[Openstack] Security Groups rules applied but ignored...

Martinx - ジェームズ thiagocmartinsc at gmail.com
Mon Oct 28 22:30:46 UTC 2013


Stackers!

I'm trying to configure my Security Groups and I'm seeing that the rules
are being applied at the Compute Node OVS ports (iptables / ip6tables), BUT
they have no effect (or are just being ignored?).

I'm using Ubuntu 12.04.3 + Havana from Cloud Archive.


For example:

I have 1 Instance with 1 Floating IP attached to it, open port is: 80.

Look:

---
root at hypervisor-1:~# iptables -L neutron-openvswi-i9cf07c24-7 -nv
Chain neutron-openvswi-i9cf07c24-7 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 RETURN     udp  --  *      *       192.168.50.3         0.0.0.0/0            udp spt:67 dpt:68
    0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
---


The problem is that the respective Instance still answers SSH to the
Internet. I mean, ALL ports are OPEN!! Regardless of what I typed in its
Security Groups.

I created one "Security Group", called "web", only with TCP port 80 on it,
nothing more, nothing less. This Instance doesn't belong to the "default"
Security Group, only "web".

Recently I've changed the *libvirt_vif_driver* from
*nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver* to
*nova.virt.libvirt.vif.LibvirtOpenVswitchDriver*, maybe it is the cause?!

Any tips!?

Thanks!
Thiago
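Added diagnostic (my code, not from the thread): it parses a chain listing like the one above and flags exactly the pattern in the post, ports reachable with no allow rule while every counter in the chain stays at zero, which means packets are not traversing the per-port chain at all rather than being mis-matched by it. It assumes the operator already knows which TCP ports on the floating IP answer (here 22 and 80, as in the post); the sample listing is the post's output re-joined onto one line per rule.

```python
import re

# Constructed sample: the post's `iptables -L neutron-openvswi-i9cf07c24-7 -nv` output, rules re-joined onto one line each.
SAMPLE_LISTING = """\
Chain neutron-openvswi-i9cf07c24-7 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 RETURN     udp  --  *      *       192.168.50.3         0.0.0.0/0            udp spt:67 dpt:68
    0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Columns: pkts bytes target prot opt in out source destination [match text]
RULE_RE = re.compile(r"^\s*(\d+[KMG]?)\s+\d+[KMG]?\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s*(.*)$")
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}

def counter(text):
    """Turn an iptables -v counter such as '12K' into an int."""
    return int(text[:-1]) * SUFFIX[text[-1]] if text[-1] in SUFFIX else int(text)

def parse_chain(listing):
    """Parse `iptables -L <chain> -nv` output into (chain name, list of rule dicts)."""
    name = re.match(r"Chain (\S+)", listing.strip()).group(1)
    rules = []
    for m in filter(None, map(RULE_RE.match, listing.splitlines())):  # header lines never match
        pkts, target, proto, extra = m.groups()
        rules.append({"pkts": counter(pkts), "target": target, "proto": proto, "extra": extra})
    return name, rules

def allowed_tcp_ports(rules):
    """TCP ports the group explicitly lets in (RETURN rules carrying 'tcp dpt:N')."""
    ports = set()
    for r in rules:
        m = re.search(r"tcp dpt:(\d+)", r["extra"])
        if r["target"] == "RETURN" and m:
            ports.add(int(m.group(1)))
    return ports

def diagnose(listing, reachable_tcp_ports):
    """Cross-check ports observed open on the floating IP against the chain.
    A port open with no allow rule while every counter is still 0 means the
    traffic never entered netfilter, i.e. the chain is bypassed, not misconfigured."""
    name, rules = parse_chain(listing)
    allowed = allowed_tcp_ports(rules)
    unexpected = set(reachable_tcp_ports) - allowed
    total_pkts = sum(r["pkts"] for r in rules)
    return {"chain": name, "allowed": allowed, "unexpected": unexpected,
            "total_pkts": total_pkts, "bypassed": bool(unexpected) and total_pkts == 0}
```

With LibvirtOpenVswitchDriver the tap is plugged straight into the OVS bridge instead of the qbr Linux bridge that the hybrid driver inserts, so these netfilter chains are never traversed; the hybrid driver is what makes the iptables-based security groups take effect.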