[openstack-dev] [openstack]host not reachable with iptables reject after init

Brian Haley brian.haley at hpe.com
Mon Nov 9 16:30:56 UTC 2015


On 11/09/2015 09:55 AM, Wilence Yao wrote:
> Hi all,
> After I ran devstack/stack.sh completely, I found that the API is not reachable.
> After some checking, I found that some iptables rules cause the problem:

<snip>

> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
> REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
> ```
>
> The last two rules reject all access to the host except port 22 (ssh). Why
> should devstack add these two rules on the host?

The devstack scripts don't add either of those rules; my guess is your distro
has locked things down by default.  So you'll need to figure out how best to
deal with it, either disabling it completely or opening all the ports you'll need
for devstack to function.

-Brian
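
The rule ordering discussed in this thread, as an added example that is not part of the original messages: a small first-match evaluator over `iptables -S INPUT` output showing why a new TCP connection to any port other than 22 reaches the catch-all REJECT. The rule set is constructed (only its last two rules mirror the quoted listing; the earlier ones are assumed), and port 5000 and interface `eth0` are assumed placeholders for an API port and the external NIC.

```python
import shlex

# Constructed sample in `iptables -S INPUT` format. The last two rules mirror the
# listing quoted in the thread; the earlier ones are assumed (the thread snipped them).
SAMPLE_RULES = """\
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

def parse_rule(line):
    """Turn one '-A INPUT ...' line into a dict of the match options handled here."""
    tokens = shlex.split(line)[2:]  # drop '-A INPUT'
    rule = {"proto": None, "iface": None, "dport": None, "states": None, "target": None}
    keys = {"-p": "proto", "-i": "iface", "--dport": "dport", "--state": "states", "-j": "target"}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in keys:
            rule[keys[tok]] = tokens[i + 1]
        elif tok not in ("-m", "--reject-with"):  # these two do not affect matching
            raise ValueError("unsupported option: " + tok)
        i += 2  # every option handled here takes exactly one argument
    return rule

def verdict_for_new_tcp(rules_text, dport, iface="eth0"):
    """First-match verdict for a NEW inbound TCP connection to dport on iface."""
    policy = "ACCEPT"
    for line in rules_text.splitlines():
        if line.startswith("-P INPUT"):
            policy = line.split()[2]
            continue
        if not line.startswith("-A INPUT"):
            continue
        r = parse_rule(line)
        matches = (r["proto"] in (None, "tcp", "all")
                   and r["iface"] in (None, iface)
                   and (r["dport"] is None or int(r["dport"]) == dport)
                   and (r["states"] is None or "NEW" in r["states"].split(",")))
        if matches and r["target"] in ("ACCEPT", "DROP", "REJECT"):
            return r["target"]  # first terminating match decides
    return policy  # nothing matched: chain policy applies

if __name__ == "__main__":
    for port in (22, 5000):  # 5000 is an assumed example API port
        print(port, verdict_for_new_tcp(SAMPLE_RULES, port))
```

Because the first match wins, an ACCEPT rule for a needed port only helps if it sits above the final REJECT line; one appended after it is never reached.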


