openstack team mailing list archive

Re: nova-network-INPUT (was Re: dns issue?)


Hi Sharif,

On Tue, 2011-10-11 at 14:55 -0400, Sharif Islam wrote:
> As Jorge was pointing out last week
> (https://lists.launchpad.net/openstack/msg04596.html), the problem seems
> to be iptables related. When I added these two rules, I was able to ping
> google.com with 10.0.1.1 as the nameserver.
> 
> 
> # iptables -I nova-network-INPUT 1 -p tcp --dport 53 -j ACCEPT
> # iptables -I nova-network-INPUT 1 -p udp --dport 53 -j ACCEPT
> 
> 
> However, as soon as a new instance starts, these two rules go away.
> 
> # iptables -L nova-network-INPUT
> Chain nova-network-INPUT (1 references)
> target     prot opt source               destination
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
> 
> I start a new instance; a few seconds later:
> 
> # iptables -L nova-network-INPUT
> Chain nova-network-INPUT (1 references)
> target     prot opt source               destination
> 
> I also have these two rules:
> 
> # iptables -L -n|grep 67
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:67
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:67
> # iptables -L -n|grep 53
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
> 
> 
> Can someone explain how these iptables rules get created? I thought these
> rules were generated by starting nova-network.
> 
> I also saw this: https://bugzilla.redhat.com/show_bug.cgi?id=734347. Not
> sure if this is related. I am running RHEL 6.1.

Ah, yes - the issue is that Fedora and RHEL's iptables rules default to
rejecting packets which aren't allowed. Nova's iptables rules assumed
the default was to accept.

You're running Cactus, right? This is fixed in Diablo, see:

  https://bugs.launchpad.net/nova/+bug/844935

Cheers,
Mark.
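
As an added example (not code from the thread, from Nova, or from either poster), a small Python check that parses `iptables -L [-n]` output in the format shown above and reports which DNS ACCEPT rules are missing from nova-network-INPUT, so an operator on a default-REJECT host can notice when Nova has rewritten the chain. The two listings are constructed from the thread, and the required-port set is an assumption taken from the two rules Sharif inserted.

```python
"""Check whether nova-network-INPUT still has the DNS ACCEPT rules a
default-REJECT host (RHEL/Fedora) needs. Added example, not Nova code."""
import re

# The two rules Sharif inserted by hand (assumption: this is the wanted set).
REQUIRED_DNS = {("tcp", 53), ("udp", 53)}
# Service names that `iptables -L` prints without -n for the ports of interest.
PORT_NAMES = {"domain": 53, "bootps": 67}

def parse_iptables_listing(text):
    """Parse `iptables -L [-n]` output into {chain: [(target, proto, dport)]};
    a rule with no --dport match gets dport None."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if not line or line.startswith("target") or current is None:
            continue  # blank, column header, or text before the first chain
        fields = line.split()
        dm = re.search(r"dpt:(\w+)", line)
        port = dm.group(1) if dm else None
        dport = int(port) if port and port.isdigit() else PORT_NAMES.get(port)
        chains[current].append((fields[0], fields[1], dport))
    return chains

def missing_accepts(chains, chain="nova-network-INPUT", required=REQUIRED_DNS):
    """Return the (proto, port) pairs that have no ACCEPT rule in `chain`."""
    accepted = {(p, d) for t, p, d in chains.get(chain, []) if t == "ACCEPT"}
    return sorted(required - accepted)

# Constructed listings in the thread's format: right after the manual inserts ...
SAMPLE_WITH_RULES = """\
Chain nova-network-INPUT (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
"""
# ... and a few seconds after a new instance started, when Nova rewrote it.
SAMPLE_AFTER_BOOT = """\
Chain nova-network-INPUT (1 references)
target     prot opt source               destination
"""

if __name__ == "__main__":
    for proto, port in missing_accepts(parse_iptables_listing(SAMPLE_AFTER_BOOT)):
        print("nova-network-INPUT has no ACCEPT for %s/%d" % (proto, port))
```

On a live host, feed it the output of `iptables -L -n` instead of the constructed samples; an empty result means the chain still carries both DNS accepts.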
