On Sun, May 28, 2017 at 8:17 AM, Andrew Dent <adent at ctcroydon.com.au> wrote:
> Hi
>
> I would like to add rules into the iptables of the Hosted Engine VM in
> oVirt.
>
> The version is oVirt Engine Version: 4.1.1.8-1.el7.centos
> I have tried using the normal process for iptables (iptables-save etc.),
> but it seems that the file
> /etc/sysconfig/iptables
> is ignored in the oVirt Engine VM.
> How can I add permanent rules into the Engine VM?
>
> Kind regards
>
> Andrew

Hi,
probably the oVirt users mailing list would be better than the general CentOS list; here are the archives and registration information:
https://lists.ovirt.org/mailman/listinfo/users

That said, the hosted engine setup workflow should give you the option to configure the firewall too. Didn't you choose that option?
Did you use the provided appliance, or did you manage the OS installation yourself and run engine-setup inside the hosted engine VM?

I suppose you have iptables and not firewalld installed, so that the command

systemctl status firewalld

returns service not found, correct? Otherwise you have to disable firewalld and enable iptables.

For my hosted engine 4.1.1 test setup I have firewalld in place on CentOS 7.3, which is the default when using the appliance, and these are the rules if I run

iptables -S > /tmp/iptables-dump.txt

so you can convert them to /etc/sysconfig/iptables rules.
Note that the needed rules could also change depending on the oVirt related services you enable on the engine (e.g. ovirt-imageio-proxy, which needs port 54323 open below, websocket proxy, etc.).

[root at ractorshe ~]# cat /tmp/iptables-dump.txt
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N FORWARD_IN_ZONES
-N FORWARD_IN_ZONES_SOURCE
-N FORWARD_OUT_ZONES
-N FORWARD_OUT_ZONES_SOURCE
-N FORWARD_direct
-N FWDI_public
-N FWDI_public_allow
-N FWDI_public_deny
-N FWDI_public_log
-N FWDO_public
-N FWDO_public_allow
-N FWDO_public_deny
-N FWDO_public_log
-N INPUT_ZONES
-N INPUT_ZONES_SOURCE
-N INPUT_direct
-N IN_public
-N IN_public_allow
-N IN_public_deny
-N IN_public_log
-N OUTPUT_direct
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i eth0 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o eth0 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -i eth0 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 6641 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 6642 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 6100 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 9696 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 2222 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 54323 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 5432 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 7410 -m conntrack --ctstate NEW -j ACCEPT

NOTE: 6641 and 6642 are for the OVN setup (http://www.ovirt.org/develop/release-management/features/ovirt-ovn-provider/) and probably you don't need them.

If I run the dump with the command "ip6tables -S" and then diff it with the former file, you get a hint on how to also create your /etc/sysconfig/ip6tables file if you are using IPv6:

[root at ractorshe ~]# diff /tmp/ip6tables-dump.txt /tmp/iptables-dump.txt
31c31
< -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
---
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
40c40
< -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
---
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
49c49
< -A FWDI_public -p ipv6-icmp -j ACCEPT
---
> -A FWDI_public -p icmp -j ACCEPT
58c58,60
< -A IN_public -p ipv6-icmp -j ACCEPT
---
> -A IN_public -p icmp -j ACCEPT
> -A IN_public_allow -p tcp -m tcp --dport 6641 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_public_allow -p tcp -m tcp --dport 6642 -m conntrack --ctstate NEW -j ACCEPT
63d64
< -A IN_public_allow -d fe80::/64 -p udp -m udp --dport 546 -m conntrack --ctstate NEW -j ACCEPT
[root at ractorshe ~]#

HIH,
Gianluca
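The reply above leaves the conversion of the `iptables -S` dump into `/etc/sysconfig/iptables` format to the reader. The script below is an added example, not part of the thread or of oVirt; it turns `-P`/`-N`/`-A` lines into the `*filter ... COMMIT` layout that `iptables-restore` (and therefore the iptables-services unit) reads, and lists which protocol/port pairs the resulting rule set accepts so the dump can be checked against the engine services that must stay reachable. The embedded `SAMPLE_DUMP` is a constructed, trimmed subset of the dump in the message; the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample: a trimmed subset of "iptables -S" output in the shape of
# the firewalld-generated dump shown in the message (not the full dump).
SAMPLE_DUMP='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N INPUT_ZONES
-N IN_public
-N IN_public_allow
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT_ZONES -i eth0 -g IN_public
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 7410 -m conntrack --ctstate NEW -j ACCEPT'

# dump_to_save: read "iptables -S" lines on stdin and write the filter table in
# iptables-save format on stdout:
#   -P CHAIN POLICY  ->  :CHAIN POLICY [0:0]
#   -N CHAIN         ->  :CHAIN - [0:0]
#   -A ...           ->  kept verbatim (chain order preserved)
# wrapped in "*filter" ... "COMMIT". Only the filter table is covered because
# "iptables -S" without -t shows only that table.
dump_to_save() {
    awk '
        BEGIN { print "*filter" }
        $1 == "-P" { print ":" $2 " " $3 " [0:0]"; next }
        $1 == "-N" { print ":" $2 " - [0:0]"; next }
        $1 == "-A" { rules[++n] = $0; next }
        END { for (i = 1; i <= n; i++) print rules[i]; print "COMMIT" }
    '
}

# accepted_ports: read "iptables -S" lines on stdin and print one "proto/port"
# per ACCEPT rule that matches a destination port, sorted and de-duplicated.
accepted_ports() {
    awk '
        $1 == "-A" && / -j ACCEPT/ {
            proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (proto != "" && port != "") print proto "/" port
        }
    ' | sort -u
}

# missing_ports PROTO/PORT...: read a dump on stdin and print the required
# proto/port pairs that no ACCEPT rule opens (empty line if none are missing).
# Returns 0 when everything required is open, 1 otherwise.
missing_ports() {
    have=" $(accepted_ports | tr '\n' ' ') "
    missing=""
    for want in "$@"; do
        case "$have" in
            *" $want "*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Demonstration on the constructed sample. On a real engine VM the dump would
# come from "iptables -S" and the converted output would be reviewed before
# being written to /etc/sysconfig/iptables.
printf '%s\n' "$SAMPLE_DUMP" | dump_to_save
printf '%s\n' "$SAMPLE_DUMP" | missing_ports tcp/443 tcp/80 tcp/22 tcp/54323 || true
```

Two caveats for real use: the firewalld-style chains are harmless once restored by iptables-services, but the `_log`/`_deny` chains stay empty, and anything firewalld had in the nat, mangle or raw tables is not captured by `iptables -S` without `-t`; when iptables-services is already the active firewall, `iptables-save` produces this format directly and is the simpler route. The same functions work on an `ip6tables -S` dump, so the port list from each can be compared in the spirit of the diff in the message.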