In order to enable monitoring with ClearGLASS, a server needs to allow outgoing traffic to UDP port 25826 for monitor.ClearGLASS. Port 25826 is the port were collectd open source monitoring agent uses in order to send the monitoring data. So make sure outgoing traffic to monitor.ClearGLASS for 25826 is allowed.
In order for ClearGLASS to be able to run properly and ping/probe/ssh VMs incoming traffic to these ips need to be whitelisted:
22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11
The list of ips is also contained as A records in dns name ips.ClearGLASS. To get all current ips use dig
root@user:~# dig ips.ClearGLASS ; <<>> DiG 9.9.5-3ubuntu0.9-Ubuntu <<>> ips.ClearGLASS ... ;; ANSWER SECTION:<br>ips.ClearGLASS.300INA18.104.22.168 ips.ClearGLASS. 60 IN A 22.214.171.124 ips.ClearGLASS. 60 IN A 126.96.36.199 ips.ClearGLASS. 60 IN A 188.8.131.52 ips.ClearGLASS. 60 IN A 184.108.40.206 ips.ClearGLASS. 60 IN A 220.127.116.11
To whitelist these
root@user:~# iptables -A INPUT -s ips.ClearGLASS -j ACCEPT
Keep in mind that when dns names are used in iptables, these are resolved when the rule is being added, so in order to keep up with changes in our infrastructure, you'll need to reapply the rules periodically so that the dns entries are re-resolved.