[Openstack-operators] Help on Iptables in Openstack

shiva m anjaneya2 at gmail.com
Tue Apr 1 10:12:39 UTC 2014


Hi,

Thank you for  response.  I am running routing application on one  of my
VM,  I have 3  VMs and my routing application is running on VM2. If I ping
VM1 to VM3, I want my application to capture the packet and do some
analysis like  what kind of packet?is it secure?  and just forward it  to
VM3 without any modifications. I started with simple test case to implement
a router application but I stuck with anti-spoofing  mechanism of
openstack. I understand libvirt apply anti-spoofing security and I am
trying 'virsh nwfilter' comands to change filter rules. You have mentioned
that it is  possible to disable iptable  rules globally for compute host,
can you please help me how can I disable iptables globally? and what
services needs to be re-started?. Can anyone  please outline me  the  steps
required to allow spoofing?

Looking forward for your reply.

Thanks,
Shiva


On Tue, Apr 1, 2014 at 12:44 PM, Jesse Pretorius
<jesse.pretorius at gmail.com>wrote:

> On 1 April 2014 08:04, shiva m <anjaneya2 at gmail.com> wrote:
>
>> Thank you for response. I tried adding security-groups from dashboard,
>> but it doesnt help. I was trying to spoof a VM instance with  spoof source
>> MAC and spoof  source IP, but the  packet is  not reaching br-int. If I
>> give  proper source MAC  and proper source  IP, the packet reaches br-int
>> and  things work normal. I observed  Openstack stops spoof packets which
>> are  not originating from VM instance before reaching br-int (at tap
>> interface).
>>
>
> In this case applying security groups won't help at all. Both MAC and IP
> Spoofing protection is enabled on the hypervisor level by libvirt as part
> of the instance instantiation. More details here:
> http://libvirt.org/firewall.html
>
>
>> I need help to send a spoof packet from VM. Is there any way to disable
>> iptable rules.
>>
>
> There is, but it's global for that compute host - the templates that apply
> the network filters to protect against spoofing need to be removed.
>
>
>>  Also adding security group rules using command line and using
>> dash-board are they same?
>>
>
> Yes - almost. I don't know if Horizon's interface to security groups is
> still going through the nova api in Icehouse. If it is, the application of
> the rules is only ingress whereas through the neutron CLI you're able to
> define ingress and egress rules. On the CLU you're also able to be more
> granular in the application of your rules/groups.
>
> From a use-case standpoint it may be interesting to understand why you
> need to allow spoofing - if you don't mind, can you describe the purpose?
> We may be able to help you find an alternative method.
>
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20140401/689b08aa/attachment.html>


More information about the OpenStack-operators mailing list