CloudPlatform 3.x

Gert Jensen

xenserver iptables

Hello,

I am only using advanced networking with VLANs.

My problem is that when iptables is enabled on the XenServer, nothing works.

So I have disabled iptables with chkconfig iptables off, but
that does not keep it disabled.

So once a day I go and stop the service with service iptables stop.

But does anybody have a clue what I should do to keep it disabled,
or to open the correct ports on my XenServer firewall?
My iptables configuration is:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 67 --in-interface xenapi -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 694 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

I am not an iptables kind of guy, so if you have examples it would help a lot. :)
My problem is that if I have 2 servers and they are on different servers, they cannot communicate,
for instance a server and a router, or 2 servers.

Kind regards
Gert


Kurt Bachelder

Hi Gert -

I'm not sure what the issue is with your configuration, but I can tell you that we're on XenServer 6.1 (hotfix XS610E030) with iptables enabled with VLAN-based advanced networking, and have no issues with connectivity.

chkconfig iptables off will only prevent the service from starting automatically at the given init levels at OS boot... so if something is manually restarting it due to cloud config, chkconfig won't have an impact.

One thing that I've noticed is that if you need to restart iptables on the XenServer host, the rules do not get refreshed properly. The host itself does NOT store all of the rules required for use with CloudPlatform - some of the rules are dynamically populated when the server transitions to an "up" state.

My iptables file looks very similar to yours... however, if you run "iptables -L", you should see MANY more rules in the current list that are not in the configuration file - many of them configured for the bridged interfaces that CCP creates when you use advanced networking. I'd recommend putting the server in maintenance mode and rebooting it so that it grabs the correct rules configuration from CloudPlatform... then don't mess with iptables... let CCP handle it for you and see if that works.

K


Gert Jensen

Hello kbacheI903,

Thank you for your reply.

I have tried to let CS "do its thing" with iptables, but the bottom line is that
I cannot have 2 VMs on different hosts communicate with each other if the iptables service is on.

I have tried waiting 4 hours after a restart to see if something happens, but no.

I am trying to figure out how to monitor the iptables deny rules.

I would like to have CS completely control my iptables, but it is just not working for me. :)

Kind regards
Gert


Kurt Bachelder

Hi Gert -

iptables -L (or iptables --list) will show you all of the current iptables rules that are in memory - that includes anything that has been added, removed, changed, reordered, etc. - basically, anything that is currently active.

I do think you'll need to fix the actual problem, though - the thing with iptables is that even if you stop the service, anything that modifies the iptables rule list will auto-start the service:

# service iptables stop
iptables: Flushing firewall rules: OK
iptables: Setting chains to policy ACCEPT: filter OK
iptables: Unloading modules: OK

# service iptables status
iptables: Firewall is not running.

# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

# iptables -A INPUT -p icmp -j ACCEPT

# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

K


Gert Jensen

Hello,

Yes, I agree with you that I need to figure out why I do not get traffic through, but do you know
which log file I can see some info in? :)

Kind regards
Gert


Oscar Ayoun (Administrator)

Since iptables is part of the kernel, the log lines generated by iptables are written to /var/log/kern.log.

At least I can confirm this on XenServer 6.2.

Hope it helps.


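As an added example that is not part of this thread and not CloudPlatform's or XenServer's own code: a REJECT rule on its own writes nothing to kern.log, because iptables only logs packets that hit a LOG target. The script below inserts a rate-limited LOG rule directly in front of the final REJECT in RH-Firewall-1-INPUT (the chain name is taken from the config posted above; since both INPUT and FORWARD jump into that chain, the rule sees host-bound and bridged VM traffic alike) and then summarises the resulting /var/log/kern.log lines per flow, so rejected VM-to-VM traffic shows up with its interfaces, source, destination and port. The log prefix CCP-REJECT: and the sample log lines are constructed for this example; because of the rate limit, the counts are a lower bound rather than an exact packet count.

```shell
#!/bin/sh
# Added example for this thread; not code from CloudPlatform or XenServer.
# Assumptions: the chain RH-Firewall-1-INPUT and its final REJECT rule are
# taken from the iptables config posted above; the log prefix "CCP-REJECT: "
# is this example's own choice; kernel messages land in /var/log/kern.log as
# stated in the thread.
LOG_PREFIX="CCP-REJECT: "
KERN_LOG=/var/log/kern.log

# Insert a rate-limited LOG rule directly in front of the final REJECT of
# RH-Firewall-1-INPUT. Both INPUT and FORWARD jump into that chain in the
# posted config, so host-bound and bridged (forwarded) packets are both logged.
# Run as root on the XenServer host; the rule is live only and disappears at
# the next flush or service restart.
install_log_rule() {
    pos=$(iptables -L RH-Firewall-1-INPUT -n --line-numbers \
          | awk '$2 == "REJECT" { print $1; exit }')
    if [ -z "$pos" ]; then
        echo "no REJECT rule found in RH-Firewall-1-INPUT" >&2
        return 1
    fi
    iptables -I RH-Firewall-1-INPUT "$pos" \
        -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-prefix "$LOG_PREFIX" --log-level 4
}

# Read kern.log lines on stdin and print one line per rejected flow:
#   <count> <in-if> <out-if> <proto> <src> <dst> <dport>
# sorted by count, descending. Missing fields print as "-".
summarize_rejects() {
    grep -F "$LOG_PREFIX" | awk '
    {
        in_if = "-"; out_if = "-"; proto = "-"; src = "-"; dst = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2 || kv[2] == "") continue
            if      (kv[1] == "IN")    in_if  = kv[2]
            else if (kv[1] == "OUT")   out_if = kv[2]
            else if (kv[1] == "PROTO") proto  = kv[2]
            else if (kv[1] == "SRC")   src    = kv[2]
            else if (kv[1] == "DST")   dst    = kv[2]
            else if (kv[1] == "DPT")   dpt    = kv[2]
        }
        key = in_if " " out_if " " proto " " src " " dst " " dpt
        count[key]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample of what the LOG target writes: two bridged TCP SYNs from
# one VM to another on port 22, one UDP packet aimed at the host itself, and
# one unrelated kernel line that must be ignored.
SAMPLE_LOG='Mar  3 09:12:01 xenhost1 kernel: CCP-REJECT: IN=xenbr0 OUT=xenbr0 PHYSIN=vif3.0 PHYSOUT=eth0 SRC=10.1.1.20 DST=10.1.1.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 09:12:02 xenhost1 kernel: CCP-REJECT: IN=xenbr0 OUT=xenbr0 PHYSIN=vif3.0 PHYSOUT=eth0 SRC=10.1.1.20 DST=10.1.1.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 09:12:05 xenhost1 kernel: CCP-REJECT: IN=xenbr0 OUT= MAC=00:16:3e:11:22:33:00:16:3e:44:55:66:08:00 SRC=10.1.1.20 DST=10.1.1.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=100 DF PROTO=UDP SPT=40000 DPT=161 LEN=64
Mar  3 09:12:07 xenhost1 kernel: eth0: link is up'

# install : add the LOG rule (root, on the host)
# live    : summarise the real kern.log
# (none)  : run the parser over the constructed sample
case "${1:-demo}" in
    install) install_log_rule ;;
    live)    summarize_rejects < "$KERN_LOG" ;;
    demo)    printf '%s\n' "$SAMPLE_LOG" | summarize_rejects ;;
esac
```

Run the script with the argument install as root on the host, reproduce the failing VM-to-VM connection, then run it with live to see which flows hit the REJECT; with no argument it only runs the parser over the built-in sample. A line whose OUT column is a bridge (xenbr0 in the sample) was forwarded traffic between VMs, while a line with OUT shown as "-" was addressed to the host itself. The LOG rule is inserted live and not written to the config file, so it goes away with the next flush or rule reload, which is the safe choice on a host where CloudPlatform owns the rule set.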