That's reflected by this line:

ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:vnc-server:synchronet-db

Although we don't know what interfaces it applies to, because we don't have
an 'iptables -L -v'.

If stopping iptables fixes Maurice's problem, it would be interesting to
know, as the rules seem to let VNC through. It should be easy to tcpdump
and see what traffic is actually being blocked, because his rules suggest
that VNC is wide open on the KVM host.


On Fri, Apr 19, 2013 at 12:15 PM, Edison Su <edison...@citrix.com> wrote:

> This rule will reject all the ingress activities:
> "REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited"
> You can try:
> iptables -I INPUT -p tcp -m tcp --dport 5900:6100 -j ACCEPT
> to allow console access.
>
> From: Maurice Lawler [mailto:maurice.law...@me.com]
> Sent: Wednesday, April 17, 2013 7:48 PM
> To: Cloud Dev
> Cc: us...@cloudstack.apache.org; us...@cloudstack.apache.org
> Subject: IP tables blocking KVM/Console
>
> I have stopped iptables at least 15 times, because it keeps blocking my
> console access to my instances. How can I either A) disable iptables
> altogether, or B) add a rule to allow its access?
>
> Right now, it has this:
>
> [root@lunder ~]# iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:49152:49216
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:vnc-server:synchronet-db
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:16509
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:websm
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8250
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:empowerid
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:webcache
> ACCEPT     all  --  anywhere             anywhere            state
> RELATED,ESTABLISHED
> ACCEPT     icmp --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp
> dpt:ssh
> REJECT     all  --  anywhere             anywhere            reject-with
> icmp-host-prohibited
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> [root@lunder ~]#
>
> But there were plenty of other rules prior to my stopping it.
>
>
>

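As an added illustration, not code from this thread or from CloudStack: a small Python simulation of the INPUT chain Maurice posted, evaluating a packet against the rules first-match the way netfilter does. It shows three things the discussion turns on: the existing dpts:vnc-server:synchronet-db rule already admits TCP 5900-6100; Edison's suggested rule works because -I inserts at the top, whereas -A would append after the REJECT and never fire; and plain 'iptables -L' hides interface matches, so the bare "ACCEPT all anywhere anywhere" rule near the bottom may be an "-i lo"/"-i virbr0" rule or may genuinely leave the host wide open. The service-name-to-port resolution (vnc-server=5900, synchronet-db=6100, websm=9090, empowerid=7080, webcache=8080, bootps=67) follows the usual /etc/services values, and the "lo" interface on that rule is an assumption used to model both readings.

```python
"""First-match simulation of the INPUT chain posted in the thread.

Added example, not CloudStack code and not written by any participant.
Rules are transcribed from Maurice's 'iptables -L' output with service
names resolved via the usual /etc/services values. The interface on the
bare 'ACCEPT all' rule is an ASSUMPTION: 'iptables -L' without -v does
not show it, so posted_input_chain() lets you model it either way.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    target: str
    proto: str = "all"                       # "tcp", "udp", "icmp" or "all"
    dports: Optional[Tuple[int, int]] = None # inclusive port range, None = any
    states: Optional[frozenset] = None       # conntrack states, None = any
    in_iface: Optional[str] = None           # "-i" match, None = any interface

    def matches(self, proto: str, dport: Optional[int], state: str, iface: str) -> bool:
        if self.proto != "all" and self.proto != proto:
            return False
        if self.dports is not None:
            lo, hi = self.dports
            if dport is None or not (lo <= dport <= hi):
                return False
        if self.states is not None and state not in self.states:
            return False
        if self.in_iface is not None and self.in_iface != iface:
            return False
        return True


@dataclass
class Packet:
    proto: str
    dport: Optional[int] = None
    state: str = "NEW"       # conntrack state of the packet
    iface: str = "eth0"      # interface it arrives on (assumed name)


def first_match(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT"):
    """Walk the chain top to bottom; return (rule number, verdict).

    Falls back to the chain policy (None, policy) if nothing matches,
    exactly as netfilter does.
    """
    for n, rule in enumerate(chain, start=1):
        if rule.matches(pkt.proto, pkt.dport, pkt.state, pkt.iface):
            return n, rule.target
    return None, policy


def posted_input_chain(accept_all_iface: Optional[str] = "lo") -> List[Rule]:
    """The INPUT chain from the post, in the order 'iptables -L' printed it."""
    return [
        Rule("ACCEPT", "udp", (67, 67)),            # udp dpt:bootps
        Rule("ACCEPT", "tcp", (67, 67)),            # tcp dpt:bootps
        Rule("ACCEPT", "tcp", (49152, 49216)),      # libvirt migration range
        Rule("ACCEPT", "tcp", (5900, 6100)),        # dpts:vnc-server:synchronet-db
        Rule("ACCEPT", "tcp", (16509, 16509)),      # libvirtd
        Rule("ACCEPT", "tcp", (9090, 9090)),        # dpt:websm
        Rule("ACCEPT", "tcp", (8250, 8250)),        # CloudStack agent
        Rule("ACCEPT", "tcp", (7080, 7080)),        # dpt:empowerid
        Rule("ACCEPT", "tcp", (8080, 8080)),        # dpt:webcache
        Rule("ACCEPT", "all", states=frozenset({"RELATED", "ESTABLISHED"})),
        Rule("ACCEPT", "icmp"),
        Rule("ACCEPT", "all", in_iface=accept_all_iface),  # interface hidden by -L
        Rule("ACCEPT", "tcp", (22, 22), states=frozenset({"NEW"})),
        Rule("REJECT", "all"),                      # reject-with icmp-host-prohibited
    ]


def insert(chain: List[Rule], rule: Rule) -> List[Rule]:
    """iptables -I INPUT ...: new rule goes to position 1."""
    return [rule] + chain


def append(chain: List[Rule], rule: Rule) -> List[Rule]:
    """iptables -A INPUT ...: new rule lands after the final REJECT."""
    return chain + [rule]


if __name__ == "__main__":
    chain = posted_input_chain("lo")
    print("VNC 5900 from eth0:", first_match(chain, Packet("tcp", 5900)))
    print("TCP 3389, ACCEPT-all bound to lo:", first_match(chain, Packet("tcp", 3389)))
    print("TCP 3389, ACCEPT-all unbound:", first_match(posted_input_chain(None), Packet("tcp", 3389)))
    extra = Rule("ACCEPT", "tcp", (6101, 6200))
    print("-A extra range:", first_match(append(chain, extra), Packet("tcp", 6150)))
    print("-I extra range:", first_match(insert(chain, extra), Packet("tcp", 6150)))
```

The point for Maurice's case: if VNC on 5900-6100 is still being refused, the traffic is either not TCP in that range (the console proxy may be talking to a different port, which tcpdump on the host will reveal) or not reaching this chain at all, because rule 4 admits it regardless of interface. Run 'iptables -L INPUT -v -n --line-numbers' to see the interface and packet counters that settle which reading of the "ACCEPT all" rule is the real one.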