I installed OpenStack on RHEL6 using DevStack and had it running nicely. One day one of our "system administrators" noticed that iptables was running on the system and decided to turn it off (chkconfig iptables off). He then restarted the server and didn't tell me for a couple days. After he told me I quickly checked to see if I could access my instances. While Horizon was accessible, since nothing is being blocked, and I could access my instances from the Console, these instances could not access the network. After this I tried to access the instances from the server via SSH. The private IP was not accessible.
I then tried to restart iptables, which came up... and blocked the Horizon dashboard. So I then attempted to restart all the OpenStack services... still no access to Horizon or any of the instances, but at least now my iptables was populated with nova rules:
Chain INPUT (policy ACCEPT)
target prot opt source destination
nova-api-INPUT all -- anywhere anywhere
nova-network-INPUT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
ACCEPT tcp -- anywhere anywhere multiport dports https
ACCEPT tcp -- anywhere anywhere multiport dports http
Chain FORWARD (policy ACCEPT)
target prot opt source destination
nova-filter-top all -- anywhere anywhere
nova-api-FORWARD all -- anywhere anywhere
nova-network-FORWARD all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
nova-filter-top all -- anywhere anywhere
nova-api-OUTPUT all -- anywhere anywhere
nova-network-OUTPUT all -- anywhere anywhere
Chain nova-api-FORWARD (1 references)
target prot opt source destination
Chain nova-api-INPUT (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere devcloud.camb.comdev.ca tcp dpt:8775
Chain nova-api-OUTPUT (1 references)
target prot opt source destination
Chain nova-api-local (1 references)
target prot opt source destination
Chain nova-filter-top (2 references)
target prot opt source destination
nova-api-local all -- anywhere anywhere
nova-network-local all -- anywhere anywhere
Chain nova-network-FORWARD (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain nova-network-INPUT (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
Chain nova-network-OUTPUT (1 references)
target prot opt source destination
Chain nova-network-local (1 references)
target prot opt source destination
None of these rules allow remote access to Horizon, and they don't even allow local access to the instances that should be running. On top of that, before iptables was turned off I was able to allow Apache HTTPD to listen on any port, but that functionality seems to be stopped now as well.
Right now, the only thing I can think of is starting fresh because I don't have a clue where to look. I've been reading up on iptables and OpenStack and how they work together but haven't been able to find any solution. Can anyone point me in a direction that might help?
I had considered adding rules to the iptables rules directly, but these would be overridden by nova anytime a change is made or it is restarted, which would make this impossible to maintain.
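One thing the listing above makes visible on its own is rule ordering: in the INPUT chain the catch-all "REJECT all ... icmp-host-prohibited" sits before the ACCEPT rules for http and https, so iptables never reaches them and Horizon is unreachable no matter what the later rules say. The script below is an added diagnostic written for this thread, not code from the question's author or from OpenStack; it parses a plain `iptables -L` listing (the INPUT and FORWARD chains from the question are embedded as sample data) and reports every rule that is dead because an earlier catch-all REJECT or DROP in the same chain terminates evaluation first. It also flags unconditional ACCEPT rules, because `iptables -L` without `-v` hides interface matches, so a rule that prints as "ACCEPT all -- anywhere anywhere" is very often `-i lo` and should be confirmed with `iptables -L -n -v` before drawing conclusions.

```python
"""Detect shadowed rules in an `iptables -L` listing.

A rule is shadowed when an earlier rule in the same chain matches every
packet and terminates evaluation (catch-all REJECT or DROP), so the later
rule can never fire.  The sample listing is the INPUT and FORWARD chain
text pasted in the question above.
"""
import re
from dataclasses import dataclass, field

TERMINATING = {"ACCEPT", "DROP", "REJECT"}

# Sample input: INPUT and FORWARD chains copied from the question's listing.
SAMPLE = """\
Chain INPUT (policy ACCEPT)
target prot opt source destination
nova-api-INPUT all -- anywhere anywhere
nova-network-INPUT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
ACCEPT tcp -- anywhere anywhere multiport dports https
ACCEPT tcp -- anywhere anywhere multiport dports http
Chain FORWARD (policy ACCEPT)
target prot opt source destination
nova-filter-top all -- anywhere anywhere
nova-api-FORWARD all -- anywhere anywhere
nova-network-FORWARD all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
"""


@dataclass
class Rule:
    target: str
    prot: str
    src: str
    dst: str
    matches: str  # extra match text; target options such as reject-with are stripped


@dataclass
class Chain:
    name: str
    policy: str = ""  # empty for user-defined chains (they have no policy)
    rules: list = field(default_factory=list)


def parse_listing(text):
    """Parse `iptables -L` output into {chain name: Chain}."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)\)", line)
        if m:
            current = Chain(m.group(1), m.group(2) or "")
            chains[current.name] = current
            continue
        if line.startswith("target ") or current is None:
            continue  # column header or text outside any chain
        f = line.split()
        extra = " ".join(f[5:])
        # "reject-with X" is a target option, not a packet match.
        extra = re.sub(r"\breject-with \S+", "", extra).strip()
        current.rules.append(Rule(f[0], f[1], f[3], f[4], extra))
    return chains


def is_catch_all(rule):
    """True if the rule, as displayed, matches every packet and terminates."""
    return (rule.target in TERMINATING and rule.prot == "all"
            and rule.src == "anywhere" and rule.dst == "anywhere"
            and rule.matches == "")


def shadowed_rules(chains):
    """(chain, position, rule) for every rule after the first catch-all REJECT/DROP."""
    out = []
    for chain in chains.values():
        blocked = False
        for i, rule in enumerate(chain.rules):
            if blocked:
                out.append((chain.name, i, rule))
            elif is_catch_all(rule) and rule.target in ("REJECT", "DROP"):
                blocked = True
    return out


def catch_all_accepts(chains):
    """Unconditional ACCEPT rules; verify with -v that they are interface-bound."""
    return [(c.name, i, r) for c in chains.values()
            for i, r in enumerate(c.rules)
            if is_catch_all(r) and r.target == "ACCEPT"]


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    for name, pos, r in shadowed_rules(parsed):
        print(f"{name} rule {pos} is dead: {r.target} {r.prot} {r.matches}")
    for name, pos, r in catch_all_accepts(parsed):
        print(f"{name} rule {pos} accepts everything as listed; check -v for -i lo")
```

Run against the question's INPUT chain it reports the https and http ACCEPT rules (positions 7 and 8) as dead behind the REJECT at position 6, and flags the bare "ACCEPT all" at position 4 for confirmation with `-v`. Since nova rewrites its own chains on restart, the durable fix is ordering the host's own rules (the http/https ACCEPTs) before the REJECT in the host's saved ruleset, not editing nova's chains by hand.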