-1

I've got an OpenStack instance (all in one node) and want to redirect incoming traffic on some port from the host to one of the instances.

OpenStack Nova sets up a whole bunch of iptables rules. How can I properly configure my box so that my custom rules get somehow merged with Nova rules?

I know I could iptables-save the Nova rules, patch them and then iptables-restore them, but this would somehow break separation of matters between OpenStack and the rest of the system.

rcomblen

1 Answer

2

If your goal is to provide a firewall to public address ranges in addition to the security controls that OpenStack provides, I recommend placing a firewall at the edge of your network beyond the perimeter of OpenStack.

Injecting IPTables rules into OpenStack could be done in the past with nova-network, but it was unsafe at best. Today with Quantum it is even more inadvisable.

Matt Joyce