Get the verbose iptables output.

iptables -Lnv
On 15 Aug 2014 18:24, "clement mutz" <[email protected]> wrote:

>
> Hi,
>
>
> > What's wrong with my configuration ? I forgot something ?
>
> >> Start by running tcpdump along the network path and try to isolate
> >> the faulty network configuration.
>
> OK, I am running tcpdump on the console proxy and I can see packets.
>
>
> With the following command on the console proxy: tcpdump -vv -i eth1
>
> Quote
> 16:05:14.378905 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.209 tell 10.254.50.45, length 46
> 16:05:15.377608 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.209 tell 10.254.50.45, length 46
> 16:05:16.377600 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.209 tell 10.254.50.45, length 46
> 16:05:17.395947 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.209 tell 10.254.50.45, length 46
> 16:05:18.393719 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.209 tell 10.254.50.45, length 46
> 16:05:18.828127 IP (tos 0x0, ttl 64, id 30676, offset 0, flags [DF], proto TCP (6), length 56)
>     10.254.50.201.58036 > 10.254.50.45.8250: Flags [P.], cksum 0x7b1c (incorrect -> 0xdd06), seq 3973496:3973500, ack 1507845368, win 2641, options [nop,nop,TS val 826858 ecr 954898], length 4
>  seq 3973496:3973500, ack 1507845368, win
> eq 1:5, ack 217, win 331, options [nop,nop,TS val 956151 ecr 826868],
> length 4
> 16:05:18.883024 IP (tos 0x0, ttl 64, id 30678, offset 0, flags [DF], proto TCP (6), length 52)
>
>
> I see packets arriving on my console proxy.
>
> I didn't touch the iptables rules.
>
>
> iptables -L on the console proxy:
>
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> DROP       icmp --  anywhere             anywhere             icmp timestamp-request
> ACCEPT     icmp --  anywhere             anywhere
> ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:3922
> ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:8001
> ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:8001
> ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https
> ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
>
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
>
> Thanks for your reply.
>
> Clément
>
> -------------------------------------------
>
>
>
> Hi,
>
> Here are my different tests. The first problem: I can't ping the system VM
> (internal NIC and external NIC) from the same network (from the computing node,
> for example).
>
> I can ping a host on the internal NIC network (10.254.50.0/24) from the system VM.
>
> IP address of the computing node: 10.254.50.45
> IP address of the console proxy VM: 10.254.50.209
>
>
> On console proxy VM :
>
> root@v-2-VM:~# route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 0.0.0.0         37.122.XXX.XX   0.0.0.0         UG    0      0        0 eth2
> 8.8.8.8         10.254.50.254   255.255.255.255 UGH   0      0        0 eth1
> 10.254.50.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 37.122.XXX.XXX  0.0.0.0         255.255.255.XXX U     0      0        0 eth2
> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
>
> I can ping www.google.fr, my two gateways and a test host:
>
> root@v-2-VM:~# ping -c2 www.google.fr
> PING www.google.fr (173.194.66.94): 48 data bytes
> 56 bytes from 173.194.66.94: icmp_seq=0 ttl=48 time=5.989 ms
> 56 bytes from 173.194.66.94: icmp_seq=1 ttl=48 time=5.959 ms
> --- www.google.fr ping statistics ---
> 2 packets transmitted, 2 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 5.959/5.974/5.989/0.000 ms
>
> root@v-2-VM:~# ping -c2 10.254.50.254
> PING 10.254.50.254 (10.254.50.254): 48 data bytes
> 56 bytes from 10.254.50.254: icmp_seq=0 ttl=64 time=0.250 ms
> 56 bytes from 10.254.50.254: icmp_seq=1 ttl=64 time=0.251 ms
> --- 10.254.50.254 ping statistics ---
> 2 packets transmitted, 2 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 0.250/0.251/0.251/0.000 ms
>
> root@v-2-VM:~# ping -c2 37.122.XXX.XXX
> PING 37.122.XXX.XXX (37.122.XXX.XXX): 48 data bytes
> 56 bytes from 37.122.XXX.XXX: icmp_seq=0 ttl=64 time=0.284 ms
> 56 bytes from 37.122.XXX.XXX: icmp_seq=1 ttl=64 time=0.173 ms
> --- 37.122.XXX.XXX ping statistics ---
> 2 packets transmitted, 2 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 0.173/0.228/0.284/0.056 ms
>
> root@v-2-VM:~# ping -c2 10.254.50.123
> PING 10.254.50.123 (10.254.50.123): 48 data bytes
> 56 bytes from 10.254.50.123: icmp_seq=0 ttl=128 time=1.468 ms
> 56 bytes from 10.254.50.123: icmp_seq=1 ttl=128 time=0.345 ms
> --- 10.254.50.123 ping statistics ---
> 2 packets transmitted, 2 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 0.345/0.906/1.468/0.562 ms
>
> From my computing node I can ping the gateway but not the system VM:
>
> root@ubuntu:/# ping -c2 10.254.50.254
> PING 10.254.50.254 (10.254.50.254) 56(84) bytes of data.
> 64 bytes from 10.254.50.254: icmp_req=1 ttl=64 time=1.14 ms
> 64 bytes from 10.254.50.254: icmp_req=2 ttl=64 time=0.238 ms
>
> --- 10.254.50.254 ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 1001ms
> rtt min/avg/max/mdev = 0.238/0.691/1.145/0.454 ms
>
> root@ubuntu:/# ping -c2 10.254.50.209
> PING 10.254.50.209 (10.254.50.209) 56(84) bytes of data.
>
> --- 10.254.50.209 ping statistics ---
> 2 packets transmitted, 0 received, 100% packet loss, time 1000ms
>
>
> Is there a hidden firewall?
>
>
>
>
>
>
> Hi Tejas,
>
> > Thank you for your reply. I already tried to configure the firewall
> > rules (e.g. http://i.imgur.com/oiGMMle.png).
> > No access to my instances.
>
> >> From the VM instance, are you able to ICMP ping the virtual router? If
> >> you can't, then please check your network VLAN assignments and traffic
> >> label configurations.
>
> Yes, very good point! I can't ping the virtual router from the VM instance.
> So to validate my network I duplicated the network configuration created
> by CloudStack on another XenServer (same environment, same switch ...) ;)
> So on another XenServer I created two VMs (with XenCenter) and PING worked.
> Picture of the network configuration created by CloudStack (see vl41):
> http://i.imgur.com/K8Bo3kK.png
> Picture of the network configuration created by me on another Xen pool:
> http://i.imgur.com/ieYD5Oy.png
>
> My traffic labels on CloudStack: http://i.imgur.com/P7ZRbf7.png
>
>
> > I don't have access to the system VMs (console, secondary storage).
>
> >> If you are not able to access the system VMs, then I would first
> >> make sure my Zone network configuration and the hypervisor
> >> network traffic types are configured correctly.
>
> ---------------------------------------------------------------
> interfaces      | with isolation mode   | without isolation mode
> administration  | Vl50                  | Vl50
> public          | NONE                  | Vl60
> guest           | Vl60                  | Vl50
> Storage         | Vl20                  | Vl20
> ---------------------------------------------------------------
>
> As you can see, it's the traffic label configuration. With isolation mode
> CloudStack works without problem.
> With isolation mode I declared my guest network (label Vl60) as the public
> network (for testing). And I can ping my system VMs (console and storage) and
> my instances via the public NIC.
> I can ping the administration network too (not possible without isolation
> mode).
>
> I am sure of my zone network configuration (at 99%) because I created an
> advanced zone with isolation mode and that worked (access) ;)
>
>
>
> > My network is OK because when I configure my zone with security groups I
> > have access to the system VMs and to my instances.
>
> >> Basic networks and advanced networks work very differently. Advanced
> >> networks use VLANs, which, if configured incorrectly, can lead to issues
> >> like the one you are facing.
>
> Thank you, but when I say "configure my zone with security groups", I am
> talking about an advanced network where I check "Isolation mode" :)
>
>
>
>
>
> Hi Clement,
>
> Comments inline.
>
> On 08-Aug-2014, at 12:18 am, clement mutz <[email protected]> wrote:
>
> > Thank you for your reply. I already tried to configure the firewall
> > rules (e.g. http://i.imgur.com/oiGMMle.png).
> > No access to my instances.
>
> From the VM instance, are you able to ICMP ping the virtual router? If you
> can't, then please check your network VLAN assignments and traffic label
> configurations.
>
>
> > I don't have access to the system VMs (console, secondary storage).
>
> If you are not able to access the system VMs, then I would first
> make sure my Zone network configuration and the hypervisor
> network traffic types are configured correctly.
>
>
> > My network is OK because when I configure my zone with security groups I
> > have access to the system VMs and to my instances.
>
> Basic networks and advanced networks work very differently. Advanced
> networks use VLANs, which, if configured incorrectly, can lead to issues
> like the one you are facing.
>
> > What's wrong with my configuration ? I forgot something ?
>
> Start by running tcpdump along the network path and try to isolate
> the faulty network configuration.
>
>
> > Sorry for my bad English. I'm learning ;)
> >
> > Thank you very much.
> >
>
> No problems.
>
>
>
>
> > Clément
> >
> >
> >
> >
> > Comments inline.
> >
> > On 07-Aug-2014, at 6:24 pm, clement mutz <[email protected]> wrote:
> >
> >> Hi Shanker,
> >>
> >>> Look under Network -> Select View -> Security Groups.
> >>
> >> Thank you, but the problem appears when I choose an advanced zone
> >> without security groups. So I can't see Security Groups
> >> (http://i.imgur.com/WR18PPl.png) ;)
> >>
> >
> > In advanced zones you don't have security groups by default. Only EGRESS
> > and INGRESS rules.
> >
> >> How can I configure the different access without security groups?
> >
> > Looking at your screenshot, go to Network -> Isolated Network (vl400) ->
> Egress Rules and
> > Network -> Isolated Network (vl400) -> Source NAT -> Configuration ->
> Firewall Rules.
> >
> >>
> >>> The ML strips out attachments. You can use http://imgur.com to share
> >>> images.
> >>
> >> Thanks for your information :)
> >>
> >> I can't choose Security Groups when I created a zone with a public
> >> network (I mean with a public NIC) (http://i.imgur.com/52bjasU.png and
> >> http://i.imgur.com/UN9RXR2.png)...
> >> I don't understand why.
> >> When I created a zone with security groups there was no problem, I can use
> >> ACC Ingress and Egress rules, but I don't have a public interface
> >> (http://i.imgur.com/EhBAbvC.png and http://i.imgur.com/GjhFOZD.png).
> >>
> >>
> >>
> >>
> >>
> >> ----- Original Message -----
> >> From: "Shanker Balan" <[email protected]>
> >> To: "CloudStack-Users" <[email protected]>
> >> Sent: Thursday, 7 August 2014 13:49:40
> >> Subject: Re: question about security group
> >>
> >> Comments inline.
> >>
> >> On 07-Aug-2014, at 3:44 pm, clement mutz <[email protected]> wrote:
> >>
> >>> Hi Tejas,
> >>>
> >>> I cannot see the security group in network tab.
> >>
> >> Look under Network -> Select View -> Security Groups.
> >>
> >>>
> >>> I can't choose Security Groups when I created a zone with a public
> >>> network (I mean with a public NIC) (picture 1 and 2)... I don't understand
> >>> why.
> >>> When I created a zone with security groups there was no problem, I can use
> >>> ACC Ingress and Egress rules, but I don't have a public interface (picture 3 and 4).
> >>>
> >>
> >> The ML strips out attachments. You can use http://imgur.com to share
> >> images.
> >>
> >> --
> >> @shankerbalan
> >>
> >> M: +91 98860 60539 | O: +91 (80) 67935867
> >> [email protected] | www.shapeblue.com | Twitter:@shapeblue
> >> ShapeBlue Services India LLP, 22nd floor, Unit 2201A, World Trade
> Centre, Bangalore - 560 055
> >>
> >> Find out more about ShapeBlue and our range of CloudStack related
> services
> >>
> >> IaaS Cloud Design & Build <http://shapeblue.com/iaas-cloud-design-and-build//>
> >> CSForge – rapid IaaS deployment framework <http://shapeblue.com/csforge/>
> >> CloudStack Consulting <http://shapeblue.com/cloudstack-consultancy/>
> >> CloudStack Infrastructure Support <http://shapeblue.com/cloudstack-infrastructure-support/>
> >> CloudStack Bootcamp Training Courses <http://shapeblue.com/cloudstack-training/>
> >>
> >> This email and any attachments to it may be confidential and are
> intended solely for the use of the individual to whom it is addressed. Any
> views or opinions expressed are solely those of the author and do not
> necessarily represent those of Shape Blue Ltd or related companies. If you
> are not the intended recipient of this email, you must neither take any
> action based upon its contents, nor copy or show it to anyone. Please
> contact the sender if you believe you have received this email in error.
> Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue
> Services India LLP is a company incorporated in India and is operated under
> license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a
> company incorporated in Brasil and is operated under license from Shape
> Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of
> South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is
> a registered trademark.
> >
>
>
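The capture quoted above shows the same ARP who-has for 10.254.50.209 repeated once a second with no is-at reply anywhere in the excerpt. An ARP request that never gets answered is a Layer-2 problem (VLAN tag, bridge, traffic label, or simply the wrong capture interface), and the iptables filter table cannot be the cause: it filters IP, and ARP is not IP. The following Python script is an added example, not code from the thread or from CloudStack. It pairs ARP requests with replies in `tcpdump -nn` output and lists targets that were asked for but never answered, flagging any that belong to the capturing host itself. The capture text is constructed for the example in tcpdump's ARP line format, modelled on the quoted lines; the `local_ips` parameter and the function names are mine.

```python
import re
from collections import defaultdict

# Constructed `tcpdump -nn -vv -i eth1 arp` output, modelled on the lines
# quoted in the thread (this is NOT the real capture). Three requests for
# .209 never get an is-at answer; the request for the gateway .254 does.
CAPTURE = """\
16:05:14.378905 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.209 tell 10.254.50.45, length 46
16:05:15.377608 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.209 tell 10.254.50.45, length 46
16:05:16.377600 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.209 tell 10.254.50.45, length 46
16:05:16.900120 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.254 tell 10.254.50.209, length 28
16:05:16.900410 ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.254.50.254 is-at 00:11:22:33:44:55, length 46
16:05:18.828127 IP (tos 0x0, ttl 64, id 30676, offset 0, flags [DF], proto TCP (6), length 56)
"""

# The `.*` absorbs the "Ethernet (len 6), IPv4 (len 4)," part that only
# appears with -vv, so plain `tcpdump -nn arp` lines parse the same way.
ARP_REQUEST = re.compile(r"^(\S+) ARP, .*Request who-has ([^\s,]+) tell ([^\s,]+)")
ARP_REPLY = re.compile(r"^(\S+) ARP, .*Reply ([^\s,]+) is-at ([0-9a-fA-F:]+)")


def arp_summary(capture, local_ips=()):
    """Pair ARP requests with the replies seen in the same capture.

    Returns a dict with:
      unanswered        target IP -> list of requester IPs, for targets never seen in an is-at
      answered          target IP -> MAC, for targets that did get a reply
      unanswered_for_us targets in `local_ips` (the capturing host's own addresses)
                        that were asked for but not answered: the request reached the
                        NIC, so the loss is not an IP-layer filter problem.
    """
    requests = defaultdict(list)
    replies = {}
    for line in capture.splitlines():
        m = ARP_REQUEST.match(line)
        if m:
            _, target, requester = m.groups()
            requests[target].append(requester)
            continue
        m = ARP_REPLY.match(line)
        if m:
            _, ip, mac = m.groups()
            replies[ip] = mac.lower()
    unanswered = {ip: reqs for ip, reqs in requests.items() if ip not in replies}
    answered = {ip: replies[ip] for ip in requests if ip in replies}
    local = set(local_ips)
    return {
        "unanswered": unanswered,
        "answered": answered,
        "unanswered_for_us": sorted(ip for ip in unanswered if ip in local),
    }


if __name__ == "__main__":
    # 10.254.50.209 is the console proxy's own eth1 address in the thread.
    summary = arp_summary(CAPTURE, local_ips=("10.254.50.209",))
    for target, askers in summary["unanswered"].items():
        print("no ARP reply for %s (asked %d times by %s)"
              % (target, len(askers), ", ".join(sorted(set(askers)))))
    for ip in summary["unanswered_for_us"]:
        print("%s is one of our own addresses: the request reached this NIC but no reply left it"
              % ip)
```

To use it on a real box, run `tcpdump -nn -i eth1 arp > arp.txt` on the VM while pinging it from the compute node and feed the file to `arp_summary`, passing the VM's own addresses as `local_ips`. If the VM's own IP shows up as unanswered, the fix is below iptables (check the VLAN and traffic-label mapping on the hypervisor and that the capture interface is really the one on that VLAN); if the request never shows up at all, the frame is not reaching the VM and the capture has to move one hop closer to the compute node.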
