Open up port 10500 on XenServer / Hypervisor 8.2 for Zabbix monitoring

[Nick Gorbikoff]

Hello.

We are trying to add Zabbix client to our Xen Pool vm's and running into a firewall issue on the hosts/hypervisors. No matter how we try to modify iptables - our changes are just ignored after a restart of iptables.
The initial guide we tried to follow is here: https://share.zabbix.com/virtualization/citrix/citrix-xenserver-disk-and-memory

 

But since then I scoured the forums here on citrix.com to no avail. Can't find any documentation that explains where config for iptables lives .

 

# Aything modified here, is simply ignored
# /etc/sysconfig/iptables

# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
# Zabbix
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 10500 -j ACCEPT
-A RH-Firewall-1-INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 10500 -j ACCEPT
# DHCP for host internal networks (CA-6996)
-A RH-Firewall-1-INPUT -p udp -m udp --dport 67 --in-interface xenapi -j ACCEPT
-A RH-Firewall-1-INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Linux HA hearbeat (CA-9394)
-A RH-Firewall-1-INPUT -m conntrack --ctstate NEW -m udp -p udp --dport 694 -j ACCEPT
-A RH-Firewall-1-INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT
# dlm
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 21064 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m multiport --dports 5404,5405 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Any suggestions would be appreciated.

Thank you.

PS:
Alternatively, if we can't use Zabbix, SNMP fallback could work.
We are mostly looking to monitor just the physical aspects of the hosts servers: local storage space, uptime, load, drives status.

[Nick Gorbikoff]

Mark me as blind and dyslexic.
The port 10500 is used for hip-nat service, I needed 10050. 

Solution/Conclusion/Resolution:
don't work on the firewall in the middle of the night. Sometimes it pays to walk away and do something else for a change or get a good night rest.

 

[Alan Lantz]

I don't run version 8 so I don't know for sure. Maybe firewall-cmd commands ? 

 

what does this do ?  firewall-cmd --get-active-zones

 

If that works can you do this ?

firewall-cmd --zone=public --add-port=10500/tcp --permanent

 

--Alan--

 

[Tobias Kreidl]

I think you'd have to switch back to iptables if that's what you want to run.

[Nick Gorbikoff]

Thank you for the suggestion @alan
1. Running firewall-cmd  returns an error

firewall-cmd --get-active-zones
#-bash: firewall-cmd: command not found

2. Is there somewhere a doc, describing which firewall is used by the CentOS/RH flavor Citrix XenServer is using? I mostly deal with Debian/Ubuntu systems + ufw/iptables, and I am a bit confounded by Citrix XenServer setup.

@tobias
How do I go about "switching back to iptables". Switching from what?

 

Thank you both!

[Nick Gorbikoff]

As far as I can tell I am actually running iptables, but I can't seem to figure out where it's picking up its config, because it's obviously ignoring whatever is in /etc/sysconfig/iptables or rules that I provide via CLI. And firewalld doesn't seem to be present on my systems ( doesn't seem to be present on either of my pools - neither old 6.5 nor the new 8.2 that we are migrating to )

[Nick Gorbikoff]

In fact here is the output of iptables -L ( Which tells me it actually picked up my changes made to /etc/sysconfig/iptables. It's just whatever is controlling the actual firewall on my host, is ignoring these iptable rules.  ( and I did restart and reload  iptables service)

 

 

Yet when I nmap ports, it says 10500 is closed ???

 

There is nothing in between my computer I'm scanning from and Xen host. No firewall. They are on the same switch right next to each other, and I'm not filtering any traffic on this switch.

Any insight is welcome. Thank you

[Mark Syms]

Note that Citrix do not support installing any third party software into Dom0 or modifying the shipped firewall rules for any purpose.