Lewis,

That is correct.  However, if you can successfully make an imaging reservation 
and connect to it, you can use that as your starting point for updating your 
firewall configuration.  Then, just save it off as a new revision of the image 
or as a new image.

Josh

On Tuesday, May 26, 2015 7:52:23 PM Litchfield, Elwin L. wrote:
> I assume this configuration must be done before the image is created.
> 
> 
> Lewis Litchfield
> Technology Services – Viking Center Lab
> University of South Florida Sarasota-Manatee
> 941-359-4231
> 
> ________________________________________
> From: Josh Thompson <[email protected]>
> Sent: Tuesday, May 26, 2015 3:40 PM
> To: [email protected]
> Subject: Re: vcld.log
> 
> Elwin,
> 
> I can't find any docs on how you are supposed to configure the firewall for
> a base linux image under 2.3.2, and I don't remember the details of it.  I
> think something like the following should get you working.
> 
> First, stop iptables to clear all of the tables:
> 
> service iptables stop
> 
> Create a custom table - you can name it anything, we'll go with "VCL".
> 
> iptables -N VCL
> 
> Create a rule in INPUT that jumps to the VCL table for everything:
> 
> iptables -A INPUT -j VCL
> 
> Add a few important rules to the VCL table:
> 
> iptables -A VCL -i lo -j ACCEPT
> iptables -A VCL -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A VCL -p icmp -m icmp --icmp-type any -j ACCEPT
> 
> Add a rule to the VCL table to accept traffic from your management node:
> 
> iptables -A VCL -s <management node IP> -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> 
> Add a rule to the VCL table to reject other traffic:
> 
> iptables -A VCL -j REJECT --reject-with icmp-host-prohibited
> 
> Save the new configuration:
> 
> service iptables save
> 
> If I remember correctly, VCL should then manage required additions and
> removals on the INPUT table, and leave the VCL table alone, and since the
> VCL table has a rule allowing traffic from your management node, it should
> stop shutting itself out.
> 
> Let me know if this works for you.
> 
> Josh
> 
> On Tuesday, May 26, 2015 1:13:37 PM Elwin Litchfield wrote:
> > Everything seemed to work till the reservation was over.  Port 22 is
> > blocked, but ping is OK & port 3389 is still available & connection with
> > admin ID & password presented at the beginning of the reservation.  I have
> > been reading the vcld.log & am unable to make any sense of it.  Can you
> > help me understand what is happening?
> > 
> > 
> > Thanks
> > 
> > 2015-05-26 12:26:32|9344|46:46|timeout|utils.pm:run_ssh_command(4902)|executing SSH command on VM7Cent6VCL1:
> > |9344|46:46|timeout| /usr/bin/ssh -i /etc/vcl/vcl.key  -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectionAttempts=1 -o ConnectTimeout=3 -l root -p 22 -x VM7Cent6VCL1 '/sbin/chkconfig --list iptables' 2>&1
> > 2015-05-26 12:26:32|9344|46:46|timeout|Linux.pm:service_exists(3186)|'iptables' service exists
> > 2015-05-26 12:26:32|9344|46:46|timeout|utils.pm:run_ssh_command(4902)|executing SSH command on VM7Cent6VCL1:
> > |9344|46:46|timeout| /usr/bin/ssh -i /etc/vcl/vcl.key  -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectionAttempts=1 -o ConnectTimeout=3 -l root -p 22 -x VM7Cent6VCL1 'iptables -L --line-number -n' 2>&1
> > 2015-05-26 12:26:33|9344|46:46|timeout|utils.pm:run_ssh_command(5020)|run_ssh_command output:
> > |9344|46:46|timeout| Chain INPUT (policy ACCEPT)
> > |9344|46:46|timeout| num target prot opt source destination
> > |9344|46:46|timeout| 1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED tcp dpt:22
> > |9344|46:46|timeout| 2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> > |9344|46:46|timeout| 3 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
> > |9344|46:46|timeout| 4 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> > |9344|46:46|timeout| 5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
> > |9344|46:46|timeout| 6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
> > |9344|46:46|timeout| 7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3389
> > |9344|46:46|timeout| 8 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:3389
> > |9344|46:46|timeout| 9 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
> > |9344|46:46|timeout| Chain FORWARD (policy ACCEPT)
> > |9344|46:46|timeout| num target prot opt source destination
> > |9344|46:46|timeout| 1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
> > |9344|46:46|timeout| Chain OUTPUT (policy ACCEPT)
> > |9344|46:46|timeout| num target prot opt source destination
> > 
> > 2015-05-26 12:26:33|9344|46:46|timeout|utils.pm:run_ssh_command(5034)|SSH command executed on VM7Cent6VCL1, returning (0, "Chain INPUT (policy ACCEPT) nu...")
> > 2015-05-26 12:26:33|9344|46:46|timeout|Linux.pm:get_firewall_configuration(3991)|output Chain = INPUT
> > 2015-05-26 12:26:33|9344|46:46|timeout|Linux.pm:get_firewall_configuration(4007)|output rule: 1, ACCEPT, tcp, 0.0.0.0/0, 0.0.0.0/0, 22
> > 2015-05-26 12:26:35|9344|46:46|timeout|Linux.pm:get_firewall_configuration(4007)|output rule: 5, ACCEPT, tcp, 0.0.0.0/0, 0.0.0.0/0, 443
> > 2015-05-26 12:26:36|9344|46:46|timeout|Linux.pm:get_firewall_configuration(4007)|output rule: 6, ACCEPT, tcp, 0.0.0.0/0, 0.0.0.0/0, 80
> > 2015-05-26 12:26:36|9344|46:46|timeout|Linux.pm:get_firewall_configuration(4007)|output rule: 7, ACCEPT, tcp, 0.0.0.0/0, 0.0.0.0/0, 3389
> > 2015-05-26 12:26:36|26123|vcld:main(167)|lastcheckin time updated for management node 1: 2015-05-26 12:26:36
> > 2015-05-26 12:26:37|9344|46:46|timeout|Linux.pm:get_firewall_configuration(4007)|output rule: 8, ACCEPT, udp, 0.0.0.0/0, 0.0.0.0/0, 3389
> > 2015-05-26 12:26:38|9344|46:46|timeout|Linux.pm:get_firewall_configuration(3991)|output Chain = FORWARD
> > 2015-05-26 12:26:38|9344|46:46|timeout|Linux.pm:get_firewall_configuration(3991)|output Chain = OUTPUT
> > 2015-05-26 12:26:38|9344|46:46|timeout|Linux.pm:get_firewall_configuration(4050)|retrieved firewall configuration from VM7Cent6VCL1:
> > |9344|46:46|timeout| : {
> > |9344|46:46|timeout| :   "FORWARD" => {
> > |9344|46:46|timeout| :     "1" => {
> > |9344|46:46|timeout| :       "all" => {
> > |9344|46:46|timeout| :         "any" => {
> > |9344|46:46|timeout| :           "destination" => "0.0.0.0/0",
> > |9344|46:46|timeout| :           "name" => "any",
> > |9344|46:46|timeout| :           "number" => 1,
> > |9344|46:46|timeout| :           "scope" => "0.0.0.0/0",
> > |9344|46:46|timeout| :           "target" => "REJECT"
> > |9344|46:46|timeout| :         }
> > |9344|46:46|timeout| :       }
> > |9344|46:46|timeout| :     }
> > |9344|46:46|timeout| :   },
> > |9344|46:46|timeout| :   "INPUT" => {
> > |9344|46:46|timeout| :     "1" => {
> > |9344|46:46|timeout| :       "tcp" => {
> > |9344|46:46|timeout| :         "22" => {
> > |9344|46:46|timeout| :           "destination" => "0.0.0.0/0",
> > |9344|46:46|timeout| :           "name" => "ssh",
> > |9344|46:46|timeout| :           "number" => 1,
> > |9344|46:46|timeout| :           "scope" => "0.0.0.0/0",
> > |9344|46:46|timeout| :           "target" => "ACCEPT"
> > |9344|46:46|timeout| :         }
> > |9344|46:46|timeout| :       }
> > |9344|46:46|timeout| :     },
> > |9344|46:46|timeout| :     "2" => {
> > |9344|46:46|timeout| :       "all" => {
> > |9344|46:46|timeout| :         "any" => {
> > |9344|46:46|timeout| :           "destination" => "0.0.0.0/0",
> > |9344|46:46|timeout| :           "name" => "any",
> > |9344|46:46|timeout| :           "number" => 2,
> > |9344|46:46|timeout| :           "scope" => "0.0.0.0/0",
> > |9344|46:46|timeout| :           "target" => "ACCEPT"
> > |9344|46:46|timeout| :         }
> > |9344|46:46|timeout| :       }
> > |9344|46:46|timeout| :     },
> > |9344|46:46|timeout| :     "3" => {
> > |9344|46:46|timeout| :       "icmp" => {
> > |9344|46:46|timeout| :         "any" => {
> > |9344|46:46|timeout| :           "destination" => "0.0.0.0/0",
> > |9344|46:46|timeout| :           "name" => "any",
> > |9344|46:46|timeout| :           "number" => 3,
> > |9344|46:46|timeout| :           "scope" => "0.0.0.0/0",
> > |9344|46:46|timeout| :           "target" => "ACCEPT"
> > |9344|46:46|timeout| :         }
> > |9344|46:46|timeout| :       }
> > |9344|46:46|timeout| :     },
> > |9344|46:46|timeout| :     "4" => {
> > |9344|46:46|timeout| :       "all" => {
> > |9344|46:46|timeout| :         "any" => {
> > |9344|46:46|timeout| :           "destination" => "0.0.0.0/0",
> > |9344|46:46|timeout| :           "name" => "any",
> > |9344|46:46|timeout| :           "number" => 4,
> > |9344|46:46|timeout| :           "scope" => "0.0.0.0/0",
> > |9344|46:46|timeout| :           "target" => "ACCEPT"
> > |9344|46:46|timeout| :         }
> > |9344|46:46|timeout| :       }
> > |9344|46:46|timeout| :     },
> > |9344|46:46|timeout| :     "5" => {
> > |9344|46:46|timeout| :       "tcp" => {
> > |9344|46:46|timeout| :         "443" => {
> > |9344|46:46|timeout| :           "destination" => "0.0.0.0/0",
> > |9344|46:46|timeout| :           "name" => "https",
> > |9344|46:46|timeout| :           "number" => 5,
> > |9344|46:46|timeout| :           "scope" => "0.0.0.0/0",
> > |9344|46:46|timeout| :           "target" => "ACCEPT"
> > |9344|46:46|timeout| :         }
> > |9344|46:46|timeout| :       }
> > |9344|46:46|timeout| :     },
> > |9344|46:46|timeout| :     "6" => {
> > |9344|46:46|timeout| :       "tcp" => {
> > |9344|46:46|timeout| :         "80" => {
> > |9344|46:46|timeout| :           "destination" => "0.0.0.0/0",
> > |9344|46:46|timeout| :           "name" => "http",
> > |9344|46:46|timeout| :           "number" => 6,
> > |9344|46:46|timeout| :           "scope" => "0.0.0.0/0",
> > |9344|46:46|timeout| :           "target" => "ACCEPT"
> > |9344|46:46|timeout| :         }
> > |9344|46:46|timeout| :       }
> > |9344|46:46|timeout| :     },
> > |9344|46:46|timeout| :     "7" => {
> > |9344|46:46|timeout| :       "tcp" => {
> > |9344|46:46|timeout| :         "3389" => {
> > |9344|46:46|timeout| :           "destination" => "0.0.0.0/0",
> > |9344|46:46|timeout| :           "name" => "ms-wbt-server",
> > |9344|46:46|timeout| :           "number" => 7,
> > |9344|46:46|timeout| :           "scope" => "0.0.0.0/0",
> > |9344|46:46|timeout| :           "target" => "ACCEPT"
> > |9344|46:46|timeout| :         }
> > |9344|46:46|timeout| :       }
> > |9344|46:46|timeout| :     },
> > |9344|46:46|timeout| :     "8" => {
> > |9344|46:46|timeout| :       "udp" => {
> > |9344|46:46|timeout| :         "3389" => {
> > |9344|46:46|timeout| :           "destination" => "0.0.0.0/0",
> > |9344|46:46|timeout| :           "name" => "ms-wbt-server",
> > |9344|46:46|timeout| :           "number" => 8,
> > |9344|46:46|timeout| :           "scope" => "0.0.0.0/0",
> > |9344|46:46|timeout| :           "target" => "ACCEPT"
> > |9344|46:46|timeout| :         }
> > |9344|46:46|timeout| :       }
> > |9344|46:46|timeout| :     },
> > |9344|46:46|timeout| :     "9" => {
> > |9344|46:46|timeout| :       "all" => {
> > |9344|46:46|timeout| :         "any" => {
> > |9344|46:46|timeout| :           "destination" => "0.0.0.0/0",
> > |9344|46:46|timeout| :           "name" => "any",
> > |9344|46:46|timeout| :           "number" => 9,
> > |9344|46:46|timeout| :           "scope" => "0.0.0.0/0",
> > |9344|46:46|timeout| :           "target" => "REJECT"
> > |9344|46:46|timeout| :         }
> > |9344|46:46|timeout| :       }
> > |9344|46:46|timeout| :     }
> > |9344|46:46|timeout| :   }
> > |9344|46:46|timeout| : }
> > 
> > 2015-05-26 12:26:38|9344|46:46|timeout|Linux.pm:disable_firewall_port(3783)|attempting to execute command on VM7Cent6VCL1: 'iptables -D INPUT 1'
> > 2015-05-26 12:26:38|9344|46:46|timeout|utils.pm:run_ssh_command(4902)|executing SSH command on VM7Cent6VCL1:
> > |9344|46:46|timeout| /usr/bin/ssh -i /etc/vcl/vcl.key  -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectionAttempts=1 -o ConnectTimeout=3 -l root -p 22 -x VM7Cent6VCL1 'iptables -D INPUT 1' 2>&1
> > 2015-05-26 12:26:39|9344|46:46|timeout|utils.pm:run_ssh_command(5020)|run_ssh_command output:
> > 2015-05-26 12:26:39|9344|46:46|timeout|utils.pm:run_ssh_command(5034)|SSH command executed on VM7Cent6VCL1, returning (0, "")
> > 2015-05-26 12:26:39|9344|46:46|timeout|Linux.pm:disable_firewall_port(3785)|executed command on VM7Cent6VCL1: 'iptables -D INPUT 1'
> > 2015-05-26 12:26:39|9344|46:46|timeout|utils.pm:run_ssh_command(4902)|executing SSH command on VM7Cent6VCL1:
> > |9344|46:46|timeout| /usr/bin/ssh -i /etc/vcl/vcl.key  -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectionAttempts=1 -o ConnectTimeout=3 -l root -p 22 -x VM7Cent6VCL1 '/sbin/iptables-save > /etc/sysconfig/iptables' 2>&1
> > 
> > |9344|46:46|timeout| ---- WARNING ----
> > |9344|46:46|timeout| 2015-05-26 12:26:39|9344|46:46|timeout|utils.pm:run_ssh_command(5006)|attempt 1/3: failed to execute SSH command on VM7Cent6VCL1: '/sbin/iptables-save > /etc/sysconfig/iptables', exit status: 255, output:
> > |9344|46:46|timeout| ssh output (/sbin/ipta...): ssh: connect to host VM7Cent6VCL1 port 22: No route to host
> > 
> > |9344|46:46|timeout| ( 0) utils.pm, run_ssh_command (line: 5006)
> > |9344|46:46|timeout| (-1) OS.pm, execute (line: 1992)
> > |9344|46:46|timeout| (-2) Linux.pm, disable_firewall_port (line: 3794)
> > |9344|46:46|timeout| (-3) OS.pm, process_connect_methods (line: 2576)
> > |9344|46:46|timeout| (-4) Linux.pm, sanitize (line: 1172)
> > |9344|46:46|timeout| (-5) reclaim.pm, call_os_sanitize (line: 271)
> > 
> > 2015-05-26 12:26:39|9344|46:46|timeout|utils.pm:run_ssh_command(4894)|sleeping for 2 seconds before making next SSH attempt
> > 201
> > 
> > Thanks
> > 
> > Lewis
> 
> --
> -------------------------------
> Josh Thompson
> VCL Developer
> North Carolina State University
> 
> my GPG/PGP key can be found at pgp.mit.edu
> 
> All electronic mail messages in connection with State business which
> are sent to or received by this account are subject to the NC Public
> Records Law and may be disclosed to third parties.
-- 
-------------------------------
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found at pgp.mit.edu

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.
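Added example, not code from VCL or from anyone on the thread: a small first-match simulator of the INPUT chain exactly as the log lists it, showing why `iptables -D INPUT 1` at timeout left the management node's next SSH hitting rule 9's REJECT (the ssh client's "No route to host" is consistent with the icmp-host-prohibited that rule sends), and why the separate VCL chain from Josh's reply keeps the management-node allow out of the rules VCL adds and removes. It assumes placeholder addresses for the management node and a user, that rule 4 of the listing (no port, no state) is the stock CentOS `-i lo` rule, which `-L` without `-v` cannot show, and that VCL inserts its reservation rule at INPUT position 1, which is where the listing shows it.

```python
"""Toy first-match model of the INPUT chain from the vcld.log listing.

Added illustration only, not VCL's code. MGMT_IP and USER_IP are placeholders;
rule 4 is modelled as the CentOS `-i lo` rule (assumption); VCL is modelled as
inserting its reservation rule at INPUT position 1, as the listing shows.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

MGMT_IP = "192.0.2.10"     # assumption: the VCL management node
USER_IP = "198.51.100.7"   # assumption: a reservation user's workstation
TERMINAL = {"ACCEPT", "REJECT", "DROP"}
NEW_REL_EST = frozenset({"NEW", "RELATED", "ESTABLISHED"})
REL_EST = frozenset({"RELATED", "ESTABLISHED"})
NEW = frozenset({"NEW"})


@dataclass
class Rule:
    target: str                      # ACCEPT/REJECT, or a user chain to -j into
    proto: str = "all"               # -p: all, tcp, udp, icmp
    src: str = "0.0.0.0/0"           # -s: only "any" or an exact host is modelled
    dport: Optional[int] = None      # --dport
    states: frozenset = frozenset()  # -m state --state; empty means not checked
    iface: Optional[str] = None      # -i


def rule_matches(rule: Rule, pkt: dict) -> bool:
    return (rule.proto in ("all", pkt["proto"])
            and rule.src in ("0.0.0.0/0", pkt["src"])
            and rule.dport in (None, pkt.get("dport"))
            and (not rule.states or pkt["state"] in rule.states)
            and rule.iface in (None, pkt["iface"]))


def _walk(chains: Dict[str, List[Rule]], chain: str, pkt: dict) -> Optional[str]:
    """First matching terminal target wins. A -j into a user chain enters it;
    if nothing there matches, evaluation resumes at the caller's next rule."""
    for rule in chains[chain]:
        if not rule_matches(rule, pkt):
            continue
        if rule.target in TERMINAL:
            return rule.target
        sub = _walk(chains, rule.target, pkt)
        if sub is not None:
            return sub
    return None


def verdict(chains: Dict[str, List[Rule]], pkt: dict) -> str:
    """Verdict for a packet entering INPUT; policy ACCEPT, as in the listing."""
    return _walk(chains, "INPUT", pkt) or "ACCEPT"


def new_ssh(src: str) -> dict:
    return {"proto": "tcp", "src": src, "dport": 22, "state": "NEW", "iface": "eth0"}


def original_layout() -> Dict[str, List[Rule]]:
    """INPUT as the log lists it at timeout: VCL's reservation rule at 1, the
    stock CentOS rules, the user's 443/80/3389 rules, then the final REJECT."""
    return {"INPUT": [
        Rule("ACCEPT", "tcp", dport=22, states=NEW_REL_EST),
        Rule("ACCEPT", states=REL_EST),
        Rule("ACCEPT", "icmp"),
        Rule("ACCEPT", iface="lo"),
        Rule("ACCEPT", "tcp", dport=443, states=NEW),
        Rule("ACCEPT", "tcp", dport=80, states=NEW),
        Rule("ACCEPT", "tcp", dport=3389, states=NEW),
        Rule("ACCEPT", "udp", dport=3389, states=NEW),
        Rule("REJECT"),
    ]}


def vcl_chain_layout() -> Dict[str, List[Rule]]:
    """Josh's recipe: INPUT only jumps to a VCL chain that holds the
    management-node allow and the final REJECT."""
    return {"INPUT": [Rule("VCL")],
            "VCL": [Rule("ACCEPT", iface="lo"),
                    Rule("ACCEPT", states=REL_EST),
                    Rule("ACCEPT", "icmp"),
                    Rule("ACCEPT", "tcp", src=MGMT_IP, dport=22, states=NEW),
                    Rule("REJECT")]}


def vcl_open_port(chains, port: int):
    """VCL opening a port for a reservation, modelled as `iptables -I INPUT 1`."""
    new = {name: list(rules) for name, rules in chains.items()}
    new["INPUT"].insert(0, Rule("ACCEPT", "tcp", dport=port, states=NEW_REL_EST))
    return new


def vcl_cleanup(chains):
    """What the log shows at timeout: `iptables -D INPUT 1`."""
    new = {name: list(rules) for name, rules in chains.items()}
    del new["INPUT"][0]
    return new


def lockout_demo() -> Dict[str, Dict[str, str]]:
    """SSH verdicts during and after the reservation, for both layouts."""
    during = {"original": original_layout(),  # already holds the rule at 1
              "vcl_chain": vcl_open_port(vcl_chain_layout(), 22)}
    return {name: {"mgmt_during": verdict(c, new_ssh(MGMT_IP)),
                   "mgmt_after_cleanup": verdict(vcl_cleanup(c), new_ssh(MGMT_IP)),
                   "user_after_cleanup": verdict(vcl_cleanup(c), new_ssh(USER_IP))}
            for name, c in during.items()}


def appended_rule_is_dead() -> bool:
    """Caveat: the VCL chain ends in REJECT, so a rule *appended* to INPUT after
    the jump is never reached. The layout relies on VCL inserting at position 1."""
    chains = vcl_chain_layout()
    chains["INPUT"].append(Rule("ACCEPT", "tcp", dport=22, states=NEW))
    return verdict(chains, new_ssh(USER_IP)) == "REJECT"


if __name__ == "__main__":
    for layout, res in lockout_demo().items():
        print(layout, res)
    print("rule appended after the jump is unreachable:", appended_rule_is_dead())
```

With the original layout the management node's SSH goes from ACCEPT to REJECT the moment rule 1 is deleted, which is the point in the log where the `iptables-save` step fails; with the VCL chain it stays ACCEPT while a user's SSH is rejected, so the reservation is still closed properly. The `appended_rule_is_dead` check is the caveat to keep in mind with this design: because the VCL chain ends in a REJECT, any rule that lands in INPUT below the jump is never evaluated, so it only works as long as VCL inserts its rules at the top.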
