openstack team mailing list archive

Thread
Date

nova-network-INPUT (was Re: dns issue?)

To: openstack@xxxxxxxxxxxxxxxxxxx
From: Sharif Islam <islamsh@xxxxxxxxxxx>
Date: Tue, 11 Oct 2011 14:55:40 -0400
In-reply-to: <4E946A03.4070804@indiana.edu>
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.23) Gecko/20110921 Thunderbird/3.1.15

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

As Jorge was pointing out last week
(https://lists.launchpad.net/openstack/msg04596.html), the problem seems
to be iptables related. When I added these two rules, I was able to ping
google.com with 10.0.1.1 as the nameserver.


# iptables -I nova-network-INPUT 1 -p tcp --dport 53 -j ACCEPT
# iptables -I nova-network-INPUT 1 -p udp --dport 53 -j ACCEPT


However, as soon as a new instance starts, these two rules goes away.

# iptables -L nova-network-INPUT
Chain nova-network-INPUT (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain

I start a new instance, few seconds later:

# iptables -L nova-network-INPUT
Chain nova-network-INPUT (1 references)
target     prot opt source               destination

I also have these two rules:

# iptables -L -n|grep 67
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:67
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:67
# iptables -L -n|grep 53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53


Can someone explain how these iptables rule get created? I thought these
rules were generated by starting nova-network.

I also saw this: https://bugzilla.redhat.com/show_bug.cgi?id=734347. Not
sure if this is related. I am running RHEL 6.1.

thanks.


- --sharif





- -- 
Sharif Islam
Senior Systems Analyst/Programmer
FutureGrid (http://futuregrid.org)
Pervasive Technology Institute, Indiana University Bloomington
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJOlJEsAAoJEACffes9SivFivEIAKA17GpyNWZb9cyvsJZhEyLL
vdvbRH9ywYHR7GJtHcIt4GnH0jBWR6JbqfviuozIpyYg5f6FkFJ8N1rGUBWFVyE+
obb+fPofq7c5Kb9EbH19pKwkccjomNC55lJBZbX4UUzVsAtGubj3yWdwGeFVMyZX
tUwyoylnY+PFE38rQ+FWjIBBPdmBkIRJrXmu9xSqKzYqDbJ3Z/5YLZwdc6dOC6le
abchZkbYUI1tCEQoSJHnolzXbhXXoNDivdcqPKJRN2DbuWjvi+unE0yYBzAhtK8Y
1y+0DaJzCaDhNr0focz24fbEdXw/qDCdMm+BeerZSo9+WMV2zyeWhF7EdkO7w24=
=BVdE
-----END PGP SIGNATURE-----

Follow ups

Re: nova-network-INPUT (was Re: dns issue?)
From: Mark McLoughlin, 2011-10-13

References

dns issue?
From: Sharif Islam, 2011-10-07
Re: dns issue?
From: Jorge Luiz Correa, 2011-10-07
Re: dns issue?
From: Sharif Islam, 2011-10-07
Re: dns issue?
From: Jorge Luiz Correa, 2011-10-07
Re: dns issue?
From: Sharif Islam, 2011-10-07
Re: dns issue?
From: Jorge Luiz Corrêa, 2011-10-07
Re: dns issue?
From: Sharif Islam, 2011-10-10
Re: dns issue?
From: Jason Kölker, 2011-10-10
Re: dns issue?
From: Sharif Islam, 2011-10-10
Re: dns issue?
From: Sharif Islam, 2011-10-11