<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[iptables rule to allow apcupsd traffic to APC management card]]></title><description><![CDATA[<p dir="auto">I need to allow traffic between apcupsd on the host and the APC management card. When iptables is disabled, the host can communicate with the management card. However, when iptables is active, communications no longer occur.</p>
<p dir="auto">I have tried to insert a rule as follows:</p>
<pre><code>ACCEPT   tcp   192.168.xxx.xxx/32   anywhere   tcp dpt:apcupsd state NEW
</code></pre>
<p dir="auto">as the next to last rule in the RH-Firewall-1-INPUT chain. (The IP address belongs to the APC management card.) The rule doesn't allow packets to/from apcupsd.</p>
<p dir="auto">I am no iptables expert (we use FreeBSD) and I am not familiar with how the iptables rules are structured on the xcp-ng host. It appears to be specially tailored to xcp-ng.</p>
<pre><code># iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
RH-Firewall-1-INPUT  all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
RH-Firewall-1-INPUT  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere             icmp any
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW udp dpt:ha-cluster
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:21064
ACCEPT     udp  --  anywhere             anywhere             multiport dports hpoms-dps-lstn,netsupport
ACCEPT     tcp  --  192.168.xxx.xxx/32   anywhere             tcp dpt:apcupsd state NEW
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
#
</code></pre>
<p dir="auto">Suggestions?</p>
]]></description><link>https://xcp-ng.org/forum/topic/6864/iptables-rule-to-allow-apcupsd-traffic-to-apc-management-card</link><generator>RSS for Node</generator><lastBuildDate>Wed, 13 May 2026 01:08:58 GMT</lastBuildDate><atom:link href="https://xcp-ng.org/forum/topic/6864.rss" rel="self" type="application/rss+xml"/><pubDate>Mon, 23 Jan 2023 23:30:33 GMT</pubDate><ttl>60</ttl><item><title><![CDATA[Reply to iptables rule to allow apcupsd traffic to APC management card on Wed, 25 Jan 2023 19:10:25 GMT]]></title><description><![CDATA[<p dir="auto"><a class="plugin-mentions-user plugin-mentions-a" href="/forum/user/ajmind-0" aria-label="Profile: Ajmind-0">@<bdi>Ajmind-0</bdi></a><br />
Well, well, I switched to the snmp connection method and it worked just fine. Um...</p>
<p dir="auto">Thank you for your pointer.</p>
]]></description><link>https://xcp-ng.org/forum/post/57833</link><guid isPermaLink="true">https://xcp-ng.org/forum/post/57833</guid><dc:creator><![CDATA[dougs]]></dc:creator><pubDate>Wed, 25 Jan 2023 19:10:25 GMT</pubDate></item><item><title><![CDATA[Reply to iptables rule to allow apcupsd traffic to APC management card on Wed, 25 Jan 2023 16:28:11 GMT]]></title><description><![CDATA[<p dir="auto"><a class="plugin-mentions-user plugin-mentions-a" href="/forum/user/fohdeesha" aria-label="Profile: fohdeesha">@<bdi>fohdeesha</bdi></a></p>
<p dir="auto">As already mentioned, I have not modified iptables in regard to the communication with the management NIC on our APC UPS. It was just working by using the dom0 default settings.</p>
<p dir="auto"><a class="plugin-mentions-user plugin-mentions-a" href="/forum/user/dougs" aria-label="Profile: dougs">@<bdi>dougs</bdi></a><br />
Why use "pcnet" as the device instead of snmp? You need to specify a username and a passphrase.</p>
<p dir="auto">If you go with snmp it is quite simple to achieve.</p>
<pre><code>[17:17 IT1XCP-NG-SLAVE1 apcupsd]# apcaccess
APC      : 001,046,1126
DATE     : 2023-01-25 17:17:30 +0100
HOSTNAME : IT1XCP-NG-SLAVE1
VERSION  : 3.14.14 (31 May 2016) redhat
UPSNAME  : IT1USV1
CABLE    : Ethernet Link
DRIVER   : SNMP UPS Driver
UPSMODE  : Stand Alone
STARTTIME: 2022-12-11 14:08:12 +0100
STATUS   : ONLINE
LINEV    : 231.0 Volts
LOADPCT  : 9.0 Percent
BCHARGE  : 100.0 Percent
TIMELEFT : 84.0 Minutes
MBATTCHG : 45 Percent
MINTIMEL : 25 Minutes
MAXTIME  : 0 Seconds
MAXLINEV : 233.0 Volts
MINLINEV : 226.0 Volts
OUTPUTV  : 231.0 Volts
SENSE    : Unknown
DWAKE    : 12000 Seconds
DSHUTD   : 240 Seconds
DLOWBATT : 2 Minutes
LOTRANS  : 161.0 Volts
HITRANS  : 253.0 Volts
RETPCT   : 25.0 Percent
ITEMP    : 26.0 C
ALARMDEL : 5 Seconds
