Posted to users@cloudstack.apache.org by Jeroen Keerl <je...@keerl-it.com> on 2016/09/21 20:13:03 UTC

SecurityGroup - not working?

Hi,

I had a few things configured on ACS – Basic Zone – Security Groups.
Setup: 2 Citrix 6.5 hosts, Mgmt server under CentOS 6.8.
Basic Networking, VMs created from template, also CentOS 6.8

At first (default, first VM test) I could not log in using SSH.
Then I created the appropriate ingress rule and all was ok.
Same with ICMP (Ping) for 0.0.0.0/0
Now I wanted to test a few things in my test environment and removed these rules, actually expecting that neither SSH nor ping would go through anymore.

Unfortunately they do, so apparently rules once set are not revoked upon deletion.
I would expect nothing to come through, if no ingress rules are set, no matter what iptables on the VM itself does.

Tests:
- Delete all ingress rules (ping, SSH and webmin (TCP 10000))
- Disable iptables on VM
⇨ Ping, ssh went through, Webmin didn’t.
- Enable iptables on VM
⇨ Ping and ssh went through
- Insert ingress rule for webmin, iptables still enabled
⇨ Webmin times out (expected behaviour)
- Disable iptables
⇨ Webmin works

In the documentation you are pointed towards “The procedure is described in Basic Zone Configuration in the Advanced Installation Guide.”
(Managing Networks and Traffic – Enabling Security Groups)
Searched for it on the Apache Site: Not found.
Google gave me the “Advanced Installation Guide” from Citrix, Version 3.*.* … in which you are directed to the administration guide.
Not really helpful!

Does anybody know about this / experienced something like this before?





Jeroen Keerl


Keerl IT Services GmbH
Birkenstraße 1b . 21521 Aumühle

+49 177 6320 317

www.keerl-it.com
info@keerl-it.com

Managing Director: Jacobus J. Keerl
Register court Lübeck, HRB no. 14511

Our general terms and conditions can be found here.



Re: SecurityGroup - not working?

Posted by Vivek Kumar <vi...@indiqus.com>.
Hello Jeroen,

When you set up a Basic Zone in CloudStack with XenServer you need to change
a few things in your XenServer.

1- *xe-switch-network-backend bridge* (I hope you have already done this).
2- You also need to make some changes in the sysctl conf file for security
groups.

Make the changes below in /etc/sysctl.conf on the XenServer host:

net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-arptables = 1

and run this command

# sysctl -p /etc/sysctl.conf

I hope this will work.

*Vivek Kumar*
Virtualization and Cloud Consultant

IndiQus Technologies Pvt Ltd
A-98, LGF, C.R.Park, New Delhi - 110019
O +91 11 4055 1411 | M +91 7503460090
www.indiqus.com <http://www.indiqus.com/>



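As an added example (not code from this thread, from CloudStack or from XenServer): a small POSIX sh check that audits a sysctl-style file against the three bridge-netfilter values Vivek recommends. If bridge-nf-call-iptables is off, the host's iptables never sees bridged guest traffic, so security group rules cannot be enforced no matter what the management server thinks it has pushed; this check makes that drift visible before the rules are trusted. The sample /etc/sysctl.conf content is constructed.

```shell
#!/bin/sh
# Expected bridge-netfilter settings (the values from Vivek's reply).
EXPECTED='net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-arptables=1'

# check_bridge_nf FILE
# FILE holds sysctl-style "key = value" lines, e.g. /etc/sysctl.conf or
# saved `sysctl -a` output. Prints one line per key that is missing or
# differs; returns 0 when all three keys match, 1 otherwise.
check_bridge_nf() {
    file="$1"
    rc=0
    for pair in $EXPECTED; do
        key="${pair%%=*}"
        want="${pair#*=}"
        # Escape dots so the key is matched literally by sed.
        esc=$(printf '%s' "$key" | sed 's/\./\\./g')
        # Ignore comment lines; the last occurrence wins, as sysctl applies
        # lines in order. Whitespace around '=' is tolerated.
        have=$(grep -v '^[[:space:]]*#' "$file" 2>/dev/null \
            | sed -n "s/^[[:space:]]*$esc[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" \
            | tail -n 1)
        if [ -z "$have" ]; then
            echo "MISSING $key (want $want)"
            rc=1
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $key=$have (want $want)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a host where bridge filtering was never switched on.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Kernel sysctl configuration file (constructed sample)
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
EOF

if check_bridge_nf "$SAMPLE"; then
    echo "bridge-nf settings OK"
else
    echo "bridge-nf settings need fixing: edit /etc/sysctl.conf, then sysctl -p"
fi
rm -f "$SAMPLE"
```

Run it against the real /etc/sysctl.conf (or `sysctl -a > /tmp/sysctl.out` and check that file) to confirm the running kernel matches, since a correct conf file that was never loaded with `sysctl -p` still leaves the bridge unfiltered.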