Date: Thu, 18 Apr 2013 08:49:51 -0700
From: Jason Pavao
To: dev@cloudstack.apache.org
CC: Maurice Lawler, users@cloudstack.apache.org
Subject: Re: IP tables blocking KVM/Console

Maurice,

I was having the same issues. I tried a number of iptables rule changes, but it seems that whenever a new instance was deployed it would overwrite my changes and break things again. My temporary fix is to run a cron job that runs every minute that issues a service iptables stop. It's not elegant but it works since I don't have a need for security groups and am supporting a Jenkins continuous testing environment with no need for network ingress/egress rules.

Does anyone else know why this is happening? I am running cs 4.0.1 on oel6.3x64.

Any help would be appreciated.

Thanks.
-jason

On 4/17/2013 7:47 PM, Maurice Lawler wrote:
> I have stopped iptables at least 15 times, because it keeps blocking
> my console access to my instances. How can I either A) disable
> iptables altogether / B) add a rule to allow its access.
>
> Right now, it has this:
>
> [root@lunder ~]# iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:49152:49216
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:vnc-server:synchronet-db
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:16509
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:websm
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8250
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:empowerid
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:webcache
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> ACCEPT     icmp --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> [root@lunder ~]#
>
> But there were plenty of other rules previous to my stopping it.
>

--
Thanks.
-Jason
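
Added example, not part of either message: a first-match check over the INPUT chain quoted above, showing which rule decides a new inbound connection to a given port. The service-to-port map uses the standard /etc/services values; treating the bare `ACCEPT all` line as an interface-bound rule is an assumption, since `iptables -L` without `-v` does not show interface matches.

```python
import re

# Service names as printed by `iptables -L`, with their /etc/services ports.
SERVICES = {"bootps": 67, "ssh": 22, "vnc-server": 5900, "synchronet-db": 6100,
            "websm": 9090, "empowerid": 7080, "webcache": 8080}

# INPUT chain copied from the quoted message, wrapped lines rejoined.
LISTING = """\
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpts:49152:49216
ACCEPT tcp -- anywhere anywhere tcp dpts:vnc-server:synchronet-db
ACCEPT tcp -- anywhere anywhere tcp dpt:16509
ACCEPT tcp -- anywhere anywhere tcp dpt:websm
ACCEPT tcp -- anywhere anywhere tcp dpt:8250
ACCEPT tcp -- anywhere anywhere tcp dpt:empowerid
ACCEPT tcp -- anywhere anywhere tcp dpt:webcache
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
"""

def port(tok):
    return SERVICES.get(tok) or int(tok)

def parse(listing):
    rules = []
    for line in listing.splitlines():
        target, proto, _opt, _src, _dst, *extra = line.split()
        rest = " ".join(extra)
        m = re.search(r"dpts?:([^\s:]+)(?::(\S+))?", rest)
        ports = (port(m[1]), port(m[2] or m[1])) if m else None
        rules.append({"target": target, "proto": proto, "ports": ports, "rest": rest})
    return rules

def verdict(rules, dport, proto="tcp"):
    """Return (rule number, target) of the first rule matching a NEW connection."""
    for n, r in enumerate(rules, 1):
        if r["proto"] not in (proto, "all"):
            continue
        if "ESTABLISHED" in r["rest"]:
            continue  # matches only packets of existing connections
        if r["target"] == "ACCEPT" and r["proto"] == "all" and not r["rest"]:
            continue  # assumption: interface-bound (e.g. lo); -L without -v hides it
        if r["ports"] is None or r["ports"][0] <= dport <= r["ports"][1]:
            return n, r["target"]
    return None, "policy"
```

On this listing, `verdict(parse(LISTING), 5900)` is decided by rule 4 (ACCEPT), while a TCP port outside the listed ranges falls through to the final REJECT.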