Re: [ovirt-users] Doubt about iptables host config
On Tue, Oct 3, 2017 at 11:51 AM, Gianluca Cecchi
<gianluca.cecchi(a)gmail.com> wrote:
Hello,
I have read this interesting blog post
https://www.ovirt.org/blog/2016/12/extension-iptables-rules-oVirt-hosts/
In my case, to allow incoming connections from Nagios server to connect to
Nagios nrpe daemon installed on hosts I have run
[root@ovmgr1 ~]# engine-config --set IPTablesConfigSiteCustom='
> -A INPUT -p tcp --dport 5666 -s 10.4.5.99/32 -m comment --comment "Nagios
> NRPE daemon" -j ACCEPT
> '
[root@ovmgr1 ~]#
and
systemctl restart ovirt-engine
BTW: the link above misses the final ' apex at the end of the similar
command in the given example
On my oVirt running host (CentOS 7.4) in the mean time I have run
[g.cecchi@ov300 ~]$ sudo iptables -I INPUT 16 -p tcp --dport 5666 -s
10.4.5.99/32 -m comment --comment "Nagios NRPE daemon" -j ACCEPT
In fact the current "reject-with icmp-host-prohibited" was line 16 and I
have inserted it right before.
So far so good.
I have a doubt if, in case of host put into maintenance and then
reactivated, or rebooted, the rule will remain.
AFAIU nothing touches iptables conf on hosts except for host-deploy
(Re/Install).
Or do I have anyway to put any line in any file on host to set it
persistently?
I think it should be safe to manually edit /etc/sysconfig/iptables
in that case.
Of course, verify on a test system.
Also, you might be happy to know that in 4.2 we'll support firewalld,
which is much nicer to work with than patching/generating
/etc/sysconfig/iptables.
See also:
https://bugzilla.redhat.com/show_bug.cgi?id=995362
I wouldn't like to go and reinstall it only to statically set a new iptables
rule.
Thanks,
Gianluca
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
--
Didi