From 1c24605d299f30d17aa43110e5076d3b6fa8f87b Mon Sep 17 00:00:00 2001
From: Edison Su
Date: Fri, 13 May 2011 16:07:00 -0400
Subject: [PATCH] need to insert iptable rules into FORWARD chain instead of append, as on rhel6, there is a reject rule added at the end of FORWARD
---
 scripts/vm/network/security_group.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/scripts/vm/network/security_group.py b/scripts/vm/network/security_group.py
index 609b9357bf8..8598113b106 100755
--- a/scripts/vm/network/security_group.py
+++ b/scripts/vm/network/security_group.py
@@ -531,15 +531,15 @@ def addFWFramework(brname):
 try:
 refs = execute("iptables -n -L " + brfw + " |grep " + brfw + " | cut -d \( -f2 | awk '{print $1}'").strip()
 if refs == "0":
- execute("iptables -A FORWARD -i " + brname + " -m physdev --physdev-is-bridged -j " + brfw)
- execute("iptables -A FORWARD -o " + brname + " -m physdev --physdev-is-bridged -j " + brfw)
+ execute("iptables -I FORWARD -i " + brname + " -j DROP")
+ execute("iptables -I FORWARD -o " + brname + " -j DROP")
+ execute("iptables -I FORWARD -i " + brname + " -m physdev --physdev-is-bridged -j " + brfw)
+ execute("iptables -I FORWARD -o " + brname + " -m physdev --physdev-is-bridged -j " + brfw)
 phydev = execute("brctl show |grep " + brname + " | awk '{print $4}'").strip()
 execute("iptables -A " + brfw + " -m physdev --physdev-is-bridged --physdev-out " + phydev + " -j ACCEPT")
 execute("iptables -A " + brfw + " -m state --state RELATED,ESTABLISHED -j ACCEPT")
 execute("iptables -A " + brfw + " -m physdev --physdev-is-bridged --physdev-is-out -j " + brfwout)
 execute("iptables -A " + brfw + " -m physdev --physdev-is-bridged --physdev-is-in -j " + brfwin)
- execute("iptables -A FORWARD -i " + brname + " -j DROP")
- execute("iptables -A FORWARD -o " + brname + " -j DROP")
 return True
 except: