Exact firewall rules for metadata agent on controller node

asked 2018-08-31 02:21:26 -0500

dendvk

Hello.

I'm using the Queens OpenStack release; the controller and compute nodes are deployed on the latest CentOS 7 release. The network is configured to use the "provider network" model.

I've run into a problem: a built-in iptables rule on the controller node blocks the metadata request/response to instances, so they are unable to retrieve the SSH key and other data during cloud-init on first boot via the http://169.254.169.254:80 URL (which is routed in the instance to the metadata agent IP). Here it is:

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

Last time I solved a very similar problem, related to DHCP requests, by adding the following rule to the /etc/sysconfig/iptables file before the "REJECT" one:

-A FORWARD -p udp -m udp --sport 67 --dport 68 -j ACCEPT

To resolve the problem with metadata, the following rules were added to the "FORWARD" chain on the controller node, and they work:

-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 80 -j ACCEPT

But I'm not sure that they are completely correct. Can someone share their experience with that scenario?

Another question: why do the init and run-time scripts of OpenStack services on the controller node not take care of iptables in all cases? The firewall driver was set correctly in nova/neutron, and some rules appear in iptables after a restart of the services in addition to the existing ones, but not the set necessary to avoid intercommunication problems between controller and compute nodes.

Below is the full list of iptables rules:

[root@controller ~]# iptables-save
# Generated by iptables-save v1.4.21 on Fri Aug 31 03:03:24 2018
*nat
:PREROUTING ACCEPT [40331:4980395]
:INPUT ACCEPT [19152:1206716]
:OUTPUT ACCEPT [3424:208170]
:POSTROUTING ACCEPT [16794:2598368]
COMMIT
# Completed on Fri Aug 31 03:03:24 2018
# Generated by iptables-save v1.4.21 on Fri Aug 31 03:03:24 2018
*mangle
:PREROUTING ACCEPT [13992448:6525771277]
:INPUT ACCEPT [13783684:6505744476]
:FORWARD ACCEPT [206259:20684970]
:OUTPUT ACCEPT [13759465:6212240069]
:POSTROUTING ACCEPT [13965444:6232905496]
COMMIT
# Completed on Fri Aug 31 03:03:24 2018
# Generated by iptables-save v1.4.21 on Fri Aug 31 03:03:24 2018
*raw
:PREROUTING ACCEPT [13988200:6524208181]
:OUTPUT ACCEPT [13755278:6210758332]
:neutron-linuxbri-OUTPUT - [0:0]
:neutron-linuxbri-PREROUTING - [0:0]
-A PREROUTING -j neutron-linuxbri-PREROUTING
-A OUTPUT -j neutron-linuxbri-OUTPUT
COMMIT
# Completed on Fri Aug 31 03:03:24 2018
# Generated by iptables-save v1.4.21 on Fri Aug 31 03:03:24 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4556611:2056773792]
:neutron-filter-top - [0:0]
:neutron-linuxbri-FORWARD - [0:0]
:neutron-linuxbri-INPUT - [0:0]
:neutron-linuxbri-OUTPUT - [0:0]
:neutron-linuxbri-local - [0:0]
:neutron-linuxbri-sg-chain - [0:0]
:neutron-linuxbri-sg-fallback - [0:0]
-A INPUT -j neutron-linuxbri-INPUT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 123 -j ACCEPT
-A INPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p tcp -m ...
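Added example (not part of the original post): a narrower replacement for the two blanket port-80 rules above, plus a check that the ACCEPT really sits above the catch-all FORWARD REJECT in an iptables-save dump. It assumes the request still carries destination 169.254.169.254 when it crosses the bridge (the isolated-metadata DHCP namespace setup the question describes); the sample dumps are constructed for the self-check, not taken from a live node.

```shell
#!/bin/sh
# Added example (not from the original post). Two narrower FORWARD rules for
# the metadata path, and a checker that confirms an ACCEPT for tcp/80 to
# 169.254.169.254 sits above the first FORWARD REJECT in an iptables-save dump.
# The sample dumps below are constructed for the self-check, not a real node.
set -eu

METADATA_IP=169.254.169.254

# Rules meant for the *filter section of /etc/sysconfig/iptables, placed above
# "-A FORWARD -j REJECT --reject-with icmp-host-prohibited". Only NEW requests
# to the metadata address are opened; replies pass via the stateful rule, so
# no blanket "--sport 80" accept is needed.
metadata_forward_rules() {
    printf '%s\n' \
      "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" \
      "-A FORWARD -p tcp -m tcp -d $METADATA_IP --dport 80 -m state --state NEW -j ACCEPT"
}

# check_forward_order <dump-file>: exit 0 if, inside *filter, a FORWARD ACCEPT
# for tcp/80 to $METADATA_IP appears before the first FORWARD REJECT; else 1.
check_forward_order() {
    awk -v ip="$METADATA_IP" '
        /^[*]/     { table = $0 }
        /^COMMIT/  { table = "" }
        table != "*filter" { next }
        /^-A FORWARD / && /-j REJECT/ { seen_reject = 1 }
        /^-A FORWARD / && index($0, "-d " ip) && /--dport 80/ && /-j ACCEPT/ {
            if (!seen_reject) ok = 1
        }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# sample_dump good|bad: constructed *filter tables; "bad" has the REJECT first.
sample_dump() {
    echo '*filter'
    echo ':FORWARD ACCEPT [0:0]'
    echo '-A FORWARD -j neutron-linuxbri-FORWARD'
    if [ "$1" = bad ]; then echo '-A FORWARD -j REJECT --reject-with icmp-host-prohibited'; fi
    metadata_forward_rules
    if [ "$1" = good ]; then echo '-A FORWARD -j REJECT --reject-with icmp-host-prohibited'; fi
    echo 'COMMIT'
}

# On a live node: iptables-save > /tmp/rules.dump && check_forward_order /tmp/rules.dump
```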