Ask Your Question
0

rules not working properly on security groups

asked 2016-01-05 23:28:27 -0600

Basivireddy gravatar image

updated 2016-01-06 22:45:10 -0600

Bipin gravatar image

I did not apply the ICMP rule but I am able to ping the vm.

 [root@n42-poweredge-3 ~]# iptables -S | grep tap607c43ff-13

-A neutron-openvswi-FORWARD -m physdev --physdev-out tap607c43ff-13 --physdev-is-bridged -j neutron-openvswi-sg-chain

-A neutron-openvswi-FORWARD -m physdev --physdev-in tap607c43ff-13 --physdev-is-bridged -j neutron-openvswi-sg-chain

-A neutron-openvswi-INPUT -m physdev --physdev-in tap607c43ff-13 --physdev-is-bridged -j neutron-openvswi-o607c43ff-1

-A neutron-openvswi-sg-chain -m physdev --physdev-out tap607c43ff-13 --physdev-is-bridged -j neutron-openvswi-i607c43ff-1

-A neutron-openvswi-sg-chain -m physdev --physdev-in tap607c43ff-13 --physdev-is-bridged -j neutron-openvswi-o607c43ff-1

 [root@n42-poweredge-3 ~]# iptables -s neutron-openvswi-i607c43ff-1

iptables v1.4.21: no command specified

Try `iptables -h' or 'iptables --help' for more information.

[root@n42-poweredge-3 ~]# iptables -L neutron-openvswi-i607c43ff-1

Chain neutron-openvswi-i607c43ff-1 (1 references)

target     prot opt source               destination

DROP       all  --  anywhere             anywhere             state INVALID

RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

RETURN     udp  --  10.10.10.3           anywhere             udp spt:bootps dpt:bootpc

RETURN     tcp  --  10.0.0.0/24          anywhere             tcp multiport dports tcpmux:65535

neutron-openvswi-sg-fallback  all  --  anywhere             anywhere



[root@n42-poweredge-3 ~]# iptables -L neutron-openvswi-o607c43ff-1

Chain neutron-openvswi-o607c43ff-1 (2 references)

target     prot opt source               destination

RETURN     udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps

neutron-openvswi-s607c43ff-1  all  --  anywhere             anywhere

DROP       udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc

DROP       all  --  anywhere             anywhere             state INVALID

RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

RETURN     tcp  --  anywhere             10.0.0.0/24          tcp multiport dports tcpmux:65535

neutron-openvswi-sg-fallback  all  --  anywhere             anywhere

> [root@n42-poweredge-3 ~]# iptables -L neutron-openvswi-s607c43ff-1

Chain neutron-openvswi-s607c43ff-1 (1 references)

target     prot opt source               destination

RETURN     all  --  10.10.10.7           anywhere             MAC FA:16:3E:B9:47:3B

DROP       all  --  anywhere             anywhere
edit retag flag offensive close merge delete
add a comment

1 answer

Sort by ยป oldest newest most voted
0

answered 2016-01-06 23:10:01 -0600

Prateek K gravatar image

updated 2016-01-06 23:10:37 -0600

Hmm... this is strange , what my wild guess would be to check the configurations files of neutron and see weather the firewall variable has been set correctly in security groups sections:-

[securitygroup]

enable_security_group = True

enable_ipset = True

firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

Let me know how it goes

edit flag offensive delete link more

Comments

I am using Same drivers.I follow the this installation guide.http://docs.openstack.org/juno/install-guide/install/yum/content/

Basivireddy gravatar imageBasivireddy ( 2016-01-07 23:30:59 -0600 )edit
add a comment

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2016-01-05 23:28:27 -0600

Seen: 723 times

Last updated: Jan 06 '16

Related questions

Detaching and attaching security group resolved the VM accessibility issue, HOW?

Load Balancer only uses default SG

Why its mandatory to provide security group during VM creation but its allowed to modify a VM and remove all the security group

Problem with Security Groups JSON - Is this a bug?

How can I specify a customised Security Group when creating tenant? [closed]

Security Group Not Working [closed]

How to change default security group ?

ERROR (HTTPNotImplemented): Network driver does not support this function. (HTTP 501) message seen on running the "nova secgroup-list-default-rules" command

Export Security Group across Tenants

Problem with my security group json, is this a bug?