which iptables rules should be applied

asked 2015-10-07 03:59:44 -0500


updated 2015-10-07 04:43:09 -0500

I configured three nodes (controller, network (Neutron) and compute) with Icehouse on CentOS. Which iptables rules should be applied on each node, and should SELinux be disabled or permissive? I have applied some rules; are they sufficient or not? Please give some suggestions.

controller:

[root@controller ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
nova-api-INPUT  all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
nova-filter-top  all  --  anywhere             anywhere
nova-api-FORWARD  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
nova-filter-top  all  --  anywhere             anywhere
nova-api-OUTPUT  all  --  anywhere             anywhere

Chain nova-api-FORWARD (1 references)
target     prot opt source               destination

Chain nova-api-INPUT (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             newcontroller       tcp dpt:8775

Chain nova-api-OUTPUT (1 references)
target     prot opt source               destination

Chain nova-api-local (1 references)
target     prot opt source               destination

Chain nova-filter-top (2 references)
target     prot opt source               destination
nova-api-local  all  --  anywhere             anywhere

Network:

[root@network ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
neutron-openvswi-INPUT  all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-openvswi-FORWARD  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-openvswi-OUTPUT  all  --  anywhere             anywhere

Chain neutron-filter-top (2 references)
target     prot opt source               destination
neutron-openvswi-local  all  --  anywhere             anywhere

Chain neutron-openvswi-FORWARD (1 references)
target     prot opt source               destination

Chain neutron-openvswi-INPUT (1 references)
target     prot opt source               destination

Chain neutron-openvswi-OUTPUT (1 references)
target     prot opt source               destination

Chain neutron-openvswi-local (1 references)
target     prot opt source               destination

Chain neutron-openvswi-sg-chain (0 references)
target     prot opt source               destination

Chain neutron-openvswi-sg-fallback (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

compute:

[root@compute1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
neutron-openvswi-INPUT  all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-openvswi-FORWARD  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT ...

1 answer

0

answered 2015-10-12 03:06:18 -0500

updated 2015-10-12 05:17:16 -0500

It works with SELinux set to "enforcing", as long as you install the openstack-selinux package. Don't disable SELinux on a production system.

As to the firewall, I would start by opening these ports:

  • On the controller, the port for the message queue and all endpoints configured in Keystone.
  • Swift ports on all Swift servers.
  • If you use the Cinder LVM-iSCSI driver, the iSCSI port on volume servers.
  • On the network and compute servers, all the ports required by your applications.

There may be more, I can't think of any right now though. Apart from opening ports, I don't think anything needs to be done to the firewall.

Edit: You might need to open the firewalls on Compute and Network nodes for GRE traffic, if you use GRE tunnels.

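The answer lists what to open but not the port numbers, and the rulesets posted in the question all have INPUT set to policy ACCEPT, so nothing is actually filtered yet. As an added example (not the answerer's code), this POSIX shell script emits a default-deny INPUT ruleset for each node role; the port numbers are upstream defaults for Icehouse-era services and are assumptions to verify against the endpoints registered in Keystone, and MGMT_NET is a placeholder for the management network the services talk over.

```shell
#!/bin/sh
# Added example: print a host-firewall ruleset per OpenStack Icehouse node role.
# Port numbers are upstream defaults and are ASSUMPTIONS: check them against the
# endpoints registered in Keystone and each service's config before applying.
# MGMT_NET is a placeholder for the management network; USE_GRE follows the answer's edit.
MGMT_NET="${MGMT_NET:-10.0.0.0/24}"
USE_GRE="${USE_GRE:-yes}"   # set to "no" if you do not use GRE tunnels

# "proto:port" pairs a role must accept; only what the answer above calls for.
ports_for_role() {
  case "$1" in
    # Message queue (AMQP), Keystone public/admin, and the API endpoints registered in
    # Keystone (Nova, Nova metadata 8775 as in the nova-api-INPUT chain, Glance, Neutron, Cinder)
    controller) echo "tcp:5672 tcp:5000 tcp:35357 tcp:8774 tcp:8775 tcp:9292 tcp:9696 tcp:8776" ;;
    # Swift proxy plus account/container/object servers, if Swift is deployed
    swift) echo "tcp:8080 tcp:6000 tcp:6001 tcp:6002" ;;
    # Cinder LVM-iSCSI volume server: the iSCSI target port
    volume) echo "tcp:3260" ;;
    # Tenant application ports are enforced by Neutron security groups in FORWARD, not here
    network|compute) echo "" ;;
    *) return 1 ;;
  esac
}

# Print the iptables commands for one role. INPUT gets a DROP policy with explicit
# allows; FORWARD is left alone because the nova-*/neutron-* chains own it.
gen_rules() {
  role="$1"
  ports=$(ports_for_role "$role") || return 1
  echo "iptables -P INPUT DROP"
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
  echo "iptables -A INPUT -p tcp --dport 22 -s $MGMT_NET -j ACCEPT"
  for p in $ports; do
    proto=${p%%:*}; port=${p#*:}
    echo "iptables -A INPUT -p $proto --dport $port -s $MGMT_NET -j ACCEPT"
  done
  case "$role" in
    network|compute)
      # GRE is IP protocol 47, not a TCP/UDP port: it needs a protocol match, not --dport
      if [ "$USE_GRE" = "yes" ]; then
        echo "iptables -A INPUT -p gre -s $MGMT_NET -j ACCEPT"
      fi ;;
  esac
  # Log what the DROP policy discards so missing ports show up in the kernel log
  echo "iptables -A INPUT -j LOG --log-prefix 'INPUT-DROP: '"
}
```

Review the output of `gen_rules controller` (or `network`, `compute`, `swift`, `volume`) before piping it to `sh` on the node, and persist the result in /etc/sysconfig/iptables so it survives a reboot.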

Comments

Thanks Bernd, I will try as you suggested.

smcas (2015-10-16 04:21:34 -0500)

Hi Bernd, I have tried searching for the ports of the drivers and other services you suggested above, but I didn't find the exact ports for them. Please provide the port numbers to be opened on the respective nodes in an OpenStack Icehouse 3-node setup. Also, could you suggest the rules to be applied on the firewall?

smcas (2015-10-19 05:49:54 -0500)


Stats

Asked: 2015-10-07 03:59:44 -0500

Seen: 1,980 times

Last updated: Oct 12 '15