cloudstack-dev mailing list archives

From Maurice Lawler <maurice.law...@me.com>
Subject Re: ebtables
Date Mon, 22 Apr 2013 22:36:15 GMT
I need to revert ebtables back to default, the strict rules that were once in place. As I mentioned
previously, ALL my ports that have services running on them are open, as shown by nmap. Previously,
before I removed and then reinstalled ebtables, there were NO ports shown on this port scan.

I was told to reinstall ebtables and restart the VMs in question; however, that does
not work. Along with that, the node itself is showing all its open ports as well.

Please assist me in correcting my error !

- Maurice

On Apr 22, 2013, at 01:03 AM, Jayapal Reddy Uradi <jayapalreddy.uradi@citrix.com> wrote:

> Maurice,
>
> You need to change the below rules in ebtables to work for secondary IPs.
>
> # $vmchain_in / $vmchain_out are the per-VM chains; $vm_ip is the VM's IP
> ebtables -t nat -A $vmchain_in -p ARP --arp-ip-src ! $vm_ip -j DROP
> ebtables -t nat -A $vmchain_out -p ARP --arp-ip-dst ! $vm_ip -j DROP
>
> updated to:
>
> # hand all ARP traffic to per-IP chains instead of matching one address
> ebtables -t nat -A $vmchain_in -p ARP -j $vmchain_in_ips
> ebtables -t nat -A $vmchain_out -p ARP -j $vmchain_out_ips
>
> # default verdict in the per-IP chains
> ebtables -t nat -A $vmchain_in_ips -j DROP
> ebtables -t nat -A $vmchain_out_ips -j DROP
>
> # one RETURN per allowed address, inserted (-I) ahead of the DROP
> ebtables -t nat -I $vmchain_in_ips -p ARP --arp-ip-src $vm_ip -j RETURN
> ebtables -t nat -I $vmchain_out_ips -p ARP --arp-ip-dst $vm_ip -j RETURN
>
>
> Also you need to update the iptables filter table rules.
> On restart of vm you need to update the rules again.
>
> Please refer to the multiple IP address feature CLOUDSTACK-24 commits for the changes.
>
> Thanks,
> Jayapal
>
> On 20-Apr-2013, at 1:50 AM, Maurice Lawler <maurice.lawler@me.com> wrote:
>
> Great -- My ebtables rules are back in place. Now, how can I go about dropping the rule
> to allow secondary IP traffic to a particular VM?
>
> I cannot remember how to do that, someone once told me.
>
>
>
> On Apr 19, 2013, at 01:42 PM, Marcus Sorensen <shadowsor@gmail.com> wrote:
>
> You can go back and disable security groups in the zone if you don't care
> about the ebtables rules, or you can start up ebtables and then restart any
> associated VMs through cloudstack. The rules are dynamic, so they're not
> going to be saved anywhere on the host to be reinstated, they have to be
> reapplied by cloudstack via a restart of the vms.
>
>
> On Fri, Apr 19, 2013 at 11:12 AM, Maurice Lawler <maurice.lawler@me.com> wrote:
>
> > Anyone know how to correct my mistake?
> >
> > - Maurice
> >
> >
> > On Apr 19, 2013, at 2:01 AM, Maurice Lawler <maurice.lawler@me.com> wrote:
> >
> > > Perhaps this was not the best thing, now my ports are open; how can I
> > > revert back to ebtables?
> > >
> > > Along with that, when reverted, how can I drop rules for a particular VM
> > > to allow communication via a second IP address?
> > >
> > >
> > > On Apr 18, 2013, at 10:34 PM, Maurice Lawler <maurice.lawler@me.com> wrote:
> > >
> > >> Disregard, for now, I have disabled/removed ebtables as shown here:
> > >>
> > >>
> > >> http://mail-archives.apache.org/mod_mbox/incubator-cloudstack-users/201302.mbox/%3CB1DF26ECC0458748AC97CECE2DA98D41012FA47B62D2@SJCPMAILBOX01.citrite.net%3E
> > >>
> > >>
> > >> On Apr 18, 2013, at 11:28 PM, Maurice Lawler <maurice.lawler@me.com> wrote:
> > >>
> > >>> Hello --
> > >>>
> > >>> Previously one told me how to do this, but I cannot find my notes on
> > >>> this, so I hope you can help me out.
> > >>>
> > >>> I am attempting to allow a secondary IP address on an instance to bypass
> > >>> the routing rules set forth in ebtables. I recall doing something like
> > >>>
> > >>> ebtables nat i-2-25-VM something ... I cannot for the life of me
> > >>> remember.
> > >>>
> > >>> How to list and/or drop the rules per VM.
> > >>>
> > >>> Can you guys assist?
> > >
> >
> >
>

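The chain layout Jayapal describes above (a per-VM ARP jump into a per-IP chain that holds one RETURN per allowed address ahead of a trailing DROP), as an added example that is not code from this thread or from CloudStack's own security_group.py. It generates the ebtables commands for one VM and then walks them the way the nat table would, so the effect of inserting the RETURN rules with -I rather than appending them with -A is visible without touching a host. The chain-name suffixes (-in, -out, -in-ips, -out-ips), the IP addresses and the ebtables options the parser understands are assumptions; the VM name i-2-25-VM is the one Maurice mentions.

```python
import shlex

# Added example, not CloudStack's security_group.py. Chain-name suffixes,
# the addresses used below and the subset of ebtables options parsed by
# load_chains() are assumptions made for this illustration.


def build_arp_rules(vm_name, vm_ips, insert=True):
    """Return the ebtables commands that install ARP filtering for one VM.

    vm_ips[0] is the NIC's primary address; further entries are secondary
    IPs that must also be allowed. With insert=True the per-IP RETURN rules
    go in with -I, ahead of the trailing DROP; insert=False appends them
    with -A, the ordering mistake that arp_verdict() below exposes.
    """
    vmchain_in, vmchain_out = vm_name + "-in", vm_name + "-out"
    vmchain_in_ips, vmchain_out_ips = vm_name + "-in-ips", vm_name + "-out-ips"
    op = "-I" if insert else "-A"
    cmds = [
        f"ebtables -t nat -N {vmchain_in_ips}",
        f"ebtables -t nat -N {vmchain_out_ips}",
        # Every ARP frame seen by the per-VM chains is handed to the IP chains.
        f"ebtables -t nat -A {vmchain_in} -p ARP -j {vmchain_in_ips}",
        f"ebtables -t nat -A {vmchain_out} -p ARP -j {vmchain_out_ips}",
        # Default verdict, appended first so that -I lands ahead of it.
        f"ebtables -t nat -A {vmchain_in_ips} -j DROP",
        f"ebtables -t nat -A {vmchain_out_ips} -j DROP",
    ]
    for ip in vm_ips:
        cmds.append(f"ebtables -t nat {op} {vmchain_in_ips} -p ARP --arp-ip-src {ip} -j RETURN")
        cmds.append(f"ebtables -t nat {op} {vmchain_out_ips} -p ARP --arp-ip-dst {ip} -j RETURN")
    return cmds


def load_chains(cmds):
    """Parse the generated commands into {chain: [rule, ...]} in the order the
    nat table would hold them (-A appends; -I without a rule number inserts at 1)."""
    chains = {}
    for cmd in cmds:
        argv = shlex.split(cmd)
        if argv[:3] != ["ebtables", "-t", "nat"]:
            raise ValueError(f"not a nat-table command: {cmd!r}")
        op, chain, rest = argv[3], argv[4], argv[5:]
        if op == "-N":
            chains[chain] = []
            continue
        rule = {"arp_ip_src": None, "arp_ip_dst": None, "target": None}
        for flag, value in zip(rest[::2], rest[1::2]):
            if flag == "-p":
                continue  # every simulated frame is ARP, so -p ARP always matches
            if flag == "-j":
                rule["target"] = value
            elif flag in ("--arp-ip-src", "--arp-ip-dst"):
                rule[flag[2:].replace("-", "_")] = value
            else:
                raise ValueError(f"unsupported option {flag} in {cmd!r}")
        rules = chains.setdefault(chain, [])
        if op == "-A":
            rules.append(rule)
        elif op == "-I":
            rules.insert(0, rule)
        else:
            raise ValueError(f"unsupported operation {op} in {cmd!r}")
    return chains


def _walk(chains, chain, frame):
    """Evaluate one chain top to bottom; 'RETURN' means the chain was exhausted
    (or a RETURN target hit) and control goes back to the caller."""
    for rule in chains.get(chain, []):
        if rule["arp_ip_src"] and rule["arp_ip_src"] != frame.get("arp_ip_src"):
            continue
        if rule["arp_ip_dst"] and rule["arp_ip_dst"] != frame.get("arp_ip_dst"):
            continue
        target = rule["target"]
        if target in chains:  # jump into a user-defined chain, resume on RETURN
            verdict = _walk(chains, target, frame)
            if verdict != "RETURN":
                return verdict
        else:
            return target  # DROP, ACCEPT or RETURN
    return "RETURN"


def arp_verdict(chains, chain, **frame):
    """Verdict for an ARP frame entering `chain` (arp_ip_src=..., arp_ip_dst=...).
    Falling off the top-level chain stands in for the nat table's ACCEPT policy."""
    verdict = _walk(chains, chain, frame)
    return "ACCEPT" if verdict == "RETURN" else verdict


if __name__ == "__main__":
    cmds = build_arp_rules("i-2-25-VM", ["10.1.1.25", "10.1.1.77"])  # addresses assumed
    print("\n".join(cmds))
    chains = load_chains(cmds)
    for src in ("10.1.1.25", "10.1.1.77", "10.1.1.99"):
        print(src, arp_verdict(chains, "i-2-25-VM-in", arp_ip_src=src))
```

On a KVM host the printed commands would be run as root, and `ebtables -t nat -L i-2-25-VM-in-ips` shows the resulting chain with the RETURN entries listed before the DROP. As Marcus and Jayapal both say in the thread, CloudStack reapplies these rules when the VM is restarted, so anything added by hand on the host is lost at that point and the change has to live in the script that programs the rules.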