Multinode setups with CentOS 8 won't work due to traffic being blocked
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
devstack | Expired | Undecided | Unassigned |
Bug Description
Right now, if we deploy a multinode setup with devstack, we'll see that the traffic between nodes is going to be dropped.
The reason is the default iptables rules added by iptables-service, which is enabled here [0].
After we do this, the following rules are installed in the INPUT chain:
```
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   664 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             state NEW tcp dpt:ssh
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-
```
The last REJECT rule will prevent services from communicating across hosts, so we must disable it.
For reference, this is the default firewall configuration on a CentOS 8 machine:
```
$ sudo cat /etc/sysconfig/
# sample configuration for iptables service
# you can edit this manually or use system-
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-
-A FORWARD -j REJECT --reject-with icmp-host-
COMMIT
```
[0] https:/
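The following is an added example, not code from the bug report or from devstack. It parses an iptables-save style ruleset like the `/etc/sysconfig/iptables` quoted above, flags the unconditional REJECT rules that cause the problem, and simulates the first-match verdict a new connection from a peer node would receive. It then shows the effect of placing an explicit ACCEPT for the inter-node network in front of the catch-all REJECT, which keeps default-deny for every other source. The management subnet `10.0.0.0/24`, the peer address `10.0.0.5`, the outside address `192.0.2.9`, the interface `eth0` and the port 5672 are all constructed values; the reject type, truncated on the page, is completed to the stock CentOS value `icmp-host-prohibited` so the sample parses.

```python
"""Added example (not part of the bug report or devstack): inspect an
iptables-save ruleset for catch-all REJECT/DROP rules and simulate the
verdict a new inter-node connection gets before and after an explicit
allow is inserted ahead of the catch-all."""
import ipaddress
import shlex

# Constructed sample mirroring the CentOS 8 default quoted in the report.
# The page truncates the reject type; "icmp-host-prohibited" is the stock
# CentOS value and is completed here so the sample parses.
DEFAULT_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

NON_MATCH_OPTS = {"--reject-with"}  # target options, not packet criteria

# Packet criteria this simulator understands (the subset used in the sample).
CRITERIA = {
    "-s": lambda val, pkt: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(val, strict=False),
    "-p": lambda val, pkt: val == pkt["proto"],
    "-i": lambda val, pkt: val == pkt["in"],
    "--dport": lambda val, pkt: str(val) == str(pkt["dport"]),
    "--state": lambda val, pkt: pkt["state"] in val.split(","),
}


def parse_rule(line):
    """Parse one '-A CHAIN ...' line into (chain, opts, target) or None.
    Assumes every option takes exactly one value, as in the sample above."""
    tokens = shlex.split(line.strip())
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    chain, opts, target, i = tokens[1], {}, None, 2
    while i < len(tokens):
        tok, nxt = tokens[i], tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "-j":
            target = nxt
        elif tok != "-m":  # '-m <module>' only loads a match extension
            opts[tok] = nxt
        i += 2
    return chain, opts, target


def parse_ruleset(ruleset):
    """Return ({chain: policy}, [(chain, opts, target), ...]) in file order."""
    policies, rules = {}, []
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = policy
        elif line.startswith("-A "):
            rules.append(parse_rule(line))
    return policies, rules


def is_catchall(opts, target):
    """True for an unconditional REJECT/DROP (no packet criteria at all)."""
    return target in ("REJECT", "DROP") and not (set(opts) - NON_MATCH_OPTS)


def catchall_rejects(ruleset):
    """Chains carrying an unconditional REJECT/DROP, e.g. [('INPUT', 'REJECT')]."""
    _, rules = parse_ruleset(ruleset)
    return [(chain, target) for chain, opts, target in rules if is_catchall(opts, target)]


def rule_matches(opts, pkt):
    """All criteria must hold; an option outside CRITERIA raises KeyError."""
    return all(CRITERIA[opt](val, pkt) for opt, val in opts.items() if opt not in NON_MATCH_OPTS)


def verdict(ruleset, chain, src="10.0.0.5", proto="tcp", dport=None,
            state="NEW", in_iface="eth0"):
    """First-match walk of <chain>; falls back to the chain policy.
    Defaults describe a constructed new TCP connection from a peer node."""
    pkt = {"src": src, "proto": proto, "dport": dport, "state": state, "in": in_iface}
    policies, rules = parse_ruleset(ruleset)
    for c, opts, target in rules:
        if c == chain and rule_matches(opts, pkt):
            return target
    return policies.get(chain, "ACCEPT")


def allow_source_before_catchall(ruleset, cidr, chain="INPUT"):
    """Insert '-A <chain> -s <cidr> -j ACCEPT' just before the chain's first
    catch-all REJECT/DROP; with -A the earlier line wins, so the peer subnet
    is allowed while default-deny stays in place for every other source."""
    out, done = [], False
    for line in ruleset.splitlines():
        parsed = parse_rule(line) if line.startswith("-A ") else None
        if not done and parsed and parsed[0] == chain and is_catchall(*parsed[1:]):
            out.append(f"-A {chain} -s {cidr} -j ACCEPT")
            done = True
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    fixed = allow_source_before_catchall(DEFAULT_RULESET, "10.0.0.0/24")  # constructed subnet
    print("catch-all rules:", catchall_rejects(DEFAULT_RULESET))
    print("new tcp/5672 from peer, default:", verdict(DEFAULT_RULESET, "INPUT", dport=5672))
    print("new tcp/5672 from peer, fixed:  ", verdict(fixed, "INPUT", dport=5672))
    print("same port from outside subnet:  ", verdict(fixed, "INPUT", src="192.0.2.9", dport=5672))
```

Running the script against the default ruleset reports catch-all REJECTs on both INPUT and FORWARD and a REJECT verdict for a new connection from the peer node on any port other than 22; after the explicit allow is inserted, the same connection is accepted while a connection from an address outside the subnet is still rejected.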
Fix proposed to branch: master
Review: https://review.opendev.org/755554