[CentOS] Ovirt Hosted-Engine VM iptables

Sun May 28 08:53:21 UTC 2017
Gianluca Cecchi <gianluca.cecchi at gmail.com>

On Sun, May 28, 2017 at 8:17 AM, Andrew Dent <adent at ctcroydon.com.au> wrote:

> Hi
>
> I would like to add rules into the iptables of the Hosted Engine VM in
> Ovirt.
>
> The version is oVirt Engine Version: 4.1.1.8-1.el7.centos
> I have tried using the normal process for iptables (iptables-save etc.),
> but it seems that the file
> /etc/sysconfig/iptables
> is ignored in the oVirt Engine VM.
> How can I add permanent rules into the Engine VM?
>
> Kind regards
>
>
>
> Andrew
>


Hi, probably the oVirt users mailing list would be better than the general
CentOS list; here archives and registration information:
https://lists.ovirt.org/mailman/listinfo/users


That said, the hosted engine setup workflow should give you the option to
configure the firewall too. Didn't you choose that option?
Did you use the provided appliance, or did you manage the OS installation
yourself and run engine-setup inside the hosted engine VM?

I suppose you have iptables and not firewalld installed, so that the command

systemctl status firewalld

returns "service not found", correct? Otherwise you have to disable firewalld
and enable iptables.

For my hosted engine 4.1.1 test setup I have in place firewalld on CentOS
7.3, that is the default using the appliance, and these are the rules if I
run

iptables -S > /tmp/iptables-dump.txt

so you can convert them to /etc/sysconfig/iptables rules.
Note that the needed rules could also change depending on the oVirt-related
services you enable on the engine (e.g. ovirt-imageio-proxy, which needs port
54323 open below, the websocket proxy, etc.).

[root@ractorshe ~]# cat /tmp/iptables-dump.txt
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N FORWARD_IN_ZONES
-N FORWARD_IN_ZONES_SOURCE
-N FORWARD_OUT_ZONES
-N FORWARD_OUT_ZONES_SOURCE
-N FORWARD_direct
-N FWDI_public
-N FWDI_public_allow
-N FWDI_public_deny
-N FWDI_public_log
-N FWDO_public
-N FWDO_public_allow
-N FWDO_public_deny
-N FWDO_public_log
-N INPUT_ZONES
-N INPUT_ZONES_SOURCE
-N INPUT_direct
-N IN_public
-N IN_public_allow
-N IN_public_deny
-N IN_public_log
-N OUTPUT_direct
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i eth0 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o eth0 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -i eth0 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 6641 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 6642 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 6100 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 9696 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 2222 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 54323 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 5432 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 7410 -m conntrack --ctstate NEW -j ACCEPT

NOTE: 6641 and 6642 are for the OVN setup (
http://www.ovirt.org/develop/release-management/features/ovirt-ovn-provider/)
and you probably don't need them.

If I run the dump from the command "ip6tables -S" and then run a diff with the
former file, you get a hint on how to create your
/etc/sysconfig/ip6tables file as well, if you are using IPv6.

[root@ractorshe ~]# diff /tmp/ip6tables-dump.txt /tmp/iptables-dump.txt
31c31
< -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
---
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
40c40
< -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
---
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
49c49
< -A FWDI_public -p ipv6-icmp -j ACCEPT
---
> -A FWDI_public -p icmp -j ACCEPT
58c58,60
< -A IN_public -p ipv6-icmp -j ACCEPT
---
> -A IN_public -p icmp -j ACCEPT
> -A IN_public_allow -p tcp -m tcp --dport 6641 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_public_allow -p tcp -m tcp --dport 6642 -m conntrack --ctstate NEW -j ACCEPT
63d64
< -A IN_public_allow -d fe80::/64 -p udp -m udp --dport 546 -m conntrack --ctstate NEW -j ACCEPT
[root@ractorshe ~]#


HTH,
Gianluca
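The conversion the reply describes, as an added example that is not part of the mail: a POSIX sh/awk script that turns `iptables -S` output (the filter-table dump above, trimmed to a constructed sample) into the iptables-save format that /etc/sysconfig/iptables expects, and appends one extra permanent allow rule in the same style as firewalld's IN_public_allow rules. Port 54323 is used only as the sample value from the mail; the function names and the fallback of inserting before COMMIT are this example's own choices.

```shell
#!/bin/sh
# Constructed sample: a trimmed subset of the filter-table dump in the mail.
SAMPLE_DUMP='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N INPUT_ZONES
-N IN_public
-N IN_public_allow
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT_ZONES -i eth0 -g IN_public
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT'

# dump_to_save: stdin = `iptables -S` output, stdout = iptables-save format.
# "-P CHAIN POLICY" -> ":CHAIN POLICY [0:0]", "-N CHAIN" -> ":CHAIN - [0:0]",
# "-A ..." rules are copied unchanged, all wrapped in *filter ... COMMIT.
dump_to_save() {
    awk 'BEGIN { print "*filter" }
         $1 == "-P" { print ":" $2 " " $3 " [0:0]"; next }
         $1 == "-N" { print ":" $2 " - [0:0]"; next }
         $1 == "-A" { rules[++n] = $0; next }
         END { for (i = 1; i <= n; i++) print rules[i]; print "COMMIT" }'
}

# add_allow_rule PORT PROTO: stdin = save format; emits it with one new accept
# rule placed right after the last IN_public_allow rule (the zone allow chain
# in the dump above); if that chain has no rules yet, it goes just before COMMIT.
add_allow_rule() {
    awk -v port="$1" -v proto="$2" '
        /^-A IN_public_allow / { last = NR }
        /^COMMIT$/ && !last { last = NR - 1 }
        { line[NR] = $0 }
        END {
            rule = "-A IN_public_allow -p " proto " -m " proto " --dport " port
            rule = rule " -m conntrack --ctstate NEW -j ACCEPT"
            for (i = 1; i <= NR; i++) { print line[i]; if (i == last) print rule }
        }'
}

# On the engine VM (firewalld disabled, iptables service enabled) the real run is:
#   iptables -S | dump_to_save | add_allow_rule 54323 tcp > /tmp/iptables.new
#   iptables-restore --test /tmp/iptables.new && cp /tmp/iptables.new /etc/sysconfig/iptables
printf '%s\n' "$SAMPLE_DUMP" | dump_to_save | add_allow_rule 54323 tcp
```

The `iptables-restore --test` step parses the file without loading it, so a typo cannot leave the engine with an empty ruleset at boot. For /etc/sysconfig/ip6tables the diff in the mail shows the only substitutions needed: icmp6-adm-prohibited for the REJECT targets and ipv6-icmp for the ICMP accepts.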