Hi Sharif,

On Tue, 2011-10-11 at 14:55 -0400, Sharif Islam wrote:
> As Jorge was pointing out last week
> (https://lists.launchpad.net/openstack/msg04596.html), the problem seems
> to be iptables related. When I added these two rules, I was able to ping
> google.com with 10.0.1.1 as the nameserver.
>
> # iptables -I nova-network-INPUT 1 -p tcp --dport 53 -j ACCEPT
> # iptables -I nova-network-INPUT 1 -p udp --dport 53 -j ACCEPT
>
> However, as soon as a new instance starts, these two rules go away.
>
> # iptables -L nova-network-INPUT
> Chain nova-network-INPUT (1 references)
> target     prot opt source               destination
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
>
> I start a new instance, and a few seconds later:
>
> # iptables -L nova-network-INPUT
> Chain nova-network-INPUT (1 references)
> target     prot opt source               destination
>
> I also have these two rules:
>
> # iptables -L -n|grep 67
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67
> # iptables -L -n|grep 53
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
>
> Can someone explain how these iptables rules get created? I thought these
> rules were generated by starting nova-network.
>
> I also saw this: https://bugzilla.redhat.com/show_bug.cgi?id=734347. Not
> sure if this is related. I am running RHEL 6.1.
Ah, yes - the issue is that Fedora and RHEL's iptables rules default to
rejecting packets which aren't allowed. Nova's iptables rules assumed the
default was to accept.

You're running Cactus, right? This is fixed in Diablo, see:

  https://bugs.launchpad.net/nova/+bug/844935

Cheers,
Mark.

Mailing list: https://launchpad.net/~openstack
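The failure mode in this thread is that rules an operator inserts by hand into `nova-network-INPUT` vanish when nova-network rebuilds the chain, and on a distribution whose policy rejects by default that silently breaks DNS (and, by the same mechanism, DHCP) for instances. A small check that an operator can run after each instance launch, or from a cron job, makes the regression visible instead of waiting for a ping to fail. The script below is an added example written for this post; it is not part of the thread or of Nova. The two chain listings are constructed from the `iptables -L -n` output quoted above, and the check parses that listing format; on a live host you would pipe `iptables -L nova-network-INPUT -n` into `missing_accepts` instead of the samples.

```shell
#!/bin/sh
# Constructed sample: `iptables -L nova-network-INPUT -n` before a new
# instance starts, with the hand-inserted DNS ACCEPT rules present.
BEFORE='Chain nova-network-INPUT (1 references)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53'

# Constructed sample: the same chain after nova-network regenerated it.
AFTER='Chain nova-network-INPUT (1 references)
target     prot opt source               destination'

# missing_accepts LISTING PORT
# Scans an `iptables -L <chain> -n` listing and prints "proto/port" for each
# of udp and tcp that has no ACCEPT rule to PORT. Returns 0 when both rules
# are present, 1 when at least one is missing, so it can gate an alert.
missing_accepts() {
    listing=$1
    port=$2
    rc=0
    for proto in udp tcp; do
        if ! printf '%s\n' "$listing" |
            grep -Eq "^ACCEPT +$proto .* $proto dpt:$port( |\$)"; then
            echo "$proto/$port"
            rc=1
        fi
    done
    return $rc
}

# check_chain LISTING
# Checks the ports nova-network's guests depend on: 53 (dnsmasq DNS) and
# 67 (dnsmasq DHCP). Prints one line per missing rule, returns 1 if any.
check_chain() {
    missing=$(missing_accepts "$1" 53; missing_accepts "$1" 67)
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# Demonstration on the constructed samples (no real iptables needed).
echo "before instance start:"
missing_accepts "$BEFORE" 53 && echo "  DNS rules present"
echo "after instance start:"
missing_accepts "$AFTER" 53 || echo "  DNS rules missing -> chain was rebuilt"
```

On a live host, `iptables -L nova-network-INPUT -n | { l=$(cat); check_chain "$l"; }` in a cron job gives a non-zero exit whenever the chain has been rebuilt without the rules, which is the signal to apply the Diablo fix rather than to keep re-inserting rules by hand.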

