RDO CentOS 6.5 All-In-One Single NIC instances cannot access internet

asked 2014-04-22 06:49:16 -0500

user42

I've installed Havana All-In-One with RDO packstack on a CentOS 6.5 single-NIC server, but I cannot access the internet from the instances unless I remove the reject forward rules from iptables.

I've already tried to manually add a masquerading rule before the reject rules but it doesn't help.

# forward masquerading rule
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1/24 -j MASQUERADE

# forward reject rules to remove from /etc/sysconfig/iptables
#-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
#-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited

Any ideas?

Thanks


Comments

Cool. Thanks for the links! I managed to get GlusterFS 3.4.2 running, using it as a distributed file system for the instances, by inserting the following rules before the reject rule:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 24007:24008 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 38465:38468 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 49152:49162 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT

But for using GlusterFS as cinder backend you have to remove/uncomment all reject rules.

However to get ...

user42 ( 2014-04-22 13:41:35 -0500 )

Both links provided contain the iptables updates required by Gluster 3.4.X.

Per Andrew Law:

-A INPUT -p tcp -m multiport --dport 24007:24047 -j ACCEPT
-A INPUT -p tcp --dport 111 -j ACCEPT
-A INPUT -p udp --dport 111 -j ACCEPT
-A INPUT -p tcp -m multiport --dport 38465:38485 -j ACCEPT

dbaxps ( 2014-04-22 14:38:37 -0500 )

Link 2 also provides:

$ netstat -lntp | grep gluster
tcp 0 0 0.0.0.0:655 0.0.0.0:* LISTEN 2591/glusterfs
tcp 0 0 0.0.0.0:49152 0.0.0.0:* LISTEN 2524/glusterfsd
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN 2591/glusterfs
tcp 0 0 0.0.0.0:38465 0.0.0.0:* LISTEN 2591/glusterfs
tcp 0 0 0.0.0.0:38466 0.0.0.0:* LISTEN 2591/glusterfs
tcp 0 0 0.0.0.0:49155 0.0.0.0:* LISTEN 2525/glusterfsd
tcp 0 0 0.0.0.0:38468 0.0.0.0:* LISTEN 2591/glusterfs
tcp 0 0 0.0.0.0:38469 0.0.0.0:* LISTEN 2591/glusterfs
tcp 0 0 0.0.0.0:24007 0.0.0.0:* LISTEN 2380/glusterd

dbaxps ( 2014-04-22 14:41:57 -0500 )
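The two comments above pair a netstat listing with a set of INPUT ACCEPT rules, which is exactly the data needed to check whether every Gluster listener is actually reachable through the firewall. The script below is an added example, not code from the thread or from Gluster: it parses `netstat -lntp` style output and `/etc/sysconfig/iptables` style rules (both constructed here from the listings in the comments) and prints the TCP listeners that no `-p tcp` INPUT ACCEPT rule covers, handling single ports, `N:M` ranges and comma-separated multiport lists. Run against the listing and user42's rules it reports port 655 and port 38469, which fall outside the accepted ranges shown.

```shell
#!/bin/sh
# Added example (not from the original thread): find TCP listeners that the
# INPUT ACCEPT rules in /etc/sysconfig/iptables do not cover.
# Both inputs are constructed copies of the listings in the comments above.

NETSTAT_SAMPLE='tcp 0 0 0.0.0.0:655 0.0.0.0:* LISTEN 2591/glusterfs
tcp 0 0 0.0.0.0:49152 0.0.0.0:* LISTEN 2524/glusterfsd
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN 2591/glusterfs
tcp 0 0 0.0.0.0:38465 0.0.0.0:* LISTEN 2591/glusterfs
tcp 0 0 0.0.0.0:38466 0.0.0.0:* LISTEN 2591/glusterfs
tcp 0 0 0.0.0.0:49155 0.0.0.0:* LISTEN 2525/glusterfsd
tcp 0 0 0.0.0.0:38468 0.0.0.0:* LISTEN 2591/glusterfs
tcp 0 0 0.0.0.0:38469 0.0.0.0:* LISTEN 2591/glusterfs
tcp 0 0 0.0.0.0:24007 0.0.0.0:* LISTEN 2380/glusterd'

# user42's INPUT rules from the comment above (constructed copy)
RULES_SAMPLE='-A INPUT -m state --state NEW -m tcp -p tcp --dport 24007:24008 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 38465:38468 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 49152:49162 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT'

# listening_tcp_ports: netstat -lntp output on stdin -> "port pid/program" per listener
listening_tcp_ports() {
    awk '$1 == "tcp" && $6 == "LISTEN" { n = split($4, a, ":"); print a[n], $NF }'
}

# accepted_tcp_ranges: rules on stdin -> "low high" for every tcp INPUT ACCEPT rule
# (handles --dport N, --dport N:M and multiport --dports N:M,X,Y)
accepted_tcp_ranges() {
    awk '$2 == "INPUT" && $NF == "ACCEPT" && / -p tcp / {
        for (i = 1; i <= NF; i++)
            if ($i == "--dport" || $i == "--dports") {
                m = split($(i + 1), parts, ",")
                for (j = 1; j <= m; j++) {
                    if (index(parts[j], ":")) { split(parts[j], r, ":"); print r[1], r[2] }
                    else print parts[j], parts[j]
                }
            }
    }'
}

# uncovered_listeners RULES: listeners on stdin that fall inside no accepted range
uncovered_listeners() {
    awk -v ranges="$(printf '%s\n' "$1" | accepted_tcp_ranges)" '
        BEGIN {
            n = split(ranges, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], r, " "); lo[i] = r[1] + 0; hi[i] = r[2] + 0 }
        }
        {
            port = $1 + 0; ok = 0
            for (i = 1; i <= n; i++) if (port >= lo[i] && port <= hi[i]) ok = 1
            if (!ok) print
        }'
}

# Usage: print the listeners the sample rules do not open.
# -> 655 2591/glusterfs and 38469 2591/glusterfs
printf '%s\n' "$NETSTAT_SAMPLE" | listening_tcp_ports | uncovered_listeners "$RULES_SAMPLE"
```

On a live host replace the two samples with `netstat -lntp` and `grep '^-A INPUT' /etc/sysconfig/iptables`; anything the script prints is a socket the service has opened that the firewall still rejects, which is the usual reason a Gluster volume mounts on one node and hangs on another. The check only looks at destination ports, so a rule restricted by `-s` to a peer subnet will show as covered even when the client in question is outside that subnet.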

2 answers

1

answered 2014-04-26 10:17:12 -0500

user42

So, I am not the only one, and I found out that one only needs to comment out the general forward reject rule. The rules from OpenStack for virbr0 are OK.

# forward masquerading rule
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1/24 -j MASQUERADE

# forward reject rules in /etc/sysconfig/iptables: only the general one is commented out
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
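Commenting out `-A FORWARD -j REJECT` works, but it turns the host into an unrestricted router for anything attached to it, and the MASQUERADE rule from the question cannot help on its own because the filter table's FORWARD chain is evaluated before nat POSTROUTING. The script below is an added example, not code from the answer or from RDO: it keeps the catch-all REJECT and instead inserts two narrow ACCEPT rules in front of it, one for outbound traffic from the instance subnet and one for reply traffic back in, then checks that the ACCEPT really precedes the REJECT (iptables is first match wins). The subnet `192.168.1.0/24` and interface `eth0` are assumptions taken from the question, and the sample ruleset is constructed from the rules shown there.

```shell
#!/bin/sh
# Added example (not from the original post): keep the catch-all
# "-A FORWARD -j REJECT" in /etc/sysconfig/iptables and insert narrow ACCEPT
# rules for the instance subnet in front of it instead of deleting it.
# Subnet, interface and the sample ruleset are assumptions based on the question.

INSTANCE_NET="192.168.1.0/24"   # assumed instance network (the question's 192.168.1/24)
EXT_IF="eth0"                   # assumed external NIC

# Constructed sample of the filter table as shown in the question.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# The FORWARD rules that must sit in front of the catch-all REJECT: outbound
# from the instance subnet via the external NIC, and only replies back in.
forward_accept_rules() {
    printf '%s\n' \
      "-A FORWARD -s $INSTANCE_NET -o $EXT_IF -j ACCEPT" \
      "-A FORWARD -d $INSTANCE_NET -i $EXT_IF -m state --state RELATED,ESTABLISHED -j ACCEPT"
}

# nat table fragment with the question's MASQUERADE rule; on its own it cannot
# help, because filter FORWARD is evaluated before nat POSTROUTING.
nat_rules() {
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' \
      ':OUTPUT ACCEPT [0:0]' "-A POSTROUTING -s $INSTANCE_NET -o $EXT_IF -j MASQUERADE" 'COMMIT'
}

# Read a saved filter ruleset on stdin and print it with the ACCEPT rules
# inserted directly before the first unqualified "-A FORWARD -j REJECT".
insert_forward_accepts() {
    awk -v rules="$(forward_accept_rules)" '
        !done && /^-A FORWARD -j REJECT/ { print rules; done = 1 }
        { print }'
}

# Exit 0 only if the ruleset on stdin still has the catch-all REJECT and the
# subnet ACCEPT rule comes before it.
check_forward_order() {
    awk -v net="$INSTANCE_NET" '
        !acc && $0 ~ ("^-A FORWARD -s " net " ") && $NF == "ACCEPT" { acc = NR }
        !rej && /^-A FORWARD -j REJECT/ { rej = NR }
        END { exit !(acc && rej && acc < rej) }'
}

# Usage: print the patched filter table and the nat table, then verify the order.
printf '%s\n' "$SAMPLE_RULES" | insert_forward_accepts
nat_rules
if printf '%s\n' "$SAMPLE_RULES" | insert_forward_accepts | check_forward_order; then
    echo "ok: subnet ACCEPT precedes catch-all REJECT"
fi
```

After writing the patched tables into `/etc/sysconfig/iptables` and running `service iptables restart`, confirm the order with `iptables -L FORWARD -n --line-numbers` and that `sysctl net.ipv4.ip_forward` reports 1. The subnet and interface have to match the path the instance traffic actually takes on the host; if the instance network reaches the outside through a bridge rather than `eth0` directly, the `-o`/`-i` arguments change accordingly.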
-1

answered 2014-04-22 13:26:10 -0500

dbaxps

updated 2014-04-22 13:26:40 -0500

You are not the first person removing these lines. One more reason to set up Gluster 3.4.2 as a backend for Cinder. See for instance 1 or 2.

