cloudstack-users mailing list archives

From Rafael Weingärtner <rafaelweingart...@gmail.com>
Subject Re: SSVM cant route to MS, Iptables keep self-updating
Date Tue, 05 Apr 2016 13:37:25 GMT
Are you using VLANs?
Have you tried to use tcpdump at the host to check what is happening with
packages coming from SSVM?

On Tue, Apr 5, 2016 at 10:34 AM, Mindaugas Milinavičius <
mindaugas@clustspace.com> wrote:

> added an additional DNS IP: 8.8.8.8 8.8.4.4
>
> Regards
> Mindaugas Milinavičius
> UAB STARNITA
> Director
> http://www.clustspace.com
> LT: +37068882880
> RU: +79651806396
>
> Tomorrow's possibilities today
> <http://www.clustspace.com/>
>
>    - 1 Core, 512MB RAM, 20GB SSD, 1Gbps, Unlimited, Location: Romania, Los
>    Angeles, Ashburn Washington - 11EUR
>    - 1 Core, 1024MB RAM, 30GB SSD, 1Gbps, Unlimited, Location: Romania, Los
>    Angeles, Ashburn Washington - 18,7EUR
>    - 2 Cores, 2048MB RAM, 40GB SSD, 1Gbps, Unlimited, Location: Romania,
>    Los Angeles, Ashburn Washington - 27,5EUR
>    - 4 Cores, 4096MB RAM, 100GB SSD, 1Gbps, Unlimited, Location: Romania,
>    Los Angeles, Ashburn Washington - 46EUR
>
>
> On Tue, Apr 5, 2016 at 4:31 PM, Syafiq Rokman <msyafiq.rokman@gmail.com>
> wrote:
>
> > I think so. network/interfaces file on host/MS:
> >
> > auto lo
> > iface lo inet loopback
> >
> > auto eth0.100
> > iface eth0.100 inet manual
> >         address 172.16.135.179
> >         netmask 255.255.255.0
> >         gateway 172.16.135.254
> >         dns-nameservers 172.16.238.7 172.16.238.6
> >
> > # Public network
> > auto cloudbr0
> > iface cloudbr0 inet manual
> >
> >  bridge_ports eth0.200
> >  bridge_fd 5
> >  bridge_stp off
> >  bridge_maxwait 1
> >
> > # Private network
> > auto cloudbr1
> > iface cloudbr1 inet manual
> >     bridge_ports eth0.300
> >     bridge_fd 5
> >     bridge_stp off
> >     bridge_maxwait 1
> >
> >
> > On Tue, Apr 5, 2016 at 9:21 PM Mindaugas Milinavičius <
> > mindaugas@clustspace.com> wrote:
> >
> > > Is your network configured properly?
> > >
> > >
> > > On Tue, Apr 5, 2016 at 4:18 PM, Syafiq Rokman <msyafiq.rokman@gmail.com>
> > > wrote:
> > >
> > > > traceroute to 172.16.238.7 (172.16.238.7), 30 hops max, 60 byte packets
> > > >  1  172.16.135.12 (172.16.135.12)  2996.763 ms !H  2996.765 ms !H  2996.764 ms !H
> > > >
> > > > traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
> > > >  1  s-2059-VM (172.16.135.84)  2996.386 ms !H  2996.374 ms !H  2996.371 ms !H
> > > >
> > > >
> > > >
> > > > On Tue, Apr 5, 2016 at 9:01 PM Syafiq Rokman <msyafiq.rokman@gmail.com>
> > > > wrote:
> > > >
> > > > > iptables -L in SSVM :
> > > > >
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > > REJECT     tcp  --  anywhere             anywhere             state
> > NEW
> > > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > >
> > > > > Chain HTTP (0 references)
> > > > > target     prot opt source               destination
> > > > >
> > > > > ==
> > > > >
> > > > > The head is lost, I'm not sure how to filter out the spammed rules.
> > > > >
> > > > > On Tue, Apr 5, 2016 at 8:51 PM Rafael Weingärtner <
> > > > > rafaelweingartner@gmail.com> wrote:
> > > > >
> > > > >> can you post your iptables -L from SSVM?
> > > > >>
> > > > > >> On Tue, Apr 5, 2016 at 9:47 AM, Syafiq Rokman <msyafiq.rokman@gmail.com>
> > > > > >> wrote:
> > > > > >>
> > > > > >> > Yes, just tried ping from SSVM to DNS, and 8.8.8.8, and google.com.
> > > > > >> > Host still unreachable.
> > > > > >> > Healthcheck script also returning host unreachable.
> > > > >> >
> > > > >> >
> > > > >> > On Tue, Apr 5, 2016 at 8:39 PM Rafael Weingärtner <
> > > > >> > rafaelweingartner@gmail.com> wrote:
> > > > >> >
> > > > > >> > > Ok, so in your host there is nothing blocking the in-out/going requests,
> > > > > >> > > but still the ping command does not work?
> > > > > >> > >
> > > > > >> > > That rule you presented earlier should not block “icmp-echo-request”.
> > > > > >> > >
> > > > > >> > > On Tue, Apr 5, 2016 at 9:36 AM, Syafiq Rokman <msyafiq.rokman@gmail.com>
> > > > > >> > > wrote:
> > > > >> > >
> > > > > >> > > > I've checked the host iptables just now...there were rules accommodating the
> > > > > >> > > > SSVM and CPVM.
> > > > > >> > > > But I've made the mistake of flushing the iptables rules without any
> > > > > >> > > > backup.
> > > > > >> > > >  Now Iptables -P, -L has:
> > > > >> > > >
> > > > >> > > > -P INPUT ACCEPT
> > > > >> > > > -P FORWARD ACCEPT
> > > > >> > > > -P OUTPUT ACCEPT
> > > > >> > > > -A INPUT -j ACCEPT
> > > > >> > > > -A INPUT -j ACCEPT
> > > > >> > > > -A FORWARD -j ACCEPT
> > > > >> > > > -A OUTPUT -j ACCEPT
> > > > >> > > > Chain INPUT (policy ACCEPT)
> > > > >> > > > target     prot opt source               destination
> > > > >> > > > ACCEPT     all  --  anywhere             anywhere
> > > > >> > > > ACCEPT     all  --  anywhere             anywhere
> > > > >> > > >
> > > > >> > > > Chain FORWARD (policy ACCEPT)
> > > > >> > > > target     prot opt source               destination
> > > > >> > > > ACCEPT     all  --  anywhere             anywhere
> > > > >> > > >
> > > > >> > > > Chain OUTPUT (policy ACCEPT)
> > > > >> > > > target     prot opt source               destination
> > > > >> > > > ACCEPT     all  --  anywhere             anywhere
> > > > >> > > >
> > > > > >> > > > One more thing, this setup is self-hosted. The MS and host are on the same
> > > > > >> > > > machine.
> > > > >> > > >
> > > > >> > > >
> > > > >> > > >
> > > > > >> > > > On Tue, Apr 5, 2016 at 8:22 PM Rafael Weingärtner <
> > > > > >> > > > rafaelweingartner@gmail.com> wrote:
> > > > > >> > > >
> > > > > >> > > > > Those rules should not block the "ping" command, hence they are meant to
> > > > > >> > > > > block "http" right?
> > > > > >> > > > >
> > > > > >> > > > >
> > > > > >> > > > > I have been having the same problem lately with XenServer.
> > > > > >> > > > >
> > > > > >> > > > > The iptables rules that are rejecting my traffic are at the host itself.
> > > > > >> > > > >
> > > > > >> > > > > Can you check your host iptables configs?
> > > > > >> > > > >
> > > > > >> > > > > On Tue, Apr 5, 2016 at 3:42 AM, Syafiq Rokman <msyafiq.rokman@gmail.com>
> > > > > >> > > > > wrote:
> > > > >> > > > >
> > > > >> > > > > > Hi,
> > > > >> > > > > >
> > > > > >> > > > > > Can't ping the default gateway of the SSVM or 8.8.8.8 from the SSVM.
> > > > > >> > > > > > I'm using KVM as hypervisor.
> > > > > >> > > > > >
> > > > > >> > > > > > Tried changing iptables rules on SSVM using
> > > > >> > > > > >
> > > > >> > > > > > iptables -F
> > > > >> > > > > > iptables -X
> > > > >> > > > > > iptables -t nat -F
> > > > >> > > > > > iptables -t nat -X
> > > > >> > > > > > iptables -t mangle -F
> > > > >> > > > > > iptables -t mangle -X
> > > > >> > > > > > iptables -P INPUT ACCEPT
> > > > >> > > > > > iptables -P FORWARD ACCEPT
> > > > >> > > > > > iptables -P OUTPUT ACCEPT
> > > > >> > > > > >
> > > > > >> > > > > > to allow all connections, but keep getting this at Chain OUTPUT:
> > > > > >> > > > > >
> > > > > >> > > > > > REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable
> > > > > >> > > > > > REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https reject-with icmp-port-unreachable
> > > > >> > > > > >
> > > > >> > > > > >
> > > > >> > > > > >
> > > > > >> > > > > > On Mon, Apr 4, 2016 at 6:49 PM Rafael Weingärtner <
> > > > > >> > > > > > rafaelweingartner@gmail.com> wrote:
> > > > > >> > > > > >
> > > > > >> > > > > > > What hypervisor are you using?
> > > > > >> > > > > > > Did you change the iptables rules at the SSVM itself?
> > > > > >> > > > > > >
> > > > > >> > > > > > > On Mon, Apr 4, 2016 at 6:50 AM, Glenn Wagner <glenn.wagner@shapeblue.com>
> > > > > >> > > > > > > wrote:
> > > > >> > > > > > >
> > > > >> > > > > > > > Hi,
> > > > >> > > > > > > >
> > > > > >> > > > > > > > Can you ping the default gateway of the SSVM?
> > > > > >> > > > > > > > Can you ping google DNS 8.8.8.8 from the SSVM?
> > > > >> > > > > > > >
> > > > >> > > > > > > > Thanks
> > > > >> > > > > > > > Glenn
> > > > >> > > > > > > >
> > > > >> > > > > > > >
> > > > >> > > > > > > > Regards,
> > > > >> > > > > > > >
> > > > >> > > > > > > > Glenn Wagner
> > > > >> > > > > > > >
> > > > >> > > > > > > > glenn.wagner@shapeblue.com
> > > > >> > > > > > > > www.shapeblue.com
> > > > > >> > > > > > > > 2nd Floor, Oudehuis Centre, 122 Main Rd, Somerset West, Cape Town
> > > > > >> > > > > > > > 7130 South Africa
> > > > >> > > > > > > > @shapeblue
> > > > >> > > > > > > >
> > > > >> > > > > > > > -----Original Message-----
> > > > > >> > > > > > > > From: Syafiq Rokman [mailto:msyafiq.rokman@gmail.com]
> > > > > >> > > > > > > > Sent: Monday, 04 April 2016 11:16 AM
> > > > > >> > > > > > > > To: users@cloudstack.apache.org
> > > > > >> > > > > > > > Subject: SSVM cant route to MS, Iptables keep self-updating
> > > > >> > > > > > > >
> > > > >> > > > > > > > Hi everyone!
> > > > >> > > > > > > >
> > > > > >> > > > > > > > I'm running CS 4.8 on Ubuntu 14.04 LTS.
> > > > > >> > > > > > > >
> > > > > >> > > > > > > > So I've managed to set up everything, but I still can't install templates.
> > > > > >> > > > > > > > So I SSH-ed into the SSVM and ran the healthcheck and it seems that the
> > > > > >> > > > > > > > SSVM can't connect to the DNS.
> > > > > >> > > > > > > >
> > > > > >> > > > > > > > Logs say that it can't route to host.
> > > > > >> > > > > > > >
> > > > > >> > > > > > > > So I've tried to allow all outgoing/incoming connections on Iptables, but
> > > > > >> > > > > > > > it keeps changing back to deny outgoing connections.
> > > > > >> > > > > > > >
> > > > > >> > > > > > > > Any ideas on how to proceed?
> > > > > >> > > > > > > >
> > > > > >> > > > > > > > Will provide logs if anyone needs it.
> > > > >> > > > > > > >
> > > > >> > > > > > > > Thanks
> > > > >> > > > > > > > Syafiq Rokman
> > > > >> > > > > > > > B.ICT Student
> > > > >> > > > > > > >
> > > > >> > > > > > >
> > > > >> > > > > > >
> > > > >> > > > > > >
> > > > >> > > > > > > --
> > > > >> > > > > > > Rafael Weingärtner
> > > > >> > > > > > >
> > > > >> > > > > >
> > > > >> > > > >
> > > > >> > > > >
> > > > >> > > > >
> > > > >> > > > > --
> > > > >> > > > > Rafael Weingärtner
> > > > >> > > > >
> > > > >> > > > --
> > > > >> > > > Syafiq Rokman
> > > > >> > > > B. ICT Student
> > > > >> > > > Universiti Teknologi PETRONAS
> > > > >> > > >
> > > > >> > >
> > > > >> > >
> > > > >> > >
> > > > >> > > --
> > > > >> > > Rafael Weingärtner
> > > > >> > >
> > > > >> > --
> > > > >> > Syafiq Rokman
> > > > >> > B. ICT Student
> > > > >> > Universiti Teknologi PETRONAS
> > > > >> >
> > > > >>
> > > > >>
> > > > >>
> > > > >> --
> > > > >> Rafael Weingärtner
> > > > >>
> > > > > --
> > > > > Syafiq Rokman
> > > > > B. ICT Student
> > > > > Universiti Teknologi PETRONAS
> > > > >
> > > > --
> > > > Syafiq Rokman
> > > > B. ICT Student
> > > > Universiti Teknologi PETRONAS
> > > >
> > >
> > --
> > Syafiq Rokman
> > B. ICT Student
> > Universiti Teknologi PETRONAS
> >
>



-- 
Rafael Weingärtner
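
The thread shows an `iptables -L` listing so flooded with repeated REJECT rules that the chain header scrolled away. As an added example (not part of the original messages and not CloudStack code), the shell function below collapses repeated rules per chain and prints each one once with its repeat count; it accepts `iptables -L` or `iptables -S` text on stdin. The names `collapse_rules` and `sample_listing` are hypothetical and the sample listing is constructed.

```shell
#!/bin/sh
# Added example: summarise a rule listing flooded with duplicates.
# Reads `iptables -L` or `iptables -S` text on stdin.

collapse_rules() {
    awk '
    # Print each distinct rule seen since the last chain header, with its count.
    function flush(   i) {
        for (i = 1; i <= n; i++) {
            printf "%5dx %s\n", count[order[i]], order[i]
            delete count[order[i]]
        }
        n = 0
    }
    /^Chain /                 { flush(); print; next }   # -L chain header
    /^-[PN] /                 { print; next }            # -S policy or new chain
    /^target / || /^[ \t]*$/  { next }                   # column header, blank line
    {
        gsub(/[ \t]+/, " ")                   # normalise column padding
        sub(/ $/, "")
        if (!($0 in count)) order[++n] = $0   # keep first-seen order
        count[$0]++
    }
    END { flush() }
    '
}

# Constructed sample in the shape of the SSVM listing quoted in the thread.
sample_listing() {
    cat <<'EOF'
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable

Chain HTTP (0 references)
target     prot opt source               destination
EOF
}

sample_listing | collapse_rules
```

On a live system the input would be `iptables -L OUTPUT | collapse_rules`; running it twice a few minutes apart shows whether the repeat counts are still growing.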
