[openstack-dev] [openstack]host not reachable with iptables reject after init

2015-11-09 Thread Wilence Yao
Hi all,
After running devstack/stack.sh to completion, I found that the API is not
reachable. After some checking, I found that some iptables rules cause the problem:

```
Chain INPUT (policy ACCEPT)
target                  prot opt source      destination
nova-network-INPUT      all  --  0.0.0.0/0   0.0.0.0/0
neutron-openvswi-INPUT  all  --  0.0.0.0/0   0.0.0.0/0
nova-api-INPUT          all  --  0.0.0.0/0   0.0.0.0/0
ACCEPT                  udp  --  0.0.0.0/0   0.0.0.0/0   udp dpt:53
ACCEPT                  tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:53
ACCEPT                  udp  --  0.0.0.0/0   0.0.0.0/0   udp dpt:67
ACCEPT                  tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:67
ACCEPT                  all  --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED
ACCEPT                  icmp --  0.0.0.0/0   0.0.0.0/0
ACCEPT                  all  --  0.0.0.0/0   0.0.0.0/0
ACCEPT                  tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:22
REJECT                  all  --  0.0.0.0/0   0.0.0.0/0   reject-with icmp-host-prohibited
```

The last two rules reject all access to the host except port 22 (ssh). Why
should devstack add these two rules on the host?

Wilence Yao
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [openstack]host not reachable with iptables reject after init

2015-11-09 Thread Brian Haley

On 11/09/2015 09:55 AM, Wilence Yao wrote:

> Hi all,
> After running devstack/stack.sh to completion, I found that the API is not
> reachable. After some checking, I found that some iptables rules cause the problem:
>
> ```
> ACCEPT                  tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:22
> REJECT                  all  --  0.0.0.0/0   0.0.0.0/0   reject-with icmp-host-prohibited
> ```
>
> The last two rules reject all access to the host except port 22 (ssh). Why
> should devstack add these two rules on the host?


The devstack scripts don't add either of those rules; my guess is your distro
has locked things down by default.  So you'll need to figure out how best to
deal with it, either disabling completely or opening all the ports you'll need
for devstack to function.


-Brian
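
Added example (not part of the thread and not devstack code): a first-match walk over an `iptables -S INPUT` ruleset that reports which rule decides a new inbound connection. The ruleset is constructed from the listing in the first message; the `-i lo` match is an assumption, and port 8774 stands in for whichever API port was unreachable.

```python
# Constructed sample: `iptables -S INPUT` form of the listing in the thread.
# The `-i lo` on the accept-all rule is an assumption; `iptables -L` without
# `-v` does not print interfaces, so the thread's listing cannot confirm it.
SAMPLE = """\
-P INPUT ACCEPT
-A INPUT -j nova-network-INPUT
-A INPUT -j neutron-openvswi-INPUT
-A INPUT -j nova-api-INPUT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse(line):
    # Pull out only the match options this walk understands.
    tok = line.split()
    opts = {}
    for flag, key in (("-p", "proto"), ("-i", "iface"), ("--dport", "dport"),
                      ("--state", "state"), ("--ctstate", "state"), ("-j", "target")):
        if flag in tok:
            opts[key] = tok[tok.index(flag) + 1]
    return opts

def first_verdict(ruleset, proto, dport, iface):
    """Return (verdict, rule) for a NEW inbound packet; first match wins."""
    policy = "ACCEPT"
    for line in ruleset.splitlines():
        if line.startswith("-P INPUT"):
            policy = line.split()[2]
        if not line.startswith("-A INPUT"):
            continue
        r = parse(line)
        if r.get("target") not in TERMINAL:
            continue  # jump to a sub-chain: assumed to return with no verdict
        if r.get("proto", proto) != proto or r.get("iface", iface) != iface:
            continue
        if "dport" in r and r["dport"] != str(dport):
            continue  # single-port matches only; port ranges are not handled
        if "state" in r and "NEW" not in r["state"].split(","):
            continue
        return r["target"], line
    return policy, "chain policy"
```

On this sample, `first_verdict(SAMPLE, "tcp", 8774, "eth0")` ends at the final REJECT rule while the same port on `lo` is accepted, so a chain policy of ACCEPT does not help once a catch-all REJECT sits at the end of the chain.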
