[ovirt-users] Doubt about iptables host config

[Yedidyah Bar David]

On Tue, Oct 3, 2017 at 11:51 AM, Gianluca Cecchi
<gianluca.cecchi at gmail.com> wrote:
> Hello,
> I have read this interesting blog post
> https://www.ovirt.org/blog/2016/12/extension-iptables-rules-oVirt-hosts/
>
> In my case, to allow incoming connections from Nagios server to connect to
> Nagios nrpe daemon installed on hosts I have run
>
> [root at ovmgr1 ~]# engine-config --set IPTablesConfigSiteCustom='
>> -A INPUT -p tcp --dport 5666 -s 10.4.5.99/32 -m comment --comment "Nagios
>> NRPE daemon" -j ACCEPT
>> '
> [root at ovmgr1 ~]#
>
> and
>
> systemctl restart ovirt-engine
>
>
> BTW: the link above misses the final ' apex at the end of the similar
> command in the given example
>
> On my oVirt running host (CentOS 7.4) in the mean time I have run
>
> [g.cecchi at ov300 ~]$ sudo iptables -I INPUT 16 -p tcp --dport 5666 -s
> 10.4.5.99/32 -m comment --comment "Nagios NRPE daemon" -j ACCEPT
>
> In fact the current "reject-with icmp-host-prohibited" was line 16 and I
> have inserted it right before.
>
> So far so good.
>
> I have a doubt if, in case of host put into maintenance and then
> reactivated, or rebooted, the rule will remain.

AFAIU nothing touches iptables conf on hosts except for host-deploy
(Re/Install).

> Or do I have anyway to put any line in any file on host to set it
> persistently?

I think it should be safe to manually edit /etc/sysconfig/iptables
in that case.

Of course, verify on a test system.

Also, you might be happy to know that in 4.2 we'll support firewalld,
which is much nicer to work with than patching/generating
/etc/sysconfig/iptables.
See also:

https://bugzilla.redhat.com/show_bug.cgi?id=995362

>
> I wouldn't like to go and reinstall it only to statically set a new iptables
> rule.
>
> Thanks,
> Gianluca
>
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>



-- 
Didi