External Connector only allows ICMP by default

evajust
Level 1

I made an External Connector node thinking I'd be able to ssh and run scripts against nodes in my CML lab from my host machine.

I could ping the nodes, but couldn't ssh. I used a packet capture on the link between the External Connector and my lab's switch, and I didn't see any ssh traffic.

tcpdump on the CML server confirmed the bridge interfaces are seeing the ssh traffic, but not sending it into the lab. I checked the iptables rules and saw two rules (IN_public and FWDI_public) only allowing icmp traffic. Once I allowed tcp on the FWDI_public rule, I could ssh to all nodes in my lab.

This is the command for anyone who wants to do this: sudo iptables -A FWDI_public -p tcp -j ACCEPT

You can verify the rules with: sudo iptables -S FWDI_public

I'm curious why this isn't the default or at least the user guide doesn't mention this. It makes it seem the External Connector gives you a plain L2 connection into the lab. While this is technically true, nothing mentions that CML's firewall will block everything except ICMP.


ndmitri
Level 1

@evajust, thank you for this post. Adding "sudo iptables -A FWDI_public -p tcp -j ACCEPT" fixed my ssh issue. I would like to suggest running the "iptables-save" command as well to make the change persistent.
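An added script (not from either post, CML, or Cisco) that audits the FWDI_public chain for the "ICMP only" state described in the original post and prints a narrower fix than the blanket "-p tcp -j ACCEPT": only SSH, only towards the lab subnet. It assumes the lab nodes sit in 10.0.0.0/24 (LAB_NET, an assumed value) and that the host runs firewalld, which is what generates chain names like IN_public and FWDI_public.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumed values (not in the thread):
# LAB_NET is the CML lab subnet, and tcp/22 (SSH) is the only service needed.
LAB_NET=${LAB_NET:-10.0.0.0/24}

# chain_permits RULES PROTO [DPORT]
#   RULES is the text of `iptables -S FWDI_public`. Succeeds when the chain
#   already ACCEPTs PROTO: either a port-less rule, or (if DPORT is given) a
#   rule for exactly that port.
chain_permits() {
  rules=$1; proto=$2; dport=${3:-}
  if printf '%s\n' "$rules" | grep -E -- "-p $proto .*-j ACCEPT$" | grep -qv -- '--dport'; then
    return 0
  fi
  if [ -n "$dport" ] && printf '%s\n' "$rules" | grep -Eq -- "-p $proto .*--dport $dport .*-j ACCEPT$"; then
    return 0
  fi
  return 1
}

# least_privilege_rule: the command to append instead of the thread's blanket
# "-p tcp -j ACCEPT": SSH only, and only towards the (assumed) lab subnet.
least_privilege_rule() {
  printf 'iptables -A FWDI_public -d %s -p tcp -m tcp --dport 22 -j ACCEPT\n' "$LAB_NET"
}

# audit_chain RULES: one-word verdict for a `-S FWDI_public` dump.
#   icmp-only : the symptom from the thread (ping works, ssh does not)
#   tcp-any   : the thread's blanket fix is in place
#   ssh-only  : the narrower rule is in place
audit_chain() {
  rules=$1
  if chain_permits "$rules" tcp; then echo tcp-any
  elif chain_permits "$rules" tcp 22; then echo ssh-only
  else echo icmp-only; fi
}

# Constructed sample of what `sudo iptables -S FWDI_public` shows before the
# fix: ICMP is the only protocol accepted, so SSH into the lab is dropped.
SAMPLE_BEFORE='-N FWDI_public
-A FWDI_public -p icmp -j ACCEPT'

if [ "${1:-}" = "--check" ]; then   # live run on the CML host: sudo sh audit.sh --check
  audit_chain "$(iptables -S FWDI_public)"
else
  echo "sample chain: $(audit_chain "$SAMPLE_BEFORE")"
  echo "suggested fix: $(least_privilege_rule)"
fi
```

On a firewalld host a rule appended with plain iptables is dropped again on the next firewalld reload; the equivalent persistent form is a direct rule, e.g. `firewall-cmd --permanent --direct --add-rule ipv4 filter FWDI_public 0 -d 10.0.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT` followed by `firewall-cmd --reload`.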