Posted to users@cloudstack.apache.org by Syafiq Rokman <ms...@gmail.com> on 2016/04/04 11:16:06 UTC
SSVM cant route to MS, Iptables keep self-updating
Hi everyone!
I'm running CS 4.8 on Ubuntu 14.04 LTS.
So I've managed to set up everything, but I still can't install templates.
So I SSH-ed into the SSVM and ran the healthcheck and it seems that the
SSVM can't connect to the DNS.
Logs say that it can't route to host.
So I've tried to allow all outgoing/incoming connections on Iptables, but
it keeps changing back to deny outgoing connections.
Any ideas on how to proceed?
Will provide logs if anyone needs them.
Thanks
Syafiq Rokman
B.ICT Student
Re: SSVM cant route to MS, Iptables keep self-updating
Posted by Rafael Weingärtner <ra...@gmail.com>.
Are you using VLANs?
Have you tried to use tcpdump at the host to check what is happening with
packages coming from SSVM?
On Tue, Apr 5, 2016 at 10:34 AM, Mindaugas Milinavičius <
mindaugas@clustspace.com> wrote:
> added an additional DNS IP: 8.8.8.8 8.8.4.4
>
>
>
>
> Regards
> Mindaugas Milinavičius
> UAB STARNITA
> Director
> http://www.clustspace.com
> LT: +37068882880
> RU: +79651806396
>
>
>
> On Tue, Apr 5, 2016 at 4:31 PM, Syafiq Rokman <ms...@gmail.com>
> wrote:
>
> > I think so. network/interfaces file on host/MS:
> >
> > auto lo
> > iface lo inet loopback
> >
> > auto eth0.100
> > iface eth0.100 inet manual
> > address 172.16.135.179
> > netmask 255.255.255.0
> > gateway 172.16.135.254
> > dns-nameservers 172.16.238.7 172.16.238.6
> >
> > # Public network
> > auto cloudbr0
> > iface cloudbr0 inet manual
> >
> > bridge_ports eth0.200
> > bridge_fd 5
> > bridge_stp off
> > bridge_maxwait 1
> >
> > # Private network
> > auto cloudbr1
> > iface cloudbr1 inet manual
> > bridge_ports eth0.300
> > bridge_fd 5
> > bridge_stp off
> > bridge_maxwait 1
> >
> >
> > On Tue, Apr 5, 2016 at 9:21 PM Mindaugas Milinavičius <
> > mindaugas@clustspace.com> wrote:
> >
> > > Is your network configured properly?
> > >
> > >
> > >
> > >
> > > Regards
> > > Mindaugas Milinavičius
> > > UAB STARNITA
> > > Director
> > > http://www.clustspace.com
> > > LT: +37068882880
> > > RU: +79651806396
> > >
> > >
> > >
> > > On Tue, Apr 5, 2016 at 4:18 PM, Syafiq Rokman <msyafiq.rokman@gmail.com>
> > > wrote:
> > >
> > > > traceroute to 172.16.238.7 (172.16.238.7), 30 hops max, 60 byte packets
> > > > 1 172.16.135.12 (172.16.135.12) 2996.763 ms !H 2996.765 ms !H 2996.764 ms !H
> > > >
> > > > traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
> > > > 1 s-2059-VM (172.16.135.84) 2996.386 ms !H 2996.374 ms !H 2996.371 ms !H
> > > >
> > > >
> > > >
> > > > On Tue, Apr 5, 2016 at 9:01 PM Syafiq Rokman <msyafiq.rokman@gmail.com>
> > > > wrote:
> > > >
> > > > > iptables -L in SSVM :
> > > > >
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > >
> > > > > Chain HTTP (0 references)
> > > > > target prot opt source destination
> > > > >
> > > > > ==
> > > > >
> > > > > > The head is lost, I'm not sure how to filter out the spammed rules.
> > > > >
> > > > > On Tue, Apr 5, 2016 at 8:51 PM Rafael Weingärtner <
> > > > > rafaelweingartner@gmail.com> wrote:
> > > > >
> > > > >> can you post your iptables -L from SSVM?
> > > > >>
> > > > > >> On Tue, Apr 5, 2016 at 9:47 AM, Syafiq Rokman <msyafiq.rokman@gmail.com>
> > > > > >> wrote:
> > > > > >>
> > > > > >> > Yes, just tried ping from SSVM to DNS, and 8.8.8.8, and google.com. Host
> > > > > >> > still unreachable.
> > > > >> > Healthcheck script also returning host unreachable.
> > > > >> >
> > > > >> >
> > > > >> > On Tue, Apr 5, 2016 at 8:39 PM Rafael Weingärtner <
> > > > >> > rafaelweingartner@gmail.com> wrote:
> > > > >> >
> > > > > >> > > Ok, so in your host there is nothing blocking the in-out/going requests,
> > > > > >> > > but still the ping command does not work?
> > > > > >> > >
> > > > > >> > > That rule you presented earlier should not block “icmp-echo-request”.
> > > > >> > >
> > > > > >> > > On Tue, Apr 5, 2016 at 9:36 AM, Syafiq Rokman <msyafiq.rokman@gmail.com>
> > > > > >> > > wrote:
> > > > > >> > >
> > > > > >> > > > I've checked the host iptables just now...there were rules accommodating the
> > > > > >> > > > SSVM and CPVM.
> > > > > >> > > > But I've made the mistake of flushing the iptables rules without any
> > > > > >> > > > backup.
> > > > >> > > > Now Iptables -P, -L has:
> > > > >> > > >
> > > > >> > > > -P INPUT ACCEPT
> > > > >> > > > -P FORWARD ACCEPT
> > > > >> > > > -P OUTPUT ACCEPT
> > > > >> > > > -A INPUT -j ACCEPT
> > > > >> > > > -A INPUT -j ACCEPT
> > > > >> > > > -A FORWARD -j ACCEPT
> > > > >> > > > -A OUTPUT -j ACCEPT
> > > > >> > > > Chain INPUT (policy ACCEPT)
> > > > >> > > > target prot opt source destination
> > > > >> > > > ACCEPT all -- anywhere anywhere
> > > > >> > > > ACCEPT all -- anywhere anywhere
> > > > >> > > >
> > > > >> > > > Chain FORWARD (policy ACCEPT)
> > > > >> > > > target prot opt source destination
> > > > >> > > > ACCEPT all -- anywhere anywhere
> > > > >> > > >
> > > > >> > > > Chain OUTPUT (policy ACCEPT)
> > > > >> > > > target prot opt source destination
> > > > >> > > > ACCEPT all -- anywhere anywhere
> > > > >> > > >
> > > > > >> > > > One more thing, this setup is self-hosted. The MS and host are on the same
> > > > > >> > > > machine.
> > > > >> > > >
> > > > >> > > >
> > > > >> > > >
> > > > >> > > > On Tue, Apr 5, 2016 at 8:22 PM Rafael Weingärtner <
> > > > >> > > > rafaelweingartner@gmail.com> wrote:
> > > > >> > > >
> > > > > >> > > > > Those rules should not block the "ping" command, hence they are meant to
> > > > > >> > > > > block "http" right?
> > > > > >> > > > >
> > > > > >> > > > >
> > > > > >> > > > > I have been having the same problem lately with XenServer.
> > > > > >> > > > >
> > > > > >> > > > > The iptables rules that are rejecting my traffic are at the host itself.
> > > > >> > > > >
> > > > >> > > > > Can you check your host iptables configs?
> > > > >> > > > >
> > > > > >> > > > > On Tue, Apr 5, 2016 at 3:42 AM, Syafiq Rokman <msyafiq.rokman@gmail.com>
> > > > > >> > > > > wrote:
> > > > > >> > > > >
> > > > > >> > > > > > Hi,
> > > > > >> > > > > >
> > > > > >> > > > > > Can't ping the default gateway of the SSVM or 8.8.8.8 from the SSVM.
> > > > >> > > > > > I'm using KVM as hypervisor.
> > > > >> > > > > >
> > > > >> > > > > > Tried changing iptables rules on SSVM using
> > > > >> > > > > >
> > > > >> > > > > > iptables -F
> > > > >> > > > > > iptables -X
> > > > >> > > > > > iptables -t nat -F
> > > > >> > > > > > iptables -t nat -X
> > > > >> > > > > > iptables -t mangle -F
> > > > >> > > > > > iptables -t mangle -X
> > > > >> > > > > > iptables -P INPUT ACCEPT
> > > > >> > > > > > iptables -P FORWARD ACCEPT
> > > > >> > > > > > iptables -P OUTPUT ACCEPT
> > > > >> > > > > >
> > > > > >> > > > > > to allow all connections, but keep getting this at Chain OUTPUT:
> > > > > >> > > > > >
> > > > > >> > > > > > REJECT tcp -- anywhere anywhere state NEW tcp dpt:http reject-with icmp-port-unreachable
> > > > > >> > > > > > REJECT tcp -- anywhere anywhere state NEW tcp dpt:https reject-with icmp-port-unreachable
> > > > >> > > > > >
> > > > >> > > > > >
> > > > >> > > > > >
> > > > >> > > > > > On Mon, Apr 4, 2016 at 6:49 PM Rafael Weingärtner <
> > > > >> > > > > > rafaelweingartner@gmail.com> wrote:
> > > > >> > > > > >
> > > > >> > > > > > > What hypervisor are you using?
> > > > > >> > > > > > > Did you change the iptables rules at the SSVM itself?
> > > > > >> > > > > > >
> > > > > >> > > > > > > On Mon, Apr 4, 2016 at 6:50 AM, Glenn Wagner <glenn.wagner@shapeblue.com>
> > > > > >> > > > > > > wrote:
> > > > >> > > > > > >
> > > > >> > > > > > > > Hi,
> > > > >> > > > > > > >
> > > > >> > > > > > > > Can you ping the default gateway of the SSVM?
> > > > >> > > > > > > > Can you ping google DNS 8.8.8.8 from the SSVM?
> > > > >> > > > > > > >
> > > > >> > > > > > > > Thanks
> > > > >> > > > > > > > Glenn
> > > > >> > > > > > > >
> > > > >> > > > > > > >
> > > > >> > > > > > > > Regards,
> > > > >> > > > > > > >
> > > > >> > > > > > > > Glenn Wagner
> > > > >> > > > > > > >
> > > > >> > > > > > > > glenn.wagner@shapeblue.com
> > > > >> > > > > > > > www.shapeblue.com
> > > > > >> > > > > > > > 2nd Floor, Oudehuis Centre, 122 Main Rd, Somerset West, Cape Town
> > > > > >> > > > > > > > 7130 South Africa
> > > > >> > > > > > > > @shapeblue
> > > > >> > > > > > > >
> > > > >> > > > > > > > -----Original Message-----
> > > > > >> > > > > > > > From: Syafiq Rokman [mailto:msyafiq.rokman@gmail.com]
> > > > > >> > > > > > > > Sent: Monday, 04 April 2016 11:16 AM
> > > > > >> > > > > > > > To: users@cloudstack.apache.org
> > > > > >> > > > > > > > Subject: SSVM cant route to MS, Iptables keep self-updating
> > > > >> > > > > > > >
> > > > >> > > > > > > > Hi everyone!
> > > > >> > > > > > > >
> > > > > >> > > > > > > > I'm running CS 4.8 on Ubuntu 14.04 LTS.
> > > > > >> > > > > > > >
> > > > > >> > > > > > > > So I've managed to set up everything, but I still can't install templates.
> > > > > >> > > > > > > > So I SSH-ed into the SSVM and ran the healthcheck and it seems that the
> > > > > >> > > > > > > > SSVM can't connect to the DNS.
> > > > > >> > > > > > > >
> > > > > >> > > > > > > > Logs say that it can't route to host.
> > > > > >> > > > > > > >
> > > > > >> > > > > > > > So I've tried to allow all outgoing/incoming connections on Iptables, but
> > > > > >> > > > > > > > it keeps changing back to deny outgoing connections.
> > > > > >> > > > > > > >
> > > > > >> > > > > > > > Any ideas on how to proceed?
> > > > > >> > > > > > > >
> > > > > >> > > > > > > > Will provide logs if anyone needs them.
> > > > >> > > > > > > >
> > > > >> > > > > > > > Thanks
> > > > >> > > > > > > > Syafiq Rokman
> > > > >> > > > > > > > B.ICT Student
> > > > >> > > > > > > >
> > > > >> > > > > > >
> > > > >> > > > > > >
> > > > >> > > > > > >
> > > > >> > > > > > > --
> > > > >> > > > > > > Rafael Weingärtner
> > > > >> > > > > > >
> > > > >> > > > > >
> > > > >> > > > >
> > > > >> > > > >
> > > > >> > > > >
> > > > >> > > > > --
> > > > >> > > > > Rafael Weingärtner
> > > > >> > > > >
> > > > >> > > > --
> > > > >> > > > Syafiq Rokman
> > > > >> > > > B. ICT Student
> > > > >> > > > Universiti Teknologi PETRONAS
> > > > >> > > >
> > > > >> > >
> > > > >> > >
> > > > >> > >
> > > > >> > > --
> > > > >> > > Rafael Weingärtner
> > > > >> > >
> > > > >> > --
> > > > >> > Syafiq Rokman
> > > > >> > B. ICT Student
> > > > >> > Universiti Teknologi PETRONAS
> > > > >> >
> > > > >>
> > > > >>
> > > > >>
> > > > >> --
> > > > >> Rafael Weingärtner
> > > > >>
> > > > > --
> > > > > Syafiq Rokman
> > > > > B. ICT Student
> > > > > Universiti Teknologi PETRONAS
> > > > >
> > > > --
> > > > Syafiq Rokman
> > > > B. ICT Student
> > > > Universiti Teknologi PETRONAS
> > > >
> > >
> > --
> > Syafiq Rokman
> > B. ICT Student
> > Universiti Teknologi PETRONAS
> >
>
--
Rafael Weingärtner
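The `iptables -L` listing quoted in the message above repeats the same two REJECT rules dozens of times, and the poster notes he is not sure how to filter them. The following shell sketch is an added example, not something posted in the thread: it collapses repeated rules in `iptables -S` style output and counts each one. The sample rules are constructed to mirror the listing, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: collapse repeated iptables rules and count the copies.
# Input is `iptables -S` style text, one rule per line. On a live system
# (as root) the input would come from:  iptables -S OUTPUT | summarize_rules

# Constructed sample mirroring the thread: the same two OUTPUT REJECT rules
# (new outbound TCP to ports 80 and 443) appended three times each.
sample_rules() {
    cat <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp  -m state --state NEW -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable
EOF
}

# Print "<count><TAB><rule>" for every distinct rule, in first-seen order.
# Rule order matters to iptables, so this avoids `sort | uniq -c`.
summarize_rules() {
    awk '
        {
            gsub(/[ \t]+/, " ")            # squeeze runs of blanks
            sub(/^ /, ""); sub(/ $/, "")   # trim both ends
        }
        $0 == "" { next }
        !($0 in count) { order[++n] = $0 }
        { count[$0]++ }
        END {
            for (i = 1; i <= n; i++)
                printf "%d\t%s\n", count[order[i]], order[i]
        }
    '
}

# Number of redundant copies: total rules minus distinct rules.
redundant_copies() {
    summarize_rules | awk -F '\t' '{ extra += $1 - 1 } END { print extra + 0 }'
}

# Keep only the rules appended to one chain (default OUTPUT).
chain_rules() {
    chain=${1:-OUTPUT}
    awk -v c="$chain" '$1 == "-A" && $2 == c'
}

# Demo on the constructed sample.
sample_rules | chain_rules OUTPUT | summarize_rules
echo "redundant copies: $(sample_rules | redundant_copies)"
```
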
Re: SSVM cant route to MS, Iptables keep self-updating
Posted by Mindaugas Milinavičius <mi...@clustspace.com>.
added an additional DNS IP: 8.8.8.8 8.8.4.4
Regards
Mindaugas Milinavičius
UAB STARNITA
Director
http://www.clustspace.com
LT: +37068882880
RU: +79651806396
Re: SSVM cant route to MS, Iptables keep self-updating
Posted by Syafiq Rokman <ms...@gmail.com>.
I think so. network/interfaces file on host/MS:

auto lo
iface lo inet loopback

auto eth0.100
iface eth0.100 inet manual
    address 172.16.135.179
    netmask 255.255.255.0
    gateway 172.16.135.254
    dns-nameservers 172.16.238.7 172.16.238.6

# Public network
auto cloudbr0
iface cloudbr0 inet manual
    bridge_ports eth0.200
    bridge_fd 5
    bridge_stp off
    bridge_maxwait 1

# Private network
auto cloudbr1
iface cloudbr1 inet manual
    bridge_ports eth0.300
    bridge_fd 5
    bridge_stp off
    bridge_maxwait 1

On Tue, Apr 5, 2016 at 9:21 PM Mindaugas Milinavičius <
mindaugas@clustspace.com> wrote:
> Is your network configured properly?
>
>
>
>
> Regards
> Mindaugas Milinavičius
> UAB STARNITA
> Director
> http://www.clustspace.com
> LT: +37068882880
> RU: +79651806396
>
>
> On Tue, Apr 5, 2016 at 4:18 PM, Syafiq Rokman <ms...@gmail.com>
> wrote:
>
> > traceroute to 172.16.238.7 (172.16.238.7), 30 hops max, 60 byte packets
> > 1 172.16.135.12 (172.16.135.12) 2996.763 ms !H 2996.765 ms !H 2996.764 ms !H
> >
> > traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
> > 1 s-2059-VM (172.16.135.84) 2996.386 ms !H 2996.374 ms !H 2996.371 ms !H
> >
> >
> >
> > On Tue, Apr 5, 2016 at 9:01 PM Syafiq Rokman <ms...@gmail.com>
> > wrote:
> >
> > > iptables -L in SSVM :
> > >
> > > Chain HTTP (0 references)
> > > target prot opt source destination
> > >
> > > ==
> > >
> > > The head is lost, I'm not sure how to filter out the spammed rules.
> > >
> > > On Tue, Apr 5, 2016 at 8:51 PM Rafael Weingärtner <
> > > rafaelweingartner@gmail.com> wrote:
> > >
> > >> can you post your iptables -L from SSVM?
> > >>
> > >> On Tue, Apr 5, 2016 at 9:47 AM, Syafiq Rokman <msyafiq.rokman@gmail.com>
> > >> wrote:
> > >>
> > >> > Yes, just tried ping from SSVM to DNS, and 8.8.8.8, and google.com. Host
> > >> > still unreachable.
> > >> > Healthcheck script also returning host unreachable.
> > >> >
> > >> >
> > >> > On Tue, Apr 5, 2016 at 8:39 PM Rafael Weingärtner <
> > >> > rafaelweingartner@gmail.com> wrote:
> > >> >
> > >> > > Ok, so in your host there is nothing blocking the in-out/going requests,
> > >> > > but still the ping command does not work?
> > >> > >
> > >> > > That rule you presented earlier should not block “icmp-echo-request”.
> > >> > >
> > >> > > On Tue, Apr 5, 2016 at 9:36 AM, Syafiq Rokman <msyafiq.rokman@gmail.com>
> > >> > > wrote:
> > >> > >
> > >> > > > I've checked the host iptables just now...there were rules accommodating the
> > >> > > > SSVM and CPVM.
> > >> > > > But I've made the mistake of flushing the iptables rules without any
> > >> > > > backup.
> > >> > > > Now Iptables -P, -L has:
> > >> > > >
> > >> > > > -P INPUT ACCEPT
> > >> > > > -P FORWARD ACCEPT
> > >> > > > -P OUTPUT ACCEPT
> > >> > > > -A INPUT -j ACCEPT
> > >> > > > -A INPUT -j ACCEPT
> > >> > > > -A FORWARD -j ACCEPT
> > >> > > > -A OUTPUT -j ACCEPT
> > >> > > > Chain INPUT (policy ACCEPT)
> > >> > > > target prot opt source destination
> > >> > > > ACCEPT all -- anywhere anywhere
> > >> > > > ACCEPT all -- anywhere anywhere
> > >> > > >
> > >> > > > Chain FORWARD (policy ACCEPT)
> > >> > > > target prot opt source destination
> > >> > > > ACCEPT all -- anywhere anywhere
> > >> > > >
> > >> > > > Chain OUTPUT (policy ACCEPT)
> > >> > > > target prot opt source destination
> > >> > > > ACCEPT all -- anywhere anywhere
> > >> > > >
> > >> > > > One more thing, this setup is self-hosted. The MS and host are on the same
> > >> > > > machine.
> > >> > > >
> > >> > > >
> > >> > > >
> > >> > > > On Tue, Apr 5, 2016 at 8:22 PM Rafael Weingärtner <
> > >> > > > rafaelweingartner@gmail.com> wrote:
> > >> > > >
> > >> > > > > Those rules should not block the "ping" command, hence they are meant to
> > >> > > > > block "http" right?
> > >> > > > >
> > >> > > > >
> > >> > > > > I have been having the same problem lately with XenServer.
> > >> > > > >
> > >> > > > > The iptables rules that are rejecting my traffic are at the host itself.
> > >> > > > >
> > >> > > > > Can you check your host iptables configs?
> > >> > > > >
> > >> > > > > On Tue, Apr 5, 2016 at 3:42 AM, Syafiq Rokman <msyafiq.rokman@gmail.com>
> > >> > > > > wrote:
> > >> > > > >
> > >> > > > > > Hi,
> > >> > > > > >
> > >> > > > > > Can't ping the default gateway of the SSVM or 8.8.8.8 from the SSVM.
> > >> > > > > > I'm using KVM as hypervisor.
> > >> > > > > >
> > >> > > > > > Tried changing iptables rules on SSVM using
> > >> > > > > >
> > >> > > > > > iptables -F
> > >> > > > > > iptables -X
> > >> > > > > > iptables -t nat -F
> > >> > > > > > iptables -t nat -X
> > >> > > > > > iptables -t mangle -F
> > >> > > > > > iptables -t mangle -X
> > >> > > > > > iptables -P INPUT ACCEPT
> > >> > > > > > iptables -P FORWARD ACCEPT
> > >> > > > > > iptables -P OUTPUT ACCEPT
> > >> > > > > >
> > >> > > > > > to allow all connections, but keep getting this at Chain OUTPUT:
> > >> > > > > >
> > >> > > > > > REJECT tcp -- anywhere anywhere state NEW tcp dpt:http reject-with icmp-port-unreachable
> > >> > > > > > REJECT tcp -- anywhere anywhere state NEW tcp dpt:https reject-with icmp-port-unreachable
> > >> > > > > >
> > >> > > > > >
> > >> > > > > >
> > >> > > > > > On Mon, Apr 4, 2016 at 6:49 PM Rafael Weingärtner <
> > >> > > > > > rafaelweingartner@gmail.com> wrote:
> > >> > > > > >
> > >> > > > > > > What hypervisor are you using?
> > >> > > > > > > Did you change the iptables rules at the SSVM itself?
> > >> > > > > > >
> > >> > > > > > > On Mon, Apr 4, 2016 at 6:50 AM, Glenn Wagner <glenn.wagner@shapeblue.com>
> > >> > > > > > > wrote:
> > >> > > > > > >
> > >> > > > > > > > Hi,
> > >> > > > > > > >
> > >> > > > > > > > Can you ping the default gateway of the SSVM?
> > >> > > > > > > > Can you ping google DNS 8.8.8.8 from the SSVM?
> > >> > > > > > > >
> > >> > > > > > > > Thanks
> > >> > > > > > > > Glenn
> > >> > > > > > > >
> > >> > > > > > > >
> > >> > > > > > > > Regards,
> > >> > > > > > > >
> > >> > > > > > > > Glenn Wagner
> > >> > > > > > > >
> > >> > > > > > > > glenn.wagner@shapeblue.com
> > >> > > > > > > > www.shapeblue.com
> > >> > > > > > > > 2nd Floor, Oudehuis Centre, 122 Main Rd, Somerset West, Cape Town
> > >> > > > > > > > 7130 South Africa
> > >> > > > > > > > @shapeblue
> > >> > > > > > > >
> > >> > > > > > > > -----Original Message-----
> > >> > > > > > > > From: Syafiq Rokman [mailto:msyafiq.rokman@gmail.com]
> > >> > > > > > > > Sent: Monday, 04 April 2016 11:16 AM
> > >> > > > > > > > To: users@cloudstack.apache.org
> > >> > > > > > > > Subject: SSVM cant route to MS, Iptables keep self-updating
> > >> > > > > > > >
> > >> > > > > > > > Hi everyone!
> > >> > > > > > > >
> > >> > > > > > > > I'm running CS 4.8 on Ubuntu 14.04 LTS.
> > >> > > > > > > >
> > >> > > > > > > > So I've managed to set up everything, but I still can't install
> > >> > > > > > > > templates.
> > >> > > > > > > > So I SSH-ed into the SSVM and ran the healthcheck and it seems that the
> > >> > > > > > > > SSVM can't connect to the DNS.
> > >> > > > > > > >
> > >> > > > > > > > Logs say that it can't route to host.
> > >> > > > > > > >
> > >> > > > > > > > So I've tried to allow all outgoing/incoming connections on Iptables, but
> > >> > > > > > > > it keeps changing back to deny outgoing connections.
> > >> > > > > > > >
> > >> > > > > > > > Any ideas on how to proceed?
> > >> > > > > > > >
> > >> > > > > > > > Will provide logs if anyone needs it.
> > >> > > > > > > >
> > >> > > > > > > > Thanks
> > >> > > > > > > > Syafiq Rokman
> > >> > > > > > > > B.ICT Student
> > >> > > > > > > >
> > >> > > > > > >
> > >> > > > > > >
> > >> > > > > > >
> > >> > > > > > > --
> > >> > > > > > > Rafael Weingärtner
> > >> > > > > > >
> > >> > > > > >
> > >> > > > >
> > >> > > > >
> > >> > > > >
> > >> > > > > --
> > >> > > > > Rafael Weingärtner
> > >> > > > >
> > >> > > > --
> > >> > > > Syafiq Rokman
> > >> > > > B. ICT Student
> > >> > > > Universiti Teknologi PETRONAS
> > >> > > >
> > >> > >
> > >> > >
> > >> > >
> > >> > > --
> > >> > > Rafael Weingärtner
> > >> > >
> > >> > --
> > >> > Syafiq Rokman
> > >> > B. ICT Student
> > >> > Universiti Teknologi PETRONAS
> > >> >
> > >>
> > >>
> > >>
> > >> --
> > >> Rafael Weingärtner
> > >>
> > > --
> > > Syafiq Rokman
> > > B. ICT Student
> > > Universiti Teknologi PETRONAS
> > >
> > --
> > Syafiq Rokman
> > B. ICT Student
> > Universiti Teknologi PETRONAS
> >
>
--
Syafiq Rokman
B. ICT Student
Universiti Teknologi PETRONAS
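
For the "spammed rules" listing quoted above, an added example (not from the thread and not CloudStack code): it collapses a rule dump to distinct rules with counts, and compares two captures to show which rules are being re-appended. The sample rules are constructed in `iptables -S` form to mirror the REJECT entries in the thread, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example. Reads `iptables -S` text (one "-A CHAIN ..." rule per line);
# on a live system the input would come from e.g. `iptables -S OUTPUT`.

# Constructed rules in `iptables -S` form, mirroring the REJECT entries quoted
# in the thread. They are sample data, not output captured from the poster's SSVM.
REJECT_HTTP='-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable'
REJECT_HTTPS='-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable'

# sample_rules N: a ruleset in which the two REJECT rules were appended N times.
sample_rules() {
    printf '%s\n' '-P INPUT ACCEPT' '-P FORWARD ACCEPT' '-P OUTPUT ACCEPT'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    n=0
    while [ "$n" -lt "${1:-3}" ]; do
        printf '%s\n' "$REJECT_HTTP" "$REJECT_HTTPS"
        n=$((n + 1))
    done
}

# rule_counts: "<count><TAB><rule>" per distinct -A rule, in first-seen order.
rule_counts() {
    awk '
        /^-A / {
            if (!($0 in seen)) order[++n] = $0
            seen[$0]++
        }
        END { for (i = 1; i <= n; i++) printf "%d\t%s\n", seen[order[i]], order[i] }
    '
}

# duplicated_rules: only the rules that occur more than once.
duplicated_rules() {
    rule_counts | awk -F '\t' '$1 > 1'
}

# dedupe_rules: the ruleset with repeats collapsed for reading; policy lines and
# the first occurrence of every rule are kept in their original order.
dedupe_rules() {
    awk '!/^-A / || !seen[$0]++'
}

# rule_growth EARLIER LATER: compare two captures taken some time apart and print
# "<before><TAB><after><TAB><rule>" for each rule whose count increased, which
# identifies the rules that something on the system keeps re-adding.
rule_growth() {
    awk '
        /^-A / {
            if (FILENAME == ARGV[1]) { before[$0]++; next }
            if (!($0 in after)) order[++n] = $0
            after[$0]++
        }
        END {
            for (i = 1; i <= n; i++) {
                r = order[i]
                if (after[r] > before[r] + 0)
                    printf "%d\t%d\t%s\n", before[r] + 0, after[r], r
            }
        }
    ' "$1" "$2"
}

# Demo on the constructed sample: which rules are repeated, and how often.
sample_rules 3 | duplicated_rules
```

Saving `iptables-save` output to a file before any flush gives both a restorable backup and the earlier capture for `rule_growth`.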
Re: SSVM cant route to MS, Iptables keep self-updating
Posted by Mindaugas Milinavičius <mi...@clustspace.com>.
Is your network configured properly?
Regards
Mindaugas Milinavičius
UAB STARNITA
Director
http://www.clustspace.com
LT: +37068882880
RU: +79651806396
On Tue, Apr 5, 2016 at 4:18 PM, Syafiq Rokman <ms...@gmail.com>
wrote:
> traceroute to 172.16.238.7 (172.16.238.7), 30 hops max, 60 byte packets
> 1 172.16.135.12 (172.16.135.12) 2996.763 ms !H 2996.765 ms !H 2996.764 ms !H
>
> traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
> 1 s-2059-VM (172.16.135.84) 2996.386 ms !H 2996.374 ms !H 2996.371 ms !H
>
>
>
> On Tue, Apr 5, 2016 at 9:01 PM Syafiq Rokman <ms...@gmail.com>
> wrote:
>
> > iptables -L in SSVM :
> >
> > Chain HTTP (0 references)
> > target prot opt source destination
> >
> > ==
> >
> > The head is lost, I'm not sure how to filter out the spammed rules.
> >
> > On Tue, Apr 5, 2016 at 8:51 PM Rafael Weingärtner <
> > rafaelweingartner@gmail.com> wrote:
> >
> >> can you post your iptables -L from SSVM?
> >>
> >> On Tue, Apr 5, 2016 at 9:47 AM, Syafiq Rokman <msyafiq.rokman@gmail.com>
> >> wrote:
> >>
> >> > Yes, just tried ping from SSVM to DNS, and 8.8.8.8, and google.com. Host
> >> > still unreachable.
> >> > Healthcheck script also returning host unreachable.
> >> >
> >> >
> >> > On Tue, Apr 5, 2016 at 8:39 PM Rafael Weingärtner <
> >> > rafaelweingartner@gmail.com> wrote:
> >> >
> >> > > Ok, so in your host there is nothing blocking the in-out/going requests,
> >> > > but still the ping command does not work?
> >> > >
> >> > > That rule you presented earlier should not block “icmp-echo-request”.
> >> > >
> >> > > On Tue, Apr 5, 2016 at 9:36 AM, Syafiq Rokman <msyafiq.rokman@gmail.com>
> >> > > wrote:
> >> > >
> >> > > > I've checked the host iptables just now...there were rules accommodating the
> >> > > > SSVM and CPVM.
> >> > > > But I've made the mistake of flushing the iptables rules without any
> >> > > > backup.
> >> > > > Now Iptables -P, -L has:
> >> > > >
> >> > > > -P INPUT ACCEPT
> >> > > > -P FORWARD ACCEPT
> >> > > > -P OUTPUT ACCEPT
> >> > > > -A INPUT -j ACCEPT
> >> > > > -A INPUT -j ACCEPT
> >> > > > -A FORWARD -j ACCEPT
> >> > > > -A OUTPUT -j ACCEPT
> >> > > > Chain INPUT (policy ACCEPT)
> >> > > > target prot opt source destination
> >> > > > ACCEPT all -- anywhere anywhere
> >> > > > ACCEPT all -- anywhere anywhere
> >> > > >
> >> > > > Chain FORWARD (policy ACCEPT)
> >> > > > target prot opt source destination
> >> > > > ACCEPT all -- anywhere anywhere
> >> > > >
> >> > > > Chain OUTPUT (policy ACCEPT)
> >> > > > target prot opt source destination
> >> > > > ACCEPT all -- anywhere anywhere
> >> > > >
> >> > > > One more thing, this setup is self-hosted. The MS and host are on the same
> >> > > > machine.
> >> > > >
> >> > > >
> >> > > >
> >> > > > On Tue, Apr 5, 2016 at 8:22 PM Rafael Weingärtner <
> >> > > > rafaelweingartner@gmail.com> wrote:
> >> > > >
> >> > > > > Those rules should not block the "ping" command, hence they are meant to
> >> > > > > block "http" right?
> >> > > > >
> >> > > > >
> >> > > > > I have been having the same problem lately with XenServer.
> >> > > > >
> >> > > > > The iptables rules that are rejecting my traffic are at the host itself.
> >> > > > >
> >> > > > > Can you check your host iptables configs?
> >> > > > >
> >> > > > > On Tue, Apr 5, 2016 at 3:42 AM, Syafiq Rokman <msyafiq.rokman@gmail.com>
> >> > > > > wrote:
> >> > > > >
> >> > > > > > Hi,
> >> > > > > >
> >> > > > > > Can't ping the default gateway of the SSVM or 8.8.8.8 from the SSVM.
> >> > > > > > I'm using KVM as hypervisor.
> >> > > > > >
> >> > > > > > Tried changing iptables rules on SSVM using
> >> > > > > >
> >> > > > > > iptables -F
> >> > > > > > iptables -X
> >> > > > > > iptables -t nat -F
> >> > > > > > iptables -t nat -X
> >> > > > > > iptables -t mangle -F
> >> > > > > > iptables -t mangle -X
> >> > > > > > iptables -P INPUT ACCEPT
> >> > > > > > iptables -P FORWARD ACCEPT
> >> > > > > > iptables -P OUTPUT ACCEPT
> >> > > > > >
> >> > > > > > to allow all connections, but keep getting this at Chain OUTPUT:
> >> > > > > >
> >> > > > > > REJECT tcp -- anywhere anywhere state NEW tcp dpt:http reject-with icmp-port-unreachable
> >> > > > > > REJECT tcp -- anywhere anywhere state NEW tcp dpt:https reject-with icmp-port-unreachable
> >> > > > > >
> >> > > > > >
> >> > > > > >
> >> > > > > > On Mon, Apr 4, 2016 at 6:49 PM Rafael Weingärtner <
> >> > > > > > rafaelweingartner@gmail.com> wrote:
> >> > > > > >
> >> > > > > > > What hypervisor are you using?
> >> > > > > > > Did you change the iptables rules at the SSVM itself?
> >> > > > > > >
> >> > > > > > > On Mon, Apr 4, 2016 at 6:50 AM, Glenn Wagner <glenn.wagner@shapeblue.com>
> >> > > > > > > wrote:
> >> > > > > > >
> >> > > > > > > > Hi,
> >> > > > > > > >
> >> > > > > > > > Can you ping the default gateway of the SSVM?
> >> > > > > > > > Can you ping google DNS 8.8.8.8 from the SSVM?
> >> > > > > > > >
> >> > > > > > > > Thanks
> >> > > > > > > > Glenn
> >> > > > > > > >
> >> > > > > > > >
> >> > > > > > > > Regards,
> >> > > > > > > >
> >> > > > > > > > Glenn Wagner
> >> > > > > > > >
> >> > > > > > > > glenn.wagner@shapeblue.com
> >> > > > > > > > www.shapeblue.com
> >> > > > > > > > 2nd Floor, Oudehuis Centre, 122 Main Rd, Somerset West, Cape Town
> >> > > > > > > > 7130 South Africa
> >> > > > > > > > @shapeblue
> >> > > > > > > >
> >> > > > > > > > -----Original Message-----
> >> > > > > > > > From: Syafiq Rokman [mailto:msyafiq.rokman@gmail.com]
> >> > > > > > > > Sent: Monday, 04 April 2016 11:16 AM
> >> > > > > > > > To: users@cloudstack.apache.org
> >> > > > > > > > Subject: SSVM cant route to MS, Iptables keep self-updating
> >> > > > > > > >
> >> > > > > > > > Hi everyone!
> >> > > > > > > >
> >> > > > > > > > I'm running CS 4.8 on Ubuntu 14.04 LTS.
> >> > > > > > > >
> >> > > > > > > > So I've managed to set up everything, but I still can't install
> >> > > > > > > > templates.
> >> > > > > > > > So I SSH-ed into the SSVM and ran the healthcheck and it seems that the
> >> > > > > > > > SSVM can't connect to the DNS.
> >> > > > > > > >
> >> > > > > > > > Logs say that it can't route to host.
> >> > > > > > > >
> >> > > > > > > > So I've tried to allow all outgoing/incoming connections on Iptables, but
> >> > > > > > > > it keeps changing back to deny outgoing connections.
> >> > > > > > > >
> >> > > > > > > > Any ideas on how to proceed?
> >> > > > > > > >
> >> > > > > > > > Will provide logs if anyone needs it.
> >> > > > > > > >
> >> > > > > > > > Thanks
> >> > > > > > > > Syafiq Rokman
> >> > > > > > > > B.ICT Student
> >> > > > > > > >
> >> > > > > > >
> >> > > > > > >
> >> > > > > > >
> >> > > > > > > --
> >> > > > > > > Rafael Weingärtner
> >> > > > > > >
> >> > > > > >
> >> > > > >
> >> > > > >
> >> > > > >
> >> > > > > --
> >> > > > > Rafael Weingärtner
> >> > > > >
> >> > > > --
> >> > > > Syafiq Rokman
> >> > > > B. ICT Student
> >> > > > Universiti Teknologi PETRONAS
> >> > > >
> >> > >
> >> > >
> >> > >
> >> > > --
> >> > > Rafael Weingärtner
> >> > >
> >> > --
> >> > Syafiq Rokman
> >> > B. ICT Student
> >> > Universiti Teknologi PETRONAS
> >> >
> >>
> >>
> >>
> >> --
> >> Rafael Weingärtner
> >>
> > --
> > Syafiq Rokman
> > B. ICT Student
> > Universiti Teknologi PETRONAS
> >
> --
> Syafiq Rokman
> B. ICT Student
> Universiti Teknologi PETRONAS
>
Re: SSVM cant route to MS, Iptables keep self-updating
Posted by Syafiq Rokman <ms...@gmail.com>.
traceroute to 172.16.238.7 (172.16.238.7), 30 hops max, 60 byte packets
1 172.16.135.12 (172.16.135.12) 2996.763 ms !H 2996.765 ms !H 2996.764 ms !H

traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 s-2059-VM (172.16.135.84) 2996.386 ms !H 2996.374 ms !H 2996.371 ms !H
On Tue, Apr 5, 2016 at 9:01 PM Syafiq Rokman <ms...@gmail.com>
wrote:
> iptables -L in SSVM :
>
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW
> tcp dpt:https reject-with icmp-port-unreachable
>
> Chain HTTP (0 references)
> target prot opt source destination
>
> ==
>
> The head is lost, I'm not sure how to filter out the spammed rules.
>
> On Tue, Apr 5, 2016 at 8:51 PM Rafael Weingärtner <
> rafaelweingartner@gmail.com> wrote:
>
>> can you post your iptables -L from SSVM?
>>
>> On Tue, Apr 5, 2016 at 9:47 AM, Syafiq Rokman <ms...@gmail.com>
>> wrote:
>>
>> > Yes, just tried ping from SSVM to DNS, and 8.8.8.8, and google.com. Host
>> > still unreachable.
>> > Healthcheck script also returning host unreachable.
>> >
>> >
>> > On Tue, Apr 5, 2016 at 8:39 PM Rafael Weingärtner <
>> > rafaelweingartner@gmail.com> wrote:
>> >
>> > > Ok, so in your host there is nothing blocking the in-out/going requests,
>> > > but still the ping command does not work?
>> > >
>> > > That rule you presented earlier should not block “icmp-echo-request”.
>> > >
>> > > On Tue, Apr 5, 2016 at 9:36 AM, Syafiq Rokman <msyafiq.rokman@gmail.com>
>> > > wrote:
>> > >
>> > > > I've checked the host iptables just now...there were rules accommodating the
>> > > > SSVM and CPVM.
>> > > > But I've made the mistake of flushing the iptables rules without any
>> > > > backup.
>> > > > Now Iptables -P, -L has:
>> > > >
>> > > > -P INPUT ACCEPT
>> > > > -P FORWARD ACCEPT
>> > > > -P OUTPUT ACCEPT
>> > > > -A INPUT -j ACCEPT
>> > > > -A INPUT -j ACCEPT
>> > > > -A FORWARD -j ACCEPT
>> > > > -A OUTPUT -j ACCEPT
>> > > > Chain INPUT (policy ACCEPT)
>> > > > target prot opt source destination
>> > > > ACCEPT all -- anywhere anywhere
>> > > > ACCEPT all -- anywhere anywhere
>> > > >
>> > > > Chain FORWARD (policy ACCEPT)
>> > > > target prot opt source destination
>> > > > ACCEPT all -- anywhere anywhere
>> > > >
>> > > > Chain OUTPUT (policy ACCEPT)
>> > > > target prot opt source destination
>> > > > ACCEPT all -- anywhere anywhere
>> > > >
>> > > > One more thing, this setup is self-hosted. The MS and host are on the same
>> > > > machine.
>> > > >
>> > > >
>> > > >
>> > > > On Tue, Apr 5, 2016 at 8:22 PM Rafael Weingärtner <
>> > > > rafaelweingartner@gmail.com> wrote:
>> > > >
>> > > > > Those rules should not block the "ping" command, hence they are meant to
>> > > > > block "http" right?
>> > > > >
>> > > > >
>> > > > > I have been having the same problem lately with XenServer.
>> > > > >
>> > > > > The iptables rules that are rejecting my traffic are at the host itself.
>> > > > >
>> > > > > Can you check your host iptables configs?
>> > > > >
>> > > > > On Tue, Apr 5, 2016 at 3:42 AM, Syafiq Rokman <msyafiq.rokman@gmail.com>
>> > > > > wrote:
>> > > > >
>> > > > > > Hi,
>> > > > > >
>> > > > > > Can't ping the default gateway of the SSVM or 8.8.8.8 from the
>> > SSVM.
>> > > > > > I'm using KVM as hypervisor.
>> > > > > >
>> > > > > > Tried changing iptables rules on SSVM using
>> > > > > >
>> > > > > > iptables -F
>> > > > > > iptables -X
>> > > > > > iptables -t nat -F
>> > > > > > iptables -t nat -X
>> > > > > > iptables -t mangle -F
>> > > > > > iptables -t mangle -X
>> > > > > > iptables -P INPUT ACCEPT
>> > > > > > iptables -P FORWARD ACCEPT
>> > > > > > iptables -P OUTPUT ACCEPT
>> > > > > >
>> > > > > > to allow all connections, but keep getting this at Chain OUTPUT:
>> > > > > >
>> > > > > > REJECT tcp -- anywhere anywhere
>> state
>> > > NEW
>> > > > > tcp
>> > > > > > dpt:http reject-with icmp-port-unreachable
>> > > > > > REJECT tcp -- anywhere anywhere
>> state
>> > > NEW
>> > > > > tcp
>> > > > > > dpt:https reject-with icmp-port-unreachable
>> > > > > >
>> > > > > >
>> > > > > >
>> > > > > > On Mon, Apr 4, 2016 at 6:49 PM Rafael Weingärtner <
>> > > > > > rafaelweingartner@gmail.com> wrote:
>> > > > > >
>> > > > > > > What hypervisor are you using?
>> > > > > > > Did change the iptables rules at the SSVM itself?
>> > > > > > >
>> > > > > > > On Mon, Apr 4, 2016 at 6:50 AM, Glenn Wagner <
>> > > > > glenn.wagner@shapeblue.com
>> > > > > > >
>> > > > > > > wrote:
>> > > > > > >
>> > > > > > > > Hi,
>> > > > > > > >
>> > > > > > > > Can you ping the default gateway of the SSVM?
>> > > > > > > > Can you ping google DNS 8.8.8.8 from the SSVM?
>> > > > > > > >
>> > > > > > > > Thanks
>> > > > > > > > Glenn
>> > > > > > > >
>> > > > > > > >
>> > > > > > > > Regards,
>> > > > > > > >
>> > > > > > > > Glenn Wagner
>> > > > > > > >
>> > > > > > > > glenn.wagner@shapeblue.com
>> > > > > > > > www.shapeblue.com
>> > > > > > > > 2nd Floor, Oudehuis Centre, 122 Main Rd, Somerset West, Cape
>> > Town
>> > > > > > > > 7130South Africa
>> > > > > > > > @shapeblue
>> > > > > > > >
>> > > > > > > > -----Original Message-----
>> > > > > > > > From: Syafiq Rokman [mailto:msyafiq.rokman@gmail.com]
>> > > > > > > > Sent: Monday, 04 April 2016 11:16 AM
>> > > > > > > > To: users@cloudstack.apache.org
>> > > > > > > > Subject: SSVM cant route to MS, Iptables keep self-updating
>> > > > > > > >
>> > > > > > > > Hi everyone!
>> > > > > > > >
>> > > > > > > > Im running CS 4.8 on Ubuntu 14.04 LTS.
>> > > > > > > >
>> > > > > > > > So I've managed to set up everything, but I still cant
>> install
>> > > > > > templates.
>> > > > > > > > So I SSH-ed into the SSVM and ran the healthcheck and it
>> seems
>> > > that
>> > > > > the
>> > > > > > > > SSVM can't connect to the DNS.
>> > > > > > > >
>> > > > > > > > Logs says that it can't route to host.
>> > > > > > > >
>> > > > > > > > So I've tried to allow all outgoing/incoming connections on
>> > > > Iptables,
>> > > > > > but
>> > > > > > > > it keeps changing back to deny outgoing connections.
>> > > > > > > >
>> > > > > > > > Any ideas on how to proceed?
>> > > > > > > >
>> > > > > > > > Will provide logs if anyone needs it.
>> > > > > > > >
>> > > > > > > > Thanks
>> > > > > > > > Syafiq Rokman
>> > > > > > > > B.ICT Student
>> > > > > > > >
>> > > > > > >
>> > > > > > >
>> > > > > > >
>> > > > > > > --
>> > > > > > > Rafael Weingärtner
>> > > > > > >
>> > > > > >
>> > > > >
>> > > > >
>> > > > >
>> > > > > --
>> > > > > Rafael Weingärtner
>> > > > >
>> > > > --
>> > > > Syafiq Rokman
>> > > > B. ICT Student
>> > > > Universiti Teknologi PETRONAS
>> > > >
>> > >
>> > >
>> > >
>> > > --
>> > > Rafael Weingärtner
>> > >
>> > --
>> > Syafiq Rokman
>> > B. ICT Student
>> > Universiti Teknologi PETRONAS
>> >
>>
>>
>>
>> --
>> Rafael Weingärtner
>>
> --
> Syafiq Rokman
> B. ICT Student
> Universiti Teknologi PETRONAS
>
--
Syafiq Rokman
B. ICT Student
Universiti Teknologi PETRONAS
Re: SSVM cant route to MS, Iptables keep self-updating
Posted by Syafiq Rokman <ms...@gmail.com>.
iptables -L in SSVM :
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:https reject-with icmp-port-unreachable
Chain HTTP (0 references)
target prot opt source destination
==
The head is lost, I'm not sure how to filter out the spammed rules.
On Tue, Apr 5, 2016 at 8:51 PM Rafael Weingärtner <
rafaelweingartner@gmail.com> wrote:
> can you post your iptables -L from SSVM?
>
> On Tue, Apr 5, 2016 at 9:47 AM, Syafiq Rokman <ms...@gmail.com>
> wrote:
>
> > Yes, just tried ping from SSVM to DNS, and 8.8.8.8, and google.com. Host
> > still unreachable.
> > Healthcheck script also returning host unreachable.
> >
> >
> > On Tue, Apr 5, 2016 at 8:39 PM Rafael Weingärtner <
> > rafaelweingartner@gmail.com> wrote:
> >
> > > Ok, so in your host there is nothing blocking the in-out/going
> requests,
> > > but still the ping command does not work?
> > >
> > > That rule you presented earlier should not block “icmp-echo-request”.
> > >
> > > On Tue, Apr 5, 2016 at 9:36 AM, Syafiq Rokman <
> msyafiq.rokman@gmail.com>
> > > wrote:
> > >
> > > > I've checked the host iptables just now...there were rules
> accommodating
> > > the
> > > > SSVM and CPVM.
> > > > But I've made the mistake of flushing the iptables rules without any
> > > > backup.
> > > > Now Iptables -P, -L has:
> > > >
> > > > -P INPUT ACCEPT
> > > > -P FORWARD ACCEPT
> > > > -P OUTPUT ACCEPT
> > > > -A INPUT -j ACCEPT
> > > > -A INPUT -j ACCEPT
> > > > -A FORWARD -j ACCEPT
> > > > -A OUTPUT -j ACCEPT
> > > > Chain INPUT (policy ACCEPT)
> > > > target prot opt source destination
> > > > ACCEPT all -- anywhere anywhere
> > > > ACCEPT all -- anywhere anywhere
> > > >
> > > > Chain FORWARD (policy ACCEPT)
> > > > target prot opt source destination
> > > > ACCEPT all -- anywhere anywhere
> > > >
> > > > Chain OUTPUT (policy ACCEPT)
> > > > target prot opt source destination
> > > > ACCEPT all -- anywhere anywhere
> > > >
> > > > > One more thing, this setup is self-hosted. The MS and host are on the
> > same
> > > > machine.
> > > >
> > > >
> > > >
> > > > On Tue, Apr 5, 2016 at 8:22 PM Rafael Weingärtner <
> > > > rafaelweingartner@gmail.com> wrote:
> > > >
> > > > > > Those rules should not block the "ping" command, hence they are
> meant
> > to
> > > > > block "http" right?
> > > > >
> > > > >
> > > > > I have been having the same problem lately with XenServer.
> > > > >
> > > > > The iptables rules that are rejecting my traffic are at the host
> > > itself.
> > > > >
> > > > > Can you check your host iptables configs?
> > > > >
> > > > > On Tue, Apr 5, 2016 at 3:42 AM, Syafiq Rokman <
> > > msyafiq.rokman@gmail.com>
> > > > > wrote:
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > Can't ping the default gateway of the SSVM or 8.8.8.8 from the
> > SSVM.
> > > > > > I'm using KVM as hypervisor.
> > > > > >
> > > > > > Tried changing iptables rules on SSVM using
> > > > > >
> > > > > > iptables -F
> > > > > > iptables -X
> > > > > > iptables -t nat -F
> > > > > > iptables -t nat -X
> > > > > > iptables -t mangle -F
> > > > > > iptables -t mangle -X
> > > > > > iptables -P INPUT ACCEPT
> > > > > > iptables -P FORWARD ACCEPT
> > > > > > iptables -P OUTPUT ACCEPT
> > > > > >
> > > > > > to allow all connections, but keep getting this at Chain OUTPUT:
> > > > > >
> > > > > > REJECT tcp -- anywhere anywhere
> state
> > > NEW
> > > > > tcp
> > > > > > dpt:http reject-with icmp-port-unreachable
> > > > > > REJECT tcp -- anywhere anywhere
> state
> > > NEW
> > > > > tcp
> > > > > > dpt:https reject-with icmp-port-unreachable
> > > > > >
> > > > > >
> > > > > >
> > > > > > On Mon, Apr 4, 2016 at 6:49 PM Rafael Weingärtner <
> > > > > > rafaelweingartner@gmail.com> wrote:
> > > > > >
> > > > > > > What hypervisor are you using?
> > > > > > > Did change the iptables rules at the SSVM itself?
> > > > > > >
> > > > > > > On Mon, Apr 4, 2016 at 6:50 AM, Glenn Wagner <
> > > > > glenn.wagner@shapeblue.com
> > > > > > >
> > > > > > > wrote:
> > > > > > >
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > Can you ping the default gateway of the SSVM?
> > > > > > > > Can you ping google DNS 8.8.8.8 from the SSVM?
> > > > > > > >
> > > > > > > > Thanks
> > > > > > > > Glenn
> > > > > > > >
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > >
> > > > > > > > Glenn Wagner
> > > > > > > >
> > > > > > > > glenn.wagner@shapeblue.com
> > > > > > > > www.shapeblue.com
> > > > > > > > 2nd Floor, Oudehuis Centre, 122 Main Rd, Somerset West, Cape
> > Town
> > > > > > > > 7130South Africa
> > > > > > > > @shapeblue
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Syafiq Rokman [mailto:msyafiq.rokman@gmail.com]
> > > > > > > > Sent: Monday, 04 April 2016 11:16 AM
> > > > > > > > To: users@cloudstack.apache.org
> > > > > > > > Subject: SSVM cant route to MS, Iptables keep self-updating
> > > > > > > >
> > > > > > > > Hi everyone!
> > > > > > > >
> > > > > > > > Im running CS 4.8 on Ubuntu 14.04 LTS.
> > > > > > > >
> > > > > > > > So I've managed to set up everything, but I still cant
> install
> > > > > > templates.
> > > > > > > > So I SSH-ed into the SSVM and ran the healthcheck and it
> seems
> > > that
> > > > > the
> > > > > > > > SSVM can't connect to the DNS.
> > > > > > > >
> > > > > > > > Logs says that it can't route to host.
> > > > > > > >
> > > > > > > > So I've tried to allow all outgoing/incoming connections on
> > > > Iptables,
> > > > > > but
> > > > > > > > it keeps changing back to deny outgoing connections.
> > > > > > > >
> > > > > > > > Any ideas on how to proceed?
> > > > > > > >
> > > > > > > > Will provide logs if anyone needs it.
> > > > > > > >
> > > > > > > > Thanks
> > > > > > > > Syafiq Rokman
> > > > > > > > B.ICT Student
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > Rafael Weingärtner
> > > > > > >
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Rafael Weingärtner
> > > > >
> > > > --
> > > > Syafiq Rokman
> > > > B. ICT Student
> > > > Universiti Teknologi PETRONAS
> > > >
> > >
> > >
> > >
> > > --
> > > Rafael Weingärtner
> > >
> > --
> > Syafiq Rokman
> > B. ICT Student
> > Universiti Teknologi PETRONAS
> >
>
>
>
> --
> Rafael Weingärtner
>
--
Syafiq Rokman
B. ICT Student
Universiti Teknologi PETRONAS
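Added example, not part of the original thread: one way to keep the head of a listing like the `iptables -L` paste in the message above readable is to collapse repeated rules into one line per distinct rule with a repeat count, and then list only the rules that can match a given protocol. The function names and the sample listing are constructed for illustration, and the line-rejoining step is a heuristic that assumes the option column reads `--`, `-f` or `!f`.

```shell
#!/bin/sh
# Constructed sample modelled on the listing in the thread, including the
# mail client's line wrapping. It is not output captured from a real SSVM.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp
dpt:http reject-with icmp-port-unreachable
EOF
}

# Read `iptables -L` style text on stdin and print one line per distinct
# rule as "<chain> <count>x <rule>", in order of first appearance.
summarize_rules() {
    awk '
    # Store the rule collected so far under its chain and count repeats.
    function commit() {
        if (rule == "") return
        key = chain SUBSEP rule
        if (!(key in count)) order[++n] = key
        count[key]++
        rule = ""
    }
    /^Chain /           { commit(); chain = $2; next }
    /^target[ \t]+prot/ { next }              # column header line
    NF == 0             { commit(); next }    # blank line ends a chain
                        { $1 = $1 }           # squeeze runs of spaces
    # Heuristic: a line whose third field is the option column starts a rule.
    $3 == "--" || $3 == "-f" || $3 == "!f" { commit(); rule = $0; next }
    # Anything else directly after a rule is treated as its wrapped tail.
    rule != ""          { rule = rule " " $0 }
    END {
        commit()
        for (i = 1; i <= n; i++) {
            split(order[i], part, SUBSEP)
            printf "%s %dx %s\n", part[1], count[order[i]], part[2]
        }
    }'
}

# Only rules that occur more than once, i.e. the ones being re-added.
repeated_rules() {
    summarize_rules | awk '$2 != "1x"'
}

# Rules whose protocol column is the given protocol or "all". A tcp rule
# that says "reject-with icmp-port-unreachable" sends ICMP, it does not
# match ICMP, so it is not listed for "icmp".
rules_matching_proto() {
    summarize_rules | awk -v p="$1" '$4 == p || $4 == "all"'
}

# On a live system the input would be: iptables -L | summarize_rules
sample_listing | summarize_rules
```

An empty result from `rules_matching_proto icmp` on the real listing means no filter rule there matches ICMP, so the failing ping has to be explained somewhere else.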
Re: SSVM cant route to MS, Iptables keep self-updating
Posted by Mindaugas Milinavičius <ua...@gmail.com>.
Post traceroute
On 5 Apr 2016 at 15:51, "Rafael Weingärtner" <
rafaelweingartner@gmail.com> wrote:
> can you post your iptables -L from SSVM?
>
> On Tue, Apr 5, 2016 at 9:47 AM, Syafiq Rokman <ms...@gmail.com>
> wrote:
>
> > Yes, just tried ping from SSVM to DNS, and 8.8.8.8, and google.com. Host
> > still unreachable.
> > Healthcheck script also returning host unreachable.
> >
> >
> > On Tue, Apr 5, 2016 at 8:39 PM Rafael Weingärtner <
> > rafaelweingartner@gmail.com> wrote:
> >
> > > Ok, so in your host there is nothing blocking the in-out/going
> requests,
> > > but still the ping command does not work?
> > >
> > > That rule you presented earlier should not block “icmp-echo-request”.
> > >
> > > On Tue, Apr 5, 2016 at 9:36 AM, Syafiq Rokman <
> msyafiq.rokman@gmail.com>
> > > wrote:
> > >
> > > > I've checked the host iptables just now...there were rules
> accommodating
> > > the
> > > > SSVM and CPVM.
> > > > But I've made the mistake of flushing the iptables rules without any
> > > > backup.
> > > > Now Iptables -P, -L has:
> > > >
> > > > -P INPUT ACCEPT
> > > > -P FORWARD ACCEPT
> > > > -P OUTPUT ACCEPT
> > > > -A INPUT -j ACCEPT
> > > > -A INPUT -j ACCEPT
> > > > -A FORWARD -j ACCEPT
> > > > -A OUTPUT -j ACCEPT
> > > > Chain INPUT (policy ACCEPT)
> > > > target prot opt source destination
> > > > ACCEPT all -- anywhere anywhere
> > > > ACCEPT all -- anywhere anywhere
> > > >
> > > > Chain FORWARD (policy ACCEPT)
> > > > target prot opt source destination
> > > > ACCEPT all -- anywhere anywhere
> > > >
> > > > Chain OUTPUT (policy ACCEPT)
> > > > target prot opt source destination
> > > > ACCEPT all -- anywhere anywhere
> > > >
> > > > > One more thing, this setup is self-hosted. The MS and host are on the
> > same
> > > > machine.
> > > >
> > > >
> > > >
> > > > On Tue, Apr 5, 2016 at 8:22 PM Rafael Weingärtner <
> > > > rafaelweingartner@gmail.com> wrote:
> > > >
> > > > > > Those rules should not block the "ping" command, hence they are
> meant
> > to
> > > > > block "http" right?
> > > > >
> > > > >
> > > > > I have been having the same problem lately with XenServer.
> > > > >
> > > > > The iptables rules that are rejecting my traffic are at the host
> > > itself.
> > > > >
> > > > > Can you check your host iptables configs?
> > > > >
> > > > > On Tue, Apr 5, 2016 at 3:42 AM, Syafiq Rokman <
> > > msyafiq.rokman@gmail.com>
> > > > > wrote:
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > Can't ping the default gateway of the SSVM or 8.8.8.8 from the
> > SSVM.
> > > > > > I'm using KVM as hypervisor.
> > > > > >
> > > > > > Tried changing iptables rules on SSVM using
> > > > > >
> > > > > > iptables -F
> > > > > > iptables -X
> > > > > > iptables -t nat -F
> > > > > > iptables -t nat -X
> > > > > > iptables -t mangle -F
> > > > > > iptables -t mangle -X
> > > > > > iptables -P INPUT ACCEPT
> > > > > > iptables -P FORWARD ACCEPT
> > > > > > iptables -P OUTPUT ACCEPT
> > > > > >
> > > > > > to allow all connections, but keep getting this at Chain OUTPUT:
> > > > > >
> > > > > > REJECT tcp -- anywhere anywhere
> state
> > > NEW
> > > > > tcp
> > > > > > dpt:http reject-with icmp-port-unreachable
> > > > > > REJECT tcp -- anywhere anywhere
> state
> > > NEW
> > > > > tcp
> > > > > > dpt:https reject-with icmp-port-unreachable
> > > > > >
> > > > > >
> > > > > >
> > > > > > On Mon, Apr 4, 2016 at 6:49 PM Rafael Weingärtner <
> > > > > > rafaelweingartner@gmail.com> wrote:
> > > > > >
> > > > > > > What hypervisor are you using?
> > > > > > > Did change the iptables rules at the SSVM itself?
> > > > > > >
> > > > > > > On Mon, Apr 4, 2016 at 6:50 AM, Glenn Wagner <
> > > > > glenn.wagner@shapeblue.com
> > > > > > >
> > > > > > > wrote:
> > > > > > >
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > Can you ping the default gateway of the SSVM?
> > > > > > > > Can you ping google DNS 8.8.8.8 from the SSVM?
> > > > > > > >
> > > > > > > > Thanks
> > > > > > > > Glenn
> > > > > > > >
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > >
> > > > > > > > Glenn Wagner
> > > > > > > >
> > > > > > > > glenn.wagner@shapeblue.com
> > > > > > > > www.shapeblue.com
> > > > > > > > 2nd Floor, Oudehuis Centre, 122 Main Rd, Somerset West, Cape
> > Town
> > > > > > > > 7130South Africa
> > > > > > > > @shapeblue
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Syafiq Rokman [mailto:msyafiq.rokman@gmail.com]
> > > > > > > > Sent: Monday, 04 April 2016 11:16 AM
> > > > > > > > To: users@cloudstack.apache.org
> > > > > > > > Subject: SSVM cant route to MS, Iptables keep self-updating
> > > > > > > >
> > > > > > > > Hi everyone!
> > > > > > > >
> > > > > > > > Im running CS 4.8 on Ubuntu 14.04 LTS.
> > > > > > > >
> > > > > > > > So I've managed to set up everything, but I still cant
> install
> > > > > > templates.
> > > > > > > > So I SSH-ed into the SSVM and ran the healthcheck and it
> seems
> > > that
> > > > > the
> > > > > > > > SSVM can't connect to the DNS.
> > > > > > > >
> > > > > > > > Logs says that it can't route to host.
> > > > > > > >
> > > > > > > > So I've tried to allow all outgoing/incoming connections on
> > > > Iptables,
> > > > > > but
> > > > > > > > it keeps changing back to deny outgoing connections.
> > > > > > > >
> > > > > > > > Any ideas on how to proceed?
> > > > > > > >
> > > > > > > > Will provide logs if anyone needs it.
> > > > > > > >
> > > > > > > > Thanks
> > > > > > > > Syafiq Rokman
> > > > > > > > B.ICT Student
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > Rafael Weingärtner
> > > > > > >
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Rafael Weingärtner
> > > > >
> > > > --
> > > > Syafiq Rokman
> > > > B. ICT Student
> > > > Universiti Teknologi PETRONAS
> > > >
> > >
> > >
> > >
> > > --
> > > Rafael Weingärtner
> > >
> > --
> > Syafiq Rokman
> > B. ICT Student
> > Universiti Teknologi PETRONAS
> >
>
>
>
> --
> Rafael Weingärtner
>
Re: SSVM cant route to MS, Iptables keep self-updating
Posted by Rafael Weingärtner <ra...@gmail.com>.
Can you post your iptables -L from SSVM?
On Tue, Apr 5, 2016 at 9:47 AM, Syafiq Rokman <ms...@gmail.com>
wrote:
> Yes, just tried ping from SSVM to DNS, and 8.8.8.8, and google.com. Host
> still unreachable.
> Healthcheck script also returning host unreachable.
>
>
> On Tue, Apr 5, 2016 at 8:39 PM Rafael Weingärtner <
> rafaelweingartner@gmail.com> wrote:
>
> > Ok, so in your host there is nothing blocking the in-out/going requests,
> > but still the ping command does not work?
> >
> > That rule you presented earlier should not block “icmp-echo-request”.
> >
> > On Tue, Apr 5, 2016 at 9:36 AM, Syafiq Rokman <ms...@gmail.com>
> > wrote:
> >
> > > > I've checked the host iptables just now...there were rules accommodating
> > the
> > > SSVM and CPVM.
> > > But I've made the mistake of flushing the iptables rules without any
> > > backup.
> > > Now Iptables -P, -L has:
> > >
> > > -P INPUT ACCEPT
> > > -P FORWARD ACCEPT
> > > -P OUTPUT ACCEPT
> > > -A INPUT -j ACCEPT
> > > -A INPUT -j ACCEPT
> > > -A FORWARD -j ACCEPT
> > > -A OUTPUT -j ACCEPT
> > > Chain INPUT (policy ACCEPT)
> > > target prot opt source destination
> > > ACCEPT all -- anywhere anywhere
> > > ACCEPT all -- anywhere anywhere
> > >
> > > Chain FORWARD (policy ACCEPT)
> > > target prot opt source destination
> > > ACCEPT all -- anywhere anywhere
> > >
> > > Chain OUTPUT (policy ACCEPT)
> > > target prot opt source destination
> > > ACCEPT all -- anywhere anywhere
> > >
> > > > One more thing, this setup is self-hosted. The MS and host are on the
> same
> > > machine.
> > >
> > >
> > >
> > > On Tue, Apr 5, 2016 at 8:22 PM Rafael Weingärtner <
> > > rafaelweingartner@gmail.com> wrote:
> > >
> > > > > Those rules should not block the "ping" command, hence they are meant
> to
> > > > block "http" right?
> > > >
> > > >
> > > > I have been having the same problem lately with XenServer.
> > > >
> > > > The iptables rules that are rejecting my traffic are at the host
> > itself.
> > > >
> > > > Can you check your host iptables configs?
> > > >
> > > > On Tue, Apr 5, 2016 at 3:42 AM, Syafiq Rokman <
> > msyafiq.rokman@gmail.com>
> > > > wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > Can't ping the default gateway of the SSVM or 8.8.8.8 from the
> SSVM.
> > > > > I'm using KVM as hypervisor.
> > > > >
> > > > > Tried changing iptables rules on SSVM using
> > > > >
> > > > > iptables -F
> > > > > iptables -X
> > > > > iptables -t nat -F
> > > > > iptables -t nat -X
> > > > > iptables -t mangle -F
> > > > > iptables -t mangle -X
> > > > > iptables -P INPUT ACCEPT
> > > > > iptables -P FORWARD ACCEPT
> > > > > iptables -P OUTPUT ACCEPT
> > > > >
> > > > > to allow all connections, but keep getting this at Chain OUTPUT:
> > > > >
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > tcp
> > > > > dpt:http reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state
> > NEW
> > > > tcp
> > > > > dpt:https reject-with icmp-port-unreachable
> > > > >
> > > > >
> > > > >
> > > > > On Mon, Apr 4, 2016 at 6:49 PM Rafael Weingärtner <
> > > > > rafaelweingartner@gmail.com> wrote:
> > > > >
> > > > > > What hypervisor are you using?
> > > > > > Did change the iptables rules at the SSVM itself?
> > > > > >
> > > > > > On Mon, Apr 4, 2016 at 6:50 AM, Glenn Wagner <
> > > > glenn.wagner@shapeblue.com
> > > > > >
> > > > > > wrote:
> > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > Can you ping the default gateway of the SSVM?
> > > > > > > Can you ping google DNS 8.8.8.8 from the SSVM?
> > > > > > >
> > > > > > > Thanks
> > > > > > > Glenn
> > > > > > >
> > > > > > >
> > > > > > > Regards,
> > > > > > >
> > > > > > > Glenn Wagner
> > > > > > >
> > > > > > > glenn.wagner@shapeblue.com
> > > > > > > www.shapeblue.com
> > > > > > > 2nd Floor, Oudehuis Centre, 122 Main Rd, Somerset West, Cape
> Town
> > > > > > > 7130South Africa
> > > > > > > @shapeblue
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Syafiq Rokman [mailto:msyafiq.rokman@gmail.com]
> > > > > > > Sent: Monday, 04 April 2016 11:16 AM
> > > > > > > To: users@cloudstack.apache.org
> > > > > > > Subject: SSVM cant route to MS, Iptables keep self-updating
> > > > > > >
> > > > > > > Hi everyone!
> > > > > > >
> > > > > > > Im running CS 4.8 on Ubuntu 14.04 LTS.
> > > > > > >
> > > > > > > So I've managed to set up everything, but I still cant install
> > > > > templates.
> > > > > > > So I SSH-ed into the SSVM and ran the healthcheck and it seems
> > that
> > > > the
> > > > > > > SSVM can't connect to the DNS.
> > > > > > >
> > > > > > > Logs says that it can't route to host.
> > > > > > >
> > > > > > > So I've tried to allow all outgoing/incoming connections on
> > > Iptables,
> > > > > but
> > > > > > > it keeps changing back to deny outgoing connections.
> > > > > > >
> > > > > > > Any ideas on how to proceed?
> > > > > > >
> > > > > > > Will provide logs if anyone needs it.
> > > > > > >
> > > > > > > Thanks
> > > > > > > Syafiq Rokman
> > > > > > > B.ICT Student
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Rafael Weingärtner
> > > > > >
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Rafael Weingärtner
> > > >
> > > --
> > > Syafiq Rokman
> > > B. ICT Student
> > > Universiti Teknologi PETRONAS
> > >
> >
> >
> >
> > --
> > Rafael Weingärtner
> >
> --
> Syafiq Rokman
> B. ICT Student
> Universiti Teknologi PETRONAS
>
--
Rafael Weingärtner
Re: SSVM cant route to MS, Iptables keep self-updating
Posted by Syafiq Rokman <ms...@gmail.com>.
Yes, just tried ping from SSVM to DNS, and 8.8.8.8, and google.com. Host
still unreachable.
Healthcheck script also returning host unreachable.
On Tue, Apr 5, 2016 at 8:39 PM Rafael Weingärtner <
rafaelweingartner@gmail.com> wrote:
> Ok, so in your host there is nothing blocking the in-out/going requests,
> but still the ping command does not work?
>
> That rule you presented earlier should not block “icmp-echo-request”.
>
> On Tue, Apr 5, 2016 at 9:36 AM, Syafiq Rokman <ms...@gmail.com>
> wrote:
>
> > I've checked the host iptables just now...there were rules accommodating
> the
> > SSVM and CPVM.
> > But I've made the mistake of flushing the iptables rules without any
> > backup.
> > Now Iptables -P, -L has:
> >
> > -P INPUT ACCEPT
> > -P FORWARD ACCEPT
> > -P OUTPUT ACCEPT
> > -A INPUT -j ACCEPT
> > -A INPUT -j ACCEPT
> > -A FORWARD -j ACCEPT
> > -A OUTPUT -j ACCEPT
> > Chain INPUT (policy ACCEPT)
> > target prot opt source destination
> > ACCEPT all -- anywhere anywhere
> > ACCEPT all -- anywhere anywhere
> >
> > Chain FORWARD (policy ACCEPT)
> > target prot opt source destination
> > ACCEPT all -- anywhere anywhere
> >
> > Chain OUTPUT (policy ACCEPT)
> > target prot opt source destination
> > ACCEPT all -- anywhere anywhere
> >
> > One more thing, this setup is self-hosted. The MS and host are on the same
> > machine.
> >
> >
> >
> > On Tue, Apr 5, 2016 at 8:22 PM Rafael Weingärtner <
> > rafaelweingartner@gmail.com> wrote:
> >
> > > Those rules should not block the "ping" command, hence they are meant to
> > > block "http" right?
> > >
> > >
> > > I have been having the same problem lately with XenServer.
> > >
> > > The iptables rules that are rejecting my traffic are at the host
> itself.
> > >
> > > Can you check your host iptables configs?
> > >
> > > On Tue, Apr 5, 2016 at 3:42 AM, Syafiq Rokman <
> msyafiq.rokman@gmail.com>
> > > wrote:
> > >
> > > > Hi,
> > > >
> > > > Can't ping the default gateway of the SSVM or 8.8.8.8 from the SSVM.
> > > > I'm using KVM as hypervisor.
> > > >
> > > > Tried changing iptables rules on SSVM using
> > > >
> > > > iptables -F
> > > > iptables -X
> > > > iptables -t nat -F
> > > > iptables -t nat -X
> > > > iptables -t mangle -F
> > > > iptables -t mangle -X
> > > > iptables -P INPUT ACCEPT
> > > > iptables -P FORWARD ACCEPT
> > > > iptables -P OUTPUT ACCEPT
> > > >
> > > > to allow all connections, but keep getting this at Chain OUTPUT:
> > > >
> > > > REJECT tcp -- anywhere anywhere state
> NEW
> > > tcp
> > > > dpt:http reject-with icmp-port-unreachable
> > > > REJECT tcp -- anywhere anywhere state
> NEW
> > > tcp
> > > > dpt:https reject-with icmp-port-unreachable
> > > >
> > > >
> > > >
> > > > On Mon, Apr 4, 2016 at 6:49 PM Rafael Weingärtner <
> > > > rafaelweingartner@gmail.com> wrote:
> > > >
> > > > > What hypervisor are you using?
> > > > > Did change the iptables rules at the SSVM itself?
> > > > >
> > > > > On Mon, Apr 4, 2016 at 6:50 AM, Glenn Wagner <
> > > glenn.wagner@shapeblue.com
> > > > >
> > > > > wrote:
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > Can you ping the default gateway of the SSVM?
> > > > > > Can you ping google DNS 8.8.8.8 from the SSVM?
> > > > > >
> > > > > > Thanks
> > > > > > Glenn
> > > > > >
> > > > > >
> > > > > > Regards,
> > > > > >
> > > > > > Glenn Wagner
> > > > > >
> > > > > > glenn.wagner@shapeblue.com
> > > > > > www.shapeblue.com
> > > > > > 2nd Floor, Oudehuis Centre, 122 Main Rd, Somerset West, Cape Town
> > > > > > 7130South Africa
> > > > > > @shapeblue
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Syafiq Rokman [mailto:msyafiq.rokman@gmail.com]
> > > > > > Sent: Monday, 04 April 2016 11:16 AM
> > > > > > To: users@cloudstack.apache.org
> > > > > > Subject: SSVM cant route to MS, Iptables keep self-updating
> > > > > >
> > > > > > Hi everyone!
> > > > > >
> > > > > > Im running CS 4.8 on Ubuntu 14.04 LTS.
> > > > > >
> > > > > > So I've managed to set up everything, but I still cant install
> > > > templates.
> > > > > > So I SSH-ed into the SSVM and ran the healthcheck and it seems
> that
> > > the
> > > > > > SSVM can't connect to the DNS.
> > > > > >
> > > > > > Logs says that it can't route to host.
> > > > > >
> > > > > > So I've tried to allow all outgoing/incoming connections on
> > Iptables,
> > > > but
> > > > > > it keeps changing back to deny outgoing connections.
> > > > > >
> > > > > > Any ideas on how to proceed?
> > > > > >
> > > > > > Will provide logs if anyone needs it.
> > > > > >
> > > > > > Thanks
> > > > > > Syafiq Rokman
> > > > > > B.ICT Student
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Rafael Weingärtner
> > > > >
> > > >
> > >
> > >
> > >
> > > --
> > > Rafael Weingärtner
> > >
> > --
> > Syafiq Rokman
> > B. ICT Student
> > Universiti Teknologi PETRONAS
> >
>
>
>
> --
> Rafael Weingärtner
>
--
Syafiq Rokman
B. ICT Student
Universiti Teknologi PETRONAS
Re: SSVM cant route to MS, Iptables keep self-updating
Posted by Rafael Weingärtner <ra...@gmail.com>.
Ok, so in your host there is nothing blocking the in-out/going requests,
but still the ping command does not work?
That rule you presented earlier should not block “icmp-echo-request”.
On Tue, Apr 5, 2016 at 9:36 AM, Syafiq Rokman <ms...@gmail.com>
wrote:
> I've checked the host iptables just now...there were rules accommodating the
> SSVM and CPVM.
> But I've made the mistake of flushing the iptables rules without any
> backup.
> Now Iptables -P, -L has:
>
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> -A INPUT -j ACCEPT
> -A INPUT -j ACCEPT
> -A FORWARD -j ACCEPT
> -A OUTPUT -j ACCEPT
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
>
> One more thing, this setup is self-hosted. The MS and host are on the same
> machine.
>
>
>
> On Tue, Apr 5, 2016 at 8:22 PM Rafael Weingärtner <
> rafaelweingartner@gmail.com> wrote:
>
> > Those rules should not block the "ping" command, hence they are meant to
> > block "http" right?
> >
> >
> > I have been having the same problem lately with XenServer.
> >
> > The iptables rules that are rejecting my traffic are at the host itself.
> >
> > Can you check your host iptables configs?
> >
> > On Tue, Apr 5, 2016 at 3:42 AM, Syafiq Rokman <ms...@gmail.com>
> > wrote:
> >
> > > Hi,
> > >
> > > Can't ping the default gateway of the SSVM or 8.8.8.8 from the SSVM.
> > > I'm using KVM as hypervisor.
> > >
> > > Tried changing iptables rules on SSVM using
> > >
> > > iptables -F
> > > iptables -X
> > > iptables -t nat -F
> > > iptables -t nat -X
> > > iptables -t mangle -F
> > > iptables -t mangle -X
> > > iptables -P INPUT ACCEPT
> > > iptables -P FORWARD ACCEPT
> > > iptables -P OUTPUT ACCEPT
> > >
> > > to allow all connections, but keep getting this at Chain OUTPUT:
> > >
> > > REJECT tcp -- anywhere anywhere state NEW
> > tcp
> > > dpt:http reject-with icmp-port-unreachable
> > > REJECT tcp -- anywhere anywhere state NEW
> > tcp
> > > dpt:https reject-with icmp-port-unreachable
> > >
> > >
> > >
> > > On Mon, Apr 4, 2016 at 6:49 PM Rafael Weingärtner <
> > > rafaelweingartner@gmail.com> wrote:
> > >
> > > > What hypervisor are you using?
> > > > Did change the iptables rules at the SSVM itself?
> > > >
> > > > On Mon, Apr 4, 2016 at 6:50 AM, Glenn Wagner <
> > glenn.wagner@shapeblue.com
> > > >
> > > > wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > Can you ping the default gateway of the SSVM?
> > > > > Can you ping google DNS 8.8.8.8 from the SSVM?
> > > > >
> > > > > Thanks
> > > > > Glenn
> > > > >
> > > > >
> > > > > Regards,
> > > > >
> > > > > Glenn Wagner
> > > > >
> > > > > glenn.wagner@shapeblue.com
> > > > > www.shapeblue.com
> > > > > 2nd Floor, Oudehuis Centre, 122 Main Rd, Somerset West, Cape Town
> > > > > 7130South Africa
> > > > > @shapeblue
> > > > >
> > > > > -----Original Message-----
> > > > > From: Syafiq Rokman [mailto:msyafiq.rokman@gmail.com]
> > > > > Sent: Monday, 04 April 2016 11:16 AM
> > > > > To: users@cloudstack.apache.org
> > > > > Subject: SSVM cant route to MS, Iptables keep self-updating
> > > > >
> > > > > Hi everyone!
> > > > >
> > > > > Im running CS 4.8 on Ubuntu 14.04 LTS.
> > > > >
> > > > > So I've managed to set up everything, but I still cant install
> > > templates.
> > > > > So I SSH-ed into the SSVM and ran the healthcheck and it seems that
> > the
> > > > > SSVM can't connect to the DNS.
> > > > >
> > > > > Logs says that it can't route to host.
> > > > >
> > > > > So I've tried to allow all outgoing/incoming connections on
> Iptables,
> > > but
> > > > > it keeps changing back to deny outgoing connections.
> > > > >
> > > > > Any ideas on how to proceed?
> > > > >
> > > > > Will provide logs if anyone needs it.
> > > > >
> > > > > Thanks
> > > > > Syafiq Rokman
> > > > > B.ICT Student
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Rafael Weingärtner
> > > >
> > >
> >
> >
> >
> > --
> > Rafael Weingärtner
> >
> --
> Syafiq Rokman
> B. ICT Student
> Universiti Teknologi PETRONAS
>
--
Rafael Weingärtner
Re: SSVM cant route to MS, Iptables keep self-updating
Posted by Syafiq Rokman <ms...@gmail.com>.
I've checked the host iptables just now...there were rules accommodating the
SSVM and CPVM.
But I've made the mistake of flushing the iptables rules without any backup.
Now Iptables -P, -L has:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -j ACCEPT
-A INPUT -j ACCEPT
-A FORWARD -j ACCEPT
-A OUTPUT -j ACCEPT
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
One more thing, this setup is self-hosted. The MS and host are on the same
machine.
On Tue, Apr 5, 2016 at 8:22 PM Rafael Weingärtner <
rafaelweingartner@gmail.com> wrote:
> Those rules should not block the "ping" command, hence they are meant to
> block "http" right?
>
>
> I have been having the same problem lately with XenServer.
>
> The iptables rules that are rejecting my traffic are at the host itself.
>
> Can you check your host iptables configs?
> --
> Rafael Weingärtner
>
--
Syafiq Rokman
B. ICT Student
Universiti Teknologi PETRONAS
Re: SSVM cant route to MS, Iptables keep self-updating
Posted by Rafael Weingärtner <ra...@gmail.com>.
Those rules should not block the "ping" command, hence they are meant to
block "http" right?
I have been having the same problem lately with XenServer.
The iptables rules that are rejecting my traffic are at the host itself.
Can you check your host iptables configs?
On Tue, Apr 5, 2016 at 3:42 AM, Syafiq Rokman <ms...@gmail.com>
wrote:
> Hi,
>
> Can't ping the default gateway of the SSVM or 8.8.8.8 from the SSVM.
> I'm using KVM as hypervisor.
>
> Tried changing iptables rules on SSVM using
>
> iptables -F
> iptables -X
> iptables -t nat -F
> iptables -t nat -X
> iptables -t mangle -F
> iptables -t mangle -X
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
>
> to allow all connections, but keep getting this at Chain OUTPUT:
>
> REJECT tcp -- anywhere anywhere state NEW tcp dpt:http reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere state NEW tcp dpt:https reject-with icmp-port-unreachable
--
Rafael Weingärtner
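The point made in the reply above (the two REJECT rules only match new TCP connections to http/https, so they are not what stops ping) can be checked mechanically. This is an added shell example, not part of the original thread; the two rule dumps are constructed samples in `iptables -S` form and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample: `iptables -S` on the SSVM right after the flush.
AFTER_FLUSH='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Constructed sample: a later `iptables -S`, with the two REJECT rules from
# the thread written in -S form (http = 80, https = 443).
LATER="$AFTER_FLUSH
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable"

# Print the -A rules present in dump $2 but absent from dump $1.
readded_rules() {
    printf '%s\n' "$2" | while IFS= read -r line; do
        case "$line" in
            -A*) printf '%s\n' "$1" | grep -Fqx -e "$line" || printf '%s\n' "$line" ;;
        esac
    done
}

# Print the rules of chain $2 in dump $1 whose target is REJECT or DROP.
# Jumps into user-defined chains are not followed.
blocking_rules() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "-A" && $2 == chain {
            for (i = 3; i < NF; i++)
                if ($i == "-j" && ($(i + 1) == "REJECT" || $(i + 1) == "DROP")) { print; next }
        }'
}

# Exit 0 if a blocking rule in chain $2 of dump $1 can match protocol $3:
# the rule has no -p match, names "all", names $3, or negates another protocol.
blocks_proto() {
    blocking_rules "$1" "$2" | awk -v proto="$3" '
        {
            p = ""; neg = 0
            for (i = 1; i < NF; i++)
                if ($i == "-p") { p = $(i + 1); neg = (i > 1 && $(i - 1) == "!") }
            if (p == "" || p == "all" || (neg ? (p != proto) : (p == proto))) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

readded_rules "$AFTER_FLUSH" "$LATER"
if blocks_proto "$LATER" OUTPUT icmp; then
    echo "an OUTPUT rule can block ping"
else
    echo "no OUTPUT rule matches icmp; look for the ping failure elsewhere"
fi
```

On a live system the two dumps would come from `iptables -S` (or `iptables-save`) captured before and after the rules reappear.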
Re: SSVM cant route to MS, Iptables keep self-updating
Posted by Syafiq Rokman <ms...@gmail.com>.
Hi,
Can't ping the default gateway of the SSVM or 8.8.8.8 from the SSVM.
I'm using KVM as hypervisor.
Tried changing iptables rules on SSVM using
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
to allow all connections, but keep getting this at Chain OUTPUT:
REJECT tcp -- anywhere anywhere state NEW tcp dpt:http reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere state NEW tcp dpt:https reject-with icmp-port-unreachable
On Mon, Apr 4, 2016 at 6:49 PM Rafael Weingärtner <
rafaelweingartner@gmail.com> wrote:
> What hypervisor are you using?
> Did you change the iptables rules at the SSVM itself?
> --
> Rafael Weingärtner
>
Re: SSVM cant route to MS, Iptables keep self-updating
Posted by Rafael Weingärtner <ra...@gmail.com>.
What hypervisor are you using?
Did you change the iptables rules at the SSVM itself?
On Mon, Apr 4, 2016 at 6:50 AM, Glenn Wagner <gl...@shapeblue.com>
wrote:
> Hi,
>
> Can you ping the default gateway of the SSVM?
> Can you ping google DNS 8.8.8.8 from the SSVM?
>
> Thanks
> Glenn
>
>
> Regards,
>
> Glenn Wagner
>
> glenn.wagner@shapeblue.com
> www.shapeblue.com
> 2nd Floor, Oudehuis Centre, 122 Main Rd, Somerset West, Cape Town
> 7130 South Africa
> @shapeblue
--
Rafael Weingärtner
RE: SSVM cant route to MS, Iptables keep self-updating
Posted by Glenn Wagner <gl...@shapeblue.com>.
Hi,
Can you ping the default gateway of the SSVM?
Can you ping google DNS 8.8.8.8 from the SSVM?
Thanks
Glenn
Regards,
Glenn Wagner
glenn.wagner@shapeblue.com
www.shapeblue.com
2nd Floor, Oudehuis Centre, 122 Main Rd, Somerset West, Cape Town 7130 South Africa
@shapeblue
-----Original Message-----
From: Syafiq Rokman [mailto:msyafiq.rokman@gmail.com]
Sent: Monday, 04 April 2016 11:16 AM
To: users@cloudstack.apache.org
Subject: SSVM cant route to MS, Iptables keep self-updating
Hi everyone!
I'm running CS 4.8 on Ubuntu 14.04 LTS.
So I've managed to set up everything, but I still can't install templates.
So I SSH-ed into the SSVM and ran the healthcheck and it seems that the SSVM can't connect to the DNS.
Logs say that it can't route to host.
So I've tried to allow all outgoing/incoming connections on Iptables, but it keeps changing back to deny outgoing connections.
Any ideas on how to proceed?
Will provide logs if anyone needs it.
Thanks
Syafiq Rokman
B.ICT Student