cloudstack-users mailing list archives

From Carlos Reategui <create...@gmail.com>
Subject Problems with firewall
Date Wed, 10 Sep 2014 21:55:40 GMT
Hi All,
This is a problem I have had for a while and worked around but would like
to get a proper solution for.  I have configured a basic shared network
without security groups.  The hosts are Xen 6.0.2.  I am currently on 4.3
but had this problem previously on 4.1.x and 4.2.x also.

The problem is that the iptables firewall is not getting configured
properly on the hosts and therefore I am unable to connect to any of the
VMs on that particular host.  My current solution is to have a crontab
every 5 minutes issue an "/etc/init.d/iptables stop".  The reason I have to
have it on a cron is that every time I create a new instance, the
cloudstack management server also sends a command to configure the firewall
which also turns it back on (I guess I could also put an exit near the top
of the iptables script but that is still a workaround).  My network
offering does not have security groups so, as expected, I don't have a
means to edit ingress/egress rules.

Has anyone else run into this?  Is this a bug or something that I have not
properly configured?

Here is the output of the firewall on one of the hosts after creating a new
instance:
# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
BRIDGE-FIREWALL  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth2+ --physdev-is-bridged
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth6+ --physdev-is-bridged
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth5+ --physdev-is-bridged
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth7+ --physdev-is-bridged
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth3+ --physdev-is-bridged
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth1+ --physdev-is-bridged
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth4+ --physdev-is-bridged
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out bond0+ --physdev-is-bridged
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth0+ --physdev-is-bridged
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out bond1+ --physdev-is-bridged
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain BRIDGE-DEFAULT-FIREWALL (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged udp spt:68 dpt:67
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged udp spt:67 dpt:68

Chain BRIDGE-FIREWALL (1 references)
target     prot opt source               destination
BRIDGE-DEFAULT-FIREWALL  all  --  0.0.0.0/0            0.0.0.0/0
i-3-93-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged
i-3-93-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif20.0 --physdev-is-bridged

Chain i-3-93-VM (1 references)
target     prot opt source               destination

Chain i-3-93-VM-eg (1 references)
target     prot opt source               destination

Chain i-3-93-def (2 references)
target     prot opt source               destination
RETURN     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged set i-3-93-VM src udp dpt:53
DROP       all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged !set i-3-93-VM src
DROP       all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif20.0 --physdev-is-bridged !set i-3-93-VM dst
i-3-93-VM-eg  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged set i-3-93-VM src
i-3-93-VM  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif20.0 --physdev-is-bridged

Thanks,
Carlos
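The ruleset quoted in the post can be checked mechanically. The script below is an added example, not part of Carlos's message or of CloudStack: it parses `iptables -L -n` output and reports per-VM chains (`i-<account>-<id>-VM`) that contain no ACCEPT while FORWARD ends in an unconditional DROP, which is the combination that leaves traffic to the VM's vif with nothing to accept it. The sample is a shortened, constructed copy of the listing in the post (FORWARD and the i-3-93 chains only); the chain and interface names are the post's.

```python
import re

# Shortened copy of the listing in the post (constructed sample).
SAMPLE = """\
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
BRIDGE-FIREWALL  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-is-bridged
ACCEPT     all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out eth0+ --physdev-is-bridged
DROP       all  --  0.0.0.0/0  0.0.0.0/0

Chain i-3-93-VM (1 references)
target     prot opt source               destination

Chain i-3-93-def (2 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out vif20.0 --physdev-is-bridged !set i-3-93-VM dst
i-3-93-VM  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out vif20.0 --physdev-is-bridged
"""

CHAIN_HDR = re.compile(r"Chain (\S+) \((?:policy \S+|\d+ references)\)")

def parse_chains(listing):
    """Map chain name -> [(target, prot, match_text), ...]."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = CHAIN_HDR.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif line.strip() and not line.startswith("target") and current:
            f = line.split(None, 5)  # target prot opt source destination [matches]
            chains[current].append((f[0], f[1], f[5] if len(f) > 5 else ""))
    return chains

def vm_chains_without_accept(chains):
    """Per-VM chains (i-<acct>-<id>-VM) holding no ACCEPT rule."""
    return sorted(n for n, rules in chains.items()
                  if re.fullmatch(r"i-\d+-\d+-VM", n)
                  and not any(t == "ACCEPT" for t, _, _ in rules))

def diagnose(listing):
    """A packet to the VM leaves its empty VM chain unmatched, fails FORWARD's
    --physdev-out eth*/bond* ACCEPTs (its out-device is the vif) and hits
    FORWARD's trailing unconditional DROP; report each such VM chain."""
    chains = parse_chains(listing)
    fwd = chains.get("FORWARD", [])
    if not (fwd and fwd[-1][0] == "DROP" and fwd[-1][2] == ""):
        return []  # no terminal DROP in FORWARD: an empty VM chain passes traffic
    return [f"{n}: no ACCEPT rule; traffic to its vif hits FORWARD's final DROP"
            for n in vm_chains_without_accept(chains)]
```

The `!set i-3-93-VM dst` DROP in the def chain additionally requires the VM's address to be present in the ipset of the same name, which this listing alone cannot show; `ipset list i-3-93-VM` on the host answers that.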
