cloudstack-users mailing list archives

From Noel King <noelk...@gmail.com>
Subject Re: Iptables blocking vms on kvm host
Date Mon, 11 Feb 2013 22:03:18 GMT
Hi Ahmad

Thank you very much for your response. I had not reviewed the security
group being used, and yes, the security group was not set up correctly.

Kind regards

Noel

On 11 February 2013 21:32, Ahmad Emneina <aemneina@gmail.com> wrote:

> Do you have security groups enabled? If so, you'll need to set up rules to
> allow for ingress traffic.
>
>
> On Mon, Feb 11, 2013 at 1:24 PM, Noel King <noelking@gmail.com> wrote:
>
> > Hi
> >
> > I have set up KVM hosts for CloudStack 4 using the details in the
> > installation guide
> >
> > http://incubator.apache.org/cloudstack/docs/en-US/Apache_CloudStack/4.0.0-incubating/html-single/Installation_Guide/index.html#hypervisor-kvm-install-flow
> >
> > This setup includes iptables configuration. However, after creating VMs on
> > that host they are blocked unless I directly ssh from that KVM host machine.
> > This means all external machines, including other KVM host VMs, cannot
> > connect either.
> >
> > After a VM is created on this host the iptables configuration is changed to
> > the following state (below), which is preventing non-local access to the
> > VM.
> >
> > Any insight as to how CloudStack's updating of iptables is preventing
> > connectivity would be greatly appreciated.
> >
> > Kind regards,
> >
> > Noel
> >
> >
> > IPTABLES STATE AFTER VM CREATED
> > =============================================
> >
> > Table: filter
> > Chain INPUT (policy ACCEPT)
> > num  target     prot opt source               destination
> > 1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:49152:49216
> > 2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:5900:6100
> > 3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:16509
> > 4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:1798
> > 5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
> >
> > Chain FORWARD (policy ACCEPT)
> > num  target     prot opt source               destination
> > 1    BF-cloudbr0  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged
> > 2    BF-cloudbr0  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged
> > 3    DROP       all  --  0.0.0.0/0            0.0.0.0/0
> > 4    DROP       all  --  0.0.0.0/0            0.0.0.0/0
> >
> > Chain OUTPUT (policy ACCEPT)
> > num  target     prot opt source               destination
> >
> > Chain BF-cloudbr0 (2 references)
> > num  target     prot opt source               destination
> > 1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> > 2    BF-cloudbr0-IN  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-in --physdev-is-bridged
> > 3    BF-cloudbr0-OUT  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-out --physdev-is-bridged
> > 4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth0 --physdev-is-bridged
> >
> > Chain BF-cloudbr0-IN (1 references)
> > num  target     prot opt source               destination
> > 1    i-1-659-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vnet0 --physdev-is-bridged
> >
> > Chain BF-cloudbr0-OUT (1 references)
> > num  target     prot opt source               destination
> > 1    i-1-659-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vnet0 --physdev-is-bridged
> >
> > Chain i-1-659-VM (1 references)
> > num  target     prot opt source               destination
> > 1    DROP       all  --  0.0.0.0/0            0.0.0.0/0
> >
> > Chain i-1-659-VM-eg (1 references)
> > num  target     prot opt source               destination
> > 1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0
> >
> > Chain i-1-659-def (2 references)
> > num  target     prot opt source               destination
> > 1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> > 2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vnet0 --physdev-is-bridged udp spt:68 dpt:67
> > 3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vnet0 --physdev-is-bridged udp spt:67 dpt:68
> > 4    RETURN     udp  --  172.18.48.213        0.0.0.0/0           PHYSDEV match --physdev-in vnet0 --physdev-is-bridged udp dpt:53
> > 5    i-1-659-VM-eg  all  --  172.18.48.213        0.0.0.0/0           PHYSDEV match --physdev-in vnet0 --physdev-is-bridged
> > 6    i-1-659-VM  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vnet0 --physdev-is-bridged
> >
> > Table: nat
> > Chain PREROUTING (policy ACCEPT)
> > num  target     prot opt source               destination
> >
> > Chain POSTROUTING (policy ACCEPT)
> > num  target     prot opt source               destination
> >
> > Chain OUTPUT (policy ACCEPT)
> > num  target     prot opt source               destination
> >
>
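The listing above shows why the VM was unreachable: traffic towards vnet0 is sent from the i-1-659-def chain into i-1-659-VM, whose only rule is DROP, because the security group had no ingress rules. The following diagnostic, added here as an example and not code from the thread or from CloudStack, parses `iptables -L -n --line-numbers` output and flags every per-VM ingress chain (assumed to follow CloudStack's i-<account>-<vm>-VM naming seen above) that contains no ACCEPT rule; the embedded sample is a constructed, trimmed copy of the posted listing.

```python
# Parse `iptables -L -n --line-numbers` output and flag CloudStack VM ingress
# chains (i-<acct>-<id>-VM) that contain no ACCEPT rule, i.e. a security group
# with no ingress rules. Added example, not code from the thread or CloudStack.
import re

# Constructed sample, trimmed from the listing posted in the thread.
SAMPLE = """\
Chain i-1-659-VM (1 references)
num  target     prot opt source               destination
1    DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain i-1-659-def (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vnet0 --physdev-is-bridged udp spt:68 dpt:67
3    i-1-659-VM  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vnet0 --physdev-is-bridged
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
# num, target, prot, opt, source, destination, remaining match text
RULE_RE = re.compile(r"^\d+\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s*(.*)$")
VM_CHAIN_RE = re.compile(r"^i-\d+-\d+-VM$")  # assumed per-VM ingress chain name

def parse_chains(listing):
    """Return {chain_name: [(target, proto, src, dst, match_text), ...]}."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        m = RULE_RE.match(line)
        if m and current is not None:  # header and blank lines do not match
            chains[current].append(m.groups())
    return chains

def diagnose(listing):
    """Names of VM ingress chains whose rules never ACCEPT anything."""
    chains = parse_chains(listing)
    return sorted(name for name, rules in chains.items()
                  if VM_CHAIN_RE.match(name)
                  and not any(r[0] == "ACCEPT" for r in rules))

if __name__ == "__main__":
    for chain in diagnose(SAMPLE):
        print(f"{chain}: no ACCEPT rule, security group allows no ingress")
```

Once an ingress rule exists in the security group, the VM chain gains an ACCEPT entry ahead of the DROP and the chain no longer appears in the output.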
