cloudstack-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kirk Kosinski <kirkkosin...@gmail.com>
Subject Re: Problems with firewall
Date Thu, 11 Sep 2014 04:57:51 GMT
Hi, Carlos.  Did you install the CSP on your XS hosts?  Also is Open
vSwitch enabled or disabled?

Best regards,
Kirk

On 09/10/2014 02:55 PM, Carlos Reategui wrote:
> Hi All,
> This is a problem I have had for a while and worked around but would like
> to get a proper solution for.   I have configured a basic shared network
> without security groups.  The hosts are Xen 6.0.2.  I am currently on 4.3
> but had this problem previously on 4.1.x and 4.2.x also.
> 
> The problem is that the iptables firewall is not getting configured
> properly on the hosts and therefore I am unable to connect to any of the
> VM's on that particular host.  My current solution is to have a crontab
> every 5 minutes issue an "/etc/init.d/iptables stop".  The reason I have to
> have it on a cron is that every time I create a new instance, the
> cloudstack management server also sends a command to configure the firewall
> which also turns it back on  (I guess I could also put an exit near the top
> of the iptables script but that is still a workaround).  My network
> offering does not have security groups so, as expected, I don't have a
> means to edit ingress/egress rules.
> 
> Has anyone else run into this?  Is this a bug or something that I have not
> properly configured?
> 
> Here is the output of the firewall on one of the hosts after creating a new
> instance:
> # iptables -L -n
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> BRIDGE-FIREWALL  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV
> match --physdev-is-bridged
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match
> --physdev-out eth2+ --physdev-is-bridged
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match
> --physdev-out eth6+ --physdev-is-bridged
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match
> --physdev-out eth5+ --physdev-is-bridged
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match
> --physdev-out eth7+ --physdev-is-bridged
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match
> --physdev-out eth3+ --physdev-is-bridged
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match
> --physdev-out eth1+ --physdev-is-bridged
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match
> --physdev-out eth4+ --physdev-is-bridged
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match
> --physdev-out bond0+ --physdev-is-bridged
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match
> --physdev-out eth0+ --physdev-is-bridged
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match
> --physdev-out bond1+ --physdev-is-bridged
> DROP       all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain BRIDGE-DEFAULT-FIREWALL (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state
> RELATED,ESTABLISHED
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match
> --physdev-is-bridged udp spt:68 dpt:67
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match
> --physdev-is-bridged udp spt:67 dpt:68
> 
> Chain BRIDGE-FIREWALL (1 references)
> target     prot opt source               destination
> BRIDGE-DEFAULT-FIREWALL  all  --  0.0.0.0/0            0.0.0.0/0
> i-3-93-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match
> --physdev-in vif20.0 --physdev-is-bridged
> i-3-93-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match
> --physdev-out vif20.0 --physdev-is-bridged
> 
> Chain i-3-93-VM (1 references)
> target     prot opt source               destination
> 
> Chain i-3-93-VM-eg (1 references)
> target     prot opt source               destination
> 
> Chain i-3-93-def (2 references)
> target     prot opt source               destination
> RETURN     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match
> --physdev-in vif20.0 --physdev-is-bridged set i-3-93-VM src udp dpt:53
> DROP       all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match
> --physdev-in vif20.0 --physdev-is-bridged !set i-3-93-VM src
> DROP       all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match
> --physdev-out vif20.0 --physdev-is-bridged !set i-3-93-VM dst
> i-3-93-VM-eg  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV
> match --physdev-in vif20.0 --physdev-is-bridged set i-3-93-VM src
> i-3-93-VM  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match
> --physdev-out vif20.0 --physdev-is-bridged
> 
> Thanks,
> Carlos
> 

Mime
View raw message