AW: SecurityGroup - not working?

2016-09-22 Thread Jeroen Keerl
Hi,

Vivek was absolutely right:
I pulled a „history“ from both xenhosts and the part of the sysctl.conf you 
mentioned.
Although my settings in the sysctl.conf were correct, I forgot to issue the 
sysctl -p /etc/sysctl.conf command.

After doing so, ingress and egress rules become active or inactive immediately.

Thanks Vivek!

JK

From: Vivek Kumar [mailto:vivek.ku...@indiqus.com]
Sent: Thursday, 22 September 2016 09:30
To: users@cloudstack.apache.org; jeroen.ke...@keerl-it.com
Subject: Re: SecurityGroup - not working?

Yeah sure, because I had the same problem and it was resolved by changing
these settings in the sysctl file.

On Thu, Sep 22, 2016 at 12:38 PM, Jeroen Keerl 
 wrote:
Hi Vivek,
I'll check the sysctl settings again tonight, but I am quite sure I set those
correctly. Everything else was done "by the book".
Cheers
JK


Sent from my Samsung Galaxy smartphone.

Original message
From: Vivek Kumar
Date: 22.09.2016 08:14 (GMT+01:00)
To: users@cloudstack.apache.org, jeroen.ke...@keerl-it.com
Subject: Re: SecurityGroup - not working?

Hello Jeroen,

When you set up a basic zone in CloudStack with XenServer, you need to change
a few things on your XenServer.

1- *xe-switch-network-backend bridge* (I hope you have already done this).
2- You also need to make some changes in the sysctl conf file for security
groups.

Make the changes below in /etc/sysctl.conf on the XenServer:

net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-arptables = 1

and run this command

# sysctl -p /etc/sysctl.conf

I hope this will work.

*Vivek Kumar*
Virtualization and Cloud Consultant

*I*ndi*Q*us Technologies Pvt Ltd
A-98, LGF, C.R.Park, New Delhi - 110019
*O* +91 11 4055 1411 | *M* +91 7503460090
http://www.indiqus.com  



On Thu, Sep 22, 2016 at 1:43 AM, Jeroen Keerl 
wrote:

> Hi,
>
> I had a few things configured on ACS – Basic Zone – Security Groups.
> Setup: 2 Citrix 6.5 hosts, Mgmt server under CentOS 6.8.
> Basic Networking, VMs created from template, also CentOS 6.8
>
> At first (default, first VM test) I could not log in using SSH.
> Then I created the appropriate ingress rule and all was ok.
> Same with ICMP (Ping) for 0.0.0.0/0
> Now I wanted to test a few things in my test environment and removed these
> rules, actually expecting that neither SSH nor ping would go through
> anymore.
>
> Unfortunately they do, so apparently rules once set are not revoked upon
> deletion.
> I would expect nothing to come through, if no ingress rules are set, no
> matter what iptables on the VM itself does.
>
> Tests:
> - Delete all ingress rules (ping, SSH and webmin (TCP 1))
> - Disable iptables on VM
> ⇨ Ping, ssh went through, Webmin didn’t.
> - Enable iptables on VM
> ⇨ Ping and ssh went through
> - Insert ingress rule for webmin, iptables still enabled
> ⇨ Webmin times out (expected behaviour)
> - Disable iptables
> ⇨ Webmin works
>
> In the documentation you are pointed towards the “The procedure is
> described in Basic Zone Configuration in the Advanced Installation Guide.”
> (Managing Networks and Traffic – Enabling Security Groups)
> Searched for it on the Apache Site: Not found.
> Google gave me the “Advanced Installation Guide” from Citrix, Version
> 3.*.* … in which you are directed to the administration guide.
> Not really helpful!
>
> Does anybody know about this / experienced something like this before?
>
>
>
> *Jeroen Keerl*
>
> *Keerl IT Services GmbH*
> Birkenstraße 1b . 21521 Aumühle
>
> +49 177 6320 317
>
> http://www.keerl-it.com
> mailto:i...@keerl-it.com
>
> Managing Director: Jacobus J. Keerl
> Registration court: Lubeck. HRB No. 14511
>
> Our General Terms and Conditions can be found here.
>


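The failure mode resolved in the message above (correct values in /etc/sysctl.conf that were never loaded into the running kernel) can be checked mechanically. The following is an added example, not part of the original thread; the function name check_bridge_sysctl and the overridable /proc/sys root are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). check_bridge_sysctl is a made-up name.
# Prints one DRIFT line per net.bridge.* key whose value in the config file
# differs from the running kernel; returns 1 on any drift, 0 otherwise.
check_bridge_sysctl() {
    conf=${1:-/etc/sysctl.conf}   # persisted settings
    root=${2:-/proc/sys}          # running kernel view (overridable for tests)
    drift=0
    while IFS='=' read -r key want; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        want=$(printf '%s' "$want" | tr -d '[:space:]')
        [ -n "$key" ] || continue
        # net.bridge.x lives at <root>/net/bridge/x
        path=$root/$(printf '%s' "$key" | tr '.' '/')
        if [ -r "$path" ]; then
            have=$(tr -d '[:space:]' < "$path")
        else
            have=missing          # e.g. bridge netfilter not available
        fi
        if [ "$have" != "$want" ]; then
            echo "DRIFT $key file=$want running=$have"
            drift=1
        fi
    done <<EOF
$(sed -n -e 's/#.*//' -e '/^[[:space:]]*net\.bridge\./p' "$conf")
EOF
    return "$drift"
}

# Constructed demo: a config with the thread's values and a fake /proc/sys
# tree standing in for a host where "sysctl -p" has not been run yet.
demo=$(mktemp -d)
mkdir -p "$demo/proc/net/bridge"
cat > "$demo/sysctl.conf" <<'EOF'
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-arptables = 1
EOF
for k in iptables ip6tables arptables; do
    echo 0 > "$demo/proc/net/bridge/bridge-nf-call-$k"
done
check_bridge_sysctl "$demo/sysctl.conf" "$demo/proc" || echo "reload needed"
rm -rf "$demo"
```

On a real host, calling the function with no arguments compares /etc/sysctl.conf against /proc/sys.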

AW: SecurityGroup - not working?

2016-09-22 Thread Jeroen Keerl
Hi Vivek,
I'll check the sysctl settings again tonight, but I am quite sure I set those
correctly. Everything else was done "by the book".
Cheers
JK


Sent from my Samsung Galaxy smartphone.

Original message
From: Vivek Kumar
Date: 22.09.2016 08:14 (GMT+01:00)
To: users@cloudstack.apache.org, jeroen.ke...@keerl-it.com
Subject: Re: SecurityGroup - not working?

Hello Jeroen,

When you set up a basic zone in CloudStack with XenServer, you need to change
a few things on your XenServer.

1- *xe-switch-network-backend bridge* (I hope you have already done this).
2- You also need to make some changes in the sysctl conf file for security
groups.

Make the changes below in /etc/sysctl.conf on the XenServer:

net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-arptables = 1

and run this command

# sysctl -p /etc/sysctl.conf

I hope this will work.


On Thu, Sep 22, 2016 at 1:43 AM, Jeroen Keerl 
wrote:

> Hi,
>
> I had a few things configured on ACS – Basic Zone – Security Groups.
> Setup: 2 Citrix 6.5 hosts, Mgmt server under CentOS 6.8.
> Basic Networking, VMs created from template, also CentOS 6.8
>
> At first (default, first VM test) I could not log in using SSH.
> Then I created the appropriate ingress rule and all was ok.
> Same with ICMP (Ping) for 0.0.0.0/0
> Now I wanted to test a few things in my test environment and removed these
> rules, actually expecting that neither SSH nor ping would go through
> anymore.
>
> Unfortunately they do, so apparently rules once set are not revoked upon
> deletion.
> I would expect nothing to come through, if no ingress rules are set, no
> matter what iptables on the VM itself does.
>
> Tests:
> - Delete all ingress rules (ping, SSH and webmin (TCP 1))
> - Disable iptables on VM
> ⇨ Ping, ssh went through, Webmin didn’t.
> - Enable iptables on VM
> ⇨ Ping and ssh went through
> - Insert ingress rule for webmin, iptables still enabled
> ⇨ Webmin times out (expected behaviour)
> - Disable iptables
> ⇨ Webmin works
>
> In the documentation you are pointed towards the “The procedure is
> described in Basic Zone Configuration in the Advanced Installation Guide.”
> (Managing Networks and Traffic – Enabling Security Groups)
> Searched for it on the Apache Site: Not found.
> Google gave me the “Advanced Installation Guide” from Citrix, Version
> 3.*.* … in which you are directed to the administration guide.
> Not really helpful!
>
> Does anybody know about this / experienced something like this before?
>
>
>

