Hi, I am investigating the issue https://issues.apache.org/jira/browse/CLOUDSTACK-1337: copying a template/ISO across zones is failing in branch 4.1, giving the error "HTTP Server returned 403 (expected 200 OK)", and there is a workaround mentioned in https://cwiki.apache.org/confluence/display/CLOUDSTACK/SSVM%2C+templates%2C+Secondary+storage+troubleshooting
The iptables rules in the destination as well as the source SSVM:

    root@s-9-VM:~# iptables -S
    -P INPUT DROP
    -P FORWARD DROP
    -P OUTPUT ACCEPT
    -N HTTP
    -A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
    -A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
    -A INPUT -i eth1 -p tcp -m state --state NEW -m tcp --dport 3922 -j ACCEPT
    -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i eth3 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 3922 -j ACCEPT
    -A OUTPUT -o eth1 -p tcp -m state --state NEW -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
    -A OUTPUT -o eth1 -p tcp -m state --state NEW -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable

I removed the last rule, "-A OUTPUT -o eth1 -p tcp -m state --state NEW -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable", which is blocking outgoing traffic on port 443, and also modified .htaccess to:

    Options -Indexes
    order deny,allow
    #deny from all
    allow from 10.102.193.95

Copy template worked after this modification.

The rule seems valid to me, i.e. "-A OUTPUT -o eth1 -p tcp -m state --state NEW -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable", but copy template is not happening until I remove this rule. Also, removing "deny from all" is a security threat.

I also noticed eth1 RX bytes was increasing during copy template, which possibly means it is using the eth1 port. Previously my understanding was that copy template happens on the eth2 port, but from the above, it seems eth1 is getting used.

Can someone confirm this behavior? Also, what should be the right approach to fix this issue?

Regards
Deepti
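Added example, not part of the original message or of CloudStack: a first-match evaluation of the rule set quoted above, reporting which rule (or chain policy) decides a new outbound TCP connection on each interface. It models only the options that appear in this rule set (-i/-o, -p, --dport, --state); the function name `verdict` is hypothetical.

```python
# Rule set copied from the `iptables -S` output quoted in the message above.
RULES = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N HTTP
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -p tcp -m state --state NEW -m tcp --dport 3922 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth3 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 3922 -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m state --state NEW -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o eth1 -p tcp -m state --state NEW -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable
"""

def verdict(ruleset, chain, iface, proto, dport, state="NEW"):
    """Return (target, deciding_line) for one packet, using first-match semantics."""
    iface_flag = "-i" if chain == "INPUT" else "-o"
    policy = None
    for line in ruleset.splitlines():
        tok = line.split()
        if tok[:2] == ["-P", chain]:
            policy = tok[2]  # fallback when no rule in the chain matches
        if tok[:2] != ["-A", chain]:
            continue
        # Every option in this rule set takes exactly one argument.
        opts = dict(zip(tok[2::2], tok[3::2]))
        if opts.get(iface_flag, iface) != iface:
            continue
        if opts.get("-p", proto) != proto:
            continue
        if int(opts.get("--dport", dport)) != dport:
            continue
        if state not in opts.get("--state", state).split(","):
            continue
        return opts["-j"], line
    return policy, f"-P {chain} {policy}"

if __name__ == "__main__":
    for iface in ("eth0", "eth1", "eth2", "eth3"):
        for port in (80, 443):
            target, why = verdict(RULES, "OUTPUT", iface, "tcp", port)
            print(f"new tcp/{port} out {iface}: {target:<6} <- {why}")
```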