I checked the hypervisor; it seems there is nothing inside iptables. This is CentOS 7. Initially I turned off firewalld, but even when I turn it on now and try to update the security group rules, the iptables rules still seem empty:

[root@kvm03 ~]# iptables -L -v -n
Chain INPUT (policy ACCEPT 82903 packets, 1170M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 80505 packets, 25M bytes)
 pkts bytes target     prot opt in     out     source               destination

On Mon, Sep 28, 2020 at 12:05 PM Pearl d'Silva <pearl.dsi...@shapeblue.com> wrote:
> Hi Hean,
>
> In an Advanced Zone with Security Groups enabled, by default, egress
> traffic from the VM is allowed, while Ingress traffic is denied. Hence, as
> you rightly mentioned, security group rules are added accordingly. These
> rules get added on the hypervisor host, and you can verify them by going
> into the host and searching for iptables rules corresponding to the VM
> (internal name - i-x-y-VM).
> This blog may be helpful in providing further details:
>
> https://shankerbalan.net/blog/cloudstack-advanced-zone-with-security-groups/
>
> Thanks,
> Pearl
> ________________________________
> From: Hean Seng <heans...@gmail.com>
> Sent: Sunday, September 27, 2020 2:48 PM
> To: users@cloudstack.apache.org <users@cloudstack.apache.org>
> Subject: Cloudstack Advance with Security Group
>
> Hi
>
> I created an advanced zone with security group; all is working fine.
>
> But when a VM is created, it seems the default security group that is assigned to the VM
> has an all-accept policy. I understand it is Default Deny, and only once the port is added
> in Security Group Ingress and Egress is it allowed.
>
> Also, are these rules created at the VirtualRouter of the SharedNetwork, or at
> the Hypervisor?
>
>
>
> --
> Regards,
> Hean Seng
>
> pearl.dsi...@shapeblue.com
> www.shapeblue.com
> 3 London Bridge Street, 3rd floor, News Building, London SE1 9SG UK
> @shapeblue
>
>
>

--
Regards,
Hean Seng
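Pearl's check above (look on the host for iptables rules carrying the VM's internal name) as an added shell example that is not code from the thread or from CloudStack; it reads `iptables-save` text, the samples are constructed, and the per-VM chain names (<vm> for ingress, <vm>-eg for egress) are an assumption about CloudStack's naming, not something the thread states. It also covers the empty rule set Hean saw, which it reports as "missing".

```shell
# Added example, not code from the thread or from CloudStack: audit a KVM
# host's iptables rule set for one VM's security-group rules. Input is
# `iptables-save` text; samples are constructed, and the chain names
# (<vm> for ingress, <vm>-eg for egress) are an ASSUMPTION about CloudStack.
# Constructed: a host where security groups are applied to i-2-10-VM.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:i-2-10-VM - [0:0]
:i-2-10-VM-eg - [0:0]
-A FORWARD -m physdev --physdev-is-bridged --physdev-out vnet3 -j i-2-10-VM
-A FORWARD -m physdev --physdev-is-bridged --physdev-in vnet3 -j i-2-10-VM-eg
-A i-2-10-VM -p tcp -m tcp --dport 22 -j ACCEPT
-A i-2-10-VM -j DROP
-A i-2-10-VM-eg -j ACCEPT
COMMIT'
# Constructed: the empty table Hean saw (built-in chains only, policy ACCEPT).
EMPTY_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'
# Number of -A rules referencing the VM's chains ($1 = rules text, $2 = VM name).
count_vm_rules() {
  printf '%s\n' "$1" | grep -c -- "^-A .*$2" || true
}
# yes/no: does FORWARD hand bridged traffic to the VM's ingress chain?
forward_jumps_to_vm() {
  if printf '%s\n' "$1" | grep -q -- "^-A FORWARD .* -j $2\$"; then echo yes; else echo no; fi
}
# yes/no: does the VM's ingress chain end in DROP (default-deny ingress)?
ingress_default_deny() {
  if printf '%s\n' "$1" | grep -q -- "^-A $2 -j DROP\$"; then echo yes; else echo no; fi
}
# Verdict: "applied" if the VM has rules and FORWARD jumps to them, else "missing".
sg_status() {
  if [ "$(count_vm_rules "$1" "$2")" -gt 0 ] && [ "$(forward_jumps_to_vm "$1" "$2")" = yes ]; then
    echo applied
  else
    echo missing
  fi
}
# On a real host: sg_status "$(iptables-save)" i-2-10-VM
sg_status "$SAMPLE_RULES" i-2-10-VM   # applied
sg_status "$EMPTY_RULES" i-2-10-VM    # missing
```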