Does neutron flush iptables on services startup?

asked 2015-09-15 16:36:05 -0500

JeffKeopp

I have a small test system that consists of a single management node where all OpenStack services are running. The test system has just one bare metal "tenant" node. There are no VMs involved and just a flat management network. The management node must not be accessible by normal users.

After the management node boots, various iptables rules are set. Mainly they appear to be chains related to neutron. I need to add two rules to harden the node against access from users on the managed nodes. I can do this using iptables and they work as planned.

I then persisted the iptables rules after adding my two rules to /etc/sysconfig/iptables by calling iptables-save, then iptables-restore. I verified my rules and the pre-existing rules were in the /etc/sysconfig/iptables file. After reboot my rules are gone. I can recover them by running 'iptables-restore /etc/sysconfig/iptables'.

Only those from the initial configuration are there after a reboot. It appears that neutron or another OpenStack service is flushing and writing iptables rules when they come up. These rules are not persisted to /etc/sysconfig/iptables.

Is this the desired behavior? If so, why? It is important that a sysadmin can implement site security policy in iptables without having to do so through an OpenStack interface. I saw a blueprint for OSAD for security hardening and this current behavior would seem to negate that effort on the next reboot of the node.

Any help in resolving this is greatly appreciated! Thanks!

Jeff

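One way to check the situation described above (an added example, not code from this thread or from Neutron): compare the ruleset you persisted with the ruleset that is actually loaded and list the rules that went missing, ignoring the `neutron-*` chains that the agents are assumed to rebuild on every start. The two dumps are constructed samples so the script runs offline.

```shell
#!/bin/sh
# Added example, not from this thread: report persisted iptables rules that are
# missing from the live ruleset after a reboot. Both inputs are files in
# iptables-save format; the two dumps below are constructed samples.
LC_ALL=C; export LC_ALL

# Rule lines ("-A ...") of a dump, excluding chains named "neutron-*" (assumed
# prefix of the chains the Neutron agents rebuild on every start).
rules_of() {
    grep '^-A ' "$1" | grep -v '^-A neutron-' | sort -u
}

# Rules present in the persisted file but absent from the live dump.
missing_rules() {
    p=$(mktemp); l=$(mktemp)
    rules_of "$1" > "$p"
    rules_of "$2" > "$l"
    comm -23 "$p" "$l"
    rm -f "$p" "$l"
}

SAMPLE=$(mktemp -d)
# Constructed: what the admin saved to /etc/sysconfig/iptables (two hardening
# rules for INPUT plus the chains Neutron had already installed).
cat > "$SAMPLE/persisted" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:neutron-filter-top - [0:0]
-A INPUT -j neutron-filter-top
-A INPUT -s 10.0.0.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.0/24 -j DROP
-A neutron-filter-top -j neutron-openvswi-local
COMMIT
EOF
# Constructed: the live ruleset after reboot, with the admin's rules gone.
cat > "$SAMPLE/live" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:neutron-filter-top - [0:0]
-A INPUT -j neutron-filter-top
-A neutron-filter-top -j neutron-openvswi-local
COMMIT
EOF

# On a real node, dump "iptables-save" to a file and pass it as the second
# argument, with /etc/sysconfig/iptables as the first.
echo "Persisted rules not loaded:"
missing_rules "$SAMPLE/persisted" "$SAMPLE/live"
```

Running this from a cron job or after each service restart gives an early warning that a hardening rule has silently disappeared.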

1 answer


answered 2015-09-16 06:10:00 -0500

dbaxps

I've opened ports 590(X) (persistent) on a compute node via /etc/sysconfig/iptables with no problems.
