Hi,

The IGMP packets are blocked by default. In the case of XenServer, multicast traffic is blocked in ebtables.
To allow IGMP traffic, please update the ebtables and iptables rules on the XenServer. For testing, you can add rules to accept multicast traffic in ebtables and iptables.

Example rules on host:

Sample iptables rules for VM:

Chain i-8-9-QA (1 references)
 pkts bytes target prot opt in out source destination

Chain i-8-9-QA-eg (1 references)
 pkts bytes target prot opt in out source destination

Chain i-8-9-def (2 references)
 pkts bytes target prot opt in out source destination
    0     0 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif34.0 --physdev-is-bridged set i-8-9-QA src udp dpt:53
    0     0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif34.0 --physdev-is-bridged !set i-8-9-QA src
    0     0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vif34.0 --physdev-is-bridged !set i-8-9-QA dst
    0     0 i-8-9-QA-eg all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif34.0 --physdev-is-bridged set i-8-9-QA src
    0     0 i-8-9-QA all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vif34.0 --physdev-is-bridged

ebtables:

:DEFAULT_EBTABLES ACCEPT
:i-8-9-QA ACCEPT
-A FORWARD -j DEFAULT_EBTABLES
-A FORWARD -i vif34.0 -j i-8-9-QA
-A FORWARD -o vif34.0 -j i-8-9-QA
-A DEFAULT_EBTABLES -p IPv4 --ip-dst 255.255.255.255 --ip-proto udp --ip-dport 67 -j ACCEPT
-A DEFAULT_EBTABLES -p ARP --arp-op Request -j ACCEPT
-A DEFAULT_EBTABLES -p ARP --arp-op Reply -j ACCEPT
-A DEFAULT_EBTABLES -p IPv4 -d Broadcast -j DROP
-A DEFAULT_EBTABLES -p IPv4 -d Multicast -j DROP
-A DEFAULT_EBTABLES -p IPv4 --ip-dst 255.255.255.255 -j DROP
-A DEFAULT_EBTABLES -p IPv4 --ip-dst 224.0.0.0/4 -j DROP
-A DEFAULT_EBTABLES -p IPv4 -j RETURN
-A DEFAULT_EBTABLES -p IPv6 -j DROP
-A DEFAULT_EBTABLES -p 802_1Q -j DROP
-A DEFAULT_EBTABLES -j DROP
-A i-8-9-QA -s ! 6:bb:e8:0:0:1e -i vif34.0 -j DROP
-A i-8-9-QA -p IPv4 -i vif34.0 --ip-proto udp --ip-dport 68 -j DROP
-A i-8-9-QA -p IPv4 -o vif34.0 --ip-proto udp --ip-dport 67 -j DROP

Note: If you update the rules manually, CloudStack overwrites them on VM reboot or when a new rule is added.

Thanks,
Jayapal

On 21-Jun-2013, at 1:21 AM, Kenneth Warren <kwar...@orbistechnologies.com> wrote:

> Good Afternoon!
>
> We are working with multicast and IGMP groups on our CloudStack
> infrastructure, and I have a question regarding security groups.
>
> To create an ingress rule, one must navigate to the security groups panel
> then add a new rule based on protocol. The values allowed are ICMP, TCP, and
> UDP. I am concerned that the IGMP member query messages on the network are
> being blocked by the security group settings, as our VMs continually act as
> if they have been kicked out of the membership group.
>
> Are IGMP packets blocked by security groups by default? If so, how do we
> enable them?
>
> Thanks!
>
> Kenny Warren, MITM
> Associate Information Assurance Engineer
> Orbis Technologies, Inc.
> 443.569.6722
> www.orbistechnologies.com
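
An added example, not part of the original thread and not CloudStack code: a minimal first-match walk over the DEFAULT_EBTABLES rules listed in the reply, showing which rule drops an IGMP query and how a test ACCEPT rule placed ahead of it changes the verdict. The matcher handles only the options used in that chain; the frame values and the `--ip-proto 2` rule are assumptions constructed for illustration.

```python
import ipaddress

# DEFAULT_EBTABLES rules copied from the dump in the reply above, in order.
RULES = """\
-p IPv4 --ip-dst 255.255.255.255 --ip-proto udp --ip-dport 67 -j ACCEPT
-p ARP --arp-op Request -j ACCEPT
-p ARP --arp-op Reply -j ACCEPT
-p IPv4 -d Broadcast -j DROP
-p IPv4 -d Multicast -j DROP
-p IPv4 --ip-dst 255.255.255.255 -j DROP
-p IPv4 --ip-dst 224.0.0.0/4 -j DROP
-p IPv4 -j RETURN
-p IPv6 -j DROP
-p 802_1Q -j DROP
-j DROP
""".splitlines()

# Assumed test rule (not from the page): accept IGMP, IP protocol number 2.
IGMP_ACCEPT = "-p IPv4 --ip-proto 2 -j ACCEPT"

# Constructed frame: IGMP general query to the all-hosts group 224.0.0.1.
IGMP_QUERY = {"-p": "IPv4", "-d": "01:00:5e:00:00:01",
              "--ip-dst": "224.0.0.1", "--ip-proto": "2"}

def field_matches(opt, want, frame):
    """Compare one rule option against the frame; an absent field never matches."""
    have = frame.get(opt)
    if have is None:
        return False
    if opt == "-d" and want == "Multicast":
        return bool(int(have.split(":")[0], 16) & 1)  # group bit of first octet
    if opt == "-d" and want == "Broadcast":
        return have.lower() == "ff:ff:ff:ff:ff:ff"
    if opt == "--ip-dst":
        return ipaddress.ip_address(have) in ipaddress.ip_network(want)
    return have == want

def first_match(rules, frame):
    """Return (rule_number, target) of the first rule that matches the frame."""
    for n, rule in enumerate(rules, 1):
        tok = rule.split()
        opts = dict(zip(tok[0::2], tok[1::2]))
        target = opts.pop("-j")
        if all(field_matches(o, v, frame) for o, v in opts.items()):
            return n, target
    return None

def verdicts():
    """Verdict with the rules as dumped, then with the test rule inserted first."""
    return (first_match(RULES, IGMP_QUERY),
            first_match([IGMP_ACCEPT] + RULES, IGMP_QUERY))

if __name__ == "__main__":
    print(verdicts())
```

As the note in the reply says, a rule added by hand this way lasts only until CloudStack rewrites the chain.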