Posted to dev@cloudstack.apache.org by Jijun <ji...@gmail.com> on 2013/08/30 04:11:42 UTC

[Questions]: Basic Zone Security Group problem?

I cloned the 4.2 branch, packaged it, and did a fresh installation.

Hypervisor: XenServer 6.2, with the network backend changed from openvswitch to bridge.

Added a basic zone with security groups enabled.

Created a new VM in the default security group.

The documentation for the previous version said that ingress traffic is blocked by
default, but in my test both inbound and outbound traffic to the VM are allowed,
which is strange.

Is this a bug?

iptables rules on the hypervisor:

[root@xenserver-dlghbuxq ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
BRIDGE-FIREWALL  all  --  0.0.0.0/0            0.0.0.0/0 PHYSDEV match 
--physdev-is-bridged
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-out eth1 --physdev-is-bridged
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-out eth0 --physdev-is-bridged
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain BRIDGE-DEFAULT-FIREWALL (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state 
RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-is-bridged udp spt:68 dpt:67
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-is-bridged udp spt:67 dpt:68

Chain BRIDGE-FIREWALL (1 references)
target     prot opt source               destination
BRIDGE-DEFAULT-FIREWALL  all  --  0.0.0.0/0 0.0.0.0/0
i-2-7-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-in vif21.0 --physdev-is-bridged
i-3-8-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-in vif20.0 --physdev-is-bridged
r-4-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-in vif19.0 --physdev-is-bridged
r-4-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-in vif19.1 --physdev-is-bridged
s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-in vif18.2 --physdev-is-bridged
s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-in vif18.0 --physdev-is-bridged
s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-in vif18.1 --physdev-is-bridged
s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-in vif18.3 --physdev-is-bridged
v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-in vif17.2 --physdev-is-bridged
v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-in vif17.0 --physdev-is-bridged
v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-in vif17.1 --physdev-is-bridged
v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-out vif17.1 --physdev-is-bridged
v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-out vif17.0 --physdev-is-bridged
v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-out vif17.2 --physdev-is-bridged
s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-out vif18.3 --physdev-is-bridged
s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-out vif18.1 --physdev-is-bridged
s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-out vif18.0 --physdev-is-bridged
s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-out vif18.2 --physdev-is-bridged
r-4-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-out vif19.1 --physdev-is-bridged
r-4-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-out vif19.0 --physdev-is-bridged
i-3-8-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-out vif20.0 --physdev-is-bridged
i-2-7-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-out vif21.0 --physdev-is-bridged

Chain L (0 references)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (0 references)
target     prot opt source               destination

Chain i-2-7-VM (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain i-2-7-VM-eg (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain i-2-7-def (2 references)
target     prot opt source               destination
RETURN     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-in vif21.0 --physdev-is-bridged set i-2-7-VM src udp dpt:53
DROP       all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-in vif21.0 --physdev-is-bridged !set i-2-7-VM src
DROP       all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-out vif21.0 --physdev-is-bridged !set i-2-7-VM dst
i-2-7-VM-eg  all  --  0.0.0.0/0            0.0.0.0/0 PHYSDEV match 
--physdev-in vif21.0 --physdev-is-bridged set i-2-7-VM src
i-2-7-VM   all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-out vif21.0 --physdev-is-bridged

Chain i-3-8-VM (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain i-3-8-VM-eg (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain i-3-8-def (2 references)
target     prot opt source               destination
RETURN     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-in vif20.0 --physdev-is-bridged set i-3-8-VM src udp dpt:53
DROP       all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-in vif20.0 --physdev-is-bridged !set i-3-8-VM src
DROP       all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-out vif20.0 --physdev-is-bridged !set i-3-8-VM dst
i-3-8-VM-eg  all  --  0.0.0.0/0            0.0.0.0/0 PHYSDEV match 
--physdev-in vif20.0 --physdev-is-bridged set i-3-8-VM src
i-3-8-VM   all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-out vif20.0 --physdev-is-bridged

Chain r-4-VM (4 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-in vif19.0 --physdev-is-bridged
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-in vif19.1 --physdev-is-bridged
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain s-6-VM (8 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-in vif18.2 --physdev-is-bridged
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-in vif18.0 --physdev-is-bridged
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-in vif18.1 --physdev-is-bridged
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-in vif18.3 --physdev-is-bridged
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain v-2-VM (6 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-in vif17.2 --physdev-is-bridged
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-in vif17.0 --physdev-is-bridged
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-in vif17.1 --physdev-is-bridged
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0


