Here are my filter tables... I did a default installation of 1 controller and 1 compute following the OpenStack install docs.

I read through that firewalld was not stopped during installation. I'm not sure if that could have caused some invalid insertions/deletions into iptables. Probably, you may want to consider re-installing the controller and compute nodes with firewalld disabled from the beginning unless you have enough time to troubleshoot the problem.

Controller Filter Table:

Chain INPUT (policy ACCEPT)
target prot opt source destination
neutron-linuxbri-INPUT all -- anywhere anywhere
nova-api-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- anywhere anywhere
neutron-linuxbri-FORWARD all -- anywhere anywhere
nova-filter-top all -- anywhere anywhere
nova-api-FORWARD all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- anywhere anywhere
neutron-linuxbri-OUTPUT all -- anywhere anywhere
nova-filter-top all -- anywhere anywhere
nova-api-OUTPUT all -- anywhere anywhere

Chain neutron-filter-top (2 references)
target prot opt source destination
neutron-linuxbri-local all -- anywhere anywhere

Chain neutron-linuxbri-FORWARD (1 references)
target prot opt source destination

Chain neutron-linuxbri-INPUT (1 references)
target prot opt source destination

Chain neutron-linuxbri-OUTPUT (1 references)
target prot opt source destination

Chain neutron-linuxbri-local (1 references)
target prot opt source destination

Chain neutron-linuxbri-sg-chain (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain neutron-linuxbri-sg-fallback (0 references)
target prot opt source destination
DROP all -- anywhere anywhere /* Default drop rule for unmatched traffic. */

Chain nova-api-FORWARD (1 references)
target prot opt source destination

Chain nova-api-INPUT (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere controller tcp dpt:8775

Chain nova-api-OUTPUT (1 references)
target prot opt source destination

Chain nova-api-local (1 references)
target prot opt source destination

Chain nova-filter-top (2 references)
target prot opt source destination
nova-api-local all -- anywhere anywhere

Compute Filter Table:

Chain INPUT (policy ACCEPT)
target prot opt source destination
neutron-linuxbri-INPUT all -- anywhere anywhere
nova-compute-INPUT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- anywhere anywhere
neutron-linuxbri-FORWARD all -- anywhere anywhere
nova-filter-top all -- anywhere anywhere
nova-compute-FORWARD all -- anywhere anywhere
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- anywhere anywhere
neutron-linuxbri-OUTPUT all -- anywhere anywhere
nova-filter-top all -- anywhere anywhere
nova-compute-OUTPUT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:bootpc

Chain neutron-filter-top (2 references)
target prot opt source destination
neutron-linuxbri-local all -- anywhere anywhere

Chain neutron-linuxbri-FORWARD (1 references)
target prot opt source destination
neutron-linuxbri-sg-chain all -- anywhere anywhere PHYSDEV match --physdev-out tap220f832a-a0 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
neutron-linuxbri-sg-chain all -- anywhere anywhere PHYSDEV match --physdev-in tap220f832a-a0 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
neutron-linuxbri-sg-chain all -- anywhere anywhere PHYSDEV match --physdev-out tapc2ae9c01-6b --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
neutron-linuxbri-sg-chain all -- anywhere anywhere PHYSDEV match --physdev-in tapc2ae9c01-6b --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
neutron-linuxbri-sg-chain all -- anywhere anywhere PHYSDEV match --physdev-out tapd0191424-88 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
neutron-linuxbri-sg-chain all -- anywhere anywhere PHYSDEV match --physdev-in tapd0191424-88 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */

Chain neutron-linuxbri-INPUT (1 references)
target prot opt source destination
neutron-linuxbri-o220f832a-a all -- anywhere anywhere PHYSDEV match --physdev-in tap220f832a-a0 --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */
neutron-linuxbri-oc2ae9c01-6 all -- anywhere anywhere PHYSDEV match --physdev-in tapc2ae9c01-6b --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */
neutron-linuxbri-od0191424-8 all -- anywhere anywhere PHYSDEV match --physdev-in tapd0191424-88 --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */

Chain neutron-linuxbri-OUTPUT (1 references)
target prot opt source destination

Chain neutron-linuxbri-i220f832a-a (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN udp -- XXX <internal interface> anywhere udp spt:bootps udp dpt:bootpc
RETURN all -- anywhere anywhere match-set NIPv4e4277e54-2e75-421d-a87d- src
RETURN icmp -- anywhere anywhere
RETURN tcp -- anywhere anywhere tcp dpt:ssh
DROP all -- anywhere anywhere state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback all -- anywhere anywhere /* Send unmatched traffic to the fallback chain. */

Chain neutron-linuxbri-ic2ae9c01-6 (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN udp -- XXX <internal interface> anywhere udp spt:bootps udp dpt:bootpc
RETURN all -- anywhere anywhere match-set NIPv4e4277e54-2e75-421d-a87d- src
RETURN icmp -- anywhere anywhere
RETURN tcp -- anywhere anywhere tcp dpt:ssh
DROP all -- anywhere anywhere state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback all -- anywhere anywhere /* Send unmatched traffic to the fallback chain. */

Chain neutron-linuxbri-id0191424-8 (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN udp -- XXX <ip_address> anywhere udp spt:bootps udp dpt:bootpc
RETURN all -- anywhere anywhere match-set NIPv4e4277e54-2e75-421d-a87d- src
RETURN icmp -- anywhere anywhere
RETURN tcp -- anywhere anywhere tcp dpt:ssh
DROP all -- anywhere anywhere state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback all -- anywhere anywhere /* Send unmatched traffic to the fallback chain. */

Chain neutron-linuxbri-local (1 references)
target prot opt source destination

Chain neutron-linuxbri-o220f832a-a (2 references)
target prot opt source destination
RETURN udp -- 0.0.0.0 255.255.255.255 udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
neutron-linuxbri-s220f832a-a all -- anywhere anywhere
RETURN udp -- anywhere anywhere udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
DROP udp -- anywhere anywhere udp spt:bootps udp dpt:bootpc /* Prevent DHCP Spoofing by VM. */
RETURN all -- anywhere anywhere state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback all -- anywhere anywhere /* Send unmatched traffic to the fallback chain. */

Chain neutron-linuxbri-oc2ae9c01-6 (2 references)
target prot opt source destination
RETURN udp -- 0.0.0.0 255.255.255.255 udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
neutron-linuxbri-sc2ae9c01-6 all -- anywhere anywhere
RETURN udp -- anywhere anywhere udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
DROP udp -- anywhere anywhere udp spt:bootps udp dpt:bootpc /* Prevent DHCP Spoofing by VM. */
RETURN all -- anywhere anywhere state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback all -- anywhere anywhere /* Send unmatched traffic to the fallback chain. */

Chain neutron-linuxbri-od0191424-8 (2 references)
target prot opt source destination
RETURN udp -- 0.0.0.0 255.255.255.255 udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
neutron-linuxbri-sd0191424-8 all -- anywhere anywhere
RETURN udp -- anywhere anywhere udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
DROP udp -- anywhere anywhere udp spt:bootps udp dpt:bootpc /* Prevent DHCP Spoofing by VM. */
RETURN all -- anywhere anywhere state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback all -- anywhere anywhere /* Send unmatched traffic to the fallback chain. */

Chain neutron-linuxbri-s220f832a-a (1 references)
target prot opt source destination
RETURN all -- XXX <ip address> anywhere MAC XX:XX:XX:FF:36:AA /* Allow traffic from defined IP/MAC pairs. */
DROP all -- anywhere anywhere /* Drop traffic without an IP/MAC allow rule. */

Chain neutron-linuxbri-sc2ae9c01-6 (1 references)
target prot opt source destination
RETURN all -- XXX <ip address> anywhere MAC XX:XX:XX:88:CA:0C /* Allow traffic from defined IP/MAC pairs. */
DROP all -- anywhere anywhere /* Drop traffic without an IP/MAC allow rule. */

Chain neutron-linuxbri-sd0191424-8 (1 references)
target prot opt source destination
RETURN all -- XXX <ip address> anywhere MAC XX:XX:XX:2A:55:AA /* Allow traffic from defined IP/MAC pairs. */
DROP all -- anywhere anywhere /* Drop traffic without an IP/MAC allow rule. */

Chain neutron-linuxbri-sg-chain (6 references)
target prot opt source destination
neutron-linuxbri-i220f832a-a all -- anywhere anywhere PHYSDEV match --physdev-out tap220f832a-a0 --physdev-is-bridged /* Jump to the VM specific chain. */
neutron-linuxbri-o220f832a-a all -- anywhere anywhere PHYSDEV match --physdev-in tap220f832a-a0 --physdev-is-bridged /* Jump to the VM specific chain. */
neutron-linuxbri-ic2ae9c01-6 all -- anywhere anywhere PHYSDEV match --physdev-out tapc2ae9c01-6b --physdev-is-bridged /* Jump to the VM specific chain. */
neutron-linuxbri-oc2ae9c01-6 all -- anywhere anywhere PHYSDEV match --physdev-in tapc2ae9c01-6b --physdev-is-bridged /* Jump to the VM specific chain. */
neutron-linuxbri-id0191424-8 all -- anywhere anywhere PHYSDEV match --physdev-out tapd0191424-88 --physdev-is-bridged /* Jump to the VM specific chain. */
neutron-linuxbri-od0191424-8 all -- anywhere anywhere PHYSDEV match --physdev-in tapd0191424-88 --physdev-is-bridged /* Jump to the VM specific chain. */
ACCEPT all -- anywhere anywhere

Chain neutron-linuxbri-sg-fallback (6 references)
target prot opt source destination
DROP all -- anywhere anywhere /* Default drop rule for unmatched traffic. */

Chain nova-compute-FORWARD (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere

Chain nova-compute-INPUT (1 references)
target prot opt source destination

Chain nova-compute-OUTPUT (1 references)
target prot opt source destination

Chain nova-compute-local (1 references)
target prot opt source destination

Chain nova-filter-top (2 references)
target prot opt source destination
nova-compute-local all -- anywhere anywhere

Regards,
Manjunath

-----Original Message-----
From: Georgios Dimitrakakis [mailto:gior...@acmac.uoc.gr]
Sent: Sunday, 19 March, 2017 11:35 PM
To: openstack@lists.openstack.org
Subject: Re: [Openstack] DHCP Request Failed on Ocata

Any ideas on this?
Here are my firewall rules on the Controller Node:

#ALLOW ALL Compute Node
-A INPUT -s $COMPUTE_NODE_IP/32 -p udp -j ACCEPT
-A OUTPUT -d $COMPUTE_NODE_IP/32 -p udp -j ACCEPT
-A INPUT -s $COMPUTE_NODE_IP/32 -p tcp -j ACCEPT
-A OUTPUT -d $COMPUTE_NODE_IP/32 -p tcp -j ACCEPT

#ALLOW ALL from-to Public Subnet
-A INPUT -s $PUBLIC_SUBNET/29 -p udp -j ACCEPT
-A OUTPUT -d $PUBLIC_SUBNET/29 -p udp -j ACCEPT
-A INPUT -s $PUBLIC_SUBNET/29 -p tcp -j ACCEPT
-A OUTPUT -d $PUBLIC_SUBNET/29 -p tcp -j ACCEPT

After these, more rules follow for SSH (port 22), HTTP (port 80) etc.

Respectively on the Compute Node I have:

#ALLOW ALL Controller Node
-A INPUT -s $CONTROLLER_NODE_IP/32 -p udp -j ACCEPT
-A OUTPUT -d $CONTROLLER_NODE_IP/32 -p udp -j ACCEPT
-A INPUT -s $CONTROLLER_NODE_IP/32 -p tcp -j ACCEPT
-A OUTPUT -d $CONTROLLER_NODE_IP/32 -p tcp -j ACCEPT

#ALLOW ALL from-to Public Subnet
-A INPUT -s $PUBLIC_SUBNET/29 -p udp -j ACCEPT
-A OUTPUT -d $PUBLIC_SUBNET/29 -p udp -j ACCEPT
-A INPUT -s $PUBLIC_SUBNET/29 -p tcp -j ACCEPT
-A OUTPUT -d $PUBLIC_SUBNET/29 -p tcp -j ACCEPT

After these, more rules follow for SSH (port 22), HTTP (port 80) etc.

where on all the above:
The $COMPUTE_NODE_IP is the static IP address of the compute node
The $CONTROLLER_NODE_IP is the static IP address of the controller node
The $PUBLIC_SUBNET is the subnet for the public IP addresses as defined by my provider

The above rules are at the top of my IPTABLES files immediately after:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT

while at the very end (after all the rules) I have:

-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Using the above rules I believe that I have open communication between the Controller, the Compute Node and the VMs.

Obviously I am missing something... but what???

Can someone help me or share with me their firewall rules between a controller and a compute node??

Keeping the firewall disabled solves the problem and all VMs get IP addresses without a problem, but this is not desired.

I really appreciate any help provided since I have been puzzled for quite a few days now with this....

Regards,

G.

> I have also disabled completely the "firewalld" service and reverted
> back to "iptables" service but without success.
>
> No matter what I do my instances cannot get a DHCP address unless the
> firewall is "stopped".
>
> I've tried to add the UDP ports 67-68 on the firewall but without
> success as well.
> What else should I do in order to be able to have "iptables" enabled
> for basic firewall functionality and at the same time my OpenStack
> environment to work without a problem?
>
> Any ideas???
>
> Regards,
>
> G.
>
> On Mon, 13 Mar 2017 19:37:41 -0400, Mohammed Naser wrote:
>> It causes problems for us so we uninstall and disable it on all
>> compute nodes.
>>
>> yum -y remove firewalld
>>
>> Sent from my iPhone
>>
>>> On Mar 13, 2017, at 5:58 PM, Georgios Dimitrakakis
>>> <gior...@acmac.uoc.gr> wrote:
>>>
>>> My problem may be due to the "firewalld" service running....
>>>
>>> Has anyone configured OpenStack on CentOS with Firewalld or do you
>>> suggest to disable it?
>>>
>>> Best,
>>>
>>> G.
>>>
>>>> On Sat, 11 Mar 2017 21:28:51 +0200, Georgios Dimitrakakis wrote:
>>>> Hello!
>>>>
>>>> I am trying to setup a new Ocata installation following the official
>>>> guide but my instances fail to get a DHCP address.
>>>>
>>>> I am using two physical nodes (1x controller and 1x compute) each one
>>>> with two network interfaces.
>>>> Compute node can reach the Controller node via the first interface
>>>> and vice versa.
>>>> As recommended by the manual the second interface is unnumbered.
>>>>
>>>> When I launch an instance I can see using "tcpdump" that the DHCP
>>>> request reaches the second (the unnumbered) interface of the compute
>>>> node but never reaches any other interface either on compute or
>>>> controller node.
>>>>
>>>> Therefore I am wondering how should the instance get an IP address?
>>>> What is the correct path that is followed?
>>>>
>>>> I have tried that using both provider and self-service networks and
>>>> the result is always the same.
>>>>
>>>> Looking forward for any directions, recommendations etc.
>>>>
>>>> All the best,
>>>>
>>>> G.
>>>>
>>>> _______________________________________________
>>>> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>> Post to : openstack@lists.openstack.org
>>>> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
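As an added illustration (not code from either poster), the following walks the controller FORWARD chain from each message the way the kernel does for the DHCP DISCOVER a VM sends: Manjunath's controller FORWARD holds only empty Neutron/Nova jump chains under a policy of ACCEPT, while Georgios's file ends with "-A FORWARD -j REJECT", and INPUT/OUTPUT accepts are never consulted for bridged traffic. The placeholder address 10.0.0.31, the abridged rule sets and the assumption that bridge-nf-call-iptables is enabled (which the linuxbridge agent requires) are mine.

```python
# Added example, not code from either poster: walk an iptables FORWARD chain the way the
# kernel does for the DHCP DISCOVER a VM sends (0.0.0.0:68 -> 255.255.255.255:67).
# Assumes bridged frames traverse FORWARD (bridge-nf-call-iptables=1, as the linuxbridge
# agent needs); 10.0.0.31 is a constructed placeholder for the compute node address.
import ipaddress, shlex

def parse_rules(text):
    """iptables-save text -> ({chain: [rule dict]}, {chain: policy, None for user chains})."""
    chains, policies = {}, {}
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0].startswith(":"):                       # ":FORWARD ACCEPT [0:0]"
            chains.setdefault(tok[0][1:], [])
            policies[tok[0][1:]] = None if tok[1] == "-" else tok[1]
        elif tok[0] == "-A":                             # "-A CHAIN <options> -j TARGET"
            rule, i = {}, 2
            while i < len(tok):
                if tok[i] not in ("-m", "--reject-with"):   # module name / reject type: no match
                    rule[tok[i]] = tok[i + 1]
                i += 2
            chains.setdefault(tok[1], []).append(rule)
    return chains, policies

def matches(rule, pkt):                                  # every option present must fit
    in_net = lambda ip, net: ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)
    checks = {"-s": lambda v: in_net(pkt["src"], v), "-d": lambda v: in_net(pkt["dst"], v),
              "-p": lambda v: pkt["proto"] == v, "-i": lambda v: pkt.get("in") == v,
              "--sport": lambda v: pkt["sport"] == int(v), "--dport": lambda v: pkt["dport"] == int(v),
              "--state": lambda v: pkt.get("state", "NEW") in v.split(",")}
    return all(fn(rule[opt]) for opt, fn in checks.items() if opt in rule)

def verdict(chains, policies, chain, pkt):               # first terminal match wins
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        tgt = rule["-j"]
        if tgt in ("ACCEPT", "DROP", "REJECT", "RETURN"):
            return None if tgt == "RETURN" else tgt
        sub = verdict(chains, policies, tgt, pkt)        # jump into a user-defined chain
        if sub is not None:
            return sub
    return policies.get(chain)                           # built-in policy; user chain -> RETURN

# Georgios's controller file (abridged, placeholder IP) and Manjunath's controller FORWARD chain.
GEORGIOS = (":INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n"
            "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
            "-A INPUT -s 10.0.0.31/32 -p udp -j ACCEPT\n"
            "-A FORWARD -j REJECT --reject-with icmp-host-prohibited\n")
MANJUNATH = (":FORWARD ACCEPT [0:0]\n:neutron-linuxbri-FORWARD - [0:0]\n"
             "-A FORWARD -j neutron-linuxbri-FORWARD\n")
DHCP_DISCOVER = {"src": "0.0.0.0", "dst": "255.255.255.255", "proto": "udp", "sport": 68, "dport": 67}

def forward_verdicts():                                  # what each FORWARD chain does with it
    return {name: verdict(*parse_rules(text), "FORWARD", DHCP_DISCOVER)
            for name, text in (("georgios", GEORGIOS), ("manjunath", MANJUNATH))}
```

Feeding a real iptables-save dump to parse_rules and checking verdict(...) on the FORWARD chain for the bridged DHCP packet shows which rule ends its walk; on a host where the neutron chains are empty, a trailing FORWARD REJECT is reached before any INPUT accept could matter.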