Bug 1122701

Summary: Incoming ports are wide open - no reject at the end of the chain
Product: Red Hat OpenStack Reporter: Steve Reichard <sreichar>
Component: openstack-foreman-installerAssignee: Jiri Stransky <jstransk>
Status: CLOSED ERRATA QA Contact: Alexander Chuzhoy <sasha>
Severity: high Docs Contact:
Priority: unspecified    
Version: 5.0 (RHEL 7)CC: aberezin, dnavale, jeckersb, jguiditt, jstransk, lars, mburns, morazi, rhos-maint, sreichar, yeylon
Target Milestone: ga   
Target Release: Installer   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-foreman-installer-2.0.20-1.el6ost Doc Type: Bug Fix
Doc Text:
Previously, on the RHEL 7 hosts, firewalld was not disabled early during puppet run, which resulted in the default iptables rules (for example, rejection of traffic which was not explicitly allowed) not being present. With this update, on the RHEL 7 hosts, firewalld is removed and iptables is started early in the puppet run, before Puppet attempts to create any custom iptables rules. As a result, default iptables rules (including rejection of traffic which was not explicitly allowed) are now present.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2014-08-21 18:06:11 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Steve Reichard 2014-07-23 19:48:21 UTC 
Description of problem:

What I see is that firewalld has been disabled, and iptables is being used, however the usaully reject at the end of the INPUT chain is missing.  This means all port are being accepted.  Notice you will not see any port 22 in the INPUT but I can ssh to the system.

[root@ospha1 ~]# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled)
   Active: inactive (dead)

[root@ospha1 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
nova-api-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5672,35672,4369 /* 001 amqp incoming */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443 /* 001 apache incoming */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8776 /* 001 cinder incoming */
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5404,5405 /* 001 corosync mcast */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 3306,9200,4567,4568,4444 /* 001 galera incoming */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9191,9292 /* 001 glance incoming */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8000 /* 001 heat cfn incoming */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8003 /* 001 heat cloudwatch incoming */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8004 /* 001 heat incoming */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5000,35357 /* 001 keystone incoming */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 81 /* 001 load balancer incoming */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8774,8775,6080,6081 /* 001 nova incoming */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 2224 /* 001 pcsd */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 873 /* 010 rsync incoming */

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
nova-filter-top  all  --  0.0.0.0/0            0.0.0.0/0           
nova-api-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
nova-filter-top  all  --  0.0.0.0/0            0.0.0.0/0           
nova-api-OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0           

Chain nova-api-FORWARD (1 references)
target     prot opt source               destination         

Chain nova-api-INPUT (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            10.19.139.31         tcp dpt:8775

Chain nova-api-OUTPUT (1 references)
target     prot opt source               destination         

Chain nova-api-local (1 references)
target     prot opt source               destination         

Chain nova-filter-top (2 references)
target     prot opt source               destination         
nova-api-local  all  --  0.0.0.0/0            0.0.0.0/0           
[root@ospha1 ~]# 





Version-Release number of selected component (if applicable):


[root@ospha-inst ~]# yum list installed | grep -e puppet -e foreman 
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
foreman.noarch                      1.6.0.21-1.el6sat  @RHEL-6-Server-OS-Foreman
foreman-installer.noarch            1:1.5.0-0.4.RC2.el6ost
foreman-mysql2.noarch               1.6.0.21-1.el6sat  @RHEL-6-Server-OS-Foreman
foreman-proxy.noarch                1.6.0.8-1.el6sat   @RHEL-6-Server-OS-Foreman
foreman-selinux.noarch              1.6.0.3-1.el6sat   @RHEL-6-Server-OS-Foreman
openstack-foreman-installer.noarch  2.0.16-1.el6ost    @RHEL-6-Server-OS-Foreman
openstack-puppet-modules.noarch     2014.1-19.1.el6ost @RHEL-6-Server-OS-Foreman
puppet.noarch                       3.6.2-1.1.el6      @RHEL-6-Server-OS-Foreman
puppet-server.noarch                3.6.2-1.1.el6      @RHEL-6-Server-OS-Foreman
ruby193-rubygem-foreman_openstack_simplify.noarch
rubygem-foreman_api.noarch          0.1.11-4.el6sat    @RHEL-6-Server-OS-Foreman
rubygem-hammer_cli_foreman.noarch   0.1.0-6.el6sat     @RHEL-6-Server-OS-Foreman
rubygem-hammer_cli_foreman-doc.noarch
[root@ospha-inst ~]# 




