Security group rules not applied despite being shown in IPtables

I have installed Opennebula 5.8.0 on Ubuntu 18.04.

My networking is configured to use a bridge which is not bridged to any physical network card on the server. The bridge simply has an IP address allocated from a subnet which is routed to the IP address of the physical interface on the server. Networking works fine; I can spin up VMs and SSH to them no problem.

The issue I have is applying security groups. I have removed the allow-any inbound rule from the default security group and added an allow TCP 22 rule for SSH. I can SSH into the VM no problem, but if I run netcat and listen on a port, let's say for argument's sake 8000, and then try to initiate a connection from my workstation to the IP of the VM on port 8000, I can connect without issue. The security group rule, however, should be blocking this.

iptables-save output on the host is below. Bear in mind my bridge br0 is not connected to a physical interface; it just bridges the VM adapters and the traffic is then forwarded by the host machine.

The desired behavior is that only port 22 should be accessible if that's what is configured in the security group, as per the generated iptables rules.

root@virtual01:~# iptables-save
# Generated by iptables-save v1.6.1 on Thu Feb 28 16:11:05 2019
:INPUT ACCEPT [56:4583]
:OUTPUT ACCEPT [54:8831]
:one-5-0-i - [0:0]
:one-5-0-o - [0:0]
:opennebula - [0:0]
-A FORWARD -m physdev --physdev-is-bridged -j opennebula
-A one-5-0-i -m state --state RELATED,ESTABLISHED -j ACCEPT
-A one-5-0-i -p tcp -m multiport --dports 22 -j RETURN
-A one-5-0-i -p tcp -m multiport --dports 22 -j RETURN
-A one-5-0-i -j DROP
-A one-5-0-o -m mac ! --mac-source 02:00:5E:82:65:82 -j DROP
-A one-5-0-o -s -d -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A one-5-0-o -m set ! --match-set one-5-0-ip-spoofing src -j DROP
-A one-5-0-o -m state --state RELATED,ESTABLISHED -j ACCEPT
-A one-5-0-o -j RETURN
-A one-5-0-o -p tcp -j RETURN
-A one-5-0-o -j DROP
-A opennebula -m physdev --physdev-in one-5-0 --physdev-is-bridged -j one-5-0-o
-A opennebula -m physdev --physdev-out one-5-0 --physdev-is-bridged -j one-5-0-i
-A opennebula -j ACCEPT
# Completed on Thu Feb 28 16:11:05 2019

Any help would be very much appreciated. Thank you in advance.


It seems that there are no packets traversing the opennebula chain (:opennebula - [0:0]). In particular, this chain:

-A FORWARD -m physdev --physdev-is-bridged -j opennebula

So if you are routing packets based on the IP, the packets are probably not being bridged (they are routed). The above rule does not match and hence the packet does not go through the sec. group rules. You may want to update the bridge configuration so the rule matches; this depends on your current routing table and configuration.
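As an added example (not from the thread above), a small shell helper that automates the check the answer describes: it reads iptables-save output and reports every chain whose packet counter is zero and which is only reachable through a jump guarded by --physdev-is-bridged, i.e. a chain that routed traffic can never enter. The sample dump is constructed from the rules quoted in the question (the malformed "-s -d" DHCP line is left out); on a live host you would pipe the real iptables-save output in instead.

```shell
#!/bin/sh
# Constructed sample in the shape of the iptables-save output quoted in the question.
# The ":CHAIN POLICY [packets:bytes]" header lines carry the per-chain counters.
SAMPLE=':INPUT ACCEPT [56:4583]
:OUTPUT ACCEPT [54:8831]
:one-5-0-i - [0:0]
:one-5-0-o - [0:0]
:opennebula - [0:0]
-A FORWARD -m physdev --physdev-is-bridged -j opennebula
-A one-5-0-i -m state --state RELATED,ESTABLISHED -j ACCEPT
-A one-5-0-i -p tcp -m multiport --dports 22 -j RETURN
-A one-5-0-i -j DROP
-A one-5-0-o -m mac ! --mac-source 02:00:5E:82:65:82 -j DROP
-A one-5-0-o -j RETURN
-A opennebula -m physdev --physdev-in one-5-0 --physdev-is-bridged -j one-5-0-o
-A opennebula -m physdev --physdev-out one-5-0 --physdev-is-bridged -j one-5-0-i
-A opennebula -j ACCEPT'

# Read iptables-save output on stdin; print each chain that has seen zero packets
# and is entered only via jumps that require --physdev-is-bridged. Such chains are
# skipped entirely for routed (non-bridged) traffic, so the rules inside them
# look correct but never apply.
unreached_bridge_chains() {
  awk '
    /^:/ {                          # ":name policy [pkts:bytes]"
      name = substr($1, 2)
      cnt = $3; sub(/^\[/, "", cnt); sub(/\]$/, "", cnt)
      split(cnt, c, ":")
      if (c[1] == 0) idle[name] = 1
    }
    /^-A / {                        # classify every jump target by how it is reached
      for (i = 1; i < NF; i++) if ($i == "-j") {
        t = $(i + 1)
        if ($0 ~ /--physdev-is-bridged/) bridged[t] = 1; else routed[t] = 1
      }
    }
    END { for (t in bridged) if ((t in idle) && !(t in routed)) print t }
  ' | LC_ALL=C sort
}

# Live use: iptables-save | unreached_bridge_chains
printf '%s\n' "$SAMPLE" | unreached_bridge_chains
```

If the FORWARD counters climb while the chains listed here stay at zero, the traffic is being routed rather than bridged, which is the situation the answer diagnoses.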