[root@xenserver-dlghbuxq ~]# ebtables -L
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 5, policy: ACCEPT
-j DEFAULT_EBTABLES
-i vif21.0 -j i-2-7-VM
-i vif20.0 -j i-3-8-VM
-o vif20.0 -j i-3-8-VM
-o vif21.0 -j i-2-7-VM

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: DEFAULT_EBTABLES, entries: 12, policy: ACCEPT
-p IPv4 --ip-dst 255.255.255.255 --ip-proto udp --ip-dport 67 -j ACCEPT
-p IPv4 --ip-dst 255.255.255.255 --ip-proto udp --ip-dport 68 -j ACCEPT
-p ARP --arp-op Request -j ACCEPT
-p ARP --arp-op Reply -j ACCEPT
-p IPv4 -d Broadcast -j DROP
-p IPv4 -d Multicast -j DROP
-p IPv4 --ip-dst 255.255.255.255 -j DROP
-p IPv4 --ip-dst 224.0.0.0/4 -j DROP
-p IPv4 -j RETURN
-p IPv6 -j DROP
-p 802_1Q -j DROP
-j DROP

Bridge chain: i-3-8-VM, entries: 2, policy: ACCEPT
-p IPv4 -i vif20.0 --ip-proto udp --ip-dport 68 -j DROP
-p IPv4 -o vif20.0 --ip-proto udp --ip-dport 67 -j DROP

Bridge chain: i-2-7-VM, entries: 2, policy: ACCEPT
-p IPv4 -i vif21.0 --ip-proto udp --ip-dport 68 -j DROP
-p IPv4 -o vif21.0 --ip-proto udp --ip-dport 67 -j DROP


[root@xenserver-dlghbuxq ~]# ipset -L
Name: i-3-8-VM
Type: iphash
References: 4
Header: hashsize: 1024 probes: 8 resize: 50
Members:
192.168.253.66

Name: i-2-7-VM
Type: iphash
References: 4
Header: hashsize: 1024 probes: 8 resize: 50
Members:
192.168.253.68







-- 
Thanks,
Jijun


Re: [Questions]: Basic Zone Security Group problem?

Posted by Jijun <ji...@gmail.com>.
Thank you very much.

  The rules look fine, but strangely I can still ping both guest VMs
(i-2-7-VM, i-3-8-VM) from my workstation. Note that every packet counter in the
FORWARD and BRIDGE-FIREWALL chains in the `iptables -L -nv` output below is zero,
so the bridged guest traffic does not appear to be traversing the iptables FORWARD
chain at all.


[ranger@ranger cloudstack]$ ping 192.168.253.66
PING 192.168.253.66 (192.168.253.66) 56(84) bytes of data.
64 bytes from 192.168.253.66: icmp_seq=1 ttl=59 time=4.40 ms
^C
--- 192.168.253.66 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.406/4.406/4.406/0.000 ms
[ranger@ranger cloudstack]$ ping 192.168.253.68
PING 192.168.253.68 (192.168.253.68) 56(84) bytes of data.
64 bytes from 192.168.253.68: icmp_seq=1 ttl=59 time=1.20 ms
^C
--- 192.168.253.68 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.201/1.201/1.201/0.000 ms



[root@xenserver-dlghbuxq ~]# iptables -L -nv
Chain INPUT (policy ACCEPT 3354K packets, 2026M bytes)
  pkts bytes target     prot opt in     out source               
destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out source               
destination
     0     0 BRIDGE-FIREWALL  all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-is-bridged
     0     0 ACCEPT     all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-out eth1 --physdev-is-bridged
     0     0 ACCEPT     all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-out eth0 --physdev-is-bridged
     0     0 DROP       all  --  *      * 0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 2741K packets, 5547M bytes)
  pkts bytes target     prot opt in     out source               
destination

