
On Tue, Oct 3, 2017 at 11:51 AM, Gianluca Cecchi <gianluca.cecchi@gmail.com> wrote:
Hello, I have read this interesting blog post https://www.ovirt.org/blog/2016/12/extension-iptables-rules-oVirt-hosts/
In my case, to allow incoming connections from the Nagios server to the Nagios nrpe daemon installed on the hosts, I have run
[root@ovmgr1 ~]# engine-config --set IPTablesConfigSiteCustom='
-A INPUT -p tcp --dport 5666 -s 10.4.5.99/32 -m comment --comment "Nagios NRPE daemon" -j ACCEPT '
[root@ovmgr1 ~]#
and
systemctl restart ovirt-engine
BTW: the link above is missing the final ' (apex) at the end of the similar command in the given example.
On my oVirt running host (CentOS 7.4), in the meantime, I have run
[g.cecchi@ov300 ~]$ sudo iptables -I INPUT 16 -p tcp --dport 5666 -s 10.4.5.99/32 -m comment --comment "Nagios NRPE daemon" -j ACCEPT
In fact the current "reject-with icmp-host-prohibited" rule was at line 16, and I inserted the new rule right before it.
So far so good.
I have a doubt whether, in case the host is put into maintenance and then reactivated, or rebooted, the rule will remain.
AFAIU nothing touches iptables conf on hosts except for host-deploy (Re/Install).
Or do I anyway have to put a line in some file on the host to set it persistently?
I think it should be safe to manually edit /etc/sysconfig/iptables in that case. Of course, verify on a test system. Also, you might be happy to know that in 4.2 we'll support firewalld, which is much nicer to work with than patching/generating /etc/sysconfig/iptables. See also: https://bugzilla.redhat.com/show_bug.cgi?id=995362
I wouldn't like to go and reinstall it only to statically set a new iptables rule.
Thanks, Gianluca
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
-- Didi
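Added example, not from the thread and not oVirt or Nagios code: a POSIX shell script that does what the exchange above describes on the host side, in one go and idempotently. It writes the NRPE rule from the post into /etc/sysconfig/iptables immediately before the INPUT "reject-with icmp-host-prohibited" line (so the file survives a reboot, as Didi suggests), and optionally applies the same rule to the running ruleset at the position it computes from the live chain instead of the hardcoded "-I INPUT 16". The file layout it assumes is the one iptables-save writes; the sample rules file used for the offline demo is constructed, not copied from a real host, and the function names (insert_before_reject, apply_live) are this example's own.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread, oVirt or Nagios).
# Persist a host-side iptables rule on a CentOS 7 oVirt host and apply it live.
# Assumption: /etc/sysconfig/iptables has the single-file layout iptables-save
# writes, with exactly one "-A INPUT -j REJECT --reject-with icmp-host-prohibited".

# Rule text taken from the post; the match line is the CentOS 7 default INPUT reject.
NRPE_RULE='-A INPUT -p tcp --dport 5666 -s 10.4.5.99/32 -m comment --comment "Nagios NRPE daemon" -j ACCEPT'
REJECT_MATCH='-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# insert_before_reject FILE RULE
# Inserts RULE into FILE right before the INPUT REJECT line.
# Returns 0 if added, 2 if already present (file untouched), 1 on error.
insert_before_reject() {
    file=$1 rule=$2
    if grep -qxF -- "$rule" "$file"; then
        return 2
    fi
    if ! grep -qxF -- "$REJECT_MATCH" "$file"; then
        echo "no INPUT REJECT line found in $file; refusing to guess a position" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    # awk emits the new rule once, the first time it sees the exact REJECT line.
    awk -v rule="$rule" -v rej="$REJECT_MATCH" '
        !done && $0 == rej { print rule; done = 1 }
        { print }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite in place (cat, not mv) so owner and the 0600 mode of the file are kept.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# apply_live RULE  (needs root and a running iptables)
# Inserts RULE into the live INPUT chain just before the REJECT rule,
# computing the rule number from "iptables -L --line-numbers".
# Returns 0 if added, 2 if an identical rule already exists, 1 on error.
apply_live() {
    rule=$1
    # "iptables -C" exits 0 when an identical rule exists; eval re-splits the
    # quoted --comment argument the way the interactive shell did in the post.
    if eval "iptables -C ${rule#-A }" 2>/dev/null; then
        return 2
    fi
    pos=$(iptables -L INPUT -n --line-numbers | awk '/icmp-host-prohibited/ { print $1; exit }')
    if [ -z "$pos" ]; then
        echo "no REJECT rule in the live INPUT chain; refusing to guess a position" >&2
        return 1
    fi
    eval "iptables -I INPUT $pos ${rule#-A INPUT }"
}

# Constructed sample of a CentOS 7 style /etc/sysconfig/iptables (not a real host's file).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 54321 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

if [ "${1:-}" = apply ]; then
    # On the host, as root: persist first, then patch the running ruleset.
    insert_before_reject /etc/sysconfig/iptables "$NRPE_RULE"; echo "file: $?"
    apply_live "$NRPE_RULE"; echo "live: $?"
else
    # Offline demo on a temporary copy of the constructed sample file.
    demo_file=$(mktemp)
    printf '%s\n' "$SAMPLE_RULES" > "$demo_file"
    insert_before_reject "$demo_file" "$NRPE_RULE"
    echo "insert_before_reject returned $? (0 = added, 2 = already present)"
    grep -nE -- 'REJECT|NRPE' "$demo_file"
    rm -f "$demo_file"
fi
```

Run it without arguments to see the rule land one line above the INPUT reject in the sample file; run `sudo sh nrpe-rule.sh apply` on the host to edit the real file and the live chain. A second run returns 2 from both functions instead of adding a duplicate, which is what you want if it ends up in a cron job or a config-management run. The file edit only covers reboots and maintenance cycles; as the thread notes, a host Reinstall regenerates the file, which is why the engine-side IPTablesConfigSiteCustom setting is still needed alongside it.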