Knowledgebase

IPtables - Parallels Infrastructure

Posted by VPSRight, 06-22-2009, 08:18 PM
We have been trying all day to resolve a very annoying issue with iptables, more info below;

http://kb.parallels.com/en/746

After following the above guide, PIM became unavailable but clients were able to start their firewalls without any issues. I made some changes and PIM and clients' firewalls were fine, but particular features in PIM are not functioning, as seen below;

----
Cannot create Containers on the "linux.x86_64" platform as no suitable Hardware Nodes are available.
Possible reasons
All compatible Hardware Nodes are offline.
No OS templates found.
Possible solutions
Try again and select another platform or Hardware Node.
Install at least one OS template for this platform.
----

There are 100s of templates and I was able to create containers before I made the iptable changes. I have been in contact with Parallels but it seems they don't know how to solve it either, as they haven't replied for almost 4 hours. (They were replying instantly until I gave them the above.)

Any help will be greatly appreciated!

Posted by mindbend, 06-22-2009, 08:55 PM
If iptables is blocking connections and causing this issue to occur, start watching the counters and find what rule is actually blocking connections. Then you can start removing those rules one at a time to find the cause.

-=--
while i=true; do iptables -L -nv | grep _rule details_|awk '{ print $1 " - " $2 }'; sleep 10; done
-=--

Posted by VPSRight, 06-22-2009, 09:38 PM
I think it must be a module blocking PIM communicating with the HW. I tried that command you gave and it gave me endless amounts of the following;

grep: details_: No such file or directory
grep: details_: No such file or directory

Any further help will be appreciated!

Posted by mindbend, 06-22-2009, 09:45 PM
Did you run a script which set up the firewall or did you do it manually? You will need to replace the _rule details_ with the rule you implemented.

[root@void dev_html]# while i=true; do iptables -L -nv | grep REJECT|grep "dpt:25"|awk '{ print $1 " - " $2 }'; sleep 10; done
3312 - 0
3312 - 0
3312 - 0
3312 - 0

In your case, if a chain was actively blocking connections this number would be increasing.
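
The counter-watching approach from the post above, as an added example that is not part of the original thread: it compares two `iptables -L -nvx --line-numbers` snapshots and lists only the DROP/REJECT rules whose packet counter grew. The `-x` flag prints exact counters rather than rounded ones; the `changed_rules` helper, the sample rules and the 8443 port are constructed for illustration.

```shell
#!/bin/sh
# Added example: diff two `iptables -L -nvx --line-numbers` snapshots and list
# the DROP/REJECT rules whose packet counter grew in between.
changed_rules() {   # hypothetical helper; usage: changed_rules BEFORE_FILE AFTER_FILE
    awk '
        FNR == 1          { snap++ }                 # 1 = before, 2 = after
        $1 == "Chain"     { chain = $2; next }       # track the current chain
        $1 !~ /^[0-9]+$/  { next }                   # skip column headers and blanks
        snap == 1         { before[chain ":" $1] = $2; next }
        $4 ~ /^(DROP|REJECT)$/ {
            delta = $2 - before[chain ":" $1]
            if (delta <= 0) next                     # counter did not move
            rule = $4
            for (i = 5; i <= NF; i++) rule = rule " " $i
            printf "%s rule %s: +%d pkts  %s\n", chain, $1, delta, rule
        }
    ' "$1" "$2"
}

# Constructed sample snapshots (not captured from a real node).
SNAP_DIR=$(mktemp -d)
BEFORE="$SNAP_DIR/before"; AFTER="$SNAP_DIR/after"
cat > "$BEFORE" <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1        3312   198720 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
2         120     7200 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8443
3        9000   540000 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
EOF
# Ten seconds later: only rules 2 and 3 have seen new packets.
sed -e 's/^2  *120 /2 165 /' -e 's/^3  *9000 /3 9050 /' "$BEFORE" > "$AFTER"

changed_rules "$BEFORE" "$AFTER"

# On a live node (as root), take the snapshots like this instead:
#   iptables -L -nvx --line-numbers > before; sleep 10
#   iptables -L -nvx --line-numbers > after;  changed_rules before after
```

Rules are matched by chain name and rule number, so the two snapshots must be taken without reloading the ruleset in between.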

Posted by VPSRight, 06-22-2009, 10:13 PM
I tried running that command for each module that I loaded earlier but it didn't return anything. Any ideas?

Posted by mindbend, 06-22-2009, 10:22 PM
Did you run a script which set up the firewall or did you do it manually? What makes you think an iptables entry has caused the problem?

Posted by VPSRight, 06-22-2009, 10:30 PM
We install CSF/LFD manually onto clients' VPS servers. When I remove the modules from the config and restart VZ, everything works fine, just the firewalls don't; then our support desk gets flooded with tickets from clients saying "My Firewalls gone all crazy". When the modules are applied, everything works fine, firewalls etc., just some features of PIM that require HW access don't work, i.e. when trying to create a container or accessing a VPS from the Terminal Login provided within PIM.

Posted by mindbend, 06-22-2009, 10:40 PM
Try adding the remote hosts into your csf.allow file and restart csf. They are more than likely being blocked. CSF also, if configured to (by default it is), will log blocked traffic to your /var/log/messages. If you know the IP address being used to connect to the VPSes, try and grep it out of the messages. My bet is CSF is identifying the traffic as malicious and has the IP blocked.

Posted by VPSRight, 06-22-2009, 10:55 PM
CSF isn't on the node. CSF is installed on the VPS servers. This is purely an IPtables issue on the HW node with the modules needed to run firewalls on VPS servers.

Posted by mindbend, 06-22-2009, 11:02 PM
CSF doesn't care where it is at, it will block hosts going in and out of the server regardless of the type of traffic. If the IP address is being blocked it will be logged. This is where I would start researching the issue.


