iptables rule to allow apcupsd traffic to APC management card
-
I need to allow traffic between apcupsd on the host and the APC management card. When iptables is disabled, the host can communicate with the management card. However, when iptables is active, communications no longer occur.
I have tried to insert a rule as follows:
ACCEPT tcp 192.168.xxx.xxx/32 anywhere tcp dpt:apcupsd state NEW
as the next to last rule in the RH-Firewall-1-INPUT chain. (The IP address belongs to the APC management card.) The rule doesn't allow packets to/from apcupsd.
I am no iptables expert (we use FreeBSD) and I am not familiar with how the iptables rules are structured on the xcp-ng host. It appears to be specially tailored to xcp-ng.
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere             icmp any
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW udp dpt:ha-cluster
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:21064
ACCEPT     udp  --  anywhere             anywhere             multiport dports hpoms-dps-lstn,netsupport
ACCEPT     tcp  --  192.168.xxx.xxx/32   anywhere             tcp dpt:apcupsd state NEW
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
#
Suggestions?
-
Adding @fohdeesha or @stormi here
-
I am using
UPSTYPE snmp
DEVICE 192.168.x.xxx:161:APC:private
This works fine without touching iptables.
-
Where do you put this config @Ajmind-0 ?
-
Sorry, I was not detailed enough.
In order to use your APC ups via management NIC or usb cable you have to install the "apcupsd" package.
In the config file apcupsd.conf for apcupsd located in
/etc/apcupsd
you could set /define how your ups is communicating with your host(s). The possible parameters are well documented in this file.
I have not modified any iptables entry to work with my systems.
-
@Ajmind-0
Strange. I'm using UPSTYPE pcnet and the corresponding DEVICE ipaddr:username:password statement. I'm using the exact syntax on all of our FreeBSD servers and they're communicating with the APC management card. What is your iptables configuration like?
-
My settings are:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
xapi_nbd_input_chain  tcp  --  anywhere             anywhere             tcp dpt:nbd
ACCEPT     gre  --  anywhere             anywhere
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
xapi_nbd_output_chain  tcp  --  anywhere             anywhere             tcp spt:nbd

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere             icmp any
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW udp dpt:ha-cluster
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:21064
ACCEPT     udp  --  anywhere             anywhere             multiport dports hpoms-dps-lstn,netsupport
ACCEPT     all  --  10.10.10.0/24        anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain xapi_nbd_input_chain (1 references)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain xapi_nbd_output_chain (1 references)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
I have some old notes from flurweg.net about a Xenserver 6.2 setting:
Xenserver firewall, enable port: If you want to read the values of the UPS connected to the Xenserver from another Linux host with CGI-Multimon installed, connected to the Xenserver (NISIP), the Xenserver firewall blocks communication. TCP port 3551 must be opened; for this the file "/etc/sysconfig/iptables" must be edited: copy the line "-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT" and paste it below again. In this copied line, change the port to 3551:
Maybe this is what you need to do?
-
Indeed, to properly edit iptables rules on xcp-ng, you need to add rules to
/etc/sysconfig/iptables
. I would copy something like the ssh allow line to another line directly below it, and change the port to 161 for example (and change the protocol to udp, which I'm pretty sure your card uses, if it's just doing plain snmp). After verifying that fixes it, you can lock the rule down further by allowing this traffic only from the IP of the management card. Example of the added line below the ssh line:
-A RH-Firewall-1-INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 694 -j ACCEPT
##UPS rule
-A RH-Firewall-1-INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 161 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
etc etc
Note that anytime you edit this file, you must restart iptables for it to take effect with
service iptables restart
Thinking about this further, though, I don't think this should be necessary: the UPS daemon in dom0 is reaching out to the UPS card, not the other way around, so an explicit open port shouldn't be needed with the default iptables in dom0 (which allows outbound connections).
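The post above describes copying an allow line in /etc/sysconfig/iptables. The script below is an added example (not code from the thread or from XCP-ng): it inserts the rule directly above the chain's final REJECT, limited to the card's source address, and checks that ordering, since a rule appended after the REJECT would never be reached. The port, protocol and the 192.168.1.50 card address are assumptions; the sample file is constructed.

```shell
#!/bin/sh
# Added example: insert an allow rule for the APC card into a copy of
# /etc/sysconfig/iptables above RH-Firewall-1-INPUT's final REJECT and
# verify the order. Port, protocol and card address are assumptions.
set -eu

# Build the rule line in the syntax the XCP-ng dom0 file uses.
# $1 = protocol (tcp|udp)  $2 = port  $3 = source address (CIDR)
ups_rule() {
    printf '%s\n' "-A RH-Firewall-1-INPUT -s $3 -p $1 -m conntrack --ctstate NEW -m $1 --dport $2 -j ACCEPT"
}

# Insert the rule into file $1 above the chain's REJECT line; a rule placed
# after the REJECT would never match. Skips the insert if already present.
add_ups_rule() {
    file=$1; rule=$(ups_rule "$2" "$3" "$4")
    if grep -qxF -- "$rule" "$file"; then
        echo "rule already present in $file" >&2
        return 0
    fi
    awk -v rule="$rule" '
        !done && /^-A RH-Firewall-1-INPUT .*-j REJECT/ { print rule; done = 1 }
        { print }
        END { if (!done) exit 1 }   # no REJECT line found: leave file untouched
    ' "$file" > "$file.tmp" || { rm -f "$file.tmp"; return 1; }
    mv "$file.tmp" "$file"
}

# Return 0 only if the rule exists and sits above the REJECT (so it is hit).
rule_precedes_reject() {
    file=$1; rule=$(ups_rule "$2" "$3" "$4")
    r=$(grep -nxF -- "$rule" "$file" | head -n 1 | cut -d: -f1)
    j=$(grep -n -- '^-A RH-Firewall-1-INPUT .*-j REJECT' "$file" | head -n 1 | cut -d: -f1)
    [ -n "$r" ] && [ -n "$j" ] && [ "$r" -lt "$j" ]
}
# Constructed sample of the relevant part of /etc/sysconfig/iptables.
make_sample() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}
```

To try it on a scratch copy: `make_sample /tmp/ipt; add_ups_rule /tmp/ipt udp 161 192.168.1.50/32; rule_precedes_reject /tmp/ipt udp 161 192.168.1.50/32 && echo ok`; on the real file, restart iptables afterwards as the post says.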
-
As already mentioned, I have not modified iptables in regard to the communication with the management NIC on our APC UPS. It was just working with the dom0 default settings.
@dougs
Why use "pcnet" as the device instead of snmp? You need to specify a username and a passphrase. If you go with snmp it is quite simple to achieve.
[17:17 IT1XCP-NG-SLAVE1 apcupsd]# apcaccess
APC      : 001,046,1126
DATE     : 2023-01-25 17:17:30 +0100
HOSTNAME : IT1XCP-NG-SLAVE1
VERSION  : 3.14.14 (31 May 2016) redhat
UPSNAME  : IT1USV1
CABLE    : Ethernet Link
DRIVER   : SNMP UPS Driver
UPSMODE  : Stand Alone
STARTTIME: 2022-12-11 14:08:12 +0100
STATUS   : ONLINE
LINEV    : 231.0 Volts
LOADPCT  : 9.0 Percent
BCHARGE  : 100.0 Percent
TIMELEFT : 84.0 Minutes
MBATTCHG : 45 Percent
MINTIMEL : 25 Minutes
MAXTIME  : 0 Seconds
MAXLINEV : 233.0 Volts
MINLINEV : 226.0 Volts
OUTPUTV  : 231.0 Volts
SENSE    : Unknown
DWAKE    : 12000 Seconds
DSHUTD   : 240 Seconds
DLOWBATT : 2 Minutes
LOTRANS  : 161.0 Volts
HITRANS  : 253.0 Volts
RETPCT   : 25.0 Percent
ITEMP    : 26.0 C
ALARMDEL : 5 Seconds
BATTV    : 218.0 Volts
LINEFREQ : 50.0 Hz
LASTXFER : Automatic or explicit self test
NUMXFERS : 1
XONBATT  : 2022-12-18 16:58:19 +0100
TONBATT  : 0 Seconds
CUMONBATT: 1 Seconds
XOFFBATT : 2022-12-18 16:58:20 +0100
LASTSTEST: 2022-12-18 16:58:19 +0100
SELFTEST : OK
STESTI   : 336
STATFLAG : 0x05000008
MANDATE  : 10/11/08
BATTDATE : 02/01/13
NOMOUTV  : 230 Volts
EXTBATTS : 1
FIRMWARE : 477.18.W
END APC  : 2023-01-25 17:18:09 +0100
[17:18 IT1XCP-NG-SLAVE1 apcupsd]#
-
@Ajmind-0
Well, well, I switched to the snmp connection method and it worked just fine. Um... Thank you for your pointer.