This just means you installed it in the wrong way. Ebtables and Iptables must be filled with rules like
-A i-6242-10304-def -m state --state RELATED,ESTABLISHED -j ACCEPT
-A i-6242-10304-def -p udp -m physdev --physdev-in vnet18 --physdev-is-bridged -m udp --sport 68 --dport 67 -j ACCEPT
-A i-6242-10304-def -p udp -m physdev --physdev-out vnet18 --physdev-is-bridged -m udp --sport 67 --dport 68 -j ACCEPT
-A i-6242-10304-def -m physdev --physdev-in vnet18 --physdev-is-bridged -m set ! --match-set i-6242-10304-vm src -j DROP
-A i-6242-10304-def -p udp -m physdev --physdev-in vnet18 --physdev-is-bridged -m set --match-set i-6242-10304-vm src -m udp --dport 53 -j RETURN
-A i-6242-10304-def -p tcp -m physdev --physdev-in vnet18 --physdev-is-bridged -m set --match-set i-6242-10304-vm src -m tcp --dport 53 -j RETURN
-A i-6242-10304-def -m physdev --physdev-in vnet18 --physdev-is-bridged -m set --match-set i-6242-10304-vm src -j i-6242-10304-vm-eg
-A i-6242-10304-def -m physdev --physdev-out vnet18 --physdev-is-bridged -j i-6242-10304-vm
-A i-6242-10304-vm -p udp -m udp --dport 1:65535 -m state --state NEW -j ACCEPT
-A i-6242-10304-vm -p tcp -m tcp --dport 1:65535 -m state --state NEW -j ACCEPT
-A i-6242-10304-vm -p icmp -m icmp --icmp-type any -j ACCEPT
-A i-6242-10304-vm -j DROP

Bridge chain: i-4435-8929-vm-in, entries: 7, policy: ACCEPT
-s ! 1e:0:32:0:2:2 -j DROP
-p ARP -s ! 1e:0:32:0:2:2 -j DROP
-p ARP --arp-mac-src ! 1e:0:32:0:2:2 -j DROP
-p ARP -j i-4435-8929-vm-in-ips
-p ARP --arp-op Request -j ACCEPT
-p ARP --arp-op Reply -j ACCEPT
-p ARP -j DROP

On Mon, Sep 28, 2020 at 1:10 PM Hean Seng <heans...@gmail.com> wrote:
> I checked the hypervisor; it seems there is nothing inside iptables. This is CentOS 7; initially I turned off firewalld, but even when I turn it on now and try to update the security group rules, the iptables rules seem empty:
>
> [root@kvm03 ~]# iptables -L -v -n
> Chain INPUT (policy ACCEPT 82903 packets, 1170M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 80505 packets, 25M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> On Mon, Sep 28, 2020 at 12:05 PM Pearl d'Silva <pearl.dsi...@shapeblue.com> wrote:
> > Hi Hean,
> >
> > In an Advanced Zone with Security Groups enabled, by default, egress traffic from the VM is allowed, while ingress traffic is denied. Hence, as you rightly mentioned, security group rules are added accordingly. These rules get added on the hypervisor host, and you can verify them by going into the host and searching for iptables rules corresponding to the VM (internal name - i-x-y-VM).
> > This blog may be helpful in providing further details:
> > https://shankerbalan.net/blog/cloudstack-advanced-zone-with-security-groups/
> >
> > Thanks,
> > Pearl
> > ________________________________
> > From: Hean Seng <heans...@gmail.com>
> > Sent: Sunday, September 27, 2020 2:48 PM
> > To: users@cloudstack.apache.org <users@cloudstack.apache.org>
> > Subject: Cloudstack Advance with Security Group
> >
> > Hi
> >
> > I created an advanced zone with security group; all is working fine.
> >
> > But when a VM is created, it seems the default security group assigned to the VM is an all-accept policy. I understand it is Default Deny, and once the port is added in the Security Group Ingress and Egress, only that is allowed.
> >
> > Also, are these rules created at the VirtualRouter of the SharedNetwork, or at the Hypervisor?
> >
> > --
> > Regards,
> > Hean Seng
> >
> > pearl.dsi...@shapeblue.com
> > www.shapeblue.com
> > 3 London Bridge Street, 3rd floor, News Building, London SE1 9SG UK
> > @shapeblue
>
> --
> Regards,
> Hean Seng
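Worked example, added here and not code from the thread or from CloudStack itself: a small offline audit that parses iptables-save style rules of the shape quoted in the reply above and reports, for one guest, whether the per-VM security-group chains are present on the host and what they enforce (DHCP allowed, ipset anti-spoofing DROP, egress/ingress jumps, which ingress ports are accepted, and whether the ingress chain ends in DROP). The chain naming (<vm>-def, <vm>, <vm>-eg), the ipset name and the tap interface are read off the quoted rules; the sample rule text, the narrower SSH-only ingress chain, and the helper names audit_vm and problems are constructed for this example. Running it against a host where iptables is empty, as in the question, reports the missing chains rather than an empty rule list.

```python
"""Offline audit of CloudStack security-group iptables rules for one KVM guest.

Added example: parses iptables-save style '-A <chain> ...' lines and checks the
per-VM chains that appear on the hypervisor. Chain naming (<vm>-def, <vm>, <vm>-eg)
and the ipset name follow the rules quoted in the thread; helper names and the
sample input are constructed for this example.
"""
import shlex
from dataclasses import dataclass

# Constructed sample in the shape of the quoted rule set (tap vnet18); the ingress
# chain here allows only SSH and ICMP instead of the quoted 1:65535 ranges.
SAMPLE_RULES = """
-A i-6242-10304-def -m state --state RELATED,ESTABLISHED -j ACCEPT
-A i-6242-10304-def -p udp -m physdev --physdev-in vnet18 --physdev-is-bridged -m udp --sport 68 --dport 67 -j ACCEPT
-A i-6242-10304-def -p udp -m physdev --physdev-out vnet18 --physdev-is-bridged -m udp --sport 67 --dport 68 -j ACCEPT
-A i-6242-10304-def -m physdev --physdev-in vnet18 --physdev-is-bridged -m set ! --match-set i-6242-10304-vm src -j DROP
-A i-6242-10304-def -m physdev --physdev-in vnet18 --physdev-is-bridged -m set --match-set i-6242-10304-vm src -j i-6242-10304-vm-eg
-A i-6242-10304-def -m physdev --physdev-out vnet18 --physdev-is-bridged -j i-6242-10304-vm
-A i-6242-10304-vm -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A i-6242-10304-vm -p icmp -m icmp --icmp-type any -j ACCEPT
-A i-6242-10304-vm -j DROP
"""


@dataclass
class Rule:
    chain: str
    target: str
    args: list


def parse_rules(text):
    """Keep only '-A chain ...' lines; ':CHAIN', COMMIT and comment lines are skipped."""
    rules = []
    for raw in text.splitlines():
        tok = shlex.split(raw.strip())
        if len(tok) < 2 or tok[0] != "-A":
            continue
        target = tok[tok.index("-j") + 1] if "-j" in tok[:-1] else ""
        rules.append(Rule(tok[1], target, tok[2:]))
    return rules


def opt(args, name):
    """Value that follows option `name`, or None if absent."""
    i = args.index(name) if name in args else -1
    return args[i + 1] if 0 <= i < len(args) - 1 else None


def negated(args, name):
    """True when option `name` is preceded by '!' (iptables negation)."""
    i = args.index(name) if name in args else -1
    return i > 0 and args[i - 1] == "!"


def audit_vm(text, vm_name):
    """Describe what the host enforces for the guest whose internal name is vm_name."""
    vm = vm_name.lower()                      # i-6242-10304-VM -> chain i-6242-10304-vm
    prefix = vm[:-3] if vm.endswith("-vm") else vm
    def_chain, eg_chain = f"{prefix}-def", f"{vm}-eg"
    rules = parse_rules(text)
    d = [r for r in rules if r.chain == def_chain]
    v = [r for r in rules if r.chain == vm]
    tap = next((opt(r.args, "--physdev-in") for r in d if "--physdev-in" in r.args), None)
    ingress = [(opt(r.args, "-p"), opt(r.args, "--dport") or "any") for r in v if r.target == "ACCEPT"]
    return {
        "tap": tap,
        "def_chain_present": bool(d),
        "vm_chain_present": bool(v),
        # DHCP client traffic from the guest (68 -> 67) is let through before the ipset check
        "dhcp_allowed": any(r.target == "ACCEPT" and opt(r.args, "--sport") == "68"
                            and opt(r.args, "--dport") == "67" for r in d),
        # anti-spoofing: frames from the tap whose source is not in the guest's ipset are dropped
        "anti_spoof_drop": any(r.target == "DROP" and negated(r.args, "--match-set")
                               and opt(r.args, "--match-set") == vm for r in d),
        "egress_jump": any(r.target == eg_chain for r in d),
        "ingress_jump": any(r.target == vm and "--physdev-out" in r.args for r in d),
        "ingress_accepts": ingress,
        "wide_open": [p for p, port in ingress if port == "1:65535"],
        "default_deny": bool(v) and v[-1].target == "DROP",
    }


def problems(report):
    """Human-readable findings; an empty list means the chains look as expected."""
    out = []
    if not report["def_chain_present"]:
        out.append("no <vm>-def chain: security groups are not programmed on this host")
    if not report["vm_chain_present"]:
        out.append("no <vm> ingress chain")
    if report["vm_chain_present"] and not report["default_deny"]:
        out.append("ingress chain does not end in DROP (not default deny)")
    if report["def_chain_present"] and not report["anti_spoof_drop"]:
        out.append("missing ipset anti-spoofing DROP on the guest's tap")
    if report["def_chain_present"] and not report["dhcp_allowed"]:
        out.append("DHCP client traffic from the guest is not allowed")
    for proto in report["wide_open"]:
        out.append(f"ingress {proto} 1:65535 is open to any source")
    return out


if __name__ == "__main__":
    rep = audit_vm(SAMPLE_RULES, "i-6242-10304-VM")
    print(f"tap={rep['tap']} ingress={rep['ingress_accepts']} default_deny={rep['default_deny']}")
    for p in problems(rep) or ["no findings"]:
        print(" -", p)
```

On a real host, feed it the output of iptables-save (for example `audit_vm(subprocess.check_output(["iptables-save"], text=True), "i-6242-10304-VM")`); the ebtables chain shown in the reply (MAC and ARP source pinning on the bridge) is the layer-2 counterpart and is not covered by this parser.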