The problem was the order of the "-A INPUT" lines.

In your 2nd output, connections to port 1311 get REJECT'ed in the
RH-Firewall-1-INPUT chain before reaching your port 1311 ACCEPT rules.

I suggest you use the utility "system-config-securitylevel-tui" for
simple port opening. :)

-- Casper
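
To make the ordering point concrete, here is an added example that is not part of the thread: a small first-match evaluator that walks an abridged copy of the rules quoted below (only the match options that actually appear on the page are modelled, and a constructed SYN to port 1311 is the input) and returns the verdict for the jump-first and ACCEPT-first orderings.

```python
# Abridged from the thread's rulesets; the two INPUT chains differ only in rule order.
RH = """-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited"""
JUMP_FIRST = ("-A INPUT -j RH-Firewall-1-INPUT\n"
              "-A INPUT -p tcp -m tcp --dport 1311 -j ACCEPT\n" + RH)
ACCEPT_FIRST = ("-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1311 -m state --state NEW -j ACCEPT\n"
                "-A INPUT -j RH-Firewall-1-INPUT\n" + RH)
MATCH_OPTS = ("-p", "-i", "-d", "--dport", "--sport", "--state")
# Constructed packet, keyed by the iptables option it is matched against:
# a browser's first SYN to the OMSA port, arriving on a non-loopback NIC.
OMSA_SYN = {"-p": "tcp", "-i": "eth0", "-d": "192.0.2.10",
            "--sport": 40000, "--dport": 1311, "--state": "NEW"}

def parse_rules(dump):
    """Map chain name -> ordered list of (match options, target) from the -A lines."""
    chains = {}
    for line in dump.splitlines():
        if line.startswith("-A "):
            toks = line.split()   # every option modelled here takes exactly one argument
            opts = {k: v for k, v in zip(toks, toks[1:]) if k in MATCH_OPTS}
            chains.setdefault(toks[1], []).append((opts, toks[toks.index("-j") + 1]))
    return chains

def port_ok(spec, port):          # "1311" or a range such as "1024:65535"
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)

def rule_matches(opts, pkt):      # every option on the rule must hold for the packet
    def ok(k, v):
        if k in ("--dport", "--sport"):
            return port_ok(v, pkt[k])
        return pkt[k] in v.split(",") if k == "--state" else pkt[k] == v
    return all(ok(k, v) for k, v in opts.items())

def verdict(chains, pkt, chain="INPUT"):
    """First match wins. A jump into a user chain only comes back if that chain runs off
    its end; RH-Firewall-1-INPUT ends in an unconditional REJECT, so it never does."""
    for opts, target in chains.get(chain, []):
        if not rule_matches(opts, pkt):
            continue
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        sub = verdict(chains, pkt, target)      # user-defined chain (no RETURN rules on the page)
        if sub is not None:
            return sub
    return None                                 # fell off the end: chain policy applies

for name, rules in (("jump first", JUMP_FIRST), ("ACCEPT first", ACCEPT_FIRST)):
    print(name, "->", verdict(parse_rules(rules), OMSA_SYN))   # REJECT, then ACCEPT
```

The second ACCEPT rule in the jump-first ruleset is never evaluated for any packet, which is why adding more port 1311 rules below the jump changed nothing.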

On Thu, 2012-12-27 at 16:15 -0600, Aric Aasgaard wrote:
> Thanks, that was it.
> 
> I had this, no luck
> 
> # iptables-save
> # Generated by iptables-save v1.3.5 on Thu Dec 27 12:15:18 2012
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1246:384131]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A INPUT -p tcp -m tcp --dport 1311 -j ACCEPT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p esp -j ACCEPT
> -A RH-Firewall-1-INPUT -p ah -j ACCEPT
> -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -i xenapi -p udp -m udp --dport 67 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 694 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> # Completed on Thu Dec 27 12:15:18 2012
> 
> I tried this, no luck
> 
> # iptables-save
> # Generated by iptables-save v1.3.5 on Thu Dec 27 12:21:28 2012
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1246:384131]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A INPUT -p tcp -m tcp --dport 1311 -j ACCEPT
> -A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1311 -j ACCEPT
> -A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1311 -m state --state NEW -j ACCEPT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p esp -j ACCEPT
> -A RH-Firewall-1-INPUT -p ah -j ACCEPT
> -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -i xenapi -p udp -m udp --dport 67 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 694 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> # Completed on Thu Dec 27 12:21:28 2012
> 
> 
> I SCP'd /etc/sysconfig/iptables from a working Xenserver install and it worked... no clue why the others didn't
> 
> # iptables-save
> # Generated by iptables-save v1.3.5 on Thu Dec 27 12:44:35 2012
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [655:875233]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1311 -m state --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1311 -j ACCEPT
> -A INPUT -p udp -m udp --dport 161 -j ACCEPT
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p esp -j ACCEPT
> -A RH-Firewall-1-INPUT -p ah -j ACCEPT
> -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -i xenapi -p udp -m udp --dport 67 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 694 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> # Completed on Thu Dec 27 12:44:35 2012 
> 
> 
> 
> 
> -----Original Message-----
> From: Casper Biering [mailto:[email protected]] 
> Sent: Thursday, December 27, 2012 5:30 AM
> To: Aric Aasgaard
> Cc: [email protected]
> Subject: Re: [Xen-API] XCP and Dell OpenManage Server Admin
> 
> Hi,
> 
> It sounds like an iptables problem.
> 
> Could you please attach the output of the "iptables-save" command.
> 
> As a workaround, you can use SSH port forwarding:
> ssh -L 1311:127.0.0.1:1311 <server-ip>
> and then open https://localhost:1311/ in your local browser.
> 



_______________________________________________
Xen-api mailing list
[email protected]
http://lists.xen.org/cgi-bin/mailman/listinfo/xen-api