cloudstack-users mailing list archives

From Jayapal Reddy Uradi <jayapalreddy.ur...@citrix.com>
Subject Re: XenServer 6.2 blocks vm outgoing traffic
Date Tue, 20 May 2014 15:48:34 GMT
To allow outgoing traffic for user VMs, you need to add egress rules on the network.


Thanks,
Jayapal

On 20-May-2014, at 8:38 PM, Andrei Mikhailovsky <andrei@arhont.com> wrote:

> Hello guys, 
> 
> Having a bit of an issue with clean installs of ACS 4.2.1. The same issue is present
> on ACS 4.3. Both of the system vms are created and shown as Running. When I log in either to
> ssvm or cpvm I am able to ping internal and external dns servers, as well as I can ping public
> hosts like 8.8.8.8, etc. I am able to access public IPs on ports 80 or 443 and that's pretty
> much it. I am unable to resolve anything or access any other ports. This applies to the management
> and public networks.
> 
> I had a quick investigation and it seems that the XenServer iptables rules are not properly
> set up. The default iptables policy that I have is:
> 
> # iptables -L -nv 
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes) 
> pkts bytes target prot opt in out source destination 
> 6880K 9595M RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0 
> 
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) 
> pkts bytes target prot opt in out source destination 
> 40776 25M RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0 
> 
> Chain OUTPUT (policy ACCEPT 6152K packets, 15G bytes) 
> pkts bytes target prot opt in out source destination 
> 
> Chain RH-Firewall-1-INPUT (2 references) 
> pkts bytes target prot opt in out source destination 
> 2355K 5758M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 
> 349K 21M ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255 
> 0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0 
> 0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 
> 3 261 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353 
> 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631 
> 3 180 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:631 
> 0 0 ACCEPT udp -- xenapi * 0.0.0.0/0 0.0.0.0/0 udp dpt:67 
> 4164K 3815M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 
> 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:694 
> 19 1092 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 
> 13 732 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80 
> 10542 632K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443 
> 42147 26M REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited 
> 
> 
> In order for my system vms to resolve anything I have to manually add the following lines
> on the hypervisor:
> 
> iptables -I RH-Firewall-1-INPUT -p udp --dport 53 -j ACCEPT 
> iptables -I RH-Firewall-1-INPUT -p tcp --dport 53 -j ACCEPT 
> 
> Has anyone seen this behaviour from a clean install? Did I miss an important step during
> the hypervisor install?
> 
> My networking is Advanced + XenServer 6.2 with latest updates. I have the following network
> setup:
> 
> NIC0 - Network Name in XenCenter - Management. ACS traffic label for the Management network
> is Management
> 
> NIC1 - Network name in XenCenter - CloudStack - ACS traffic labels for Public and Guest
> networks is CloudStack
> 
> Cheers 
> 
> Andrei 
> 
> 
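
An added example, not part of either message: it walks an excerpt of the quoted `iptables -L -nv` listing with first-match-wins semantics to show which connections traversing FORWARD reach an ACCEPT before the final REJECT. The function names and the interface name `xapi1` used when calling it are assumptions; source addresses and ICMP types are not evaluated, since every rule in the excerpt has source 0.0.0.0/0.

```python
import ipaddress
import re

# Excerpt of the listing quoted in the message (counters kept as posted).
LISTING = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
40776 25M RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain RH-Firewall-1-INPUT (2 references)
2355K 5758M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4164K 3815M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
13 732 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
10542 632K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
42147 26M REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
"""

def parse(listing):
    """Return {chain: (policy or None, [rule, ...])} from `iptables -L -nv` text."""
    chains, cur = {}, None
    for line in listing.splitlines():
        f = line.split()
        if line.startswith("Chain "):
            policy = f[3] if f[2] == "(policy" else None  # user chains have none
            cur = chains.setdefault(f[1], (policy, []))[1]
        elif len(f) >= 9 and f[0] != "pkts":              # skip column headers
            extra = " ".join(f[9:])
            dpt = re.search(r"dpt:(\d+)", extra)
            state = re.search(r"state (\S+)", extra)
            cur.append({"target": f[2], "prot": f[3], "in": f[5], "dst": f[8],
                        "dpt": int(dpt.group(1)) if dpt else None,
                        "state": state.group(1).split(",") if state else None})
    return chains

def verdict(chains, chain, prot, dport, in_if, dst, state="NEW"):
    """First-match walk; returns the terminating target, else the chain policy."""
    policy, rules = chains[chain]
    for r in rules:
        match = (r["prot"] in ("all", prot) and r["in"] in ("*", in_if)
                 and r["dpt"] in (None, dport)
                 and (r["state"] is None or state in r["state"])
                 and ipaddress.ip_address(dst) in ipaddress.ip_network(r["dst"]))
        if not match:
            continue
        if r["target"] not in chains:
            return r["target"]                  # ACCEPT, REJECT, DROP, ...
        result = verdict(chains, r["target"], prot, dport, in_if, dst, state)
        if result is not None:                  # None: jumped chain fell through
            return result
    return policy
```

Because both INPUT and FORWARD jump to `RH-Firewall-1-INPUT` in the listing, a rule inserted into that chain applies to traffic addressed to the hypervisor as well as to forwarded traffic.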

