Revision history (revision 1, initial version)

Setting Firewall on OpenStack nodes

I tried to configure the firewall for the OpenStack Controller and Compute nodes, and here are the rules I added to the firewall:

myZone (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp2s0 enp7s4
  sources: 
  services: ssh dhcpv6-client
  ports: 80/tcp 6080/tcp 11211/tcp 9696/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
    rule family="ipv4" source address="192.168.0.32" accept
    rule family="ipv4" source address="192.168.0.31" accept

The addresses of the Controller and Compute nodes are 192.168.0.31 and 192.168.0.32, respectively. With these rules I can use Horizon in the browser, and the Compute node services can connect to the Controller node's ports.

The problem is that when the firewall is enabled on the Controller node, instances running on the Controller node (I configured the Controller node as a Compute node, too) can only be pinged; all other VMs and nodes (including the Controller node) cannot connect to them (using SSH or any other connection to a specific port). There is no firewall running on the instances. I configured an external network to connect the VMs to each other. CentOS 7 is running on all nodes. Here are the ports listening on the Controller node:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:8775            0.0.0.0:*               LISTEN      4478/python2        
tcp        0      0 0.0.0.0:9191            0.0.0.0:*               LISTEN      4461/python2        
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      10189/httpd         
tcp        0      0 0.0.0.0:8776            0.0.0.0:*               LISTEN      4487/python2        
tcp        0      0 0.0.0.0:25672           0.0.0.0:*               LISTEN      4466/beam.smp       
tcp        0      0 0.0.0.0:8778            0.0.0.0:*               LISTEN      10189/httpd         
tcp        0      0 192.168.0.31:3306       0.0.0.0:*               LISTEN      4860/mysqld         
tcp        0      0 192.168.0.31:2379       0.0.0.0:*               LISTEN      4464/etcd           
tcp        0      0 192.168.0.31:11211      0.0.0.0:*               LISTEN      4457/memcached      
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      4457/memcached      
tcp        0      0 192.168.0.31:5900       0.0.0.0:*               LISTEN      16844/qemu-kvm      
tcp        0      0 0.0.0.0:9292            0.0.0.0:*               LISTEN      4500/python2        
tcp        0      0 192.168.0.31:2380       0.0.0.0:*               LISTEN      4464/etcd           
tcp        0      0 192.168.0.31:5901       0.0.0.0:*               LISTEN      16982/qemu-kvm      
tcp        0      0 192.168.0.31:5902       0.0.0.0:*               LISTEN      17339/qemu-kvm      
tcp        0      0 192.168.0.31:5903       0.0.0.0:*               LISTEN      17621/qemu-kvm      
tcp        0      0 192.168.0.31:5904       0.0.0.0:*               LISTEN      17840/qemu-kvm      
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      10189/httpd         
tcp        0      0 0.0.0.0:4369            0.0.0.0:*               LISTEN      1/systemd           
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      4468/sshd           
tcp        0      0 192.168.0.31:3260       0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:6080            0.0.0.0:*               LISTEN      4458/python2        
tcp        0      0 0.0.0.0:9696            0.0.0.0:*               LISTEN      4473/python2        
tcp        0      0 0.0.0.0:8774            0.0.0.0:*               LISTEN      4478/python2        
tcp6       0      0 :::5672                 :::*                    LISTEN      4466/beam.smp       
tcp6       0      0 :::22                   :::*                    LISTEN      4468/sshd

So, is there any port or something else to add to the firewall rules to make the instances reachable when the firewall is running on the Controller node?
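To reason about what the zone above actually lets through, here is a small model of how firewalld on CentOS 7 (the 0.4.x series with the iptables backend) evaluates it. This is an added example, not code from the original post or from firewalld: it encodes the zone listing and the netstat output from the post and answers "would this packet be accepted?" both for traffic addressed to the host itself (the INPUT chain) and for traffic bridged through the host to an instance on a provider network (the FORWARD chain). The chain layout it assumes is a description of firewalld's rendering, not something the post states: source-only rich rules land in both the IN_<zone> and FWDI_<zone> chains, services and ports are rendered only into IN_<zone>, every zone chain ends with an unconditional ICMP accept, and a "default" target falls through to the base chain's final REJECT. The address 192.168.0.100 used as an "arbitrary host" is constructed.

```python
"""Model of the firewalld zone from the post (added example, assumptions noted)."""
from dataclasses import dataclass

# The zone exactly as listed in the post, with services resolved to their ports.
ZONE = {
    "interfaces": {"enp2s0", "enp7s4"},
    "services": {"ssh": ("tcp", 22), "dhcpv6-client": ("udp", 546)},
    "ports": {("tcp", 80), ("tcp", 6080), ("tcp", 11211), ("tcp", 9696)},
    "rich_accept_sources": {"192.168.0.31", "192.168.0.32"},
    "target": "default",
}


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: int = 0             # ignored for icmp
    forwarded: bool = False    # True: bridged through the host (FORWARD), not to it (INPUT)
    established: bool = False  # reply packet of an existing conntrack entry


def verdict(pkt: Packet, zone: dict = ZONE) -> str:
    """Return ACCEPT or REJECT following the assumed chain walk (firewalld 0.4.x)."""
    # Base chain: RELATED,ESTABLISHED accept, then -i lo accept.
    if pkt.established or pkt.in_iface == "lo":
        return "ACCEPT"
    # Zone dispatch is by ingress interface; an interface bound to no zone is
    # assumed (for this model) to match nothing and fall to the final REJECT.
    if pkt.in_iface not in zone["interfaces"]:
        return "REJECT"
    # IN_<zone>_allow / FWDI_<zone>_allow: source-only rich rules accept whole hosts,
    # for both local delivery and forwarded traffic (assumption).
    if pkt.src in zone["rich_accept_sources"]:
        return "ACCEPT"
    # Services and ports are rendered only into IN_<zone>_allow (assumption), so
    # they never apply to traffic bridged through the host to an instance.
    if not pkt.forwarded:
        allowed = set(zone["services"].values()) | zone["ports"]
        if (pkt.proto, pkt.dport) in allowed:
            return "ACCEPT"
    # Every zone chain ends with "-p icmp -j ACCEPT" (assumption): ping always works.
    if pkt.proto == "icmp":
        return "ACCEPT"
    # target "default": nothing else matches and the base chain ends in REJECT.
    return "REJECT"


# Listening sockets from the post's netstat output: (proto, bind address, port).
# The tcp6 ":::5672" socket is included as "::" since a dual-stack bind also
# accepts IPv4 connections.
LISTENERS = [
    ("tcp", "0.0.0.0", 8775), ("tcp", "0.0.0.0", 9191), ("tcp", "0.0.0.0", 5000),
    ("tcp", "0.0.0.0", 8776), ("tcp", "0.0.0.0", 25672), ("tcp", "0.0.0.0", 8778),
    ("tcp", "192.168.0.31", 3306), ("tcp", "192.168.0.31", 2379),
    ("tcp", "192.168.0.31", 11211), ("tcp", "127.0.0.1", 11211),
    ("tcp", "192.168.0.31", 5900), ("tcp", "192.168.0.31", 5901),
    ("tcp", "192.168.0.31", 5902), ("tcp", "192.168.0.31", 5903),
    ("tcp", "192.168.0.31", 5904), ("tcp", "0.0.0.0", 9292),
    ("tcp", "192.168.0.31", 2380), ("tcp", "0.0.0.0", 80), ("tcp", "0.0.0.0", 4369),
    ("tcp", "0.0.0.0", 22), ("tcp", "192.168.0.31", 3260), ("tcp", "0.0.0.0", 6080),
    ("tcp", "0.0.0.0", 9696), ("tcp", "0.0.0.0", 8774), ("tcp", "::", 5672),
]


def exposed_ports(src: str, iface: str = "enp2s0") -> set:
    """Ports a host `src` can open on the controller when arriving via `iface`."""
    reachable = set()
    for proto, bind, port in LISTENERS:
        if bind == "127.0.0.1":  # loopback-only sockets are never reachable from the wire
            continue
        if verdict(Packet(in_iface=iface, src=src, proto=proto, dport=port)) == "ACCEPT":
            reachable.add(port)
    return reachable


if __name__ == "__main__":
    # Constructed "anyone else" address versus the two nodes named in the post.
    print("anyone on the LAN reaches:", sorted(exposed_ports("192.168.0.100")))
    print("the compute node reaches: ", sorted(exposed_ports("192.168.0.32")))
    print("bridged TCP to an instance:", verdict(Packet("enp2s0", "192.168.0.100", "tcp", 22, forwarded=True)))
    print("bridged ping to an instance:", verdict(Packet("enp2s0", "192.168.0.100", "icmp", forwarded=True)))
```

Two things fall out of the model. First, because both nodes are already accepted wholesale by the rich rules, the entries under `ports:` only add access for everyone else on the LAN; in particular 11211/tcp exposes the memcached socket bound to 192.168.0.31 to any host that can reach enp2s0, which is rarely what you want for a cache holding Keystone tokens. Second, whether bridged traffic to instances is subject to the zone at all depends on `net.bridge.bridge-nf-call-iptables` and on the chains firewalld really generated on this host; confirm the assumptions with `sysctl net.bridge.bridge-nf-call-iptables`, `firewall-cmd --list-all`, and `iptables -S IN_myZone` / `iptables -S FWDI_myZone` before acting on the model's verdicts.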