Hi Daniel,

A simpler way to deal with lcg-bdii is the following:

1) to check the iptables (and lcg-bdii) status execute:
    service iptables status
2) to shut down lcg-bdii fully execute:
    service lcg-bdii stop
    service iptables stop

If lcg-bdii runs on a CE acting as a permanent NAT for WNs, then don't stop 
(or stop it only briefly) service iptables but execute:
    service iptables restart

3) to start lcg-bdii execute:
    service lcg-bdii start

You may execute also:
    service lcg-bdii restart

4) When more than one network interface is present on the host running 
service lcg-bdii (like a CE acting as NAT for WNs), replace the REDIRECT 
line in file /opt/lcg/bdii/sbin/lcg-bdii with:
    iptables -t nat -I PREROUTING 1 -p tcp --dport ${BDII_PORT_READ} -j DNAT --to-destination `host $(hostname) | awk '{print $4}'`:${BDII_PORT_READ}
Do the same in file /opt/lcg/bdii/sbin/lcg-bdii-update, using this line 
instead of the REDIRECT line:
   system("iptables -t nat -R PREROUTING 1 -p tcp --dport $bdii_port_read -j DNAT --to-destination `host $bdii_host | awk '{print \$4}'`:$bdii_port_write");

This would be good for single network interface hosts too.

Regards,
Dan
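
The procedure above, as an added shell example (not code from this thread or from the lcg-bdii scripts): it resolves the host's own address for the DNAT target from `host` output by picking the "has address" line rather than taking field 4 of whatever line comes first, builds the DNAT insert/replace commands, and locates the BDII REDIRECT rule by number in `iptables -t nat -L PREROUTING -n --line-numbers` output so that only that rule is deleted instead of flushing the whole nat table on a CE that also NATs for its WNs. The port numbers and the sample `host` and `iptables` listings are constructed assumptions; the functions print the iptables commands as a dry run instead of executing them.

```shell
#!/bin/sh
# Added example: not code from the thread above or from the lcg-bdii scripts.
# It turns the iptables points discussed in the message into testable shell
# functions. Port numbers and the sample `host` / `iptables -L` outputs are
# assumptions constructed for this example.

BDII_PORT_READ=2170     # assumed: the port clients query
BDII_PORT_WRITE=2171    # assumed: one of the 2171-2173 backend ports

# (1) Resolve the host's own IPv4 address for the DNAT target.
# The message uses `host $(hostname) | awk '{print $4}'`, which takes field 4
# of whatever `host` prints first; on an aliased or IPv6-enabled host that
# first line can be "is an alias for ..." or "has IPv6 address ...".
# Matching the "has address" line explicitly picks the IPv4 record.
resolve_ipv4() {
    # $1: output of `host <name>`, passed in so this can run offline
    printf '%s\n' "$1" | awk '/ has address / { print $4; exit }'
}

# (2a) The DNAT rule proposed as replacement for the REDIRECT line in the
# start script. REDIRECT rewrites the destination to the primary address of
# the interface the packet arrived on, so on a multi-homed CE the result
# depends on the interface; DNAT pins it to one explicit address.
dnat_insert_cmd() {
    # $1: host IPv4, $2: read port, $3: backend port
    printf 'iptables -t nat -I PREROUTING 1 -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$2" "$1" "$3"
}

# (2b) The same rule as an in-place replacement of rule 1, as the update
# script would run it each time it switches the backend port.
dnat_replace_cmd() {
    # $1: host IPv4, $2: read port, $3: backend port
    printf 'iptables -t nat -R PREROUTING 1 -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$2" "$1" "$3"
}

# (3) Find the BDII REDIRECT rules by number in the output of
# `iptables -t nat -L PREROUTING -n --line-numbers`. Deleting only these
# (highest number first, so the remaining numbers stay valid) leaves the
# rest of the nat table alone; `iptables -F -t nat` on a CE would also
# remove the MASQUERADE/SNAT rule the WNs depend on.
redirect_rule_numbers() {
    # $1: listing text, $2: read port
    printf '%s\n' "$1" |
        awk -v port="$2" '$2 == "REDIRECT" && $0 ~ ("dpt:" port "( |$)") { print $1 }' |
        sort -rn
}

delete_cmds() {
    # $1: listing text, $2: read port; prints one `iptables -t nat -D` per rule
    for n in $(redirect_rule_numbers "$1" "$2"); do
        printf 'iptables -t nat -D PREROUTING %s\n' "$n"
    done
}

# Constructed sample data, standing in for real `host` and `iptables` output.
SAMPLE_HOST_OUTPUT='ce.example.org is an alias for ce1.example.org.
ce1.example.org has IPv6 address 2001:db8::10
ce1.example.org has address 192.0.2.10'

SAMPLE_NAT_LISTING='Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:2170 redir ports 2172
2    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 to:10.0.0.5:22
3    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:2170 redir ports 2171'

# Dry run: print the commands an administrator would review before running.
HOST_IP=$(resolve_ipv4 "$SAMPLE_HOST_OUTPUT")
delete_cmds "$SAMPLE_NAT_LISTING" "$BDII_PORT_READ"
dnat_insert_cmd "$HOST_IP" "$BDII_PORT_READ" "$BDII_PORT_WRITE"
```

As written this only prints commands; run them as root once reviewed. The highest-number-first order in `delete_cmds` matters because each `iptables -t nat -D PREROUTING <n>` renumbers the rules after it, so deleting rule 1 before rule 3 would leave the second deletion pointing at the wrong rule.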



Daniel Cano wrote:

> Hello,
> now it seems to be working. Just stopping lcg-bdii and flushing the nat 
> rules solves the problem. But now, when trying
>
> lcg-infosites --vo cms ce|grep ifca
>
> there's nothing there. The same result is produced by
>
>
> lcg-infosites --vo cms se|grep ifca
>
> I have restarted MDS several times, and I don't know why the 
> information about ifca is not there, or what service is not collecting 
> it. If you have any idea
>
> Thanks in advance
>
> Dani
>
>
> Dan Schrager wrote:
>
>> Hi Maarten,
>>
>> A sure solution - until the new version of the lcg-bdii service is 
>> released - is to run the current lcg-bdii service (top level or 
>> local) on hosts that don't perform any NAT-ing except for that 
>> controlled by the lcg-bdii service itself.
>> Another fix for the current lcg-bdii service would be the replacement 
>> of the PREROUTING REDIRECT target with a DNAT target (identical to 
>> the one in the OUTPUT chain, just below).
>>
>> Best regards,
>> Dan
>>
>>
>>
>> Maarten Litmaath, CERN wrote:
>>
>>> On Wed, 1 Jun 2005, Maarten Litmaath, CERN wrote:
>>>
>>>> On Tue, 31 May 2005, Vega Forneris wrote:
>>>>
>>>>> Hi again Daniel,
>>>>>
>>>>>> lcg-bdii is running
>>>>>
>>>>> what kind of element is suffering this problem? Here at ESA-ESRIN we had the same 
>>>>> problems with our WNs which are NATted behind MasterNode/CE: I found the 
>>>>> problem was related to the lcg-bdii startup and update scripts: they 
>>>>> write a redirection on the CE from port 2170 to others (range 2171-2173) 
>>>>> in the iptables chain... to check it launch:
>>>>>
>>>>> $ iptables -t nat -L
>>>>>
>>>>> Try to stop the lcg-bdii service and flush all entries (save your 
>>>>> configuration first of course)
>>>>>
>>>>> $ service lcg-bdii stop
>>>>> $ iptables -F
>>>>>
>>>>> (check all rules are flushed: $ iptables -t nat -L)
>>>>
>>>> To flush the "nat" rules, you need to do this:
>>>>
>>>>     iptables -F -t nat
>>>>
>>>> In any case this may not be enough: I have seen some of our nodes get into
>>>> a state where iptables did not report any rules, netstat showed port 2170
>>>> being listened on (with the BDII just restarted), yet connections were refused.
>>>> In such cases a reboot is a solution.
>>>
>>> The good news: we are testing a new version of the BDII that no longer uses
>>> iptables at all.  We expect to make it available shortly.