
Custom routing configuration (Router inside the cloud)

Comments

3 comments

  • Dominik Nowacki

    It would be nice if this could be allowed via API or via CP.

  • Aleksander Papiez

    The whole problem is due to the firewall rules OnApp generates for a VM, which contain an "anti-spoofing" guard. That is, no packet can leave/reach a virtual interface if it is not sourced from/destined to one of the IPs assigned to that interface. That is of course a smart and necessary feature in a cloud environment. It does, however, block any router-like functionality (NAT router for private-only machines, VPN gateway, etc.).

    The above workaround, if I understand it correctly, at least partly bypasses the firewall rules defined for VMs. We don't see this as desired behavior: it makes any troubleshooting complicated and the effective rules being applied hard to understand. We have developed, and have been using in our clouds for quite a long time now, a much better solution:

    The attached script takes as its single parameter the name of the virtual interface that needs to have the anti-spoofing guard disabled.

    When executed incorrectly, or if the specified virtual interface does not exist, it exits with an error message printed to stderr.

    If the specified interface exists and does have an anti-spoofing guard, the guard is disabled, and everything (the "iptables -R" command executed and the rule before and after the change) is logged to /var/log/messages.

    If the specified interface exists but already has the guard disabled, the script is a NOP.

    We ourselves run the script from cron every 5 minutes for all router-like private-side interfaces. The script does not interfere with the firewall rules for VMs; it only disables the guard. Of course, with anti-spoofing disabled, the VMs become a better target for malicious attacks. Consider the script public domain.
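An added audit example (editor's code, not the script Aleksander describes and not OnApp's own tooling): it parses iptables-save style output and reports which VM interfaces no longer have an address-pinned guard on their ACCEPT rules, so the interfaces deliberately exempted for routing can be tracked and any other lifted guard noticed. The exact rule shape (FORWARD rules matching a vif with -i/-s or -o/-d) and the sample output are assumptions, not taken from OnApp.

```python
"""Audit per-interface anti-spoofing guards in iptables-save style output.
Assumed (hypothetical) rule shape, modelled on the guard described above: an
interface is guarded when every ACCEPT rule matching it also pins an address
(-i with -s, or -o with -d); an unpinned ACCEPT means the guard was lifted."""
import shlex
from collections import defaultdict

# Constructed sample output: vif1.0 and vif2.0 keep their guard, vif3.0 lost it.
SAMPLE_RULES = """\
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i vif1.0 -s 192.0.2.10/32 -j ACCEPT
-A FORWARD -i vif1.0 -j DROP
-A FORWARD -o vif1.0 -d 192.0.2.10/32 -j ACCEPT
-A FORWARD -i vif2.0 -s 192.0.2.11/32 -j ACCEPT
-A FORWARD -i vif2.0 -j DROP
-A FORWARD -i vif3.0 -j ACCEPT
-A FORWARD -o vif3.0 -j ACCEPT
COMMIT
"""

def parse_forward_rules(text):
    """Return {interface: [{'target', 'bound'}]} for FORWARD rules on a vif."""
    by_iface = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("-A FORWARD "):
            continue
        toks, opts = shlex.split(line), {}
        for i, tok in enumerate(toks[:-1]):
            if tok in ("-i", "-o", "-s", "-d", "-j"):
                opts[tok] = toks[i + 1]
        iface = opts.get("-i") or opts.get("-o")
        if iface:
            # Address the guard must pin: source on the way in, destination on the way out.
            bound = opts.get("-s") if "-i" in opts else opts.get("-d")
            by_iface[iface].append({"target": opts.get("-j"), "bound": bound})
    return by_iface

def audit_antispoof(text):
    """Classify each interface as 'guarded' or 'unguarded'."""
    report = {}
    for iface, rules in parse_forward_rules(text).items():
        lifted = any(r["target"] == "ACCEPT" and r["bound"] is None for r in rules)
        report[iface] = "unguarded" if lifted else "guarded"
    return report

def unguarded_interfaces(text, expected=()):
    """Unguarded interfaces not on the deliberate exemption list (the router vifs)."""
    return sorted(i for i, s in audit_antispoof(text).items()
                  if s == "unguarded" and i not in set(expected))
```

Run it against the output of `iptables-save` on a hypervisor and pass the cron-managed router interfaces as `expected`; anything else it returns is a guard that went missing without being asked for.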

  • Nick Zurku

    I don't see an attached script, Aleksander.

    Do you have an external link to the script?