Re: [Questions]: Basic Zone Securiy Group problem?

Jijun Thu, 29 Aug 2013 23:44:11 -0700

thank you very much.

the rule looks good, but so strange, i can ping the two guest vms [i-2-7-VM, i-3-8-VM] on my work host.



[ranger@ranger cloudstack]$ ping 192.168.253.66
PING 192.168.253.66 (192.168.253.66) 56(84) bytes of data.
64 bytes from 192.168.253.66: icmp_seq=1 ttl=59 time=4.40 ms
^C
--- 192.168.253.66 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.406/4.406/4.406/0.000 ms
[ranger@ranger cloudstack]$ ping 192.168.253.68
PING 192.168.253.68 (192.168.253.68) 56(84) bytes of data.
64 bytes from 192.168.253.68: icmp_seq=1 ttl=59 time=1.20 ms
^C
--- 192.168.253.68 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.201/1.201/1.201/0.000 ms



[root@xenserver-dlghbuxq ~]# iptables -L -nv
Chain INPUT (policy ACCEPT 3354K packets, 2026M bytes)

pkts bytes target prot opt in out sourcedestination


Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target prot opt in out sourcedestination0 0 BRIDGE-FIREWALL all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-is-bridged0 0 ACCEPT all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-out eth1 --physdev-is-bridged0 0 ACCEPT all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-out eth0 --physdev-is-bridged

    0     0 DROP       all  --  *      * 0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 2741K packets, 5547M bytes)

pkts bytes target prot opt in out sourcedestination


Chain BRIDGE-DEFAULT-FIREWALL (1 references)

pkts bytes target prot opt in out sourcedestination0 0 ACCEPT all -- * * 0.0.0.0/00.0.0.0/0 state RELATED,ESTABLISHED0 0 ACCEPT udp -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-is-bridged udp spt:68 dpt:670 0 ACCEPT udp -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-is-bridged udp spt:67 dpt:68


Chain BRIDGE-FIREWALL (1 references)

pkts bytes target prot opt in out sourcedestination0 0 BRIDGE-DEFAULT-FIREWALL all -- * *0.0.0.0/0 0.0.0.0/00 0 i-2-7-def all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-in vif21.0 --physdev-is-bridged0 0 i-3-8-def all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged0 0 r-4-VM all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-in vif19.0 --physdev-is-bridged0 0 r-4-VM all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-in vif19.1 --physdev-is-bridged0 0 s-6-VM all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-in vif18.2 --physdev-is-bridged0 0 s-6-VM all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-in vif18.0 --physdev-is-bridged0 0 s-6-VM all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-in vif18.1 --physdev-is-bridged0 0 s-6-VM all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-in vif18.3 --physdev-is-bridged0 0 v-2-VM all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-in vif17.2 --physdev-is-bridged0 0 v-2-VM all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-in vif17.0 --physdev-is-bridged0 0 v-2-VM all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-in vif17.1 --physdev-is-bridged0 0 v-2-VM all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-out vif17.1--physdev-is-bridged0 0 v-2-VM all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-out vif17.0--physdev-is-bridged0 0 v-2-VM all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-out vif17.2--physdev-is-bridged0 0 s-6-VM all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-out vif18.3--physdev-is-bridged0 0 s-6-VM all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-out vif18.1--physdev-is-bridged0 0 s-6-VM all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-out vif18.0--physdev-is-bridged0 0 s-6-VM all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-out vif18.2--physdev-is-bridged0 0 r-4-VM all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-out vif19.1--physdev-is-bridged0 0 r-4-VM all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-out vif19.0--physdev-is-bridged0 0 i-3-8-def all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-out vif20.0--physdev-is-bridged0 0 i-2-7-def all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-out vif21.0--physdev-is-bridged


Chain L (0 references)

pkts bytes target prot opt in out sourcedestination


Chain RH-Firewall-1-INPUT (0 references)

pkts bytes target prot opt in out sourcedestination


Chain i-2-7-VM (1 references)

pkts bytes target prot opt in out sourcedestination

    0     0 DROP       all  --  *      * 0.0.0.0/0            0.0.0.0/0

Chain i-2-7-VM-eg (1 references)

pkts bytes target prot opt in out sourcedestination

    0     0 RETURN     all  --  *      * 0.0.0.0/0            0.0.0.0/0

Chain i-2-7-def (2 references)

pkts bytes target prot opt in out sourcedestination0 0 RETURN udp -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-in vif21.0--physdev-is-bridged set i-2-7-VM src udp dpt:530 0 DROP all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-in vif21.0--physdev-is-bridged !set i-2-7-VM src0 0 DROP all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-out vif21.0--physdev-is-bridged !set i-2-7-VM dst0 0 i-2-7-VM-eg all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-in vif21.0--physdev-is-bridged set i-2-7-VM src0 0 i-2-7-VM all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-out vif21.0--physdev-is-bridged


