Documentation #4260: centos/suse default reject rule in iptables (status: closed)
Description
Saw this on Ken's centos vms, but it sounds like the same issue may occur on suse. The default OS install adds a reject rule to iptables that rejects everything but ssh. With the reject rule in place on the node running the monitor, this causes clients (connecting from a separate node) to fail with a timeout error when trying to mount. This is what the iptables look like before the rule is removed:
[root@rhelvm1 qauser]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Removing the rule with:
iptables -D INPUT 5
resolves the client connect issue. This should be documented somewhere for centos (and maybe suse) users, with the right changes to iptables (instead of the one above) to poke a hole specifically for ceph traffic, and continuing to reject everything else.
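The description asks for rules that open a hole for Ceph traffic while keeping the catch-all REJECT. The script below is an added example and is not part of the issue or of Ceph's documentation: it finds the position of the REJECT rule in a listing of the INPUT chain and emits `iptables -I` commands that insert ACCEPT rules in front of it, so the REJECT stays in place and keeps rejecting everything else. It assumes the Ceph default ports (6789/tcp for monitors, 6800-7300/tcp for OSDs), which the issue itself does not name, and uses a constructed `iptables -L INPUT -n --line-numbers` sample plus an assumed cluster network of 10.0.0.0/24. It prints the commands rather than running them; review and run them as root.

```shell
#!/bin/sh
# Added example (not from the issue): insert Ceph ACCEPT rules ahead of the
# default CentOS/SUSE catch-all REJECT rule instead of deleting that rule.
# Assumption: Ceph default ports, not stated in the issue.
CEPH_MON_PORT=6789
CEPH_OSD_PORTS=6800:7300

# Constructed sample of `iptables -L INPUT -n --line-numbers` on a default
# CentOS 6 host; rule 5 is the catch-all REJECT the issue describes.
SAMPLE_INPUT_CHAIN='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# Read a --line-numbers listing on stdin and print the rule number of the first
# REJECT rule (nothing if there is none). ACCEPT rules must be inserted at this
# position, otherwise the REJECT matches first and clients still time out.
reject_rule_number() {
    awk '$2 == "REJECT" { print $1; exit }'
}

# Emit the iptables commands that open Ceph traffic ahead of the REJECT rule.
# $1: rule number of the REJECT rule
# $2: source network allowed to reach the Ceph daemons (assumed; narrow it to
#     the network your clients and cluster nodes actually use)
ceph_allow_rules() {
    pos=$1
    net=$2
    # Both inserts use the same index, so the second one lands in front of the
    # first: final order is monitor rule, OSD rule, then the untouched REJECT.
    printf 'iptables -I INPUT %s -p tcp -s %s --dport %s -m state --state NEW -j ACCEPT\n' \
        "$pos" "$net" "$CEPH_OSD_PORTS"
    printf 'iptables -I INPUT %s -p tcp -s %s --dport %s -m state --state NEW -j ACCEPT\n' \
        "$pos" "$net" "$CEPH_MON_PORT"
}

# Dry run against the constructed sample: print the commands, do not run them.
main() {
    pos=$(printf '%s\n' "$SAMPLE_INPUT_CHAIN" | reject_rule_number)
    [ -n "$pos" ] || { echo "no REJECT rule found; nothing to do" >&2; return 1; }
    ceph_allow_rules "$pos" 10.0.0.0/24
    echo "service iptables save   # persist the rules on CentOS 6"
}

main
```

On a live host, replace the constructed sample with `iptables -L INPUT -n --line-numbers | reject_rule_number` and pipe the emitted commands into `sh` once they look right. Keeping the REJECT rule and inserting above it means the firewall still refuses everything the issue's default policy refused, apart from the two Ceph port ranges from the named source network.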
Updated by John Wilkins about 11 years ago
- Status changed from New to In Progress
For now, I've added a description to the monitor troubleshooting section. This should be added to troubleshooting sections for other clients as they become available.
Updated by John Wilkins about 11 years ago
- Status changed from In Progress to Resolved
I added http://ceph.com/docs/master/rados/operations/troubleshooting-mon/#client-can-t-connect-mount. TO DO. I want to break out the network section on configuration and have a parallel section in troubleshooting.