For user VMs' outgoing traffic to be allowed, you need to add egress rules on the network.
Thanks,
Jayapal

On 20-May-2014, at 8:38 PM, Andrei Mikhailovsky <[email protected]> wrote:

> Hello guys,
>
> Having a bit of an issue with clean installs of ACS 4.2.1. The same issue is
> present on ACS 4.3. Both of the system VMs are created and shown as Running.
> When I log in either to ssvm or cpvm I am able to ping internal and external
> DNS servers, as well as I can ping public hosts like 8.8.8.8, etc. I am able
> to access public IPs on ports 80 or 443 and that's pretty much it. I am unable
> to resolve anything or access any other ports. This applies to the management
> and public networks.
>
> I had a quick investigation and it seems that the XenServer iptables rules
> are not properly set up. The default iptables policy that I have is:
>
> # iptables -L -nv
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 6880K 9595M RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 40776 25M RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 6152K packets, 15G bytes)
> pkts bytes target prot opt in out source destination
>
> Chain RH-Firewall-1-INPUT (2 references)
> pkts bytes target prot opt in out source destination
> 2355K 5758M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
> 349K 21M ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255
> 0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
> 0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
> 3 261 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
> 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631
> 3 180 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
> 0 0 ACCEPT udp -- xenapi * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
> 4164K 3815M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:694
> 19 1092 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
> 13 732 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
> 10542 632K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
> 42147 26M REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with
> icmp-host-prohibited
>
>
> In order for my system VMs to resolve anything I have to manually add the
> following lines on the hypervisor:
>
> iptables -I RH-Firewall-1-INPUT -p udp --dport 53 -j ACCEPT
> iptables -I RH-Firewall-1-INPUT -p tcp --dport 53 -j ACCEPT
>
> Has anyone seen this behaviour from a clean install? Did I miss an important
> step during the hypervisor install?
>
> My networking is Advanced + XenServer 6.2 with latest updates. I have the
> following network setup:
>
> NIC0 - Network Name in XenCenter - Management. ACS traffic label for the
> Management network is Management
>
> NIC1 - Network name in XenCenter - CloudStack - ACS traffic labels for Public
> and Guest networks is CloudStack
>
> Cheers
>
> Andrei
>
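The behaviour Andrei describes follows from the FORWARD chain jumping into RH-Firewall-1-INPUT, whose last rule REJECTs anything not listed. The script below, an added example and not code from the thread or from CloudStack, parses a constructed subset of that `iptables -L -nv` listing, evaluates a packet against the chain first-match as iptables does, and shows why a NEW UDP/TCP 53 packet from a system VM is rejected until the two `-I ... --dport 53` rules are inserted. It ignores source/destination matching (every sampled rule is 0.0.0.0/0 anyway), and the bridge name `xenbr0` is an assumed placeholder.

```python
import re

# Constructed sample: a subset of the RH-Firewall-1-INPUT chain quoted in the thread,
# in `iptables -L -nv` layout. FORWARD jumps into this chain for every forwarded packet.
SAMPLE = """\
Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target prot opt in out source destination
2355K 5758M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
349K 21M ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255
0 0 ACCEPT udp -- xenapi * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
4164K 3815M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
19 1092 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
13 732 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
10542 632K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
42147 26M REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
"""

def parse_chain(text):
    """Turn `iptables -L -nv` lines into rule dicts (target, proto, in-iface, dport, states)."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9 or f[0] == "pkts":       # skip chain header and column header
            continue
        rule = {"target": f[2], "proto": f[3], "in": f[5], "dport": None, "states": None}
        extra = " ".join(f[9:])                 # match extensions after source/destination
        m = re.search(r"dpt:(\d+)", extra)
        if m:
            rule["dport"] = int(m.group(1))
        m = re.search(r"state (\S+)", extra)
        if m:
            rule["states"] = set(m.group(1).split(","))
        rules.append(rule)
    return rules

def verdict(rules, proto, dport, state="NEW", in_iface="xenbr0"):
    """First matching rule wins, as in iptables; fall-through returns to FORWARD's ACCEPT policy."""
    for r in rules:
        if r["proto"] not in ("all", proto):
            continue
        if r["in"] != "*" and r["in"] != in_iface:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if r["states"] is not None and state not in r["states"]:
            continue
        return r["target"]
    return "ACCEPT"

def with_dns_fix(rules):
    """Model the thread's workaround: `iptables -I RH-Firewall-1-INPUT -p {udp,tcp} --dport 53 -j ACCEPT`."""
    fix = [{"target": "ACCEPT", "proto": p, "in": "*", "dport": 53, "states": None} for p in ("udp", "tcp")]
    return fix + rules                          # -I inserts at the top, ahead of the final REJECT
```

Replies to the system VM's own queries still pass via the RELATED,ESTABLISHED rule; it is only the outbound NEW packet on port 53 that the unmodified chain rejects, which matches the "can ping, can reach 80/443, cannot resolve" symptom.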
