[openstack-dev] [openstack]host not reachable with iptables reject after init

Wilence Yao wilence.yao at gmail.com
Mon Nov 9 14:55:43 UTC 2015


Hi all,
After I ran devstack/stack.sh to completion, I found that the API was not
reachable. After some checks, I found that some iptables rules cause the problem:

```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
nova-network-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
neutron-openvswi-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
nova-api-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
```

The last two rules reject all access to the host except port 22 (ssh). Why
should devstack add these two rules on the host?

Wilence Yao
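
An added example, not part of the original post: a first-match walk over the INPUT listing above that reports which rule decides a given packet. It assumes that the jumps to the nova/neutron chains return no verdict, that the bare `ACCEPT all` row (row 10) carries an interface match on `lo` which `iptables -L -n` does not print without `-v`, and a constructed API port (8774) and interface name (`eth0`).

```python
import re

# INPUT chain from the post (`iptables -L -n` format), whitespace collapsed.
LISTING = """\
nova-network-INPUT all -- 0.0.0.0/0 0.0.0.0/0
neutron-openvswi-INPUT all -- 0.0.0.0/0 0.0.0.0/0
nova-api-INPUT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
"""
TERMINAL = {"ACCEPT", "REJECT", "DROP"}
API_PORT = 8774  # assumed example port; the post does not say which API

def parse(listing):
    """Turn each listing row into a dict of the matches that row shows."""
    rules = []
    for num, line in enumerate(listing.splitlines(), start=1):
        target, prot, _opt, _src, _dst, *extra = line.split()
        extra = " ".join(extra)
        dpt = re.search(r"dpt:(\d+)", extra)
        state = re.search(r"state (\S+)", extra)
        rules.append({"num": num, "target": target, "prot": prot,
                      "dpt": int(dpt.group(1)) if dpt else None,
                      "states": set(state.group(1).split(",")) if state else None})
    return rules

def verdict(rules, prot, dport, state, iface, hidden_iface=None):
    """Return (target, row number) of the first matching terminal rule.
    hidden_iface maps row number -> interface match that `-L` without `-v`
    does not print (an assumption supplied by the caller)."""
    hidden = hidden_iface or {}
    for r in rules:
        if (r["target"] in TERMINAL  # assumption: user-chain jumps give no verdict
                and r["prot"] in ("all", prot)
                and r["dpt"] in (None, dport)
                and (r["states"] is None or state in r["states"])
                and hidden.get(r["num"], iface) == iface):
            return r["target"], r["num"]
    return "ACCEPT", None  # chain policy from the listing header

RULES = parse(LISTING)
```

Read literally, with no hidden interface match, row 10 would accept every packet and the final REJECT could never be reached, so `iptables -L -n -v` or `iptables -S INPUT` is the listing to check when diagnosing this.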