Hi
I would like to add rules into the iptables of the Hosted Engine VM in Ovirt.
The version is oVirt Engine Version: 4.1.1.8-1.el7.centos. I have tried using the normal process for iptables (iptables-save etc.), but it seems that the file /etc/sysconfig/iptables is ignored in the oVirt Engine VM. How can I add permanent rules into the Engine VM?
Kind regards
Andrew
On Sun, May 28, 2017 at 8:17 AM, Andrew Dent adent@ctcroydon.com.au wrote:
Hi, probably the oVirt users mailing list would be better than the general CentOS list; here are the archives and registration information: https://lists.ovirt.org/mailman/listinfo/users
That said, the hosted engine setup workflow should give you the option to configure the firewall too. Didn't you choose that option? Did you use the provided appliance, or did you manage the OS installation yourself and run engine-setup inside the hosted engine VM?
I suppose you have iptables and not firewalld installed, so that the command
systemctl status firewalld
returns "service not found", correct? Otherwise you have to disable firewalld and enable iptables.
For my hosted engine 4.1.1 test setup I have firewalld in place on CentOS 7.3, which is the default when using the appliance, and these are the rules if I run
iptables -S > /tmp/iptables-dump.txt
so you can convert them to /etc/sysconfig/iptables rules. Note that the needed rules could also change depending on the oVirt-related services you enable on the engine (e.g. ovirt-imageio-proxy, which needs port 54323 open below, websocket proxy, etc.).
[root@ractorshe ~]# cat /tmp/iptables-dump.txt
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N FORWARD_IN_ZONES
-N FORWARD_IN_ZONES_SOURCE
-N FORWARD_OUT_ZONES
-N FORWARD_OUT_ZONES_SOURCE
-N FORWARD_direct
-N FWDI_public
-N FWDI_public_allow
-N FWDI_public_deny
-N FWDI_public_log
-N FWDO_public
-N FWDO_public_allow
-N FWDO_public_deny
-N FWDO_public_log
-N INPUT_ZONES
-N INPUT_ZONES_SOURCE
-N INPUT_direct
-N IN_public
-N IN_public_allow
-N IN_public_deny
-N IN_public_log
-N OUTPUT_direct
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i eth0 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o eth0 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -i eth0 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 6641 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 6642 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 6100 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 9696 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 2222 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 54323 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 5432 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 7410 -m conntrack --ctstate NEW -j ACCEPT
NOTE: 6641 and 6642 are for the OVN setup ( http://www.ovirt.org/develop/release-management/features/ovirt-ovn-provider/ ) and probably you don't need them.
If I run the dump from the command "ip6tables -S" and then diff it with the former file, you get a hint on how to also create your /etc/sysconfig/ip6tables file if you are using IPv6.
[root@ractorshe ~]# diff /tmp/ip6tables-dump.txt /tmp/iptables-dump.txt
31c31
< -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
---
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
40c40
< -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
---
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
49c49
< -A FWDI_public -p ipv6-icmp -j ACCEPT
---
> -A FWDI_public -p icmp -j ACCEPT
58c58,60
< -A IN_public -p ipv6-icmp -j ACCEPT
---
> -A IN_public -p icmp -j ACCEPT
> -A IN_public_allow -p tcp -m tcp --dport 6641 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_public_allow -p tcp -m tcp --dport 6642 -m conntrack --ctstate NEW -j ACCEPT
63d64
< -A IN_public_allow -d fe80::/64 -p udp -m udp --dport 546 -m conntrack --ctstate NEW -j ACCEPT
[root@ractorshe ~]#
HIH, Gianluca
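The conversion Gianluca describes, from the firewalld-generated chains that "iptables -S" prints to a flat /etc/sysconfig/iptables file, as an added example that is not part of the thread or of oVirt itself. It assumes the engine VM has been switched from firewalld to iptables-services, and it runs offline here against a constructed subset of the IN_public_allow rules quoted above; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): flatten the firewalld-style chains
# that "iptables -S" prints into the iptables-restore format that
# /etc/sysconfig/iptables expects, keeping every port the *_allow chains accept.

# Constructed sample: a subset of the IN_public_allow rules from the dump above.
SAMPLE_DUMP='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 54323 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 7410 -m conntrack --ctstate NEW -j ACCEPT'

# stdin: "iptables -S" output. stdout: one "proto port" pair per ACCEPT rule
# found in a *_allow chain (the other chains are firewalld zone plumbing).
extract_allowed_ports() {
    awk '$1 == "-A" && $2 ~ /_allow$/ && /--dport/ && /-j ACCEPT/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") port = $(i + 1)
        }
        print proto, port
    }'
}

# stdin: "proto port" pairs. stdout: an iptables-save style filter table that
# mirrors the dump's policy: accept established/loopback/ICMP, open the listed
# ports for NEW connections, drop INVALID, reject everything else.
render_sysconfig_iptables() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -i lo -j ACCEPT' '-A INPUT -p icmp -j ACCEPT'
    while read -r proto port; do
        [ -n "$proto" ] && [ -n "$port" ] || continue
        printf '%s\n' "-A INPUT -p $proto -m $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -j REJECT --reject-with icmp-host-prohibited' \
        '-A FORWARD -j REJECT --reject-with icmp-host-prohibited' 'COMMIT'
}

# Wrapper: dump text in, /etc/sysconfig/iptables content out.
convert_dump() {
    printf '%s\n' "$1" | extract_allowed_ports | render_sysconfig_iptables
}

# On a real engine VM (after "systemctl disable firewalld" and enabling
# iptables-services):  convert_dump "$(iptables -S)" > /etc/sysconfig/iptables
```

Review the generated file before loading it with iptables-restore, since any service-specific port not present in an *_allow chain (or one you add later, such as the OVN ports) has to be appended by hand.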