traceroute to 172.16.238.7 (172.16.238.7), 30 hops max, 60 byte packets
 1  172.16.135.12 (172.16.135.12)  2996.763 ms !H  2996.765 ms !H  2996.764 ms !H
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  s-2059-VM (172.16.135.84)  2996.386 ms !H  2996.374 ms !H  2996.371 ms !H

On Tue, Apr 5, 2016 at 9:01 PM Syafiq Rokman <msyafiq.rok...@gmail.com> wrote:

> iptables -L in SSVM :
>
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable
> REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https reject-with icmp-port-unreachable
>
> Chain HTTP (0 references)
> target     prot opt source               destination
>
> ==
>
> The head is lost, I'm not sure how to filter out the spammed rules.
>
> On Tue, Apr 5, 2016 at 8:51 PM Rafael Weingärtner <rafaelweingart...@gmail.com> wrote:
>
>> can you post your iptables -L from SSVM?
>>
>> On Tue, Apr 5, 2016 at 9:47 AM, Syafiq Rokman <msyafiq.rok...@gmail.com> wrote:
>>
>> > Yes, just tried ping from SSVM to DNS, and 8.8.8.8, and google.com. Host still unreachable.
>> > Healthcheck script also returning host unreachable.
>> >
>> > On Tue, Apr 5, 2016 at 8:39 PM Rafael Weingärtner <rafaelweingart...@gmail.com> wrote:
>> >
>> > > Ok, so in your host there is nothing blocking the in-out/going requests, but still the ping command does not work?
>> > >
>> > > That rule you presented earlier should not block “icmp-echo-request”.
>> > >
>> > > On Tue, Apr 5, 2016 at 9:36 AM, Syafiq Rokman <msyafiq.rok...@gmail.com> wrote:
>> > >
>> > > > I've checked the host iptables just now...there were rules accommodating the SSVM and CPVM.
>> > > > But I've made the mistake of flushing the iptables rules without any backup.
>> > > > Now Iptables -P, -L has:
>> > > >
>> > > > -P INPUT ACCEPT
>> > > > -P FORWARD ACCEPT
>> > > > -P OUTPUT ACCEPT
>> > > > -A INPUT -j ACCEPT
>> > > > -A INPUT -j ACCEPT
>> > > > -A FORWARD -j ACCEPT
>> > > > -A OUTPUT -j ACCEPT
>> > > > Chain INPUT (policy ACCEPT)
>> > > > target     prot opt source               destination
>> > > > ACCEPT     all  --  anywhere             anywhere
>> > > > ACCEPT     all  --  anywhere             anywhere
>> > > >
>> > > > Chain FORWARD (policy ACCEPT)
>> > > > target     prot opt source               destination
>> > > > ACCEPT     all  --  anywhere             anywhere
>> > > >
>> > > > Chain OUTPUT (policy ACCEPT)
>> > > > target     prot opt source               destination
>> > > > ACCEPT     all  --  anywhere             anywhere
>> > > >
>> > > > One more thing, this setup is self-hosted. The MS and host are on the same machine.
>> > > >
>> > > > On Tue, Apr 5, 2016 at 8:22 PM Rafael Weingärtner <rafaelweingart...@gmail.com> wrote:
>> > > >
>> > > > > Those rules should not block the "ping" command, hence they are meant to block "http" right?
>> > > > >
>> > > > > I have been having the same problem lately with XenServer.
>> > > > >
>> > > > > The iptables rules that are rejecting my traffic are at the host itself.
>> > > > >
>> > > > > Can you check your host iptables configs?
>> > > > >
>> > > > > On Tue, Apr 5, 2016 at 3:42 AM, Syafiq Rokman <msyafiq.rok...@gmail.com> wrote:
>> > > > >
>> > > > > > Hi,
>> > > > > >
>> > > > > > Can't ping the default gateway of the SSVM or 8.8.8.8 from the SSVM.
>> > > > > > I'm using KVM as hypervisor.
>> > > > > >
>> > > > > > Tried changing iptables rules on SSVM using
>> > > > > >
>> > > > > > iptables -F
>> > > > > > iptables -X
>> > > > > > iptables -t nat -F
>> > > > > > iptables -t nat -X
>> > > > > > iptables -t mangle -F
>> > > > > > iptables -t mangle -X
>> > > > > > iptables -P INPUT ACCEPT
>> > > > > > iptables -P FORWARD ACCEPT
>> > > > > > iptables -P OUTPUT ACCEPT
>> > > > > >
>> > > > > > to allow all connections, but keep getting this at Chain OUTPUT:
>> > > > > >
>> > > > > > REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable
>> > > > > > REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https reject-with icmp-port-unreachable
>> > > > > >
>> > > > > > On Mon, Apr 4, 2016 at 6:49 PM Rafael Weingärtner <rafaelweingart...@gmail.com> wrote:
>> > > > > >
>> > > > > > > What hypervisor are you using?
>> > > > > > > Did you change the iptables rules at the SSVM itself?
>> > > > > > >
>> > > > > > > On Mon, Apr 4, 2016 at 6:50 AM, Glenn Wagner <glenn.wag...@shapeblue.com> wrote:
>> > > > > > >
>> > > > > > > > Hi,
>> > > > > > > >
>> > > > > > > > Can you ping the default gateway of the SSVM?
>> > > > > > > > Can you ping Google DNS 8.8.8.8 from the SSVM?
>> > > > > > > >
>> > > > > > > > Thanks
>> > > > > > > > Glenn
>> > > > > > > >
>> > > > > > > > Regards,
>> > > > > > > >
>> > > > > > > > Glenn Wagner
>> > > > > > > >
>> > > > > > > > glenn.wag...@shapeblue.com
>> > > > > > > > www.shapeblue.com
>> > > > > > > > 2nd Floor, Oudehuis Centre, 122 Main Rd, Somerset West, Cape Town 7130 South Africa
>> > > > > > > > @shapeblue
>> > > > > > > >
>> > > > > > > > -----Original Message-----
>> > > > > > > > From: Syafiq Rokman [mailto:msyafiq.rok...@gmail.com]
>> > > > > > > > Sent: Monday, 04 April 2016 11:16 AM
>> > > > > > > > To: users@cloudstack.apache.org
>> > > > > > > > Subject: SSVM cant route to MS, Iptables keep self-updating
>> > > > > > > >
>> > > > > > > > Hi everyone!
>> > > > > > > >
>> > > > > > > > I'm running CS 4.8 on Ubuntu 14.04 LTS.
>> > > > > > > >
>> > > > > > > > So I've managed to set up everything, but I still can't install templates.
>> > > > > > > > So I SSH-ed into the SSVM and ran the healthcheck and it seems that the SSVM can't connect to the DNS.
>> > > > > > > >
>> > > > > > > > Logs say that it can't route to host.
>> > > > > > > >
>> > > > > > > > So I've tried to allow all outgoing/incoming connections on Iptables, but it keeps changing back to deny outgoing connections.
>> > > > > > > >
>> > > > > > > > Any ideas on how to proceed?
>> > > > > > > >
>> > > > > > > > Will provide logs if anyone needs it.
>> > > > > > > >
>> > > > > > > > Thanks
>> > > > > > > > Syafiq Rokman
>> > > > > > > > B.ICT Student
>> > > > > > >
>> > > > > > > --
>> > > > > > > Rafael Weingärtner
>> > > > >
>> > > > > --
>> > > > > Rafael Weingärtner
>> > > >
>> > > > --
>> > > > Syafiq Rokman
>> > > > B. ICT Student
>> > > > Universiti Teknologi PETRONAS
>> > >
>> > > --
>> > > Rafael Weingärtner
>> >
>> > --
>> > Syafiq Rokman
>> > B. ICT Student
>> > Universiti Teknologi PETRONAS
>>
>> --
>> Rafael Weingärtner
>
> --
> Syafiq Rokman
> B. ICT Student
> Universiti Teknologi PETRONAS

--
Syafiq Rokman
B. ICT Student
Universiti Teknologi PETRONAS
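
Added example, not part of the thread: the `iptables -L` listing quoted above repeats the same two REJECT rules until the head of the output is lost. The shell filter below collapses such a listing to one line per distinct rule in each chain, with a repeat count; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): collapse repeated rules in
# `iptables -L` output so each distinct rule is shown once per chain.
# Real use on the affected VM (as root):  iptables -L -n | summarize_rules

summarize_rules() {
    awk '
        function emit(   i) {              # print and reset the current chain
            for (i = 1; i <= n; i++)
                printf "%6dx %s\n", count[order[i]], order[i]
            split("", count); split("", order); n = 0
        }
        /^Chain / { emit(); print; next }  # chain header starts a new group
        /^target[ \t]/ || /^[ \t]*$/ { next }  # skip column header, blanks
        {
            gsub(/[ \t]+/, " "); sub(/ $/, "")  # ignore column padding
            if (!($0 in count)) order[++n] = $0 # remember first-seen order
            count[$0]++
        }
        END { emit() }
    '
}

# Constructed sample in the shape of the listing quoted in the thread.
sample_listing() {
    cat <<'EOF'
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable

Chain HTTP (0 references)
target     prot opt source               destination
EOF
}

# Run with --demo to see the collapsed form of the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    sample_listing | summarize_rules
fi
```

A repeat count that rises between two runs shows that something is still appending the rules, which matches the "keeps changing back" symptom described in the first message.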