[Firewall][OpenStack]
Soheil Pourbafrani
soheil.ir08 at gmail.com
Sat Dec 29 07:31:58 UTC 2018
I tried to configure the firewall for OpenStack Controller and Compute node
and here are the rules I added to the firewall:
myZone (active)
target: default
icmp-block-inversion: no
interfaces: enp2s0 enp7s4
sources:
services: ssh dhcpv6-client
ports: 80/tcp 6080/tcp 11211/tcp 9696/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.0.32" accept
rule family="ipv4" source address="192.168.0.31" accept
The addresses of the Controller and Compute nodes are 192.168.0.31 and
192.168.0.32, respectively.
Using these rules I can use Horizon in the browser, and the Compute node
services can connect to the Controller node's ports.
The problem is that when the firewall is enabled on the Controller node,
instances running on the Controller node (I configure the Controller node
as a Compute node, too) can only be pinged; all other VMs and nodes
(including the Controller node) cannot connect to them (using SSH or any
other connection to a specific port).
- There is no firewall running on instances.
- I configured an external network to connect VMs to each other
- CentOS7 is running on all nodes
Here are ports listening on the Controller node:
Proto Recv-Q Send-Q Local Address        Foreign Address State  PID/Program name
tcp    0      0      0.0.0.0:8775         0.0.0.0:*       LISTEN 4478/python2
tcp    0      0      0.0.0.0:9191         0.0.0.0:*       LISTEN 4461/python2
tcp    0      0      0.0.0.0:5000         0.0.0.0:*       LISTEN 10189/httpd
tcp    0      0      0.0.0.0:8776         0.0.0.0:*       LISTEN 4487/python2
tcp    0      0      0.0.0.0:25672        0.0.0.0:*       LISTEN 4466/beam.smp
tcp    0      0      0.0.0.0:8778         0.0.0.0:*       LISTEN 10189/httpd
tcp    0      0      192.168.0.31:3306    0.0.0.0:*       LISTEN 4860/mysqld
tcp    0      0      192.168.0.31:2379    0.0.0.0:*       LISTEN 4464/etcd
tcp    0      0      192.168.0.31:11211   0.0.0.0:*       LISTEN 4457/memcached
tcp    0      0      127.0.0.1:11211      0.0.0.0:*       LISTEN 4457/memcached
tcp    0      0      192.168.0.31:5900    0.0.0.0:*       LISTEN 16844/qemu-kvm
tcp    0      0      0.0.0.0:9292         0.0.0.0:*       LISTEN 4500/python2
tcp    0      0      192.168.0.31:2380    0.0.0.0:*       LISTEN 4464/etcd
tcp    0      0      192.168.0.31:5901    0.0.0.0:*       LISTEN 16982/qemu-kvm
tcp    0      0      192.168.0.31:5902    0.0.0.0:*       LISTEN 17339/qemu-kvm
tcp    0      0      192.168.0.31:5903    0.0.0.0:*       LISTEN 17621/qemu-kvm
tcp    0      0      192.168.0.31:5904    0.0.0.0:*       LISTEN 17840/qemu-kvm
tcp    0      0      0.0.0.0:80           0.0.0.0:*       LISTEN 10189/httpd
tcp    0      0      0.0.0.0:4369         0.0.0.0:*       LISTEN 1/systemd
tcp    0      0      0.0.0.0:22           0.0.0.0:*       LISTEN 4468/sshd
tcp    0      0      192.168.0.31:3260    0.0.0.0:*       LISTEN -
tcp    0      0      0.0.0.0:6080         0.0.0.0:*       LISTEN 4458/python2
tcp    0      0      0.0.0.0:9696         0.0.0.0:*       LISTEN 4473/python2
tcp    0      0      0.0.0.0:8774         0.0.0.0:*       LISTEN 4478/python2
tcp6   0      0      :::5672              :::*            LISTEN 4466/beam.smp
tcp6   0      0      :::22                :::*            LISTEN 4468/sshd
So, is there any port or anything else I should add to the firewall rules to
make the instances reachable while the firewall is running on the Controller node?
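As an added example (not code from the original post or from OpenStack), the script below audits what the zone listing and the netstat output above actually expose: it parses a `firewall-cmd --list-all` style dump and a `netstat -tlnp` listing (both embedded as constructed excerpts taken from the message, keeping netstat's wrapped PID/Program column) and reports, per listening port, whether the zone admits anyone, only the two rich-rule source addresses, or nobody. It assumes the stock firewalld definitions for the `ssh` and `dhcpv6-client` services and treats a wildcard IPv6 bind as dual-stack. Note that it only covers sockets on the host itself (the INPUT path); it says nothing about traffic forwarded to instances, which is the connectivity the question is about.

```python
"""Audit which of a host's listening TCP sockets a firewalld zone exposes.

Added example, not code from the original post. Parses a firewall-cmd
--list-all style zone dump and a netstat -tlnp listing (the constructed
excerpts below are taken from the message) and reports, per port, whether
the zone admits anyone, only the rich-rule source addresses, or nobody.
"""
import re

# Assumption: stock firewalld service definitions, no custom service XML.
SERVICE_PORTS = {"ssh": {(22, "tcp")}, "dhcpv6-client": {(546, "udp")}}

ZONE_DUMP = """\
myZone (active)
  target: default
  interfaces: enp2s0 enp7s4
  services: ssh dhcpv6-client
  ports: 80/tcp 6080/tcp 11211/tcp 9696/tcp
  rich rules:
\trule family="ipv4" source address="192.168.0.32" accept
\trule family="ipv4" source address="192.168.0.31" accept
"""

# Constructed excerpt of the quoted listing, keeping the wrapped
# PID/Program column so the parser has to re-join the lines.
NETSTAT = """\
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:8775 0.0.0.0:* LISTEN
4478/python2
tcp 0 0 192.168.0.31:3306 0.0.0.0:* LISTEN
4860/mysqld
tcp 0 0 192.168.0.31:11211 0.0.0.0:* LISTEN
4457/memcached
tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN
4457/memcached
tcp 0 0 192.168.0.31:5900 0.0.0.0:* LISTEN
16844/qemu-kvm
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
10189/httpd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
4468/sshd
tcp 0 0 192.168.0.31:3260 0.0.0.0:* LISTEN
-
tcp 0 0 0.0.0.0:6080 0.0.0.0:* LISTEN
4458/python2
tcp 0 0 0.0.0.0:9696 0.0.0.0:* LISTEN
4473/python2
tcp6 0 0 :::5672 :::* LISTEN
4466/beam.smp
"""


def parse_zone(dump):
    """Return (allowed {(port, proto)}, [sources accepted for every port])."""
    allowed, trusted, in_rich = set(), [], False
    for raw in dump.splitlines():
        line = raw.strip()
        if in_rich and line.startswith("rule "):
            src = re.search(r'source address="([^"]+)"', line)
            # An accept rule with a source but no port/service clause admits
            # that source to every port, whatever the ports list says.
            if (src and line.endswith(" accept")
                    and " port " not in line and " service " not in line):
                trusted.append(src.group(1))
            continue
        in_rich = False
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "services":
            for svc in value.split():
                allowed |= SERVICE_PORTS.get(svc, set())
        elif key == "ports":
            for spec in value.split():
                port, proto = spec.split("/")
                allowed.add((int(port), proto))
        elif key == "rich rules":
            in_rich = True
    return allowed, trusted


def parse_listeners(netstat):
    """Parse netstat -tlnp output, re-joining a wrapped PID/Program column."""
    listeners = []
    for raw in netstat.splitlines():
        fields = raw.split()
        if not fields:
            continue
        if fields[0] in ("tcp", "tcp6") and "LISTEN" in fields:
            addr, port = fields[3].rsplit(":", 1)
            listeners.append({"addr": addr, "port": int(port), "proto": "tcp",
                              "program": fields[6] if len(fields) > 6 else None})
        elif len(fields) == 1 and listeners and listeners[-1]["program"] is None:
            listeners[-1]["program"] = fields[0]  # the wrapped column
    return listeners


def classify(zone_dump, netstat):
    """Map each network-reachable listening port to who the zone lets in.
    Loopback binds are skipped; a wildcard IPv6 bind (::) is treated as
    dual-stack (Linux default), so the ipv4 rich rules still govern IPv4 peers."""
    allowed, trusted = parse_zone(zone_dump)
    result = {}
    for sock in parse_listeners(netstat):
        if sock["addr"] in ("127.0.0.1", "::1"):
            continue
        if (sock["port"], sock["proto"]) in allowed:
            exposure = "anyone"
        elif trusted:
            exposure = "only " + ", ".join(trusted)
        else:
            exposure = "nobody"
        entry = result.setdefault(sock["port"], {"exposure": exposure, "programs": set()})
        entry["programs"].add(sock["program"])
    return result


if __name__ == "__main__":
    for port, info in sorted(classify(ZONE_DUMP, NETSTAT).items()):
        print(f"{port:>6}/tcp  {info['exposure']:<32} {', '.join(sorted(info['programs']))}")
```

Run against the quoted data it shows that 22, 80, 6080, 9696 and 11211 are open to every peer on both interfaces (memcached on 11211 included), while everything else, MySQL, VNC consoles, iSCSI and AMQP among them, is reachable only from 192.168.0.31 and 192.168.0.32 because the rich rules accept all traffic from those two hosts rather than specific ports.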