What do you see in: cat /proc/sys/net/bridge/bridge* ?

I think I've seen issues with these being set to 1, but I think it might need to be set to 1 if you're using security groups.

On Fri, Apr 19, 2013 at 5:20 PM, Marcus Sorensen <shadow...@gmail.com> wrote:

> What do you see in :
>
>
>
> On Fri, Apr 19, 2013 at 2:17 PM, Maurice Lawler <maurice.law...@me.com> wrote:
>
>> I've tried it with them disabled (iptables get written) and enabled (the same issue)
>>
>> The cron job seemed to do the trick, until someone just mentioned to try:
>>
>> iptables -I INPUT -p tcp -m tcp --dport 5900:6100 -j ACCEPT
>>
>> That's not working, so I am going back to my cronjob!
>>
>> - Maurice
>>
>>
>> On Apr 19, 2013, at 02:08 PM, Edison Su <edison...@citrix.com> wrote:
>>
>> > -----Original Message-----
>> > From: Jason Pavao [mailto:jason.pa...@oracle.com]
>> > Sent: Thursday, April 18, 2013 8:50 AM
>> > To: dev@cloudstack.apache.org
>> > Cc: Maurice Lawler; us...@cloudstack.apache.org
>> > Subject: Re: IP tables blocking KVM/Console
>> >
>> > Maurice,
>> > I was having the same issues, I tried a number of iptables rule changes, but it seems that whenever a new instance was deployed it would overwrite my changes and break things again. My temporary fix is to run a cron job that runs every minute that issues a service iptables stop.
>>
>> Do you disable security group when creating the zone? If security group is disabled, then there should be no iptables rules created on kvm host when a new instance is created.
>>
>> >
>> > It's not elegant but it works since I don't have a need for security groups and am supporting a jenkins continuous testing environment with no need for network ingress/egress rules.
>> >
>> > Does anyone else know why this is happening?
>> >
>> > I am running cs 4.0.1 on oel6.3x64
>> >
>> > Any help would be appreciated.
>> > Thanks.
>> > -jason
>> >
>> > On 4/17/2013 7:47 PM, Maurice Lawler wrote:
>> > > I have stopped iptables at least 15 times, because it keeps blocking my console access to my instances. How can I either A) disable iptables altogether / B) add a rule to allow its access.
>> > >
>> > > Right now, it has this:
>> > >
>> > > [root@lunder ~]# iptables -L
>> > > Chain INPUT (policy ACCEPT)
>> > > target prot opt source destination
>> > > ACCEPT udp -- anywhere anywhere udp dpt:bootps
>> > > ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
>> > > ACCEPT tcp -- anywhere anywhere tcp dpts:49152:49216
>> > > ACCEPT tcp -- anywhere anywhere tcp dpts:vnc-server:synchronet-db
>> > > ACCEPT tcp -- anywhere anywhere tcp dpt:16509
>> > > ACCEPT tcp -- anywhere anywhere tcp dpt:websm
>> > > ACCEPT tcp -- anywhere anywhere tcp dpt:8250
>> > > ACCEPT tcp -- anywhere anywhere tcp dpt:empowerid
>> > > ACCEPT tcp -- anywhere anywhere tcp dpt:webcache
>> > > ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
>> > > ACCEPT icmp -- anywhere anywhere
>> > > ACCEPT all -- anywhere anywhere
>> > > ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
>> > > REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
>> > >
>> > > Chain FORWARD (policy ACCEPT)
>> > > target prot opt source destination
>> > >
>> > > Chain OUTPUT (policy ACCEPT)
>> > > target prot opt source destination
>> > > [root@lunder ~]#
>> > >
>> > > But there were plenty of other rules prior to my stopping it.
>> > >
>> > >
>> >
>> > --
>> > Thanks.
>> > -Jason
>>
>>
>