Re: [Openstack] Managing iptables with OpenStack Folsom (using Quantum)

[Razique Mahroua]

That means you shouldn't use iptables for your custom rules since OpenStack manages iptables and everytime the network is updated, iptables is impacted. If you restart nova-netork for instance, then all the iptables rules are flushed and recreated according to your network topology. The iptables service doesn't need to be turned off (is that even possible?), just make sure not to create routing rules manually that might conflict with the rules OpenStack sets :) Razique Mahroua - Nuage & Co razique.mahr...@gmail.com Tel : +33 9 72 37 94 15 Le 28 août 2013 à 19:08, Craig E. Ward <cw...@isi.edu> a écrit : I have an OpenStack Folsom, with Quantum networking, installation that I'm having trouble getting additional rules into the iptables on nova-compute nodes. The online manual (http://docs.openstack.org/trunk/openstack-ops/content/iptables.html) states that "You must use OpenStack to manage iptables." What it doesn't include is any indication of how that is done. How can iptables be managed with OpenStack? When I add rules to the file /etc/sysconfig/iptables, sometimes the nova-compute service fails to work properly. A new instance on the node may not get an IP address or the vnc service in Horizon does not respond. The instance is listed in the database with an assigned IP, but the address is not reachable. Does the iptables service need to be "off" in the context of chkconfig? That is, don't let it start through the rc sequence, but let nova-compute start it and populate the rules? If iptables is started in the rc sequence, then are there some rules that should not be in /etc/sysconfig/iptables? If the rc sequence is not used, how do ports unrelated to OpenStack services get enabled? Does the default response for a packet sent to non-OpenStack related port drop the packet or let it pass? Thanks, Craig -- Craig E. Ward Information Sciences Institute University of Southern California cw...@isi.edu _______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to     : openstack@lists.openstack.org Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

signature.asc
Description: Message signed with OpenPGP using GPGMail

_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack