Documentation #4260

centos/suse default reject rule in iptables

Added by Sam Lang about 6 years ago. Updated about 6 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
-
Target version:
Start date:
02/25/2013
Due date:
% Done:

0%

Tags:
Backport:
Reviewed:
Affected Versions:
Pull request ID:

Description

Saw this on Ken's centos vms, but it sounds like the same issue may occur on suse. The default OS install adds a reject rule to iptables that rejects everything but ssh. With the reject rule in place on the node running the monitor, this causes clients (connecting from a separate node) to fail with a timeout error when trying to mount. This is what the iptables look like before the rule is removed:

[root@rhelvm1 qauser]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Removing the rule with:

iptables -D INPUT 5

resolves the client connect issue. This should be documented somewhere for centos (and maybe suse) users, with the right changes to iptables (instead of the one above) to poke a hole specifically for ceph traffic, and continuing to reject everything else.
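The description asks for the narrower fix: keep the distribution's REJECT rule and open only the Ceph ports in front of it. The script below is an added example, not from the ticket or from the Ceph documentation. It does not run iptables; it reads a constructed `iptables -L INPUT -n --line-numbers` listing (sample data, not output from the reporter's hosts), finds the REJECT rule's position, and prints the insert commands for review. The monitor port 6789 is the Ceph default; the subnet 10.0.0.0/24 is made up for the demonstration; `service iptables save` is the CentOS 6 way to persist the table.

```shell
#!/bin/sh
# Added example: plan iptables changes that admit Ceph monitor traffic while
# keeping the default REJECT rule. Nothing here calls iptables; it prints the
# commands so an operator can review them before running them as root.

# Constructed listing in the shape of `iptables -L INPUT -n --line-numbers`
# on a default CentOS install (sample data, not captured from the ticket).
SAMPLE_INPUT_CHAIN='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# Default Ceph monitor port (TCP 6789). A port range such as "6800:7300"
# can be passed in the same argument slot for OSD daemons.
CEPH_MON_PORT=6789

# Print the rule number of the first REJECT rule in a chain listing, or
# nothing if the chain has none. Column 1 is the number, column 2 the target.
first_reject_rule() {
    printf '%s\n' "$1" | awk '$2 == "REJECT" { print $1; exit }'
}

# Build one ACCEPT rule for new TCP connections to a port or port range.
# With a position, the rule is inserted (-I) at that index so it is evaluated
# before the REJECT rule; an appended (-A) rule would land after REJECT and
# never match. An optional source CIDR limits the hole to the cluster network.
accept_rule() {
    rule_pos="$1"; port="$2"; src="$3"
    if [ -n "$rule_pos" ]; then
        action="-I INPUT $rule_pos"
    else
        action="-A INPUT"
    fi
    if [ -n "$src" ]; then
        printf 'iptables %s -s %s -p tcp -m state --state NEW -m tcp --dport %s -j ACCEPT\n' "$action" "$src" "$port"
    else
        printf 'iptables %s -p tcp -m state --state NEW -m tcp --dport %s -j ACCEPT\n' "$action" "$port"
    fi
}

# Plan the commands for a chain listing: one ACCEPT per port, each placed
# ahead of the REJECT rule, or appended when the chain has no REJECT at all.
# Usage: plan_accept_rules "$listing" source_cidr_or_empty port...
plan_accept_rules() {
    listing="$1"; src_cidr="$2"; shift 2
    reject_pos="$(first_reject_rule "$listing")"
    for port in "$@"; do
        accept_rule "$reject_pos" "$port" "$src_cidr"
    done
}

# Demonstration: open the monitor port to one constructed subnet, then
# remind the operator to persist the table (CentOS 6: service iptables save).
plan_accept_rules "$SAMPLE_INPUT_CHAIN" "10.0.0.0/24" "$CEPH_MON_PORT"
echo '# then: service iptables save   (CentOS 6, so the rule survives a reboot)'
```

Inserting at the REJECT rule's own index pushes REJECT down one slot, so the new ACCEPT is checked first and everything else is still rejected; repeating the insert for more ports keeps them all ahead of REJECT. Restricting the source CIDR to the network the clients and monitors share keeps the opening as small as the reporter suggests.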

History

#1 Updated by Ian Colle about 6 years ago

  • Assignee set to John Wilkins

#2 Updated by Greg Farnum about 6 years ago

  • Project changed from fs to Ceph

Not an FS issue! :)

#3 Updated by John Wilkins about 6 years ago

  • Status changed from New to In Progress

For now, I've added a description to the monitor troubleshooting section. This should be added to troubleshooting sections for other clients as they become available.

#4 Updated by Sage Weil about 6 years ago

  • Target version set to v0.59

#5 Updated by John Wilkins about 6 years ago

  • Status changed from In Progress to Resolved

I added http://ceph.com/docs/master/rados/operations/troubleshooting-mon/#client-can-t-connect-mount. TO DO. I want to break out the network section on configuration and have a parallel section in troubleshooting.
