Hi,

The rules are looking as expected. The ingress traffic to the vm should be blocked.

Can you run 'iptables -L -nv' and see which rules are accepting the ingress traffic?

Thanks,
Jayapal

On 30-Aug-2013, at 7:41 AM, Jijun <jiju...@gmail.com> wrote:

> I clone branch 4.2 code, package and do a fresh installation.
>
> hypervisor : xenserver 6.2, change openvswitch to bridge.
>
> add basic zone, security group enabled.
>
> create a new vm, default security group
>
> the previous version document said the ingress will be blocked by default.
> but in my test, the network in and out are all allowed.
> so strange.
>
> is it a bug ?
>
> iptables rules in hypervisor :
>
> [root@xenserver-dlghbuxq ~]# iptables -nL
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> BRIDGE-FIREWALL all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out eth1 --physdev-is-bridged
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out eth0 --physdev-is-bridged
> DROP all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain BRIDGE-DEFAULT-FIREWALL (1 references)
> target prot opt source destination
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged udp spt:68 dpt:67
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged udp spt:67 dpt:68
>
> Chain BRIDGE-FIREWALL (1 references)
> target prot opt source destination
> BRIDGE-DEFAULT-FIREWALL all -- 0.0.0.0/0 0.0.0.0/0
> i-2-7-def all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif21.0 --physdev-is-bridged
> i-3-8-def all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged
> r-4-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif19.0 --physdev-is-bridged
> r-4-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif19.1 --physdev-is-bridged
> s-6-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif18.2 --physdev-is-bridged
> s-6-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif18.0 --physdev-is-bridged
> s-6-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif18.1 --physdev-is-bridged
> s-6-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif18.3 --physdev-is-bridged
> v-2-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif17.2 --physdev-is-bridged
> v-2-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif17.0 --physdev-is-bridged
> v-2-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif17.1 --physdev-is-bridged
> v-2-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vif17.1 --physdev-is-bridged
> v-2-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vif17.0 --physdev-is-bridged
> v-2-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vif17.2 --physdev-is-bridged
> s-6-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vif18.3 --physdev-is-bridged
> s-6-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vif18.1 --physdev-is-bridged
> s-6-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vif18.0 --physdev-is-bridged
> s-6-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vif18.2 --physdev-is-bridged
> r-4-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vif19.1 --physdev-is-bridged
> r-4-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vif19.0 --physdev-is-bridged
> i-3-8-def all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vif20.0 --physdev-is-bridged
> i-2-7-def all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vif21.0 --physdev-is-bridged
>
> Chain L (0 references)
> target prot opt source destination
>
> Chain RH-Firewall-1-INPUT (0 references)
> target prot opt source destination
>
> Chain i-2-7-VM (1 references)
> target prot opt source destination
> DROP all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain i-2-7-VM-eg (1 references)
> target prot opt source destination
> RETURN all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain i-2-7-def (2 references)
> target prot opt source destination
> RETURN udp -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif21.0 --physdev-is-bridged set i-2-7-VM src udp dpt:53
> DROP all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif21.0 --physdev-is-bridged !set i-2-7-VM src
> DROP all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vif21.0 --physdev-is-bridged !set i-2-7-VM dst
> i-2-7-VM-eg all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif21.0 --physdev-is-bridged set i-2-7-VM src
> i-2-7-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vif21.0 --physdev-is-bridged
>
> Chain i-3-8-VM (1 references)
> target prot opt source destination
> DROP all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain i-3-8-VM-eg (1 references)
> target prot opt source destination
> RETURN all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain i-3-8-def (2 references)
> target prot opt source destination
> RETURN udp -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged set i-3-8-VM src udp dpt:53
> DROP all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged !set i-3-8-VM src
> DROP all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vif20.0 --physdev-is-bridged !set i-3-8-VM dst
> i-3-8-VM-eg all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged set i-3-8-VM src
> i-3-8-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vif20.0 --physdev-is-bridged
>
> Chain r-4-VM (4 references)
> target prot opt source destination
> RETURN all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif19.0 --physdev-is-bridged
> RETURN all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif19.1 --physdev-is-bridged
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain s-6-VM (8 references)
> target prot opt source destination
> RETURN all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif18.2 --physdev-is-bridged
> RETURN all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif18.0 --physdev-is-bridged
> RETURN all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif18.1 --physdev-is-bridged
> RETURN all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif18.3 --physdev-is-bridged
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain v-2-VM (6 references)
> target prot opt source destination
> RETURN all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif17.2 --physdev-is-bridged
> RETURN all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif17.0 --physdev-is-bridged
> RETURN all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif17.1 --physdev-is-bridged
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
>
>
> [root@xenserver-dlghbuxq ~]# ebtables -L
> Bridge table: filter
>
> Bridge chain: INPUT, entries: 0, policy: ACCEPT
>
> Bridge chain: FORWARD, entries: 5, policy: ACCEPT
> -j DEFAULT_EBTABLES
> -i vif21.0 -j i-2-7-VM
> -i vif20.0 -j i-3-8-VM
> -o vif20.0 -j i-3-8-VM
> -o vif21.0 -j i-2-7-VM
>
> Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
>
> Bridge chain: DEFAULT_EBTABLES, entries: 12, policy: ACCEPT
> -p IPv4 --ip-dst 255.255.255.255 --ip-proto udp --ip-dport 67 -j ACCEPT
> -p IPv4 --ip-dst 255.255.255.255 --ip-proto udp --ip-dport 68 -j ACCEPT
> -p ARP --arp-op Request -j ACCEPT
> -p ARP --arp-op Reply -j ACCEPT
> -p IPv4 -d Broadcast -j DROP
> -p IPv4 -d Multicast -j DROP
> -p IPv4 --ip-dst 255.255.255.255 -j DROP
> -p IPv4 --ip-dst 224.0.0.0/4 -j DROP
> -p IPv4 -j RETURN
> -p IPv6 -j DROP
> -p 802_1Q -j DROP
> -j DROP
>
> Bridge chain: i-3-8-VM, entries: 2, policy: ACCEPT
> -p IPv4 -i vif20.0 --ip-proto udp --ip-dport 68 -j DROP
> -p IPv4 -o vif20.0 --ip-proto udp --ip-dport 67 -j DROP
>
> Bridge chain: i-2-7-VM, entries: 2, policy: ACCEPT
> -p IPv4 -i vif21.0 --ip-proto udp --ip-dport 68 -j DROP
> -p IPv4 -o vif21.0 --ip-proto udp --ip-dport 67 -j DROP
>
>
> [root@xenserver-dlghbuxq ~]# ipset -L
> Name: i-3-8-VM
> Type: iphash
> References: 4
> Header: hashsize: 1024 probes: 8 resize: 50
> Members:
> 192.168.253.66
>
> Name: i-2-7-VM
> Type: iphash
> References: 4
> Header: hashsize: 1024 probes: 8 resize: 50
> Members:
> 192.168.253.68
>
> --
> Thanks,
> Jijun
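Jayapal's suggestion is to read the packet counters from 'iptables -L -nv' rather than the bare '-nL' listing Jijun pasted: a rule that has never counted a packet cannot be the one accepting the ingress. The script below is an added example written for this thread, not code from CloudStack or from either poster. It parses 'iptables -nvL' output into chains and rules, then lists the ACCEPT rules that have fired and the rules that handled ingress to one vif (ingress to a VM is the '--physdev-out <vif>' direction, egress is '--physdev-in'). The embedded sample output is constructed: the chain names and matches are copied from Jijun's listing for VM i-2-7 on vif21.0, the counters are made up, and all function names are the example's own.

```python
"""Find which iptables rules are actually matching traffic for a VM's vif.
Parses `iptables -nvL` (with counters) instead of `-nL`: a rule that never
counts a packet cannot be the one letting ingress through."""
import re
import sys
from collections import namedtuple

# Constructed sample of `iptables -nvL` output: chain names and matches follow
# the listing in the thread for VM i-2-7 on vif21.0; the counters are made up.
SAMPLE = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1200   96K BRIDGE-FIREWALL  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-is-bridged
  500   40K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out eth1 --physdev-is-bridged
  300   24K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out eth0 --physdev-is-bridged
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain BRIDGE-DEFAULT-FIREWALL (1 references)
 pkts bytes target     prot opt in     out     source               destination
  350   28K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain BRIDGE-FIREWALL (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1200   96K BRIDGE-DEFAULT-FIREWALL  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  842   64K i-2-7-def  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vif21.0 --physdev-is-bridged
   42  2520 i-2-7-def  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out vif21.0 --physdev-is-bridged

Chain i-2-7-VM (1 references)
 pkts bytes target     prot opt in     out     source               destination
   42  2520 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain i-2-7-def (2 references)
 pkts bytes target     prot opt in     out     source               destination
   12   780 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vif21.0 --physdev-is-bridged set i-2-7-VM src udp dpt:53
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vif21.0 --physdev-is-bridged !set i-2-7-VM src
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out vif21.0 --physdev-is-bridged !set i-2-7-VM dst
  830   62K i-2-7-VM-eg  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vif21.0 --physdev-is-bridged set i-2-7-VM src
   42  2520 i-2-7-VM   all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out vif21.0 --physdev-is-bridged
"""

# extra = match text after the destination column (physdev, state, set, ...)
Rule = namedtuple("Rule", "chain pkts nbytes target prot in_if out_if src dst extra")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
_CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)$")
_SUFFIX = {"": 1, "K": 1000, "M": 1000_000, "G": 1000_000_000}

def parse_counter(token):
    """`-v` abbreviates counters as 12K/3M/1G (powers of 1000); `-x` prints exact values."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m:
        raise ValueError(f"bad counter: {token!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]

def parse_iptables_nvl(text):
    """Return {chain: [Rule, ...]} in listing order from `iptables -nvL` output.
    Rules with an empty target column (counter-only rules) shift the columns
    and are not handled here."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if line.startswith("pkts") or current is None:
            continue  # column header line
        cols = line.split(None, 9)  # pkts bytes target prot opt in out src dst [extra]
        if len(cols) < 9:
            continue
        extra = cols[9].strip() if len(cols) > 9 else ""
        chains[current].append(Rule(current, parse_counter(cols[0]), parse_counter(cols[1]),
                                    cols[2], cols[3], cols[5], cols[6], cols[7], cols[8], extra))
    return chains

def hit_rules(chains, vif=None):
    """Rules with a non-zero packet counter; with `vif`, only those whose match text names it."""
    return [r for rules in chains.values() for r in rules
            if r.pkts > 0 and (vif is None or vif in r.extra)]

def accepting_rules(chains):
    """ACCEPT rules that have matched packets: the candidates Jayapal asks Jijun to look for."""
    return [r for r in hit_rules(chains) if r.target == "ACCEPT"]

def ingress_hits(chains, vif):
    """Ingress to a VM is matched with `--physdev-out <vif>` (egress with `--physdev-in`)."""
    return [r for r in hit_rules(chains) if f"--physdev-out {vif}" in r.extra]

def terminal_hits(chains, chain):
    """ACCEPT/DROP/REJECT verdicts in one chain that have actually fired."""
    return [r for r in chains[chain] if r.target in TERMINAL and r.pkts > 0]

if __name__ == "__main__":
    # On the hypervisor: iptables -nvL | python3 ingress_hits.py vif21.0  (falls back to SAMPLE)
    vif = sys.argv[1] if len(sys.argv) > 1 else "vif21.0"
    chains = parse_iptables_nvl(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE)
    for label, rules in (("ingress rules for " + vif, ingress_hits(chains, vif)),
                         ("ACCEPT rules with hits", accepting_rules(chains))):
        print(label)
        for r in rules:
            print(f"  {r.chain:24} {r.target:12} {r.pkts:>6} pkts  {r.extra}")
```

Run it as 'iptables -nvL | python3 ingress_hits.py vif21.0' on the hypervisor ('-nvxL' gives exact counters instead of the 96K style abbreviations the parser expands). Two readings matter. If the DROP in i-2-7-VM is counting, the security-group chain is seeing ingress and blocking it, and an ACCEPT with hits somewhere else is what lets traffic through. If the BRIDGE-FIREWALL jump in FORWARD stays at zero while the VM is reachable, bridged frames are not being handed to iptables at all, and the net.bridge.bridge-nf-call-iptables sysctl should be checked to be 1 after the openvswitch-to-bridge change.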