Security group no effect in r1215

Asked by Hugo Kou on 2011-06-28

As title ...

I did not set any security group rule... but I can still access the instance on any port.

When I set only the icmp and ssh ports for the instance, why can I access the http service in the instance from another host?

I want to verify it...

Question information

Language: English
Status: Answered
For: OpenStack Compute (nova)
Assignee: No assignee
Last query: 2011-06-28
Last reply: 2011-08-25
Everett Toews (everett-toews) said : #1

Hi Hugo,

We've actually run into the same problem. Did you ever track down the cause?

When I examine the iptables on the compute node everything seems to be in place but you can still access services from a local machine on ports that are not authorized.

Everett

Soren Hansen (soren) said : #2

Can either of you provide the output of "sudo iptables-save"?

Vish Ishaya (vishvananda) said : #3

With current trunk, try --noallow_same_net_traffic

Vish


Everett Toews (everett-toews) said : #4

http://pastie.org/2387712

The instance in question is nova-compute-inst-1271.

euca-describe-groups
GROUP toews default default
PERMISSION toews default ALLOWS tcp 22 22 FROM CIDR 0.0.0.0/0
PERMISSION toews default ALLOWS tcp 80 80 FROM CIDR 0.0.0.0/0
PERMISSION toews default ALLOWS icmp -1 -1 FROM CIDR 0.0.0.0/0
PERMISSION toews default ALLOWS tcp 3389 3389 FROM CIDR 0.0.0.0/0
PERMISSION toews default ALLOWS udp 3389 3389 FROM CIDR 0.0.0.0/0

Steps:

1. Run instance and associate floating IP
2. ssh to instance
3. Add port 200 and tcp to the /etc/services file on the instance.
4. sudo nc -l 200
5. From local machine: telnet <floating IP> 200

A connection is made to the instance on port 200 from my local machine.
Anything typed into the telnet session appears on the instance.

Everett


Everett Toews (everett-toews) said : #5

I see that the description of allow_same_net_traffic is

"Whether to allow network traffic from same network"

So, even though we're using Cactus, do you think this flag would help?

I'm accessing the instance from my local machine, which is on a completely
different network anyway.

Everett


Everett Toews (everett-toews) said : #6

@Soren

Did you have a chance to look at this? Any thoughts?

Thanks,
Everett


Everett Toews (everett-toews) said : #7

The root of this problem is actually that all traffic appears to be coming from the default gateway of the VM, see Determining remote IP from within VM [https://answers.launchpad.net/nova/+question/168570].

The solution to that problem fixed this problem as well.
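The port-200 test from #4 and the root cause stated in #7, modelled as an added example (not code from the thread or from nova): it parses the euca-describe-groups format shown above and decides a packet the way a same-network allowance plus a source address rewritten to the VM's default gateway would. The fixed network 10.0.0.0/24, gateway 10.0.0.1 and remote address 203.0.113.10 are constructed values.

```python
import ipaddress

# Constructed sample in the shape of the thread's euca-describe-groups output.
SAMPLE_GROUPS = """\
GROUP toews default default
PERMISSION toews default ALLOWS tcp 22 22 FROM CIDR 0.0.0.0/0
PERMISSION toews default ALLOWS tcp 80 80 FROM CIDR 0.0.0.0/0
PERMISSION toews default ALLOWS icmp -1 -1 FROM CIDR 0.0.0.0/0
PERMISSION toews default ALLOWS tcp 3389 3389 FROM CIDR 0.0.0.0/0
PERMISSION toews default ALLOWS udp 3389 3389 FROM CIDR 0.0.0.0/0
"""

def parse_describe_groups(text):
    """Return PERMISSION lines as (proto, from_port, to_port, network) tuples."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 10 and f[0] == "PERMISSION" and f[3] == "ALLOWS" and f[8] == "CIDR":
            rules.append((f[4], int(f[5]), int(f[6]), ipaddress.ip_network(f[9], strict=False)))
    return rules

def rule_allows(rules, proto, port, src_ip):
    """True if some group rule admits proto/port from src_ip; icmp uses -1/-1 for any."""
    src = ipaddress.ip_address(src_ip)
    return any(r_proto == proto and src in net and (lo == -1 or lo <= port <= hi)
               for r_proto, lo, hi, net in rules)

def packet_allowed(rules, proto, port, src_ip, same_net=None, nat_gateway=None):
    """Decide a packet as the compute node's filter would.

    same_net: fixed network trusted wholesale while allow_same_net_traffic is on
              (None models --noallow_same_net_traffic).
    nat_gateway: if set, the source the filter sees is this address, not the real
              one, modelling the rewrite described in #7.
    """
    seen_src = nat_gateway or src_ip
    if same_net is not None and ipaddress.ip_address(seen_src) in ipaddress.ip_network(same_net):
        return True                      # same-network allowance short-circuits the port rules
    return rule_allows(rules, proto, port, seen_src)

RULES = parse_describe_groups(SAMPLE_GROUPS)
FIXED_NET, GATEWAY, REMOTE = "10.0.0.0/24", "10.0.0.1", "203.0.113.10"  # constructed

def diagnose():
    """(source preserved, source rewritten to gateway, rewritten but flag off) for tcp/200."""
    preserved = packet_allowed(RULES, "tcp", 200, REMOTE, same_net=FIXED_NET)
    observed = packet_allowed(RULES, "tcp", 200, REMOTE, same_net=FIXED_NET, nat_gateway=GATEWAY)
    flag_off = packet_allowed(RULES, "tcp", 200, REMOTE, same_net=None, nat_gateway=GATEWAY)
    return preserved, observed, flag_off

if __name__ == "__main__":
    print(diagnose())  # (False, True, False): only the rewritten source lets port 200 through
```

The middle value is the behaviour Everett saw; the first is what the rules intend once the real source address survives, and the third is Vish's --noallow_same_net_traffic workaround.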
