I installed OpenStack on RHEL6 using DevStack and had it running fine. One day one of our "system administrators" noticed that iptables was running on the system and decided to turn it off (chkconfig iptables off). He then rebooted the server and didn't tell me for a few days. Once he did tell me, I quickly checked whether I could still reach my instances. I could get to Horizon, and since nothing was being blocked I could also get to my instances from the console, but the instances had no network access. After that I tried to SSH to the instances from the server. The private IPs were unreachable.
I then tried restarting iptables. It came up... and blocked the Horizon dashboard. Then I tried restarting all of the OpenStack services... still no access to Horizon or to any instance, but at least now my iptables is populated with the nova rules:
Chain INPUT (policy ACCEPT)
target prot opt source destination
nova-api-INPUT all -- anywhere anywhere
nova-network-INPUT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
ACCEPT tcp -- anywhere anywhere multiport dports https
ACCEPT tcp -- anywhere anywhere multiport dports http
Chain FORWARD (policy ACCEPT)
target prot opt source destination
nova-filter-top all -- anywhere anywhere
nova-api-FORWARD all -- anywhere anywhere
nova-network-FORWARD all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
nova-filter-top all -- anywhere anywhere
nova-api-OUTPUT all -- anywhere anywhere
nova-network-OUTPUT all -- anywhere anywhere
Chain nova-api-FORWARD (1 references)
target prot opt source destination
Chain nova-api-INPUT (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere devcloud.camb.comdev.ca tcp dpt:8775
Chain nova-api-OUTPUT (1 references)
target prot opt source destination
Chain nova-api-local (1 references)
target prot opt source destination
Chain nova-filter-top (2 references)
target prot opt source destination
nova-api-local all -- anywhere anywhere
nova-network-local all -- anywhere anywhere
Chain nova-network-FORWARD (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain nova-network-INPUT (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
Chain nova-network-OUTPUT (1 references)
target prot opt source destination
Chain nova-network-local (1 references)
target prot opt source destination
None of these rules allow remote access to Horizon, and they don't even allow local access to the instances that should be running. On top of that, before iptables was turned off I was able to have Apache HTTPD listen on any port, but that seems to have stopped working as well.
Right now the only thing I can think of is to start over, because I don't know where to look. I've been reading about iptables and OpenStack and how they work together, but I haven't found a solution. Can anyone point me in a direction that might help?
I have considered adding rules directly to iptables, but they get overwritten by nova whenever a change is made or on restart, which would make them impossible to maintain.
Best answer: I had the same problem. I logged into the console and found the INPUT and FORWARD policies set to DROP. To fix it:
$ sudo iptables -P INPUT ACCEPT
$ sudo iptables -P FORWARD ACCEPT
After that I could ssh in and open the dashboard.
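As an added check (my script, not from the question or the answer), this audits `iptables -S` output for the two things this thread turns on: built-in chains whose default policy is DROP (the policy line is separate from the nova chains listed above), and rules that sit behind an unconditional terminating rule such as the distribution's catch-all REJECT in INPUT and can therefore never match. The ruleset in SAMPLE is constructed to mirror the INPUT chain in the question; on a live host you would feed it `sudo iptables -S` instead.

```shell
#!/bin/sh
# Audit iptables rules (in `iptables -S` form) for DROP default policies and
# for rules shadowed by an earlier unconditional ACCEPT/DROP/REJECT.

# Constructed sample modelled on the INPUT chain shown in the question:
# RHEL's default rules end in a catch-all REJECT, and nova's http/https
# ACCEPT rules were appended after it.
SAMPLE='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -j nova-api-INPUT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m multiport --dports 443 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

# Read `iptables -S` lines on stdin; print each chain whose policy is DROP.
drop_policies() {
  awk '$1 == "-P" && $3 == "DROP" { print $2 }'
}

# Read `iptables -S` lines on stdin; print every rule that follows an
# unconditional terminating rule in the same chain. A rule is unconditional
# when it has no match options, i.e. "-A <chain> -j <target> [target opts]".
shadowed_rules() {
  awk '
    $1 == "-A" {
      chain = $2
      if (chain in dead) { print; next }
      if ($3 == "-j" && ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT"))
        dead[chain] = 1
    }'
}

# Run both checks over the sample and label the findings.
audit() {
  printf '%s\n' "$SAMPLE" | drop_policies | sed 's/^/policy DROP: /'
  printf '%s\n' "$SAMPLE" | shadowed_rules | sed 's/^/unreachable: /'
}

audit
```

The two http/https rules are reported as unreachable because the REJECT before them already matches every packet that reaches it; moving the REJECT to the end of the chain (or inserting the ACCEPTs above it with `-I`) is what makes them effective.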