Maurice,

You need to change the below rule in ebtables to work for secondary IPs.

ebtables -t nat -A + vmchain_in + -p ARP --arp-ip-src ! + vm_ip + -j DROP
ebtables -t nat -A + vmchain_out + -p ARP --arp-ip-dst ! + vm_ip + -j DROP

updated to:

ebtables -t nat -A + vmchain_in + " -p ARP -j " + vmchain_in_ips
ebtables -t nat -A + vmchain_out + " -p ARP -j " + vmchain_out_ips
ebtables -t nat -A + vmchain_in_ips + " -j DROP
ebtables -t nat -A + vmchain_out_ips + " -j DROP
ebtables -t nat -I + vmchain_in_ips + -p ARP --arp-ip-src + vm_ip + -j RETURN
ebtables -t nat -I + vmchain_out_ips + -p ARP --arp-ip-dst + vm_ip + -j RETURN

Also you need to update the iptables filter table rules.
On restart of the VM you need to update the rules again.

Please refer to the multiple IP address feature CLOUDSTACK-24 commits for the changes.

Thanks,
Jayapal

On 20-Apr-2013, at 1:50 AM, Maurice Lawler <maurice.law...@me.com> wrote:

Great -- My ebtables rules are back in place. Now, how can I go about dropping the rule to allow a secondary IP traffic to a particular VM. I cannot remember how to do that, someone once told me.

On Apr 19, 2013, at 01:42 PM, Marcus Sorensen <shadow...@gmail.com> wrote:

you can go back and disable security groups in the zone if you don't care about the ebtables rules, or you can start up ebtables and then restart any associated VMs through cloudstack. The rules are dynamic, so they're not going to be saved anywhere on the host to be reinstated, they have to be reapplied by cloudstack via a restart of the vms.

On Fri, Apr 19, 2013 at 11:12 AM, Maurice Lawler <maurice.law...@me.com> wrote:

> Anyone know how to correct my mistake?
>
> - Maurice
>
>
> On Apr 19, 2013, at 2:01 AM, Maurice Lawler <maurice.law...@me.com> wrote:
>
> > Perhaps this was not the best thing, now my ports are open; how can I
> > revert back to ebtables.
> >
> > Along with that, when reverted, how can I drop rules for a particular VM
> > to allow communication via second IP address.
> >
> >
> > On Apr 18, 2013, at 10:34 PM, Maurice Lawler <maurice.law...@me.com> wrote:
> >
> >> Disregard, for now, I have disabled/removed ebtables as shown here:
> >>
> >> http://mail-archives.apache.org/mod_mbox/incubator-cloudstack-users/201302.mbox/%3cb1df26ecc0458748ac97cece2da98d41012fa47b6...@sjcpmailbox01.citrite.net%3E
> >>
> >>
> >> On Apr 18, 2013, at 11:28 PM, Maurice Lawler <maurice.law...@me.com> wrote:
> >>
> >>> Hello --
> >>>
> >>> Previously one told me how to do this, but I cannot find my notes on
> >>> this, so I hope you can help me out.
> >>>
> >>> I am attempting to allow a secondary IP address on an instance by-pass
> >>> the routing rules set forth in ebtables. I recall doing something like
> >>>
> >>> ebtables nat i-2-25-VM something ... I cannot for the life of me
> >>> remember.
> >>>
> >>> How to list and/or drop the rules per VM.
> >>>
> >>> Can you guys assist?
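
The rule layout described in Jayapal's reply at the top of this thread, as an added example that is not part of the original thread and is not CloudStack's own code: a shell function that prints (does not execute) the ebtables commands for one VM holding a primary and any number of secondary IPs. The chain-name suffixes, the `-N` chain creation, and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example. Prints the per-VM ARP filter rules; nothing is applied.
# Assumed chain names: <vm>-in, <vm>-out, <vm>-in-ips, <vm>-out-ips.

valid_ipv4() {
    # Accept only dotted-quad input with every octet in 0..255.
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

arp_rules() {
    vm=$1; shift
    # Reject names that could be read as options or carry shell metacharacters.
    case "$vm" in
        ""|-*|*[!A-Za-z0-9-]*) echo "bad VM name" >&2; return 1 ;;
    esac
    [ "$#" -ge 1 ] || { echo "need at least one IP" >&2; return 1; }
    # Validate every address before emitting anything (no partial rule sets).
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "bad IP: $ip" >&2; return 1; }
    done
    in_ips="$vm-in-ips"; out_ips="$vm-out-ips"
    echo "ebtables -t nat -N $in_ips"
    echo "ebtables -t nat -N $out_ips"
    echo "ebtables -t nat -A $vm-in -p ARP -j $in_ips"
    echo "ebtables -t nat -A $vm-out -p ARP -j $out_ips"
    # Default-deny at the end of each -ips chain ...
    echo "ebtables -t nat -A $in_ips -j DROP"
    echo "ebtables -t nat -A $out_ips -j DROP"
    # ... then one RETURN per permitted address, inserted ahead of the DROP.
    for ip in "$@"; do
        echo "ebtables -t nat -I $in_ips -p ARP --arp-ip-src $ip -j RETURN"
        echo "ebtables -t nat -I $out_ips -p ARP --arp-ip-dst $ip -j RETURN"
    done
}

# Constructed sample: VM name from the thread, addresses made up.
arp_rules i-2-25-VM 10.1.1.5 10.1.1.6
```

Because the DROP is appended and each RETURN is inserted at the head of the chain, ARP for any address not listed still hits the DROP, so the spoofing protection stays in place for everything except the VM's own IPs.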