Posted to users@cloudstack.apache.org by Maurice Lawler <ma...@me.com> on 2013/04/18 04:47:35 UTC
IP tables blocking KVM/Console
I have stopped iptables at least 15 times, because it keeps blocking my console access to my instances. How can I either a) disable iptables altogether, or b) add a rule to allow its access?
Right now, it has this:
[root@lunder ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:49152:49216
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:vnc-server:synchronet-db
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:16509
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:websm
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8250
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:empowerid
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:webcache
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@lunder ~]#
But there were plenty of other rules prior to my stopping it.
Re: IP tables blocking KVM/Console
Posted by Marcus Sorensen <sh...@gmail.com>.
yea, so you can play with that and see if it makes any difference. Iptables
may be blocking access to your consoleproxy's service, or something else.
On Fri, Apr 19, 2013 at 5:37 PM, Maurice Lawler <ma...@me.com>wrote:
> Output:
>
> [root@gizmo scripts]# cat /proc/sys/net/bridge/bridge*
> 1
> 1
> 1
> 0
> 0
> [root@gizmo scripts]#
>
>
>
>
> On Apr 19, 2013, at 07:21 PM, Marcus Sorensen <sh...@gmail.com> wrote:
>
> what do you see in:
>
> cat /proc/sys/net/bridge/bridge*
>
> ? I think I've seen issues with these being set to 1, but I think it might
> need to be set to 1 if you're using security groups.
>
>
> On Fri, Apr 19, 2013 at 5:20 PM, Marcus Sorensen <shadowsor@gmail.com
> >wrote:
>
> > What do you see in :
> >
> >
> >
> > On Fri, Apr 19, 2013 at 2:17 PM, Maurice Lawler <maurice.lawler@me.com
> >wrote:
> >
> >> I've tried it with them disabled (iptables get written) and enabled (the
> >> same issue)
> >>
> >> The cron job seemed to do the trick, until someone just mentioned to
> try:
> >>
> >> iptables -I INPUT -p tcp -m tcp --dport 5900:6100 -j ACCEPT
> >>
> >> That's not working, so I am going back to my cronjob!
> >>
> >> - Maurice
> >>
> >>
> >> On Apr 19, 2013, at 02:08 PM, Edison Su <Ed...@citrix.com> wrote:
> >>
> >>
> >>
> >> > -----Original Message-----
> >> > From: Jason Pavao [mailto:jason.pavao@oracle.com]
> >> > Sent: Thursday, April 18, 2013 8:50 AM
> >> > To: dev@cloudstack.apache.org
> >> > Cc: Maurice Lawler; users@cloudstack.apache.org
> >> > Subject: Re: IP tables blocking KVM/Console
> >> >
> >> > Maurice,
> >> > I was having the same issues, I tried a number of iptables rule
> >> changes, but it
> >> > seems that whenever a new instance was deployed it would overwrite my
> >> > changes and break things again. My temporary fix is to run a cron job
> >> that
> >> > runs every minute that issues a service iptables stop.
> >>
> >> Do you disable security group when creating the zone? If security group
> >> is disabled, then there should be no iptables rules created on kvm host
> >> when a new instance created.
> >>
> >> >
> >> > It's not elegant but it works since I don't have a need for security
> >> groups and
> >> > am supporting a jenkins continuous testing environment with no need
> for
> >> > network ingress/egress rules.
> >> >
> >> > Does anyone else know why this is happening?
> >> >
> >> > I am running cs 4.0.1 on oel6.3x64
> >> >
> >> > Any help would be appreciated.
> >> > Thanks.
> >> > -jason
> >> >
> >> > --
> >> > Thanks.
> >> > -Jason
> >>
> >>
> >
>
>
Re: IP tables blocking KVM/Console
Posted by Marcus Sorensen <sh...@gmail.com>.
what do you see in:
cat /proc/sys/net/bridge/bridge*
? I think I've seen issues with these being set to 1, but I think it might
need to be set to 1 if you're using security groups.
On Fri, Apr 19, 2013 at 5:20 PM, Marcus Sorensen <sh...@gmail.com>wrote:
> What do you see in :
>
>
>
> On Fri, Apr 19, 2013 at 2:17 PM, Maurice Lawler <ma...@me.com>wrote:
>
>> I've tried it with them disabled (iptables get written) and enabled (the
>> same issue)
>>
>> The cron job seemed to do the trick, until someone just mentioned to try:
>>
>> iptables -I INPUT -p tcp -m tcp --dport 5900:6100 -j ACCEPT
>>
>> That's not working, so I am going back to my cronjob!
>>
>> - Maurice
>>
>>
>> On Apr 19, 2013, at 02:08 PM, Edison Su <Ed...@citrix.com> wrote:
>>
>>
>>
>> > -----Original Message-----
>> > From: Jason Pavao [mailto:jason.pavao@oracle.com]
>> > Sent: Thursday, April 18, 2013 8:50 AM
>> > To: dev@cloudstack.apache.org
>> > Cc: Maurice Lawler; users@cloudstack.apache.org
>> > Subject: Re: IP tables blocking KVM/Console
>> >
>> > Maurice,
>> > I was having the same issues, I tried a number of iptables rule
>> changes, but it
>> > seems that whenever a new instance was deployed it would overwrite my
>> > changes and break things again. My temporary fix is to run a cron job
>> that
>> > runs every minute that issues a service iptables stop.
>>
>> Do you disable security group when creating the zone? If security group
>> is disabled, then there should be no iptables rules created on kvm host
>> when a new instance created.
>>
>> >
>> > It's not elegant but it works since I don't have a need for security
>> groups and
>> > am supporting a jenkins continuous testing environment with no need for
>> > network ingress/egress rules.
>> >
>> > Does anyone else know why this is happening?
>> >
>> > I am running cs 4.0.1 on oel6.3x64
>> >
>> > Any help would be appreciated.
>> > Thanks.
>> > -jason
>> >
>> > --
>> > Thanks.
>> > -Jason
>>
>>
>
Re: IP tables blocking KVM/Console
Posted by Marcus Sorensen <sh...@gmail.com>.
What do you see in :
On Fri, Apr 19, 2013 at 2:17 PM, Maurice Lawler <ma...@me.com>wrote:
> I've tried it with them disabled (iptables get written) and enabled (the
> same issue)
>
> The cron job seemed to do the trick, until someone just mentioned to try:
>
> iptables -I INPUT -p tcp -m tcp --dport 5900:6100 -j ACCEPT
>
> That's not working, so I am going back to my cronjob!
>
> - Maurice
>
>
> On Apr 19, 2013, at 02:08 PM, Edison Su <Ed...@citrix.com> wrote:
>
>
>
> > -----Original Message-----
> > From: Jason Pavao [mailto:jason.pavao@oracle.com]
> > Sent: Thursday, April 18, 2013 8:50 AM
> > To: dev@cloudstack.apache.org
> > Cc: Maurice Lawler; users@cloudstack.apache.org
> > Subject: Re: IP tables blocking KVM/Console
> >
> > Maurice,
> > I was having the same issues, I tried a number of iptables rule changes,
> but it
> > seems that whenever a new instance was deployed it would overwrite my
> > changes and break things again. My temporary fix is to run a cron job
> that
> > runs every minute that issues a service iptables stop.
>
> Do you disable security group when creating the zone? If security group is
> disabled, then there should be no iptables rules created on kvm host when a
> new instance created.
>
> >
> > It's not elegant but it works since I don't have a need for security
> groups and
> > am supporting a jenkins continuous testing environment with no need for
> > network ingress/egress rules.
> >
> > Does anyone else know why this is happening?
> >
> > I am running cs 4.0.1 on oel6.3x64
> >
> > Any help would be appreciated.
> > Thanks.
> > -jason
> >
> > --
> > Thanks.
> > -Jason
>
>
RE: IP tables blocking KVM/Console
Posted by Edison Su <Ed...@citrix.com>.
> -----Original Message-----
> From: Jason Pavao [mailto:jason.pavao@oracle.com]
> Sent: Thursday, April 18, 2013 8:50 AM
> To: dev@cloudstack.apache.org
> Cc: Maurice Lawler; users@cloudstack.apache.org
> Subject: Re: IP tables blocking KVM/Console
>
> Maurice,
> I was having the same issues, I tried a number of iptables rule changes, but it
> seems that whenever a new instance was deployed it would overwrite my
> changes and break things again. My temporary fix is to run a cron job that
> runs every minute that issues a service iptables stop.
Do you disable security group when creating the zone? If security group is disabled, then there should be no iptables rules created on kvm host when a new instance created.
>
> It's not elegant but it works since I don't have a need for security groups and
> am supporting a jenkins continuous testing environment with no need for
> network ingress/egress rules.
>
> Does anyone else know why this is happening?
>
> I am running cs 4.0.1 on oel6.3x64
>
> Any help would be appreciated.
> Thanks.
> -jason
>
> --
> Thanks.
> -Jason
Re: IP tables blocking KVM/Console
Posted by Jason Pavao <ja...@oracle.com>.
Maurice,
I was having the same issues, I tried a number of iptables rule changes,
but it seems that whenever a new instance was deployed it would
overwrite my changes and break things again. My temporary fix is to run
a cron job that runs every minute that issues a service iptables stop.
It's not elegant but it works since I don't have a need for security
groups and am supporting a jenkins continuous testing environment with
no need for network ingress/egress rules.
Does anyone else know why this is happening?
I am running cs 4.0.1 on oel6.3x64
Any help would be appreciated.
Thanks.
-jason
--
Thanks.
-Jason
Re: IP tables blocking KVM/Console
Posted by Marcus Sorensen <sh...@gmail.com>.
That's reflected by this line:
ACCEPT tcp -- anywhere anywhere tcp
dpts:vnc-server:synchronet-db
Although we don't know what interfaces it applies to because we don't have
an 'iptables -L -v'
If stopping iptables fixes Maurice's problem it would be interesting to
know, as the rules seem to let VNC through. It should be easy to tcpdump
and see what traffic is actually being blocked because his rules suggest
that VNC is wide open on the KVM host.
On Fri, Apr 19, 2013 at 12:15 PM, Edison Su <Ed...@citrix.com> wrote:
> This rule will reject all the ingress activities: "REJECT all --
> anywhere anywhere reject-with icmp-host-prohibited"
> You can try:
> iptables -I INPUT -p tcp -m tcp --dport 5900:6100 -j ACCEPT
> to allow console access.
>
> From: Maurice Lawler [mailto:maurice.lawler@me.com]
> Sent: Wednesday, April 17, 2013 7:48 PM
> To: Cloud Dev
> Cc: users@cloudstack.apache.org; users@cloudstack.apache.org
> Subject: IP tables blocking KVM/Console
>
> I have stopped iptables at least 15 times, because it keeps blocking my
> console access to my instances. How can I either A) disable Iptables
> altogether / B) add a rule to allow its access.
>
> Right now, it has this:
>
> [root@lunder ~]# iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT udp -- anywhere anywhere udp dpt:bootps
> ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
> ACCEPT tcp -- anywhere anywhere tcp
> dpts:49152:49216
> ACCEPT tcp -- anywhere anywhere tcp
> dpts:vnc-server:synchronet-db
> ACCEPT tcp -- anywhere anywhere tcp dpt:16509
> ACCEPT tcp -- anywhere anywhere tcp dpt:websm
> ACCEPT tcp -- anywhere anywhere tcp dpt:8250
> ACCEPT tcp -- anywhere anywhere tcp
> dpt:empowerid
> ACCEPT tcp -- anywhere anywhere tcp
> dpt:webcache
> ACCEPT all -- anywhere anywhere state
> RELATED,ESTABLISHED
> ACCEPT icmp -- anywhere anywhere
> ACCEPT all -- anywhere anywhere
> ACCEPT tcp -- anywhere anywhere state NEW tcp
> dpt:ssh
> REJECT all -- anywhere anywhere reject-with
> icmp-host-prohibited
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> [root@lunder ~]#
>
> But there were plenty of other rules prior to my stopping it.
>
>
>
RE: IP tables blocking KVM/Console
Posted by Edison Su <Ed...@citrix.com>.
This rule will reject all the ingress activities: "REJECT all -- anywhere anywhere reject-with icmp-host-prohibited"
You can try:
iptables -I INPUT -p tcp -m tcp --dport 5900:6100 -j ACCEPT
to allow console access.
From: Maurice Lawler [mailto:maurice.lawler@me.com]
Sent: Wednesday, April 17, 2013 7:48 PM
To: Cloud Dev
Cc: users@cloudstack.apache.org; users@cloudstack.apache.org
Subject: IP tables blocking KVM/Console
I have stopped iptables at least 15 times, because it keeps blocking my console access to my instances. How can I either A) disable Iptables altogether / B) add a rule to allow its access.
Right now, it has this:
[root@lunder ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpts:49152:49216
ACCEPT tcp -- anywhere anywhere tcp dpts:vnc-server:synchronet-db
ACCEPT tcp -- anywhere anywhere tcp dpt:16509
ACCEPT tcp -- anywhere anywhere tcp dpt:websm
ACCEPT tcp -- anywhere anywhere tcp dpt:8250
ACCEPT tcp -- anywhere anywhere tcp dpt:empowerid
ACCEPT tcp -- anywhere anywhere tcp dpt:webcache
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@lunder ~]#
But there were plenty of other rules prior to my stopping it.
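Both of Marcus's point (the listing is useless for diagnosis without the interface column from `iptables -L -v`) and Edison's suggestion (`iptables -I INPUT ... --dport 5900:6100 -j ACCEPT`) come down to first-match rule order, so here is an added example that is not part of the thread: a small Python dry-run evaluator that parses `iptables -L INPUT -n -v` text and reports which rule a packet would hit. The listing it ships with is constructed to mirror Maurice's posted chain rendered numerically; the interface assignments (`virbr0` for the bootps rules, `lo` for the bare `ACCEPT all`) are assumptions, since the thread never shows `-v` output, and the hypothetical `CHAIN_WITHOUT_VNC` variant simply drops the 5900:6100 rule to model a chain where console traffic really is rejected.

```python
"""Dry-run evaluation of an iptables INPUT chain (added example, not from the thread).

Parses what `iptables -L INPUT -n -v` prints and walks a packet through the chain
in order, returning the first matching target, so a rule-order mistake such as an
ACCEPT placed after the catch-all REJECT shows up without touching a live host.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed listing: Maurice's posted rules rendered with -n -v (three of the
# single-port ACCEPTs are left out for brevity). The interface column is an
# assumption, since the thread never shows -v output: virbr0 for the libvirt
# bootps rules and lo for the unqualified "ACCEPT all".
POSTED_CHAIN = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:49152:49216
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:5900:6100
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:16509
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8250
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
"""
# Hypothetical variant: the same chain with the 5900:6100 rule gone.
CHAIN_WITHOUT_VNC = "\n".join(l for l in POSTED_CHAIN.splitlines() if "5900:6100" not in l)

@dataclass
class Rule:
    target: str
    proto: str                  # tcp, udp, icmp or all
    in_iface: str               # "*" means any interface
    dports: Optional[range]     # None means any destination port
    states: Optional[Set[str]]  # None means no conntrack state match
    raw: str

@dataclass
class Packet:
    proto: str
    dport: int
    in_iface: str = "eth0"
    state: str = "NEW"

def parse_chain(listing: str) -> List[Rule]:
    """Turn `iptables -L <chain> -n -v` output into an ordered list of Rules."""
    rules: List[Rule] = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[0] in ("Chain", "pkts"):
            continue  # chain header, column header or blank line
        target, proto, _opt, in_if = parts[2:6]
        extra = " ".join(parts[9:])  # match options: dpt:, dpts:, state ...
        m = re.search(r"dpts?:(\d+)(?::(\d+))?", extra)
        dports = range(int(m.group(1)), int(m.group(2) or m.group(1)) + 1) if m else None
        m = re.search(r"state (\S+)", extra)
        states = set(m.group(1).split(",")) if m else None
        rules.append(Rule(target, proto, in_if, dports, states, line.strip()))
    return rules

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "all" or rule.proto == pkt.proto)
            and (rule.in_iface == "*" or rule.in_iface == pkt.in_iface)
            and (rule.dports is None or pkt.dport in rule.dports)
            and (rule.states is None or pkt.state in rule.states))

def first_match(rules: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Tuple[str, Optional[int]]:
    """First-match semantics: (target, 1-based rule number), or the chain policy if none match."""
    for number, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule.target, number
    return policy, None

# Edison's suggested rule as a Rule object.
VNC_ACCEPT = Rule("ACCEPT", "tcp", "*", range(5900, 6101), None,
                  "iptables -I INPUT -p tcp -m tcp --dport 5900:6100 -j ACCEPT")

def vnc_verdict(listing: str, fix: Optional[str] = None) -> Tuple[str, Optional[int]]:
    """Verdict for a new TCP connection to port 5900 arriving on eth0.

    fix=None leaves the chain alone; "insert" models `iptables -I INPUT ...` (rule
    goes to the top); "append" models `iptables -A INPUT ...` (rule lands after the
    catch-all REJECT, where it can never match).
    """
    rules = parse_chain(listing)
    if fix == "insert":
        rules.insert(0, VNC_ACCEPT)
    elif fix == "append":
        rules.append(VNC_ACCEPT)
    return first_match(rules, Packet("tcp", 5900))

if __name__ == "__main__":
    for label, verdict in [("posted chain", vnc_verdict(POSTED_CHAIN)),
                           ("VNC rule missing", vnc_verdict(CHAIN_WITHOUT_VNC)),
                           ("missing, then -I INPUT", vnc_verdict(CHAIN_WITHOUT_VNC, "insert")),
                           ("missing, then -A INPUT", vnc_verdict(CHAIN_WITHOUT_VNC, "append"))]:
        print(f"{label:24s} eth0 -> tcp/5900: {verdict}")
```

Run against the posted chain, a new connection to 5900 on eth0 is accepted by rule 4, which is exactly why Marcus doubts iptables is the culprit; only in the constructed variant without that rule does the packet fall through to the REJECT, and there `-I` fixes it while `-A` changes nothing because the new ACCEPT sits behind the REJECT. The simulator only models the matches that appear in the listing (protocol, input interface, destination port, conntrack state), so feed it the real `iptables -L INPUT -n -v` output before drawing conclusions about a host.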
Re: IP tables blocking KVM/Console
Posted by Jason Pavao <ja...@oracle.com>.
Maurice,
I was having the same issues. I tried a number of iptables rule changes,
but it seems that whenever a new instance was deployed it would
overwrite my changes and break things again. My temporary fix is to run
a cron job every minute that issues a service iptables stop.
It's not elegant but it works since I don't have a need for security
groups and am supporting a jenkins continuous testing environment with
no need for network ingress/egress rules.
Does anyone else know why this is happening?
I am running cs 4.0.1 on oel6.3x64
Any help would be appreciated.
Thanks.
-jason
On 4/17/2013 7:47 PM, Maurice Lawler wrote:
> I have stopped iptables at least 15 times, because it keeps blocking
> my console access to my instances. How can I either A) disable
> Iptables altogether / B) add a rule to allow its access.
>
> Right now, it has this:
>
> [root@lunder ~]# iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT udp -- anywhere anywhere udp
> dpt:bootps
> ACCEPT tcp -- anywhere anywhere tcp
> dpt:bootps
> ACCEPT tcp -- anywhere anywhere tcp
> dpts:49152:49216
> ACCEPT tcp -- anywhere anywhere tcp
> dpts:vnc-server:synchronet-db
> ACCEPT tcp -- anywhere anywhere tcp
> dpt:16509
> ACCEPT tcp -- anywhere anywhere tcp
> dpt:websm
> ACCEPT tcp -- anywhere anywhere tcp dpt:8250
> ACCEPT tcp -- anywhere anywhere tcp
> dpt:empowerid
> ACCEPT tcp -- anywhere anywhere tcp
> dpt:webcache
> ACCEPT all -- anywhere anywhere state
> RELATED,ESTABLISHED
> ACCEPT icmp -- anywhere anywhere
> ACCEPT all -- anywhere anywhere
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
> REJECT all -- anywhere anywhere reject-with
> icmp-host-prohibited
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> [root@lunder ~]#
>
> But there were plenty of other rules prior to my stopping it.
>
>
--
Thanks.
-Jason