08:30:39-- http://www.google.com/
> >>>>>>>>>> Resolving www.google.com... 173.194.64.104, 173.194.64.99,
> >>>>>>>>> 173.194.64.105,
> >>>>>>>>>> ...
> >>>>>>>>>> Connecting to www.google.com|173.194.64.104|:80...
> >>>>>>>>>> [root@CentOS5-5 ~]# ls
> >>>>>>>>>>
> >>>>>>>>>> -------------------------
> >>>>>>>>>> [root@CentOS5-5 ~]# iptables -L
> >>>>>>>>>> Chain INPUT (policy ACCEPT)
> >>>>>>>>>> target prot opt source destination
> >>>>>>>>>> RH-Firewall-1-INPUT all -- anywhere anywhere
> >>>>>>>>>>
> >>>>>>>>>> Chain FORWARD (policy ACCEPT)
> >>>>>>>>>> target prot opt source destination
> >>>>>>>>>> RH-Firewall-1-INPUT all -- anywhere anywhere
> >>>>>>>>>>
> >>>>>>>>>> Chain OUTPUT (policy ACCEPT)
> >>>>>>>>>> target prot opt source destination
> >>>>>>>>>>
> >>>>>>>>>> Chain RH-Firewall-1-INPUT (2 references)
> >>>>>>>>>> target prot opt source destination
> >>>>>>>>>> ACCEPT all -- anywhere anywhere
> >>>>>>>>>> ACCEPT icmp -- anywhere anywhere
> icmp
> >> any
> >>>>>>>>>> ACCEPT esp -- anywhere anywhere
> >>>>>>>>>> ACCEPT ah -- anywhere anywhere
> >>>>>>>>>> ACCEPT udp -- anywhere 224.0.0.251 udp
> >>>>>>> dpt:mdns
> >>>>>>>>>> ACCEPT udp -- anywhere anywhere udp
> >>>>>>> dpt:ipp
> >>>>>>>>>> ACCEPT tcp -- anywhere anywhere tcp
> >>>>>>> dpt:ipp
> >>>>>>>>>> ACCEPT all -- anywhere anywhere
> state
> >>>>>>>>>> RELATED,ESTABLISHED
> >>>>>>>>>> ACCEPT tcp -- anywhere anywhere
> state
> >>>>> NEW
> >>>>>>>>> tcp
> >>>>>>>>>> dpt:ssh
> >>>>>>>>>> REJECT all -- anywhere anywhere
> >>>>>>> reject-with
> >>>>>>>>>> icmp-host-prohibited
> >>>>>>>>>> [root@CentOS5-5 ~]# ping 8.8.8.8
> >>>>>>>>>> PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
> >>>>>>>>>>
> >>>>>>>>>> --- 8.8.8.8 ping statistics ---
> >>>>>>>>>> 3 packets transmitted, 0 received, 100% packet loss, time 2000ms
> >>>>>>>>>>
> >>>>>>>>>> --------------------------
> >>>>>>>>>> [root@CentOS5-5 ~]# ifconfig
> >>>>>>>>>> eth0 Link encap:Ethernet HWaddr 02:00:2D:C8:00:01
> >>>>>>>>>> inet addr:10.1.1.5 Bcast:10.1.1.255 Mask:255.255.255.0
> >>>>>>>>>> inet6 addr: fe80::2dff:fec8:1/64 Scope:Link
> >>>>>>>>>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> >>>>>>>>>> RX packets:2442 errors:0 dropped:0 overruns:0 frame:0
> >>>>>>>>>> TX packets:2261 errors:0 dropped:0 overruns:0 carrier:0
> >>>>>>>>>> collisions:0 txqueuelen:1000
> >>>>>>>>>> RX bytes:174960 (170.8 KiB) TX bytes:154159 (150.5 KiB)
> >>>>>>>>>>
> >>>>>>>>>> lo Link encap:Local Loopback
> >>>>>>>>>> inet addr:127.0.0.1 Mask:255.0.0.0
> >>>>>>>>>> inet6 addr: ::1/128 Scope:Host
> >>>>>>>>>> UP LOOPBACK RUNNING MTU:16436 Metric:1
> >>>>>>>>>> RX packets:32 errors:0 dropped:0 overruns:0 frame:0
> >>>>>>>>>> TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
> >>>>>>>>>> collisions:0 txqueuelen:0
> >>>>>>>>>> RX bytes:3913 (3.8 KiB) TX bytes:3913 (3.8 KiB)
> >>>>>>>>>>
> >>>>>>>>>> ----------------------------
> >>>>>>>>>>
> >>>>>>>>>> [root@CentOS5-5 ~]# tracert www.google.com
> >>>>>>>>>> traceroute to www.google.com (173.194.64.106), 30 hops max, 40
> >> byte
> >>>>>>>>> packets
> >>>>>>>>>> 1 r-4-VM.cs2cloud.internal (10.1.1.1) 0.158 ms 0.136 ms
> 0.134
> >> ms
> >>>>>>>>>> 2 * * *
> >>>>>>>>>> 3 * * *
> >>>>>>>>>> 4 * * *
> >>>>>>>>>> 5 * * *
> >>>>>>>>>> 6 * * *
> >>>>>>>>>> 7 * * *
> >>>>>>>>>> 8 * * *
> >>>>>>>>>> 9 * * *
> >>>>>>>>>> 10 * * *
> >>>>>>>>>> 11 * * *
> >>>>>>>>>> 12 * * *
> >>>>>>>>>> 13 * * *
> >>>>>>>>>> 14 * * *
> >>>>>>>>>> 15 * * *
> >>>>>>>>>> 16 * * *
> >>>>>>>>>> 17 * * *
> >>>>>>>>>> 18 * * *
> >>>>>>>>>> 19 * * *
> >>>>>>>>>> 20 * * *
> >>>>>>>>>> 21 * * *
> >>>>>>>>>> 22 * * *
> >>>>>>>>>> 23 * * *
> >>>>>>>>>> 24 * * *
> >>>>>>>>>> 25 * * *
> >>>>>>>>>> 26 * * *
> >>>>>>>>>> 27 * * *
> >>>>>>>>>> 28 * * *
> >>>>>>>>>> 29 * * *
> >>>>>>>>>> 30 * * *
> >>>>>>>>>>
> >>>>>>>>>> ----------------
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> Any thoughts?
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> Thank you very much.
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>
> >>>>>
> >>>
> >>
> >>
>
>
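The check Jayapal asks for (is there a FORWARD rule accepting guest traffic to the public interface, and is anything hitting it?) can be done from the `iptables -L -nv` output alone. The parser below is an added example, not code from the thread or from CloudStack; it assumes eth0 is the guest and eth2 the public interface, as in the router output above, and the sample output is constructed from the FORWARD chain posted in the thread.

```python
"""Parse `iptables -L -nv` from a CloudStack virtual router and check whether the
filter table lets guest traffic out through the public interface.
Added example for this thread, not code from CloudStack or from the posters.
Assumes eth0 = guest and eth2 = public, as in the router output posted above."""
import re
from collections import namedtuple

# Constructed sample modelled on the FORWARD chain posted in the thread (columns
# unwrapped; the 4746-packet eth0->eth2 ACCEPT is the row that matters).
SAMPLE_OUTPUT = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 8735 1159K NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 4746  775K ACCEPT     all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
 3657  364K ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  332 19920 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.5             tcp dpt:22 state NEW /* 198.105.191.245:22:22 */

Chain NETWORK_STATS (3 references)
 pkts bytes target     prot opt in     out     source               destination
 4746  775K            all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+))?")
PROTOS = {"all", "tcp", "udp", "icmp", "esp", "ah", "sctp", "udplite"}
SUFFIX = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
# target is "" for counter-only rules (NETWORK_STATS); extra holds the match
# text after the destination column, e.g. "state RELATED,ESTABLISHED".
Rule = namedtuple("Rule", "chain pkts target proto in_if out_if src dst extra")


def parse_counter(tok):
    """Turn an iptables counter such as '775K' into an int."""
    return int(tok[:-1]) * SUFFIX[tok[-1]] if tok[-1] in SUFFIX else int(tok)


def parse_iptables_lnv(text):
    """Return ({chain: policy or None}, [Rule, ...]) from `iptables -L -nv` output."""
    chains, rules, chain = {}, [], None
    for line in (ln.strip() for ln in text.splitlines()):
        m = CHAIN_RE.match(line)
        if m:                                   # "Chain FORWARD (policy DROP ...)"
            chain = m.group(1)
            chains[chain] = m.group(2)          # None for user-defined chains
        elif line and chain and not line.startswith("pkts bytes"):
            tok = line.split()
            pkts, tok = parse_counter(tok[0]), tok[2:]   # skip the bytes column
            target = "" if tok[0] in PROTOS or tok[0].isdigit() else tok.pop(0)
            proto, _opt, in_if, out_if, src, dst = tok[:6]
            rules.append(Rule(chain, pkts, target, proto, in_if, out_if, src, dst,
                              " ".join(tok[6:])))
    return chains, rules


def check_guest_to_public(chains, rules, guest_if="eth0", public_if="eth2"):
    """Does FORWARD pass new guest->public flows, and is anything hitting that rule?"""
    fwd = [r for r in rules if r.chain == "FORWARD"]
    out = [r for r in fwd if r.in_if == guest_if and r.out_if == public_if]
    # A state-less ACCEPT is the rule Jayapal asked for; one limited to
    # RELATED,ESTABLISHED only passes replies and never opens a new flow.
    allow_new = [r for r in out if r.target == "ACCEPT" and "RELATED,ESTABLISHED" not in r.extra]
    reply = [r for r in fwd if r.target == "ACCEPT" and r.in_if == public_if
             and r.out_if == guest_if and "RELATED,ESTABLISHED" in r.extra]
    return {
        "forward_policy": chains.get("FORWARD"),
        "accept_rules": len(allow_new),            # 2 or more: a duplicate was appended
        "accept_pkts": sum(r.pkts for r in allow_new),
        "reply_rule": bool(reply),
        # With the egress feature the eth0->eth2 rule jumps to FW_OUTBOUND instead.
        "egress_chain_wired": any(r.target.startswith(("FW_", "EGRESS")) for r in out),
    }


def diagnose(f):
    """Map the findings onto the next step suggested in the thread."""
    if f["egress_chain_wired"]:
        return "egress-feature"         # traffic goes through the egress chains
    if f["accept_rules"] == 0 and f["forward_policy"] == "DROP":
        return "add-forward-accept"     # the FORWARD -i guest -o public -j ACCEPT rule is missing
    if f["accept_pkts"] > 0:
        return "filter-passes-traffic"  # filter is not the blocker; capture packets next
    return "accept-present-no-hits"     # rule exists but nothing reaches it from the guest
```

On the sample above the verdict is "filter-passes-traffic": the eth0 to eth2 ACCEPT already exists and has counted 4746 packets, so appending the same rule again changes nothing and the packet capture Jayapal suggested is the next step.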