andrijapanic commented on a change in pull request #13: Update Quick Installation Guide
URL: https://github.com/apache/cloudstack-documentation/pull/13#discussion_r228741736
##########
File path: source/quickinstallationguide/qig.rst
##########
@@ -308,37 +341,50 @@ Now you'll need uncomment the configuration values in
the file
STATD_OUTGOING_PORT=2020
Now we need to configure the firewall to permit incoming NFS connections.
-Edit the file /etc/sysconfig/iptables
+Create firewalldnfs.sh, and add the following content to it:
.. parsed-literal::
- -A INPUT -s 172.16.10.0/24 -m state --state NEW -p udp --dport 111 -j ACCEPT
- -A INPUT -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 111 -j ACCEPT
- -A INPUT -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 2049 -j
ACCEPT
- -A INPUT -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 32803 -j
ACCEPT
- -A INPUT -s 172.16.10.0/24 -m state --state NEW -p udp --dport 32769 -j
ACCEPT
- -A INPUT -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 892 -j ACCEPT
- -A INPUT -s 172.16.10.0/24 -m state --state NEW -p udp --dport 892 -j ACCEPT
- -A INPUT -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 875 -j ACCEPT
- -A INPUT -s 172.16.10.0/24 -m state --state NEW -p udp --dport 875 -j ACCEPT
- -A INPUT -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 662 -j ACCEPT
- -A INPUT -s 172.16.10.0/24 -m state --state NEW -p udp --dport 662 -j ACCEPT
-
-Now you can restart the iptables service with the following command:
+ #!/bin/bash
+
+ firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 10 -m state
--state ESTABLISHED,RELATED -j ACCEPT
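Review bot: the only firewalld rule visible in this hunk, `firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 10 -m state --state ESTABLISHED,RELATED -j ACCEPT`, accepts reply traffic only, so it does not replace the removed `--state NEW` ACCEPT rules for udp/tcp 111, tcp 2049, tcp 32803, udp 32769 and udp/tcp 892, 875 and 662; a new NFS connection from 172.16.10.0/24 finds no match and is left to the INPUT chain's default policy. The script should add one NEW-state rule per port, scoped to the client subnet as the old rules were. Since `--direct --add-rule` without `--permanent` is runtime-only, the guide should also say whether these rules are meant to survive a reload, and the text "Create firewalldnfs.sh" never tells the reader to make the script executable and run it.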
Review comment:
@rhtyd I'm not sure this would work (in my CentOS 7.latest minimal setup) - simply because BY DEFAULT iptables rules/chains:
- traffic has been redirected to the INPUT_direct chain (empty for now, but we can add allow rules here - or we can add them, as you suggested, directly to the INPUT chain), but...
- after a packet doesn't match any rule in the INPUT_direct chain it will go back for inspection to the INPUT chain - and here there is a default DROP rule!
- i.e. in the example above I don't see TCP 8250 for CPVM/SSVM to the Mgmt server - in my box it didn't work until I explicitly added the rule...

I can assume the difference between your setup (which I'm sure works for you) and my setup is somewhere in the starting configuration point of iptables (before we add any rules) - in the latest CentOS 7 that I installed, there is already a bunch of rules and chains existing...

I also don't like firewall-cmd (again, it is present by default in the latest Minimal installation) and I also love the KISS method with iptables :) - but anyway it is NOT enough.
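To make the chain-traversal point above concrete, here is an added example (not code from the PR or from the CloudStack project) that turns the NFS allow-list removed by the hunk into firewalld direct rules for NEW connections, so that NFS traffic is accepted in INPUT_direct instead of falling through to the INPUT chain's default DROP. It assumes a CentOS 7 NFS server running firewalld, clients in 172.16.10.0/24 (the subnet of the removed rules), and that chain `INPUT` given to `--direct` is placed by firewalld in the `INPUT_direct` chain the comment describes; `FIREWALL_CMD` can be set to `echo` for a dry run.

```bash
#!/bin/bash
# Added example, not the PR's code. Reproduces the deleted iptables NFS rules as
# firewalld direct rules. The hunk's ESTABLISHED,RELATED rule only passes reply
# traffic; a NEW NFS connection matches nothing in INPUT_direct and is dropped by
# the INPUT chain's default policy, as the review comment describes.
# Assumptions: firewalld on the NFS server, clients in NFS_CLIENT_NET.

NFS_CLIENT_NET="${NFS_CLIENT_NET:-172.16.10.0/24}"
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"   # set to "echo" for a dry run

# proto:port pairs copied from the iptables rules the hunk removes
NFS_PORTS="udp:111 tcp:111 tcp:2049 tcp:32803 udp:32769 tcp:892 udp:892 tcp:875 udp:875 tcp:662 udp:662"

# Emit one permanent direct rule per proto:port, limited to the client subnet
# ($1) and to NEW state, i.e. exactly as narrow as the old iptables rules.
nfs_direct_rules() {
    net="$1"
    for entry in $NFS_PORTS; do
        proto="${entry%%:*}"
        port="${entry##*:}"
        printf '%s\n' "--permanent --direct --add-rule ipv4 filter INPUT 0 -s $net -p $proto --dport $port -m state --state NEW -j ACCEPT"
    done
}

# Sanity check: every entry in NFS_PORTS must yield exactly one NEW-state rule.
nfs_new_rule_count() {
    nfs_direct_rules "$1" | grep -c -- '--state NEW -j ACCEPT'
}

# Apply the permanent rules, then reload so they become active runtime rules.
apply_nfs_rules() {
    nfs_direct_rules "$NFS_CLIENT_NET" | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # the rule string is meant to be word-split
        "$FIREWALL_CMD" $rule
    done
    "$FIREWALL_CMD" --reload
}

# Only touch the firewall when run as: ./firewalldnfs.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_nfs_rules
fi
```

Running `FIREWALL_CMD=echo ./firewalldnfs.sh apply` prints the eleven rules plus the reload without changing anything, which is a convenient way to review the rule set before applying it.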
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
With regards,
Apache Git Services