Are you using VLANs? Have you tried to use tcpdump at the host to check what is happening with packages coming from SSVM?

On Tue, Apr 5, 2016 at 10:34 AM, Mindaugas Milinavičius <mindau...@clustspace.com> wrote:

> added an additional DNS IP: 8.8.8.8 8.8.4.4
>
> Regards,
> Mindaugas Milinavičius
> UAB STARNITA
> Director
> http://www.clustspace.com
> LT: +37068882880
> RU: +79651806396
>
> Tomorrow's possibilities today
> <http://www.clustspace.com/>
>
> - 1 Core, 512MB RAM, 20GB SSD, 1Gbps, Unlimited, Location: Romania, Los Angeles, Ashburn Washington - 11EUR
> - 1 Core, 1024MB RAM, 30GB SSD, 1Gbps, Unlimited, Location: Romania, Los Angeles, Ashburn Washington - 18,7EUR
> - 2 Cores, 2048MB RAM, 40GB SSD, 1Gbps, Unlimited, Location: Romania, Los Angeles, Ashburn Washington - 27,5EUR
> - 4 Cores, 4096MB RAM, 100GB SSD, 1Gbps, Unlimited, Location: Romania, Los Angeles, Ashburn Washington - 46EUR
>
> On Tue, Apr 5, 2016 at 4:31 PM, Syafiq Rokman <msyafiq.rok...@gmail.com> wrote:
>
> > I think so. network/interfaces file on host/MS:
> >
> > auto lo
> > iface lo inet loopback
> >
> > auto eth0.100
> > iface eth0.100 inet manual
> >     address 172.16.135.179
> >     netmask 255.255.255.0
> >     gateway 172.16.135.254
> >     dns-nameservers 172.16.238.7 172.16.238.6
> >
> > # Public network
> > auto cloudbr0
> > iface cloudbr0 inet manual
> >     bridge_ports eth0.200
> >     bridge_fd 5
> >     bridge_stp off
> >     bridge_maxwait 1
> >
> > # Private network
> > auto cloudbr1
> > iface cloudbr1 inet manual
> >     bridge_ports eth0.300
> >     bridge_fd 5
> >     bridge_stp off
> >     bridge_maxwait 1
> >
> > On Tue, Apr 5, 2016 at 9:21 PM Mindaugas Milinavičius <mindau...@clustspace.com> wrote:
> >
> > > Is your network configured properly?
> > >
> > > On Tue, Apr 5, 2016 at 4:18 PM, Syafiq Rokman <msyafiq.rok...@gmail.com> wrote:
> > >
> > > > traceroute to 172.16.238.7 (172.16.238.7), 30 hops max, 60 byte packets
> > > >  1  172.16.135.12 (172.16.135.12)  2996.763 ms !H  2996.765 ms !H  2996.764 ms !H
> > > >
> > > > traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
> > > >  1  s-2059-VM (172.16.135.84)  2996.386 ms !H  2996.374 ms !H  2996.371 ms !H
> > > >
> > > > On Tue, Apr 5, 2016 at 9:01 PM Syafiq Rokman <msyafiq.rok...@gmail.com> wrote:
> > > >
> > > > > iptables -L in SSVM :
> > > > >
> > > > > REJECT tcp -- anywhere anywhere state NEW tcp dpt:https reject-with icmp-port-unreachable
> > > > > REJECT tcp -- anywhere anywhere state NEW tcp dpt:http reject-with icmp-port-unreachable
> > > > >
> > > > > Chain HTTP (0 references)
> > > > > target prot opt source destination
> > > > >
> > > > > ==
> > > > >
> > > > > The head is lost, I'm not sure how to filter out the spammed rules.
> > > > >
> > > > > On Tue, Apr 5, 2016 at 8:51 PM Rafael Weingärtner <rafaelweingart...@gmail.com> wrote:
> > > > >
> > > > >> can you post your iptables -L from SSVM?
> > > > >>
> > > > >> On Tue, Apr 5, 2016 at 9:47 AM, Syafiq Rokman <msyafiq.rok...@gmail.com> wrote:
> > > > >>
> > > > >> > Yes, just tried ping from SSVM to DNS, and 8.8.8.8, and google.com. Host still unreachable.
> > > > >> > Healthcheck script also returning host unreachable.
> > > > >> >
> > > > >> > On Tue, Apr 5, 2016 at 8:39 PM Rafael Weingärtner <rafaelweingart...@gmail.com> wrote:
> > > > >> >
> > > > >> > > Ok, so in your host there is nothing blocking the in-out/going requests, but still the ping command does not work?
> > > > >> > >
> > > > >> > > That rule you presented earlier should not block “icmp-echo-request”.
> > > > >> > >
> > > > >> > > On Tue, Apr 5, 2016 at 9:36 AM, Syafiq Rokman <msyafiq.rok...@gmail.com> wrote:
> > > > >> > >
> > > > >> > > > I've checked the host iptables just now...there were rules accommodating the SSVM and CPVM.
> > > > >> > > > But I've made the mistake of flushing the iptables rules without any backup.
> > > > >> > > > Now Iptables -P, -L has:
> > > > >> > > >
> > > > >> > > > -P INPUT ACCEPT
> > > > >> > > > -P FORWARD ACCEPT
> > > > >> > > > -P OUTPUT ACCEPT
> > > > >> > > > -A INPUT -j ACCEPT
> > > > >> > > > -A INPUT -j ACCEPT
> > > > >> > > > -A FORWARD -j ACCEPT
> > > > >> > > > -A OUTPUT -j ACCEPT
> > > > >> > > > Chain INPUT (policy ACCEPT)
> > > > >> > > > target prot opt source destination
> > > > >> > > > ACCEPT all -- anywhere anywhere
> > > > >> > > > ACCEPT all -- anywhere anywhere
> > > > >> > > >
> > > > >> > > > Chain FORWARD (policy ACCEPT)
> > > > >> > > > target prot opt source destination
> > > > >> > > > ACCEPT all -- anywhere anywhere
> > > > >> > > >
> > > > >> > > > Chain OUTPUT (policy ACCEPT)
> > > > >> > > > target prot opt source destination
> > > > >> > > > ACCEPT all -- anywhere anywhere
> > > > >> > > >
> > > > >> > > > One more thing, this setup is self-hosted. The MS and host are on the same machine.
> > > > >> > > >
> > > > >> > > > On Tue, Apr 5, 2016 at 8:22 PM Rafael Weingärtner <rafaelweingart...@gmail.com> wrote:
> > > > >> > > >
> > > > >> > > > > Those rules should not block the "ping" command, hence they are meant to block "http" right?
> > > > >> > > > >
> > > > >> > > > > I have been having the same problem lately with XenServer.
> > > > >> > > > >
> > > > >> > > > > The iptables rules that are rejecting my traffic are at the host itself.
> > > > >> > > > >
> > > > >> > > > > Can you check your host iptables configs?
> > > > >> > > > >
> > > > >> > > > > On Tue, Apr 5, 2016 at 3:42 AM, Syafiq Rokman <msyafiq.rok...@gmail.com> wrote:
> > > > >> > > > >
> > > > >> > > > > > Hi,
> > > > >> > > > > >
> > > > >> > > > > > Can't ping the default gateway of the SSVM or 8.8.8.8 from the SSVM.
> > > > >> > > > > > I'm using KVM as hypervisor.
> > > > >> > > > > >
> > > > >> > > > > > Tried changing iptables rules on SSVM using
> > > > >> > > > > >
> > > > >> > > > > > iptables -F
> > > > >> > > > > > iptables -X
> > > > >> > > > > > iptables -t nat -F
> > > > >> > > > > > iptables -t nat -X
> > > > >> > > > > > iptables -t mangle -F
> > > > >> > > > > > iptables -t mangle -X
> > > > >> > > > > > iptables -P INPUT ACCEPT
> > > > >> > > > > > iptables -P FORWARD ACCEPT
> > > > >> > > > > > iptables -P OUTPUT ACCEPT
> > > > >> > > > > >
> > > > >> > > > > > to allow all connections, but keep getting this at Chain OUTPUT:
> > > > >> > > > > >
> > > > >> > > > > > REJECT tcp -- anywhere anywhere state NEW tcp dpt:http reject-with icmp-port-unreachable
> > > > >> > > > > > REJECT tcp -- anywhere anywhere state NEW tcp dpt:https reject-with icmp-port-unreachable
> > > > >> > > > > >
> > > > >> > > > > > On Mon, Apr 4, 2016 at 6:49 PM Rafael Weingärtner <rafaelweingart...@gmail.com> wrote:
> > > > >> > > > > >
> > > > >> > > > > > > What hypervisor are you using?
> > > > >> > > > > > > Did you change the iptables rules at the SSVM itself?
> > > > >> > > > > > >
> > > > >> > > > > > > On Mon, Apr 4, 2016 at 6:50 AM, Glenn Wagner <glenn.wag...@shapeblue.com> wrote:
> > > > >> > > > > > >
> > > > >> > > > > > > > Hi,
> > > > >> > > > > > > >
> > > > >> > > > > > > > Can you ping the default gateway of the SSVM?
> > > > >> > > > > > > > Can you ping google DNS 8.8.8.8 from the SSVM?
> > > > >> > > > > > > >
> > > > >> > > > > > > > Thanks
> > > > >> > > > > > > > Glenn
> > > > >> > > > > > > >
> > > > >> > > > > > > > Regards,
> > > > >> > > > > > > >
> > > > >> > > > > > > > Glenn Wagner
> > > > >> > > > > > > >
> > > > >> > > > > > > > glenn.wag...@shapeblue.com
> > > > >> > > > > > > > www.shapeblue.com
> > > > >> > > > > > > > 2nd Floor, Oudehuis Centre, 122 Main Rd, Somerset West, Cape Town 7130 South Africa
> > > > >> > > > > > > > @shapeblue
> > > > >> > > > > > > >
> > > > >> > > > > > > > -----Original Message-----
> > > > >> > > > > > > > From: Syafiq Rokman [mailto:msyafiq.rok...@gmail.com]
> > > > >> > > > > > > > Sent: Monday, 04 April 2016 11:16 AM
> > > > >> > > > > > > > To: users@cloudstack.apache.org
> > > > >> > > > > > > > Subject: SSVM cant route to MS, Iptables keep self-updating
> > > > >> > > > > > > >
> > > > >> > > > > > > > Hi everyone!
> > > > >> > > > > > > >
> > > > >> > > > > > > > I'm running CS 4.8 on Ubuntu 14.04 LTS.
> > > > >> > > > > > > >
> > > > >> > > > > > > > So I've managed to set up everything, but I still can't install templates.
> > > > >> > > > > > > > So I SSH-ed into the SSVM and ran the healthcheck and it seems that the SSVM can't connect to the DNS.
> > > > >> > > > > > > >
> > > > >> > > > > > > > Logs says that it can't route to host.
> > > > >> > > > > > > >
> > > > >> > > > > > > > So I've tried to allow all outgoing/incoming connections on Iptables, but it keeps changing back to deny outgoing connections.
> > > > >> > > > > > > >
> > > > >> > > > > > > > Any ideas on how to proceed?
> > > > >> > > > > > > >
> > > > >> > > > > > > > Will provide logs if anyone needs it.
> > > > >> > > > > > > >
> > > > >> > > > > > > > Thanks
> > > > >> > > > > > > > Syafiq Rokman
> > > > >> > > > > > > > B.ICT Student
> > > > >> > > > > > >
> > > > >> > > > > > > --
> > > > >> > > > > > > Rafael Weingärtner
> > > > >> > > > >
> > > > >> > > > > --
> > > > >> > > > > Rafael Weingärtner
> > > > >> > > >
> > > > >> > > > --
> > > > >> > > > Syafiq Rokman
> > > > >> > > > B. ICT Student
> > > > >> > > > Universiti Teknologi PETRONAS
> > > > >> > >
> > > > >> > > --
> > > > >> > > Rafael Weingärtner
> > > > >> >
> > > > >> > --
> > > > >> > Syafiq Rokman
> > > > >> > B. ICT Student
> > > > >> > Universiti Teknologi PETRONAS
> > > > >>
> > > > >> --
> > > > >> Rafael Weingärtner
> > > > >
> > > > > --
> > > > > Syafiq Rokman
> > > > > B. ICT Student
> > > > > Universiti Teknologi PETRONAS
> > > >
> > > > --
> > > > Syafiq Rokman
> > > > B. ICT Student
> > > > Universiti Teknologi PETRONAS
> >
> > --
> > Syafiq Rokman
> > B. ICT Student
> > Universiti Teknologi PETRONAS

--
Rafael Weingärtner
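
Added example, not part of the original thread: a small shell helper for the problem raised above, where the `iptables -L` listing from the SSVM is flooded with the same REJECT rules and the top of the output scrolls away. It collapses duplicates per chain and prints a count for each distinct rule; the sample listing is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: collapse repeated rules in `iptables -L` output, per chain.

# Constructed sample shaped like the SSVM listing quoted in the thread.
sample_listing() {
cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http reject-with icmp-port-unreachable

Chain HTTP (0 references)
target     prot opt source               destination
EOF
}

# Reads a listing on stdin; prints each chain header once, followed by every
# distinct rule and how many times it occurred, in first-seen order.
summarize_rules() {
    awk '
        function flush(   i) {
            if (chain != "") {
                print chain
                for (i = 1; i <= n; i++)
                    printf "%6d x %s\n", count[order[i]], order[i]
            }
            split("", count); split("", order); n = 0   # clear per-chain state
        }
        /^Chain / { flush(); chain = $0; next }     # a new chain starts
        /^target[ \t]/ || /^[ \t]*$/ { next }       # column header, blank line
        {
            gsub(/[ \t]+/, " "); sub(/^ /, ""); sub(/ $/, "")  # normalise padding
            if (!($0 in count)) order[++n] = $0
            count[$0]++
        }
        END { flush() }
    '
}

# On the SSVM or the host: iptables -L | summarize_rules
sample_listing | summarize_rules
```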