Do you have security groups enabled? If so, you'll need to set up rules to allow for ingress traffic.
On Mon, Feb 11, 2013 at 1:24 PM, Noel King <[email protected]> wrote:

> Hi
>
> I have set up KVM hosts for CloudStack 4 using the details in the
> installation guide
>
> http://incubator.apache.org/cloudstack/docs/en-US/Apache_CloudStack/4.0.0-incubating/html-single/Installation_Guide/index.html#hypervisor-kvm-install-flow
>
> This setup includes iptables configuration. However, after creating VMs on
> that host, they are blocked unless I directly ssh from that KVM host machine.
> This means all external machines, including other KVM host VMs, cannot
> connect either.
>
> After a VM is created on this host the iptables configuration is changed to
> the following state (below), which is preventing non-local access to the
> VM.
>
> Any insight as to how CloudStack's updating of iptables is preventing
> connectivity would be greatly appreciated.
>
> Kind regards,
>
> Noel
>
> IPTABLES STATE AFTER VM CREATED
> =============================================
>
> Table: filter
> Chain INPUT (policy ACCEPT)
> num target prot opt source destination
> 1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:49152:49216
> 2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:5900:6100
> 3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:16509
> 4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1798
> 5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
>
> Chain FORWARD (policy ACCEPT)
> num target prot opt source destination
> 1 BF-cloudbr0 all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged
> 2 BF-cloudbr0 all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged
> 3 DROP all -- 0.0.0.0/0 0.0.0.0/0
> 4 DROP all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> num target prot opt source destination
>
> Chain BF-cloudbr0 (2 references)
> num target prot opt source destination
> 1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 2 BF-cloudbr0-IN all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-in --physdev-is-bridged
> 3 BF-cloudbr0-OUT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-out --physdev-is-bridged
> 4 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out eth0 --physdev-is-bridged
>
> Chain BF-cloudbr0-IN (1 references)
> num target prot opt source destination
> 1 i-1-659-def all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 --physdev-is-bridged
>
> Chain BF-cloudbr0-OUT (1 references)
> num target prot opt source destination
> 1 i-1-659-def all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vnet0 --physdev-is-bridged
>
> Chain i-1-659-VM (1 references)
> num target prot opt source destination
> 1 DROP all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain i-1-659-VM-eg (1 references)
> num target prot opt source destination
> 1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain i-1-659-def (2 references)
> num target prot opt source destination
> 1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 2 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 --physdev-is-bridged udp spt:68 dpt:67
> 3 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vnet0 --physdev-is-bridged udp spt:67 dpt:68
> 4 RETURN udp -- 172.18.48.213 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 --physdev-is-bridged udp dpt:53
> 5 i-1-659-VM-eg all -- 172.18.48.213 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 --physdev-is-bridged
> 6 i-1-659-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vnet0 --physdev-is-bridged
>
> Table: nat
> Chain PREROUTING (policy ACCEPT)
> num target prot opt source destination
>
> Chain POSTROUTING (policy ACCEPT)
> num target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> num target prot opt source destination
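
One way to spot the condition the reply points at, as an added example that is not part of the original thread: the script parses a listing in the layout quoted above and reports per-VM ingress chains that hold no ACCEPT rule, so every new inbound connection falls through to DROP. The chain-name pattern is an assumption taken from the `i-1-659-VM` name in the post, and the `i-1-700-VM` chain in the sample is constructed for contrast.

```python
import re

# Constructed sample in the layout of the listing quoted above.
# i-1-659-VM and i-1-659-VM-eg are as posted; i-1-700-VM is made up for contrast.
SAMPLE = """\
Chain i-1-659-VM (1 references)
num  target     prot opt source               destination
1    DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain i-1-659-VM-eg (1 references)
num  target     prot opt source               destination
1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain i-1-700-VM (1 references)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
2    DROP       all  --  0.0.0.0/0            0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
RULE_RE = re.compile(r"^\d+\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s*(.*)$")
# Assumption: per-VM ingress chains are named like i-1-659-VM, as in the post.
VM_INGRESS_RE = re.compile(r"^i-\d+-\d+-VM$")

def parse_chains(listing):
    """Return {chain: [(target, prot, source, dest, match), ...]}."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = chains.setdefault(m.group(1), [])
            continue
        m = RULE_RE.match(line.strip())  # header and blank lines do not match
        if m and current is not None:
            current.append(m.groups())
    return chains

def ingress_summary(listing):
    """Map each per-VM ingress chain to the ACCEPT rules it contains."""
    out = {}
    for name, rules in parse_chains(listing).items():
        if VM_INGRESS_RE.match(name):
            out[name] = [f"{p} {s} {m}".strip() for t, p, s, d, m in rules if t == "ACCEPT"]
    return out

def blocked_vms(listing):
    """Chains with no ACCEPT rule: every new inbound connection hits DROP."""
    return sorted(n for n, allowed in ingress_summary(listing).items() if not allowed)

print(blocked_vms(SAMPLE))
```
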
