[ https://issues.apache.org/jira/browse/CLOUDSTACK-5144?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13855601#comment-13855601 ]

Gaurav Aradhye commented on CLOUDSTACK-5144:
--------------------------------------------

Jayapal,

I am not able to get the iptables from basic zone setup host as the setup is down currently, but I am able to reproduce this issue in Security group enabled advanced zone setup too and the following are the iptables from the host.

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target               prot opt in     out    source       destination
    0     0 ACCEPT               47   --  *      *      0.0.0.0/0    0.0.0.0/0
  64M   63G RH-Firewall-1-INPUT  all  --  *      *      0.0.0.0/0    0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target               prot opt in     out    source       destination
    0     0 RH-Firewall-1-INPUT  all  --  *      *      0.0.0.0/0    0.0.0.0/0

Chain OUTPUT (policy ACCEPT 56M packets, 93G bytes)
 pkts bytes target               prot opt in     out    source       destination

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target               prot opt in     out    source       destination
  35M   49G ACCEPT               all  --  lo     *      0.0.0.0/0    0.0.0.0/0
 8159  497K ACCEPT               icmp --  *      *      0.0.0.0/0    0.0.0.0/0      icmp type 255
    0     0 ACCEPT               esp  --  *      *      0.0.0.0/0    0.0.0.0/0
    0     0 ACCEPT               ah   --  *      *      0.0.0.0/0    0.0.0.0/0
    0     0 ACCEPT               udp  --  *      *      0.0.0.0/0    224.0.0.251    udp dpt:5353
    0     0 ACCEPT               udp  --  *      *      0.0.0.0/0    0.0.0.0/0      udp dpt:631
    0     0 ACCEPT               tcp  --  *      *      0.0.0.0/0    0.0.0.0/0      tcp dpt:631
    0     0 ACCEPT               udp  --  xenapi *      0.0.0.0/0    0.0.0.0/0      udp dpt:67
  24M   13G ACCEPT               all  --  *      *      0.0.0.0/0    0.0.0.0/0      state RELATED,ESTABLISHED
    0     0 ACCEPT               udp  --  *      *      0.0.0.0/0    0.0.0.0/0      state NEW udp dpt:694
   14   832 ACCEPT               tcp  --  *      *      0.0.0.0/0    0.0.0.0/0      state NEW tcp dpt:22
 3918  204K ACCEPT               tcp  --  *      *      0.0.0.0/0    0.0.0.0/0      state NEW tcp dpt:80
 227K   14M ACCEPT               tcp  --  *      *      0.0.0.0/0    0.0.0.0/0      state NEW tcp dpt:443
5225K 1015M REJECT               all  --  *      *      0.0.0.0/0    0.0.0.0/0      reject-with icmp-host-prohibited

> [Automation]: Basic Zone Security Groups - SSH to VM is allowed even when there is no ingress rule defined for the security group
> ---------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-5144
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5144
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: Network Controller
>    Affects Versions: 4.3.0
>            Reporter: Gaurav Aradhye
>            Assignee: Gaurav Aradhye
>            Priority: Critical
>              Labels: automation
>             Fix For: 4.3.0
>
>
> In Basic Zone Setup:
> 1. Create an account
> 2. Deploy a VM in that account
> 3. Verify that any ingress rule is not defined for the security group belonging to the account
> 4. Try SSH to VM using the nic ipaddress from external client
> SSH is successful to the VM whereas it should fail when the ingress rule is not defined.

--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
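
The listing in the comment can be checked mechanically. The Python below is an added example, not part of the JIRA message or of CloudStack: it walks a trimmed excerpt of that `iptables -L -nv` output first-match for a new TCP connection to port 22 entering the FORWARD chain. It assumes guest traffic on this host traverses FORWARD, uses a hypothetical interface name `eth0`, and matches only protocol, in-interface, state and dpt.

```python
import re

# Excerpt of the listing in the comment above (FORWARD path only, some rules omitted).
DUMP = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain RH-Firewall-1-INPUT (2 references)
  35M   49G ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
  24M   13G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
   14   832 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5225K 1015M REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
"""
# Constructed test packet; "eth0" is an assumed (hypothetical) ingress interface name.
SSH_PKT = {"prot": "tcp", "in": "eth0", "state": "NEW", "dport": 22}

def parse(dump):
    """Return {chain: {"policy": str or None, "rules": [dict]}} in listing order."""
    chains, cur = {}, None
    for line in dump.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+))?", line)
        if m:
            cur = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
            continue
        f = line.split()  # pkts bytes target prot opt in out source destination [extra]
        if cur is not None and len(f) >= 9 and f[0] != "pkts":
            cur["rules"].append({"target": f[2], "prot": f[3], "in": f[5], "extra": " ".join(f[9:])})
    return chains

def matches(rule, pkt):
    """Simplified matcher: protocol, in-interface, conntrack state and dpt only."""
    if rule["prot"] not in ("all", pkt["prot"]) or rule["in"] not in ("*", pkt["in"]):
        return False
    st = re.search(r"state (\S+)", rule["extra"])
    if st and pkt["state"] not in st.group(1).split(","):
        return False
    dpt = re.search(r"dpt:(\d+)", rule["extra"])
    return dpt is None or int(dpt.group(1)) == pkt["dport"]

def verdict(chains, chain, pkt):
    """First-match walk; returns (target, deciding chain), or None to fall through."""
    for r in chains[chain]["rules"]:
        if not matches(r, pkt):
            continue
        if r["target"] not in chains:        # terminal target (ACCEPT, REJECT, ...)
            return r["target"], chain
        res = verdict(chains, r["target"], pkt)  # jump into a user-defined chain
        if res:
            return res
    pol = chains[chain]["policy"]
    return (pol, chain + " policy") if pol else None
```

`verdict(parse(DUMP), "FORWARD", SSH_PKT)` returns `("ACCEPT", "RH-Firewall-1-INPUT")`: in this listing the only rule in FORWARD is the jump to the host's own chain, whose `state NEW tcp dpt:22` rule decides the packet.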