[Openstack-operators] Help on Iptables in Openstack
shiva m
anjaneya2 at gmail.com
Tue Apr 1 10:12:39 UTC 2014
Hi,
Thank you for the response. I am running a routing application on one of my
VMs. I have 3 VMs and my routing application is running on VM2. If I ping
VM1 to VM3, I want my application to capture the packet, do some
analysis (what kind of packet is it? is it secure?) and just forward it to
VM3 without any modifications. I started with a simple test case to implement
a router application, but I got stuck with the anti-spoofing mechanism of
OpenStack. I understand libvirt applies anti-spoofing security and I am
trying 'virsh nwfilter' commands to change filter rules. You have mentioned
that it is possible to disable iptables rules globally for the compute host;
can you please help me with how I can disable iptables globally, and which
services need to be restarted? Can anyone please outline the steps
required to allow spoofing?
Looking forward to your reply.
Thanks,
Shiva
On Tue, Apr 1, 2014 at 12:44 PM, Jesse Pretorius
<jesse.pretorius at gmail.com> wrote:
> On 1 April 2014 08:04, shiva m <anjaneya2 at gmail.com> wrote:
>
>> Thank you for the response. I tried adding security groups from the dashboard,
>> but it doesn't help. I was trying to spoof a VM instance with a spoofed source
>> MAC and spoofed source IP, but the packet is not reaching br-int. If I
>> give the proper source MAC and proper source IP, the packet reaches br-int
>> and things work normally. I observed that OpenStack stops spoofed packets which
>> are not originating from the VM instance before they reach br-int (at the tap
>> interface).
>>
>
> In this case applying security groups won't help at all. Both MAC and IP
> spoofing protection are enabled at the hypervisor level by libvirt as part
> of the instance instantiation. More details here:
> http://libvirt.org/firewall.html
>
>
>> I need help to send a spoofed packet from a VM. Is there any way to disable
>> the iptables rules?
>>
>
> There is, but it's global for that compute host - the templates that apply
> the network filters to protect against spoofing need to be removed.
>
>
>> Also, adding security group rules using the command line and using the
>> dashboard: are they the same?
>>
>
> Yes - almost. I don't know if Horizon's interface to security groups is
> still going through the nova API in Icehouse. If it is, the application of
> the rules is only ingress, whereas through the neutron CLI you're able to
> define ingress and egress rules. On the CLI you're also able to be more
> granular in the application of your rules/groups.
>
> From a use-case standpoint it may be interesting to understand why you
> need to allow spoofing - if you don't mind, can you describe the purpose?
> We may be able to help you find an alternative method.
>
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>
>
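As an added example (not code from either poster), a small audit script that reads the XML `virsh nwfilter-dumpxml` and `virsh dumpxml` would print and confirms the anti-spoofing references are still in place on a compute host; it assumes the filter is libvirt's documented `clean-traffic`, and the XML samples and tap names below are constructed, not captured from a real host.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the shape of libvirt's `clean-traffic` filter as documented
# at http://libvirt.org/firewall.html (not dumped from a real host).
CLEAN_TRAFFIC_XML = """<filter name='clean-traffic' chain='root'>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-ip-spoofing'/>
  <filterref filter='allow-incoming-ipv4'/>
  <filterref filter='no-arp-spoofing'/>
  <filterref filter='allow-dhcp'/>
  <filterref filter='no-other-l2-traffic'/>
  <filterref filter='qemu-announce-self'/>
</filter>"""

# Hypothetical filter from which someone removed the spoofing checks; also constructed.
STRIPPED_XML = """<filter name='clean-traffic' chain='root'>
  <filterref filter='allow-incoming-ipv4'/>
  <filterref filter='allow-dhcp'/>
</filter>"""

# Constructed domain XML: tap0 carries a filter, tap1 (hypothetical) does not.
DOMAIN_XML = """<domain type='kvm'><name>vm2</name><devices>
  <interface type='bridge'><source bridge='br100'/><target dev='tap0'/>
    <filterref filter='clean-traffic'/></interface>
  <interface type='bridge'><source bridge='br100'/><target dev='tap1'/></interface>
</devices></domain>"""

# The three references that implement the MAC/IP/ARP spoofing protection.
REQUIRED_ANTISPOOF = {"no-mac-spoofing", "no-ip-spoofing", "no-arp-spoofing"}


def referenced_filters(filter_xml):
    """Names of the filters a nwfilter definition pulls in via <filterref>."""
    root = ET.fromstring(filter_xml)
    return {ref.get("filter") for ref in root.iter("filterref")}


def missing_antispoof(filter_xml):
    """Anti-spoofing references absent from the filter; empty set means intact."""
    return REQUIRED_ANTISPOOF - referenced_filters(filter_xml)


def unfiltered_taps(domain_xml):
    """Tap devices of a domain that have no <filterref> at all (no protection)."""
    root = ET.fromstring(domain_xml)
    return [iface.find("target").get("dev")
            for iface in root.iter("interface") if iface.find("filterref") is None]
```

Run `missing_antispoof` on the output of `virsh nwfilter-dumpxml clean-traffic` and `unfiltered_taps` on `virsh dumpxml <instance>` to spot a host where the protection has been removed or an interface that never received a filter.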