cloudstack-dev mailing list archives

From Jayapal Reddy Uradi <jayapalreddy.ur...@citrix.com>
Subject Re: SSH issue in SG enabled advanced zone
Date Tue, 21 Jan 2014 06:30:24 GMT
It is ebtables in the previous mail; ebtables was auto-corrected by my mail client :)

On 21-Jan-2014, at 11:37 AM, Jayapal Reddy Uradi <jayapalreddy.uradi@citrix.com>
 wrote:

> Hi Gaurav,
> 
> Network mode should be bridge for SG rules to work.
> 
> Some of the security group rules (iptables rules) are configured to match the traffic in/out
> from the bridge.
> Also ebtables rules need the bridge.
> 
> CloudStack Basic and Advanced need bridge mode for SG networks.
> 
> Thanks,
> Jayapal
> 
> On 20-Jan-2014, at 3:55 PM, Gaurav Aradhye <gaurav.aradhye@clogeny.com> wrote:
> 
>> Hi Jayapal,
>> 
>> CSP is installed but the network mode is set to openvswitch. Should it be
>> "bridge"?
>> 
>> Here are a few doubts.
>> 
>> 1) Does the Security Group feature always require the network mode to be set to bridge,
>> irrespective of basic or advanced zone setup?
>> 
>> 2) In what scenarios will we need it to be openvswitch / bridge? And why
>> exactly? I reckon openvswitch has more features than the basic bridge
>> networking mode.
>> 
>> 
>> Regards,
>> Gaurav
>> 
>> 
>> On Mon, Jan 20, 2014 at 2:18 PM, Jayapal Reddy Uradi <
>> jayapalreddy.uradi@citrix.com> wrote:
>> 
>>> Hi Gaurav,
>>> 
>>> Did you install CSP in XenServer?
>>> Is the host network mode set to bridge?
>>> Check the file /etc/xensource/network.conf for 'bridge'.
>>> 
>>> From the host iptables, no SG rules got configured.
>>> 
>>> Thanks,
>>> Jayapal
>>> 
>>> 
>>> 
>>> 
>>> On 20-Jan-2014, at 12:27 PM, Gaurav Aradhye <gaurav.aradhye@clogeny.com>
>>> wrote:
>>> 
>>>> Hello all,
>>>> 
>>>> I am facing an issue while SSHing to a VM in a security-groups-enabled advanced
>>>> zone (XenServer host), even after applying the ingress rule for the security
>>>> group in which the VM is deployed.
>>>> 
>>>> Also, even though I can see the ingress rule being applied through the API
>>>> listing and on the UI, I can't see the iptables on the host being updated after
>>>> adding/removing the ingress rule.
>>>> 
>>>> Is there any existing problem with XenServer regarding this? I read on a
>>>> few blogs about some people encountering a similar issue with XenServer. I have
>>>> not yet tried on KVM.
>>>> 
>>>> The output of the command "iptables -L -v -n" on the host is as follows.
>>>> 
>>>> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>>>> pkts bytes target     prot opt in     out     source               destination
>>>>  0     0 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0
>>>> 109M  110G RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>>> 
>>>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>>> pkts bytes target     prot opt in     out     source               destination
>>>>  0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>>> 
>>>> Chain OUTPUT (policy ACCEPT 91M packets, 149G bytes)
>>>> pkts bytes target     prot opt in     out     source               destination
>>>> 
>>>> Chain RH-Firewall-1-INPUT (2 references)
>>>> pkts bytes target     prot opt in     out     source               destination
>>>> 54M   76G ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
>>>> 8430  520K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
>>>>  0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
>>>>  0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
>>>>  0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353
>>>>  0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631
>>>>  0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:631
>>>>  0     0 ACCEPT     udp  --  xenapi *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
>>>> 47M   32G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>>>>  0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:694
>>>> 19  1132 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
>>>> 3919  204K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
>>>> 346K   21M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
>>>> 7721K 1583M REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
>>>> 
>>>> 
>>>> Any directions?
>>>> 
>>>> Regards,
>>>> Gaurav
>>> 
>>> 
> 
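The two host-side checks Jayapal asks for in this thread (is the XenServer network backend set to bridge, and did any security-group chains actually reach the host's iptables) combined into one diagnostic, as an added shell example that is not part of this thread or of CloudStack's own code. The network.conf content and the iptables listing are constructed samples taken from the thread; the per-VM chain name i-2-3-VM used in the comments and test is an assumed placeholder.

```shell
#!/bin/sh
# Added diagnostic for the SG-on-XenServer thread above (not CloudStack's code).
# It encodes the reasoning from the replies: SG iptables/ebtables rules are
# programmed against the bridge, so with network mode "openvswitch" nothing
# ever reaches the host, which matches the stock-only iptables listing posted.

# Constructed sample of /etc/xensource/network.conf on the affected host
# (the thread says it was set to openvswitch; the SG-capable value is "bridge").
NETWORK_CONF_SAMPLE="openvswitch"

# Chain headers from the "iptables -L -v -n" output posted in the thread.
# Only the "Chain ..." lines matter for this check; data rows are omitted.
IPTABLES_SAMPLE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
Chain OUTPUT (policy ACCEPT 91M packets, 149G bytes)
Chain RH-Firewall-1-INPUT (2 references)'

# Returns 0 when the backend string is exactly "bridge", 1 otherwise.
# On a real host: network_mode_is_bridge "$(cat /etc/xensource/network.conf)"
network_mode_is_bridge() {
    case "$(printf '%s' "$1" | tr -d '[:space:]')" in
        bridge) return 0 ;;
        *)      return 1 ;;
    esac
}

# Prints chain names that are neither the built-ins nor the stock
# RH-Firewall-1-INPUT chain. SG programming adds per-VM chains (assumed
# name i-2-3-VM), so an empty result means no SG rules reached the host.
# On a real host: extra_chains "$(iptables -L -v -n)"
extra_chains() {
    printf '%s\n' "$1" \
      | awk '$1 == "Chain" { print $2 }' \
      | grep -vE '^(INPUT|FORWARD|OUTPUT|RH-Firewall-1-INPUT)$' || true
}

# Combine both checks into a single verdict string.
sg_diagnosis() {
    conf="$1"; ipt="$2"
    if ! network_mode_is_bridge "$conf"; then
        echo "network mode is not bridge: SG iptables/ebtables rules cannot be applied"
    elif [ -z "$(extra_chains "$ipt")" ]; then
        echo "bridge mode ok, but no SG chains on host: check agent/SG programming"
    else
        echo "bridge mode ok and SG chains present"
    fi
}

sg_diagnosis "$NETWORK_CONF_SAMPLE" "$IPTABLES_SAMPLE"
```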

