
I installed OpenStack on RHEL6 using DevStack, and it was working fine. One day, one of our "system administrators" noticed that iptables was running on the system and decided to turn it off (chkconfig iptables off). He then rebooted the server and didn't tell me for a few days. Once he told me, I quickly checked whether I could still access my instances. Horizon was accessible, since nothing was being blocked, and I could reach my instances from the console, but the instances had no network access. After that, I tried to SSH into the instances from the server. The private IPs were unreachable.

I then tried restarting iptables, and it came up... and blocked the Horizon dashboard. So I then tried restarting all the OpenStack services... still no access to Horizon or any instance, but at least my iptables were now populated with new rules:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
nova-api-INPUT  all  --  anywhere             anywhere            
nova-network-INPUT  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 
ACCEPT     tcp  --  anywhere             anywhere            multiport dports https 
ACCEPT     tcp  --  anywhere             anywhere            multiport dports http 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
nova-filter-top  all  --  anywhere             anywhere            
nova-api-FORWARD  all  --  anywhere             anywhere            
nova-network-FORWARD  all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
nova-filter-top  all  --  anywhere             anywhere            
nova-api-OUTPUT  all  --  anywhere             anywhere            
nova-network-OUTPUT  all  --  anywhere             anywhere            

Chain nova-api-FORWARD (1 references)
target     prot opt source               destination         

Chain nova-api-INPUT (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             devcloud.camb.comdev.ca tcp dpt:8775 

Chain nova-api-OUTPUT (1 references)
target     prot opt source               destination         

Chain nova-api-local (1 references)
target     prot opt source               destination         

Chain nova-filter-top (2 references)
target     prot opt source               destination         
nova-api-local  all  --  anywhere             anywhere            
nova-network-local  all  --  anywhere             anywhere            

Chain nova-network-FORWARD (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain nova-network-INPUT (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain 

Chain nova-network-OUTPUT (1 references)
target     prot opt source               destination         

Chain nova-network-local (1 references)
target     prot opt source               destination   

None of these rules allow remote access to Horizon, or even local access to the instances that should be running. On top of that, before iptables was turned off I was able to let Apache HTTPD listen on any port, but that seems to have stopped working as well.

Right now the only thing I can think of is starting over, because I don't know where to look. I have been reading about iptables and OpenStack and how they work together, but can't find any solution. Can anyone point me in a direction that might help?

I have considered adding the rules directly to iptables, but those would be overwritten by nova at any time, or overwritten on reboot, which would be unmaintainable.

1 Answer

I had the same problem. I logged into the console and found that the INPUT and FORWARD policies were set to drop. To fix this:

$ sudo iptables -P INPUT ACCEPT
$ sudo iptables -P FORWARD ACCEPT

Then I could SSH in and open the dashboard.

answered 2014-11-24T17:51:47.520
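As an added example (not from the original thread), a small read-only audit of `iptables -S` output that flags the two failure modes discussed here: a built-in chain whose default policy is DROP, and ACCEPT rules appended behind the stock RHEL REJECT so that they are never evaluated, which is exactly where the http/https rules sit in the INPUT chain shown in the question. The sample rule set is constructed to mirror that chain; the 192.0.2.10 address is a placeholder.

```python
"""Audit `iptables -S` output for two ways a host ends up unreachable: a built-in chain with
policy DROP, and ACCEPT rules placed after an unconditional REJECT/DROP in the same chain.
`-S` is parsed instead of `-L` because `-L` without -v hides -i/-o matches (e.g. `-i lo`)."""
import shlex

# Constructed sample (not the page's own output), modelled on the question's INPUT chain:
# the RHEL REJECT precedes the appended https/http ACCEPTs; FORWARD policy DROP as in the answer.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-P FORWARD DROP
-A INPUT -j nova-api-INPUT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m multiport --dports 443 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A nova-api-INPUT -d 192.0.2.10/32 -p tcp -m tcp --dport 8775 -j ACCEPT
"""
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

def parse(text):
    """Return ({chain: policy}, {chain: [(match_tokens, target), ...]}) in rule order."""
    policies, chains = {}, {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) >= 3 and tok[0] == "-P":
            policies[tok[1]] = tok[2]
        elif len(tok) >= 2 and tok[0] == "-N":
            chains.setdefault(tok[1], [])
        elif len(tok) >= 4 and tok[0] == "-A" and "-j" in tok:
            j = tok.index("-j")  # tokens between the chain name and -j are the match spec
            chains.setdefault(tok[1], []).append((tok[2:j], tok[j + 1]))
    return policies, chains

def audit(text):
    """Return findings as (kind, chain, rule_number, detail); rule numbers are 1-based."""
    policies, chains = parse(text)
    findings = [("policy-drop", c, 0, p) for c, p in policies.items() if p == "DROP"]
    for chain, rules in chains.items():
        for idx, (matches, target) in enumerate(rules):
            if target in TERMINATING and not matches:  # matches every packet, ends traversal
                for later in range(idx + 1, len(rules)):
                    findings.append(("shadowed", chain, later + 1, f"{target} at rule {idx + 1}"))
                break  # anything after the first unconditional terminator is already covered
    return findings

if __name__ == "__main__":
    for kind, chain, rule, detail in audit(SAMPLE_RULES):
        print(f"{kind:12} chain={chain} rule={rule} {detail}")
```

Run it against a live host with `iptables -S | python3 audit.py` after replacing SAMPLE_RULES with `sys.stdin.read()`; it only reads rules, so nova's periodic rewrite of its own chains is not disturbed.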