


security group and neutron

Hi, in my lab everything seems to be set up right, but when I change the rules of a security group, nothing happens to my virtual world, even though the iptables rules are refreshed.

root@node1:/images# nova secgroup-list-rules default
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 34123     | 34123   | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+


    root@compute1:/# iptables -S | grep tap 
    -A neutron-openvswi-FORWARD -m physdev --physdev-out tap827be275-62 --physdev-is-bridged -j neutron-openvswi-sg-chain
    -A neutron-openvswi-FORWARD -m physdev --physdev-in tap827be275-62 --physdev-is-bridged -j neutron-openvswi-sg-chain
    -A neutron-openvswi-INPUT -m physdev --physdev-in tap827be275-62 --physdev-is-bridged -j neutron-openvswi-o827be275-6
    -A neutron-openvswi-sg-chain -m physdev --physdev-out tap827be275-62 --physdev-is-bridged -j neutron-openvswi-i827be275-6
    -A neutron-openvswi-sg-chain -m physdev --physdev-in tap827be275-62 --physdev-is-bridged -j neutron-openvswi-o827be275-6
    root@compute1:/# 




-A neutron-openvswi-i827be275-6 -m state --state INVALID -j DROP
-A neutron-openvswi-i827be275-6 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-i827be275-6 -p tcp -m tcp --dport 34123 -j RETURN
-A neutron-openvswi-i827be275-6 -s 192.168.17.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-i827be275-6 -j neutron-openvswi-sg-fallback

-A neutron-openvswi-o827be275-6 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-o827be275-6 -j neutron-openvswi-s827be275-6
-A neutron-openvswi-o827be275-6 -p udp -m udp --sport 67 --dport 68 -j DROP
-A neutron-openvswi-o827be275-6 -m state --state INVALID -j DROP
-A neutron-openvswi-o827be275-6 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-o827be275-6 -j RETURN
-A neutron-openvswi-o827be275-6 -j neutron-openvswi-sg-fallback

-A neutron-openvswi-s827be275-6 -s 192.168.17.4/32 -m mac --mac-source FA:16:3E:AC:B2:CE -j RETURN
-A neutron-openvswi-s827be275-6 -j DROP
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap827be275-62 --physdev-is-bridged -j neutron-openvswi-i827be275-6
-A neutron-openvswi-sg-chain -m physdev --physdev-in tap827be275-62 --physdev-is-bridged -j neutron-openvswi-o827be275-6
-A neutron-openvswi-sg-chain -j ACCEPT
-A neutron-openvswi-sg-fallback -j DROP


-A neutron-openvswi-sg-fallback -j DROP


tcpdump -ni tap827be275-62


5:30:23.002123 IP x.x.x.108.59772 > 192.168.17.4.3389: Flags [P.], seq 2044:2055, ack 462733, win 65535, options [nop,nop,TS val 1110034546 ecr 216391], length 11
15:30:23.002572 IP x.x.x.108.59772 > 192.168.17.4.3389: Flags [F.], seq 2055, ack 462733, win 65535, options [nop,nop,TS val 1110034546 ecr 216391], length 0
15:30:23.002832 IP 192.168.17.4.3389 > x.x.x.108.59772: Flags [.], ack 2056, win 63598, options [nop,nop,TS val 216392 ecr 1110034546], length 0
15:30:23.005367 IP x.x.x.108.59772 > 192.168.17.4.3389: Flags [.], ack 462733, win 65535, options [nop,nop,TS val 1110034548 ecr 216392], length 0
15:30:23.009478 IP 192.168.17.4.3389 > x.x.x.108.59772: Flags [R.], seq 462733, ack 2056, win 0, length 0
15:30:24.832224 IP6 fe80::24ff:e3cb:d8c7:c3.546 > ff02::1:2.547: dhcp6 solicit
15:30:32.847985 IP6 fe80::24ff:e3cb:d8c7:c3.546 > ff02::1:2.547: dhcp6 solicit
15:30:38.358002 IP x.x.x.108 > 192.168.17.4: ICMP echo request, id 45131, seq 0, length 64
15:30:38.358275 IP 192.168.17.4 > x.x.x.108: ICMP echo reply, id 45131, seq 0, length 64
15:30:39.360882 IP x.x.x.108 > 192.168.17.4: ICMP echo request, id 45131, seq 1, length 64
15:30:39.361186 IP 192.168.17.4 > x.x.x.108: ICMP echo reply, id 45131, seq 1, length 64

I can still connect to port 3389 and ping, even though the security group only allows TCP 34123.

