Hi Maarten,

A sure solution - until the new version of the lcg-bdii service is released - is to run the current lcg-bdii service (top level or local) on hosts that don't perform any NAT-ing except for that controlled by the lcg-bdii service itself.
Another fix for the current lcg-bdii service would be the replacement of the PREROUTING REDIRECT target with a DNAT target (identical to the one in the OUTPUT chain, just below).

Best regards,
Dan



Maarten Litmaath, CERN wrote:

> On Wed, 1 Jun 2005, Maarten Litmaath, CERN wrote:
>
>> On Tue, 31 May 2005, Vega Forneris wrote:
>>
>>> Hi again Daniel,
>>>
>>>> lcg-bdii is running
>>>
>>> what kind of element is suffering this problem? Here at ESA-ESRIN we had the same
>>> problems with our WNs which are NATted behind MasterNode/CE: I found the
>>> problem was related to the lcg-bdii startup and update scripts: they
>>> write a redirection on the CE from port 2170 to others (range 2171-2173)
>>> in the iptables chain... to check it launch:
>>>
>>> $ iptables -t nat -L
>>>
>>> Try to stop the lcg-bdii service and flush all entries (save your
>>> configuration first of course)
>>>
>>> $ service lcg-bdii stop
>>> $ iptables -F
>>>
>>> (check all rules are flushed: $ iptables -t nat -L)
>>
>> To flush the "nat" rules, you need to do this:
>>
>>     iptables -F -t nat
>>
>> In any case this may not be enough: I have seen some of our nodes get into
>> a state where iptables did not report any rules, netstat showed port 2170
>> being listened on (with the BDII just restarted), yet connections were refused.
>> In such cases a reboot is a solution.
>
> The good news: we are testing a new version of the BDII that no longer uses
> iptables at all.  We expect to make it available shortly.
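The check Vega and Maarten describe (looking in the nat table for the port 2170 redirect and flushing it with `-t nat`) together with Dan's suggested DNAT replacement, as an added shell example that is not from the thread: it parses a constructed `iptables-save`-style dump instead of a live table, and the host address 192.0.2.10 and the `-d` match that narrows the rule to the CE's own address are my assumptions.

```shell
# Constructed sample of `iptables-save -t nat` output, standing in for a live
# table. The PREROUTING REDIRECT is the rule the thread describes (2170 -> 2171-2173);
# the OUTPUT rule is the DNAT form that Dan suggests copying.
SAMPLE_NAT_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp --dport 2170 -j REDIRECT --to-ports 2171-2173
-A OUTPUT -o lo -p tcp --dport 2170 -j DNAT --to-destination 127.0.0.1:2171-2173
COMMIT'

# find_prerouting_redirects DUMP
# Prints every nat PREROUTING rule that uses REDIRECT. Such a rule also catches
# packets merely forwarded through the box (the NATted WNs), so their BDII
# queries to other hosts get diverted to this one. Exit status 1 if none found.
find_prerouting_redirects() {
    printf '%s\n' "$1" | grep -E '^-A PREROUTING .*-j REDIRECT --to-ports [0-9]+(-[0-9]+)?'
}

# redirect_to_dnat RULE HOST
# Rewrites a PREROUTING REDIRECT rule into a DNAT rule that only matches packets
# addressed to HOST (assumed to be the CE's own address), so forwarded traffic
# for other BDII hosts is left alone. The port (range) is carried over.
redirect_to_dnat() {
    printf '%s\n' "$1" | sed -E \
        -e "s/^-A PREROUTING /-A PREROUTING -d $2 /" \
        -e "s/-j REDIRECT --to-ports ([0-9]+(-[0-9]+)?)/-j DNAT --to-destination $2:\\1/"
}

# flush_nat_table
# Maarten's point: a plain `iptables -F` only empties the filter table; the nat
# table has to be named explicitly. Needs root, so it is defined but not run here.
flush_nat_table() {
    iptables -t nat -F && iptables -t nat -L
}

# Usage on the constructed dump (on a live host, pass "$(iptables-save -t nat)"):
if rule=$(find_prerouting_redirects "$SAMPLE_NAT_DUMP"); then
    echo "found:       $rule"
    echo "replacement: $(redirect_to_dnat "$rule" 192.0.2.10)"
fi
```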