cloudstack-users mailing list archives

From Noel King <noelk...@gmail.com>
Subject Iptables blocking vms on kvm host
Date Mon, 11 Feb 2013 21:24:58 GMT
Hi

I have set up KVM hosts for CloudStack 4 using the details in the
installation guide

http://incubator.apache.org/cloudstack/docs/en-US/Apache_CloudStack/4.0.0-incubating/html-single/Installation_Guide/index.html#hypervisor-kvm-install-flow

This setup includes iptables configuration. However, after creating VMs on
that host, they are blocked unless I directly ssh from that KVM host machine.
This means all external machines, including other KVM host VMs, cannot
connect either.

After a VM is created on this host the iptables configuration is changed to
the following state (below), which is preventing non local access to the VM.

Any insight as to how CloudStack's updating of iptables here is
preventing connectivity would be greatly appreciated.

Kind regards,

Noel


IPTABLES STATE AFTER VM CREATED
=============================================

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:49152:49216
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:5900:6100
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:16509
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:1798
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    BF-cloudbr0  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged
2    BF-cloudbr0  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged
3    DROP       all  --  0.0.0.0/0            0.0.0.0/0
4    DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain BF-cloudbr0 (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    BF-cloudbr0-IN  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-in --physdev-is-bridged
3    BF-cloudbr0-OUT  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-out --physdev-is-bridged
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth0 --physdev-is-bridged

Chain BF-cloudbr0-IN (1 references)
num  target     prot opt source               destination
1    i-1-659-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vnet0 --physdev-is-bridged

Chain BF-cloudbr0-OUT (1 references)
num  target     prot opt source               destination
1    i-1-659-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vnet0 --physdev-is-bridged

Chain i-1-659-VM (1 references)
num  target     prot opt source               destination
1    DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain i-1-659-VM-eg (1 references)
num  target     prot opt source               destination
1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain i-1-659-def (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vnet0 --physdev-is-bridged udp spt:68 dpt:67
3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vnet0 --physdev-is-bridged udp spt:67 dpt:68
4    RETURN     udp  --  172.18.48.213        0.0.0.0/0           PHYSDEV match --physdev-in vnet0 --physdev-is-bridged udp dpt:53
5    i-1-659-VM-eg  all  --  172.18.48.213        0.0.0.0/0           PHYSDEV match --physdev-in vnet0 --physdev-is-bridged
6    i-1-659-VM  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vnet0 --physdev-is-bridged

Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
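Added diagnostic example; this is not part of Noel's message and not CloudStack's own code. Reading the dump above: a frame bridged toward the VM (--physdev-out vnet0) goes FORWARD -> BF-cloudbr0 -> BF-cloudbr0-OUT -> i-1-659-def, whose rule 6 sends it to i-1-659-VM, and that chain holds nothing but DROP. Only RELATED,ESTABLISHED replies and DHCP get through earlier in i-1-659-def, so no new inbound connection to the VM is allowed: this is the rule set CloudStack generates for a VM whose security group has no ingress rules. Traffic the host itself originates leaves through OUTPUT rather than FORWARD and never meets the --physdev-is-bridged rules, which is consistent with ssh working only from the KVM host. The script below takes the text of `iptables -L -n --line-numbers` and reports, for every i-<account>-<vmid>-VM chain, whether any ACCEPT precedes the terminal DROP. The per-VM chains from the post are embedded (rejoined onto single lines) together with a constructed variant in which a TCP/22 ingress rule has been applied; the 172.18.48.0/24 source in that variant is hypothetical.

```bash
#!/usr/bin/env bash
# Added diagnostic (not from the original post or from CloudStack): given the
# output of `iptables -L -n --line-numbers` for the filter table, list every
# CloudStack per-VM ingress chain (i-<acct>-<vmid>-VM) and say whether it
# contains any ACCEPT rule ahead of its terminal DROP. A chain holding only a
# DROP means the VM's security group allows no ingress, the state in the post.

# Chains copied from the dump in the post, joined back onto single lines.
SAMPLE_DROP_ONLY='Chain i-1-659-VM (1 references)
num  target     prot opt source               destination
1    DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain i-1-659-VM-eg (1 references)
num  target     prot opt source               destination
1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain i-1-659-def (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
6    i-1-659-VM  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vnet0 --physdev-is-bridged
'

# Constructed (hypothetical) variant: the same VM after a security group
# ingress rule for TCP/22 from 172.18.48.0/24 has been applied.
SAMPLE_WITH_INGRESS='Chain i-1-659-VM (1 references)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  172.18.48.0/24       0.0.0.0/0           tcp dpt:22
2    DROP       all  --  0.0.0.0/0            0.0.0.0/0
'

# vm_ingress_report DUMP
# Prints one line per i-*-VM chain: "<chain> <accept_count> <verdict>", where
# the verdict is DROP-ONLY (no ingress allowed), OPEN (at least one ACCEPT)
# or NO-TERMINAL-DROP (the chain falls through; not something CloudStack
# generates, so worth a look if it ever appears).
vm_ingress_report() {
    printf '%s\n' "$1" | awk '
        /^Chain /   { flush(); chain = $2; accepts = 0; drops = 0; next }
        /^num /     { next }
        /^[0-9]+ /  { if ($2 == "ACCEPT") accepts++; if ($2 == "DROP") drops++; next }
        function flush() {
            # Only the ingress chains: i-<acct>-<vmid>-VM, not -VM-eg or -def.
            if (chain ~ /^i-[0-9]+-[0-9]+-VM$/) {
                v = (accepts > 0) ? "OPEN" : (drops > 0 ? "DROP-ONLY" : "NO-TERMINAL-DROP")
                printf "%s %d %s\n", chain, accepts, v
            }
        }
        END { flush() }'
}

# vm_ingress_verdict DUMP CHAIN
# Prints just the verdict for one chain (empty if the chain is not present).
vm_ingress_verdict() {
    vm_ingress_report "$1" | awk -v c="$2" '$1 == c { print $3 }'
}

# live_report: run against the host's current rules (needs root; not used by
# the embedded samples above).
live_report() {
    vm_ingress_report "$(iptables -t filter -L -n --line-numbers)"
}

# Demonstration on the embedded samples.
echo "== dump from the post =="
vm_ingress_report "$SAMPLE_DROP_ONLY"
echo "== after an ingress rule (constructed) =="
vm_ingress_report "$SAMPLE_WITH_INGRESS"
```

On the host, `live_report` (as root) gives the same one-line-per-VM summary. A chain reported DROP-ONLY is fixed on the management side, not by editing iptables on the host: add ingress rules to the VM's security group (in the UI, or with the authorizeSecurityGroupIngress API call), after which the i-<acct>-<vmid>-VM chain should show ACCEPT entries ahead of the DROP, as in the constructed variant. These chains are maintained by the CloudStack agent, so hand edits on the host are not the place to make the change.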
