cloudstack-users mailing list archives

From Mindaugas Milinavičius <mindau...@clustspace.com>
Subject Re: SSVM cant route to MS, Iptables keep self-updating
Date Tue, 05 Apr 2016 13:34:03 GMT
added an additional DNS IP: 8.8.8.8 8.8.4.4




Pagarbiai
Mindaugas Milinavičius
UAB STARNITA
Direktorius
http://www.clustspace.com
LT: +37068882880
RU: +79651806396

Tomorrow's possibilities today
<http://www.clustspace.com/>

   - 1 Core, 512MB RAM, 20GB SSD, 1Gbps, Unlimited, Location: Romania, Los
   Angeles, Ashburn Washington - 11EUR
   - 1 Core, 1024MB RAM, 30GB SSD, 1Gbps, Unlimited, Location: Romania, Los
   Angeles, Ashburn Washington - 18,7EUR
   - 2 Cores, 2048MB RAM, 40GB SSD, 1Gbps, Unlimited, Location: Romania,
   Los Angeles, Ashburn Washington - 27,5EUR
   - 4 Cores, 4096MB RAM, 100GB SSD, 1Gbps, Unlimited, Location: Romania,
   Los Angeles, Ashburn Washington - 46EUR


On Tue, Apr 5, 2016 at 4:31 PM, Syafiq Rokman <msyafiq.rokman@gmail.com>
wrote:

> I think so. network/interfaces file on host/MS:
>
> auto lo
> iface lo inet loopback
>
> auto eth0.100
> iface eth0.100 inet manual
>         address 172.16.135.179
>         netmask 255.255.255.0
>         gateway 172.16.135.254
>         dns-nameservers 172.16.238.7 172.16.238.6
>
> # Public network
> auto cloudbr0
> iface cloudbr0 inet manual
>
>  bridge_ports eth0.200
>  bridge_fd 5
>  bridge_stp off
>  bridge_maxwait 1
>
> # Private network
> auto cloudbr1
> iface cloudbr1 inet manual
>     bridge_ports eth0.300
>     bridge_fd 5
>     bridge_stp off
>     bridge_maxwait 1
>
>
> On Tue, Apr 5, 2016 at 9:21 PM Mindaugas Milinavičius <
> mindaugas@clustspace.com> wrote:
>
> > Is your network configured properly?
> >
> >
> > On Tue, Apr 5, 2016 at 4:18 PM, Syafiq Rokman <msyafiq.rokman@gmail.com>
> > wrote:
> >
> > > traceroute to 172.16.238.7 (172.16.238.7), 30 hops max, 60 byte packets
> > >  1  172.16.135.12 (172.16.135.12)  2996.763 ms !H  2996.765 ms !H  2996.764 ms !H
> > >
> > > traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
> > >  1  s-2059-VM (172.16.135.84)  2996.386 ms !H  2996.374 ms !H  2996.371 ms !H
> > >
> > >
> > >
> > > On Tue, Apr 5, 2016 at 9:01 PM Syafiq Rokman <msyafiq.rokman@gmail.com>
> > > wrote:
> > >
> > > > iptables -L in SSVM :
> > > >
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:https reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:http reject-with icmp-port-unreachable
> > > > REJECT     tcp  --  anywhere             anywhere             state
> NEW
> > > > tcp dpt:https reject-with icmp-port-unreachable
> > > >
> > > > Chain HTTP (0 references)
> > > > target     prot opt source               destination
> > > >
> > > > ==
> > > >
> > > > The head is lost, I'm not sure how to filter out the spammed rules.
> > > >
> > > > On Tue, Apr 5, 2016 at 8:51 PM Rafael Weingärtner <
> > > > rafaelweingartner@gmail.com> wrote:
> > > >
> > > >> can you post your iptables -L from SSVM?
> > > >>
> > > >> On Tue, Apr 5, 2016 at 9:47 AM, Syafiq Rokman <msyafiq.rokman@gmail.com>
> > > >> wrote:
> > > >>
> > > >> > Yes, just tried ping from SSVM to DNS, and 8.8.8.8, and google.com. Host
> > > >> > still unreachable.
> > > >> > Healthcheck script also returning host unreachable.
> > > >> >
> > > >> >
> > > >> > On Tue, Apr 5, 2016 at 8:39 PM Rafael Weingärtner <
> > > >> > rafaelweingartner@gmail.com> wrote:
> > > >> >
> > > >> > > Ok, so in your host there is nothing blocking the in-out/going requests,
> > > >> > > but still the ping command does not work?
> > > >> > >
> > > >> > > That rule you presented earlier should not block “icmp-echo-request”.
> > > >> > >
> > > >> > > On Tue, Apr 5, 2016 at 9:36 AM, Syafiq Rokman <msyafiq.rokman@gmail.com>
> > > >> > > wrote:
> > > >> > >
> > > >> > > > I've checked the host iptables just now...there were rules accommodating the
> > > >> > > > SSVM and CPVM.
> > > >> > > > But I've made the mistake of flushing the iptables rules without any
> > > >> > > > backup.
> > > >> > > > Now Iptables -P, -L has:
> > > >> > > >
> > > >> > > > -P INPUT ACCEPT
> > > >> > > > -P FORWARD ACCEPT
> > > >> > > > -P OUTPUT ACCEPT
> > > >> > > > -A INPUT -j ACCEPT
> > > >> > > > -A INPUT -j ACCEPT
> > > >> > > > -A FORWARD -j ACCEPT
> > > >> > > > -A OUTPUT -j ACCEPT
> > > >> > > > Chain INPUT (policy ACCEPT)
> > > >> > > > target     prot opt source               destination
> > > >> > > > ACCEPT     all  --  anywhere             anywhere
> > > >> > > > ACCEPT     all  --  anywhere             anywhere
> > > >> > > >
> > > >> > > > Chain FORWARD (policy ACCEPT)
> > > >> > > > target     prot opt source               destination
> > > >> > > > ACCEPT     all  --  anywhere             anywhere
> > > >> > > >
> > > >> > > > Chain OUTPUT (policy ACCEPT)
> > > >> > > > target     prot opt source               destination
> > > >> > > > ACCEPT     all  --  anywhere             anywhere
> > > >> > > >
> > > >> > > > One more thing, this setup is self-hosted. The MS and host are on the same
> > > >> > > > machine.
> > > >> > > >
> > > >> > > >
> > > >> > > >
> > > >> > > > On Tue, Apr 5, 2016 at 8:22 PM Rafael Weingärtner <
> > > >> > > > rafaelweingartner@gmail.com> wrote:
> > > >> > > >
> > > >> > > > > Those rules should not block the "ping" command, hence they are meant to
> > > >> > > > > block "http" right?
> > > >> > > > >
> > > >> > > > >
> > > >> > > > > I have been having the same problem lately with XenServer.
> > > >> > > > >
> > > >> > > > > The iptables rules that are rejecting my traffic are at the host itself.
> > > >> > > > >
> > > >> > > > > Can you check your host iptables configs?
> > > >> > > > >
> > > >> > > > > On Tue, Apr 5, 2016 at 3:42 AM, Syafiq Rokman <msyafiq.rokman@gmail.com>
> > > >> > > > > wrote:
> > > >> > > > >
> > > >> > > > > > Hi,
> > > >> > > > > >
> > > >> > > > > > Can't ping the default gateway of the SSVM or 8.8.8.8 from the SSVM.
> > > >> > > > > > I'm using KVM as hypervisor.
> > > >> > > > > >
> > > >> > > > > > Tried changing iptables rules on SSVM using
> > > >> > > > > >
> > > >> > > > > > iptables -F
> > > >> > > > > > iptables -X
> > > >> > > > > > iptables -t nat -F
> > > >> > > > > > iptables -t nat -X
> > > >> > > > > > iptables -t mangle -F
> > > >> > > > > > iptables -t mangle -X
> > > >> > > > > > iptables -P INPUT ACCEPT
> > > >> > > > > > iptables -P FORWARD ACCEPT
> > > >> > > > > > iptables -P OUTPUT ACCEPT
> > > >> > > > > >
> > > >> > > > > > to allow all connections, but keep getting this at Chain OUTPUT:
> > > >> > > > > >
> > > >> > > > > > REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable
> > > >> > > > > > REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https reject-with icmp-port-unreachable
> > > >> > > > > >
> > > >> > > > > >
> > > >> > > > > >
> > > >> > > > > > On Mon, Apr 4, 2016 at 6:49 PM Rafael Weingärtner <
> > > >> > > > > > rafaelweingartner@gmail.com> wrote:
> > > >> > > > > >
> > > >> > > > > > > What hypervisor are you using?
> > > >> > > > > > > Did you change the iptables rules at the SSVM itself?
> > > >> > > > > > >
> > > >> > > > > > > On Mon, Apr 4, 2016 at 6:50 AM, Glenn Wagner <glenn.wagner@shapeblue.com>
> > > >> > > > > > > wrote:
> > > >> > > > > > >
> > > >> > > > > > > > Hi,
> > > >> > > > > > > >
> > > >> > > > > > > > Can you ping the default gateway of the SSVM?
> > > >> > > > > > > > Can you ping google DNS 8.8.8.8 from the SSVM?
> > > >> > > > > > > >
> > > >> > > > > > > > Thanks
> > > >> > > > > > > > Glenn
> > > >> > > > > > > >
> > > >> > > > > > > >
> > > >> > > > > > > > Regards,
> > > >> > > > > > > >
> > > >> > > > > > > > Glenn Wagner
> > > >> > > > > > > >
> > > >> > > > > > > > glenn.wagner@shapeblue.com
> > > >> > > > > > > > www.shapeblue.com
> > > >> > > > > > > > 2nd Floor, Oudehuis Centre, 122 Main Rd, Somerset West, Cape Town
> > > >> > > > > > > > 7130 South Africa
> > > >> > > > > > > > @shapeblue
> > > >> > > > > > > >
> > > >> > > > > > > > -----Original Message-----
> > > >> > > > > > > > From: Syafiq Rokman [mailto:msyafiq.rokman@gmail.com]
> > > >> > > > > > > > Sent: Monday, 04 April 2016 11:16 AM
> > > >> > > > > > > > To: users@cloudstack.apache.org
> > > >> > > > > > > > Subject: SSVM cant route to MS, Iptables keep self-updating
> > > >> > > > > > > >
> > > >> > > > > > > > Hi everyone!
> > > >> > > > > > > >
> > > >> > > > > > > > I'm running CS 4.8 on Ubuntu 14.04 LTS.
> > > >> > > > > > > >
> > > >> > > > > > > > So I've managed to set up everything, but I still can't install templates.
> > > >> > > > > > > > So I SSH-ed into the SSVM and ran the healthcheck and it seems that the
> > > >> > > > > > > > SSVM can't connect to the DNS.
> > > >> > > > > > > >
> > > >> > > > > > > > Logs say that it can't route to host.
> > > >> > > > > > > >
> > > >> > > > > > > > So I've tried to allow all outgoing/incoming connections on Iptables, but
> > > >> > > > > > > > it keeps changing back to deny outgoing connections.
> > > >> > > > > > > >
> > > >> > > > > > > > Any ideas on how to proceed?
> > > >> > > > > > > >
> > > >> > > > > > > > Will provide logs if anyone needs it.
> > > >> > > > > > > >
> > > >> > > > > > > > Thanks
> > > >> > > > > > > > Syafiq Rokman
> > > >> > > > > > > > B.ICT Student
> > > >> > > > > > > >
> > > >> > > > > > >
> > > >> > > > > > >
> > > >> > > > > > >
> > > >> > > > > > > --
> > > >> > > > > > > Rafael Weingärtner
> > > >> > > > > > >
> > > >> > > > > >
> > > >> > > > >
> > > >> > > > >
> > > >> > > > >
> > > >> > > > > --
> > > >> > > > > Rafael Weingärtner
> > > >> > > > >
> > > >> > > > --
> > > >> > > > Syafiq Rokman
> > > >> > > > B. ICT Student
> > > >> > > > Universiti Teknologi PETRONAS
> > > >> > > >
> > > >> > >
> > > >> > >
> > > >> > >
> > > >> > > --
> > > >> > > Rafael Weingärtner
> > > >> > >
> > > >> > --
> > > >> > Syafiq Rokman
> > > >> > B. ICT Student
> > > >> > Universiti Teknologi PETRONAS
> > > >> >
> > > >>
> > > >>
> > > >>
> > > >> --
> > > >> Rafael Weingärtner
> > > >>
> > > > --
> > > > Syafiq Rokman
> > > > B. ICT Student
> > > > Universiti Teknologi PETRONAS
> > > >
> > > --
> > > Syafiq Rokman
> > > B. ICT Student
> > > Universiti Teknologi PETRONAS
> > >
> >
> --
> Syafiq Rokman
> B. ICT Student
> Universiti Teknologi PETRONAS
>
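
The quoted `iptables -L` listing repeats the same two REJECT rules so many times that the chain header scrolls away. As an added example (not part of the thread), this collapses such a listing to one line per distinct rule with a repeat count; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample modelled on the listing in the thread (not captured output).
sample_listing() {
cat <<'EOF'
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable

Chain HTTP (0 references)
target     prot opt source               destination
EOF
}

# Read `iptables -L` text on stdin; print "<chain> x<count> <rule>" once per
# distinct rule, in first-seen order.
summarize_rules() {
    awk '
        /^Chain /  { chain = $2; next }            # remember the current chain
        /^target / { next }                        # skip the column header
        NF == 0    { next }                        # skip blank separators
        {
            gsub(/[ \t]+/, " ")                    # normalise column padding
            key = chain SUBSEP $0
            if (!(key in count)) order[++n] = key  # keep first-seen order
            count[key]++
        }
        END {
            for (i = 1; i <= n; i++) {
                split(order[i], part, SUBSEP)
                printf "%s x%d %s\n", part[1], count[order[i]], part[2]
            }
        }'
}

# Number of rules in chain $1 that exactly repeat an earlier rule in that chain.
duplicate_count() {
    summarize_rules |
        awk -v c="$1" '$1 == c { sub(/^x/, "", $2); d += $2 - 1 } END { print d + 0 }'
}

sample_listing | summarize_rules
```

On a live system, pipe `iptables -L OUTPUT` into `summarize_rules` instead of the sample.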
