[Openstack] Security Groups rules applied but ignored...

Martinx - ジェームズ thiagocmartinsc at gmail.com
Mon Oct 28 22:30:46 UTC 2013


I'm trying to configure my Security Groups and, I'm seeing that the rules
are being applied at the Compute Node OVS ports (iptables / ip6tables) BUT,
it does have no effect (or just being ignored?).

I'm using Ubuntu 12.04.3 + Havana from Cloud Archive.

For example:

I have 1 Instance with 1 Floating IP attached to it, open port is: 80.


root at hypervisor-1:~# iptables -L neutron-openvswi-i9cf07c24-7 -nv
Chain neutron-openvswi-i9cf07c24-7 (1 references)
 pkts bytes target     prot opt in     out     source
    0     0 DROP       all  --  *      *            state INVALID
    0     0 RETURN     all  --  *      *            state RELATED,ESTABLISHED
    0     0 RETURN     tcp  --  *      *            tcp dpt:80
    0     0 RETURN     udp  --  *      *            udp spt:67 dpt:68
    0     0 neutron-openvswi-sg-fallback  all  --  *      *

The problem is that the respective Instance still answers SSH to the
Internet. I mean, ALL ports are OPEN!! Regardless of what I typed at its
Security Groups.

I created one "Security Group", called "web", only with TCP port 80 on it,
nothing more, nothing less. This Instance doesn't belong to the "default"
Security Group", only "web".

Recently I've changed the *libvirt_vif_driver* from *
nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver* to *
nova.virt.libvirt.vif.LibvirtOpenVswitchDriver*, maybe it is the cause?!

Any tips!?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20131028/404210bd/attachment.html>

More information about the Openstack mailing list