How reproducible:


Noticed on last couple of config and psoted mail.

Seen with All-in-one HA, Nova Net Controller, Nova Net Compute




Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 2 Jason Guiditta 2014-07-24 14:00:47 UTC 
Lars, any idea if something has changed in RHEL 7 setup here?  We have made no changes to how we set up our firewall rules between Havana/Icehouse and RHEL 6/7.  Do you think this is likely something we need to work around/add, or something missing from the firewall puppet module related to RHEL 7 + forewalld as the default?
Comment 3 Lars Kellogg-Stedman 2014-07-24 15:38:14 UTC 
We are never explicitly creating a default REJECT rule in the firewall.

The puppet "firewall" module preserves the pre-existing firewall configuration.  If I start with:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3609:260737]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited 
COMMIT

And then run packstack --allinone, I end up with:

-P INPUT ACCEPT
-A INPUT -p tcp -m multiport --dports 8777 -m comment --comment "001 ceilometer-api incoming ceilometer_api" -j ACCEPT 
-A INPUT -j neutron-openvswi-INPUT 
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT 
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT 
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT 
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT 
-A INPUT -j nova-api-INPUT 
-A INPUT -s 172.16.0.18/32 -p tcp -m multiport --dports 3260,8776 -m comment --comment "001 cinder incoming cinder_172.16.0.18" -j ACCEPT 
-A INPUT -s 172.16.0.18/32 -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming glance_172.16.0.18" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 80 -m comment --comment "001 horizon 80  incoming" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 5000,35357 -m comment --comment "001 keystone incoming keystone" -j ACCEPT 
-A INPUT -i lo -p tcp -m multiport --dports 27017 -m comment --comment "001 mongodb incoming localhost" -j ACCEPT 
-A INPUT -s 172.16.0.18/32 -p tcp -m multiport --dports 3306 -m comment --comment "001 mysql incoming mysql_172.16.0.18" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 80 -m comment --comment "001 nagios incoming" -j ACCEPT 
-A INPUT -s 172.16.0.18/32 -p tcp -m multiport --dports 5666 -m comment --comment "001 nagios-nrpe incoming nagios_nrpe" -j ACCEPT 
-A INPUT -s 172.16.0.18/32 -p tcp -m multiport --dports 67 -m comment --comment "001 neutron dhcp in incoming neutron_dhcp_in_172.16.0.18_172.16.0.18" -j ACCEPT 
-A INPUT -s 172.16.0.18/32 -p tcp -m multiport --dports 9696 -m comment --comment "001 neutron server incoming neutron_server_172.16.0.18_172.16.0.18" -j ACCEPT 
-A INPUT -s 172.16.0.18/32 -p tcp -m multiport --dports 5900:5999 -m comment --comment "001 nova compute incoming nova_compute" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 8773,8774,8775 -m comment --comment "001 novaapi incoming" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 6080 -m comment --comment "001 novncproxy incoming" -j ACCEPT 
-A INPUT -s 172.16.0.18/32 -p tcp -m multiport --dports 5671,5672 -m comment --comment "001 qpid incoming qpid_172.16.0.18" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 8080 -m comment --comment "001 swift proxy incoming" -j ACCEPT 
-A INPUT -s 172.16.0.18/32 -p tcp -m multiport --dports 6000,6001,6002,873 -m comment --comment "001 swift storage and rsync incoming swift_storage_and_rsync_172.16.0.18" -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 