BATTV    : 218.0 Volts
LINEFREQ : 50.0 Hz
LASTXFER : Automatic or explicit self test
NUMXFERS : 1
XONBATT  : 2022-12-18 16:58:19 +0100
TONBATT  : 0 Seconds
CUMONBATT: 1 Seconds
XOFFBATT : 2022-12-18 16:58:20 +0100
LASTSTEST: 2022-12-18 16:58:19 +0100
SELFTEST : OK
STESTI   : 336
STATFLAG : 0x05000008
MANDATE  : 10/11/08
BATTDATE : 02/01/13
NOMOUTV  : 230 Volts
EXTBATTS : 1
FIRMWARE : 477.18.W
END APC  : 2023-01-25 17:18:09 +0100
[17:18 IT1XCP-NG-SLAVE1 apcupsd]#
</code></pre>
]]></description><link>https://xcp-ng.org/forum/post/57825</link><guid isPermaLink="true">https://xcp-ng.org/forum/post/57825</guid><dc:creator><![CDATA[Ajmind 0]]></dc:creator><pubDate>Wed, 25 Jan 2023 16:28:11 GMT</pubDate></item><item><title><![CDATA[Reply to iptables rule to allow apcupsd traffic to APC management card on Wed, 25 Jan 2023 11:57:18 GMT]]></title><description><![CDATA[<p dir="auto">Indeed, to properly edit iptables rules on xcp-ng, you need to add rules to <code>/etc/sysconfig/iptables</code>. I would copy something like the ssh allow line to another line directly below it, and change the port to 161 for example (and change protocol to udp, which I'm pretty sure your card uses, if it's just doing plain snmp). After verifying that fixes it, you can lock the rule down further by allowing this traffic only from the IP of the management card.</p>
<p dir="auto">Example of added line below ssh line:</p>
<pre><code>-A RH-Firewall-1-INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 694 -j ACCEPT
## UPS rule (SNMP is UDP, so the protocol and the match module must both be udp)
-A RH-Firewall-1-INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 161 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
etc
etc
</code></pre>
<p dir="auto">Note that anytime you edit this file, you must restart iptables for it to take effect with <code>service iptables restart</code>.</p>
<p dir="auto">Thinking about this further, though, I don't think this should be necessary, as the UPS daemon in dom0 is reaching out to the UPS card, not the other way around, so an explicit open port shouldn't be necessary with the default iptables in dom0 (which allows outbound connections).</p>
]]></description><link>https://xcp-ng.org/forum/post/57807</link><guid isPermaLink="true">https://xcp-ng.org/forum/post/57807</guid><dc:creator><![CDATA[fohdeesha]]></dc:creator><pubDate>Wed, 25 Jan 2023 11:57:18 GMT</pubDate></item><item><title><![CDATA[Reply to iptables rule to allow apcupsd traffic to APC management card on Wed, 25 Jan 2023 09:56:01 GMT]]></title><description><![CDATA[<p dir="auto"><a class="plugin-mentions-user plugin-mentions-a" href="/forum/user/dougs" aria-label="Profile: dougs">@<bdi>dougs</bdi></a></p>
<p dir="auto">My settings are:</p>
<pre><code>Chain INPUT (policy ACCEPT)
target     prot opt source               destination
xapi_nbd_input_chain  tcp  --  anywhere             anywhere             tcp dpt:nbd
ACCEPT     gre  --  anywhere             anywhere
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
xapi_nbd_output_chain  tcp  --  anywhere             anywhere             tcp spt:nbd

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere             icmp any
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW udp dpt:ha-cluster
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:21064
ACCEPT     udp  --  anywhere             anywhere             multiport dports hpoms-dps-lstn,netsupport
ACCEPT     all  --  10.10.10.0/24        anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain xapi_nbd_input_chain (1 references)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain xapi_nbd_output_chain (1 references)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
</code></pre>
<p dir="auto">I have some old notes from <a href="flurweg.net" target="_blank" rel="noopener noreferrer nofollow ugc">flurweg.net</a> about a XenServer 6.2 setting:</p>
<pre><code>Xenserver firewall, enable port:
If you want to read the values of the UPS connected to the Xenserver from another Linux host with CGI-Multimon installed that is connected to the Xenserver (NISIP), the Xenserver firewall blocks communication. TCP port
