cloudstack-dev mailing list archives

From Maurice Lawler <maurice.law...@me.com>
Subject Re: IP tables blocking KVM/Console
Date Fri, 19 Apr 2013 23:37:39 GMT
Output:

[root@gizmo scripts]# cat /proc/sys/net/bridge/bridge*
1
1
1
0
0
[root@gizmo scripts]#




On Apr 19, 2013, at 07:21 PM, Marcus Sorensen <shadowsor@gmail.com> wrote:

> what do you see in:
>
> cat /proc/sys/net/bridge/bridge*
>
> ? I think I've seen issues with these being set to 1, but I think it might
> need to be set to 1 if you're using security groups.
>
>
> On Fri, Apr 19, 2013 at 5:20 PM, Marcus Sorensen <shadowsor@gmail.com> wrote:
>
> > What do you see in :
> >
> >
> >
> > On Fri, Apr 19, 2013 at 2:17 PM, Maurice Lawler <maurice.lawler@me.com> wrote:
> >
> >> I've tried it with them disabled (iptables get written) and enabled (the
> >> same issue)
> >>
> >> The cron job seemed to do the trick, until someone just mentioned to try:
> >>
> >> iptables -I INPUT -p tcp -m tcp --dport 5900:6100 -j ACCEPT
> >>
> >> That's not working, so I am going back to my cronjob!
> >>
> >> - Maurice
> >>
> >>
> >> On Apr 19, 2013, at 02:08 PM, Edison Su <Edison.su@citrix.com> wrote:
> >>
> >>
> >>
> >> > -----Original Message-----
> >> > From: Jason Pavao [mailto:jason.pavao@oracle.com]
> >> > Sent: Thursday, April 18, 2013 8:50 AM
> >> > To: dev@cloudstack.apache.org
> >> > Cc: Maurice Lawler; users@cloudstack.apache.org
> >> > Subject: Re: IP tables blocking KVM/Console
> >> >
> >> > Maurice,
> >> > I was having the same issues, I tried a number of iptables rule changes, but it
> >> > seems that whenever a new instance was deployed it would overwrite my
> >> > changes and break things again. My temporary fix is to run a cron job that
> >> > runs every minute that issues a service iptables stop.
> >>
> >> Do you disable security group when creating the zone? If security group
> >> is disabled, then there should be no iptables rules created on kvm host
> >> when a new instance is created.
> >>
> >> >
> >> > It's not elegant but it works since I don't have a need for security groups and
> >> > am supporting a jenkins continuous testing environment with no need for
> >> > network ingress/egress rules.
> >> >
> >> > Does anyone else know why this is happening?
> >> >
> >> > I am running cs 4.0.1 on oel6.3x64
> >> >
> >> > Any help would be appreciated.
> >> > Thanks.
> >> > -jason
> >> >
> >> > On 4/17/2013 7:47 PM, Maurice Lawler wrote:
> >> > > I have stopped iptables at least 15 times, because it keeps blocking
> >> > > my console access to my instances. How can I either A) disable
> >> > > iptables altogether / B) add a rule to allow its access.
> >> > >
> >> > > Right now, it has this:
> >> > >
> >> > > [root@lunder ~]# iptables -L
> >> > > Chain INPUT (policy ACCEPT)
> >> > > target prot opt source destination
> >> > > ACCEPT udp -- anywhere anywhere udp dpt:bootps
> >> > > ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
> >> > > ACCEPT tcp -- anywhere anywhere tcp dpts:49152:49216
> >> > > ACCEPT tcp -- anywhere anywhere tcp dpts:vnc-server:synchronet-db
> >> > > ACCEPT tcp -- anywhere anywhere tcp dpt:16509
> >> > > ACCEPT tcp -- anywhere anywhere tcp dpt:websm
> >> > > ACCEPT tcp -- anywhere anywhere tcp dpt:8250
> >> > > ACCEPT tcp -- anywhere anywhere tcp dpt:empowerid
> >> > > ACCEPT tcp -- anywhere anywhere tcp dpt:webcache
> >> > > ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> >> > > ACCEPT icmp -- anywhere anywhere
> >> > > ACCEPT all -- anywhere anywhere
> >> > > ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
> >> > > REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
> >> > >
> >> > > Chain FORWARD (policy ACCEPT)
> >> > > target prot opt source destination
> >> > >
> >> > > Chain OUTPUT (policy ACCEPT)
> >> > > target prot opt source destination
> >> > > [root@lunder ~]#
> >> > >
> >> > > But there were plenty of other rules prior to my stopping it.
> >> > >
> >> > >
> >> >
> >> > --
> >> > Thanks.
> >> > -Jason
> >>
> >>
> >
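
Added example, not part of the original thread: `cat /proc/sys/net/bridge/bridge*` prints bare values with no file names, so this sketch reports each bridge netfilter sysctl by name and lists which bridge-nf-call-* toggles are on. The function names are hypothetical; the file names are the standard Linux bridge-nf sysctls, and the fixture assumes the five values posted above appear in glob order.

```shell
#!/bin/sh
# Added example (not from the thread): label each bridge netfilter sysctl.

# bridge_nf_report [DIR]: print "name=value" for every bridge-nf-* file.
bridge_nf_report() {
    dir=${1:-/proc/sys/net/bridge}
    if [ ! -d "$dir" ]; then
        # The directory only exists while the bridge module is loaded.
        echo "no bridge sysctls under $dir" >&2
        return 1
    fi
    for f in "$dir"/bridge-nf-*; do
        [ -f "$f" ] || continue
        printf '%s=%s\n' "${f##*/}" "$(cat "$f")"
    done
}

# bridge_nf_call_enabled [DIR]: names of the bridge-nf-call-* toggles set to 1,
# i.e. the ones that hand bridged traffic to arptables/ip6tables/iptables.
bridge_nf_call_enabled() {
    bridge_nf_report "$1" | while IFS='=' read -r name value; do
        case $name in
            bridge-nf-call-*)
                if [ "$value" = 1 ]; then echo "$name"; fi ;;
        esac
    done
}

# make_constructed_fixture DIR: constructed sample data (assumption: the
# values 1 1 1 0 0 posted in the thread map to these names in glob order).
make_constructed_fixture() {
    for n in bridge-nf-call-arptables bridge-nf-call-ip6tables \
             bridge-nf-call-iptables; do
        echo 1 > "$1/$n"
    done
    for n in bridge-nf-filter-pppoe-tagged bridge-nf-filter-vlan-tagged; do
        echo 0 > "$1/$n"
    done
}

# Demo against the constructed fixture, so it runs on a host with no bridge.
demo=$(mktemp -d)
make_constructed_fixture "$demo"
bridge_nf_report "$demo"
rm -rf "$demo"
```

On a KVM host, call `bridge_nf_report` with no argument to read the live values from /proc/sys/net/bridge.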