Chain BRIDGE-DEFAULT-FIREWALL (1 references)
  pkts bytes target     prot opt in     out source               
destination
     0     0 ACCEPT     all  --  *      * 0.0.0.0/0            
0.0.0.0/0           state RELATED,ESTABLISHED
     0     0 ACCEPT     udp  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-is-bridged udp spt:68 dpt:67
     0     0 ACCEPT     udp  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-is-bridged udp spt:67 dpt:68

Chain BRIDGE-FIREWALL (1 references)
  pkts bytes target     prot opt in     out source               
destination
     0     0 BRIDGE-DEFAULT-FIREWALL  all  --  *      * 
0.0.0.0/0            0.0.0.0/0
     0     0 i-2-7-def  all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-in vif21.0 --physdev-is-bridged
     0     0 i-3-8-def  all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged
     0     0 r-4-VM     all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-in vif19.0 --physdev-is-bridged
     0     0 r-4-VM     all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-in vif19.1 --physdev-is-bridged
     0     0 s-6-VM     all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-in vif18.2 --physdev-is-bridged
     0     0 s-6-VM     all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-in vif18.0 --physdev-is-bridged
     0     0 s-6-VM     all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-in vif18.1 --physdev-is-bridged
     0     0 s-6-VM     all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-in vif18.3 --physdev-is-bridged
     0     0 v-2-VM     all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-in vif17.2 --physdev-is-bridged
     0     0 v-2-VM     all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-in vif17.0 --physdev-is-bridged
     0     0 v-2-VM     all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-in vif17.1 --physdev-is-bridged
     0     0 v-2-VM     all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-out vif17.1 
--physdev-is-bridged
     0     0 v-2-VM     all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-out vif17.0 
--physdev-is-bridged
     0     0 v-2-VM     all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-out vif17.2 
--physdev-is-bridged
     0     0 s-6-VM     all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-out vif18.3 
--physdev-is-bridged
     0     0 s-6-VM     all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-out vif18.1 
--physdev-is-bridged
     0     0 s-6-VM     all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-out vif18.0 
--physdev-is-bridged
     0     0 s-6-VM     all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-out vif18.2 
--physdev-is-bridged
     0     0 r-4-VM     all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-out vif19.1 
--physdev-is-bridged
     0     0 r-4-VM     all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-out vif19.0 
--physdev-is-bridged
     0     0 i-3-8-def  all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-out vif20.0 
--physdev-is-bridged
     0     0 i-2-7-def  all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-out vif21.0 
--physdev-is-bridged

Chain L (0 references)
  pkts bytes target     prot opt in     out source               
destination

Chain RH-Firewall-1-INPUT (0 references)
  pkts bytes target     prot opt in     out source               
destination

Chain i-2-7-VM (1 references)
  pkts bytes target     prot opt in     out source               
destination
     0     0 DROP       all  --  *      * 0.0.0.0/0            0.0.0.0/0

Chain i-2-7-VM-eg (1 references)
  pkts bytes target     prot opt in     out source               
destination
     0     0 RETURN     all  --  *      * 0.0.0.0/0            0.0.0.0/0

Chain i-2-7-def (2 references)
  pkts bytes target     prot opt in     out source               
destination
     0     0 RETURN     udp  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-in vif21.0 
--physdev-is-bridged set i-2-7-VM src udp dpt:53
     0     0 DROP       all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-in vif21.0 
--physdev-is-bridged !set i-2-7-VM src
     0     0 DROP       all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-out vif21.0 
--physdev-is-bridged !set i-2-7-VM dst
     0     0 i-2-7-VM-eg  all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-in vif21.0 
--physdev-is-bridged set i-2-7-VM src
     0     0 i-2-7-VM   all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-out vif21.0 
--physdev-is-bridged

Chain i-3-8-VM (1 references)
  pkts bytes target     prot opt in     out source               
destination
     0     0 DROP       all  --  *      * 0.0.0.0/0            0.0.0.0/0

Chain i-3-8-VM-eg (1 references)
  pkts bytes target     prot opt in     out source               
destination
     0     0 RETURN     all  --  *      * 0.0.0.0/0            0.0.0.0/0

