cloudstack-dev mailing list archives

From Jayapal Reddy Uradi <jayapalreddy.ur...@citrix.com>
Subject Re: [Questions]: Basic Zone Security Group problem?
Date Fri, 30 Aug 2013 06:02:03 GMT
Hi,

The rules look as expected.
The ingress traffic to the VM should be blocked.

Can you run 'iptables -L -nv' and see which rules are accepting the ingress traffic?

Thanks,
Jayapal
On 30-Aug-2013, at 7:41 AM, Jijun <jijunlx@gmail.com> wrote:

> I cloned the branch 4.2 code, packaged it and did a fresh installation.
> 
> Hypervisor: XenServer 6.2, changed openvswitch to bridge.
> 
> Added a basic zone, security group enabled.
> 
> Created a new VM, default security group.
> 
> The previous version's documentation said the ingress will be blocked by default, but in my test, the network in and out are all allowed.
> So strange.
> 
> Is it a bug?
> 
> iptables rules in the hypervisor:
> 
> [root@xenserver-dlghbuxq ~]# iptables -nL
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> BRIDGE-FIREWALL  all  --  0.0.0.0/0            0.0.0.0/0 PHYSDEV match --physdev-is-bridged
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth1 --physdev-is-bridged
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth0 --physdev-is-bridged
> DROP       all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain BRIDGE-DEFAULT-FIREWALL (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged udp spt:68 dpt:67
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged udp spt:67 dpt:68
> 
> Chain BRIDGE-FIREWALL (1 references)
> target     prot opt source               destination
> BRIDGE-DEFAULT-FIREWALL  all  --  0.0.0.0/0 0.0.0.0/0
> i-2-7-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif21.0 --physdev-is-bridged
> i-3-8-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged
> r-4-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif19.0 --physdev-is-bridged
> r-4-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif19.1 --physdev-is-bridged
> s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.2 --physdev-is-bridged
> s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.0 --physdev-is-bridged
> s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.1 --physdev-is-bridged
> s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.3 --physdev-is-bridged
> v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif17.2 --physdev-is-bridged
> v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif17.0 --physdev-is-bridged
> v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif17.1 --physdev-is-bridged
> v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif17.1 --physdev-is-bridged
> v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif17.0 --physdev-is-bridged
> v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif17.2 --physdev-is-bridged
> s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif18.3 --physdev-is-bridged
> s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif18.1 --physdev-is-bridged
> s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif18.0 --physdev-is-bridged
> s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif18.2 --physdev-is-bridged
> r-4-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif19.1 --physdev-is-bridged
> r-4-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif19.0 --physdev-is-bridged
> i-3-8-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif20.0 --physdev-is-bridged
> i-2-7-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif21.0 --physdev-is-bridged
> 
> Chain L (0 references)
> target     prot opt source               destination
> 
> Chain RH-Firewall-1-INPUT (0 references)
> target     prot opt source               destination
> 
> Chain i-2-7-VM (1 references)
> target     prot opt source               destination
> DROP       all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain i-2-7-VM-eg (1 references)
> target     prot opt source               destination
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain i-2-7-def (2 references)
> target     prot opt source               destination
> RETURN     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif21.0 --physdev-is-bridged set i-2-7-VM src udp dpt:53
> DROP       all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif21.0 --physdev-is-bridged !set i-2-7-VM src
> DROP       all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif21.0 --physdev-is-bridged !set i-2-7-VM dst
> i-2-7-VM-eg  all  --  0.0.0.0/0            0.0.0.0/0 PHYSDEV match --physdev-in vif21.0 --physdev-is-bridged set i-2-7-VM src
> i-2-7-VM   all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif21.0 --physdev-is-bridged
> 
> Chain i-3-8-VM (1 references)
> target     prot opt source               destination
> DROP       all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain i-3-8-VM-eg (1 references)
> target     prot opt source               destination
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain i-3-8-def (2 references)
> target     prot opt source               destination
> RETURN     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged set i-3-8-VM src udp dpt:53
> DROP       all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged !set i-3-8-VM src
> DROP       all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif20.0 --physdev-is-bridged !set i-3-8-VM dst
> i-3-8-VM-eg  all  --  0.0.0.0/0            0.0.0.0/0 PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged set i-3-8-VM src
> i-3-8-VM   all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif20.0 --physdev-is-bridged
> 
> Chain r-4-VM (4 references)
> target     prot opt source               destination
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif19.0 --physdev-is-bridged
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif19.1 --physdev-is-bridged
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain s-6-VM (8 references)
> target     prot opt source               destination
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.2 --physdev-is-bridged
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.0 --physdev-is-bridged
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.1 --physdev-is-bridged
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.3 --physdev-is-bridged
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain v-2-VM (6 references)
> target     prot opt source               destination
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif17.2 --physdev-is-bridged
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif17.0 --physdev-is-bridged
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif17.1 --physdev-is-bridged
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> 
> 
> [root@xenserver-dlghbuxq ~]# ebtables -L
> Bridge table: filter
> 
> Bridge chain: INPUT, entries: 0, policy: ACCEPT
> 
> Bridge chain: FORWARD, entries: 5, policy: ACCEPT
> -j DEFAULT_EBTABLES
> -i vif21.0 -j i-2-7-VM
> -i vif20.0 -j i-3-8-VM
> -o vif20.0 -j i-3-8-VM
> -o vif21.0 -j i-2-7-VM
> 
> Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
> 
> Bridge chain: DEFAULT_EBTABLES, entries: 12, policy: ACCEPT
> -p IPv4 --ip-dst 255.255.255.255 --ip-proto udp --ip-dport 67 -j ACCEPT
> -p IPv4 --ip-dst 255.255.255.255 --ip-proto udp --ip-dport 68 -j ACCEPT
> -p ARP --arp-op Request -j ACCEPT
> -p ARP --arp-op Reply -j ACCEPT
> -p IPv4 -d Broadcast -j DROP
> -p IPv4 -d Multicast -j DROP
> -p IPv4 --ip-dst 255.255.255.255 -j DROP
> -p IPv4 --ip-dst 224.0.0.0/4 -j DROP
> -p IPv4 -j RETURN
> -p IPv6 -j DROP
> -p 802_1Q -j DROP
> -j DROP
> 
> Bridge chain: i-3-8-VM, entries: 2, policy: ACCEPT
> -p IPv4 -i vif20.0 --ip-proto udp --ip-dport 68 -j DROP
> -p IPv4 -o vif20.0 --ip-proto udp --ip-dport 67 -j DROP
> 
> Bridge chain: i-2-7-VM, entries: 2, policy: ACCEPT
> -p IPv4 -i vif21.0 --ip-proto udp --ip-dport 68 -j DROP
> -p IPv4 -o vif21.0 --ip-proto udp --ip-dport 67 -j DROP
> 
> 
> [root@xenserver-dlghbuxq ~]# ipset -L
> Name: i-3-8-VM
> Type: iphash
> References: 4
> Header: hashsize: 1024 probes: 8 resize: 50
> Members:
> 192.168.253.66
> 
> Name: i-2-7-VM
> Type: iphash
> References: 4
> Header: hashsize: 1024 probes: 8 resize: 50
> Members:
> 192.168.253.68
> 
> -- 
> Thanks,
> Jijun
> 
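Jayapal's question is which rule in this chain graph ends up accepting ingress traffic. The script below is an added illustration, not part of the thread or of CloudStack's own code: it parses an `iptables -nL` listing in the layout quoted above, then walks a described packet through FORWARD the way netfilter does (jumps into user chains, RETURN back to the caller, the built-in chain's policy when nothing matched) and reports the rule that decided the verdict. The embedded listing is a constructed, trimmed copy of Jijun's dump keeping only guest i-2-7 on vif21.0, the ipset member is the one his `ipset -L` shows, and the outside address 203.0.113.10 and the spoofed source 192.168.253.99 are made up for the scenarios. The matcher is deliberately limited to the match types that appear in that dump (physdev in/out, conntrack state, udp ports, ipset src/dst) and assumes the source/destination columns are 0.0.0.0/0.

```python
"""Trace packets through an `iptables -nL` listing to find the rule that accepts or
drops them.  Added illustration, not CloudStack code; the listing and ipset member
below are a constructed, trimmed copy (one guest on vif21.0) of the thread's dump."""
import re
from collections import namedtuple

SAMPLE_LISTING = """\
Chain FORWARD (policy ACCEPT)
BRIDGE-FIREWALL  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-is-bridged
ACCEPT     all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out eth1 --physdev-is-bridged
ACCEPT     all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out eth0 --physdev-is-bridged
DROP       all  --  0.0.0.0/0  0.0.0.0/0
Chain BRIDGE-DEFAULT-FIREWALL (1 references)
ACCEPT     all  --  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-is-bridged udp spt:67 dpt:68
Chain BRIDGE-FIREWALL (1 references)
BRIDGE-DEFAULT-FIREWALL  all  --  0.0.0.0/0  0.0.0.0/0
i-2-7-def  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-in vif21.0 --physdev-is-bridged
i-2-7-def  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out vif21.0 --physdev-is-bridged
Chain i-2-7-VM (1 references)
DROP       all  --  0.0.0.0/0  0.0.0.0/0
Chain i-2-7-VM-eg (1 references)
RETURN     all  --  0.0.0.0/0  0.0.0.0/0
Chain i-2-7-def (2 references)
RETURN     udp  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-in vif21.0 --physdev-is-bridged set i-2-7-VM src udp dpt:53
DROP       all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-in vif21.0 --physdev-is-bridged !set i-2-7-VM src
DROP       all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out vif21.0 --physdev-is-bridged !set i-2-7-VM dst
i-2-7-VM-eg  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-in vif21.0 --physdev-is-bridged set i-2-7-VM src
i-2-7-VM   all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out vif21.0 --physdev-is-bridged
"""
SAMPLE_SETS = {"i-2-7-VM": {"192.168.253.68"}}  # constructed: the guest's address, as `ipset -L` shows

Rule = namedtuple("Rule", "target proto src dst extra")  # extra = options after the dst column

def parse_listing(text):
    """Return ({chain: [Rule]}, {builtin chain: policy}) from `iptables -nL` text."""
    chains, policies, current = {}, {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\w+)|\d+ references)", line)
        if m:
            current, chains[m.group(1)] = m.group(1), []
            if m.group(2):
                policies[current] = m.group(2)
        elif current and line.strip() and not line.startswith("target"):  # skip column header
            target, proto, _flags, src, dst, *extra = line.split(None, 5)
            chains[current].append(Rule(target, proto, src, dst, extra[0] if extra else ""))
    return chains, policies

def _opt(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None

def rule_matches(rule, pkt, sets):
    """Simplified matcher for the match types in this dump; src/dst columns assumed 0.0.0.0/0."""
    x = rule.extra
    checks = [
        rule.proto in ("all", pkt["proto"]),
        _opt(r"--physdev-in (\S+)", x) in (None, pkt["iface_in"]),
        _opt(r"--physdev-out (\S+)", x) in (None, pkt["iface_out"]),
        _opt(r"spt:(\d+)", x) in (None, str(pkt["sport"])),
        _opt(r"dpt:(\d+)", x) in (None, str(pkt["dport"])),
        (s := _opt(r"state (\S+)", x)) is None or pkt["state"] in s.split(","),
    ]
    m = re.search(r"(!?)\bset (\S+) (src|dst)", x)
    if m:  # ipset match; a leading "!" means the address must NOT be in the set
        checks.append((pkt[m.group(3)] in sets.get(m.group(2), set())) != bool(m.group(1)))
    return all(checks)

def trace(chains, policies, pkt, sets, chain="FORWARD", path=()):
    """Walk `chain` for `pkt`; returns (verdict, path), verdict None if the chain returned."""
    path = list(path)
    for idx, rule in enumerate(chains.get(chain, []), start=1):
        if not rule_matches(rule, pkt, sets):
            continue
        path.append(f"{chain}[{idx}] -> {rule.target}")
        if rule.target in ("ACCEPT", "DROP", "REJECT"):
            return rule.target, path
        if rule.target == "RETURN":
            break
        if rule.target in chains:  # jump; None means the user chain fell through / returned
            verdict, path = trace(chains, policies, pkt, sets, rule.target, path)
            if verdict:
                return verdict, path
    if chain in policies:  # built-in chain exhausted (or RETURNed): its policy decides
        path.append(f"{chain} policy -> {policies[chain]}")
        return policies[chain], path
    return None, path  # end of a user chain: implicit RETURN to the caller

def diagnose(listing=SAMPLE_LISTING, sets=SAMPLE_SETS):
    """Verdicts for the traffic cases a reviewer of this dump wants answered."""
    chains, policies = parse_listing(listing)
    base = {"proto": "tcp", "sport": 40000, "dport": 22, "state": "NEW"}  # constructed flow
    outside, guest = "203.0.113.10", "192.168.253.68"
    cases = {
        "ingress_new": dict(base, src=outside, dst=guest, iface_in="eth0", iface_out="vif21.0"),
        "ingress_reply": dict(base, src=outside, dst=guest, iface_in="eth0", iface_out="vif21.0", state="ESTABLISHED"),
        "egress_own_ip": dict(base, src=guest, dst=outside, iface_in="vif21.0", iface_out="eth0"),
        "egress_spoofed": dict(base, src="192.168.253.99", dst=outside, iface_in="vif21.0", iface_out="eth0"),
    }
    return {name: trace(chains, policies, pkt, sets) for name, pkt in cases.items()}

if __name__ == "__main__":
    for name, (verdict, path) in diagnose().items():
        print(f"{name:15} {verdict:7} {' / '.join(path)}")
```

Run as a script it prints the decision path for each case: on this ruleset a new inbound connection ends in the DROP of i-2-7-VM, reply traffic to the guest is let in by the RELATED,ESTABLISHED rule in BRIDGE-DEFAULT-FIREWALL, outbound traffic from the guest's own address falls all the way back to FORWARD's ACCEPT for eth0, and outbound traffic with a source that is not in the guest's ipset is stopped by the anti-spoofing DROP in i-2-7-def. Pointing `parse_listing` at the real `iptables -nL` output and `SAMPLE_SETS` at the real `ipset -L` members answers Jayapal's question for every VIF at once; the `-v` layout with packet counters is not parsed, but those counters are what confirm which rule actually saw the traffic on a live host.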

