Sanjeev, 

thanks. Because of unclear instructions in the install guide, I had run the 
commands to switch to the bridge mode. Perhaps that was the reason why my 
systemvm network was not working. I've done a clean install without running 
these commands and all is working okay. 

Cheers 

Andrei 

----- Original Message -----

From: "Sanjeev Neelarapu" <[email protected]> 
To: [email protected] 
Sent: Wednesday, 21 May, 2014 5:06:53 AM 
Subject: RE: XenServer 6.2 blocks vm outgoing traffic 

Hi Andrei, 

As you said, egress rules are not applicable for system vms. Since you are using 
advanced networking you don't have to add any iptables rules on the hypervisor. 
Also make sure that on the hypervisor the network is set to "openvswitch". 
If you are trying to download the template from any of your internal web 
servers add those cidrs to "secstorage.allowed.internal.sites" in global 
setting parameters. 

I have a setup with XenServer 6.2 with all updates. SSVM is able to resolve the 
domain names without adding port 53 on the hypervisor iptables. 

Thanks, 
Sanjeev 

-----Original Message----- 
From: Andrei Mikhailovsky [mailto:[email protected]] 
Sent: Wednesday, May 21, 2014 1:25 AM 
To: [email protected] 
Subject: Re: XenServer 6.2 blocks vm outgoing traffic 



Jayapal, 

I would imagine this is the case for guest vms. However, I would think that the 
default policy for system vms would allow dns resolution so that ssvm would be 
able to download templates and isos from the internet. Is this not the case? 

Where would I control the default egress rules for the system vms? 

Thanks 

Andrei 

----- Original Message ----- 

From: "Jayapal Reddy Uradi" <[email protected]> 
To: "<[email protected]>" <[email protected]> 
Sent: Tuesday, 20 May, 2014 4:48:34 PM 
Subject: Re: XenServer 6.2 blocks vm outgoing traffic 

For user vms, to allow outgoing traffic you need to add egress rules on the network. 


Thanks, 
Jayapal 

On 20-May-2014, at 8:38 PM, Andrei Mikhailovsky <[email protected]> wrote: 

> Hello guys, 
> 
> Having a bit of an issue with clean installs of ACS 4.2.1. The same issue is 
> present on ACS 4.3. Both of the system vms are created and shown as Running. 
> When I login either to ssvm or cpvm I am able to ping internal and external 
> dns servers, as well as I can ping public hosts like 8.8.8.8, etc. I am able 
> to access public IPs on ports 80 or 443 and that's pretty much it. I am unable 
> to resolve anything or access any other ports. This applies to the management 
> and public networks. 
> 
> I had a quick investigation and it seems that the XenServer iptables rules 
> are not properly setup. The default iptables policy that I have is: 
> 
> # iptables -L -nv 
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes) 
>  pkts bytes target               prot opt in     out  source     destination 
> 6880K 9595M RH-Firewall-1-INPUT  all  --  *      *    0.0.0.0/0  0.0.0.0/0 
> 
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) 
>  pkts bytes target               prot opt in     out  source     destination 
> 40776   25M RH-Firewall-1-INPUT  all  --  *      *    0.0.0.0/0  0.0.0.0/0 
> 
> Chain OUTPUT (policy ACCEPT 6152K packets, 15G bytes) 
>  pkts bytes target               prot opt in     out  source     destination 
> 
> Chain RH-Firewall-1-INPUT (2 references) 
>  pkts bytes target               prot opt in     out  source     destination 
> 2355K 5758M ACCEPT               all  --  lo     *    0.0.0.0/0  0.0.0.0/0 
>  349K   21M ACCEPT               icmp --  *      *    0.0.0.0/0  0.0.0.0/0    icmp type 255 
>     0     0 ACCEPT               esp  --  *      *    0.0.0.0/0  0.0.0.0/0 
>     0     0 ACCEPT               ah   --  *      *    0.0.0.0/0  0.0.0.0/0 
>     3   261 ACCEPT               udp  --  *      *    0.0.0.0/0  224.0.0.251  udp dpt:5353 
>     0     0 ACCEPT               udp  --  *      *    0.0.0.0/0  0.0.0.0/0    udp dpt:631 
>     3   180 ACCEPT               tcp  --  *      *    0.0.0.0/0  0.0.0.0/0    tcp dpt:631 
>     0     0 ACCEPT               udp  --  xenapi *    0.0.0.0/0  0.0.0.0/0    udp dpt:67 
> 4164K 3815M ACCEPT               all  --  *      *    0.0.0.0/0  0.0.0.0/0    state RELATED,ESTABLISHED 
>     0     0 ACCEPT               udp  --  *      *    0.0.0.0/0  0.0.0.0/0    state NEW udp dpt:694 
>    19  1092 ACCEPT               tcp  --  *      *    0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:22 
>    13   732 ACCEPT               tcp  --  *      *    0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:80 
> 10542  632K ACCEPT               tcp  --  *      *    0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:443 
> 42147   26M REJECT               all  --  *      *    0.0.0.0/0  0.0.0.0/0    reject-with icmp-host-prohibited 
> 
> 
> In order for my system vms to resolve anything I have to manually add the 
> following lines on the hypervisor: 
> 
> iptables -I RH-Firewall-1-INPUT -p udp --dport 53 -j ACCEPT 
> iptables -I RH-Firewall-1-INPUT -p tcp --dport 53 -j ACCEPT 
> 
> Has anyone seen this behaviour from a clean install? Did I miss an important 
> step during the hypervisor install? 
> 
> My networking is Advanced + XenServer 6.2 with latest updates. I have the 
> following network setup: 
> 
> NIC0 - Network Name in XenCenter - Management. ACS traffic label for 
> the Management network is Management 
> 
> NIC1 - Network name in XenCenter - CloudStack - ACS traffic labels for 
> Public and Guest networks is CloudStack 
> 
> Cheers 
> 
> Andrei 
> 
> 
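Added example, not code from this thread and not part of CloudStack or XenServer. It turns the two checks the replies converge on into a small audit script: whether a given destination port is ACCEPTed in the hypervisor's RH-Firewall-1-INPUT chain before the terminal REJECT (Andrei's posted chain is referenced from both INPUT and FORWARD, which is one reading of why bridged guest DNS was blocked until he re-installed without switching to bridge mode), and whether the host's network backend is "openvswitch" as Sanjeev asked. The chain text is a constructed sample reproduced from the post, one rule per line as `iptables -L -nv` prints it; `/etc/xensource/network.conf` as the place XenServer 6.x records its backend, and the `iptables -L RH-Firewall-1-INPUT -nv` invocation for a live host, are my assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread, CloudStack or XenServer): audit the two
# conditions discussed above. Everything here runs offline against constructed
# samples; only the usage note below touches a live host.

# Constructed sample: the RH-Firewall-1-INPUT chain from Andrei's first post,
# one rule per line as `iptables -L -nv` prints it (counters copied as posted).
SAMPLE_BEFORE='Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target prot opt in out source destination
2355K 5758M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
 349K 21M ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255
    0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
    3 261 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
    0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631
    3 180 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
    0 0 ACCEPT udp -- xenapi * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
4164K 3815M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:694
   19 1092 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
   13 732 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
10542 632K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
42147 26M REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited'

# Constructed sample: the same chain after the two `iptables -I ... --dport 53`
# commands from the first post, which insert the DNS rules at the chain head.
SAMPLE_AFTER="Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
    0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
$(printf '%s\n' "$SAMPLE_BEFORE" | sed '1,2d')"

# chain_allows_dport OUTPUT CHAIN PROTO PORT -> prints yes|no
# Walks CHAIN in rule order, as the kernel does: the first ACCEPT for PROTO with
# a matching "dpt:PORT" wins; a REJECT or DROP met first ends the search.
# Only port-specific ACCEPTs count, so this is a conservative answer for a NEW
# connection arriving on a non-loopback interface.
chain_allows_dport() {
    printf '%s\n' "$1" | awk -v chain="$2" -v proto="$3" -v port="$4" '
        /^Chain /                            { in_chain = ($2 == chain); next }
        !in_chain || NF == 0 || $1 == "pkts" { next }
        $3 == "ACCEPT" && $4 == proto && $0 ~ ("dpt:" port "( |$)") {
            print "yes"; decided = 1; exit
        }
        $3 == "REJECT" || $3 == "DROP"       { print "no"; decided = 1; exit }
        END {
            # no explicit verdict in this chain: report it as not allowed here
            if (!decided) print "no"
        }
    '
}

# network_backend_ok CONTENT -> prints yes|no
# Sanjeev's check: the host should be on the openvswitch backend, not bridge.
# Assumption: on XenServer 6.x the active backend is the single word stored in
# /etc/xensource/network.conf; pass that file's content here.
network_backend_ok() {
    case "$(printf '%s' "$1" | tr -d '[:space:]')" in
        openvswitch) echo yes ;;
        *)           echo no ;;
    esac
}

# audit_host CHAIN_OUTPUT BACKEND -> one finding per check; returns 0 if all pass
audit_host() {
    rc=0
    for spec in udp:53 tcp:53 tcp:443; do
        proto=${spec%:*}; port=${spec#*:}
        if [ "$(chain_allows_dport "$1" RH-Firewall-1-INPUT "$proto" "$port")" = yes ]; then
            echo "ok    $spec accepted in RH-Firewall-1-INPUT"
        else
            echo "FAIL  $spec reaches the REJECT in RH-Firewall-1-INPUT"; rc=1
        fi
    done
    if [ "$(network_backend_ok "$2")" = yes ]; then
        echo "ok    network backend is openvswitch"
    else
        echo "FAIL  network backend is not openvswitch (host switched to bridge mode?)"; rc=1
    fi
    return $rc
}

echo "== as posted: no DNS rules, bridge backend =="
audit_host "$SAMPLE_BEFORE" bridge || true
echo "== after DNS rules, openvswitch backend =="
audit_host "$SAMPLE_AFTER" openvswitch
```

On a live host the same functions take the real output, e.g. `audit_host "$(iptables -L RH-Firewall-1-INPUT -nv)" "$(cat /etc/xensource/network.conf)"`; both the chain name and the config path are assumptions from the thread and from XenServer 6.x conventions, so adjust them for other releases. Note that the parser deliberately ignores the "ACCEPT all" entries for `lo` and for RELATED,ESTABLISHED state, which is why it reports udp:53 as rejected on the posted chain even though replies to connections the hypervisor itself opened would pass.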