Chain i-3-8-def (2 references)
  pkts bytes target     prot opt in     out source               
destination
     0     0 RETURN     udp  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-in vif20.0 
--physdev-is-bridged set i-3-8-VM src udp dpt:53
     0     0 DROP       all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-in vif20.0 
--physdev-is-bridged !set i-3-8-VM src
     0     0 DROP       all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-out vif20.0 
--physdev-is-bridged !set i-3-8-VM dst
     0     0 i-3-8-VM-eg  all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-in vif20.0 
--physdev-is-bridged set i-3-8-VM src
     0     0 i-3-8-VM   all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-out vif20.0 
--physdev-is-bridged

Chain r-4-VM (4 references)
  pkts bytes target     prot opt in     out source               
destination
     0     0 RETURN     all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-in vif19.0 --physdev-is-bridged
     0     0 RETURN     all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-in vif19.1 --physdev-is-bridged
     0     0 ACCEPT     all  --  *      * 0.0.0.0/0            0.0.0.0/0

Chain s-6-VM (8 references)
  pkts bytes target     prot opt in     out source               
destination
     0     0 RETURN     all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-in vif18.2 --physdev-is-bridged
     0     0 RETURN     all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-in vif18.0 --physdev-is-bridged
     0     0 RETURN     all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-in vif18.1 --physdev-is-bridged
     0     0 RETURN     all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-in vif18.3 --physdev-is-bridged
     0     0 ACCEPT     all  --  *      * 0.0.0.0/0            0.0.0.0/0

Chain v-2-VM (6 references)
  pkts bytes target     prot opt in     out source               
destination
     0     0 RETURN     all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-in vif17.2 --physdev-is-bridged
     0     0 RETURN     all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-in vif17.0 --physdev-is-bridged
     0     0 RETURN     all  --  *      * 0.0.0.0/0            
0.0.0.0/0           PHYSDEV match --physdev-in vif17.1 --physdev-is-bridged
     0     0 ACCEPT     all  --  *      * 0.0.0.0/0            0.0.0.0/0



