
Re: [Xen-API] XCP and Dell OpenManage Server Admin


  • To: Aric Aasgaard <aric@xxxxxxxxxx>
  • From: Casper Biering <cb@xxxxxxxxxxxxx>
  • Date: Fri, 28 Dec 2012 10:57:26 +0100
  • Cc: xen-api@xxxxxxxxxxxxx
  • Delivery-date: Fri, 28 Dec 2012 09:57:38 +0000
  • List-id: User and development list for XCP and XAPI <xen-api.lists.xen.org>

The problem was the order of the "-A INPUT" lines.

In your 2nd output, connections to port 1311 get REJECT'ed in the
RH-Firewall-1-INPUT chain before reaching your port 1311 ACCEPT rules.

I suggest you use the utility "system-config-securitylevel-tui" for
simple port opening. :)

-- Casper

On Thu, 2012-12-27 at 16:15 -0600, Aric Aasgaard wrote:
> Thanks, that was it.
> 
> I had this, no luck
> 
> # iptables-save
> # Generated by iptables-save v1.3.5 on Thu Dec 27 12:15:18 2012
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1246:384131]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A INPUT -p tcp -m tcp --dport 1311 -j ACCEPT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p esp -j ACCEPT
> -A RH-Firewall-1-INPUT -p ah -j ACCEPT
> -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -i xenapi -p udp -m udp --dport 67 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 694 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> # Completed on Thu Dec 27 12:15:18 2012
> 
> I tried this, no luck
> 
> # iptables-save
> # Generated by iptables-save v1.3.5 on Thu Dec 27 12:21:28 2012
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1246:384131]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A INPUT -p tcp -m tcp --dport 1311 -j ACCEPT
> -A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1311 -j ACCEPT
> -A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1311 -m state --state NEW -j ACCEPT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p esp -j ACCEPT
> -A RH-Firewall-1-INPUT -p ah -j ACCEPT
> -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -i xenapi -p udp -m udp --dport 67 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 694 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> # Completed on Thu Dec 27 12:21:28 2012
> 
> 
> I SCP'd /etc/sysconfig/iptables from a working Xenserver install and it
> worked... no clue why the others didn't
> 
> # iptables-save
> # Generated by iptables-save v1.3.5 on Thu Dec 27 12:44:35 2012
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [655:875233]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1311 -m state --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1311 -j ACCEPT
> -A INPUT -p udp -m udp --dport 161 -j ACCEPT
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p esp -j ACCEPT
> -A RH-Firewall-1-INPUT -p ah -j ACCEPT
> -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -i xenapi -p udp -m udp --dport 67 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 694 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> # Completed on Thu Dec 27 12:44:35 2012 
> 
> 
> 
> 
> -----Original Message-----
> From: Casper Biering [mailto:cb@xxxxxxxxxxx] 
> Sent: Thursday, December 27, 2012 5:30 AM
> To: Aric Aasgaard
> Cc: xen-api@xxxxxxxxxxxxx
> Subject: Re: [Xen-API] XCP and Dell OpenManage Server Admin
> 
> Hi,
> 
> It sounds like an iptables problem.
> 
> Could you please attach the output of the "iptables-save" command.
> 
> As a workaround, you can use SSH port forwarding:
> ssh -L 1311:127.0.0.1:1311 <server-ip>
> and then open https://localhost:1311/ in your local browser.
> 
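Added example, not part of the thread above: a small Python simulator of how the kernel walks the `filter` table (first matching rule wins, `-j` into a user chain, fall-off-the-end returns to the caller, built-in chain policy last). It parses `iptables-save` style rules and replays the two orderings from the thread, abridged to the rules that matter, so the reason the first order rejects tcp/1311 and the working order accepts it becomes visible. The packet fields, the interface name `eth0` and the 192.0.2.10 address are constructed for the demo; only the match options that appear in the thread's rulesets are understood.

```python
"""First-match simulator for iptables filter rules (teaching aid, not a firewall)."""
import shlex


def parse_ruleset(text):
    """Return (policies, chains) from iptables-save text; '-' marks a user chain."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(':'):
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            chains.setdefault(name, [])
        elif line.startswith('-A'):
            argv = shlex.split(line)
            rule, i = {'target': None}, 2
            while i < len(argv):
                tok = argv[i]
                if tok in ('-p', '--dport', '--sport', '-i', '-d', '-j'):
                    key = {'-p': 'proto', '--dport': 'dport', '--sport': 'sport',
                           '-i': 'iface', '-d': 'dst', '-j': 'target'}[tok]
                    rule[key] = argv[i + 1]
                    i += 2
                elif tok == '--state':
                    rule['state'] = set(argv[i + 1].split(','))
                    i += 2
                elif tok in ('-m', '--icmp-type', '--reject-with'):
                    i += 2          # module name / option value: no effect on matching here
                else:
                    i += 1
            chains.setdefault(argv[1], []).append(rule)
    return policies, chains


def _port_match(spec, port):
    """spec is None, '1311' or a range like '1024:65535'."""
    if spec is None:
        return True
    lo, _, hi = spec.partition(':')
    return int(lo) <= port <= int(hi or lo)


def _matches(rule, pkt):
    for key in ('proto', 'iface', 'dst'):
        if rule.get(key) not in (None, pkt[key]):
            return False
    if 'state' in rule and pkt['state'] not in rule['state']:
        return False
    return _port_match(rule.get('dport'), pkt['dport']) and \
        _port_match(rule.get('sport'), pkt['sport'])


def verdict(policies, chains, chain, pkt):
    """Walk `chain` for `pkt`; return (verdict, 'chain:index') or None on fall-through."""
    for idx, rule in enumerate(chains.get(chain, [])):
        if not _matches(rule, pkt):
            continue
        target = rule['target']
        if target in ('ACCEPT', 'DROP', 'REJECT'):
            return target, f'{chain}:{idx}'
        sub = verdict(policies, chains, target, pkt)   # jump into user chain
        if sub is not None:
            return sub                                  # user chain decided
    if policies.get(chain) == '-':
        return None                                     # user chain: RETURN to caller
    return policies.get(chain, 'ACCEPT'), f'{chain}:policy'


# Rulesets abridged from the thread: non-working order first, working order second.
HEADER = ":INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n:RH-Firewall-1-INPUT - [0:0]\n"
RH_CHAIN = """
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""
BROKEN = HEADER + """
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -p tcp -m tcp --dport 1311 -j ACCEPT
""" + RH_CHAIN
WORKING = HEADER + """
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1311 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1311 -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
""" + RH_CHAIN

# Constructed packet: a browser's first SYN towards the OMSA port on the host.
OMSA_SYN = {'proto': 'tcp', 'iface': 'eth0', 'dst': '192.0.2.10',
            'sport': 40000, 'dport': 1311, 'state': 'NEW'}


def check(ruleset_text, pkt=OMSA_SYN):
    policies, chains = parse_ruleset(ruleset_text)
    return verdict(policies, chains, 'INPUT', pkt)


if __name__ == '__main__':
    print('broken order :', check(BROKEN))    # REJECT inside RH-Firewall-1-INPUT
    print('working order:', check(WORKING))   # ACCEPT at INPUT rule 0
```

The trace shows the mechanism Casper describes: in the broken ordering INPUT rule 0 jumps into `RH-Firewall-1-INPUT`, whose final unconditional REJECT is terminal, so INPUT rule 1 is never consulted. Appending with `-A` puts new rules after that jump; only inserting before it (the working file's order, or `iptables -I INPUT`) lets the 1311 rule see the packet.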



_______________________________________________
Xen-api mailing list
Xen-api@xxxxxxxxxxxxx
http://lists.xen.org/cgi-bin/mailman/listinfo/xen-api

