
Re: Problem to expose the apps



Iptables seems OK.
Other things to check?

Master

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3444:617828]
:DOCKER - [0:0]
:OS_FIREWALL_ALLOW - [0:0]
-A INPUT -p udp -m multiport --dports 4789 -m comment --comment "001 vxlan incoming" -j ACCEPT
-A INPUT -i tun0 -m comment --comment "traffic from docker for internet" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j OS_FIREWALL_ALLOW
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -o lbr0 -j DOCKER
-A FORWARD -o lbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lbr0 ! -o lbr0 -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -s 10.1.0.0/16 -j ACCEPT
-A FORWARD -d 10.1.0.0/16 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i lbr0 -o lbr0 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m tcp --dport 1936 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 4001 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A OS_FIREWALL_ALLOW -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 24224 -j ACCEPT
-A OS_FIREWALL_ALLOW -p udp -m state --state NEW -m udp --dport 24224 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 10250 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT



Node

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12:2343]
:DOCKER - [0:0]
:OS_FIREWALL_ALLOW - [0:0]
-A INPUT -p udp -m multiport --dports 4789 -m comment --comment "001 vxlan incoming" -j ACCEPT
-A INPUT -i tun0 -m comment --comment "traffic from docker for internet" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j OS_FIREWALL_ALLOW
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -o lbr0 -j DOCKER
-A FORWARD -o lbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lbr0 ! -o lbr0 -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -s 10.1.0.0/16 -j ACCEPT
-A FORWARD -d 10.1.0.0/16 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i lbr0 -o lbr0 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m tcp --dport 1936 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 10250 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT


2015-07-09 15:46 GMT+02:00 Scott Dodson <sdodson redhat com>:
Make sure that iptables and whatever other network security layers are
involved allow incoming connections on 80/443 to the master
(where your router is running).

On Thu, Jul 9, 2015 at 6:46 AM, Massimiliano Dessì
<massimiliano dessi gmail com> wrote:
>
> Hi, on an origin v3 installed with ansible
> I have the following configuration
>
> DNS  *.cloudapps.<mydomain_redacted> -> master ip
>
> NodeJS Pods (Nodejs-example)
> NodeJS Service (Selectors: name=nodejs-frontend)
> Nodejs Frontend (on node1 )
>
> The HA stat page shows the Nodejs frontend
> be_http_<project-nodejs-route>
>
> the
> oc exec -p <router-pod> -- cat /var/lib/containers/router/routes.json
>
> shows
>
> "default/router": {
>     "Name": "default/router",
>     "EndpointTable": [
>       {
>         "ID": "10.1.1.3:80",
>         "IP": "10.1.1.3",
>         "Port": "80",
>         "TargetName": "router-1-29unx"
>       }
>     ],
>     "ServiceAliasConfigs": {}
>   },
>   "<myproject redacted>/nodejs-frontend": {
>     "Name": "<myproject redacted>/nodejs-frontend",
>     "EndpointTable": [
>       {
>         "ID": "10.1.1.7:8080",
>         "IP": "10.1.1.7",
>         "Port": "8080",
>         "TargetName": "nodejs-frontend-2-tf7eu"
>       }
>     ],
>     "ServiceAliasConfigs": {
>       "<myproject redacted>-nodejs-route": {
>         "Host": "nodejs.cloudapps.<mydomain_redacted>",
>         "Path": "",
>         "TLSTermination": "",
>         "Certificates": null,
>         "Status": "saved"
>       }
>     }
>   },
>
> using the address from oc get svc to retrieve the nodejs-frontend ip and
> using curl <nodejs-frontend ip>:8080 I'm able to see the html of the
> page
>
> pinging nodejs.cloudapps.<mydomain_redacted> shows the address of the
> master,
>
> but if I try to call with the browser
> http://node-js.cloudapps.<mydomain_redacted> the browser is not able to
> connect.
> Which piece of the configuration have I missed, or which other checks can I
> try?
>
> Thanks
> Max
>
>
> _______________________________________________
> users mailing list
> users lists openshift redhat com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
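As an added illustration (not code from the thread or from OpenShift), the two checks the reply and the routes.json excerpt point at, in Python: whether the hostname in the browser URL is one the router has a ServiceAliasConfig for (the HAProxy router picks a backend from the HTTP Host header, so DNS resolving to the master is not by itself enough), and whether the INPUT chain accepts TCP 80/443 before its final REJECT. The routes.json and iptables-save samples are constructed to mirror the shapes quoted above, with example.com standing in for the redacted domain.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample in the shape of the routes.json excerpt quoted above.
ROUTES_JSON = """{"myproject/nodejs-frontend": {
  "EndpointTable": [{"ID": "10.1.1.7:8080", "IP": "10.1.1.7", "Port": "8080"}],
  "ServiceAliasConfigs": {"myproject-nodejs-route":
    {"Host": "nodejs.cloudapps.example.com", "Path": "", "TLSTermination": ""}}}}"""

# Constructed iptables-save excerpt laid out like the INPUT chain above; the 8080 rule sits after the REJECT.
IPTABLES_SAVE = """-A INPUT -j OS_FIREWALL_ALLOW
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT"""

def route_hosts(routes_json):
    """Map every Host the router answers for to that route's endpoint IDs."""
    hosts = {}
    for cfg in json.loads(routes_json).values():
        endpoints = [e["ID"] for e in cfg.get("EndpointTable", [])]
        for alias in cfg.get("ServiceAliasConfigs", {}).values():
            hosts[alias["Host"].lower()] = endpoints
    return hosts

def backends_for_url(url, routes_json):
    """Backends by HTTP Host header; a name with no ServiceAliasConfig gets None."""
    return route_hosts(routes_json).get(urlsplit(url).hostname.lower())

def accepted_tcp_ports(iptables_save):
    """TCP --dport values reachable on INPUT, following -j into user chains."""
    rules = {}
    for line in iptables_save.splitlines():
        m = re.match(r"^-A (\S+)(.*?) -j (\S+)", line)
        if m:
            rules.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    ports = set()
    def walk(chain):
        for body, target in rules.get(chain, []):
            port = re.search(r"-p tcp .*--dport (\d+)", body)
            if target == "ACCEPT" and port:
                ports.add(int(port.group(1)))
            elif target in ("REJECT", "DROP") and not body.strip():
                return True  # unconditional: nothing after this can match
            elif target in rules and walk(target):
                return True
        return False
    walk("INPUT")
    return ports
```

Run with the real `iptables-save` output and the `routes.json` pulled from the router pod; a hostname that comes back as None will never reach a pod even when ping resolves it to the master.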
