I have installed Opennebula 5.8.0 on Ubuntu 18.04.
My networking is configured to use a bridge which is not bridged to any physical network card on the server. The bridge simply has an IP address allocated from a subnet which is routed to the IP address of the physical interface on the server. Networking works fine, I can spin up VM’s and SSH to them no problem.
The issue I have is applying security groups, I have removed the allow any inbound rule from the default security group and added an allow TCP 22 rule for SSH. I can SSH into the VM no problem but if I run netcat and listen on a port lets say for argument sake 8000 and then try and initiate a connection from my workstation to the IP of the VM on port 8000 I can connect without issue. The security group rule however should be blocking this.
iptables-save output on the host is below. bear in mind my bridge br0 is not connected to a physical interface, it just bridges the VM adapters and the traffic is then forwarded by the host machine.
The desired behavior is that only port 22 should be accessible if thats what is configured in the security group as per the generated IPtables rules.
root@virtual01:~# iptables-save
Generated by iptables-save v1.6.1 on Thu Feb 28 16:11:05 2019
*filter
:INPUT ACCEPT [56:4583]
:FORWARD ACCEPT [12:604]
:OUTPUT ACCEPT [54:8831]
:one-5-0-i - [0:0]
:one-5-0-o - [0:0]
:opennebula - [0:0]
-A FORWARD -m physdev --physdev-is-bridged -j opennebula
-A one-5-0-i -m state --state RELATED,ESTABLISHED -j ACCEPT
-A one-5-0-i -p tcp -m multiport --dports 22 -j RETURN
-A one-5-0-i -p tcp -m multiport --dports 22 -j RETURN
-A one-5-0-i -j DROP
-A one-5-0-o -m mac ! --mac-source 02:00:5E:82:65:82 -j DROP
-A one-5-0-o -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A one-5-0-o -m set ! --match-set one-5-0-ip-spoofing src -j DROP
-A one-5-0-o -m state --state RELATED,ESTABLISHED -j ACCEPT
-A one-5-0-o -j RETURN
-A one-5-0-o -p tcp -j RETURN
-A one-5-0-o -j DROP
-A opennebula -m physdev --physdev-in one-5-0 --physdev-is-bridged -j one-5-0-o
-A opennebula -m physdev --physdev-out one-5-0 --physdev-is-bridged -j one-5-0-i
-A opennebula -j ACCEPT
COMMIT
Completed on Thu Feb 28 16:11:05 2019
Any help would be very much appreciated. Thank you in advance.