cloudstack-dev mailing list archives

From Marcus Sorensen <shadow...@gmail.com>
Subject Re: IP tables blocking KVM/Console
Date Fri, 19 Apr 2013 23:55:36 GMT
Yeah, so you can play with that and see if it makes any difference. Iptables
may be blocking access to your consoleproxy's service, or something else.


On Fri, Apr 19, 2013 at 5:37 PM, Maurice Lawler <maurice.lawler@me.com> wrote:

> Output:
>
> [root@gizmo scripts]# cat /proc/sys/net/bridge/bridge*
> 1
> 1
> 1
> 0
> 0
> [root@gizmo scripts]#
>
>
>
>
> On Apr 19, 2013, at 07:21 PM, Marcus Sorensen <shadowsor@gmail.com> wrote:
>
> what do you see in:
>
> cat /proc/sys/net/bridge/bridge*
>
> ? I think I've seen issues with these being set to 1, but I think it might
> need to be set to 1 if you're using security groups.
>
>
> On Fri, Apr 19, 2013 at 5:20 PM, Marcus Sorensen <shadowsor@gmail.com> wrote:
>
> > What do you see in :
> >
> >
> >
> > On Fri, Apr 19, 2013 at 2:17 PM, Maurice Lawler <maurice.lawler@me.com> wrote:
> >
> >> I've tried it with them disabled (iptables get written) and enabled (the
> >> same issue)
> >>
> >> The cron job seemed to do the trick, until someone just mentioned to try:
> >>
> >> iptables -I INPUT -p tcp -m tcp --dport 5900:6100 -j ACCEPT
> >>
> >> That's not working, so I am going back to my cronjob!
> >>
> >> - Maurice
> >>
> >>
> >> On Apr 19, 2013, at 02:08 PM, Edison Su <Edison.su@citrix.com> wrote:
> >>
> >>
> >>
> >> > -----Original Message-----
> >> > From: Jason Pavao [mailto:jason.pavao@oracle.com]
> >> > Sent: Thursday, April 18, 2013 8:50 AM
> >> > To: dev@cloudstack.apache.org
> >> > Cc: Maurice Lawler; users@cloudstack.apache.org
> >> > Subject: Re: IP tables blocking KVM/Console
> >> >
> >> > Maurice,
> >> > I was having the same issues, I tried a number of iptables rule changes, but it
> >> > seems that whenever a new instance was deployed it would overwrite my
> >> > changes and break things again. My temporary fix is to run a cron job that
> >> > runs every minute that issues a service iptables stop.
> >>
> >> Do you disable security group when creating the zone? If security group
> >> is disabled, then there should be no iptables rules created on kvm host
> >> when a new instance is created.
> >>
> >> >
> >> > It's not elegant but it works since I don't have a need for security groups and
> >> > am supporting a Jenkins continuous testing environment with no need for
> >> > network ingress/egress rules.
> >> >
> >> > Does anyone else know why this is happening?
> >> >
> >> > I am running cs 4.0.1 on oel6.3x64
> >> >
> >> > Any help would be appreciated.
> >> > Thanks.
> >> > -jason
> >> >
> >> > On 4/17/2013 7:47 PM, Maurice Lawler wrote:
> >> > > I have stopped iptables at least 15 times, because it keeps blocking
> >> > > my console access to my instances. How can I either A) disable
> >> > > iptables altogether / B) add a rule to allow its access.
> >> > >
> >> > > Right now, it has this:
> >> > >
> >> > > [root@lunder ~]# iptables -L
> >> > > Chain INPUT (policy ACCEPT)
> >> > > target prot opt source destination
> >> > > ACCEPT udp -- anywhere anywhere udp dpt:bootps
> >> > > ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
> >> > > ACCEPT tcp -- anywhere anywhere tcp dpts:49152:49216
> >> > > ACCEPT tcp -- anywhere anywhere tcp dpts:vnc-server:synchronet-db
> >> > > ACCEPT tcp -- anywhere anywhere tcp dpt:16509
> >> > > ACCEPT tcp -- anywhere anywhere tcp dpt:websm
> >> > > ACCEPT tcp -- anywhere anywhere tcp dpt:8250
> >> > > ACCEPT tcp -- anywhere anywhere tcp dpt:empowerid
> >> > > ACCEPT tcp -- anywhere anywhere tcp dpt:webcache
> >> > > ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> >> > > ACCEPT icmp -- anywhere anywhere
> >> > > ACCEPT all -- anywhere anywhere
> >> > > ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
> >> > > REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
> >> > >
> >> > > Chain FORWARD (policy ACCEPT)
> >> > > target prot opt source destination
> >> > >
> >> > > Chain OUTPUT (policy ACCEPT)
> >> > > target prot opt source destination
> >> > > [root@lunder ~]#
> >> > >
> >> > > But there were plenty of other rules prior to my stopping it.
> >> > >
> >> > >
> >> >
> >> > --
> >> > Thanks.
> >> > -Jason
> >>
> >>
> >
>
>

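Added example, not part of the original thread: a shell sketch of first-match evaluation on the INPUT chain, showing why the position of a 5900:6100 ACCEPT rule relative to the catch-all REJECT in the listing above decides whether it ever fires. The function names, the simplified matcher and the sample rules (written in `iptables -S INPUT` format) are constructed for illustration.

```shell
# Added example (not from the thread). Reads rules in `iptables -S INPUT`
# format on stdin and prints "<rule number> <target>" for the first rule that
# matches a NEW TCP connection from a remote host to port $1.
# Simplified model: only -p, --dport, --state/--ctstate, -i lo and -j are
# interpreted; a chain with no matching rule reports "0 POLICY".
first_verdict() {
    awk -v port="$1" '
    $1 == "-A" && $2 == "INPUT" {
        n++
        proto = "all"; lo = 0; hi = 65535; target = ""; skip = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
            else if ($i == "-i" && $(i + 1) == "lo") skip = 1
            else if ($i == "--state" || $i == "--ctstate") {
                if (index($(i + 1), "NEW") == 0) skip = 1
            } else if ($i == "--dport") {
                k = split($(i + 1), r, ":")
                lo = r[1] + 0
                hi = (k > 1) ? r[2] + 0 : lo
            }
        }
        if (!skip && (proto == "all" || proto == "tcp") &&
            port + 0 >= lo && port + 0 <= hi) {
            print n, target; found = 1; exit
        }
    }
    END { if (!found) print "0 POLICY" }'
}

# Constructed sample: an EL6-style INPUT chain ending in a catch-all REJECT.
base_rules() {
    cat <<'EOF'
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
}
VNC_RULE='-p tcp -m tcp --dport 5900:6100 -j ACCEPT'

# Appended with -A the rule lands after the REJECT; inserted with -I it lands first.
rules_appended() { base_rules; echo "-A INPUT $VNC_RULE"; }
rules_inserted() { echo "-A INPUT $VNC_RULE"; base_rules; }

echo "appended: $(rules_appended | first_verdict 5900)"
echo "inserted: $(rules_inserted | first_verdict 5900)"
```

On a live host the same function can be fed from `iptables -S INPUT`; rerunning it after an instance is deployed shows whether the chain was rewritten.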