Elwin,

I can't find any docs on how you are supposed to configure the firewall for a 
base linux image under 2.3.2, and I don't remember the details of it.  I think 
something like the following should get you working.

First, stop iptables to clear all of the tables:

service iptables stop

Create a custom table - you can name it anything, we'll go with "VCL".

iptables -N VCL

Create a rule in INPUT that jumps to the VCL table for everything:

iptables -A INPUT -j VCL

Add a few important rules to the VCL table:

iptables -A VCL -i lo -j ACCEPT
iptables -A VCL -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A VCL -p icmp -m icmp --icmp-type any -j ACCEPT

Add a rule to the VCL table to accept traffic from your management node:

iptables -A VCL -s <management node IP> -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

Add a rule to the VCL table to reject other traffic:

iptables -A VCL -j REJECT --reject-with icmp-host-prohibited

Save the new configuration:

service iptables save

If I remember correctly, VCL should then manage required additions and 
removals on the INPUT table, and leave the VCL table alone, and since the VCL 
table has a rule allowing traffic from your management node, it should stop 
shutting itself out.

Let me know if this works for you.

Josh

On Tuesday, May 26, 2015 1:13:37 PM Elwin Litchfield wrote:
> Everything seemed to work till the reservation was over.  Port 22 is
> blocked, but ping is OK & port 3389 is still available & connection with
> admin ID & password presented at the beginning of the reservation.  I have
> been reading the vcld.log & am unable to make any sense of it.  Can you help
> me understand what is happening?
> 
> 
> Thanks
> 
> 2015-05-26 12:26:32|9344|46:46|timeout|utils.pm:run_ssh_command(4902)|executing
> SSH command on VM7Cent6VCL1:
> |9344|46:46|timeout| /usr/bin/ssh -i /etc/vcl/vcl.key  -o
> StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o
> ConnectionAttempts=1 -o ConnectTimeout=3 -l root -p 22 -x VM7Cent6VCL1
> '/sbin/chkconfig --list iptables' 2>&1
> 2015-05-26
> 12:26:32|9344|46:46|timeout|Linux.pm:service_exists(3186)|'iptables'
> service exists
> 2015-05-26
> 12:26:32|9344|46:46|timeout|utils.pm:run_ssh_command(4902)|executing
> SSH command on VM7Cent6VCL1:
> |9344|46:46|timeout| /usr/bin/ssh -i /etc/vcl/vcl.key  -o
> StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o
> ConnectionAttempts=1 -o ConnectTimeout=3 -l root -p 22 -x VM7Cent6VCL1
> 'iptables -L --line-number -n' 2>&1
> 2015-05-26
> 12:26:33|9344|46:46|timeout|utils.pm:run_ssh_command(5020)|run_ssh_command
> output:
> |9344|46:46|timeout| Chain INPUT (policy ACCEPT)
> |9344|46:46|timeout| num target prot opt source destination
> |9344|46:46|timeout| 1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED tcp dpt:22
> |9344|46:46|timeout| 2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> |9344|46:46|timeout| 3 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
> |9344|46:46|timeout| 4 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> |9344|46:46|timeout| 5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
> |9344|46:46|timeout| 6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
> |9344|46:46|timeout| 7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3389
> |9344|46:46|timeout| 8 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:3389
> |9344|46:46|timeout| 9 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
> |9344|46:46|timeout| Chain FORWARD (policy ACCEPT)
> |9344|46:46|timeout| num target prot opt source destination
> |9344|46:46|timeout| 1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
> |9344|46:46|timeout| Chain OUTPUT (policy ACCEPT)
> |9344|46:46|timeout| num target prot opt source destination
> 
> 2015-05-26 12:26:33|9344|46:46|timeout|utils.pm:run_ssh_command(5034)|SSH
> command executed on VM7Cent6VCL1, returning (0, "Chain INPUT (policy
> ACCEPT) nu...")
> 2015-05-26
> 12:26:33|9344|46:46|timeout|Linux.pm:get_firewall_configuration(3991)|output
> Chain = INPUT
> 2015-05-26
> 12:26:33|9344|46:46|timeout|Linux.pm:get_firewall_configuration(4007)|output
> rule: 1, ACCEPT, tcp, 0.0.0.0/0, 0.0.0.0/0, 22
> 2015-05-26
> 12:26:35|9344|46:46|timeout|Linux.pm:get_firewall_configuration(4007)|output
> rule: 5, ACCEPT, tcp, 0.0.0.0/0, 0.0.0.0/0, 443
> 2015-05-26
> 12:26:36|9344|46:46|timeout|Linux.pm:get_firewall_configuration(4007)|output
> rule: 6, ACCEPT, tcp, 0.0.0.0/0, 0.0.0.0/0, 80
> 2015-05-26
> 12:26:36|9344|46:46|timeout|Linux.pm:get_firewall_configuration(4007)|output
> rule: 7, ACCEPT, tcp, 0.0.0.0/0, 0.0.0.0/0, 3389
> 2015-05-26 12:26:36|26123|vcld:main(167)|lastcheckin time updated for
> management node 1: 2015-05-26 12:26:36
> 2015-05-26
> 12:26:37|9344|46:46|timeout|Linux.pm:get_firewall_configuration(4007)|output
> rule: 8, ACCEPT, udp, 0.0.0.0/0, 0.0.0.0/0, 3389
> 2015-05-26
> 12:26:38|9344|46:46|timeout|Linux.pm:get_firewall_configuration(3991)|output
> Chain = FORWARD
> 2015-05-26
> 12:26:38|9344|46:46|timeout|Linux.pm:get_firewall_configuration(3991)|output
> Chain = OUTPUT
> 2015-05-26
> 12:26:38|9344|46:46|timeout|Linux.pm:get_firewall_configuration(4050)|retrieved
> firewall configuration from VM7Cent6VCL1:
> |9344|46:46|timeout| : {
> |9344|46:46|timeout| :   "FORWARD" => {
> |9344|46:46|timeout| :     "1" => {
> |9344|46:46|timeout| :       "all" => {
> |9344|46:46|timeout| :         "any" => {
> |9344|46:46|timeout| :           "destination" => "0.0.0.0/0",
> |9344|46:46|timeout| :           "name" => "any",
> |9344|46:46|timeout| :           "number" => 1,
> |9344|46:46|timeout| :           "scope" => "0.0.0.0/0",
> |9344|46:46|timeout| :           "target" => "REJECT"
> |9344|46:46|timeout| :         }
> |9344|46:46|timeout| :       }
> |9344|46:46|timeout| :     }
> |9344|46:46|timeout| :   },
> |9344|46:46|timeout| :   "INPUT" => {
> |9344|46:46|timeout| :     "1" => {
> |9344|46:46|timeout| :       "tcp" => {
> |9344|46:46|timeout| :         "22" => {
> |9344|46:46|timeout| :           "destination" => "0.0.0.0/0",
> |9344|46:46|timeout| :           "name" => "ssh",
> |9344|46:46|timeout| :           "number" => 1,
> |9344|46:46|timeout| :           "scope" => "0.0.0.0/0",
> |9344|46:46|timeout| :           "target" => "ACCEPT"
> |9344|46:46|timeout| :         }
> |9344|46:46|timeout| :       }
> |9344|46:46|timeout| :     },
> |9344|46:46|timeout| :     "2" => {
> |9344|46:46|timeout| :       "all" => {
> |9344|46:46|timeout| :         "any" => {
> |9344|46:46|timeout| :           "destination" => "0.0.0.0/0",
> |9344|46:46|timeout| :           "name" => "any",
> |9344|46:46|timeout| :           "number" => 2,
> |9344|46:46|timeout| :           "scope" => "0.0.0.0/0",
> |9344|46:46|timeout| :           "target" => "ACCEPT"
> |9344|46:46|timeout| :         }
> |9344|46:46|timeout| :       }
> |9344|46:46|timeout| :     },
> |9344|46:46|timeout| :     "3" => {
> |9344|46:46|timeout| :       "icmp" => {
> |9344|46:46|timeout| :         "any" => {
> |9344|46:46|timeout| :           "destination" => "0.0.0.0/0",
> |9344|46:46|timeout| :           "name" => "any",
> |9344|46:46|timeout| :           "number" => 3,
> |9344|46:46|timeout| :           "scope" => "0.0.0.0/0",
> |9344|46:46|timeout| :           "target" => "ACCEPT"
> |9344|46:46|timeout| :         }
> |9344|46:46|timeout| :       }
> |9344|46:46|timeout| :     },
> |9344|46:46|timeout| :     "4" => {
> |9344|46:46|timeout| :       "all" => {
> |9344|46:46|timeout| :         "any" => {
> |9344|46:46|timeout| :           "destination" => "0.0.0.0/0",
> |9344|46:46|timeout| :           "name" => "any",
> |9344|46:46|timeout| :           "number" => 4,
> |9344|46:46|timeout| :           "scope" => "0.0.0.0/0",
> |9344|46:46|timeout| :           "target" => "ACCEPT"
> |9344|46:46|timeout| :         }
> |9344|46:46|timeout| :       }
> |9344|46:46|timeout| :     },
> |9344|46:46|timeout| :     "5" => {
> |9344|46:46|timeout| :       "tcp" => {
> |9344|46:46|timeout| :         "443" => {
> |9344|46:46|timeout| :           "destination" => "0.0.0.0/0",
> |9344|46:46|timeout| :           "name" => "https",
> |9344|46:46|timeout| :           "number" => 5,
> |9344|46:46|timeout| :           "scope" => "0.0.0.0/0",
> |9344|46:46|timeout| :           "target" => "ACCEPT"
> |9344|46:46|timeout| :         }
> |9344|46:46|timeout| :       }
> |9344|46:46|timeout| :     },
> |9344|46:46|timeout| :     "6" => {
> |9344|46:46|timeout| :       "tcp" => {
> |9344|46:46|timeout| :         "80" => {
> |9344|46:46|timeout| :           "destination" => "0.0.0.0/0",
> |9344|46:46|timeout| :           "name" => "http",
> |9344|46:46|timeout| :           "number" => 6,
> |9344|46:46|timeout| :           "scope" => "0.0.0.0/0",
> |9344|46:46|timeout| :           "target" => "ACCEPT"
> |9344|46:46|timeout| :         }
> |9344|46:46|timeout| :       }
> |9344|46:46|timeout| :     },
> |9344|46:46|timeout| :     "7" => {
> |9344|46:46|timeout| :       "tcp" => {
> |9344|46:46|timeout| :         "3389" => {
> |9344|46:46|timeout| :           "destination" => "0.0.0.0/0",
> |9344|46:46|timeout| :           "name" => "ms-wbt-server",
> |9344|46:46|timeout| :           "number" => 7,
> |9344|46:46|timeout| :           "scope" => "0.0.0.0/0",
> |9344|46:46|timeout| :           "target" => "ACCEPT"
> |9344|46:46|timeout| :         }
> |9344|46:46|timeout| :       }
> |9344|46:46|timeout| :     },
> |9344|46:46|timeout| :     "8" => {
> |9344|46:46|timeout| :       "udp" => {
> |9344|46:46|timeout| :         "3389" => {
> |9344|46:46|timeout| :           "destination" => "0.0.0.0/0",
> |9344|46:46|timeout| :           "name" => "ms-wbt-server",
> |9344|46:46|timeout| :           "number" => 8,
> |9344|46:46|timeout| :           "scope" => "0.0.0.0/0",
> |9344|46:46|timeout| :           "target" => "ACCEPT"
> |9344|46:46|timeout| :         }
> |9344|46:46|timeout| :       }
> |9344|46:46|timeout| :     },
> |9344|46:46|timeout| :     "9" => {
> |9344|46:46|timeout| :       "all" => {
> |9344|46:46|timeout| :         "any" => {
> |9344|46:46|timeout| :           "destination" => "0.0.0.0/0",
> |9344|46:46|timeout| :           "name" => "any",
> |9344|46:46|timeout| :           "number" => 9,
> |9344|46:46|timeout| :           "scope" => "0.0.0.0/0",
> |9344|46:46|timeout| :           "target" => "REJECT"
> |9344|46:46|timeout| :         }
> |9344|46:46|timeout| :       }
> |9344|46:46|timeout| :     }
> |9344|46:46|timeout| :   }
> |9344|46:46|timeout| : }
> 
> 2015-05-26
> 12:26:38|9344|46:46|timeout|Linux.pm:disable_firewall_port(3783)|attempting
> to execute command on VM7Cent6VCL1: 'iptables -D INPUT 1'
> 2015-05-26
> 12:26:38|9344|46:46|timeout|utils.pm:run_ssh_command(4902)|executing
> SSH command on VM7Cent6VCL1:
> |9344|46:46|timeout| /usr/bin/ssh -i /etc/vcl/vcl.key  -o
> StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o
> ConnectionAttempts=1 -o ConnectTimeout=3 -l root -p 22 -x VM7Cent6VCL1
> 'iptables -D INPUT 1' 2>&1
> 2015-05-26
> 12:26:39|9344|46:46|timeout|utils.pm:run_ssh_command(5020)|run_ssh_command
> output:
> 2015-05-26 12:26:39|9344|46:46|timeout|utils.pm:run_ssh_command(5034)|SSH
> command executed on VM7Cent6VCL1, returning (0, "")
> 2015-05-26
> 12:26:39|9344|46:46|timeout|Linux.pm:disable_firewall_port(3785)|executed
> command on VM7Cent6VCL1: 'iptables -D INPUT 1'
> 2015-05-26
> 12:26:39|9344|46:46|timeout|utils.pm:run_ssh_command(4902)|executing
> SSH command on VM7Cent6VCL1:
> |9344|46:46|timeout| /usr/bin/ssh -i /etc/vcl/vcl.key  -o
> StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o
> ConnectionAttempts=1 -o ConnectTimeout=3 -l root -p 22 -x VM7Cent6VCL1
> '/sbin/iptables-save > /etc/sysconfig/iptables' 2>&1
> 
> |9344|46:46|timeout| ---- WARNING ----
> |9344|46:46|timeout| 2015-05-26 12:26:39|9344|46:46|timeout|utils.pm:run_ssh_command(5006)|attempt
> 1/3: failed to execute SSH command on VM7Cent6VCL1: '/sbin/iptables-save >
> /etc/sysconfig/iptables', exit status: 255, output:
> |9344|46:46|timeout| ssh output (/sbin/ipta...): ssh: connect to host
> VM7Cent6VCL1 port 22: No route to host
> 
> |9344|46:46|timeout| ( 0) utils.pm, run_ssh_command (line: 5006)
> |9344|46:46|timeout| (-1) OS.pm, execute (line: 1992)
> |9344|46:46|timeout| (-2) Linux.pm, disable_firewall_port (line: 3794)
> |9344|46:46|timeout| (-3) OS.pm, process_connect_methods (line: 2576)
> |9344|46:46|timeout| (-4) Linux.pm, sanitize (line: 1172)
> |9344|46:46|timeout| (-5) reclaim.pm, call_os_sanitize (line: 271)
> 
> 2015-05-26
> 12:26:39|9344|46:46|timeout|utils.pm:run_ssh_command(4894)|sleeping for 2
> seconds before making next SSH attempt
> 201
> 
> Thanks
> 
> Lewis
-- 
-------------------------------
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found at pgp.mit.edu

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.
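As an added example (not VCL's code and not from this thread), here is a small model of the INPUT chain shown in the vcld.log above: it checks what happens to the management node's new SSH connection once the tcp/22 rule in INPUT is deleted, first with the accept living in INPUT as logged, then with it living in a separate VCL chain as Josh suggests. The management node address 192.0.2.10 is made up, and log rule 4 ("ACCEPT all") is assumed to be the usual "-i lo" accept, since "iptables -L -n" does not display interfaces.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    target: str                  # ACCEPT, REJECT or the name of a user chain
    proto: str = "all"
    src: str = "0.0.0.0/0"
    dport: Optional[int] = None
    states: tuple = ()           # conntrack states; empty = no state match
    iface: Optional[str] = None  # -i match, which 'iptables -L -n' does not display
    def matches(self, pkt: dict) -> bool:
        return (self.proto in ("all", pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and self.dport in (None, pkt.get("dport")) and self.iface in (None, pkt["iface"])
                and (not self.states or pkt["state"] in self.states))

def verdict(chains: dict, chain: str, pkt: dict, policy: Optional[str] = "ACCEPT"):
    """Walk a chain as netfilter does; a user chain with no match returns None."""
    for rule in chains[chain]:
        if rule.matches(pkt):
            if rule.target in ("ACCEPT", "REJECT", "DROP"):
                return rule.target
            sub = verdict(chains, rule.target, pkt, policy=None)
            if sub is not None:
                return sub
    return policy

def disable_port_22(chains: dict) -> None:
    # What the log shows reclaim doing: delete the INPUT rule that opens tcp/22.
    chains["INPUT"] = [r for r in chains["INPUT"] if not (r.proto == "tcp" and r.dport == 22)]

# Constructed packet: a new SSH connection from an assumed management node address.
MGMT_SSH = {"proto": "tcp", "src": "192.0.2.10", "dport": 22, "state": "NEW", "iface": "eth0"}
COMMON = [Rule("ACCEPT", states=("RELATED", "ESTABLISHED")), Rule("ACCEPT", "icmp"),
          Rule("ACCEPT", iface="lo")]   # log rules 2-4; rule 4 is assumed to be '-i lo'

def before_fix() -> str:
    # INPUT as listed in the log: the only SSH accept sits in INPUT itself.
    chains = {"INPUT": [Rule("ACCEPT", "tcp", dport=22, states=("NEW", "RELATED", "ESTABLISHED"))]
              + COMMON + [Rule("REJECT")]}   # rules 5-8 (80/443/3389) omitted: never match SSH
    disable_port_22(chains)
    return verdict(chains, "INPUT", MGMT_SSH)   # REJECT: the "No route to host" in the log

def after_fix() -> str:
    # Josh's layout: INPUT jumps to a VCL chain that holds the management node accept.
    chains = {"INPUT": [Rule("VCL")], "VCL": COMMON + [
        Rule("ACCEPT", "tcp", src="192.0.2.10/32", dport=22, states=("NEW",)), Rule("REJECT")]}
    disable_port_22(chains)
    return verdict(chains, "INPUT", MGMT_SSH)   # ACCEPT: nothing in the VCL chain was removed
```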