Ransom Briggs wrote:
> Hello,

Hi,

> I just finished up an upgrade to LCG-2_4_0 and everything seemed to be
> working fine until I noticed that the BDII server is no longer reachable
> from the worker nodes. The peculiar thing was that the BDII was reachable
> from everywhere else. I came to the conclusion that there is a problem
> with having our workers behind a NAT box and the new iptables rules.
>
> The reason I believe this is a problem is due to the fact that the worker
> nodes can see all other ports just fine except for 2170. I can even query
> the ldap on 2171-3. Does anyone have a suggestion on what I should do to
> get this to work?

A more serious problem is that NAT-ed worker nodes (or nodes routed through the CE) cannot reach any BDII in the world on port 2170, which breaks replication.

In /etc/init.d/lcg-bdii and /opt/lcg/bdii/sbin/lcg-bdii-update, replace the rule that is added to the PREROUTING chain (with the REDIRECT target) by a copy of the rule added to the OUTPUT chain (with the DNAT target).

In /etc/init.d/lcg-bdii it should be:

iptables -t nat -I PREROUTING 1 -p tcp --dport ${BDII_PORT_READ} -d `hostname -f` -j DNAT --to-destination `host $(hostname) | awk '{print $4}'`:${BDII_PORT_READ}

In /opt/lcg/bdii/sbin/lcg-bdii-update:

system("iptables -t nat -R PREROUTING 1 -p tcp --dport $bdii_port_read -d $bdii_host -j DNAT --to-destination `host $bdii_host | awk '{print \$4}'`:$bdii_port_write");

Good luck,
Jan

-- 
Jan Astalos
Institute of Informatics, Slovak Academy of Sciences
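The failure mode behind the fix above is a PREROUTING rule that matches every packet to port 2170 without a -d match: on a CE that also routes for NAT-ed worker nodes it rewrites their forwarded traffic to every remote BDII, not just queries aimed at the CE itself. The script below is an added example written for this page, not code from the thread or from the lcg-bdii scripts; it audits a nat-table dump for such a rule and prints the narrowed DNAT replacements. It assumes the `iptables-save -t nat` line layout; the two sample dumps, the host name ce.example.org and the addresses are constructed, and the address is passed in explicitly rather than parsed out of `host` output so the caller can verify it first.

```bash
#!/bin/sh
# Added example (not from the thread or the lcg-bdii scripts): audit a nat-table
# dump for a PREROUTING rule on the BDII read port that lacks a -d match, and
# emit the narrowed replacement rules. Assumes the `iptables-save -t nat` line
# layout; sample dumps, host name and addresses below are constructed.

BDII_PORT_READ=${BDII_PORT_READ:-2170}

# Constructed dump: the stock rule, REDIRECT with no -d match. On a CE that
# routes for NAT-ed workers this also catches their traffic to remote BDIIs.
SAMPLE_BROKEN='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 2170 -j REDIRECT --to-ports 2171
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT'

# Constructed dump after the fix: both rules match only the host's own address.
SAMPLE_FIXED='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 10.0.0.5/32 -p tcp -m tcp --dport 2170 -j DNAT --to-destination 10.0.0.5:2171
-A OUTPUT -d 10.0.0.5/32 -p tcp -m tcp --dport 2170 -j DNAT --to-destination 10.0.0.5:2171
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT'

# find_broad_redirects DUMP PORT
# Prints every PREROUTING rule in DUMP that matches --dport PORT but carries
# no -d match, i.e. a rule that also rewrites forwarded traffic.
# Exit status 1 if any were found, 0 if the table is clean.
find_broad_redirects() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "-A" && $2 == "PREROUTING" {
            hit = 0; narrowed = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport" && $(i + 1) == port) hit = 1
                if ($i == "-d") narrowed = 1
            }
            if (hit && !narrowed) { print; found++ }
        }
        END { if (found > 0) exit 1; exit 0 }'
}

# bdii_dnat_rules HOST IP PORT_READ PORT_WRITE
# Prints the two commands of the fix: the PREROUTING rule for packets arriving
# from outside and the OUTPUT rule for the host's own queries, both restricted
# to HOST so forwarded traffic is left alone. IP is supplied by the caller.
bdii_dnat_rules() {
    host=$1; ip=$2; pread=$3; pwrite=$4
    printf 'iptables -t nat -I PREROUTING 1 -p tcp --dport %s -d %s -j DNAT --to-destination %s:%s\n' \
        "$pread" "$host" "$ip" "$pwrite"
    printf 'iptables -t nat -I OUTPUT 1 -p tcp --dport %s -d %s -j DNAT --to-destination %s:%s\n' \
        "$pread" "$host" "$ip" "$pwrite"
}

# "demo" runs the audit on the constructed dumps; "audit" reads a live dump
# from stdin:  iptables-save -t nat | sh this_script.sh audit
case "${1-}" in
    demo)
        echo "== broken dump =="
        find_broad_redirects "$SAMPLE_BROKEN" "$BDII_PORT_READ" || echo "-> overly broad rule(s) found"
        echo "== fixed dump =="
        find_broad_redirects "$SAMPLE_FIXED" "$BDII_PORT_READ" && echo "-> clean"
        bdii_dnat_rules ce.example.org 10.0.0.5 "$BDII_PORT_READ" 2171 ;;
    audit)
        find_broad_redirects "$(cat)" "$BDII_PORT_READ" ;;
esac
```

Run it with `demo` to see both samples checked, or feed the live table through `audit` on the CE; a non-zero exit means a rule matching port 2170 without a destination restriction is still present and worker traffic to remote BDIIs will be captured.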