On 08/30/2013 02:02 PM, Jayapal Reddy Uradi wrote:
> Hi,
>
> The rules are looking as expected.
> The ingress traffic to vm should block.
>
> Can you run 'iptables -L -nv' and see which rules are accepting the ingress traffic.
>
> Thanks,
> Jayapal
> On 30-Aug-2013, at 7:41 AM, Jijun <ji...@gmail.com> wrote:
>
>> i clone branch 4.2 code, package and do a  fresh installation.
>>
>> hypervisor : xenserver 6.2 change  openvswitch to bridge.
>>
>> add basic zone ,security group enabeld.
>>
>> create a new vm , default security group
>>
>> the previous version  document   said the ingress will be blocked by default.  but in my test, the network in and out are all allowed.
>> so strange.
>>
>> is it a bug ?
>>
>> iptable rule in hypervisor :
>>
>> [root@xenserver-dlghbuxq ~]# iptables -nL
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain FORWARD (policy ACCEPT)
>> target     prot opt source               destination
>> BRIDGE-FIREWALL  all  --  0.0.0.0/0            0.0.0.0/0 PHYSDEV match --physdev-is-bridged
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth1 --physdev-is-bridged
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth0 --physdev-is-bridged
>> DROP       all  --  0.0.0.0/0            0.0.0.0/0
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain BRIDGE-DEFAULT-FIREWALL (1 references)
>> target     prot opt source               destination
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged udp spt:68 dpt:67
>> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged udp spt:67 dpt:68
>>
>> Chain BRIDGE-FIREWALL (1 references)
>> target     prot opt source               destination
>> BRIDGE-DEFAULT-FIREWALL  all  --  0.0.0.0/0 0.0.0.0/0
>> i-2-7-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif21.0 --physdev-is-bridged
>> i-3-8-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged
>> r-4-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif19.0 --physdev-is-bridged
>> r-4-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif19.1 --physdev-is-bridged
>> s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.2 --physdev-is-bridged
>> s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.0 --physdev-is-bridged
>> s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.1 --physdev-is-bridged
>> s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.3 --physdev-is-bridged
>> v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif17.2 --physdev-is-bridged
>> v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif17.0 --physdev-is-bridged
>> v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif17.1 --physdev-is-bridged
>> v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif17.1 --physdev-is-bridged
>> v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif17.0 --physdev-is-bridged
>> v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif17.2 --physdev-is-bridged
>> s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif18.3 --physdev-is-bridged
>> s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif18.1 --physdev-is-bridged
>> s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif18.0 --physdev-is-bridged
>> s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif18.2 --physdev-is-bridged
>> r-4-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif19.1 --physdev-is-bridged
>> r-4-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif19.0 --physdev-is-bridged
>> i-3-8-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif20.0 --physdev-is-bridged
>> i-2-7-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif21.0 --physdev-is-bridged
>>
>> Chain L (0 references)
>> target     prot opt source               destination
>>
>> Chain RH-Firewall-1-INPUT (0 references)
>> target     prot opt source               destination
>>
>> Chain i-2-7-VM (1 references)
>> target     prot opt source               destination
>> DROP       all  --  0.0.0.0/0            0.0.0.0/0
>>
>> Chain i-2-7-VM-eg (1 references)
>> target     prot opt source               destination
>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
>>
>> Chain i-2-7-def (2 references)
>> target     prot opt source               destination
