From: John Wilkins Date: Tue, 26 Feb 2013 00:12:50 +0000 (-0800) Subject: doc: Added content to remove REJECT rules from iptables. X-Git-Tag: v0.59~120 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=5e5530be196e25b48b9db1a00ce1b295c09bc6a2;p=ceph.git doc: Added content to remove REJECT rules from iptables. Signed-off-by: John Wilkins --- diff --git a/doc/rados/operations/troubleshooting-mon.rst b/doc/rados/operations/troubleshooting-mon.rst index e2b834acffb..3c3809087ae 100644 --- a/doc/rados/operations/troubleshooting-mon.rst +++ b/doc/rados/operations/troubleshooting-mon.rst @@ -28,4 +28,25 @@ For example:: If there are not enough monitors to form a quorum, the ``ceph`` command will block trying to reach the cluster. In this situation, you need to get enough ``ceph-mon`` daemons running to form a quorum -before doing anything else with the cluster. \ No newline at end of file +before doing anything else with the cluster. + + +Client Can't Connect/Mount +========================== + +Check your IP tables. Some OS install utilities add a ``REJECT`` rule to +``iptables``. The rule rejects all clients trying to connect to the host except +for ``ssh``. If your monitor host's IP tables have such a ``REJECT`` rule in +place, clients connecting from a separate node will fail to mount with a timeout +error. You need to address ``iptables`` rules that reject clients trying to +connect to Ceph daemons. For example, you would need to address rules that look +like this appropriately:: + + REJECT all -- anywhere anywhere reject-with icmp-host-prohibited + +You may also need to add rules to IP tables on your Ceph hosts to ensure +that clients can access the ports associated with your Ceph monitors (i.e., port +6789 by default) and Ceph OSDs (i.e., 6800 et. seq. by default). For example:: + + iptables -A INPUT -m multiport -p tcp -s {ip-address}/{netmask} --dports 6789,6800:6810 -j ACCEPT +
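Review bot: The closing example appends its rule with `iptables -A INPUT ... -j ACCEPT`, which puts it at the end of the INPUT chain, after the `REJECT all -- anywhere anywhere reject-with icmp-host-prohibited` rule the new section describes. iptables evaluates rules in order and stops at the first match, so on exactly the hosts this section targets the ACCEPT rule is never reached and clients still fail to connect. Suggest inserting ahead of the REJECT rule instead, for example `iptables -I INPUT ...` with the same match, or a rule number taken from `iptables -L INPUT --line-numbers`. Separately, "you would need to address rules that look like this appropriately" does not say what the reader should do, while the commit subject says the content is about removing REJECT rules; state the intended action and how to list the current rules so the reader can find the offending one. Keeping the `-s {ip-address}/{netmask}` restriction in the example is good, since it avoids opening 6789 and 6800:6810 to every source. Minor: "et. seq." should be "et seq.".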