[
https://issues.apache.org/jira/browse/CLOUDSTACK-5144?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13863922#comment-13863922
]
manasaveloori commented on CLOUDSTACK-5144:
-------------------------------------------
iptables on the KVM host:
[root@Rack1Pod1Host28 ~]# iptables -L -nv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpts:49152:49216
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpts:5900:6100
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:16509
14M 11G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
51 3996 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
10 556 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:22
23364 3592K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 719K packets, 89M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 6190K packets, 7812M bytes)
pkts bytes target prot opt in out source destination
Chain BF-cloudbr0 (0 references)
pkts bytes target prot opt in out source destination
Chain BF-cloudbr0-IN (0 references)
pkts bytes target prot opt in out source destination
0 0 r-4-VM all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in vnet7 --physdev-is-bridged
0 0 i-2-3-def all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in vnet9 --physdev-is-bridged
0 0 v-5-VM all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in vnet1 --physdev-is-bridged
0 0 v-5-VM all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in vnet2 --physdev-is-bridged
0 0 s-6-VM all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in vnet4 --physdev-is-bridged
0 0 s-6-VM all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in vnet5 --physdev-is-bridged
0 0 s-6-VM all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in vnet6 --physdev-is-bridged
Chain BF-cloudbr0-OUT (0 references)
pkts bytes target prot opt in out source destination
0 0 r-4-VM all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-out vnet7 --physdev-is-bridged
0 0 i-2-3-def all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-out vnet9 --physdev-is-bridged
0 0 v-5-VM all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-out vnet1 --physdev-is-bridged
0 0 v-5-VM all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-out vnet2 --physdev-is-bridged
0 0 s-6-VM all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-out vnet4 --physdev-is-bridged
0 0 s-6-VM all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-out vnet5 --physdev-is-bridged
0 0 s-6-VM all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-out vnet6 --physdev-is-bridged
Chain i-2-3-VM (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain i-2-3-VM-eg (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain i-2-3-def (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in vnet9 --physdev-is-bridged udp spt:68 dpt:67
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-out vnet9 --physdev-is-bridged udp spt:67 dpt:68
0 0 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in vnet9 --physdev-is-bridged match-set
i-2-3-VM src udp dpt:53
0 0 i-2-3-VM-eg all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in vnet9 --physdev-is-bridged match-set
i-2-3-VM src
0 0 i-2-3-VM all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-out vnet9 --physdev-is-bridged
Chain r-4-VM (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in vnet7 --physdev-is-bridged
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain s-6-VM (6 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in vnet4 --physdev-is-bridged
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in vnet5 --physdev-is-bridged
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in vnet6 --physdev-is-bridged
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain v-5-VM (4 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in vnet1 --physdev-is-bridged
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in vnet2 --physdev-is-bridged
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
[root@Rack1Pod1Host28 ~]#
Attaching the MS and agent logs.
> [Automation]: Basic Zone Security Groups - SSH to VM is allowed even when
> there is no ingress rule defined for the security group
> ---------------------------------------------------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-5144
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5144
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: Network Controller
> Affects Versions: 4.3.0
> Reporter: Gaurav Aradhye
> Assignee: Wei Zhou
> Priority: Blocker
> Labels: automation
> Fix For: 4.3.0
>
> Attachments: MS-Log.txt, agent.log, ipset-L output.txt,
> iptables-rules.txt
>
>
> In Basic Zone Setup:
> 1. Create an account
> 2. Deploy a VM in that account
> 3. Verify that no ingress rule is defined for the security group
> belonging to the account
> 4. Try SSH to the VM using the NIC IP address from an external client
> SSH to the VM is successful, whereas it should fail when no ingress rule is
> defined.
--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
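An added defender-side check, not part of the JIRA thread or of CloudStack itself: it parses an `iptables -L -nv` dump like the one above and flags the condition visible in it, namely that the bridge-filter chains `BF-cloudbr0*` have 0 references (so the per-VM security group chains they jump to never execute) while FORWARD has policy ACCEPT and no rules, which is what lets SSH through. The `SAMPLE` dump is a constructed excerpt of the output posted above with wrapped rule lines re-joined; names and helper functions are assumptions for illustration.

```python
import re

# Constructed excerpt of the `iptables -L -nv` dump posted in the comment above
# (chain headers plus one rule each), with wrapped rule lines re-joined.
SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 719K packets, 89M bytes)
 pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 6190K packets, 7812M bytes)
 pkts bytes target prot opt in out source destination
Chain BF-cloudbr0 (0 references)
 pkts bytes target prot opt in out source destination
Chain BF-cloudbr0-IN (0 references)
 pkts bytes target prot opt in out source destination
    0     0 r-4-VM all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet7 --physdev-is-bridged
Chain BF-cloudbr0-OUT (0 references)
 pkts bytes target prot opt in out source destination
Chain i-2-3-VM (1 references)
 pkts bytes target prot opt in out source destination
    0     0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
"""

# Matches both built-in chain headers ("policy ACCEPT ...") and user chains ("N references").
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references)")


def parse_chains(dump):
    """Return {chain: {"policy": str|None, "refs": int|None, "rules": [tokens...]}}."""
    chains, current = {}, None
    for line in dump.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            name, policy, refs = m.groups()
            current = chains[name] = {"policy": policy, "refs": int(refs) if refs else None, "rules": []}
        elif current is not None and line.strip() and not line.lstrip().startswith("pkts"):
            current["rules"].append(line.split())
    return chains


def unreferenced_bridge_chains(chains):
    """BF-* chains no other chain jumps to: the security group rules they hold never run."""
    return sorted(n for n, c in chains.items() if n.startswith("BF-") and c["refs"] == 0)


def forward_is_open(chains):
    """True when FORWARD accepts by default and carries no rule at all (bridged VM traffic unfiltered)."""
    fwd = chains.get("FORWARD")
    return fwd is not None and fwd["policy"] == "ACCEPT" and not fwd["rules"]


def audit(dump):
    chains = parse_chains(dump)
    return {"unreferenced": unreferenced_bridge_chains(chains), "forward_open": forward_is_open(chains)}


if __name__ == "__main__":
    print(audit(SAMPLE))
```

On a healthy host the BF chains should be referenced from FORWARD; a non-empty `unreferenced` list together with `forward_open` reproduces the symptom in this issue.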