Specific network ssh security group no access

Hi,

I have configured an ssh security group for a specific network but it’s not working as I can’t ssh into the vm. I can see the following rule in iptables

RETURN all -- anywhere anywhere match-set one-568-0-106-i-nr-inet src,dst

On the other hand, I have created another ssh security group, but applied to all networks instead of a specific one, and it worked this time. This is the rule created in iptables

RETURN tcp -- anywhere anywhere multiport dports ssh

These are the iptables rules added by OpenNebula

-A one-568-0-i -m state --state RELATED,ESTABLISHED -j RETURN
-A one-568-0-i -m set --match-set one-568-0-106-i-nr-inet src,dst -j RETURN
-A one-568-0-i -j DROP
-A one-568-0-o -m state --state RELATED,ESTABLISHED -j RETURN
-A one-568-0-o -j DROP
-A opennebula -m physdev --physdev-in one-568-0 --physdev-is-bridged -j one-568-0-o
-A opennebula -m physdev --physdev-out one-568-0 --physdev-is-bridged -j one-568-0-i
-A opennebula -j ACCEPT

Do you know why the network specific security group is not working?
I’d say for some reason the traffic is not matching the iptables rule

RETURN all -- anywhere anywhere match-set one-568-0-106-i-nr-inet src,dst

How is the rule built? What does the one-568-0-106-i-nr-inet src,dst parameter mean?

Thanks
Jaime
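To make the quoted one-568-0-i chain concrete, here is an added example (it is not from the thread and not OpenNebula's own driver code) that walks a constructed copy of that chain together with a constructed ipset and reports which rule a packet hits and with what verdict. It assumes the set is a hash:net,port set, so that the src,dst flags in the rule mean "source address must fall inside a member network and destination port must equal the member port"; the set members, the packets and the ipset list output are all constructed for the example.

```python
"""Walk an OpenNebula-style per-NIC inbound chain (conntrack state match,
ipset match, final DROP) and report which rule a packet hits.
Added example: rules, ipset contents and packets are constructed."""
import ipaddress
import re

# Constructed: the inbound chain for VM 568 / NIC 0, as quoted in the thread.
CHAIN_RULES = [
    "-A one-568-0-i -m state --state RELATED,ESTABLISHED -j RETURN",
    "-A one-568-0-i -m set --match-set one-568-0-106-i-nr-inet src,dst -j RETURN",
    "-A one-568-0-i -j DROP",
]

# Constructed `ipset list` output.  Assumption: the set is hash:net,port, so
# "src,dst" in the rule means "source IP in net, destination port equal".
IPSET_OUTPUT = """\
Name: one-568-0-106-i-nr-inet
Type: hash:net,port
Header: family inet hashsize 1024 maxelem 65536
Members:
10.0.0.0/24,tcp:22
"""

RULE_RE = re.compile(r"^-A (\S+)(.*?) -j (\S+)$")


def parse_ipset(text):
    """Parse `ipset list` output into {name: {"type": str, "members": [...]}}.
    Each member is (network, proto, port) for a hash:net,port set."""
    sets, current, in_members = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Name:"):
            current = line.split(":", 1)[1].strip()
            sets[current] = {"type": None, "members": []}
            in_members = False
        elif line.startswith("Type:"):
            sets[current]["type"] = line.split(":", 1)[1].strip()
        elif line == "Members:":
            in_members = True
        elif in_members and line:
            net, _, portspec = line.partition(",")
            proto, _, port = portspec.partition(":")
            sets[current]["members"].append(
                (ipaddress.ip_network(net, strict=False), proto, int(port)))
    return sets


def in_set(ipset, pkt):
    """src,dst against hash:net,port: source IP inside a member net and
    destination port/proto equal to the member's port/proto."""
    if ipset["type"] != "hash:net,port":
        raise ValueError("example only models hash:net,port sets")
    src = ipaddress.ip_address(pkt["src"])
    return any(src in net and proto == pkt["proto"] and port == pkt["dport"]
               for net, proto, port in ipset["members"])


def verdict(pkt, rules=CHAIN_RULES, sets=None):
    """Evaluate the chain top to bottom; return (target, matching_rule).
    pkt: {"src", "proto", "dport", "state"} where state is the conntrack
    state (NEW, ESTABLISHED, RELATED)."""
    sets = sets if sets is not None else parse_ipset(IPSET_OUTPUT)
    for rule in rules:
        chain, matches, target = RULE_RE.match(rule).groups()
        if "--state" in matches:
            wanted = re.search(r"--state (\S+)", matches).group(1).split(",")
            if pkt["state"] not in wanted:
                continue
        if "--match-set" in matches:
            name, flags = re.search(r"--match-set (\S+) (\S+)", matches).groups()
            if flags != "src,dst" or not in_set(sets[name], pkt):
                continue
        return target, rule
    return "policy", None


if __name__ == "__main__":
    # Constructed packets: a new SSH connection from inside the member net,
    # one from outside it, and a reply packet of an established flow.
    for pkt in ({"src": "10.0.0.5", "proto": "tcp", "dport": 22, "state": "NEW"},
                {"src": "192.168.10.50", "proto": "tcp", "dport": 22, "state": "NEW"},
                {"src": "192.168.10.50", "proto": "tcp", "dport": 22, "state": "ESTABLISHED"}):
        print(pkt, "->", verdict(pkt))
```

The practical check on the host follows the same logic: `ipset list one-568-0-106-i-nr-inet` shows the set type and members, `ipset test one-568-0-106-i-nr-inet <entry>` tells you whether a given source network and port would match, and `iptables -L one-568-0-i -v -n` shows per-rule packet counters, so a NEW SSH packet whose source address is outside every member network falls through to the final DROP and increments that counter instead.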

Hi @jaimeibar,

Can you provide more details on what you mean by “to apply to all networks instead of a specific one”? Also, it would be useful if you can share your network config (i.e. onevnet show -x <vnet_id>) and the same for the SGs.

Hi @cgonzalez ,

When you define a security group, in the target network dropdown you can specify whether the rule you’re configuring applies to all networks, a manual network or an OpenNebula virtual network.

When I select OpenNebula virtual network, if you want to apply the security group to a certain vm, you go to vm → network → nic.

The rule is configured in iptables but it doesn’t seem to be working.

<VNET>
  <ID>11</ID>
  <UID>0</UID>
  <GID>0</GID>
  <UNAME>oneadmin</UNAME>
  <GNAME>oneadmin</GNAME>
  <NAME>Private01</NAME>
  <PERMISSIONS>
    <OWNER_U>1</OWNER_U>
    <OWNER_M>1</OWNER_M>
    <OWNER_A>0</OWNER_A>
    <GROUP_U>0</GROUP_U>
    <GROUP_M>0</GROUP_M>
    <GROUP_A>0</GROUP_A>
    <OTHER_U>0</OTHER_U>
    <OTHER_M>0</OTHER_M>
    <OTHER_A>0</OTHER_A>
  </PERMISSIONS>
  <CLUSTERS>
    <ID>0</ID>
  </CLUSTERS>
  <BRIDGE><![CDATA[br0]]></BRIDGE>
  <BRIDGE_TYPE><![CDATA[linux]]></BRIDGE_TYPE>
  <STATE><![CDATA[1]]></STATE>
  <PREV_STATE><![CDATA[1]]></PREV_STATE>
  <PARENT_NETWORK_ID/>
  <VN_MAD><![CDATA[fw]]></VN_MAD>
  <PHYDEV/>
  <VLAN_ID/>
  <OUTER_VLAN_ID/>
  <VLAN_ID_AUTOMATIC>0</VLAN_ID_AUTOMATIC>
  <OUTER_VLAN_ID_AUTOMATIC>0</OUTER_VLAN_ID_AUTOMATIC>
  <USED_LEASES>2</USED_LEASES>
  <VROUTERS>
    <ID>20</ID>
  </VROUTERS>
  <TEMPLATE>
    <BRIDGE><![CDATA[br0]]></BRIDGE>
    <BRIDGE_TYPE><![CDATA[linux]]></BRIDGE_TYPE>
    <GATEWAY><![CDATA[192.168.10.1]]></GATEWAY>
    <NETWORK_ADDRESS><![CDATA[192.168.10.0]]></NETWORK_ADDRESS>
    <NETWORK_MASK><![CDATA[24]]></NETWORK_MASK>
    <OUTER_VLAN_ID><![CDATA[]]></OUTER_VLAN_ID>
    <PHYDEV><![CDATA[]]></PHYDEV>
    <SECURITY_GROUPS><![CDATA[102,105]]></SECURITY_GROUPS>
    <VLAN_ID><![CDATA[]]></VLAN_ID>
    <VN_MAD><![CDATA[fw]]></VN_MAD>
  </TEMPLATE>
  <AR_POOL>
    <AR>
      <AR_ID><![CDATA[0]]></AR_ID>
      <IP><![CDATA[192.168.10.1]]></IP>
      <MAC><![CDATA[02:00:c0:a8:0a:01]]></MAC>
      <SIZE><![CDATA[20]]></SIZE>
      <TYPE><![CDATA[IP4]]></TYPE>
      <MAC_END><![CDATA[02:00:c0:a8:0a:14]]></MAC_END>
      <IP_END><![CDATA[192.168.10.20]]></IP_END>
      <USED_LEASES>2</USED_LEASES>
      <LEASES>
        <LEASE>
          <IP><![CDATA[192.168.10.1]]></IP>
          <MAC><![CDATA[02:00:c0:a8:0a:01]]></MAC>
          <VM><![CDATA[590]]></VM>
        </LEASE>
        <LEASE>
          <IP><![CDATA[192.168.10.2]]></IP>
          <MAC><![CDATA[02:00:c0:a8:0a:02]]></MAC>
          <VM><![CDATA[593]]></VM>
        </LEASE>
      </LEASES>
    </AR>
  </AR_POOL>
</VNET>

Thanks
Jaime