Hello.
Another issue. I configured a custom security group for a VM and was expecting the rules to show up. But they didn't. Okay, maybe another permission issue. So I configured sudo for oneadmin. But still, no rules from that specific security group are applied on the VM. Does anyone have a hint for me on where to start looking?
thanks and cheers
t.
Maybe a little bit more information. Here is one security group which is not applied:
SECURITY GROUP 101 INFORMATION
ID : 101
NAME : logserver
USER : himbeere
GROUP : users
PERMISSIONS
OWNER : um-
GROUP : ---
OTHER : ---
VIRTUAL MACHINES
UPDATED : 175
OUTDATED :
ERROR :
RULES
TYPE PROTOCOL ICMP_TYPE NETWORK RANGE
inbound TCP Start: 138.201.123.123, Size: 1 9200
inbound TCP Start: 188.68.456.456, Size: 1 9200
inbound TCP Start: 5.196.789.789, Size: 1 9200
inbound TCP Any 22,80,443
outbound TCP Any
outbound UDP Any
inbound ICMP 0 Any
TEMPLATE CONTENTS
DESCRIPTION=""
On the node on which the VM is running there is no such iptables rule.
root@ns366669:~# virsh list
Id Name State
----------------------------------------------------
3 one-173 running
5 one-175 running
root@ns366669:~#
Here is the output of iptables:
root@ns366669:~# iptables -nvL
Chain INPUT (policy ACCEPT 1043K packets, 13G bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 138.201.123.123 0.0.0.0/0 tcp dpts:5900:6900
1 48 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:5900:6900
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
Chain FORWARD (policy ACCEPT 822K packets, 940M bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 918K packets, 4468M bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:68
root@ns366669:~#
ruben (Rubén S. Montero), September 24, 2016, 8:42pm
Not all network drivers implement security groups. What network driver are
you using?
Hm. Another example of how great OpenNebula is and how stupid I am. I had bridged instead of bridged & security groups selected. Thanks Ruben.
cheers
t.
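
The check done by eye in this thread, as an added example (not part of the original posts and not OpenNebula code): it compares the inbound TCP rules of security group 101 against an `iptables -nvL` listing and returns the rules that have no matching ACCEPT entry. The listing is a constructed excerpt of the output above, and the names `tcp_accepts`, `missing_rules` and `EXPECTED` are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample, trimmed from the `iptables -nvL` listing in the thread.
NODE_LISTING = """\
Chain INPUT (policy ACCEPT 1043K packets, 13G bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT tcp -- * * 138.201.123.123 0.0.0.0/0 tcp dpts:5900:6900
    1    48 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:5900:6900
    0     0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
Chain FORWARD (policy ACCEPT 822K packets, 940M bytes)
    0     0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
"""

# Inbound TCP rules of security group 101 as (source, port); "0.0.0.0/0" = Any.
# Only the first of the three 9200 sources is used: the other two, as printed
# in the thread, are not valid IPv4 addresses.
EXPECTED = [("138.201.123.123", 9200), ("0.0.0.0/0", 22),
            ("0.0.0.0/0", 80), ("0.0.0.0/0", 443)]


def tcp_accepts(listing):
    """Yield (source_network, port_ranges) for ACCEPT rules that match TCP dports."""
    for line in listing.splitlines():
        f = line.split()  # pkts bytes target prot opt in out source dest extras...
        if len(f) < 10 or f[2] != "ACCEPT" or f[3] != "tcp":
            continue
        m = re.search(r"dpts?:(\S+)|multiport dports (\S+)", " ".join(f[9:]))
        if not m:
            continue  # no destination-port match, so not a per-port rule
        ranges = []
        for part in (m.group(1) or m.group(2)).split(","):
            low, _, high = part.partition(":")
            ranges.append((int(low), int(high or low)))
        yield ipaddress.ip_network(f[7]), ranges


def missing_rules(listing, expected):
    """Return the expected (source, port) pairs that no ACCEPT rule covers."""
    rules = list(tcp_accepts(listing))
    missing = []
    for source, port in expected:
        want = ipaddress.ip_network(source)
        if not any(want.subnet_of(net) and any(lo <= port <= hi for lo, hi in rs)
                   for net, rs in rules):
            missing.append((source, port))
    return missing


if __name__ == "__main__":
    for source, port in missing_rules(NODE_LISTING, EXPECTED):
        print(f"no ACCEPT rule for tcp/{port} from {source}")
```

On the listing from the thread every expected rule comes back as missing, which matches the symptom of a network driver that does not implement security groups.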