Hi, Carlos. Did you install the CSP on your XS hosts? Also is Open vSwitch enabled or disabled?
Best regards,
Kirk

On 09/10/2014 02:55 PM, Carlos Reategui wrote:
> Hi All,
> This is a problem I have had for a while and worked around but would like
> to get a proper solution for. I have configured a basic shared network
> without security groups. The hosts are Xen 6.0.2. I am currently on 4.3
> but had this problem previously on 4.1.x and 4.2.x also.
>
> The problem is that the iptables firewall is not getting configured
> properly on the hosts and therefore I am unable to connect to any of the
> VMs on that particular host. My current solution is to have a crontab
> every 5 minutes issue an "/etc/init.d/iptables stop". The reason I have to
> have it on a cron is that every time I create a new instance, the
> cloudstack management server also sends a command to configure the firewall
> which also turns it back on (I guess I could also put an exit near the top
> of the iptables script but that is still a workaround). My network
> offering does not have security groups so, as expected, I don't have a
> means to edit ingress/egress rules.
>
> Has anyone else run into this? Is this a bug or something that I have not
> properly configured?
>
> Here is the output of the firewall on one of the hosts after creating a new
> instance:
> # iptables -L -n
> Chain INPUT (policy ACCEPT)
> target     prot opt source       destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source       destination
> BRIDGE-FIREWALL  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-is-bridged
> ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out eth2+ --physdev-is-bridged
> ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out eth6+ --physdev-is-bridged
> ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out eth5+ --physdev-is-bridged
> ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out eth7+ --physdev-is-bridged
> ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out eth3+ --physdev-is-bridged
> ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out eth1+ --physdev-is-bridged
> ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out eth4+ --physdev-is-bridged
> ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out bond0+ --physdev-is-bridged
> ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out eth0+ --physdev-is-bridged
> ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out bond1+ --physdev-is-bridged
> DROP    all  --  0.0.0.0/0  0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source       destination
>
> Chain BRIDGE-DEFAULT-FIREWALL (1 references)
> target     prot opt source       destination
> ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
> ACCEPT  udp  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-is-bridged udp spt:68 dpt:67
> ACCEPT  udp  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-is-bridged udp spt:67 dpt:68
>
> Chain BRIDGE-FIREWALL (1 references)
> target     prot opt source       destination
> BRIDGE-DEFAULT-FIREWALL  all  --  0.0.0.0/0  0.0.0.0/0
> i-3-93-def  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged
> i-3-93-def  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out vif20.0 --physdev-is-bridged
>
> Chain i-3-93-VM (1 references)
> target     prot opt source       destination
>
> Chain i-3-93-VM-eg (1 references)
> target     prot opt source       destination
>
> Chain i-3-93-def (2 references)
> target     prot opt source       destination
> RETURN  udp  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged set i-3-93-VM src udp dpt:53
> DROP    all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged !set i-3-93-VM src
> DROP    all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out vif20.0 --physdev-is-bridged !set i-3-93-VM dst
> i-3-93-VM-eg  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged set i-3-93-VM src
> i-3-93-VM  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out vif20.0 --physdev-is-bridged
>
> Thanks,
> Carlos
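The rule dump quoted above can be read as a checker rather than by eye. The following is an added example, not code from this thread, from CloudStack or from XenServer: a POSIX sh script that parses "iptables -L -n" output and reports the facts that decide whether a VM behind the bridge is reachable. In the dump, FORWARD jumps to BRIDGE-FIREWALL first, the per-VM chain i-3-93-def ends by jumping to the VM's ingress chain i-3-93-VM, that chain is empty, and back in FORWARD the only ACCEPT rules match --physdev-out ethN+/bondN+, so a frame destined for vif20.0 falls through to the final unconditional DROP. The function names and the abridged sample dump are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread, CloudStack or XenServer): audit the
# iptables rules the CloudStack security-group agent installs on a host.
# Every function reads "iptables -L -n" output on stdin.

# Constructed sample, abridged from the dump posted in the thread. Real
# output pads columns with several spaces; the functions collapse
# whitespace, so alignment does not matter.
SAMPLE_RULES='Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
BRIDGE-FIREWALL all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out eth2+ --physdev-is-bridged
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out bond0+ --physdev-is-bridged
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain BRIDGE-FIREWALL (1 references)
target prot opt source destination
BRIDGE-DEFAULT-FIREWALL all -- 0.0.0.0/0 0.0.0.0/0
i-3-93-def all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged
i-3-93-def all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vif20.0 --physdev-is-bridged

Chain i-3-93-VM (1 references)
target prot opt source destination

Chain i-3-93-VM-eg (1 references)
target prot opt source destination

Chain i-3-93-def (2 references)
target prot opt source destination
RETURN udp -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged set i-3-93-VM src udp dpt:53
DROP all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged !set i-3-93-VM src
DROP all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vif20.0 --physdev-is-bridged !set i-3-93-VM dst
i-3-93-VM-eg all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged set i-3-93-VM src
i-3-93-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vif20.0 --physdev-is-bridged
'

# Print the rules of one chain ($1), one per line, whitespace collapsed.
# The "Chain NAME" header and the "target prot opt ..." column line are dropped.
chain_rules() {
    awk -v c="$1" '
        /^Chain / { inchain = ($2 == c); next }
        inchain && /^target / { next }
        inchain && NF { $1 = $1; print }
    '
}

# "yes" if the last rule of FORWARD is an unconditional DROP, else "no".
forward_has_catchall_drop() {
    chain_rules FORWARD | tail -n 1 | awk '
        BEGIN { r = "no" }
        $1 == "DROP" && $2 == "all" && $4 == "0.0.0.0/0" && $5 == "0.0.0.0/0" && NF == 5 { r = "yes" }
        END { print r }'
}

# Space-separated list of --physdev-out patterns that FORWARD ACCEPTs.
# Anything not matching one of these (e.g. vif20.0) reaches the final DROP.
forward_accept_ifaces() {
    chain_rules FORWARD | awk '
        $1 == "ACCEPT" { for (i = 1; i <= NF; i++) if ($i == "--physdev-out") { printf "%s%s", sep, $(i + 1); sep = " " } }
        END { print "" }'
}

# Names of per-VM ingress chains (i-<acct>-<id>-VM, not the -eg egress chains).
vm_ingress_chains() {
    awk '/^Chain i-[0-9]+-[0-9]+-VM / { print $2 }'
}

# Ingress chains with zero rules: with the catch-all DROP in place, no
# inbound traffic reaches those VMs.
vms_with_empty_ingress() {
    all_rules=$(cat)
    printf '%s\n' "$all_rules" | vm_ingress_chains |
    while read -r chain; do
        n=$(printf '%s\n' "$all_rules" | chain_rules "$chain" | awk 'END { print NR }')
        if [ "$n" -eq 0 ]; then echo "$chain"; fi
    done
}

audit_rules() {
    rules=$(cat)
    echo "FORWARD ends in catch-all DROP: $(printf '%s\n' "$rules" | forward_has_catchall_drop)"
    echo "FORWARD accepts --physdev-out:  $(printf '%s\n' "$rules" | forward_accept_ifaces)"
    echo "VM ingress chains with no rules (inbound to these VMs is dropped):"
    printf '%s\n' "$rules" | vms_with_empty_ingress | sed 's/^/  /'
}

# Demo on the constructed sample; on a host run:  iptables -L -n | audit_rules
printf '%s\n' "$SAMPLE_RULES" | audit_rules
```

Run against a live host this shows in one glance whether it is in the state the dump shows (catch-all DROP present, the VM's ingress chain empty). That is worth knowing before reaching for "/etc/init.d/iptables stop", which removes every host rule at once, including the ipset-based anti-spoofing DROPs in i-3-93-def, for every VM on the host.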
