Date: Mon, 11 Feb 2013 21:24:58 +0000
Subject: Iptables blocking vms on kvm host
From: Noel King
To: cloudstack-users@incubator.apache.org

Hi

I have set up KVM hosts for CloudStack 4 using the details in the installation guide:
http://incubator.apache.org/cloudstack/docs/en-US/Apache_CloudStack/4.0.0-incubating/html-single/Installation_Guide/index.html#hypervisor-kvm-install-flow

This setup includes iptables configuration. However, after creating VMs on that host, they are blocked unless I ssh directly from that KVM host machine. This means all external machines, including VMs on other KVM hosts, cannot connect either.

After a VM is created on this host the iptables configuration is changed to the following state (below), which is preventing non-local access to the VM.

Any insight here as to how CloudStack's updating of iptables is preventing connectivity would be greatly appreciated.
Kind regards,
Noel

IPTABLES STATE AFTER VM CREATED
=============================================
Table: filter

Chain INPUT (policy ACCEPT)
num  target           prot opt source          destination
1    ACCEPT           tcp  --  0.0.0.0/0       0.0.0.0/0     tcp dpts:49152:49216
2    ACCEPT           tcp  --  0.0.0.0/0       0.0.0.0/0     tcp dpts:5900:6100
3    ACCEPT           tcp  --  0.0.0.0/0       0.0.0.0/0     tcp dpt:16509
4    ACCEPT           tcp  --  0.0.0.0/0       0.0.0.0/0     tcp dpt:1798
5    ACCEPT           tcp  --  0.0.0.0/0       0.0.0.0/0     tcp dpt:22

Chain FORWARD (policy ACCEPT)
num  target           prot opt source          destination
1    BF-cloudbr0      all  --  0.0.0.0/0       0.0.0.0/0     PHYSDEV match --physdev-is-bridged
2    BF-cloudbr0      all  --  0.0.0.0/0       0.0.0.0/0     PHYSDEV match --physdev-is-bridged
3    DROP             all  --  0.0.0.0/0       0.0.0.0/0
4    DROP             all  --  0.0.0.0/0       0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target           prot opt source          destination

Chain BF-cloudbr0 (2 references)
num  target           prot opt source          destination
1    ACCEPT           all  --  0.0.0.0/0       0.0.0.0/0     state RELATED,ESTABLISHED
2    BF-cloudbr0-IN   all  --  0.0.0.0/0       0.0.0.0/0     PHYSDEV match --physdev-is-in --physdev-is-bridged
3    BF-cloudbr0-OUT  all  --  0.0.0.0/0       0.0.0.0/0     PHYSDEV match --physdev-is-out --physdev-is-bridged
4    ACCEPT           all  --  0.0.0.0/0       0.0.0.0/0     PHYSDEV match --physdev-out eth0 --physdev-is-bridged

Chain BF-cloudbr0-IN (1 references)
num  target           prot opt source          destination
1    i-1-659-def      all  --  0.0.0.0/0       0.0.0.0/0     PHYSDEV match --physdev-in vnet0 --physdev-is-bridged

Chain BF-cloudbr0-OUT (1 references)
num  target           prot opt source          destination
1    i-1-659-def      all  --  0.0.0.0/0       0.0.0.0/0     PHYSDEV match --physdev-out vnet0 --physdev-is-bridged

Chain i-1-659-VM (1 references)
num  target           prot opt source          destination
1    DROP             all  --  0.0.0.0/0       0.0.0.0/0

Chain i-1-659-VM-eg (1 references)
num  target           prot opt source          destination
1    RETURN           all  --  0.0.0.0/0       0.0.0.0/0

Chain i-1-659-def (2 references)
num  target           prot opt source          destination
1    ACCEPT           all  --  0.0.0.0/0       0.0.0.0/0     state RELATED,ESTABLISHED
2    ACCEPT           udp  --  0.0.0.0/0       0.0.0.0/0     PHYSDEV match --physdev-in vnet0 --physdev-is-bridged udp spt:68 dpt:67
3    ACCEPT           udp  --  0.0.0.0/0       0.0.0.0/0     PHYSDEV match --physdev-out vnet0 --physdev-is-bridged udp spt:67 dpt:68
4    RETURN           udp  --  172.18.48.213   0.0.0.0/0     PHYSDEV match --physdev-in vnet0 --physdev-is-bridged udp dpt:53
5    i-1-659-VM-eg    all  --  172.18.48.213   0.0.0.0/0     PHYSDEV match --physdev-in vnet0 --physdev-is-bridged
6    i-1-659-VM       all  --  0.0.0.0/0       0.0.0.0/0     PHYSDEV match --physdev-out vnet0 --physdev-is-bridged

Table: nat

Chain PREROUTING (policy ACCEPT)
num  target           prot opt source          destination

Chain POSTROUTING (policy ACCEPT)
num  target           prot opt source          destination

Chain OUTPUT (policy ACCEPT)
num  target           prot opt source          destination
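The rule set Noel posted can be traced by hand, but a small rule walker makes the path a packet takes through the chains explicit. The following is an added example, not code from the post or from CloudStack: the chain contents are transcribed from the dump above, while the packet model and the walker are a deliberately simplified re-implementation of iptables semantics (first match wins, a user chain returns to its caller when it runs out of rules, physdev matches are modelled as plain packet fields). The external client address 10.0.0.5 and the host address 172.18.48.1 are made up; 172.18.48.213 and the device names come from the dump. The host-originated case is modelled on the fact that locally generated packets traverse OUTPUT rather than FORWARD, which is why the dump's empty OUTPUT chain (policy ACCEPT) lets ssh from the KVM host itself through.

```python
"""Walk sample packets through the FORWARD-chain rule set quoted in the post.

Added example (not CloudStack's or the poster's code). Chains are transcribed
from the iptables dump; matching semantics are simplified.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Packet:
    proto: str                          # "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    state: str = "NEW"                  # conntrack state: NEW, ESTABLISHED, RELATED
    physdev_in: Optional[str] = None    # bridge port the frame entered on
    physdev_out: Optional[str] = None   # bridge port the frame will leave on


Match = Callable[[Packet], bool]


@dataclass
class Rule:
    target: str
    match: Match = lambda p: True       # "all -- 0.0.0.0/0 0.0.0.0/0": matches everything


# Matcher builders mirroring the match columns of the dump.
def proto(name: str) -> Match: return lambda p: p.proto == name
def sport(n: int) -> Match: return lambda p: p.sport == n
def dport(n: int) -> Match: return lambda p: p.dport == n
def src(addr: str) -> Match: return lambda p: p.src == addr
def state(*names: str) -> Match: return lambda p: p.state in names
def pin(dev: str) -> Match: return lambda p: p.physdev_in == dev        # --physdev-in DEV
def pout(dev: str) -> Match: return lambda p: p.physdev_out == dev      # --physdev-out DEV
def is_in() -> Match: return lambda p: p.physdev_in is not None          # --physdev-is-in
def is_out() -> Match: return lambda p: p.physdev_out is not None        # --physdev-is-out
def bridged() -> Match: return lambda p: p.physdev_in is not None or p.physdev_out is not None
def all_of(*ms: Match) -> Match: return lambda p: all(m(p) for m in ms)


# Transcription of the filter table's FORWARD path from the post.
CHAINS: Dict[str, List[Rule]] = {
    "FORWARD": [Rule("BF-cloudbr0", bridged()), Rule("BF-cloudbr0", bridged()),
                Rule("DROP"), Rule("DROP")],
    "BF-cloudbr0": [Rule("ACCEPT", state("RELATED", "ESTABLISHED")),
                    Rule("BF-cloudbr0-IN", is_in()),
                    Rule("BF-cloudbr0-OUT", is_out()),
                    Rule("ACCEPT", pout("eth0"))],
    "BF-cloudbr0-IN": [Rule("i-1-659-def", pin("vnet0"))],
    "BF-cloudbr0-OUT": [Rule("i-1-659-def", pout("vnet0"))],
    "i-1-659-VM": [Rule("DROP")],          # ingress chain for the VM: only a DROP
    "i-1-659-VM-eg": [Rule("RETURN")],     # egress chain for the VM: falls through
    "i-1-659-def": [Rule("ACCEPT", state("RELATED", "ESTABLISHED")),
                    Rule("ACCEPT", all_of(proto("udp"), pin("vnet0"), sport(68), dport(67))),
                    Rule("ACCEPT", all_of(proto("udp"), pout("vnet0"), sport(67), dport(68))),
                    Rule("RETURN", all_of(proto("udp"), src("172.18.48.213"), pin("vnet0"), dport(53))),
                    Rule("i-1-659-VM-eg", all_of(src("172.18.48.213"), pin("vnet0"))),
                    Rule("i-1-659-VM", pout("vnet0"))],
}
FORWARD_POLICY = "ACCEPT"
TERMINAL = {"ACCEPT", "DROP"}


def walk(chain: str, p: Packet, trace: List[str]) -> Optional[str]:
    """Evaluate one chain; return ACCEPT/DROP, or None if the chain falls through."""
    for num, rule in enumerate(CHAINS[chain], 1):
        if not rule.match(p):
            continue
        trace.append(f"{chain}:{num} -> {rule.target}")
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            return None
        verdict = walk(rule.target, p, trace)       # jump into a user chain
        if verdict is not None:
            return verdict
    return None                                     # chain exhausted: back to caller


def verdict(p: Packet, locally_generated: bool = False) -> Tuple[str, List[str]]:
    """Verdict plus rule trace for a packet on the host's bridge."""
    if locally_generated:
        # Packets the host itself sends traverse OUTPUT, never FORWARD; the
        # dump's OUTPUT chain is empty with policy ACCEPT.
        return "ACCEPT", ["OUTPUT policy -> ACCEPT (FORWARD not traversed)"]
    trace: List[str] = []
    v = walk("FORWARD", p, trace)
    if v is None:
        v = FORWARD_POLICY
        trace.append(f"FORWARD policy -> {v}")
    return v, trace


# Constructed sample traffic: (packet, locally generated on the host?).
VM, EXT, HOST = "172.18.48.213", "10.0.0.5", "172.18.48.1"
SCENARIOS: Dict[str, Tuple[Packet, bool]] = {
    "new ssh from external host to VM":
        (Packet("tcp", EXT, VM, 40000, 22, "NEW", physdev_in="eth0", physdev_out="vnet0"), False),
    "reply to a connection the VM opened":
        (Packet("tcp", EXT, VM, 80, 50000, "ESTABLISHED", physdev_in="eth0", physdev_out="vnet0"), False),
    "VM opens tcp to external host":
        (Packet("tcp", VM, EXT, 50000, 80, "NEW", physdev_in="vnet0", physdev_out="eth0"), False),
    "VM DHCP discover":
        (Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67, "NEW", physdev_in="vnet0", physdev_out="eth0"), False),
    "new ssh from the KVM host itself to VM":
        (Packet("tcp", HOST, VM, 40001, 22, "NEW"), True),
}


def run_all() -> Dict[str, str]:
    """Map each scenario name to its verdict."""
    return {name: verdict(p, local)[0] for name, (p, local) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (p, local) in SCENARIOS.items():
        v, trace = verdict(p, local)
        print(f"{name}: {v}\n    " + "\n    ".join(trace))
```

Running it shows the new inbound ssh ending at `i-1-659-VM:1 -> DROP` after passing through BF-cloudbr0-OUT and i-1-659-def rule 6, while established replies, DHCP and VM-originated connections are accepted and host-originated ssh never enters FORWARD at all. That matches the symptoms in the post: the per-VM ingress chain in the dump holds nothing but a DROP, so any new connection from outside the host is dropped regardless of the INPUT-chain ports the installation guide opened.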