Any idea? I hope I'm just too tired on a Friday evening... ;-)

security group and neutron

Hi, in my lab everything seems to be set up right, but when I change the rules of a security group, nothing happens to my virtual world, even though the iptables rules are refreshed. I use port 34123 only to see whether anything changes in iptables.

root@node1:/images# nova secgroup-list-rules default
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 34123     | 34123   | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+


    root@compute1:/# iptables -S | grep tap 
    -A neutron-openvswi-FORWARD -m physdev --physdev-out tap827be275-62 --physdev-is-bridged -j neutron-openvswi-sg-chain
    -A neutron-openvswi-FORWARD -m physdev --physdev-in tap827be275-62 --physdev-is-bridged -j neutron-openvswi-sg-chain
    -A neutron-openvswi-INPUT -m physdev --physdev-in tap827be275-62 --physdev-is-bridged -j neutron-openvswi-o827be275-6
    -A neutron-openvswi-sg-chain -m physdev --physdev-out tap827be275-62 --physdev-is-bridged -j neutron-openvswi-i827be275-6
    -A neutron-openvswi-sg-chain -m physdev --physdev-in tap827be275-62 --physdev-is-bridged -j neutron-openvswi-o827be275-6
    root@compute1:/# 




-A neutron-openvswi-i827be275-6 -m state --state INVALID -j DROP
-A neutron-openvswi-i827be275-6 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-i827be275-6 -p tcp -m tcp --dport 34123 -j RETURN
-A neutron-openvswi-i827be275-6 -s 192.168.17.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-i827be275-6 -j neutron-openvswi-sg-fallback

-A neutron-openvswi-o827be275-6 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-o827be275-6 -j neutron-openvswi-s827be275-6
-A neutron-openvswi-o827be275-6 -p udp -m udp --sport 67 --dport 68 -j DROP
-A neutron-openvswi-o827be275-6 -m state --state INVALID -j DROP
-A neutron-openvswi-o827be275-6 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-o827be275-6 -j RETURN
-A neutron-openvswi-o827be275-6 -j neutron-openvswi-sg-fallback

-A neutron-openvswi-s827be275-6 -s 192.168.17.4/32 -m mac --mac-source FA:16:3E:AC:B2:CE -j RETURN
-A neutron-openvswi-s827be275-6 -j DROP
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap827be275-62 --physdev-is-bridged -j neutron-openvswi-i827be275-6
-A neutron-openvswi-sg-chain -m physdev --physdev-in tap827be275-62 --physdev-is-bridged -j neutron-openvswi-o827be275-6
-A neutron-openvswi-sg-chain -j ACCEPT
-A neutron-openvswi-sg-fallback -j DROP


-A neutron-openvswi-sg-fallback -j DROP


tcpdump -ni tap827be275-62


5:30:23.002123 IP x.x.x.108.59772 > 192.168.17.4.3389: Flags [P.], seq 2044:2055, ack 462733, win 65535, options [nop,nop,TS val 1110034546 ecr 216391], length 11
15:30:23.002572 IP x.x.x.108.59772 > 192.168.17.4.3389: Flags [F.], seq 2055, ack 462733, win 65535, options [nop,nop,TS val 1110034546 ecr 216391], length 0
15:30:23.002832 IP 192.168.17.4.3389 > x.x.x.108.59772: Flags [.], ack 2056, win 63598, options [nop,nop,TS val 216392 ecr 1110034546], length 0
15:30:23.005367 IP x.x.x.108.59772 > 192.168.17.4.3389: Flags [.], ack 462733, win 65535, options [nop,nop,TS val 1110034548 ecr 216392], length 0
15:30:23.009478 IP 192.168.17.4.3389 > x.x.x.108.59772: Flags [R.], seq 462733, ack 2056, win 0, length 0
15:30:24.832224 IP6 fe80::24ff:e3cb:d8c7:c3.546 > ff02::1:2.547: dhcp6 solicit
15:30:32.847985 IP6 fe80::24ff:e3cb:d8c7:c3.546 > ff02::1:2.547: dhcp6 solicit
15:30:38.358002 IP x.x.x.108 > 192.168.17.4: ICMP echo request, id 45131, seq 0, length 64
15:30:38.358275 IP 192.168.17.4 > x.x.x.108: ICMP echo reply, id 45131, seq 0, length 64
15:30:39.360882 IP x.x.x.108 > 192.168.17.4: ICMP echo request, id 45131, seq 1, length 64
15:30:39.361186 IP 192.168.17.4 > x.x.x.108: ICMP echo reply, id 45131, seq 1, length 64

I can still connect to port 3389 and ping, even though the security group only allows TCP 34123.

Any idea? I hope I'm just too tired on a Friday evening... ;-)