Re: [Xen-users] Kumo public Zone XenServers
Hello,
iptables works mainly with IP addresses and ports. I think you should "open" every port to be used. You can look at "ipsets" to manage a list of ports more easily and without stopping the firewall.
Regards
JP P

From: "Paul Angus" <paul.angus@xxxxxxxxxxxxx>
To: "JP Pozzi" <jpp@xxxxxxxxxxxxxxxxxx>
Cc: "Marco Sinhoreli" <marco.sinhoreli@xxxxxxxxxxxxx>, xen-users@xxxxxxxxxxxxx
Sent: Wednesday 11 June 2014 20:32:39
Subject: RE: [Xen-users] Kumo public Zone XenServers
But surely I don't have to create a firewall rule for every port that a guest would want to use?
Regards
Paul Angus Cloud Architect
From: JP Pozzi [mailto:jpp@xxxxxxxxxxxxxxxxxx]
Hello,
I think that RDP uses port 3389, which is not allowed in your firewall rules?
Regards
JP P

From: "Paul Angus" <paul.angus@xxxxxxxxxxxxx>
When iptables is running, users cannot RDP to guest VMs. When iptables is stopped, users can.
We've stopped iptables for the moment but need to figure out what the problem is and re-enable the firewall.
# Generated by iptables-save v1.3.5 on Mon Apr 29 17:23:28 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [595645782:1940184239142]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 67:68 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 67:68 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 161 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 161 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 161 -j ACCEPT
-A RH-Firewall-1-INPUT -i xenapi -p udp -m udp --dport 67 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 694 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Apr 29 17:23:28 2013
-bash-3.2# iptables --list
Chain INPUT (policy ACCEPT)
target               prot opt source     destination
RH-Firewall-1-INPUT  all  --  anywhere   anywhere

Chain FORWARD (policy ACCEPT)
target               prot opt source     destination
RH-Firewall-1-INPUT  all  --  anywhere   anywhere

Chain OUTPUT (policy ACCEPT)
target               prot opt source     destination

Chain RH-Firewall-1-INPUT (2 references)
target               prot opt source     destination
ACCEPT               all  --  anywhere   anywhere
ACCEPT               icmp --  anywhere   anywhere      icmp any
ACCEPT               esp  --  anywhere   anywhere
ACCEPT               ah   --  anywhere   anywhere
ACCEPT               udp  --  anywhere   224.0.0.251   udp dpt:mdns
ACCEPT               udp  --  anywhere   anywhere      udp dpts:bootps:bootpc
ACCEPT               tcp  --  anywhere   anywhere      tcp dpts:bootps:bootpc
ACCEPT               udp  --  anywhere   anywhere      udp dpt:snmp
ACCEPT               tcp  --  anywhere   anywhere      tcp dpt:snmp
ACCEPT               udp  --  anywhere   anywhere      udp dpt:ipp
ACCEPT               tcp  --  anywhere   anywhere      tcp dpt:ipp
ACCEPT               udp  --  anywhere   anywhere      udp dpt:snmp
ACCEPT               udp  --  anywhere   anywhere      udp dpt:bootps
ACCEPT               all  --  anywhere   anywhere      state RELATED,ESTABLISHED
ACCEPT               udp  --  anywhere   anywhere      state NEW udp dpt:ha-cluster
ACCEPT               tcp  --  anywhere   anywhere      state NEW tcp dpt:ssh
ACCEPT               tcp  --  anywhere   anywhere      state NEW tcp dpt:http
ACCEPT               tcp  --  anywhere   anywhere      state NEW tcp dpt:https
REJECT               all  --  anywhere   anywhere      reject-with icmp-host-prohibited
Regards
Paul Angus Senior Consultant / Cloud Architect
S: +44 20 3603 0540 | M: +447711418784 | T: @CloudyAngus paul.angus@xxxxxxxxxxxxx | www.shapeblue.com | Twitter:@shapeblue ShapeBlue Ltd, 53 Chandos Place, Covent Garden, London, WC2N 4HS
Find out more about ShapeBlue and our range of CloudStack related services
This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users
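The thread's diagnosis, as an added example that is code from neither poster: a small Python replay of Paul's filter table (abridged and embedded as constructed sample input) that walks INPUT and FORWARD the way iptables does, showing why a new RDP connection to a guest is rejected while SSH to dom0 and reply traffic are accepted, and how JP's suggestion (open the specific port instead of stopping the service) changes the verdict. The packet values, the bridge name xenbr0 and the guest address are assumptions; the model covers only the match types the dump uses, and it assumes bridged guest traffic reaches dom0's FORWARD chain, which the bridge-nf-call-iptables sysctl controls.

```python
"""Replay an iptables-save dump for one packet and report the verdict.

Added example for this thread, not code from either poster. The ruleset is
Paul's dom0 filter table (abridged); the packets are constructed. Only the
matches the dump uses are modelled: -p, -i, -d, --dport, -m state --state, -j.
"""
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed from the dump in the thread (duplicate/ipp lines and counters dropped).
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 67:68 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 161 -j ACCEPT
-A RH-Firewall-1-INPUT -i xenapi -p udp -m udp --dport 67 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 694 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def parse(dump):
    """Return (policies, rules): chain policy (None for user chains) and rule lists."""
    policies, rules = {}, {}
    for line in dump.splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy
            rules[name] = []
        elif line.startswith("-A"):
            toks = shlex.split(line)
            rule = {"proto": None, "iface": None, "dst": None,
                    "dport": None, "states": None, "target": None}
            # every option in this dump takes exactly one argument
            for opt, arg in zip(toks[2::2], toks[3::2]):
                if opt in ("-p", "-i", "-d"):
                    rule[{"-p": "proto", "-i": "iface", "-d": "dst"}[opt]] = arg
                elif opt == "--dport":  # single port or lo:hi range
                    lo, _, hi = arg.partition(":")
                    rule["dport"] = (int(lo), int(hi or lo))
                elif opt == "--state":
                    rule["states"] = set(arg.split(","))
                elif opt == "-j":
                    rule["target"] = arg
                # -m, --icmp-type and --reject-with add no match we need to model
            rules[toks[1]].append(rule)
    return policies, rules


def matches(rule, pkt):
    """True when every match clause of the rule fits the packet."""
    for key in ("proto", "iface", "dst"):
        if rule[key] and rule[key] != pkt.get(key):
            return False
    if rule["dport"] and not rule["dport"][0] <= pkt.get("dport", -1) <= rule["dport"][1]:
        return False
    return not rule["states"] or pkt["state"] in rule["states"]


def verdict(policies, rules, chain, pkt):
    """Walk a chain in order: ACCEPT/DROP/REJECT, else the built-in chain's policy."""
    for rule in rules[chain]:
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in TERMINAL:
            return target
        if target == "RETURN":
            break
        if target in rules:  # user chain: descend, continue here if it falls through
            result = verdict(policies, rules, target, pkt)
            if result in TERMINAL:
                return result
    return policies[chain]  # None for a user chain means "return to caller"


def allow_forward(dump, proto, port):
    """Prepend an ACCEPT for NEW proto/port to FORWARD (what `iptables -I FORWARD` does)."""
    new = f"-A FORWARD -p {proto} -m {proto} --dport {port} -m state --state NEW -j ACCEPT"
    lines = dump.splitlines()
    idx = next(i for i, l in enumerate(lines) if l.startswith("-A FORWARD"))
    return "\n".join(lines[:idx] + [new] + lines[idx:]) + "\n"


def rdp_to_guest(dump=SAMPLE_RULES):
    """Verdict for a new RDP connection to a guest, bridged through dom0 (constructed packet)."""
    pkt = {"proto": "tcp", "dport": 3389, "iface": "xenbr0",
           "dst": "192.0.2.50", "state": "NEW"}
    return verdict(*parse(dump), "FORWARD", pkt)


if __name__ == "__main__":
    print("RDP to guest, posted rules:", rdp_to_guest())
    print("RDP to guest, 3389 opened: ", rdp_to_guest(allow_forward(SAMPLE_RULES, "tcp", 3389)))
```

The live-host equivalent of allow_forward is `iptables -I FORWARD -p tcp -m tcp --dport 3389 -m state --state NEW -j ACCEPT`; adding `-i`/`-d` to restrict it to the guest bridge or address range keeps the opening as narrow as the need, and saving the ruleset afterwards makes it survive a restart of the service. Managing the set of permitted ports through ipset, as JP suggests, replaces the per-port rules with a single match against a mutable set.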