Elwin,

vcld ran these commands on the node:

iptables -D INPUT 1 ; /sbin/iptables -I INPUT 1 -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp -j ACCEPT --dport 22 -s 131.247.31.27/24

which apparently blocked itself out. I'm not sure why it assumes the first rule in the INPUT table can be deleted, but for whatever reason, that is the assumption. Then, the second rule is granting the user access to the node.

So, what I would recommend is adding an extra iptables rule in your base image at the top of your INPUT table that can safely be deleted (maybe just duplicate the first rule so you have two identical ones in a row). Then, when the above set of commands is run, it will not block itself out.

In 2.4.2, the firewall code has been greatly overhauled to better handle things like this.

Josh

On Friday, May 22, 2015 2:07:25 PM Elwin Litchfield wrote:
> I don't understand what happened or why, but it looks like something in the
> following vcld.log has shut/blocked ssh. Any idea what caused ssh to be
> shutdown or blocked?
>
> |28735|36:36|reserved| /usr/bin/ssh -i /etc/vcl/vcl.key -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectionAttempts=1 -o ConnectTimeout=3 -l root -p 22 -x Xen3Cent6VCLw1 'ls -d --color=never "/etc/sysconfig" 2>&1 || mkdir -p "/etc/sysconfig" 2>&1 && ls -d --color=never "/etc/sysconfig"' 2>&1
> 2015-05-11 13:24:00|26123|vcld:main(167)|lastcheckin time updated for management node 1: 2015-05-11 13:24:00
> 2015-05-11 13:24:00|28735|36:36|reserved|utils.pm:run_ssh_command(5020)|run_ssh_command output:
> |28735|36:36|reserved| /etc/sysconfig
> |28735|36:36|reserved| /etc/sysconfig
> 2015-05-11 13:24:00|28735|36:36|reserved|utils.pm:run_ssh_command(5034)|SSH command executed on Xen3Cent6VCLw1, returning (0, "/etc/sysconfig /etc/sysconfig")
> 2015-05-11 13:24:00|28735|36:36|reserved|Linux.pm:create_directory(1573)|directory already exists on Xen3Cent6VCLw1: '/etc/sysconfig'
> 2015-05-11 13:24:00|28735|36:36|reserved|OS.pm:copy_file(2781)|attempting to copy file on Xen3Cent6VCLw1: '/etc/sysconfig/iptables' -> '/etc/sysconfig/iptables_pre_22'
> 2015-05-11 13:24:01|28735|36:36|reserved|OS.pm:copy_file(2792)|copied file on Xen3Cent6VCLw1: '/etc/sysconfig/iptables' --> '/etc/sysconfig/iptables_pre_22'
> 2015-05-11 13:24:01|28735|36:36|reserved|Linux.pm:enable_firewall_port(3702)|backed up original iptables file to: '/etc/sysconfig/iptables_pre_22'
> 2015-05-11 13:24:01|28735|36:36|reserved|Linux.pm:enable_firewall_port(3710)|attempting to execute command on Xen3Cent6VCLw1: 'iptables -D INPUT 1 ; /sbin/iptables -I INPUT 1 -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp -j ACCEPT --dport 22 -s 131.247.31.27/24'
> 2015-05-11 13:24:01|28735|36:36|reserved|utils.pm:run_ssh_command(4902)|executing SSH command on Xen3Cent6VCLw1:
> |28735|36:36|reserved| /usr/bin/ssh -i /etc/vcl/vcl.key -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectionAttempts=1 -o ConnectTimeout=3 -l root -p 22 -x Xen3Cent6VCLw1 'iptables -D INPUT 1 ; /sbin/iptables -I INPUT 1 -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp -j ACCEPT --dport 22 -s 131.247.31.27/24' 2>&1
> 2015-05-11 13:24:01|28735|36:36|reserved|utils.pm:run_ssh_command(5020)|run_ssh_command output:
> 2015-05-11 13:24:01|28735|36:36|reserved|utils.pm:run_ssh_command(5034)|SSH command executed on Xen3Cent6VCLw1, returning (0, "")
> 2015-05-11 13:24:01|28735|36:36|reserved|Linux.pm:enable_firewall_port(3712)|executed command on Xen3Cent6VCLw1: 'iptables -D INPUT 1 ; /sbin/iptables -I INPUT 1 -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp -j ACCEPT --dport 22 -s 131.247.31.27/24'
> 2015-05-11 13:24:01|28735|36:36|reserved|utils.pm:run_ssh_command(4902)|executing SSH command on Xen3Cent6VCLw1:
> |28735|36:36|reserved| /usr/bin/ssh -i /etc/vcl/vcl.key -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectionAttempts=1 -o ConnectTimeout=3 -l root -p 22 -x Xen3Cent6VCLw1 '/sbin/iptables-save > /etc/sysconfig/iptables' 2>&1
>
> |28735|36:36|reserved| ---- WARNING ----
> |28735|36:36|reserved| 2015-05-11 13:24:01|28735|36:36|reserved|utils.pm:run_ssh_command(5006)|attempt 1/3: failed to execute SSH command on Xen3Cent6VCLw1: '/sbin/iptables-save > /etc/sysconfig/iptables', exit status: 255, output:
> |28735|36:36|reserved| ssh output (/sbin/ipta...): ssh: connect to host Xen3Cent6VCLw1 port 22: No route to host
>
> Thanks
> Lewis

--
-------------------------------
Josh Thompson
VCL Developer
North Carolina State University
my GPG/PGP key can be found at pgp.mit.edu

All electronic mail messages in connection with State business which are sent to or received by this account are subject to the NC Public Records Law and may be disclosed to third parties.
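The lockout mechanism Josh describes, as an added dry-run simulation that is not part of the thread or of VCL's own code: it parses a constructed iptables-save INPUT chain (assumed base image, management node assumed at 10.0.0.5), applies the "-D INPUT 1 ; -I INPUT 1 ..." sequence from the log, and checks whether the management node can still open SSH, with and without the sacrificial duplicate rule at the top. Only -s, -p, -i, --dport and -j are modelled; state matching is ignored.

```python
import ipaddress
import re

# Constructed sample of a base image's INPUT chain (iptables-save format),
# not taken from the thread. Rule 1 is the one that admits the management node.
BASE_IMAGE_INPUT = """
-A INPUT -s 10.0.0.5/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
""".strip().splitlines()

# Body of the rule vcld inserted at position 1 in the log above.
VCLD_INSERT = ("-m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp "
               "-j ACCEPT --dport 22 -s 131.247.31.27/24")

def opt(text, flag):
    """Return the argument following a whitespace-delimited flag, or None."""
    m = re.search(rf"(?:^|\s){re.escape(flag)}\s+(\S+)", text)
    return m.group(1) if m else None

def parse_rule(line):
    body = re.sub(r"^-A INPUT\s*", "", line.strip())
    return {"src": opt(body, "-s"), "proto": opt(body, "-p"),
            "dport": opt(body, "--dport"), "iface": opt(body, "-i"),
            "target": opt(body, "-j")}

def apply_vcld_commands(rules):
    """Simulate 'iptables -D INPUT 1 ; iptables -I INPUT 1 <rule>'."""
    return [parse_rule(VCLD_INSERT)] + rules[1:]

def accepts(rules, src, proto="tcp", dport="22", iface="eth0"):
    """First-match evaluation of a NEW connection; chain policy assumed ACCEPT,
    but the sample chain ends in a REJECT catch-all like CentOS 6 defaults."""
    for r in rules:
        if r["src"] and ipaddress.ip_address(src) not in \
                ipaddress.ip_network(r["src"], strict=False):
            continue
        if r["proto"] and r["proto"] != proto:
            continue
        if r["dport"] and r["dport"] != dport:
            continue
        if r["iface"] and r["iface"] != iface:
            continue
        return r["target"] == "ACCEPT"
    return True

def management_node_keeps_ssh(base_lines, mgmt_ip, sacrificial=False):
    rules = [parse_rule(l) for l in base_lines]
    if sacrificial:
        rules = [rules[0]] + rules   # duplicate rule 1, as Josh suggests
    return accepts(apply_vcld_commands(rules), mgmt_ip)
```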