3551 must be opened. For this, the file "/etc/sysconfig/iptables" must be edited: copy the line

"-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT"

and paste it below again. In this copied line, change the port to 3551:
</code></pre>
<p dir="auto">Maybe this is what you need to do?</p>
]]></description><link>https://xcp-ng.org/forum/post/57793</link><guid isPermaLink="true">https://xcp-ng.org/forum/post/57793</guid><dc:creator><![CDATA[Ajmind 0]]></dc:creator><pubDate>Wed, 25 Jan 2023 09:56:01 GMT</pubDate></item><item><title><![CDATA[Reply to iptables rule to allow apcupsd traffic to APC management card on Tue, 24 Jan 2023 23:41:15 GMT]]></title><description><![CDATA[<p dir="auto"><a class="plugin-mentions-user plugin-mentions-a" href="/forum/user/ajmind-0" aria-label="Profile: Ajmind-0">@<bdi>Ajmind-0</bdi></a><br />
Strange. I'm using UPSTYPE pcnet and the corresponding DEVICE ipaddr:username:password statement. I'm using the exact syntax on all of our FreeBSD servers and they're communicating with the APC management card.</p>
<p dir="auto">What is your iptables configuration like?</p>
]]></description><link>https://xcp-ng.org/forum/post/57778</link><guid isPermaLink="true">https://xcp-ng.org/forum/post/57778</guid><dc:creator><![CDATA[dougs]]></dc:creator><pubDate>Tue, 24 Jan 2023 23:41:15 GMT</pubDate></item><item><title><![CDATA[Reply to iptables rule to allow apcupsd traffic to APC management card on Tue, 24 Jan 2023 11:30:31 GMT]]></title><description><![CDATA[<p dir="auto"><a class="plugin-mentions-user plugin-mentions-a" href="/forum/user/olivierlambert" aria-label="Profile: olivierlambert">@<bdi>olivierlambert</bdi></a></p>
<p dir="auto">Sorry, I was not detailed enough.</p>
<p dir="auto">In order to use your APC UPS via management NIC or USB cable, you have to install the "apcupsd" package.</p>
<p dir="auto">In the config file <em>apcupsd.conf</em> for apcupsd, located in</p>
<pre><code>/etc/apcupsd
</code></pre>
<p dir="auto">you can set/define how your UPS communicates with your host(s). The possible parameters are well documented in this file.</p>
<p dir="auto">I have not modified any iptables entry to work with my systems.</p>
]]></description><link>https://xcp-ng.org/forum/post/57717</link><guid isPermaLink="true">https://xcp-ng.org/forum/post/57717</guid><dc:creator><![CDATA[Ajmind 0]]></dc:creator><pubDate>Tue, 24 Jan 2023 11:30:31 GMT</pubDate></item><item><title><![CDATA[Reply to iptables rule to allow apcupsd traffic to APC management card on Tue, 24 Jan 2023 10:31:09 GMT]]></title><description><![CDATA[<p dir="auto">Where do you put this config <a class="plugin-mentions-user plugin-mentions-a" href="/forum/user/ajmind-0" aria-label="Profile: Ajmind-0">@<bdi>Ajmind-0</bdi></a> ?</p>
]]></description><link>https://xcp-ng.org/forum/post/57710</link><guid isPermaLink="true">https://xcp-ng.org/forum/post/57710</guid><dc:creator><![CDATA[olivierlambert]]></dc:creator><pubDate>Tue, 24 Jan 2023 10:31:09 GMT</pubDate></item><item><title><![CDATA[Reply to iptables rule to allow apcupsd traffic to APC management card on Tue, 24 Jan 2023 09:59:21 GMT]]></title><description><![CDATA[<p dir="auto">I am using</p>
<pre><code>UPSTYPE snmp
DEVICE 192.168.x.xxx:161:APC:private
</code></pre>
<p dir="auto">This works fine without touching iptables.</p>
]]></description><link>https://xcp-ng.org/forum/post/57703</link><guid isPermaLink="true">https://xcp-ng.org/forum/post/57703</guid><dc:creator><![CDATA[Ajmind 0]]></dc:creator><pubDate>Tue, 24 Jan 2023 09:59:21 GMT</pubDate></item><item><title><![CDATA[Reply to iptables rule to allow apcupsd traffic to APC management card on Tue, 24 Jan 2023 08:02:56 GMT]]></title><description><![CDATA[<p dir="auto">Adding <a class="plugin-mentions-user plugin-mentions-a" href="/forum/user/fohdeesha" aria-label="Profile: fohdeesha">@<bdi>fohdeesha</bdi></a> or <a class="plugin-mentions-user plugin-mentions-a" href="/forum/user/stormi" aria-label="Profile: stormi">@<bdi>stormi</bdi></a> here</p>
]]></description><link>https://xcp-ng.org/forum/post/57691</link><guid isPermaLink="true">https://xcp-ng.org/forum/post/57691</guid><dc:creator><![CDATA[olivierlambert]]></dc:creator><pubDate>Tue, 24 Jan 2023 08:02:56 GMT</pubDate></item></channel></rss>