
Does neutron flush iptables on services startup?

asked 2015-09-15 16:36:05 -0600

JeffKeopp

I have a small test system that consists of a single management node where all OpenStack services are running. The test system has just one bare metal "tenant" node. There are no VMs involved and just a flat management network. The management node must not be accessible by normal users.

After the management node boots, various iptables rules are set. Mainly they appear to be chains related to neutron. I need to add two rules to harden the node against access from users on the managed nodes. I can do this using iptables and they work as planned.

I then persisted the iptables rules after adding my two rules to /etc/sysconfig/iptables by calling iptables-save, then iptables-restore. I verified my rules and the pre-existing rules were in the /etc/sysconfig/iptables file. After reboot my rules are gone. I can recover them by running 'iptables-restore /etc/sysconfig/iptables'.

Only those from the initial configuration are there after a reboot. It appears that neutron or another OpenStack service is flushing and writing iptables rules when they come up. These rules are not persisted to /etc/sysconfig/iptables.

Is this the desired behavior? If so, why? It is important that a sysadmin can implement site security policy in iptables without having to do so through an OpenStack interface. I saw a blueprint for OSAD for security hardening and this current behavior would seem to negate that effort on the next reboot of the node.

Any help in resolving this is greatly appreciated! Thanks!


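One way to check, after every reboot, whether the rules persisted in /etc/sysconfig/iptables are actually still loaded, as an added example that is not part of the original post. It compares two rulesets in iptables-save format; on a real node the live side would be the output of `iptables-save`, but here both sides are constructed sample files, and the 10.0.0.0/24 tenant network and the blocked ports are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): list every rule that is present in
# the persisted iptables-save file but missing from the currently loaded ruleset.
# Both inputs are in iptables-save format (the live side would be `iptables-save`).

# Print each "-A ..." rule prefixed with its table, e.g. "filter:-A INPUT ...",
# so identical rule text in different tables is not confused.
rules_with_table() {
    awk '/^\*/ { table = substr($0, 2) }
         /^-A / { print table ":" $0 }' "$1"
}

# missing_rules SAVED LIVE: rules present in SAVED but absent from LIVE.
missing_rules() {
    rules_with_table "$1" | while IFS= read -r rule; do
        rules_with_table "$2" | grep -qxF -- "$rule" || printf '%s\n' "$rule"
    done
}

# count_missing SAVED LIVE: number of such rules (0 means the saved policy is intact).
count_missing() {
    missing_rules "$1" "$2" | awk 'END { print NR }'
}

# Constructed sample data: the persisted file holds two hardening rules that drop
# SSH and keystone-admin traffic from the (placeholder) tenant network; the "live"
# ruleset after reboot only has the chains the agents recreate.
write_sample_files() {
    SAVED=$(mktemp) LIVE=$(mktemp)
    cat > "$SAVED" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:neutron-filter-top - [0:0]
-A INPUT -s 10.0.0.0/24 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 10.0.0.0/24 -p tcp -m tcp --dport 35357 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j neutron-filter-top
-A OUTPUT -j neutron-filter-top
COMMIT
EOF
    grep -v -- '-j DROP' "$SAVED" > "$LIVE"
}

write_sample_files
missing_rules "$SAVED" "$LIVE"
```

Run from cron or a boot-time unit against `iptables-save` output and a non-zero count is your signal that a service rewrote the tables and the hardening rules need to be re-applied.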

1 answer


answered 2015-09-16 06:10:00 -0600

dbaxps

I've opened ports 590(X) (persistent) on the compute node via /etc/sysconfig/iptables with no problems.



Seen: 721 times

Last updated: Sep 16 '15