cloudstack-users mailing list archives

From Syafiq Rokman <msyafiq.rok...@gmail.com>
Subject Re: SSVM cant route to MS, Iptables keep self-updating
Date Tue, 05 Apr 2016 13:18:35 GMT
traceroute to 172.16.238.7 (172.16.238.7), 30 hops max, 60 byte packets
 1  172.16.135.12 (172.16.135.12)  2996.763 ms !H  2996.765 ms !H  2996.764 ms !H

traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  s-2059-VM (172.16.135.84)  2996.386 ms !H  2996.374 ms !H  2996.371 ms !H



On Tue, Apr 5, 2016 at 9:01 PM Syafiq Rokman <msyafiq.rokman@gmail.com>
wrote:

> iptables -L in SSVM :
>
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW
> tcp dpt:https reject-with icmp-port-unreachable
>
> Chain HTTP (0 references)
> target     prot opt source               destination
>
> ==
>
> The head is lost, I'm not sure how to filter out the spammed rules.
>
> On Tue, Apr 5, 2016 at 8:51 PM Rafael Weingärtner <
> rafaelweingartner@gmail.com> wrote:
>
>> can you post your iptables -L from SSVM?
>>
>> On Tue, Apr 5, 2016 at 9:47 AM, Syafiq Rokman <msyafiq.rokman@gmail.com>
>> wrote:
>>
>> > Yes, just tried ping from SSVM to DNS, and 8.8.8.8, and google.com. Host
>> > still unreachable.
>> > Healthcheck script also returning host unreachable.
>> >
>> >
>> > On Tue, Apr 5, 2016 at 8:39 PM Rafael Weingärtner <
>> > rafaelweingartner@gmail.com> wrote:
>> >
>> > > Ok, so in your host there is nothing blocking the in-out/going requests,
>> > > but still the ping command does not work?
>> > >
>> > > That rule you presented earlier should not block “icmp-echo-request”.
>> > >
>> > > On Tue, Apr 5, 2016 at 9:36 AM, Syafiq Rokman <msyafiq.rokman@gmail.com>
>> > > wrote:
>> > >
>> > > > I've checked the host iptables just now...there were rules accommodating the
>> > > > SSVM and CPVM.
>> > > > But I've made the mistake of flushing the iptables rules without any
>> > > > backup.
>> > > >  Now Iptables -P, -L has:
>> > > >
>> > > > -P INPUT ACCEPT
>> > > > -P FORWARD ACCEPT
>> > > > -P OUTPUT ACCEPT
>> > > > -A INPUT -j ACCEPT
>> > > > -A INPUT -j ACCEPT
>> > > > -A FORWARD -j ACCEPT
>> > > > -A OUTPUT -j ACCEPT
>> > > > Chain INPUT (policy ACCEPT)
>> > > > target     prot opt source               destination
>> > > > ACCEPT     all  --  anywhere             anywhere
>> > > > ACCEPT     all  --  anywhere             anywhere
>> > > >
>> > > > Chain FORWARD (policy ACCEPT)
>> > > > target     prot opt source               destination
>> > > > ACCEPT     all  --  anywhere             anywhere
>> > > >
>> > > > Chain OUTPUT (policy ACCEPT)
>> > > > target     prot opt source               destination
>> > > > ACCEPT     all  --  anywhere             anywhere
>> > > >
>> > > > One more thing, this setup is self-hosted. The MS and host are on the same
>> > > > machine.
>> > > >
>> > > >
>> > > >
>> > > > On Tue, Apr 5, 2016 at 8:22 PM Rafael Weingärtner <
>> > > > rafaelweingartner@gmail.com> wrote:
>> > > >
>> > > > > Those rules should not block the "ping" command, hence they are meant to
>> > > > > block "http" right?
>> > > > >
>> > > > >
>> > > > > I have been having the same problem lately with XenServer.
>> > > > >
>> > > > > The iptables rules that are rejecting my traffic are at the host itself.
>> > > > >
>> > > > > Can you check your host iptables configs?
>> > > > >
>> > > > > On Tue, Apr 5, 2016 at 3:42 AM, Syafiq Rokman <msyafiq.rokman@gmail.com>
>> > > > > wrote:
>> > > > >
>> > > > > > Hi,
>> > > > > >
>> > > > > > Can't ping the default gateway of the SSVM or 8.8.8.8 from the SSVM.
>> > > > > > I'm using KVM as hypervisor.
>> > > > > >
>> > > > > > Tried changing iptables rules on SSVM using
>> > > > > >
>> > > > > > iptables -F
>> > > > > > iptables -X
>> > > > > > iptables -t nat -F
>> > > > > > iptables -t nat -X
>> > > > > > iptables -t mangle -F
>> > > > > > iptables -t mangle -X
>> > > > > > iptables -P INPUT ACCEPT
>> > > > > > iptables -P FORWARD ACCEPT
>> > > > > > iptables -P OUTPUT ACCEPT
>> > > > > >
>> > > > > > to allow all connections, but keep getting this at Chain OUTPUT:
>> > > > > >
>> > > > > > REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable
>> > > > > > REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https reject-with icmp-port-unreachable
>> > > > > >
>> > > > > >
>> > > > > >
>> > > > > > On Mon, Apr 4, 2016 at 6:49 PM Rafael Weingärtner <
>> > > > > > rafaelweingartner@gmail.com> wrote:
>> > > > > >
>> > > > > > > What hypervisor are you using?
>> > > > > > > Did you change the iptables rules at the SSVM itself?
>> > > > > > >
>> > > > > > > On Mon, Apr 4, 2016 at 6:50 AM, Glenn Wagner <glenn.wagner@shapeblue.com>
>> > > > > > > wrote:
>> > > > > > >
>> > > > > > > > Hi,
>> > > > > > > >
>> > > > > > > > Can you ping the default gateway of the SSVM?
>> > > > > > > > Can you ping google DNS 8.8.8.8 from the SSVM?
>> > > > > > > >
>> > > > > > > > Thanks
>> > > > > > > > Glenn
>> > > > > > > >
>> > > > > > > >
>> > > > > > > > Regards,
>> > > > > > > >
>> > > > > > > > Glenn Wagner
>> > > > > > > >
>> > > > > > > > glenn.wagner@shapeblue.com
>> > > > > > > > www.shapeblue.com
>> > > > > > > > 2nd Floor, Oudehuis Centre, 122 Main Rd, Somerset West, Cape Town
>> > > > > > > > 7130 South Africa
>> > > > > > > > @shapeblue
>> > > > > > > >
>> > > > > > > > -----Original Message-----
>> > > > > > > > From: Syafiq Rokman [mailto:msyafiq.rokman@gmail.com]
>> > > > > > > > Sent: Monday, 04 April 2016 11:16 AM
>> > > > > > > > To: users@cloudstack.apache.org
>> > > > > > > > Subject: SSVM cant route to MS, Iptables keep self-updating
>> > > > > > > >
>> > > > > > > > Hi everyone!
>> > > > > > > >
>> > > > > > > > I'm running CS 4.8 on Ubuntu 14.04 LTS.
>> > > > > > > >
>> > > > > > > > So I've managed to set up everything, but I still can't install templates.
>> > > > > > > > So I SSH-ed into the SSVM and ran the healthcheck and it seems that the
>> > > > > > > > SSVM can't connect to the DNS.
>> > > > > > > >
>> > > > > > > > Logs say that it can't route to host.
>> > > > > > > >
>> > > > > > > > So I've tried to allow all outgoing/incoming connections on Iptables, but
>> > > > > > > > it keeps changing back to deny outgoing connections.
>> > > > > > > >
>> > > > > > > > Any ideas on how to proceed?
>> > > > > > > >
>> > > > > > > > Will provide logs if anyone needs it.
>> > > > > > > >
>> > > > > > > > Thanks
>> > > > > > > > Syafiq Rokman
>> > > > > > > > B.ICT Student
>> > > > > > > >
>> > > > > > >
>> > > > > > >
>> > > > > > >
>> > > > > > > --
>> > > > > > > Rafael Weingärtner
>> > > > > > >
>> > > > > >
>> > > > >
>> > > > >
>> > > > >
>> > > > > --
>> > > > > Rafael Weingärtner
>> > > > >
>> > > > --
>> > > > Syafiq Rokman
>> > > > B. ICT Student
>> > > > Universiti Teknologi PETRONAS
>> > > >
>> > >
>> > >
>> > >
>> > > --
>> > > Rafael Weingärtner
>> > >
>> > --
>> > Syafiq Rokman
>> > B. ICT Student
>> > Universiti Teknologi PETRONAS
>> >
>>
>>
>>
>> --
>> Rafael Weingärtner
>>
> --
> Syafiq Rokman
> B. ICT Student
> Universiti Teknologi PETRONAS
>
-- 
Syafiq Rokman
B. ICT Student
Universiti Teknologi PETRONAS
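
Added example, not part of the original thread: the `iptables -L` listing quoted above lost its head under repeated REJECT lines, so this sketch collapses `iptables -S`-style rule text into one line per distinct rule with a repeat count. The function names and the sample rules are constructed for illustration; on the SSVM the input would come from `iptables -S OUTPUT`.

```shell
#!/bin/sh
# Read `iptables -S`-style text on stdin and print "<count><TAB><rule>"
# for every distinct -A rule, in first-seen order (rule order matters).
summarise_rules() {
    awk '
        /^-A / {
            if (!($0 in count)) order[++n] = $0   # remember first appearance
            count[$0]++
        }
        END {
            for (i = 1; i <= n; i++)
                printf "%d\t%s\n", count[order[i]], order[i]
        }'
}

# Print each policy (-P), chain (-N) and rule (-A) line once, keeping the
# original order, so the head of the ruleset is readable again.
unique_rules() {
    awk '/^-[PNA] / && !seen[$0]++'
}

# Constructed sample: three policies plus the two REJECT rules from the
# thread, repeated the way the listing above repeats them.
sample_rules() {
    cat <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
EOF
}

# Offline demonstration on the constructed sample.
sample_rules | summarise_rules
```

Running the summary twice a few minutes apart and comparing the counts shows whether rules are still being appended and to which chain.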