>> RETURN     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif21.0 --physdev-is-bridged set i-2-7-VM src udp dpt:53
>> DROP       all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif21.0 --physdev-is-bridged !set i-2-7-VM src
>> DROP       all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif21.0 --physdev-is-bridged !set i-2-7-VM dst
>> i-2-7-VM-eg  all  --  0.0.0.0/0            0.0.0.0/0 PHYSDEV match --physdev-in vif21.0 --physdev-is-bridged set i-2-7-VM src
>> i-2-7-VM   all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif21.0 --physdev-is-bridged
>>
>> Chain i-3-8-VM (1 references)
>> target     prot opt source               destination
>> DROP       all  --  0.0.0.0/0            0.0.0.0/0
>>
>> Chain i-3-8-VM-eg (1 references)
>> target     prot opt source               destination
>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
>>
>> Chain i-3-8-def (2 references)
>> target     prot opt source               destination
>> RETURN     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged set i-3-8-VM src udp dpt:53
>> DROP       all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged !set i-3-8-VM src
>> DROP       all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif20.0 --physdev-is-bridged !set i-3-8-VM dst
>> i-3-8-VM-eg  all  --  0.0.0.0/0            0.0.0.0/0 PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged set i-3-8-VM src
>> i-3-8-VM   all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif20.0 --physdev-is-bridged
>>
>> Chain r-4-VM (4 references)
>> target     prot opt source               destination
>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif19.0 --physdev-is-bridged
>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif19.1 --physdev-is-bridged
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>>
>> Chain s-6-VM (8 references)
>> target     prot opt source               destination
>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.2 --physdev-is-bridged
>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.0 --physdev-is-bridged
>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.1 --physdev-is-bridged
>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.3 --physdev-is-bridged
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>>
>> Chain v-2-VM (6 references)
>> target     prot opt source               destination
>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif17.2 --physdev-is-bridged
>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif17.0 --physdev-is-bridged
>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif17.1 --physdev-is-bridged
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>>
>>
>> *[root@xenserver-dlghbuxq ~]# ebtables -L*
>> Bridge table: filter
>>
>> Bridge chain: INPUT, entries: 0, policy: ACCEPT
>>
>> Bridge chain: FORWARD, entries: 5, policy: ACCEPT
>> -j DEFAULT_EBTABLES
>> -i vif21.0 -j i-2-7-VM
>> -i vif20.0 -j i-3-8-VM
>> -o vif20.0 -j i-3-8-VM
>> -o vif21.0 -j i-2-7-VM
>>
>> Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
>>
>> Bridge chain: DEFAULT_EBTABLES, entries: 12, policy: ACCEPT
>> -p IPv4 --ip-dst 255.255.255.255 --ip-proto udp --ip-dport 67 -j ACCEPT
>> -p IPv4 --ip-dst 255.255.255.255 --ip-proto udp --ip-dport 68 -j ACCEPT
>> -p ARP --arp-op Request -j ACCEPT
>> -p ARP --arp-op Reply -j ACCEPT
>> -p IPv4 -d Broadcast -j DROP
>> -p IPv4 -d Multicast -j DROP
>> -p IPv4 --ip-dst 255.255.255.255 -j DROP
>> -p IPv4 --ip-dst 224.0.0.0/4 -j DROP
>> -p IPv4 -j RETURN
>> -p IPv6 -j DROP
>> -p 802_1Q -j DROP
>> -j DROP
>>
>> Bridge chain: i-3-8-VM, entries: 2, policy: ACCEPT
>> -p IPv4 -i vif20.0 --ip-proto udp --ip-dport 68 -j DROP
>> -p IPv4 -o vif20.0 --ip-proto udp --ip-dport 67 -j DROP
>>
>> Bridge chain: i-2-7-VM, entries: 2, policy: ACCEPT
>> -p IPv4 -i vif21.0 --ip-proto udp --ip-dport 68 -j DROP
>> -p IPv4 -o vif21.0 --ip-proto udp --ip-dport 67 -j DROP
>>
>>
>> *[root@xenserver-dlghbuxq ~]# ipset -L*
>> Name: i-3-8-VM
>> Type: iphash
>> References: 4
>> Header: hashsize: 1024 probes: 8 resize: 50
>> Members:
>> 192.168.253.66
>>
>> Name: i-2-7-VM
>> Type: iphash
>> References: 4
>> Header: hashsize: 1024 probes: 8 resize: 50
>> Members:
>> 192.168.253.68
>>
>>
>>
>>
>>
>>
>>
>> -- 
>> Thanks,
>> Jijun
>>


