Re: SSH issue in SG enabled advanced zone

Jayapal Reddy Uradi Mon, 20 Jan 2014 00:49:31 -0800

Hi Gaurav,

Did you install CSP in xenserver ?
Is host network mode set to bridge ?
check file /etc/xensource/network.conf for 'bridge'


>From the host iptables, there are no SG rules got configured.

Thanks,
Jayapal




On 20-Jan-2014, at 12:27 PM, Gaurav Aradhye <gaurav.arad...@clogeny.com> wrote:

> Hello all,
> 
> I am facing issue while SSHing to VM in security groups enabled advanced
> zone (XenServer host) even after applying the ingress rule for the security
> group in which VM is deployed.
> 
> Also, even if I can see the ingress rule being applied through API listing
> and on UI, I can't see the iptables on host being updated after
> adding/removing ingress rule.
> 
> Is there any existing problem with XenServer regarding this? I read on few
> blogs about some people encountering similar issue with Xenserver. I have
> not yet tried on KVM.
> 
> The output of command "iptables -L -v -n" on host is as following.
> 
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target     prot opt in     out     source
> destination
>    0     0 ACCEPT     47   --  *      *       0.0.0.0/0
> 0.0.0.0/0
> 109M  110G RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0
>   0.0.0.0/0
> 
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target     prot opt in     out     source
> destination
>    0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0
>   0.0.0.0/0
> 
> Chain OUTPUT (policy ACCEPT 91M packets, 149G bytes)
> pkts bytes target     prot opt in     out     source
> destination
> 
> Chain RH-Firewall-1-INPUT (2 references)
> pkts bytes target     prot opt in     out     source
> destination
>  54M   76G ACCEPT     all  --  lo     *       0.0.0.0/0
> 0.0.0.0/0
> 8430  520K ACCEPT     icmp --  *      *       0.0.0.0/0
> 0.0.0.0/0           icmp type 255
>    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0
> 0.0.0.0/0
>    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0
> 224.0.0.251         udp dpt:5353
>    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0
> 0.0.0.0/0           udp dpt:631
>    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
> 0.0.0.0/0           tcp dpt:631
>    0     0 ACCEPT     udp  --  xenapi *       0.0.0.0/0
> 0.0.0.0/0           udp dpt:67
>  47M   32G ACCEPT     all  --  *      *       0.0.0.0/0
> 0.0.0.0/0           state RELATED,ESTABLISHED
>    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0
> 0.0.0.0/0           state NEW udp dpt:694
>   19  1132 ACCEPT     tcp  --  *      *       0.0.0.0/0
> 0.0.0.0/0           state NEW tcp dpt:22
> 3919  204K ACCEPT     tcp  --  *      *       0.0.0.0/0
> 0.0.0.0/0           state NEW tcp dpt:80
> 346K   21M ACCEPT     tcp  --  *      *       0.0.0.0/0
> 0.0.0.0/0           state NEW tcp dpt:443
> 7721K 1583M REJECT     all  --  *      *       0.0.0.0/0
> 0.0.0.0/0           reject-with icmp-host-prohibited
> 
> 
> Any directions?
> 
> Regards,
> Gaurav

Re: SSH issue in SG enabled advanced zone

Reply via email to