iptables -L in SSVM :

REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:https reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:http reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp
dpt:https reject-with icmp-port-unreachable

Chain HTTP (0 references)
target     prot opt source               destination

==

The head is lost, I'm not sure how to filter out the spammed rules.

On Tue, Apr 5, 2016 at 8:51 PM Rafael Weingärtner <
rafaelweingart...@gmail.com> wrote:

> can you post your iptables -L from SSVM?
>
> On Tue, Apr 5, 2016 at 9:47 AM, Syafiq Rokman <msyafiq.rok...@gmail.com>
> wrote:
>
> > Yes, just tried ping from SSVM to DNS, and 8.8.8.8, and google.com. Host
> > still unreachable.
> > Healthcheck script also returning host unreachable.
> >
> >
> > On Tue, Apr 5, 2016 at 8:39 PM Rafael Weingärtner <
> > rafaelweingart...@gmail.com> wrote:
> >
> > > Ok, so in your host there is nothing blocking the in-out/going requests,
> > > but still the ping command does not work?
> > >
> > > That rule you presented earlier should not block “icmp-echo-request”.
> > >
> > > On Tue, Apr 5, 2016 at 9:36 AM, Syafiq Rokman <msyafiq.rok...@gmail.com>
> > > wrote:
> > >
> > > > I've checked the host iptables just now...there were rules accommodating the
> > > > SSVM and CPVM.
> > > > But I've made the mistake of flushing the iptables rules without any
> > > > backup.
> > > > Now Iptables -P, -L has:
> > > >
> > > > -P INPUT ACCEPT
> > > > -P FORWARD ACCEPT
> > > > -P OUTPUT ACCEPT
> > > > -A INPUT -j ACCEPT
> > > > -A INPUT -j ACCEPT
> > > > -A FORWARD -j ACCEPT
> > > > -A OUTPUT -j ACCEPT
> > > > Chain INPUT (policy ACCEPT)
> > > > target     prot opt source               destination
> > > > ACCEPT     all  --  anywhere             anywhere
> > > > ACCEPT     all  --  anywhere             anywhere
> > > >
> > > > Chain FORWARD (policy ACCEPT)
> > > > target     prot opt source               destination
> > > > ACCEPT     all  --  anywhere             anywhere
> > > >
> > > > Chain OUTPUT (policy ACCEPT)
> > > > target     prot opt source               destination
> > > > ACCEPT     all  --  anywhere             anywhere
> > > >
> > > > One more thing, this setup is self-hosted. The MS and host are on the same
> > > > machine.
> > > >
> > > >
> > > >
> > > > On Tue, Apr 5, 2016 at 8:22 PM Rafael Weingärtner <
> > > > rafaelweingart...@gmail.com> wrote:
> > > >
> > > > > Those rules should not block the "ping" command, hence they are meant to
> > > > > block "http" right?
> > > > >
> > > > >
> > > > > I have been having the same problem lately with XenServer.
> > > > >
> > > > > The iptables rules that are rejecting my traffic are at the host itself.
> > > > >
> > > > > Can you check your host iptables configs?
> > > > >
> > > > > On Tue, Apr 5, 2016 at 3:42 AM, Syafiq Rokman <msyafiq.rok...@gmail.com>
> > > > > wrote:
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > Can't ping the default gateway of the SSVM or 8.8.8.8 from the SSVM.
> > > > > > I'm using KVM as hypervisor.
> > > > > >
> > > > > > Tried changing iptables rules on SSVM using
> > > > > >
> > > > > > iptables -F
> > > > > > iptables -X
> > > > > > iptables -t nat -F
> > > > > > iptables -t nat -X
> > > > > > iptables -t mangle -F
> > > > > > iptables -t mangle -X
> > > > > > iptables -P INPUT ACCEPT
> > > > > > iptables -P FORWARD ACCEPT
> > > > > > iptables -P OUTPUT ACCEPT
> > > > > >
> > > > > > to allow all connections, but keep getting this at Chain OUTPUT:
> > > > > >
> > > > > > REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable
> > > > > > REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https reject-with icmp-port-unreachable
> > > > > >
> > > > > >
> > > > > >
> > > > > > On Mon, Apr 4, 2016 at 6:49 PM Rafael Weingärtner <
> > > > > > rafaelweingart...@gmail.com> wrote:
> > > > > >
> > > > > > > What hypervisor are you using?
> > > > > > > Did you change the iptables rules at the SSVM itself?
> > > > > > >
> > > > > > > On Mon, Apr 4, 2016 at 6:50 AM, Glenn Wagner <glenn.wag...@shapeblue.com>
> > > > > > > wrote:
> > > > > > >
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > Can you ping the default gateway of the SSVM?
> > > > > > > > Can you ping google DNS 8.8.8.8 from the SSVM?
> > > > > > > >
> > > > > > > > Thanks
> > > > > > > > Glenn
> > > > > > > >
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > >
> > > > > > > > Glenn Wagner
> > > > > > > >
> > > > > > > > glenn.wag...@shapeblue.com
> > > > > > > > www.shapeblue.com
> > > > > > > > 2nd Floor, Oudehuis Centre, 122 Main Rd, Somerset West, Cape Town
> > > > > > > > 7130 South Africa
> > > > > > > > @shapeblue
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Syafiq Rokman [mailto:msyafiq.rok...@gmail.com]
> > > > > > > > Sent: Monday, 04 April 2016 11:16 AM
> > > > > > > > To: users@cloudstack.apache.org
> > > > > > > > Subject: SSVM cant route to MS, Iptables keep self-updating
> > > > > > > >
> > > > > > > > Hi everyone!
> > > > > > > >
> > > > > > > > I'm running CS 4.8 on Ubuntu 14.04 LTS.
> > > > > > > >
> > > > > > > > So I've managed to set up everything, but I still can't install
> > > > > > > > templates.
> > > > > > > > So I SSH-ed into the SSVM and ran the healthcheck and it seems that the
> > > > > > > > SSVM can't connect to the DNS.
> > > > > > > >
> > > > > > > > Logs say that it can't route to host.
> > > > > > > >
> > > > > > > > So I've tried to allow all outgoing/incoming connections on Iptables, but
> > > > > > > > it keeps changing back to deny outgoing connections.
> > > > > > > >
> > > > > > > > Any ideas on how to proceed?
> > > > > > > >
> > > > > > > > Will provide logs if anyone needs them.
> > > > > > > >
> > > > > > > > Thanks
> > > > > > > > Syafiq Rokman
> > > > > > > > B.ICT Student
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > Rafael Weingärtner
> > > > > > >
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Rafael Weingärtner
> > > > >
> > > > --
> > > > Syafiq Rokman
> > > > B. ICT Student
> > > > Universiti Teknologi PETRONAS
> > > >
> > >
> > >
> > >
> > > --
> > > Rafael Weingärtner
> > >
> > --
> > Syafiq Rokman
> > B. ICT Student
> > Universiti Teknologi PETRONAS
> >
>
>
>
> --
> Rafael Weingärtner
>
-- 
Syafiq Rokman
B. ICT Student
Universiti Teknologi PETRONAS
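
Added example, not part of the thread and not CloudStack code: one way to read a listing like the one at the top of this message when the same REJECT rules repeat dozens of times. The function names `summarize_rules` and `sample_listing` are made up for this example, and the sample listing is constructed from the rule text shown above; it expects unwrapped lines as `iptables -L` prints them.

```shell
#!/bin/sh
# Collapse repeated rules in `iptables -L` output read from stdin.
# Prints every chain header once, then each distinct rule of that chain in
# first-seen order, prefixed with how many times it occurs.
summarize_rules() {
    awk '
        function flush_chain(   i) {
            for (i = 1; i <= n; i++) printf "%5dx %s\n", count[order[i]], order[i]
            for (i = 1; i <= n; i++) delete count[order[i]]
            n = 0
        }
        /^Chain / { flush_chain(); print; next }     # new chain: emit the previous one
        /^target[ \t]/ || /^[ \t]*$/ { next }        # skip column header and blank lines
        {
            gsub(/[ \t]+/, " ")                      # normalise column padding
            sub(/^ /, ""); sub(/ $/, "")
            if (!($0 in count)) order[++n] = $0      # remember first-seen order
            count[$0]++
        }
        END { flush_chain() }
    '
}

# Constructed sample input (not captured from a real SSVM).
sample_listing() {
    cat <<'EOF'
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable

Chain HTTP (0 references)
target     prot opt source               destination
EOF
}

sample_listing | summarize_rules
```

On a live system, pipe `iptables -L -n` into `summarize_rules` instead of the sample; chains that print only a header have no rules.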
