[openstack-dev] [neutron] Firewall is ineffective with floating ip?
idopra at gmail.com
Fri Jun 6 05:11:15 UTC 2014
Yes, right, but why can't we use the floating IP? An administrator or user should
care about the instance's floating IP rather than its fixed IP. So I think the firewall
should also take effect on the floating IP.
2014-06-05 19:32 GMT+08:00 ZZelle <zzelle at gmail.com>:
> When the router receives packets from the external network, iptables does
> 1) NAT PREROUTING table: translate floatingip to fixed ip
> 2) FILTER FORWARD table: apply FW rules ... on fixed ips because
> floatingip has been translated to fixed ip
> So disabling ping to the floating ip has no effect; you should instead
> disable ping to the associated fixed ip.
> More generally, in (iptables) FW rules you should use fixed ips/cidrs as
> source/target, not floating ips.
> On Thu, Jun 5, 2014 at 1:15 PM, Xurong Yang <idopra at gmail.com> wrote:
>> Hi, Stackers,
>> Use case description:
>> Firewall is not working when setting the destination-ip-address to the VM's
>> floating ip
>> Steps to Reproduce:
>> 1. create one network and attached it to the newly created router
>> 2. Create VMs on the above network
>> 3. create security group rule for icmp
>> 4. create an external network and attach it to the router as gateway
>> 5. create floating ip and associate it to the VMs
>> 6. create a first firewall rule with protocol=icmp, action=deny and
>> destination-ip-address set to the floating ip
>> 7. create second firewall rule as protocol=any action=allow
>> 8. attach the rule to the policy and the policy to the firewall
>> 9. ping the VM's floating ip from the network node, which has the
>> external network configured.
>> Actual Results:
>> Ping succeeds
>> Expected Results:
>> Ping should fail as per the firewall rule
>> The router does both NAT and firewalling. So, although we have created a
>> firewall rule, when the network node pings the VM's floating ip DNAT acts
>> first in the PREROUTING chain (changing the floating ip to the fixed ip),
>> and the firewall rules in the FORWARD chain can't match because the packet's
>> ip has already been changed to the fixed ip.
>> Additional case:
>> if we change the firewall rule to protocol=icmp, action=deny and
>> destination-ip-address set to the fixed ip, the ping fails.
>> In short, the router firewall can't take effect on floating ips.
>> What do you think?
>> Xurong Yang
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org