I've already tried iptables command and it didn't work for me. The reason I need to access metadata server is for cloudpipe instance, get 'autorun.sh' from the server. Here's my 'iptables -L' result. "cloud02" the hostname of API Server. Something wrong? Chain INPUT (policy DROP) target prot opt source destination ACCEPT udp -- anywhere anywhere udp dpt:domain ACCEPT tcp -- anywhere anywhere tcp dpt:domain ACCEPT udp -- anywhere anywhere udp dpt:bootps ACCEPT tcp -- anywhere anywhere tcp dpt:bootps ACCEPT all -- anywhere anywhere ACCEPT icmp -- anywhere anywhere icmp any ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:telnet ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:www DROP all -- anywhere anywhere state INVALID ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT tcp -- anywhere cloud02 tcp dpt:ssh ACCEPT udp -- anywhere anywhere udp dpt:ntp nova_input all -- anywhere anywhere ACCEPT icmp -- anywhere anywhere REJECT tcp -- anywhere anywhere reject-with tcp-reset REJECT all -- anywhere anywhere reject-with icmp-port-unreachable Chain FORWARD (policy DROP) target prot opt source destination nova-local all -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT udp -- anywhere 10.0.0.2 udp dpt:openvpn ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED ACCEPT all -- 192.168.122.0/24 anywhere ACCEPT all -- anywhere anywhere REJECT all -- anywhere anywhere reject-with icmp-port-unreachable REJECT all -- anywhere anywhere reject-with icmp-port-unreachable DROP all -- anywhere anywhere state INVALID ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU nova_forward all -- anywhere anywhere Chain OUTPUT (policy ACCEPT) target prot opt source destination nova-local all -- anywhere anywhere DROP all -- anywhere anywhere state INVALID ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED nova_output all -- anywhere anywhere Chain nova-fallback (1 references) target prot opt source destination DROP all -- anywhere anywhere Chain nova-inst-1 (1 references) target prot opt source destination DROP all -- anywhere anywhere state INVALID ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED nova-sg-1 all -- anywhere anywhere ACCEPT udp -- 10.0.0.1 anywhere udp spt:bootps dpt:bootpc ACCEPT all -- 10.0.0.0/26 anywhere nova-fallback all -- anywhere anywhere Chain nova-local (2 references) target prot opt source destination nova-inst-1 all -- anywhere 10.0.0.3 Chain nova-sg-1 (1 references) target prot opt source destination Chain nova_forward (1 references) target prot opt source destination Chain nova_input (1 references) target prot opt source destination ACCEPT tcp -- anywhere cloud02 tcp dpt:8649 ACCEPT udp -- anywhere cloud02 udp dpt:8649 ACCEPT tcp -- anywhere cloud02 tcp dpt:www ACCEPT tcp -- anywhere cloud02 tcp dpt:https ACCEPT tcp -- anywhere cloud02 tcp dpt:3333 ACCEPT tcp -- anywhere cloud02 tcp dpt:8773 ACCEPT tcp -- anywhere cloud02 tcp dpt:6379 ACCEPT tcp -- anywhere cloud02 tcp dpt:mysql ACCEPT tcp -- anywhere cloud02 tcp dpt:4369 ACCEPT tcp -- anywhere cloud02 tcp dpt:amqp ACCEPT tcp -- anywhere cloud02 tcp dpt:53284 ACCEPT tcp -- 10.0.0.0/12 anywhere tcp dpt:domain ACCEPT udp -- 10.0.0.0/12 anywhere udp dpt:domain ACCEPT udp -- anywhere anywhere udp dpt:bootps ACCEPT tcp -- anywhere cloud02 tcp dpt:ldap Chain nova_output (1 references) target prot opt source destination