Chain i-3-8-VM (1 references)

pkts bytes target prot opt in out sourcedestination

    0     0 DROP       all  --  *      * 0.0.0.0/0            0.0.0.0/0

Chain i-3-8-VM-eg (1 references)

pkts bytes target prot opt in out sourcedestination

    0     0 RETURN     all  --  *      * 0.0.0.0/0            0.0.0.0/0

Chain i-3-8-def (2 references)

pkts bytes target prot opt in out sourcedestination0 0 RETURN udp -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-in vif20.0--physdev-is-bridged set i-3-8-VM src udp dpt:530 0 DROP all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-in vif20.0--physdev-is-bridged !set i-3-8-VM src0 0 DROP all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-out vif20.0--physdev-is-bridged !set i-3-8-VM dst0 0 i-3-8-VM-eg all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-in vif20.0--physdev-is-bridged set i-3-8-VM src0 0 i-3-8-VM all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-out vif20.0--physdev-is-bridged


Chain r-4-VM (4 references)

pkts bytes target prot opt in out sourcedestination0 0 RETURN all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-in vif19.0 --physdev-is-bridged0 0 RETURN all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-in vif19.1 --physdev-is-bridged

    0     0 ACCEPT     all  --  *      * 0.0.0.0/0            0.0.0.0/0

Chain s-6-VM (8 references)

pkts bytes target prot opt in out sourcedestination0 0 RETURN all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-in vif18.2 --physdev-is-bridged0 0 RETURN all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-in vif18.0 --physdev-is-bridged0 0 RETURN all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-in vif18.1 --physdev-is-bridged0 0 RETURN all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-in vif18.3 --physdev-is-bridged

    0     0 ACCEPT     all  --  *      * 0.0.0.0/0            0.0.0.0/0

Chain v-2-VM (6 references)

pkts bytes target prot opt in out sourcedestination0 0 RETURN all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-in vif17.2 --physdev-is-bridged0 0 RETURN all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-in vif17.0 --physdev-is-bridged0 0 RETURN all -- * * 0.0.0.0/00.0.0.0/0 PHYSDEV match --physdev-in vif17.1 --physdev-is-bridged

    0     0 ACCEPT     all  --  *      * 0.0.0.0/0            0.0.0.0/0



On 08/30/2013 02:02 PM, Jayapal Reddy Uradi wrote:

Hi,

The rules are looking as expected.
The ingress traffic to vm should block.

Can you run 'iptables -L -nv' and see which rules are accepting the ingress 
traffic.

Thanks,
Jayapal
On 30-Aug-2013, at 7:41 AM, Jijun <jiju...@gmail.com> wrote:

i clone branch 4.2 code, package and do a  fresh installation.

hypervisor : xenserver 6.2 change  openvswitch to bridge.

add basic zone ,security group enabeld.

create a new vm , default security group

the previous version  document   said the ingress will be blocked by default.  
but in my test, the network in and out are all allowed.
so strange.

is it a bug ?

iptable rule in hypervisor :

[root@xenserver-dlghbuxq ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
BRIDGE-FIREWALL  all  --  0.0.0.0/0            0.0.0.0/0 PHYSDEV match 
--physdev-is-bridged
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-out eth1 --physdev-is-bridged
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-out eth0 --physdev-is-bridged
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain BRIDGE-DEFAULT-FIREWALL (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state 
RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-is-bridged udp spt:68 dpt:67
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-is-bridged udp spt:67 dpt:68

Chain BRIDGE-FIREWALL (1 references)
target     prot opt source               destination
BRIDGE-DEFAULT-FIREWALL  all  --  0.0.0.0/0 0.0.0.0/0
i-2-7-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-in vif21.0 --physdev-is-bridged
i-3-8-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-in vif20.0 --physdev-is-bridged
r-4-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-in vif19.0 --physdev-is-bridged
r-4-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-in vif19.1 --physdev-is-bridged
s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-in vif18.2 --physdev-is-bridged
s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-in vif18.0 --physdev-is-bridged
s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-in vif18.1 --physdev-is-bridged
s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-in vif18.3 --physdev-is-bridged
v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-in vif17.2 --physdev-is-bridged
v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-in vif17.0 --physdev-is-bridged
v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-in vif17.1 --physdev-is-bridged
v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-out vif17.1 --physdev-is-bridged
v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-out vif17.0 --physdev-is-bridged
v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-out vif17.2 --physdev-is-bridged
s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-out vif18.3 --physdev-is-bridged
s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-out vif18.1 --physdev-is-bridged
s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-out vif18.0 --physdev-is-bridged
s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-out vif18.2 --physdev-is-bridged
r-4-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-out vif19.1 --physdev-is-bridged
r-4-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-out vif19.0 --physdev-is-bridged
i-3-8-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-out vif20.0 --physdev-is-bridged
i-2-7-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-out vif21.0 --physdev-is-bridged

