This looks like a bug to me. When we create a basic zone with the network offering "DefaultSharedNetworkOffering", no security groups should be applied to VMs.
Please feel free to report a bug.

Thanks,
Sanjeev

-----Original Message-----
From: Jayapal Reddy Uradi [mailto:[email protected]]
Sent: Thursday, September 11, 2014 10:56 AM
To: <[email protected]>
Subject: Re: Problems with firewall

Hi,

iptables rules are configured on the host, which means the CSP is there.
The setup is a basic shared network without security groups, but there are SG rules configured for the VM on the host, and there is no ingress/egress rules config option. Not sure whether configuring rules for the VM without SG is a bug.

Thanks,
Jayapal

On 11-Sep-2014, at 10:27 AM, Kirk Kosinski <[email protected]> wrote:

> Hi, Carlos. Did you install the CSP on your XS hosts? Also, is Open
> vSwitch enabled or disabled?
>
> Best regards,
> Kirk
>
> On 09/10/2014 02:55 PM, Carlos Reategui wrote:
>> Hi All,
>> This is a problem I have had for a while and worked around, but I would like
>> to get a proper solution for it. I have configured a basic shared network
>> without security groups. The hosts are Xen 6.0.2. I am currently on
>> 4.3 but had this problem previously on 4.1.x and 4.2.x also.
>>
>> The problem is that the iptables firewall is not getting configured
>> properly on the hosts and therefore I am unable to connect to any of
>> the VMs on that particular host. My current solution is to have a
>> crontab every 5 minutes issue an "/etc/init.d/iptables stop". The
>> reason I have to have it on a cron is that every time I create a new
>> instance, the CloudStack management server also sends a command to
>> configure the firewall, which also turns it back on (I guess I could
>> also put an exit near the top of the iptables script, but that is
>> still a workaround). My network offering does not have security
>> groups so, as expected, I don't have a means to edit ingress/egress rules.
>>
>> Has anyone else run into this? Is this a bug or something that I
>> have not properly configured?
>>
>> Here is the output of the firewall on one of the hosts after creating
>> a new instance:
>>
>> # iptables -L -n
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain FORWARD (policy ACCEPT)
>> target     prot opt source               destination
>> BRIDGE-FIREWALL  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-is-bridged
>> ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out eth2+ --physdev-is-bridged
>> ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out eth6+ --physdev-is-bridged
>> ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out eth5+ --physdev-is-bridged
>> ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out eth7+ --physdev-is-bridged
>> ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out eth3+ --physdev-is-bridged
>> ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out eth1+ --physdev-is-bridged
>> ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out eth4+ --physdev-is-bridged
>> ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out bond0+ --physdev-is-bridged
>> ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out eth0+ --physdev-is-bridged
>> ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out bond1+ --physdev-is-bridged
>> DROP    all  --  0.0.0.0/0  0.0.0.0/0
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain BRIDGE-DEFAULT-FIREWALL (1 references)
>> target     prot opt source               destination
>> ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
>> ACCEPT  udp  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-is-bridged udp spt:68 dpt:67
>> ACCEPT  udp  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-is-bridged udp spt:67 dpt:68
>>
>> Chain BRIDGE-FIREWALL (1 references)
>> target     prot opt source               destination
>> BRIDGE-DEFAULT-FIREWALL  all  --  0.0.0.0/0  0.0.0.0/0
>> i-3-93-def  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged
>> i-3-93-def  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out vif20.0 --physdev-is-bridged
>>
>> Chain i-3-93-VM (1 references)
>> target     prot opt source               destination
>>
>> Chain i-3-93-VM-eg (1 references)
>> target     prot opt source               destination
>>
>> Chain i-3-93-def (2 references)
>> target     prot opt source               destination
>> RETURN  udp  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged set i-3-93-VM src udp dpt:53
>> DROP    all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged !set i-3-93-VM src
>> DROP    all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out vif20.0 --physdev-is-bridged !set i-3-93-VM dst
>> i-3-93-VM-eg  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged set i-3-93-VM src
>> i-3-93-VM  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out vif20.0 --physdev-is-bridged
>>
>> Thanks,
>> Carlos
>>
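As an added example (not code from this thread or from the CloudStack project), the following Python script parses `iptables -L -n` output like the listing Carlos posted and reports what a host operator would want to know before filing the bug: whether CloudStack security-group chains (`i-<account>-<id>-VM`, `-VM-eg`, `-def`) are present at all on a host that belongs to a no-security-group zone, and whether any per-VM ingress chain is empty while the FORWARD chain ends in an unconditional DROP. The reading that an empty `i-3-93-VM` chain leaves traffic towards `vif20.0` to fall through to that final DROP is my own interpretation of the listing above, not a statement from the thread. The sample listing is a condensed, constructed copy of the posted output (several of the per-interface ACCEPT rules are omitted); the function and variable names are assumptions of this example.

```python
"""Inspect `iptables -L -n` output for CloudStack security-group chains.

Added example for diagnosing the symptom described in this thread;
not part of CloudStack or of the original messages.
"""
import re
from collections import OrderedDict

# Constructed sample: a condensed copy of the host listing from the thread.
SAMPLE = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
BRIDGE-FIREWALL  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-is-bridged
ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out eth2+ --physdev-is-bridged
ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out bond0+ --physdev-is-bridged
DROP    all  --  0.0.0.0/0  0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain BRIDGE-DEFAULT-FIREWALL (1 references)
target     prot opt source               destination
ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
ACCEPT  udp  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-is-bridged udp spt:68 dpt:67
ACCEPT  udp  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-is-bridged udp spt:67 dpt:68

Chain BRIDGE-FIREWALL (1 references)
target     prot opt source               destination
BRIDGE-DEFAULT-FIREWALL  all  --  0.0.0.0/0  0.0.0.0/0
i-3-93-def  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged
i-3-93-def  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out vif20.0 --physdev-is-bridged

Chain i-3-93-VM (1 references)
target     prot opt source               destination

Chain i-3-93-VM-eg (1 references)
target     prot opt source               destination

Chain i-3-93-def (2 references)
target     prot opt source               destination
RETURN  udp  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged set i-3-93-VM src udp dpt:53
DROP    all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged !set i-3-93-VM src
DROP    all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out vif20.0 --physdev-is-bridged !set i-3-93-VM dst
i-3-93-VM-eg  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged set i-3-93-VM src
i-3-93-VM  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out vif20.0 --physdev-is-bridged
"""

CHAIN_HEADER = re.compile(r"^Chain (\S+) \((.*)\)$")
# CloudStack SG ingress chain name: i-<account>-<vm id>-VM (assumed from the listing).
VM_CHAIN = re.compile(r"^(i-\d+-\d+)-VM$")


def parse_iptables(listing):
    """Return an ordered {chain: [rule, ...]} map from `iptables -L -n` text."""
    chains = OrderedDict()
    current = None
    for line in listing.splitlines():
        header = CHAIN_HEADER.match(line)
        if header:
            current = header.group(1)
            chains[current] = []
            continue
        if current is None or not line.strip() or line.startswith("target"):
            continue  # column header or blank separator
        fields = line.split(None, 5)  # target prot opt source destination [match text]
        chains[current].append({
            "target": fields[0], "prot": fields[1],
            "src": fields[3], "dst": fields[4],
            "extra": fields[5] if len(fields) > 5 else "",
        })
    return chains


def vms_without_ingress(chains):
    """VM ids whose i-<acct>-<id>-VM chain holds no rules at all."""
    empty = []
    for name, rules in chains.items():
        match = VM_CHAIN.match(name)
        if match and not rules:
            empty.append(match.group(1))
    return empty


def forward_ends_in_drop(chains):
    """True when FORWARD's last rule is an unconditional DROP (no match text)."""
    rules = chains.get("FORWARD", [])
    return bool(rules) and rules[-1]["target"] == "DROP" and rules[-1]["extra"] == ""


def diagnose(listing):
    """Summarise the SG state of one host from its `iptables -L -n` output."""
    chains = parse_iptables(listing)
    return {
        "sg_chains_present": any(VM_CHAIN.match(n) for n in chains),
        "forward_drops_unmatched": forward_ends_in_drop(chains),
        "vms_without_ingress": vms_without_ingress(chains),
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

On a host in a zone whose offering has no security groups, `sg_chains_present` being True is itself the finding Sanjeev and Jayapal discuss; the `vms_without_ingress` list names the instances that, on the reading above, cannot be reached while those chains stay empty. To run it against a live host, pipe `iptables -L -n` into `diagnose()` instead of `SAMPLE`.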
