It looks like you have defined 3 public VLANs all with the same range?

On 5/22/13 2:20 PM, "wq meng" <[email protected]> wrote:

>Hello jayapal,
>
>I have reloaded and reinstalled CS4.02 and still have the problem.
>
>Please see the router VM, why so many ethX?
>
>eth0 is for guest, eth1 is link-local, eth2 should be the public?
>
>I have tried
>
>iptables -A FORWARD -i eth0 -o eth2 -j ACCEPT
>
>Still no luck.
>
>Any problem with my install? I use one box for the management server and
>also the KVM host.
>
>Thank you very much.
>
>
>root@r-4-VM:~# route -n
>Kernel IP routing table
>Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>198.105.191.0   0.0.0.0         255.255.255.0   U     0      0        0 eth2
>198.105.191.0   0.0.0.0         255.255.255.0   U     0      0        0 eth3
>198.105.191.0   0.0.0.0         255.255.255.0   U     0      0        0 eth4
>10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
>169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
>0.0.0.0         198.105.191.1   0.0.0.0         UG    0      0        0 eth2
>
>root@r-4-VM:~# ifconfig
>eth0      Link encap:Ethernet  HWaddr 02:00:5b:79:00:02
>          inet addr:10.1.1.1  Bcast:10.1.1.255  Mask:255.255.255.0
>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>          RX packets:386 errors:0 dropped:0 overruns:0 frame:0
>          TX packets:29 errors:0 dropped:0 overruns:0 carrier:0
>          collisions:0 txqueuelen:1000
>          RX bytes:38794 (37.8 KiB)  TX bytes:2754 (2.6 KiB)
>
>eth1      Link encap:Ethernet  HWaddr 0e:00:a9:fe:02:e9
>          inet addr:169.254.2.233  Bcast:169.254.255.255  Mask:255.255.0.0
>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>          RX packets:2327 errors:0 dropped:0 overruns:0 frame:0
>          TX packets:2051 errors:0 dropped:0 overruns:0 carrier:0
>          collisions:0 txqueuelen:1000
>          RX bytes:390750 (381.5 KiB)  TX bytes:383291 (374.3 KiB)
>
>eth2      Link encap:Ethernet  HWaddr 06:eb:d8:00:00:2b
>          inet addr:198.105.191.25  Bcast:198.105.191.255  Mask:255.255.255.0
>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>          RX packets:3368 errors:0 dropped:0 overruns:0 frame:0
>          TX packets:331 errors:0 dropped:0 overruns:0 carrier:0
>          collisions:0 txqueuelen:1000
>          RX bytes:198359 (193.7 KiB)  TX bytes:31594 (30.8 KiB)
>
>eth3      Link encap:Ethernet  HWaddr 06:80:0e:00:00:2b
>          inet addr:198.105.191.25  Bcast:0.0.0.0  Mask:255.255.255.0
>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>          RX packets:3260 errors:0 dropped:0 overruns:0 frame:0
>          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
>          collisions:0 txqueuelen:1000
>          RX bytes:179843 (175.6 KiB)  TX bytes:84 (84.0 B)
>
>eth4      Link encap:Ethernet  HWaddr 06:b8:9a:00:00:2b
>          inet addr:198.105.191.25  Bcast:0.0.0.0  Mask:255.255.255.0
>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>          RX packets:3255 errors:0 dropped:0 overruns:0 frame:0
>          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
>          collisions:0 txqueuelen:1000
>          RX bytes:179567 (175.3 KiB)  TX bytes:84 (84.0 B)
>
>lo        Link encap:Local Loopback
>          inet addr:127.0.0.1  Mask:255.0.0.0
>          UP LOOPBACK RUNNING  MTU:16436  Metric:1
>          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
>          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
>          collisions:0 txqueuelen:0
>          RX bytes:414 (414.0 B)  TX bytes:414 (414.0 B)
>
>root@r-4-VM:~# iptables -L
>Chain INPUT (policy DROP)
>target     prot opt source               destination
>NETWORK_STATS  all  --  anywhere             anywhere
>ACCEPT     all  --  anywhere             vrrp.mcast.net
>ACCEPT     all  --  anywhere             225.0.0.50
>ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>ACCEPT     icmp --  anywhere             anywhere
>ACCEPT     all  --  anywhere             anywhere
>ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
>ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
>ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:3922
>ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http-alt
>ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:www
>
>Chain FORWARD (policy DROP)
>target     prot opt source               destination
>NETWORK_STATS  all  --  anywhere             anywhere
>ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>ACCEPT     all  --  anywhere             anywhere
>ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>ACCEPT     all  --  anywhere             anywhere             state NEW
>ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>ACCEPT     all  --  anywhere             anywhere
>ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>ACCEPT     all  --  anywhere             anywhere
>ACCEPT     all  --  anywhere             anywhere
>ACCEPT     all  --  anywhere             anywhere
>ACCEPT     all  --  anywhere             anywhere
>ACCEPT     all  --  anywhere             anywhere
>
>Chain OUTPUT (policy ACCEPT)
>target     prot opt source               destination
>NETWORK_STATS  all  --  anywhere             anywhere
>
>Chain NETWORK_STATS (3 references)
>target     prot opt source               destination
>           all  --  anywhere             anywhere
>           all  --  anywhere             anywhere
>           tcp  --  anywhere             anywhere
>           tcp  --  anywhere             anywhere
>           all  --  anywhere             anywhere
>           all  --  anywhere             anywhere
>           tcp  --  anywhere             anywhere
>           tcp  --  anywhere             anywhere
>           all  --  anywhere             anywhere
>           all  --  anywhere             anywhere
>           tcp  --  anywhere             anywhere
>           tcp  --  anywhere             anywhere
>
>
>On Wed, May 22, 2013 at 6:41 PM, Jayapal Reddy Uradi <
>[email protected]> wrote:
>
>> In your CS version the egress rules feature is not present.
>> That's the reason CS says Unknown API.
>> I checked your iptables rules also; the egress rules' default block rules are
>> not present.
>> You can ignore the egress firewall rules.
>>
>> Check in your router whether there is a rule to accept guest traffic to
>> public.
>> If not, add the below iptables rule on the router. This rule allows guest
>> traffic to the public network.
>>
>> iptables -A FORWARD -i <guest interface name> -o <public interface name>
>> -j ACCEPT
>>
>>
>> Thanks,
>> jayapal
>> On 22-May-2013, at 4:03 PM, wq meng <[email protected]>
>> wrote:
>>
>> > Hello Jayapal
>> >
>> > If CS4.02 by default blocks the VM from accessing the public side, and on the
>> > UI there is no link to change it. As you saw, the API has no API
>> > names to change it either.
>> >
>> >
>> > How to fix the problem?
>> >
>> >
>> > I will reload the OS and re-setup CS4.02 again to check if it will
>> > fix it.
>> >
>> >
>> > Thank you so much.
>> >
>> >
>> > On Wed, May 22, 2013 at 6:23 PM, Jayapal Reddy Uradi <
>> > [email protected]> wrote:
>> >
>> >> From the VM, if you are not able to ping the public side then it is your setup
>> >> issue.
>> >> It can be debugged by capturing packets on the router guest interface and
>> >> public interface to see whether the packets are reaching the router or not.
>> >>
>> >> Thanks,
>> >> Jayapal
>> >>
>> >> On 22-May-2013, at 3:49 PM, Jayapal Reddy Uradi <
>> >> [email protected]>
>> >> wrote:
>> >>
>> >>>
>> >>> You need to ping the router VM public IP from the public network/subnet?
>> >>> - You need to add an icmp firewall rule on the public IP to enable ping
>> >>> requests on the public IP
>> >>>
>> >>> Thanks,
>> >>> Jayapal
>> >>>
>> >>>
>> >>> On 22-May-2013, at 3:45 PM, wq meng <[email protected]>
>> >>> wrote:
>> >>>
>> >>>> Hello Jayapal
>> >>>>
>> >>>> There is no problem to ping Google from the Router VM. The only problem is
>> >>>> that I can not ping the Router VM public IP from outside.
>> >>>>
>> >>>> root@r-4-VM:~# ping www.google.com
>> >>>> PING www.google.com (173.194.64.147): 56 data bytes
>> >>>> 64 bytes from 173.194.64.147: icmp_seq=0 ttl=48 time=53.194 ms
>> >>>> 64 bytes from 173.194.64.147: icmp_seq=1 ttl=48 time=53.190 ms
>> >>>> 64 bytes from 173.194.64.147: icmp_seq=2 ttl=48 time=53.286 ms
>> >>>> 64 bytes from 173.194.64.147: icmp_seq=3 ttl=48 time=53.207 ms
>> >>>> ^C--- www.google.com ping statistics ---
>> >>>> 4 packets transmitted, 4 packets received, 0% packet loss
>> >>>> round-trip min/avg/max/stddev = 53.190/53.219/53.286/0.039 ms
>> >>>>
>> >>>> root@r-4-VM:~# iptables -L -nv
>> >>>> Chain INPUT (policy DROP 583 packets, 18656 bytes)
>> >>>>  pkts bytes target     prot opt in     out     source               destination
>> >>>>  7009 1074K NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>> >>>>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            224.0.0.18
>> >>>>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            225.0.0.50
>> >>>>     0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>> >>>>  5619 1007K ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>> >>>>    24  2906 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>> >>>>    57  4825 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
>> >>>>     5   293 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
>> >>>>     0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
>> >>>>   349 24753 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
>> >>>>   318 19080 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:3922
>> >>>>     0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8080
>> >>>>     0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
>> >>>>
>> >>>> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>> >>>>  pkts bytes target     prot opt in     out     source               destination
>> >>>>  8735 1159K NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>> >>>>     0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>> >>>>  4746  775K ACCEPT     all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
>> >>>>  3657  364K ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>> >>>>     0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state NEW
>> >>>>     0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>> >>>>     0     0 ACCEPT     all  --  eth3   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>> >>>>     0     0 ACCEPT     all  --  eth0   eth3    0.0.0.0/0            0.0.0.0/0
>> >>>>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.5             state RELATED,ESTABLISHED /* 198.105.191.245:22:22 */
>> >>>>   332 19920 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.5             tcp dpt:22 state NEW /* 198.105.191.245:22:22 */
>> >>>>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.5             state RELATED,ESTABLISHED /* 198.105.191.245:80:80 */
>> >>>>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.5             tcp dpt:80 state NEW /* 198.105.191.245:80:80 */
>> >>>>     0     0 ACCEPT     all  --  eth4   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>> >>>>     0     0 ACCEPT     all  --  eth0   eth4    0.0.0.0/0            0.0.0.0/0
>> >>>>     0     0 ACCEPT     all  --  eth5   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>> >>>>     0     0 ACCEPT     all  --  eth0   eth5    0.0.0.0/0            0.0.0.0/0
>> >>>>     0     0 ACCEPT     all  --  eth6   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>> >>>>     0     0 ACCEPT     all  --  eth0   eth6    0.0.0.0/0            0.0.0.0/0
>> >>>>     0     0 ACCEPT     all  --  eth7   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>> >>>>     0     0 ACCEPT     all  --  eth0   eth7    0.0.0.0/0            0.0.0.0/0
>> >>>>
>> >>>> Chain OUTPUT (policy ACCEPT 704 packets, 122K bytes)
>> >>>>  pkts bytes target     prot opt in     out     source               destination
>> >>>>  6195 1039K NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>> >>>>
>> >>>> Chain NETWORK_STATS (3 references)
>> >>>>  pkts bytes target     prot opt in     out     source               destination
>> >>>>  4746  775K            all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
>> >>>>  3989  384K            all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0
>> >>>>     0     0            tcp  --  !eth0  eth2    0.0.0.0/0            0.0.0.0/0
>> >>>>     2   100            tcp  --  eth2   !eth0   0.0.0.0/0            0.0.0.0/0
>> >>>>     0     0            all  --  eth0   eth3    0.0.0.0/0            0.0.0.0/0
>> >>>>     0     0            all  --  eth3   eth0    0.0.0.0/0            0.0.0.0/0
>> >>>>     0     0            tcp  --  !eth0  eth3    0.0.0.0/0            0.0.0.0/0
>> >>>>     0     0            tcp  --  eth3   !eth0   0.0.0.0/0            0.0.0.0/0
>> >>>>     0     0            all  --  eth0   eth4    0.0.0.0/0            0.0.0.0/0
>> >>>>     0     0            all  --  eth4   eth0    0.0.0.0/0            0.0.0.0/0
>> >>>>     0     0            tcp  --  !eth0  eth4    0.0.0.0/0            0.0.0.0/0
>> >>>>     0     0            tcp  --  eth4   !eth0   0.0.0.0/0            0.0.0.0/0
>> >>>>     0     0            all  --  eth0   eth5    0.0.0.0/0            0.0.0.0/0
>> >>>>     0     0            all  --  eth5   eth0    0.0.0.0/0            0.0.0.0/0
>> >>>>     0     0            tcp  --  !eth0  eth5    0.0.0.0/0            0.0.0.0/0
>> >>>>     0     0            tcp  --  eth5   !eth0   0.0.0.0/0            0.0.0.0/0
>> >>>>     0     0            all  --  eth0   eth6    0.0.0.0/0            0.0.0.0/0
>> >>>>     0     0            all  --  eth6   eth0    0.0.0.0/0            0.0.0.0/0
>> >>>>     0     0            tcp  --  !eth0  eth6    0.0.0.0/0            0.0.0.0/0
>> >>>>     0     0            tcp  --  eth6   !eth0   0.0.0.0/0            0.0.0.0/0
>> >>>>     0     0            all  --  eth0   eth7    0.0.0.0/0            0.0.0.0/0
>> >>>>     0     0            all  --  eth7   eth0    0.0.0.0/0            0.0.0.0/0
>> >>>>     0     0            tcp  --  !eth0  eth7    0.0.0.0/0            0.0.0.0/0
>> >>>>     0     0            tcp  --  eth7   !eth0   0.0.0.0/0            0.0.0.0/0
>> >>>> root@r-4-VM:~#
>> >>>>
>> >>>>
>> >>>> ------------------------------------------------------------------------------------
>> >>>> Below is from the Guest VM instance.
>> >>>>
>> >>>> Not sure how to capture the packets.
>> >>>>
>> >>>> But I did a tracepath www.google.com inside the guest VM.
>> >>>>
>> >>>> From the output,
>> >>>>
>> >>>> [root@CentOS5-5 ~]# tracepath www.google.com
>> >>>>  1:  r-4-VM.cs2cloud.internal (10.1.1.1)                    0.149ms
>> >>>>  2:  no reply
>> >>>>  3:  no reply
>> >>>>  4:  no reply
>> >>>>
>> >>>> [root@CentOS5-5 ~]# iptables -L -nv
>> >>>> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>> >>>>  pkts bytes target     prot opt in     out     source               destination
>> >>>> 15198 1412K RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>> >>>>
>> >>>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>> >>>>  pkts bytes target     prot opt in     out     source               destination
>> >>>>     0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>> >>>>
>> >>>> Chain OUTPUT (policy ACCEPT 17238 packets, 7377K bytes)
>> >>>>  pkts bytes target     prot opt in     out     source               destination
>> >>>>
>> >>>> Chain RH-Firewall-1-INPUT (2 references)
>> >>>>  pkts bytes target     prot opt in     out     source               destination
>> >>>>    56  9116 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
>> >>>>    22  3360 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 255
>> >>>>     0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
>> >>>>     0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
>> >>>>    13  2124 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353
>> >>>>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:631
>> >>>>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:631
>> >>>> 13536 1320K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>> >>>>   931 55796 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
>> >>>>   640 21690 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
>> >>>>
>> >>>>
>> >>>> Inside the VM, I can ping other VMs' guest IPs.
>> >>>>
>> >>>>
>> >>>> [root@CentOS5-5 ~]# ping 10.1.1.36
>> >>>> PING 10.1.1.36 (10.1.1.36) 56(84) bytes of data.
>> >>>> 64 bytes from 10.1.1.36: icmp_seq=1 ttl=64 time=1.32 ms
>> >>>> 64 bytes from 10.1.1.36: icmp_seq=2 ttl=64 time=0.156 ms
>> >>>> 64 bytes from 10.1.1.36: icmp_seq=3 ttl=64 time=0.134 ms
>> >>>>
>> >>>> --- 10.1.1.36 ping statistics ---
>> >>>> 3 packets transmitted, 3 received, 0% packet loss, time 2000ms
>> >>>> rtt min/avg/max/mdev = 0.134/0.538/1.326/0.557 ms
>> >>>> [root@CentOS5-5 ~]# ifconfig
>> >>>> eth0      Link encap:Ethernet  HWaddr 02:00:2D:C8:00:01
>> >>>>           inet addr:10.1.1.5  Bcast:10.1.1.255  Mask:255.255.255.0
>> >>>>           inet6 addr: fe80::2dff:fec8:1/64 Scope:Link
>> >>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>> >>>>           RX packets:16846 errors:0 dropped:0 overruns:0 frame:0
>> >>>>           TX packets:18252 errors:0 dropped:0 overruns:0 carrier:0
>> >>>>           collisions:0 txqueuelen:1000
>> >>>>           RX bytes:1716037 (1.6 MiB)  TX bytes:7661658 (7.3 MiB)
>> >>>>
>> >>>> lo        Link encap:Local Loopback
>> >>>>           inet addr:127.0.0.1  Mask:255.0.0.0
>> >>>>           inet6 addr: ::1/128 Scope:Host
>> >>>>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>> >>>>           RX packets:56 errors:0 dropped:0 overruns:0 frame:0
>> >>>>           TX packets:56 errors:0 dropped:0 overruns:0 carrier:0
>> >>>>           collisions:0 txqueuelen:0
>> >>>>           RX bytes:9116 (8.9 KiB)  TX bytes:9116 (8.9 KiB)
>> >>>>
>> >>>>
>> >>>> [root@CentOS5-5 ~]# ping www.google.com
>> >>>> PING www.google.com (173.194.64.104) 56(84) bytes of data.
>> >>>> ^C
>> >>>> --- www.google.com ping statistics ---
>> >>>> 6 packets transmitted, 0 received, 100% packet loss, time 5000ms
>> >>>>
>> >>>>
>> >>>> Any problems?
>> >>>>
>> >>>> Thank you so much.
>> >>>>
>> >>>>
>> >>>> On Wed, May 22, 2013 at 4:14 PM, Jayapal Reddy Uradi <
>> >>>> [email protected]> wrote:
>> >>>>
>> >>>>> By looking at the iptables rules, there is no egress rules feature in
>> >>>>> your deployment.
>> >>>>> In your case the issue seems to be different.
>> >>>>>
>> >>>>> Please do the below troubleshooting.
>> >>>>> Ping from the guest VM to the public subnet/google and try to capture the
>> >>>>> packets on the router guest interface and public interface.
>> >>>>> Check whether the packets are reaching the public interface of the VR or
>> >>>>> not.
>> >>>>>
>> >>>>> Also send iptables -L -nv output.
>> >>>>>
>> >>>>> Thanks,
>> >>>>> Jayapal
>> >>>>>
>> >>>>> On 22-May-2013, at 1:18 PM, wq meng <[email protected]>
>> >>>>> wrote:
>> >>>>>
>> >>>>>> Hello Jayapal
>> >>>>>>
>> >>>>>> I know very little about the API yet.
>> >>>>>>
>> >>>>>> I logged in to the VRouter VM. Can I change the rules to get it to work?
>> >>>>>>
>> >>>>>> On
>> >>>>>>
>> >>>>>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Egress+firewall+rules+for+guest+network
>> >>>>>>
>> >>>>>> it says some chains, but I can not find them inside my VRouter VM.
>> >>>>>>
>> >>>>>> ====================
>> >>>>>>
>> >>>>>> firewallRule_egress.sh script gets called on the virtual router.
>> >>>>>>
>> >>>>>> The egress rules are added in the filter table, FW_EGRESS_RULES chain.
>> >>>>>>
>> >>>>>> All the traffic from eth0 to eth2 (public interface) will be sent to the
>> >>>>>> FW_OUTBOUND chain.
>> >>>>>>
>> >>>>>> iptables rules:
>> >>>>>>
>> >>>>>> Default rules:
>> >>>>>>
>> >>>>>> ipassoc.sh adds a rule to ACCEPT traffic from eth0 to the public interface.
>> >>>>>>
>> >>>>>> Modified the rule to send egress traffic to the FW_OUTBOUND chain.
>> >>>>>>
>> >>>>>> iptables -A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
>> >>>>>>
>> >>>>>> Rules added while configuring:
>> >>>>>>
>> >>>>>> Ex: Egress rule to block the port 22 (ssh) traffic from 10.1.1.31/32
>> >>>>>>
>> >>>>>> iptables -A FW_OUTBOUND -j EGRESS_FWRULES
>> >>>>>>
>> >>>>>> iptables -A EGRESS_FWRULES -s 10.1.1.31/32 -p tcp --dport 22:22 -j ACCEPT
>> >>>>>> ======================
>> >>>>>>
>> >>>>>>
>> >>>>>> Here is how the current iptables shows.
>> >>>>>>
>> >>>>>> --------------------------------------------------------------------------------
>> >>>>>> root@r-4-VM:~# iptables -L
>> >>>>>> Chain INPUT (policy DROP)
>> >>>>>> target     prot opt source               destination
>> >>>>>> NETWORK_STATS  all  --  anywhere             anywhere
>> >>>>>> ACCEPT     all  --  anywhere             vrrp.mcast.net
>> >>>>>> ACCEPT     all  --  anywhere             225.0.0.50
>> >>>>>> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>> >>>>>> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>> >>>>>> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>> >>>>>> ACCEPT     icmp --  anywhere             anywhere
>> >>>>>> ACCEPT     all  --  anywhere             anywhere
>> >>>>>> ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
>> >>>>>> ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
>> >>>>>> ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:3922
>> >>>>>> ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http-alt
>> >>>>>> ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:www
>> >>>>>>
>> >>>>>> Chain FORWARD (policy DROP)
>> >>>>>> target     prot opt source               destination
>> >>>>>> NETWORK_STATS  all  --  anywhere             anywhere
>> >>>>>> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>> >>>>>> ACCEPT     all  --  anywhere             anywhere
>> >>>>>> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>> >>>>>> ACCEPT     all  --  anywhere             anywhere             state NEW
>> >>>>>> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>> >>>>>> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>> >>>>>> ACCEPT     all  --  anywhere             anywhere
>> >>>>>> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>> >>>>>> ACCEPT     all  --  anywhere             anywhere
>> >>>>>> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>> >>>>>> ACCEPT     all  --  anywhere             anywhere
>> >>>>>> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>> >>>>>> ACCEPT     all  --  anywhere             anywhere
>> >>>>>> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>> >>>>>> ACCEPT     all  --  anywhere             anywhere
>> >>>>>>
>> >>>>>> Chain OUTPUT (policy ACCEPT)
>> >>>>>> target     prot opt source               destination
>> >>>>>> NETWORK_STATS  all  --  anywhere             anywhere
>> >>>>>>
>> >>>>>> Chain NETWORK_STATS (3 references)
>> >>>>>> target     prot opt source               destination
>> >>>>>>            all  --  anywhere             anywhere
>> >>>>>>            all  --  anywhere             anywhere
>> >>>>>>            tcp  --  anywhere             anywhere
>> >>>>>>            tcp  --  anywhere             anywhere
>> >>>>>>            all  --  anywhere             anywhere
>> >>>>>>            all  --  anywhere             anywhere
>> >>>>>>            tcp  --  anywhere             anywhere
>> >>>>>>            tcp  --  anywhere             anywhere
>> >>>>>>            all  --  anywhere             anywhere
>> >>>>>>            all  --  anywhere             anywhere
>> >>>>>>            tcp  --  anywhere             anywhere
>> >>>>>>            tcp  --  anywhere             anywhere
>> >>>>>>            all  --  anywhere             anywhere
>> >>>>>>            all  --  anywhere             anywhere
>> >>>>>>            tcp  --  anywhere             anywhere
>> >>>>>>            tcp  --  anywhere             anywhere
>> >>>>>>            all  --  anywhere             anywhere
>> >>>>>>            all  --  anywhere             anywhere
>> >>>>>>            tcp  --  anywhere             anywhere
>> >>>>>>            tcp  --  anywhere             anywhere
>> >>>>>>            all  --  anywhere             anywhere
>> >>>>>>            all  --  anywhere             anywhere
>> >>>>>>            tcp  --  anywhere             anywhere
>> >>>>>>            tcp  --  anywhere             anywhere
>> >>>>>>
>> >>>>>>
>> >>>>>> And has the link been fixed in Git?
>> >>>>>>
>> >>>>>> Thank you so much.
>> >>>>>>
>> >>>>>>
>> >>>>>> On Wed, May 22, 2013 at 2:55 PM, Jayapal Reddy Uradi <
>> >>>>>> [email protected]> wrote:
>> >>>>>>
>> >>>>>>>
>> >>>>>>> I think the UI link is missing but it was fixed after that.
>> >>>>>>> Try to add rules using the API 'createEgressFirewallRule'
>> >>>>>>>
>> >>>>>>> Thanks,
>> >>>>>>> Jayapal
>> >>>>>>>
>> >>>>>>> On 22-May-2013, at 12:05 PM, wq meng <[email protected]>
>> >>>>>>> wrote:
>> >>>>>>>
>> >>>>>>>> Hello Jayapal,
>> >>>>>>>>
>> >>>>>>>> https://cwiki.apache.org/CLOUDSTACK/egress-firewall-rules-for-guest-network.html
>> >>>>>>>>
>> >>>>>>>> I have checked Network -> Guest Network (Name) ->
>> >>>>>>>>
>> >>>>>>>> I can not find any Egress firewall rule tab.
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> Have I missed something?
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> Thank you very much.
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> On Wed, May 22, 2013 at 1:23 PM, Jayapal Reddy Uradi <
>> >>>>>>>> [email protected]> wrote:
>> >>>>>>>>
>> >>>>>>>>> Hi,
>> >>>>>>>>>
>> >>>>>>>>> Did you configure the egress firewall rules on the guest network?
>> >>>>>>>>> You need to add egress rules to allow guest traffic.
>> >>>>>>>>>
>> >>>>>>>>> If after adding the egress rule it does not work, please send the router
>> >>>>>>>>> iptables rules.
>> >>>>>>>>>
>> >>>>>>>>> Thanks,
>> >>>>>>>>> Jayapal
>> >>>>>>>>>
>> >>>>>>>>> On 22-May-2013, at 4:10 AM, wq meng <[email protected]> wrote:
>> >>>>>>>>>
>> >>>>>>>>>> Hello
>> >>>>>>>>>>
>> >>>>>>>>>> Has anyone faced this problem? CS4.02 KVM Advanced Network, VM instance
>> >>>>>>>>>> can not access public IP. NAT (Source)
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>> The VM instance is running, but inside the VM instance it is not
>> >>>>>>>>>> possible to access outside.
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>> The VMs can ping each other, and I can ping google.com in the Virtual
>> >>>>>>>>>> Router VM.
>> >>>>>>>>>>
>> >>>>>>>>>> But I just can not ping Google.com inside the VM instance.
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>> It seems that inside the VM instance it can resolve Google.com's IP
>> >>>>>>>>>> address, BUT can not do anything else.
>> >>>>>>>>>>
>> >>>>>>>>>> Please see the following output.
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>> ------------------------
>> >>>>>>>>>> [root@CentOS5-5 ~]# wget www.google.com
>> >>>>>>>>>> --2013-05-21 08:30:39--  http://www.google.com/
>> >>>>>>>>>> Resolving www.google.com... 173.194.64.104, 173.194.64.99, 173.194.64.105, ...
>> >>>>>>>>>> Connecting to www.google.com|173.194.64.104|:80...
>> >>>>>>>>>> [root@CentOS5-5 ~]# ls
>> >>>>>>>>>>
>> >>>>>>>>>> -------------------------
>> >>>>>>>>>> [root@CentOS5-5 ~]# iptables -L
>> >>>>>>>>>> Chain INPUT (policy ACCEPT)
>> >>>>>>>>>> target     prot opt source               destination
>> >>>>>>>>>> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>> >>>>>>>>>>
>> >>>>>>>>>> Chain FORWARD (policy ACCEPT)
>> >>>>>>>>>> target     prot opt source               destination
>> >>>>>>>>>> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>> >>>>>>>>>>
>> >>>>>>>>>> Chain OUTPUT (policy ACCEPT)
>> >>>>>>>>>> target     prot opt source               destination
>> >>>>>>>>>>
>> >>>>>>>>>> Chain RH-Firewall-1-INPUT (2 references)
>> >>>>>>>>>> target     prot opt source               destination
>> >>>>>>>>>> ACCEPT     all  --  anywhere             anywhere
>> >>>>>>>>>> ACCEPT     icmp --  anywhere             anywhere             icmp any
>> >>>>>>>>>> ACCEPT     esp  --  anywhere             anywhere
>> >>>>>>>>>> ACCEPT     ah   --  anywhere             anywhere
>> >>>>>>>>>> ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns
>> >>>>>>>>>> ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipp
>> >>>>>>>>>> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ipp
>> >>>>>>>>>> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>> >>>>>>>>>> ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
>> >>>>>>>>>> REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
>> >>>>>>>>>>
>> >>>>>>>>>> [root@CentOS5-5 ~]# ping 8.8.8.8
>> >>>>>>>>>> PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
>> >>>>>>>>>>
>> >>>>>>>>>> --- 8.8.8.8 ping statistics ---
>> >>>>>>>>>> 3 packets transmitted, 0 received, 100% packet loss, time 2000ms
>> >>>>>>>>>>
>> >>>>>>>>>> --------------------------
>> >>>>>>>>>> [root@CentOS5-5 ~]# ifconfig
>> >>>>>>>>>> eth0      Link encap:Ethernet  HWaddr 02:00:2D:C8:00:01
>> >>>>>>>>>>           inet addr:10.1.1.5  Bcast:10.1.1.255  Mask:255.255.255.0
>> >>>>>>>>>>           inet6 addr: fe80::2dff:fec8:1/64 Scope:Link
>> >>>>>>>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>> >>>>>>>>>>           RX packets:2442 errors:0 dropped:0 overruns:0 frame:0
>> >>>>>>>>>>           TX packets:2261 errors:0 dropped:0 overruns:0 carrier:0
>> >>>>>>>>>>           collisions:0 txqueuelen:1000
>> >>>>>>>>>>           RX bytes:174960 (170.8 KiB)  TX bytes:154159 (150.5 KiB)
>> >>>>>>>>>>
>> >>>>>>>>>> lo        Link encap:Local Loopback
>> >>>>>>>>>>           inet addr:127.0.0.1  Mask:255.0.0.0
>> >>>>>>>>>>           inet6 addr: ::1/128 Scope:Host
>> >>>>>>>>>>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>> >>>>>>>>>>           RX packets:32 errors:0 dropped:0 overruns:0 frame:0
>> >>>>>>>>>>           TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
>> >>>>>>>>>>           collisions:0 txqueuelen:0
>> >>>>>>>>>>           RX bytes:3913 (3.8 KiB)  TX bytes:3913 (3.8 KiB)
>> >>>>>>>>>>
>> >>>>>>>>>> ----------------------------
>> >>>>>>>>>>
>> >>>>>>>>>> [root@CentOS5-5 ~]# tracert www.google.com
>> >>>>>>>>>> traceroute to www.google.com (173.194.64.106), 30 hops max, 40 byte packets
>> >>>>>>>>>>  1  r-4-VM.cs2cloud.internal (10.1.1.1)  0.158 ms  0.136 ms  0.134 ms
>> >>>>>>>>>>  2  * * *
>> >>>>>>>>>>  3  * * *
>> >>>>>>>>>>  4  * * *
>> >>>>>>>>>>  5  * * *
>> >>>>>>>>>>  6  * * *
>> >>>>>>>>>>  7  * * *
>> >>>>>>>>>>  8  * * *
>> >>>>>>>>>>  9  * * *
>> >>>>>>>>>> 10  * * *
>> >>>>>>>>>> 11  * * *
>> >>>>>>>>>> 12  * * *
>> >>>>>>>>>> 13  * * *
>> >>>>>>>>>> 14  * * *
>> >>>>>>>>>> 15  * * *
>> >>>>>>>>>> 16  * * *
>> >>>>>>>>>> 17  * * *
>> >>>>>>>>>> 18  * * *
>> >>>>>>>>>> 19  * * *
>> >>>>>>>>>> 20  * * *
>> >>>>>>>>>> 21  * * *
>> >>>>>>>>>> 22  * * *
>> >>>>>>>>>> 23  * * *
>> >>>>>>>>>> 24  * * *
>> >>>>>>>>>> 25  * * *
>> >>>>>>>>>> 26  * * *
>> >>>>>>>>>> 27  * * *
>> >>>>>>>>>> 28  * * *
>> >>>>>>>>>> 29  * * *
>> >>>>>>>>>> 30  * * *
>> >>>>>>>>>>
>> >>>>>>>>>> ----------------
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>> Any thoughts?
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>> Thank you very much.
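As an added offline diagnostic (not code from this thread or from CloudStack), the following Python script parses pasted `route -n` and `iptables -L -nv` text from a virtual router and reports the two things this thread turned on: a public subnet configured on several router interfaces (the three public VLANs with the same range noted at the top), and whether the FORWARD chain accepts new guest-to-public traffic at all, or accepts it but has matched no packets. The interface names eth0/eth2 and the sample output below are constructed to mirror the router listings quoted in the thread.

```python
"""Offline sanity check for a CloudStack virtual router's guest->public path.
Added example, not code from the thread or from CloudStack; it parses the text
of `route -n` and `iptables -L -nv` as pasted on the mailing list."""
import re
from collections import defaultdict

# Constructed sample shaped like the router output quoted in the thread:
# the public subnet is directly connected on three interfaces.
ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
198.105.191.0   0.0.0.0         255.255.255.0   U     0      0        0 eth2
198.105.191.0   0.0.0.0         255.255.255.0   U     0      0        0 eth3
198.105.191.0   0.0.0.0         255.255.255.0   U     0      0        0 eth4
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         198.105.191.1   0.0.0.0         UG    0      0        0 eth2
"""
# Constructed FORWARD chain; only the rules that matter for the check.
IPTABLES_NV = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 8735 1159K NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 4746  775K ACCEPT     all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
 3657  364K ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth3    0.0.0.0/0            0.0.0.0/0
"""


def parse_routes(text):
    """Connected (non-default) routes from `route -n` as (dest, mask, iface)."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 8 and re.match(r"\d{1,3}(\.\d{1,3}){3}$", f[0]) and f[0] != "0.0.0.0":
            routes.append((f[0], f[2], f[-1]))
    return routes


def duplicate_subnets(routes):
    """Subnets that are directly connected on more than one interface."""
    by_net = defaultdict(set)
    for dest, mask, iface in routes:
        by_net[f"{dest}/{mask}"].add(iface)
    return {net: sorted(ifs) for net, ifs in by_net.items() if len(ifs) > 1}


def parse_chain(text, chain="FORWARD"):
    """(policy, rules) of one chain from `iptables -L -nv` output."""
    rules, policy, inside = [], None, False
    for line in text.splitlines():
        if line.startswith("Chain "):
            inside = line.startswith(f"Chain {chain} ")
            m = re.search(r"\(policy (\w+)", line)
            policy = m.group(1) if inside and m else policy
            continue
        f = line.split()
        if not inside or len(f) < 9 or f[0] == "pkts":
            continue  # header line or a different chain
        rules.append({"pkts": int(f[0]), "target": f[2], "proto": f[3], "in": f[5],
                      "out": f[6], "src": f[7], "dst": f[8], "extra": " ".join(f[9:])})
    return policy, rules


def guest_to_public_accept(rules, guest="eth0", public="eth2"):
    """First ACCEPT that lets NEW guest->public traffic through, else None.
    A rule limited to RELATED,ESTABLISHED only carries replies."""
    for r in rules:
        if r["target"] != "ACCEPT" or r["in"] != guest or r["out"] != public:
            continue
        if "RELATED,ESTABLISHED" in r["extra"] and "NEW" not in r["extra"]:
            continue
        return r
    return None


def check_router(route_text, iptables_text, guest="eth0", public="eth2"):
    """Human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for net, ifs in sorted(duplicate_subnets(parse_routes(route_text)).items()):
        findings.append(f"subnet {net} is on {len(ifs)} interfaces: {', '.join(ifs)}")
    policy, rules = parse_chain(iptables_text)
    rule = guest_to_public_accept(rules, guest, public)
    if rule is None:
        findings.append(f"no ACCEPT for new {guest}->{public} traffic (FORWARD policy is {policy})")
    elif rule["pkts"] == 0:
        findings.append(f"{guest}->{public} ACCEPT matched 0 packets: guest traffic is not reaching the router")
    return findings
```

Run `check_router(ROUTE_N, IPTABLES_NV)` on the sample to get the single duplicate-subnet finding; feeding it the full pasted listings from a real router works the same way.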
