cloudstack-users mailing list archives

From Ahmad Emneina <aemne...@gmail.com>
Subject Re: Iptables blocking vms on kvm host
Date Mon, 11 Feb 2013 21:32:22 GMT
Do you have security groups enabled? If so, you'll need to set up rules to
allow for ingress traffic.


On Mon, Feb 11, 2013 at 1:24 PM, Noel King <noelking@gmail.com> wrote:

> Hi
>
> I have set up KVM hosts for CloudStack 4 using the details in the
> installation guide
>
>
> http://incubator.apache.org/cloudstack/docs/en-US/Apache_CloudStack/4.0.0-incubating/html-single/Installation_Guide/index.html#hypervisor-kvm-install-flow
>
> This setup includes iptables configuration. However, after creating VMs on
> that host, they are blocked unless I ssh directly from that KVM host machine.
> This means all external machines, including VMs on other KVM hosts, cannot
> connect either.
>
> After a VM is created on this host, the iptables configuration is changed to
> the following state (below), which is preventing non-local access to the
> VM.
>
> Any insight as to how CloudStack's updating of iptables is preventing
> connectivity would be greatly appreciated.
>
> Kind regards,
>
> Noel
>
>
> IPTABLES STATE AFTER VM CREATED
> =============================================
>
> Table: filter
> Chain INPUT (policy ACCEPT)
> num  target     prot opt source               destination
> 1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:49152:49216
> 2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:5900:6100
> 3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:16509
> 4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:1798
> 5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
>
> Chain FORWARD (policy ACCEPT)
> num  target     prot opt source               destination
> 1    BF-cloudbr0  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged
> 2    BF-cloudbr0  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged
> 3    DROP       all  --  0.0.0.0/0            0.0.0.0/0
> 4    DROP       all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> num  target     prot opt source               destination
>
> Chain BF-cloudbr0 (2 references)
> num  target     prot opt source               destination
> 1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> 2    BF-cloudbr0-IN  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-in --physdev-is-bridged
> 3    BF-cloudbr0-OUT  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-out --physdev-is-bridged
> 4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth0 --physdev-is-bridged
>
> Chain BF-cloudbr0-IN (1 references)
> num  target     prot opt source               destination
> 1    i-1-659-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vnet0 --physdev-is-bridged
>
> Chain BF-cloudbr0-OUT (1 references)
> num  target     prot opt source               destination
> 1    i-1-659-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vnet0 --physdev-is-bridged
>
> Chain i-1-659-VM (1 references)
> num  target     prot opt source               destination
> 1    DROP       all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain i-1-659-VM-eg (1 references)
> num  target     prot opt source               destination
> 1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain i-1-659-def (2 references)
> num  target     prot opt source               destination
> 1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> 2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vnet0 --physdev-is-bridged udp spt:68 dpt:67
> 3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vnet0 --physdev-is-bridged udp spt:67 dpt:68
> 4    RETURN     udp  --  172.18.48.213        0.0.0.0/0           PHYSDEV match --physdev-in vnet0 --physdev-is-bridged udp dpt:53
> 5    i-1-659-VM-eg  all  --  172.18.48.213        0.0.0.0/0           PHYSDEV match --physdev-in vnet0 --physdev-is-bridged
> 6    i-1-659-VM  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vnet0 --physdev-is-bridged
>
> Table: nat
> Chain PREROUTING (policy ACCEPT)
> num  target     prot opt source               destination
>
> Chain POSTROUTING (policy ACCEPT)
> num  target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> num  target     prot opt source               destination
>

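Added worked example (not from the thread and not CloudStack's own code): a small Python model of the FORWARD-side chains in the dump above, transcribed as data, plus a walker that reports the verdict and the chain path a packet takes. Frames bridged between eth0 and the VM's tap device vnet0 traverse FORWARD, so this is the path an outside SSH connection takes; packets the host itself sends to the VM go through OUTPUT instead and never see these chains, which matches ssh working only from the host. The packets are constructed test inputs (172.18.48.213 is the VM address in the dump; 172.18.48.10 is a made-up outside address), and add_ingress_rule is a hypothetical helper that inserts an ACCEPT ahead of the per-VM chain's terminal DROP to show what a security-group ingress rule has to achieve on the host.

```python
"""Walk the security-group chains from the posted `iptables -L -n` dump.

Hypothetical helper, not CloudStack code. CHAINS is a transcription of the
chains reachable from FORWARD in Noel's dump; the packets below are
constructed test inputs (172.18.48.10 is a made-up outside address).
"""
import copy
import ipaddress

POLICY = {"FORWARD": "ACCEPT"}   # built-in chain policy shown in the dump


def rule(target, **match):
    return {"target": target, "match": match}


CHAINS = {
    "FORWARD": [
        rule("BF-cloudbr0", is_bridged=True),
        rule("BF-cloudbr0", is_bridged=True),   # duplicated in the dump
        rule("DROP"),
        rule("DROP"),
    ],
    "BF-cloudbr0": [
        rule("ACCEPT", state={"RELATED", "ESTABLISHED"}),
        rule("BF-cloudbr0-IN", is_in=True, is_bridged=True),
        rule("BF-cloudbr0-OUT", is_out=True, is_bridged=True),
        rule("ACCEPT", physdev_out="eth0", is_bridged=True),
    ],
    "BF-cloudbr0-IN": [rule("i-1-659-def", physdev_in="vnet0", is_bridged=True)],
    "BF-cloudbr0-OUT": [rule("i-1-659-def", physdev_out="vnet0", is_bridged=True)],
    "i-1-659-VM": [rule("DROP")],        # per-VM ingress chain: nothing allowed yet
    "i-1-659-VM-eg": [rule("RETURN")],   # per-VM egress chain: everything falls through
    "i-1-659-def": [
        rule("ACCEPT", state={"RELATED", "ESTABLISHED"}),
        rule("ACCEPT", proto="udp", physdev_in="vnet0", is_bridged=True, sport=68, dport=67),
        rule("ACCEPT", proto="udp", physdev_out="vnet0", is_bridged=True, sport=67, dport=68),
        rule("RETURN", proto="udp", src="172.18.48.213", physdev_in="vnet0", is_bridged=True, dport=53),
        rule("i-1-659-VM-eg", src="172.18.48.213", physdev_in="vnet0", is_bridged=True),
        rule("i-1-659-VM", physdev_out="vnet0", is_bridged=True),
    ],
}


def packet(proto, src, dport, physdev_in, physdev_out, sport=40000, state="NEW"):
    """Constructed packet: which bridge port it entered and will leave by."""
    return dict(proto=proto, src=src, sport=sport, dport=dport,
                physdev_in=physdev_in, physdev_out=physdev_out, state=state)


SSH_FROM_OUTSIDE = packet("tcp", "172.18.48.10", 22, "eth0", "vnet0")
VM_TO_WEB        = packet("tcp", "172.18.48.213", 80, "vnet0", "eth0")
VM_DHCP_DISCOVER = packet("udp", "0.0.0.0", 67, "vnet0", "eth0", sport=68)
VM_DNS_QUERY     = packet("udp", "172.18.48.213", 53, "vnet0", "eth0")


def _port_ok(want, have):
    lo, hi = want if isinstance(want, tuple) else (want, want)
    return lo <= have <= hi


def matches(m, pkt):
    """Evaluate the physdev, protocol, port, source and conntrack-state matches."""
    bridged = pkt["physdev_in"] is not None and pkt["physdev_out"] is not None
    return all([
        not m.get("is_bridged") or bridged,
        not m.get("is_in") or pkt["physdev_in"] is not None,
        not m.get("is_out") or pkt["physdev_out"] is not None,
        m.get("physdev_in", pkt["physdev_in"]) == pkt["physdev_in"],
        m.get("physdev_out", pkt["physdev_out"]) == pkt["physdev_out"],
        m.get("proto", pkt["proto"]) == pkt["proto"],
        "sport" not in m or _port_ok(m["sport"], pkt["sport"]),
        "dport" not in m or _port_ok(m["dport"], pkt["dport"]),
        "src" not in m or ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(m["src"]),
        "state" not in m or pkt["state"] in m["state"],
    ])


def walk(chains, name, pkt, trace):
    """First matching terminal verdict wins; a user chain that runs out RETURNs."""
    for num, r in enumerate(chains[name], 1):
        if not matches(r["match"], pkt):
            continue
        trace.append(f"{name}:{num}->{r['target']}")
        if r["target"] in ("ACCEPT", "DROP", "RETURN"):
            return r["target"]
        sub = walk(chains, r["target"], pkt, trace)
        if sub in ("ACCEPT", "DROP"):
            return sub          # a RETURN from the sub-chain keeps walking here
    return "RETURN"


def verdict(chains, pkt):
    trace = []
    v = walk(chains, "FORWARD", pkt, trace)
    return (POLICY["FORWARD"] if v == "RETURN" else v), trace


def add_ingress_rule(chains, vm_chain, proto, dport, cidr):
    """Copy of the tables with an ACCEPT ahead of the VM chain's terminal DROP
    (assumption: this is the host-side effect of a security-group ingress rule)."""
    new = copy.deepcopy(chains)
    new[vm_chain].insert(0, rule("ACCEPT", proto=proto, dport=dport, src=cidr))
    return new


if __name__ == "__main__":
    for label, pkt in [("ssh from outside", SSH_FROM_OUTSIDE), ("vm -> web", VM_TO_WEB),
                       ("vm dhcp", VM_DHCP_DISCOVER), ("vm dns", VM_DNS_QUERY)]:
        print(label, *verdict(CHAINS, pkt))
    opened = add_ingress_rule(CHAINS, "i-1-659-VM", "tcp", 22, "0.0.0.0/0")
    print("ssh after ingress rule", *verdict(opened, SSH_FROM_OUTSIDE))
```

Running it shows the inbound SSH SYN ending at i-1-659-VM:1->DROP, because the per-VM ingress chain holds nothing but the DROP, while VM-originated DHCP and DNS are accepted inside i-1-659-def and other outbound traffic by the physdev-out eth0 ACCEPT in BF-cloudbr0. On a real host, add the ingress rule through CloudStack's security-group API (authorizeSecurityGroupIngress, from the UI or cloudmonkey) rather than with iptables by hand, since the agent rewrites these per-VM chains.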