Exact firewall rules for metadata agent on controller node

Hello.

I'm using the Queens OpenStack release, with controller and compute nodes deployed on the latest CentOS 7 release. The network is configured to use the "provider network" model.

I've run into a problem: a built-in iptables rule on the controller node blocks the metadata request/response to instances, so they are unable to retrieve the SSH key and other data during cloud-init on first boot via the http://169.254.169.254:80 URL (which is routed in the instance to the metadata agent IP). Here it is:

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

Last time I solved a very similar problem, but related to DHCP requests, by adding the following rule to the /etc/sysconfig/iptables file before the "REJECT" one:

-A FORWARD -p udp -m udp --sport 67 --dport 68 -j ACCEPT

To resolve the problem with metadata, the following rules were added to the "FORWARD" chain on the controller node, and they work:

-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 80 -j ACCEPT

But I'm not sure that they are completely correct. Can someone share their experience with that scenario?

Another question: why do the init and run-time scripts of OpenStack services on the controller node not take care of iptables in all cases? The firewall driver was set correctly in nova/neutron, and some rules appear in iptables after a restart of the services in addition to the existing ones, but not the necessary set to avoid intercommunication problems between the controller and compute nodes.

Below is the full list of iptables rules:

[root@controller ~]# iptables-save
# Generated by iptables-save v1.4.21 on Fri Aug 31 03:03:24 2018
*nat
:PREROUTING ACCEPT [40331:4980395]
:INPUT ACCEPT [19152:1206716]
:OUTPUT ACCEPT [3424:208170]
:POSTROUTING ACCEPT [16794:2598368]
COMMIT
# Completed on Fri Aug 31 03:03:24 2018
# Generated by iptables-save v1.4.21 on Fri Aug 31 03:03:24 2018
*mangle
:PREROUTING ACCEPT [13992448:6525771277]
:INPUT ACCEPT [13783684:6505744476]
:FORWARD ACCEPT [206259:20684970]
:OUTPUT ACCEPT [13759465:6212240069]
:POSTROUTING ACCEPT [13965444:6232905496]
COMMIT
# Completed on Fri Aug 31 03:03:24 2018
# Generated by iptables-save v1.4.21 on Fri Aug 31 03:03:24 2018
*raw
:PREROUTING ACCEPT [13988200:6524208181]
:OUTPUT ACCEPT [13755278:6210758332]
:neutron-linuxbri-OUTPUT - [0:0]
:neutron-linuxbri-PREROUTING - [0:0]
-A PREROUTING -j neutron-linuxbri-PREROUTING
-A OUTPUT -j neutron-linuxbri-OUTPUT
COMMIT
# Completed on Fri Aug 31 03:03:24 2018
# Generated by iptables-save v1.4.21 on Fri Aug 31 03:03:24 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4556611:2056773792]
:neutron-filter-top - [0:0]
:neutron-linuxbri-FORWARD - [0:0]
:neutron-linuxbri-INPUT - [0:0]
:neutron-linuxbri-OUTPUT - [0:0]
:neutron-linuxbri-local - [0:0]
:neutron-linuxbri-sg-chain - [0:0]
:neutron-linuxbri-sg-fallback - [0:0]
-A INPUT -j neutron-linuxbri-INPUT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 123 -j ACCEPT
-A INPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5672 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 35357 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8778 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9292 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9696 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6080 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-linuxbri-FORWARD
-A FORWARD -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-linuxbri-OUTPUT
-A neutron-filter-top -j neutron-linuxbri-local
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap923a6922-4d --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
-A neutron-linuxbri-sg-chain -j ACCEPT
-A neutron-linuxbri-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP
COMMIT
# Completed on Fri Aug 31 03:03:24 2018
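An added audit helper (not part of the post, not OpenStack code) that scans an iptables-save dump for FORWARD rules that ACCEPT on a bare --sport match, such as the "--sport 80" rule above, and prints a narrower replacement that relies on conntrack for replies. It assumes the metadata proxy answers at 169.254.169.254:80 and that the instance's request still carries that destination address when it crosses the bridge; the sample chain is copied from the dump above.

```shell
#!/usr/bin/env bash
# Added audit helper (not from the post): scan an iptables-save dump for
# FORWARD rules that ACCEPT on a bare --sport match, and print a narrower
# replacement. Assumption: the metadata proxy answers at 169.254.169.254:80.
META_IP="169.254.169.254"

# Print every FORWARD ACCEPT rule that matches only on --sport, with no
# --dport and no state/conntrack match. Such a rule lets any peer that
# happens to use that source port through the chain in either direction.
audit_forward_rules() {   # $1 = file holding iptables-save output
    grep -E '^-A FORWARD .*--sport [0-9]+ .*-j ACCEPT' "$1" \
        | grep -Ev -- '--dport|-m (state|conntrack)'
}

# Narrowed rules for the metadata path: replies return through conntrack,
# and only new flows to the metadata address/port are accepted. Both must
# sit before the final "-j REJECT" line in the FORWARD chain.
tightened_rules() {
    printf '%s\n' \
      "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" \
      "-A FORWARD -d ${META_IP}/32 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT"
}

# Constructed sample: the FORWARD chain as posted above.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-linuxbri-FORWARD
-A FORWARD -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
EOF

echo "Overly broad FORWARD rules:"
audit_forward_rules "$SAMPLE"
echo "Suggested replacement for the --sport 80 rule:"
tightened_rules
```

Run it against a live dump with `iptables-save > dump.txt; audit_forward_rules dump.txt` after sourcing the script; the DHCP rule is not flagged because it also pins --dport.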