But if I start with an empty firewall table, I don't automatically get a default REJECT rule.
Comment 4 Lars Kellogg-Stedman 2014-07-24 15:48:42 UTC 
Would it make sense to run "iptables-save > /etc/sysconfig/iptables" prior to disabling firewalld?  That would in theory preserve the existing firewalld-generated configuration.
Comment 5 Jiri Stransky 2014-07-30 16:02:20 UTC 
Here's the solution with iptables-save. The problem is that iptables rules created by firewalld are more complex than we need for this use case (some custom chains, often empty etc.), but if we disable firewalld we can no longer manage the complex rules via firewall-cmd.

https://github.com/redhat-openstack/astapor/pull/328

Here's another solution which recreates the default rules using puppet:

https://github.com/redhat-openstack/astapor/pull/329

I'm leaning a bit towards the latter, we'll see what others think.
Comment 6 Jason Guiditta 2014-08-01 21:41:32 UTC 
This may be solved by eck's plan to change for kickstart to not include firewalld to begin with, so I think we should track the outcome of 

https://bugzilla.redhat.com/show_bug.cgi?id=1125075

and then decide how to proceed here.
Comment 8 Mike Burns 2014-08-12 18:52:22 UTC 
Is this still a problem now that 1125075 is fixed?
Comment 9 Jason Guiditta 2014-08-13 19:56:59 UTC 
Yes, still  problem, jistr posted patch here:
https://github.com/redhat-openstack/astapor/pull/329

which I just tested and merged.
Comment 12 Alexander Chuzhoy 2014-08-18 16:07:51 UTC 
Verified: FailedQA with rhel-osp-installer-0.1.10-2.el6ost.noarch

Environment:
rhel-osp-installer-0.1.10-2.el6ost.noarch
openstack-foreman-installer-2.0.21-1.el6ost.noarch
ruby193-rubygem-foreman_openstack_simplify-0.0.6-8.el6ost.noarch
openstack-puppet-modules-2014.1-20.1.el6ost.noarch


As you can see below - no reject rule and the default is ACCEPT.

[root@staypuft yum.repos.d]# iptables -L INPUT
Chain INPUT (policy ACCEPT)                   
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            multiport ports ssh /* 22 accept - ssh */ 
ACCEPT     tcp  --  anywhere             anywhere            multiport ports https /* 443 accept - apache */ 
ACCEPT     tcp  --  anywhere             anywhere            multiport ports domain /* 53 accept - dns tcp */ 
ACCEPT     udp  --  anywhere             anywhere            multiport ports domain /* 53 accept - dns udp */ 
ACCEPT     udp  --  anywhere             anywhere            multiport ports bootps /* 67 accept - dhcp */    
ACCEPT     udp  --  anywhere             anywhere            multiport ports bootpc /* 68 accept - bootp */   
ACCEPT     udp  --  anywhere             anywhere            multiport ports tftp /* 69 accept - tftp */      
ACCEPT     tcp  --  anywhere             anywhere            multiport ports http /* 80 accept - apache */    
ACCEPT     tcp  --  anywhere             anywhere            multiport ports 8140 /* 8140 accept - puppetmaster */
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:sunrpc
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:sunrpc
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:32803
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:filenet-rpc
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:xinupageserver
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:xinupageserver
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pftp
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:pftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:892
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:892
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:rquotad
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:rquotad
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:nfs
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:nfs
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:tftp
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:8140
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:8140
Comment 13 Mike Burns 2014-08-18 16:29:26 UTC 
This bug is for the EL7 hosts we're deploying RHEL-OSP to, not the el6 host running Foreman.
Comment 14 Alexander Chuzhoy 2014-08-18 17:54:13 UTC 
Verified: rhel-osp-installer-0.1.10-2.el6ost.noarch

On controller:

[root@maca25400868097 ~]# iptables -nL                       
Chain INPUT (policy ACCEPT)                                  
target     prot opt source               destination         
nova-network-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           
nova-api-metadat-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           
nova-compute-INPUT  all  --  0.0.0.0/0            0.0.0.0/0               
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53  
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53  
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67  
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67  
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5900:5999 /* 001 nova compute incoming */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED                                 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0                                                                      
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0                                                                      
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22                                      
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited                          

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
nova-filter-top  all  --  0.0.0.0/0            0.0.0.0/0           
nova-network-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0           
nova-api-metadat-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0           
nova-compute-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0               
ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     0.0.0.0/0                                       
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0                                       
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
nova-filter-top  all  --  0.0.0.0/0            0.0.0.0/0           
nova-network-OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0           
nova-api-metadat-OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0           
nova-compute-OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0               

Chain nova-api-metadat-FORWARD (1 references)
target     prot opt source               destination         

Chain nova-api-metadat-INPUT (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            192.168.32.3         tcp dpt:8775

Chain nova-api-metadat-OUTPUT (1 references)
target     prot opt source               destination         

Chain nova-api-metadat-local (1 references)
target     prot opt source               destination         

Chain nova-compute-FORWARD (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  0.0.0.0              255.255.255.255      udp spt:68 dpt:67

Chain nova-compute-INPUT (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  0.0.0.0              255.255.255.255      udp spt:68 dpt:67

Chain nova-compute-OUTPUT (1 references)
target     prot opt source               destination         

Chain nova-compute-local (1 references)
target     prot opt source               destination         

Chain nova-compute-provider (0 references)
target     prot opt source               destination         

Chain nova-compute-sg-fallback (0 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain nova-filter-top (2 references)
target     prot opt source               destination
nova-network-local  all  --  0.0.0.0/0            0.0.0.0/0
nova-api-metadat-local  all  --  0.0.0.0/0            0.0.0.0/0
nova-compute-local  all  --  0.0.0.0/0            0.0.0.0/0

Chain nova-network-FORWARD (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain nova-network-INPUT (1 references)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53

Chain nova-network-OUTPUT (1 references)
target     prot opt source               destination

Chain nova-network-local (1 references)
target     prot opt source               destination


On compute:
[root@maca25400868096 ~]# iptables -nL                                    
Chain INPUT (policy ACCEPT)                                               
target     prot opt source               destination                      
nova-network-INPUT  all  --  0.0.0.0/0            0.0.0.0/0               
nova-api-metadat-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53  
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53  
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67  
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67  
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5900:5999 /* 001 nova compute incoming */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED                                 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0                                                                      
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0                                                                      
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22                                      
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited                          

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
nova-filter-top  all  --  0.0.0.0/0            0.0.0.0/0           
nova-network-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0           
nova-api-metadat-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     0.0.0.0/0                                       
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0                                       
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
nova-filter-top  all  --  0.0.0.0/0            0.0.0.0/0           
nova-network-OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0           
nova-api-metadat-OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0           

Chain nova-api-metadat-FORWARD (1 references)
target     prot opt source               destination         

Chain nova-api-metadat-INPUT (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            192.168.100.254      tcp dpt:8775

Chain nova-api-metadat-OUTPUT (1 references)
target     prot opt source               destination

Chain nova-api-metadat-local (1 references)
target     prot opt source               destination

Chain nova-filter-top (2 references)
target     prot opt source               destination
nova-network-local  all  --  0.0.0.0/0            0.0.0.0/0
nova-api-metadat-local  all  --  0.0.0.0/0            0.0.0.0/0

Chain nova-network-FORWARD (1 references)
target     prot opt source               destination

Chain nova-network-INPUT (1 references)
target     prot opt source               destination

Chain nova-network-OUTPUT (1 references)
target     prot opt source               destination

Chain nova-network-local (1 references)
target     prot opt source               destination
Comment 15 errata-xmlrpc 2014-08-21 18:06:11 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1090.html
Comment 16 Steve Reichard 2014-09-18 14:05:26 UTC 
I finally installed, things looked reasonable to me