Chain L (0 references)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (0 references)
target     prot opt source               destination

Chain i-2-7-VM (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain i-2-7-VM-eg (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain i-2-7-def (2 references)
target     prot opt source               destination
RETURN     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-in vif21.0 --physdev-is-bridged set i-2-7-VM src udp dpt:53
DROP       all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-in vif21.0 --physdev-is-bridged !set i-2-7-VM src
DROP       all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-out vif21.0 --physdev-is-bridged !set i-2-7-VM dst
i-2-7-VM-eg  all  --  0.0.0.0/0            0.0.0.0/0 PHYSDEV match --physdev-in 
vif21.0 --physdev-is-bridged set i-2-7-VM src
i-2-7-VM   all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-out vif21.0 --physdev-is-bridged

Chain i-3-8-VM (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain i-3-8-VM-eg (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain i-3-8-def (2 references)
target     prot opt source               destination
RETURN     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-in vif20.0 --physdev-is-bridged set i-3-8-VM src udp dpt:53
DROP       all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-in vif20.0 --physdev-is-bridged !set i-3-8-VM src
DROP       all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-out vif20.0 --physdev-is-bridged !set i-3-8-VM dst
i-3-8-VM-eg  all  --  0.0.0.0/0            0.0.0.0/0 PHYSDEV match --physdev-in 
vif20.0 --physdev-is-bridged set i-3-8-VM src
i-3-8-VM   all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-out vif20.0 --physdev-is-bridged

Chain r-4-VM (4 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-in vif19.0 --physdev-is-bridged
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-in vif19.1 --physdev-is-bridged
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain s-6-VM (8 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-in vif18.2 --physdev-is-bridged
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-in vif18.0 --physdev-is-bridged
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-in vif18.1 --physdev-is-bridged
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-in vif18.3 --physdev-is-bridged
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain v-2-VM (6 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-in vif17.2 --physdev-is-bridged
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-in vif17.0 --physdev-is-bridged
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match 
--physdev-in vif17.1 --physdev-is-bridged
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0


*[root@xenserver-dlghbuxq ~]# ebtables -L*
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 5, policy: ACCEPT
-j DEFAULT_EBTABLES
-i vif21.0 -j i-2-7-VM
-i vif20.0 -j i-3-8-VM
-o vif20.0 -j i-3-8-VM
-o vif21.0 -j i-2-7-VM

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: DEFAULT_EBTABLES, entries: 12, policy: ACCEPT
-p IPv4 --ip-dst 255.255.255.255 --ip-proto udp --ip-dport 67 -j ACCEPT
-p IPv4 --ip-dst 255.255.255.255 --ip-proto udp --ip-dport 68 -j ACCEPT
-p ARP --arp-op Request -j ACCEPT
-p ARP --arp-op Reply -j ACCEPT
-p IPv4 -d Broadcast -j DROP
-p IPv4 -d Multicast -j DROP
-p IPv4 --ip-dst 255.255.255.255 -j DROP
-p IPv4 --ip-dst 224.0.0.0/4 -j DROP
-p IPv4 -j RETURN
-p IPv6 -j DROP
-p 802_1Q -j DROP
-j DROP

Bridge chain: i-3-8-VM, entries: 2, policy: ACCEPT
-p IPv4 -i vif20.0 --ip-proto udp --ip-dport 68 -j DROP
-p IPv4 -o vif20.0 --ip-proto udp --ip-dport 67 -j DROP

Bridge chain: i-2-7-VM, entries: 2, policy: ACCEPT
-p IPv4 -i vif21.0 --ip-proto udp --ip-dport 68 -j DROP
-p IPv4 -o vif21.0 --ip-proto udp --ip-dport 67 -j DROP


*[root@xenserver-dlghbuxq ~]# ipset -L*
Name: i-3-8-VM
Type: iphash
References: 4
Header: hashsize: 1024 probes: 8 resize: 50
Members:
192.168.253.66

Name: i-2-7-VM
Type: iphash
References: 4
Header: hashsize: 1024 probes: 8 resize: 50
Members:
192.168.253.68







--
Thanks,
Jijun



--
Thanks,
Jijun

Re: [Questions]: Basic Zone Securiy Group problem?

Reply via email to