From: clement mutz
To: users@cloudstack.apache.org
Date: Fri, 15 Aug 2014 18:47:23 +0200 (CEST)
Subject: Re: question about security group
Message-ID: <31768381.123.1408121234945.JavaMail.MUTZ@Support-1-PC>

Hi Skrev,

> Get the verbose iptables output.
> iptables -Lnv

root@v-2-VM:/var/www# iptables -vnL
Chain INPUT (policy DROP 77 packets, 25256 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  988 75720 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 4242  411K ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  327 25304 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 13
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
   10   600 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:3922
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8001
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8001
    0     0 ACCEPT     tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
    0     0 ACCEPT     tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 5334 packets, 603K bytes)
 pkts bytes target     prot opt in     out     source               destination

Get the verbose iptables output.
iptables -Lnv

On 15 Aug 2014 18:24, "clement mutz" wrote:
>
> Hi,
>
> What's wrong with my configuration ? I forgot something ?
>
> >> Start by running tcpdump along the network path and try to isolate
> >> the faulty network configuration.
>
> OK, I am running tcpdump on the console proxy and I can see packets.
>
> With the following command on the console proxy : tcpdump -vv -i eth1
>
> Quote
> 16:05:14.378905 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.209 tell 10.254.50.45, length 46
> 16:05:15.377608 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.209 tell 10.254.50.45, length 46
> 16:05:16.377600 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.209 tell 10.254.50.45, length 46
> 16:05:17.395947 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.209 tell 10.254.50.45, length 46
> 16:05:18.393719 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.209 tell 10.254.50.45, length 46
> 16:05:18.828127 IP (tos 0x0, ttl 64, id 30676, offset 0, flags [DF], proto TCP (6), length 56)
>     10.254.50.201.58036 > 10.254.50.45.8250: Flags [P.], cksum 0x7b1c (incorrect -> 0xdd06), seq 3973496:3973500, ack 1507845368, win 2641, options [nop,nop,TS val 826858 ecr 954898], length 4
> seq 3973496:3973500, ack 1507845368, win
> eq 1:5, ack 217, win 331, options [nop,nop,TS val 956151 ecr 826868], length 4
> 16:05:18.883024 IP (tos 0x0, ttl 64, id 30678, offset 0, flags [DF], proto TCP (6), length 52)
>
> I see packets come on my console proxy.
> I didn't touch the iptables rules.
>
> iptables -L on the console proxy :
>
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> DROP       icmp --  anywhere             anywhere             icmp timestamp-request
> ACCEPT     icmp --  anywhere             anywhere
> ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:3922
> ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:8001
> ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:8001
> ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https
> ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
>
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Thanks for your reply.
>
> Clément
>
> -------------------------------------------
>
> Hi,
>
> I give you my different tests. The first problem: I can't ping the system VM (internal NIC and external NIC) from the same network (from the computing node, for example).
>
> I can ping a host on the internal NIC network (10.254.50.0/24) from the system VM.
>
> IP address of the computing node: 10.254.50.45.
> IP address of the console proxy VM: 10.254.50.209
>
> On the console proxy VM :
>
> root@v-2-VM:~# route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 0.0.0.0         37.122.XXX.XX   0.0.0.0         UG    0      0        0 eth2
> 8.8.8.8         10.254.50.254   255.255.255.255 UGH   0      0        0 eth1
> 10.254.50.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 37.122.XXX.XXX  0.0.0.0         255.255.255.XXX U     0      0        0 eth2
> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
>
> I can ping www.google.fr, my two gateways and a host for test:
>
> root@v-2-VM:~# ping -c2 www.google.fr
> PING www.google.fr (173.194.66.94): 48 data bytes
> 56 bytes from 173.194.66.94: icmp_seq=0 ttl=48 time=5.989 ms
> 56 bytes from 173.194.66.94: icmp_seq=1 ttl=48 time=5.959 ms
> --- www.google.fr ping statistics ---
> 2 packets transmitted, 2 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 5.959/5.974/5.989/0.000 ms
>
> root@v-2-VM:~# ping -c2 10.254.50.254
> PING 10.254.50.254 (10.254.50.254): 48 data bytes
> 56 bytes from 10.254.50.254: icmp_seq=0 ttl=64 time=0.250 ms
> 56 bytes from 10.254.50.254: icmp_seq=1 ttl=64 time=0.251 ms
> --- 10.254.50.254 ping statistics ---
> 2 packets transmitted, 2 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 0.250/0.251/0.251/0.000 ms
>
> root@v-2-VM:~# ping -c2 37.122.XXX.XXX
> PING 37.122.XXX.XXX (37.122.XXX.XXX): 48 data bytes
> 56 bytes from 37.122.XXX.XXX: icmp_seq=0 ttl=64 time=0.284 ms
> 56 bytes from 37.122.XXX.XXX: icmp_seq=1 ttl=64 time=0.173 ms
> --- 37.122.XXX.XXX ping statistics ---
> 2 packets transmitted, 2 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 0.173/0.228/0.284/0.056 ms
>
> root@v-2-VM:~# ping -c2 10.254.50.123
> PING 10.254.50.123 (10.254.50.123): 48 data bytes
> 56 bytes from 10.254.50.123: icmp_seq=0 ttl=128 time=1.468 ms
> 56 bytes from 10.254.50.123: icmp_seq=1 ttl=128 time=0.345 ms
> --- 10.254.50.123 ping statistics ---
> 2 packets transmitted, 2 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 0.345/0.906/1.468/0.562 ms
>
> From my computing node I can ping the gateway but not the system VM :
>
> root@ubuntu:/# ping -c2 10.254.50.254
> PING 10.254.50.254 (10.254.50.254) 56(84) bytes of data.
> 64 bytes from 10.254.50.254: icmp_req=1 ttl=64 time=1.14 ms
> 64 bytes from 10.254.50.254: icmp_req=2 ttl=64 time=0.238 ms
>
> --- 10.254.50.254 ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 1001ms
> rtt min/avg/max/mdev = 0.238/0.691/1.145/0.454 ms
>
> root@ubuntu:/# ping -c2 10.254.50.209
> PING 10.254.50.209 (10.254.50.209) 56(84) bytes of data.
>
> --- 10.254.50.209 ping statistics ---
> 2 packets transmitted, 0 received, 100% packet loss, time 1000ms
>
> Is there a hidden firewall ?
>
>
> Hi Tejas,
>
> > Thank you for your reply. I already tried to configure the firewall rules (ex : http://i.imgur.com/oiGMMle.png).
> > No access to my instances.
>
> >> From the VM instance, are you able to ICMP ping the virtual router? If you can't,
> >> then please check your network VLAN assignments and traffic label configurations
>
> Yes, very good point ! I can't ping the virtual router from the VM instance.
> So to validate my network I duplicated the network configuration created by CloudStack on another XenServer (same environment, same switch ...) ;).
> So on another XenServer I created two VMs (with XenCenter) and PING worked.
> Picture with the network configuration created by CloudStack (see vl41): http://i.imgur.com/K8Bo3kK.png .
> Picture with the network configuration created by me on another Xen pool: http://i.imgur.com/ieYD5Oy.png
>
> On CloudStack my traffic labels: http://i.imgur.com/P7ZRbf7.png
>
> > I have no access to the system VMs (console, secondary storage).
>
> >> If you are not able to access the system VMs, then I would first
> >> make sure my Zone network configuration and the hypervisor
> >> network traffic types are configured correctly.
>
> ---------------------------------------------------------------
> interfaces     | with isolation mode | without isolation mode
> administration | Vl50                | Vl50
> public         | NONE                | Vl60
> guest          | Vl60                | Vl50
> Storage        | Vl20                | Vl20
> ---------------------------------------------------------------
>
> As you see, it's the traffic label configuration. With isolation mode CloudStack works without problem.
> With isolation mode I declared my guest network (label Vl60) as the public network (testing). And I can ping my system VMs (console and storage) and my instances by the public NIC.
> I can ping the administration network too (not possible without isolation mode).
>
> I am sure of my zone network configuration (at 99%) because I created an advanced zone with isolation mode and that worked (access) ;)
>
> > My network is OK because when I configure my zone with security groups I have access
> > to the system VMs and to my instances.
>
> >> Basic network and Advanced Networks work very differently. Advanced network uses VLANs
> >> which if configured incorrectly can lead to issues like the one you are facing.
>
> Thank you, but when I say "configuring my zone with security group", I talk about advanced network and I check "Isolation mode" :) .
>
>
> Hi Clement,
>
> Comments inline.
>
> On 08-Aug-2014, at 12:18 am, clement mutz wrote:
>
> > Thank you for your reply. I already tried to configure the firewall rules (ex : http://i.imgur.com/oiGMMle.png).
> > No access to my instances.
>
> From the VM instance, are you able to ICMP ping the virtual router? If you can't,
> then please check your network VLAN assignments and traffic label configurations
>
> > I have no access to the system VMs (console, secondary storage).
>
> If you are not able to access the system VMs, then I would first
> make sure my Zone network configuration and the hypervisor
> network traffic types are configured correctly.
>
> > My network is OK because when I configure my zone with security groups I have access
> > to the system VMs and to my instances.
>
> Basic network and Advanced Networks work very differently. Advanced network uses VLANs
> which if configured incorrectly can lead to issues like the one you are facing.
>
> > What's wrong with my configuration ? I forgot something ?
>
> Start by running tcpdump along the network path and try to isolate
> the faulty network configuration.
>
> > Sorry for my bad English. I am learning ;)
> >
> > Thank you very much.
>
> No problems.
>
> > Clément
> >
> > Comments inline.
> >
> > On 07-Aug-2014, at 6:24 pm, clement mutz wrote:
> >
> >> Hi Shanker,
> >>
> >>> Look under Network -> Select View -> Security Groups.
> >>
> >> Thank you, but the problem appears when I choose an advanced zone without security group. So I can't see Security Groups (http://i.imgur.com/WR18PPl.png) ;)
> >>
> >
> > Advanced zones don't have security groups by default. Only EGRESS and INGRESS rules.
> >
> >> How can I configure the different access without security group ?
> >
> > Looking at your screenshot, go to Network -> Isolated Network (vl400) -> Egress Rules and
> > Network -> Isolated Network (vl400) -> Source NAT -> Configuration -> Firewall Rules.
> >
> >>
> >>> The ML strips out attachment. You can use http://imgur.com to share images.
> >>
> >> Thanks for your information :)
> >>
> >> I can't choose Security group when I create a zone with a public network (I mean with a public NIC) (http://i.imgur.com/52bjasU.png and http://i.imgur.com/UN9RXR2.png)...
> >> I don't understand why.
> >> When I create a zone with security group, no problem, I can use ACL Ingress and Egress rules but I don't have a public interface (http://i.imgur.com/EhBAbvC.png and http://i.imgur.com/GjhFOZD.png).
> >>
> >> ----- Original Message -----
> >> From: "Shanker Balan"
> >> To: "CloudStack-Users"
> >> Sent: Thursday 7 August 2014 13:49:40
> >> Subject: Re: question about security group
> >>
> >> Comments inline.
> >>
> >> On 07-Aug-2014, at 3:44 pm, clement mutz wrote:
> >>
> >>> Hi Tejas,
> >>>
> >>> I cannot see the security group in the network tab.
> >>
> >> Look under Network -> Select View -> Security Groups.
> >>
> >>> I can't choose Security group when I create a zone with a public network (I mean with a public NIC) (picture 1 and 2)... I don't understand why.
> >>> When I create a zone with security group, no problem, I can use ACL Ingress and Egress rules but I don't have a public interface (picture 3 and 4).
> >>
> >> The ML strips out attachment. You can use http://imgur.com to share images.
> >>
> >> --
> >> @shankerbalan
> >>
> >> M: +91 98860 60539 | O: +91 (80) 67935867
> >> shanker.balan@shapeblue.com | www.shapeblue.com | Twitter:@shapeblue
> >> ShapeBlue Services India LLP, 22nd floor, Unit 2201A, World Trade Centre, Bangalore - 560 055
> >>
> >> Find out more about ShapeBlue and our range of CloudStack related services
> >>
> >> IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
> >> CSForge – rapid IaaS deployment framework
> >> CloudStack Consulting
> >> CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
> >> CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
> >>
> >> This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
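The capture quoted in this thread shows repeated ARP requests for 10.254.50.209 arriving on the console proxy's eth1 with no reply, while the `iptables -vnL` listing shows the INPUT chain accepting ICMP. Since iptables filters IP packets only and never sees ARP, those two facts can be checked mechanically to separate a link-layer (interface/VLAN) fault from a filter fault. The script below is an added example written for this editorial pass; it is not code from the thread, from the list members, or from CloudStack. Its sample inputs are constructed in the shape of the tcpdump and iptables output quoted above (the ARP reply from 10.254.50.254 and its MAC address are invented for contrast), and only the match extensions that appear in the thread, conntrack `state` and `icmptype`, are modelled when deciding the ICMP verdict.

```python
"""Tell a link-layer (ARP/VLAN) problem from an iptables problem using
the two kinds of output quoted in the thread.

Added example, not code from the mailing-list thread or from CloudStack.
Sample inputs are constructed; the reply from 10.254.50.254 is invented.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of `tcpdump -vv -i eth1` on the console proxy.
TCPDUMP_SAMPLE = """\
16:05:14.378905 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.209 tell 10.254.50.45, length 46
16:05:15.377608 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.209 tell 10.254.50.45, length 46
16:05:16.377600 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.209 tell 10.254.50.45, length 46
16:05:16.500000 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.254 tell 10.254.50.45, length 46
16:05:16.500300 ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.254.50.254 is-at 00:00:5e:00:53:01, length 46
16:05:18.828127 IP (tos 0x0, ttl 64, id 30676, offset 0, flags [DF], proto TCP (6), length 56)
"""

# Constructed sample in the shape of `iptables -vnL` on the console proxy.
IPTABLES_SAMPLE = """\
Chain INPUT (policy DROP 77 packets, 25256 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  988 75720 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 4242  411K ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 13
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8001

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

ARP_REQUEST = re.compile(r"\bRequest who-has (\S+) tell (\S+),")
ARP_REPLY = re.compile(r"\bReply (\S+) is-at ")
CHAIN_HEADER = re.compile(r"^Chain (\S+) \(policy (\S+)")


def unanswered_arp(capture: str) -> dict:
    """Map each ARP target address that never answered to its request count."""
    requests = defaultdict(int)
    answered = set()
    for line in capture.splitlines():
        req = ARP_REQUEST.search(line)
        if req:
            requests[req.group(1)] += 1
            continue
        rep = ARP_REPLY.search(line)
        if rep:
            answered.add(rep.group(1))
    return {ip: n for ip, n in requests.items() if ip not in answered}


def _count(token: str) -> int:
    """Turn an iptables counter such as '411K' into an integer (iptables scales by 1000)."""
    scale = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
    if token[-1] in scale:
        return int(token[:-1]) * scale[token[-1]]
    return int(token)


def parse_iptables(output: str) -> dict:
    """Parse `iptables -vnL` into {chain: {"policy": ..., "rules": [...]}}."""
    chains, current = {}, None
    for line in output.splitlines():
        header = CHAIN_HEADER.match(line)
        if header:
            current = header.group(1)
            chains[current] = {"policy": header.group(2), "rules": []}
            continue
        fields = line.split()
        if current is None or len(fields) < 9 or fields[0] == "pkts":
            continue  # blank line or column header
        chains[current]["rules"].append({
            "pkts": _count(fields[0]),
            "target": fields[2], "prot": fields[3],
            "in": fields[5], "out": fields[6],
            "src": fields[7], "dst": fields[8],
            "extra": " ".join(fields[9:]),  # match extensions, e.g. "state NEW tcp dpt:8001"
        })
    return chains


def icmp_echo_verdict(chains: dict, iface: str) -> str:
    """First-match verdict of INPUT for a new ICMP echo request arriving on iface.

    Only conntrack state and icmptype are modelled; any other extension on a
    rule is treated as matching.
    """
    chain = chains["INPUT"]
    for rule in chain["rules"]:
        if rule["prot"] not in ("icmp", "all"):
            continue
        if rule["in"] not in ("*", iface):
            continue
        if "RELATED,ESTABLISHED" in rule["extra"]:
            continue  # a fresh echo request is NEW, so this rule does not match
        if "icmptype" in rule["extra"] and "icmptype 8" not in rule["extra"]:
            continue  # rule is for another ICMP type (13 = timestamp request)
        return rule["target"]
    return chain["policy"]


def diagnose(capture: str, iptables_output: str, target_ip: str, iface: str) -> str:
    """Combine both checks into one finding for the address being pinged."""
    silent = unanswered_arp(capture)
    verdict = icmp_echo_verdict(parse_iptables(iptables_output), iface)
    if target_ip in silent:
        # iptables never sees ARP, so the filter rules cannot be what drops these.
        return (f"{target_ip}: {silent[target_ip]} ARP request(s) on {iface} unanswered; "
                f"look at the interface/VLAN, not the filter (INPUT would {verdict} echo)")
    return f"{target_ip}: ARP answered; INPUT chain verdict for echo on {iface} is {verdict}"


if __name__ == "__main__":
    print(diagnose(TCPDUMP_SAMPLE, IPTABLES_SAMPLE, "10.254.50.209", "eth1"))
```

Feed it real `tcpdump -vv` and `iptables -vnL` output from the system VM in place of the constructed samples; an address that shows up in `unanswered_arp` is one the VM is not answering for on that segment, which is where the thread's VLAN and traffic-label questions start.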