cloudstack-users mailing list archives

From Jeroen Keerl <jeroen.ke...@keerl-it.com>
Subject AW: SecurityGroup - not working?
Date Thu, 22 Sep 2016 19:57:20 GMT
Hi,

Vivek was absolutely right:
I pulled a "history" from both xenhosts and the part of the sysctl.conf you mentioned.
Although my settings in the sysctl.conf were correct, I forgot to issue the sysctl -p /etc/sysctl.conf command.

After doing so, ingress and egress rules become active or inactive immediately.

Thanks Vivek!

JK

From: Vivek Kumar [mailto:vivek.kumar@indiqus.com]
Sent: Thursday, 22 September 2016 09:30
To: users@cloudstack.apache.org; jeroen.keerl@keerl-it.com
Subject: Re: SecurityGroup - not working?

Yeah sure, because I had the same problem and it was resolved by changing these settings
in the sysctl file.

On Thu, Sep 22, 2016 at 12:38 PM, Jeroen Keerl <mailto:jeroen.keerl@keerl-it.com> wrote:
Hi Vivek,
I'll check the sysctl settings again tonight, but I am quite sure I set those correctly. Everything
else was done "by the book".
Cheers
JK


Sent from my Samsung Galaxy smartphone.

-------- Original message --------
From: Vivek Kumar <mailto:vivek.kumar@indiqus.com>
Date: 22.09.2016 08:14 (GMT+01:00)
To: mailto:users@cloudstack.apache.org, mailto:jeroen.keerl@keerl-it.com
Subject: Re: SecurityGroup - not working?

Hello Jeroen,

When you set up a basic zone in CloudStack with XenServer, you need to change
a few things on your XenServer.

1- *xe-switch-network-backend bridge* (I hope you have already done this).
2- You also need to make some changes in the sysctl conf file for security
groups.

Make the changes below in /etc/sysctl.conf on XenServer:

net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-arptables = 1

and run this command

# sysctl -p /etc/sysctl.conf

I hope this will work.

*Vivek Kumar*
Virtualization and Cloud Consultant

IndiQus Technologies Pvt Ltd
A-98, LGF, C.R.Park, New Delhi - 110019
O +91 11 4055 1411 | M +91 7503460090
http://www.indiqus.com



On Thu, Sep 22, 2016 at 1:43 AM, Jeroen Keerl <mailto:jeroen.keerl@keerl-it.com>
wrote:

> Hi,
>
> I had a few things configured on ACS – Basic Zone – Security Groups.
> Setup: 2 Citrix 6.5 hosts, Mgmt server under CentOS 6.8.
> Basic Networking, VMs created from template, also CentOS 6.8
>
> At first (default, first VM test) I could not log in using SSH.
> Then I created the appropriate ingress rule and all was ok.
> Same with ICMP (Ping) for 0.0.0.0/0
> Now I wanted to test a few things in my test environment and removed these
> rules, actually expecting that neither SSH nor ping would go through
> anymore.
>
> Unfortunately they do, so apparently rules once set are not revoked upon
> deletion.
> I would expect nothing to come through, if no ingress rules are set, no
> matter what iptables on the VM itself does.
>
> Tests:
> - Delete all ingress rules (ping, SSH and webmin (TCP 10000))
> - Disable iptables on VM
> ⇨ Ping, ssh went through, Webmin didn’t.
> - Enable iptables on VM
> ⇨ Ping and ssh went through
> - Insert ingress rule for webmin, iptables still enabled
> ⇨ Webmin times out (expected behaviour)
> - Disable iptables
> ⇨ Webmin works
>
> In the documentation you are pointed towards the “The procedure is
> described in Basic Zone Configuration in the Advanced Installation Guide.”
> (Managing Networks and Traffic – Enabling Security Groups)
> Searched for it on the Apache Site: Not found.
> Google gave me the “Advanced Installation Guide” from Citrix, Version
> 3.*.* … in which you are directed to the administration guide.
> Not really helpful!
>
> Does anybody know about this / experienced something like this before?
>
>
>
> *Jeroen Keerl*
>
>
> *Keerl IT Services GmbH*
> Birkenstraße 1b . 21521 Aumühle
>
> +49 177 6320 317
>
> http://www.keerl-it.com
> mailto:info@keerl-it.com
>
> Managing Director: Jacobus J. Keerl
> Register court: Lubeck, HRB no. 14511
>
> Our general terms and conditions can be found here.
> <http://www.keerl-it.com/AGB.pdf>
>
>
>


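The failure resolved in this thread, correct values in /etc/sysctl.conf that were never loaded into the running kernel, can be caught by comparing the file with the live values under /proc/sys. The script below is an added example, not part of the original messages; the function name check_bridge_nf, its two arguments, the status labels and the sample data are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): compare the bridge-netfilter values in
# sysctl.conf with what the running kernel actually uses.
# check_bridge_nf [conf_file] [proc_sys_root]: both arguments are parameters
# of this example so it can be pointed at constructed sample data.
check_bridge_nf() {
    conf=${1:-/etc/sysctl.conf}
    root=${2:-/proc/sys}
    rc=0
    for key in net.bridge.bridge-nf-call-iptables \
               net.bridge.bridge-nf-call-ip6tables \
               net.bridge.bridge-nf-call-arptables; do
        # Configured value: last uncommented assignment in the file.
        want=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" \
                   "$conf" 2>/dev/null | tail -n 1)
        # Live value: net.bridge.x maps to <root>/net/bridge/x.
        live="$root/$(printf '%s' "$key" | tr . /)"
        if [ -z "$want" ]; then
            status=UNSET; have=-
        elif [ ! -r "$live" ]; then
            # No such entry: the bridge netfilter code is not loaded.
            status=ABSENT; have=-
        else
            have=$(tr -d '[:space:]' < "$live")
            if [ "$have" = "$want" ]; then status=OK; else status=DRIFT; fi
        fi
        [ "$status" = OK ] || rc=1
        printf '%-6s %s conf=%s live=%s\n' "$status" "$key" "${want:--}" "$have"
    done
    return $rc
}

# Constructed sample: the file holds the values from the thread, the kernel
# side holds 0 everywhere, i.e. the file was edited but never loaded.
demo() {
    d=$(mktemp -d) && mkdir -p "$d/proc/net/bridge"
    printf '%s\n' 'net.bridge.bridge-nf-call-iptables = 1' \
                  'net.bridge.bridge-nf-call-ip6tables = 0' \
                  'net.bridge.bridge-nf-call-arptables = 1' > "$d/sysctl.conf"
    for n in iptables ip6tables arptables; do
        echo 0 > "$d/proc/net/bridge/bridge-nf-call-$n"
    done
    check_bridge_nf "$d/sysctl.conf" "$d/proc"; r=$?
    rm -rf "$d"
    return $r
}
demo || echo "drift found: run sysctl -p /etc/sysctl.conf and check again"
```

On a host, calling check_bridge_nf with no arguments reads /etc/sysctl.conf and /proc/sys; a non-zero return means at least one of the three keys is unset, absent or different from the file.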