
I can add a rule into iptables such as this:

    iptables -I INPUT -s 192.168.0.10 -p tcp -m tcp --dport 5666 -j ACCEPT

I can see the addition has succeeded with this:

    iptables-save > /etc/sysconfig/iptables

But a reboot of the Engine VM (not the Host) doesn't keep the new rule, and I was expecting that during bootup CentOS would read from /etc/sysconfig/iptables. Alas it isn't.

Found a solution. After reading this
https://stackoverflow.com/questions/24756240/how-can-i-use-iptables-on-cento...
I installed iptables-services. But once installed I found that iptables -L showed no rules. Thankfully I still had the default hosted-engine rules in /etc/sysconfig/iptables:

    iptables-restore < /etc/sysconfig/iptables

Then

    service iptables save

restored the default hosted-engine rules including my rule for 5666. Rebooting the hosted-engine VM and my rule 5666 for NRPE is still there. Success!!

To answer your other questions:
> Did you ask to configure the firewall during engine-setup?

Yes. Looks like it set up firewalld for me.

> Alternatively, it's recommended to use firewalld.

For the moment I have disabled firewalld and am using iptables. Is there a reason why firewalld is preferred over iptables?
Kind regards
Andrew

------ Original Message ------
From: "Yedidyah Bar David" <didi@redhat.com>
To: "Andrew Dent" <adent@ctcroydon.com.au>
Cc: "users" <users@ovirt.org>
Sent: 29/05/2017 9:26:23 PM
Subject: Re: [ovirt-users] Ovirt Hosted-Engine VM iptables
On Mon, May 29, 2017 at 1:14 PM, Andrew Dent <adent@ctcroydon.com.au> wrote:
Hi
I would like to add rules into the iptables of the Hosted Engine VM in Ovirt. I am wanting to monitor the Ovirt Engine using Nagios -> NRPE and I would like to open port 5666.
The version is oVirt Engine Version: 4.1.1.8-1.el7.centos. I have tried using the normal process for iptables (iptables-save etc), but it seems that the file /etc/sysconfig/iptables is ignored when the Ovirt Engine VM starts.
What do you mean in "ignored"?
What's the output of 'iptables-save'?
Did you ask to configure the firewall during engine-setup?
How can I add permanent iptables rules into the Engine VM?
On the engine vm (unlike hosts), the only thing that touches iptables is engine-setup. Before doing that it asks you if you want to configure the firewall. There aren't currently means to add your custom rules - either you manage it all by yourself or you let engine-setup do that.
Alternatively, it's recommended to use firewalld. engine-setup can add to firewalld the stuff it wants, and you still can add your own stuff.
If I got you wrong and you refer to the hosts (not engine), see also:
https://www.ovirt.org/blog/2016/12/extension-iptables-rules-oVirt-hosts/
Best,
Kind regards
Andrew
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
-- Didi
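The thread's fix boils down to: install iptables-services, restore the existing rules, add the NRPE rule, then "service iptables save" so the rule is written to /etc/sysconfig/iptables and reloaded at boot. Before rebooting, it is worth checking the saved file itself, because iptables-save rewrites a bare source address as CIDR (192.168.0.10/32), and a rule appended with -A after the final REJECT line is saved but never matches. The script below is an added example written for this page, not code from the thread or from the oVirt project; the monitoring host 192.168.0.10 and the sample rules files are constructed for the example and are not the real hosted-engine defaults.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a saved rules file in
# /etc/sysconfig/iptables format for the NRPE (tcp/5666) ACCEPT rule before
# trusting that it will survive a reboot.
#
# The persistence procedure from the thread, for reference (needs root;
# not executed here):
#   yum install iptables-services
#   iptables-restore < /etc/sysconfig/iptables
#   iptables -I INPUT -s 192.168.0.10 -p tcp -m tcp --dport 5666 -j ACCEPT
#   service iptables save          # writes /etc/sysconfig/iptables
#   systemctl enable iptables      # reload the file at boot
# firewalld equivalent of the same source-restricted rule:
#   firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.0.10" port port="5666" protocol="tcp" accept'
#   firewall-cmd --reload

NAGIOS_HOST=192.168.0.10   # constructed: the Nagios/NRPE poller
NRPE_PORT=5666

# True if the saved file contains the exact rule. iptables-save normalises
# "-s 192.168.0.10" to "-s 192.168.0.10/32", so that is what we look for.
nrpe_rule_present() {
    grep -qE -- "^-A INPUT -s ${NAGIOS_HOST}/32 -p tcp -m tcp --dport ${NRPE_PORT} -j ACCEPT" "$1"
}

# True only if the rule comes BEFORE any terminating REJECT/DROP in INPUT.
# "iptables -I" puts it first; "iptables -A" after a final REJECT leaves a
# rule that is saved faithfully but unreachable.
nrpe_rule_reachable() {
    awk -v host="${NAGIOS_HOST}/32" -v port="$NRPE_PORT" '
        /^-A INPUT / {
            if ($0 ~ ("-s " host " .*--dport " port " -j ACCEPT")) { found = 1; exit }
            if ($0 ~ /-j (REJECT|DROP)/) { blocked = 1; exit }
        }
        END { if (found && !blocked) exit 0; exit 1 }' "$1"
}

# Constructed sample: rule inserted at the top of INPUT (the good case).
sample_good_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample in iptables-save format
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.0.10/32 -p tcp -m tcp --dport 5666 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
    echo "$f"
}

# Constructed sample: same rule appended AFTER the final REJECT (-A mistake).
sample_unreachable_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample in iptables-save format
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 192.168.0.10/32 -p tcp -m tcp --dport 5666 -j ACCEPT
COMMIT
EOF
    echo "$f"
}

# Report on a rules file; on a real engine VM pass /etc/sysconfig/iptables.
check_file() {
    if ! nrpe_rule_present "$1"; then
        echo "$1: NRPE rule for $NAGIOS_HOST not saved"
    elif ! nrpe_rule_reachable "$1"; then
        echo "$1: NRPE rule saved but sits after a REJECT/DROP (use iptables -I)"
    else
        echo "$1: NRPE rule saved and reachable"
    fi
}

good=$(sample_good_file); bad=$(sample_unreachable_file)
check_file "$good"; check_file "$bad"
rm -f "$good" "$bad"
```

Run it as an ordinary user to see both verdicts on the constructed samples; on the engine VM, call check_file /etc/sysconfig/iptables after "service iptables save" and before rebooting.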