
Open up port 10500 on XenServer / Hypervisor 8.2 for Zabbix monitoring


Nick Gorbikoff

Question

Hello.

We are trying to add the Zabbix client to our Xen Pool VMs and are running into a firewall issue on the hosts/hypervisors. No matter how we try to modify iptables, our changes are just ignored after a restart of iptables.
The initial guide we tried to follow is here: https://share.zabbix.com/virtualization/citrix/citrix-xenserver-disk-and-memory

 

But since then I scoured the forums here on citrix.com to no avail. Can't find any documentation that explains where the config for iptables lives.

 

# Anything modified here is simply ignored
# /etc/sysconfig/iptables


# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
# Zabbix
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 10500 -j ACCEPT
-A RH-Firewall-1-INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 10500 -j ACCEPT
# DHCP for host internal networks (CA-6996)
-A RH-Firewall-1-INPUT -p udp -m udp --dport 67 --in-interface xenapi -j ACCEPT
-A RH-Firewall-1-INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Linux HA hearbeat (CA-9394)
-A RH-Firewall-1-INPUT -m conntrack --ctstate NEW -m udp -p udp --dport 694 -j ACCEPT
-A RH-Firewall-1-INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT
# dlm
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 21064 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m multiport --dports 5404,5405 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT


Any suggestions would be appreciated.

Thank you.

PS:
Alternatively, if we can't use Zabbix, SNMP fallback could work.
We are mostly looking to monitor just the physical aspects of the host servers: local storage space, uptime, load, drive status.

Link to comment

7 answers to this question


Thank you for the suggestion @alan
1. Running firewall-cmd returns an error:

firewall-cmd --get-active-zones
#-bash: firewall-cmd: command not found

2. Is there somewhere a doc, describing which firewall is used by the CentOS/RH flavor Citrix XenServer is using? I mostly deal with Debian/Ubuntu systems + ufw/iptables, and I am a bit confounded by Citrix XenServer setup.

@tobias
How do I go about "switching back to iptables"? Switching from what?

 

Thank you both!

Link to comment

As far as I can tell, I am actually running iptables, but I can't seem to figure out where it's picking up its config, because it's obviously ignoring whatever is in /etc/sysconfig/iptables or rules that I provide via CLI. And firewalld doesn't seem to be present on my systems (it doesn't seem to be present on either of my pools, neither the old 6.5 nor the new 8.2 that we are migrating to).

Link to comment

In fact, here is the output of iptables -L, which tells me it actually picked up my changes made to /etc/sysconfig/iptables. It's just that whatever is controlling the actual firewall on my host is ignoring these iptables rules (and I did restart and reload the iptables service).

[Image: output of iptables -L]

Yet when I nmap the ports, it says 10500 is closed???

[Image: nmap scan output]


There is nothing in between the computer I'm scanning from and the Xen host. No firewall. They are on the same switch right next to each other, and I'm not filtering any traffic on this switch.

Any insight is welcome. Thank you.

Link to comment
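Added example, not part of the thread and not Citrix or Zabbix code: a small check that walks an iptables-save style ruleset in order for a given TCP port and combines the result with the state nmap reported. The function names and the trimmed sample ruleset are constructed for illustration; it assumes the final REJECT uses icmp-host-prohibited as in the posted file, and it ignores port ranges and interface-bound rules.

```shell
#!/bin/sh
# Constructed sample: same rule order as the posted /etc/sysconfig/iptables, trimmed.
SAMPLE_RULES='*filter
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 10500 -j ACCEPT
-A RH-Firewall-1-INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m multiport --dports 5404,5405 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# rule_verdict CHAIN PORT (hypothetical helper): reads ruleset text on stdin and
# prints the target of the first rule in CHAIN that a NEW inbound TCP connection
# to PORT would hit. Interface-bound and non-NEW conntrack rules are skipped.
rule_verdict() {
  awk -v chain="$1" -v port="$2" '
    $1 != "-A" || $2 != chain { next }
    {
      proto = ""; dport = ""; target = ""; skip = 0
      for (i = 3; i <= NF; i++) {
        if ($i == "-p") proto = $(i+1)
        if ($i == "--dport" || $i == "--dports") dport = $(i+1)
        if ($i == "-j") target = $(i+1)
        if ($i == "-i" || $i == "--in-interface") skip = 1
        if ($i == "--ctstate" && $(i+1) !~ /NEW/) skip = 1
      }
      if (skip) next
      if (proto != "" && proto != "tcp") next
      if (dport != "" && ("," dport ",") !~ ("," port ",")) next
      print target; found = 1; exit
    }
    END { if (!found) print "POLICY" }'
}

# diagnose VERDICT NMAP_STATE (hypothetical helper): what the pair implies.
diagnose() {
  case "$1:$2" in
    ACCEPT:open)     echo "firewall passes the port and a service is listening" ;;
    ACCEPT:closed)   echo "firewall passes the port; host replied RST, nothing is listening" ;;
    ACCEPT:filtered) echo "loaded rules differ from this ruleset, or another device filters" ;;
    REJECT:filtered|DROP:filtered) echo "firewall is blocking the port" ;;
    *)               echo "inconsistent; compare with iptables-save output on the host" ;;
  esac
}

diagnose "$(printf '%s\n' "$SAMPLE_RULES" | rule_verdict RH-Firewall-1-INPUT 10500)" closed
```

On the host, ss -ltn lists the listening TCP sockets to compare against the port the rule opens; the Zabbix agent's default ListenPort is 10050, so confirm which port the agent is actually configured for.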