-- 
Thanks,
Jijun


Re: [Questions]: Basic Zone Security Group problem?

Posted by Jayapal Reddy Uradi <ja...@citrix.com>.
Hi,

The rules look as expected.
Ingress traffic to the VM should be blocked.

Can you run 'iptables -L -nv' and check which rules are accepting the ingress traffic?

Thanks,
Jayapal
On 30-Aug-2013, at 7:41 AM, Jijun <ji...@gmail.com> wrote:

> i clone branch 4.2 code, package and do a  fresh installation.
> 
> hypervisor : xenserver 6.2 change  openvswitch to bridge.
> 
> add basic zone ,security group enabeld.
> 
> create a new vm , default security group
> 
> the previous version  document   said the ingress will be blocked by default.  but in my test, the network in and out are all allowed.
> so strange.
> 
> is it a bug ?
> 
> iptable rule in hypervisor :
> 
> [root@xenserver-dlghbuxq ~]# iptables -nL
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> BRIDGE-FIREWALL  all  --  0.0.0.0/0            0.0.0.0/0 PHYSDEV match --physdev-is-bridged
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth1 --physdev-is-bridged
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth0 --physdev-is-bridged
> DROP       all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain BRIDGE-DEFAULT-FIREWALL (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged udp spt:68 dpt:67
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged udp spt:67 dpt:68
> 
> Chain BRIDGE-FIREWALL (1 references)
> target     prot opt source               destination
> BRIDGE-DEFAULT-FIREWALL  all  --  0.0.0.0/0 0.0.0.0/0
> i-2-7-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif21.0 --physdev-is-bridged
> i-3-8-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged
> r-4-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif19.0 --physdev-is-bridged
> r-4-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif19.1 --physdev-is-bridged
> s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.2 --physdev-is-bridged
> s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.0 --physdev-is-bridged
> s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.1 --physdev-is-bridged
> s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.3 --physdev-is-bridged
> v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif17.2 --physdev-is-bridged
> v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif17.0 --physdev-is-bridged
> v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif17.1 --physdev-is-bridged
> v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif17.1 --physdev-is-bridged
> v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif17.0 --physdev-is-bridged
> v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif17.2 --physdev-is-bridged
> s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif18.3 --physdev-is-bridged
> s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif18.1 --physdev-is-bridged
> s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif18.0 --physdev-is-bridged
> s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif18.2 --physdev-is-bridged
> r-4-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif19.1 --physdev-is-bridged
> r-4-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif19.0 --physdev-is-bridged
> i-3-8-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif20.0 --physdev-is-bridged
> i-2-7-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif21.0 --physdev-is-bridged
> 
> Chain L (0 references)
> target     prot opt source               destination
> 
> Chain RH-Firewall-1-INPUT (0 references)
> target     prot opt source               destination
> 
> Chain i-2-7-VM (1 references)
> target     prot opt source               destination
> DROP       all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain i-2-7-VM-eg (1 references)
> target     prot opt source               destination
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain i-2-7-def (2 references)
> target     prot opt source               destination
> RETURN     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif21.0 --physdev-is-bridged set i-2-7-VM src udp dpt:53
> DROP       all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif21.0 --physdev-is-bridged !set i-2-7-VM src
> DROP       all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif21.0 --physdev-is-bridged !set i-2-7-VM dst
> i-2-7-VM-eg  all  --  0.0.0.0/0            0.0.0.0/0 PHYSDEV match --physdev-in vif21.0 --physdev-is-bridged set i-2-7-VM src
> i-2-7-VM   all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif21.0 --physdev-is-bridged
> 
> Chain i-3-8-VM (1 references)
> target     prot opt source               destination
> DROP       all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain i-3-8-VM-eg (1 references)
> target     prot opt source               destination
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain i-3-8-def (2 references)
> target     prot opt source               destination
> RETURN     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged set i-3-8-VM src udp dpt:53
> DROP       all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged !set i-3-8-VM src
> DROP       all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif20.0 --physdev-is-bridged !set i-3-8-VM dst
> i-3-8-VM-eg  all  --  0.0.0.0/0            0.0.0.0/0 PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged set i-3-8-VM src
> i-3-8-VM   all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif20.0 --physdev-is-bridged
> 
> Chain r-4-VM (4 references)
> target     prot opt source               destination
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif19.0 --physdev-is-bridged
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif19.1 --physdev-is-bridged
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain s-6-VM (8 references)
> target     prot opt source               destination
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.2 --physdev-is-bridged
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.0 --physdev-is-bridged
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.1 --physdev-is-bridged
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.3 --physdev-is-bridged
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain v-2-VM (6 references)
> target     prot opt source               destination
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif17.2 --physdev-is-bridged
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif17.0 --physdev-is-bridged
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif17.1 --physdev-is-bridged
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> 
> 
> *[root@xenserver-dlghbuxq ~]# ebtables -L*
> Bridge table: filter
> 
> Bridge chain: INPUT, entries: 0, policy: ACCEPT
> 
> Bridge chain: FORWARD, entries: 5, policy: ACCEPT
> -j DEFAULT_EBTABLES
> -i vif21.0 -j i-2-7-VM
> -i vif20.0 -j i-3-8-VM
> -o vif20.0 -j i-3-8-VM
> -o vif21.0 -j i-2-7-VM
> 
> Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
> 
> Bridge chain: DEFAULT_EBTABLES, entries: 12, policy: ACCEPT
> -p IPv4 --ip-dst 255.255.255.255 --ip-proto udp --ip-dport 67 -j ACCEPT
> -p IPv4 --ip-dst 255.255.255.255 --ip-proto udp --ip-dport 68 -j ACCEPT
> -p ARP --arp-op Request -j ACCEPT
> -p ARP --arp-op Reply -j ACCEPT
> -p IPv4 -d Broadcast -j DROP
> -p IPv4 -d Multicast -j DROP
> -p IPv4 --ip-dst 255.255.255.255 -j DROP
> -p IPv4 --ip-dst 224.0.0.0/4 -j DROP
> -p IPv4 -j RETURN
> -p IPv6 -j DROP
> -p 802_1Q -j DROP
> -j DROP
> 
> Bridge chain: i-3-8-VM, entries: 2, policy: ACCEPT
> -p IPv4 -i vif20.0 --ip-proto udp --ip-dport 68 -j DROP
> -p IPv4 -o vif20.0 --ip-proto udp --ip-dport 67 -j DROP
> 
> Bridge chain: i-2-7-VM, entries: 2, policy: ACCEPT
> -p IPv4 -i vif21.0 --ip-proto udp --ip-dport 68 -j DROP
> -p IPv4 -o vif21.0 --ip-proto udp --ip-dport 67 -j DROP
> 
> 
> *[root@xenserver-dlghbuxq ~]# ipset -L*
> Name: i-3-8-VM
> Type: iphash
> References: 4
> Header: hashsize: 1024 probes: 8 resize: 50
> Members:
> 192.168.253.66
> 
> Name: i-2-7-VM
> Type: iphash
> References: 4
> Header: hashsize: 1024 probes: 8 resize: 50
> Members:
> 192.168.253.68
> 
> 
> 
> 
> 
> 
> 
> -- 
> Thanks,
> Jijun
>