Need to insert iptables rules into the FORWARD chain instead of appending them, because on RHEL 6 a reject rule is added at the end of FORWARD.
diff --git a/scripts/vm/network/security_group.py b/scripts/vm/network/security_group.py
index 609b935..8598113 100755
--- a/scripts/vm/network/security_group.py
+++ b/scripts/vm/network/security_group.py
@@ -531,15 +531,15 @@
try:
refs = execute("iptables -n -L " + brfw + " |grep " + brfw + " | cut -d \( -f2 | awk '{print $1}'").strip()
if refs == "0":
- execute("iptables -A FORWARD -i " + brname + " -m physdev --physdev-is-bridged -j " + brfw)
- execute("iptables -A FORWARD -o " + brname + " -m physdev --physdev-is-bridged -j " + brfw)
+ execute("iptables -I FORWARD -i " + brname + " -j DROP")
+ execute("iptables -I FORWARD -o " + brname + " -j DROP")
+ execute("iptables -I FORWARD -i " + brname + " -m physdev --physdev-is-bridged -j " + brfw)
+ execute("iptables -I FORWARD -o " + brname + " -m physdev --physdev-is-bridged -j " + brfw)
phydev = execute("brctl show |grep " + brname + " | awk '{print $4}'").strip()
execute("iptables -A " + brfw + " -m physdev --physdev-is-bridged --physdev-out " + phydev + " -j ACCEPT")
execute("iptables -A " + brfw + " -m state --state RELATED,ESTABLISHED -j ACCEPT")
execute("iptables -A " + brfw + " -m physdev --physdev-is-bridged --physdev-is-out -j " + brfwout)
execute("iptables -A " + brfw + " -m physdev --physdev-is-bridged --physdev-is-in -j " + brfwin)
- execute("iptables -A FORWARD -i " + brname + " -j DROP")
- execute("iptables -A FORWARD -o " + brname + " -j DROP")
return True
except: