[openstack-dev] [neutron] Firewall is ineffective with floating ip?

Xurong Yang idopra at gmail.com
Fri Jun 6 05:11:15 UTC 2014


Yes, right, but why can't we use the floating IP? An administrator or user should
care about the floating IP of an instance rather than the fixed IP. So I think the firewall should also
take effect on the floating IP.

Thanks,
Xurong Yang


2014-06-05 19:32 GMT+08:00 ZZelle <zzelle at gmail.com>:

> Hi,
>
> When the router receives packets from the external network, iptables does
> the following sequentially:
>  1) NAT PREROUTING table: translate the floating IP to the fixed IP
>  2) FILTER FORWARD table: apply FW rules ... on fixed IPs, because the
> floating IP has already been translated to the fixed IP
>
>
> So disabling the ping to the floating IP has no effect; you should instead
> disable the ping to the associated fixed IP.
>
>
> More generally, in (iptables) FW rules you should use fixed IPs/CIDRs as
> source/target, not floating IPs.
>
>
> Cheers,
>
> Cedric
>
>
> On Thu, Jun 5, 2014 at 1:15 PM, Xurong Yang <idopra at gmail.com> wrote:
>
>> Hi, Stackers,
>>
>> Use case description:
>>
>> The firewall is not working when setting the destination-ip-address as the VM's
>> floating IP.
>> Steps to Reproduce:
>> 1. Create one network and attach it to the newly created router
>> 2. Create VMs on the above network
>> 3. Create a security group rule for ICMP
>> 4. Create an external network and attach it to the router as gateway
>> 5. Create a floating IP and associate it to the VMs
>> 6. Create a first firewall rule with protocol=icmp, action=deny and
>> destination-ip-address as the floating IP
>> 7. Create a second firewall rule with protocol=any, action=allow
>> 8. Attach the rules to the policy and the policy to the firewall
>> 9. Ping the VM's floating IP from the network node which has the
>> external network configured.
>>
>> Actual Results:
>> Ping succeeds
>>
>> Expected Results:
>> Ping should fail as per the firewall rule
>>
>> The router's functionality is both NAT and firewall, so although we have
>> created a firewall rule, DNAT will take action (change floating IP to fixed IP)
>> in the PREROUTING chain first when the network node pings the VM's floating IP,
>> so firewall rules in the FORWARD chain can't match because the packet's IP has
>> been changed to the fixed IP.
>>
>> Additional case:
>> if we change the firewall rule to protocol=icmp, action=deny and
>> destination-ip-address as the fixed IP, the ping fails.
>>
>> In short, the router firewall can't take effect on floating IPs.
>>
>> what do you think?
>>
>> Cheers,
>>
>> Xurong Yang
>>
>>
>>
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>
>
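As an added illustration (not code from this thread and not Neutron's own code), the following Python model walks an inbound ping through the two iptables stages Cedric describes, nat/PREROUTING (DNAT) and then filter/FORWARD, using the report's two-rule policy. All addresses, rule objects and helper names are constructed for the example. The third case goes slightly beyond the thread: it models the `-m conntrack --ctorigdst` match, which in real iptables compares against the pre-NAT destination that conntrack recorded rather than the rewritten header.

```python
"""Model of iptables traversal on a Neutron router for traffic to a floating IP.

nat/PREROUTING (DNAT) runs before filter/FORWARD, so a FORWARD rule whose
destination is the floating IP never sees that address.  Constructed example,
not Neutron code; addresses and helper names are assumptions.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

FLOATING_IP = "203.0.113.10"   # constructed floating IP (documentation range)
FIXED_IP = "10.0.0.5"          # constructed fixed IP of the VM
PINGER = "198.51.100.7"        # constructed external source (network node)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    ct_orig_dst: Optional[str] = None  # what conntrack recorded before NAT


@dataclass
class Rule:
    action: str                         # "allow" or "deny"
    proto: str = "any"                  # "icmp" or "any"
    dst: Optional[str] = None           # plain -d match on the current header
    ct_orig_dst: Optional[str] = None   # -m conntrack --ctorigdst (pre-NAT dst)

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.dst is not None and self.dst != p.dst:
            return False
        if self.ct_orig_dst is not None and self.ct_orig_dst != p.ct_orig_dst:
            return False
        return True


def nat_prerouting(p: Packet, dnat: Dict[str, str]) -> Packet:
    """nat PREROUTING: conntrack records the original dst, then DNAT rewrites it."""
    p = replace(p, ct_orig_dst=p.dst)
    if p.dst in dnat:
        p = replace(p, dst=dnat[p.dst])
    return p


def filter_forward(p: Packet, rules: List[Rule], default: str = "deny") -> str:
    """filter FORWARD: first matching rule wins, as in an FWaaS policy."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


def router_verdict(p: Packet, dnat: Dict[str, str], rules: List[Rule]) -> str:
    """Full inbound path: DNAT first, then the firewall rules."""
    return filter_forward(nat_prerouting(p, dnat), rules)


DNAT = {FLOATING_IP: FIXED_IP}
PING = Packet(src=PINGER, dst=FLOATING_IP, proto="icmp")


def verdict_deny_on_floating() -> str:
    """Steps 6-7 of the report: deny icmp to the floating IP, then allow any."""
    return router_verdict(PING, DNAT, [Rule("deny", "icmp", dst=FLOATING_IP), Rule("allow")])


def verdict_deny_on_fixed() -> str:
    """The 'additional case': the same deny rule written against the fixed IP."""
    return router_verdict(PING, DNAT, [Rule("deny", "icmp", dst=FIXED_IP), Rule("allow")])


def verdict_deny_on_ctorigdst() -> str:
    """Beyond the thread: match the pre-NAT destination via conntrack instead."""
    return router_verdict(PING, DNAT, [Rule("deny", "icmp", ct_orig_dst=FLOATING_IP), Rule("allow")])


if __name__ == "__main__":
    print("deny on floating IP  ->", verdict_deny_on_floating())   # allow (rule never matches)
    print("deny on fixed IP     ->", verdict_deny_on_fixed())      # deny
    print("deny via ctorigdst   ->", verdict_deny_on_ctorigdst())  # deny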
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140606/d88be802/attachment.html>


More information about the OpenStack-dev mailing list