[Openstack] Managing iptables with OpenStack Folsom (using Quantum)
Craig E. Ward
cward at isi.edu
Wed Aug 28 17:08:02 UTC 2013
I have an OpenStack Folsom, with Quantum networking, installation that I'm
having trouble getting additional rules into the iptables on nova-compute
nodes. The online manual
(http://docs.openstack.org/trunk/openstack-ops/content/iptables.html) states
that "You must use OpenStack to manage iptables." What it doesn't include is
any indication of how that is done. How can iptables be managed with OpenStack?
When I add rules to the file /etc/sysconfig/iptables, sometimes the
nova-compute service fails to work properly. A new instance on the node may not
get an IP address or the vnc service in Horizon does not respond. The instance
is listed in the database with an assigned IP, but the address is not reachable.
Does the iptables service need to be "off" in the context of chkconfig? That
is, don't let it start through the rc sequence, but let nova-compute start it
and populate the rules?
If iptables is started in the rc sequence, then are there some rules that
should not be in /etc/sysconfig/iptables?
If the rc sequence is not used, how do ports unrelated to OpenStack services
get enabled?
Does the default response for a packet sent to non-OpenStack related port drop
the packet or let it pass?
Thanks,
Craig
--
Craig E. Ward
Information Sciences Institute
University of Southern California
cward at ISI.EDU
More information about the Openstack
mailing list