Bug 976598

Summary: Updating iptables config is inconsistent.
Product: Red Hat OpenStack
Reporter: Summer Long <slong>
Component: doc-Installation_and_Configuration_Guide
Assignee: Don Domingo <ddomingo>
Status: CLOSED CURRENTRELEASE
QA Contact: ecs-bugs
Severity: low
Priority: low
Version: 3.0
CC: alyoung, ddomingo, sgordon, zaitcev
Target Milestone: ---
Keywords: Documentation, Triaged
Target Release: 4.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2014-01-06 00:04:58 UTC
Type: Bug
Regression: ---
Bug Blocks: 1011085

Description Summer Long 2013-06-21 01:10:40 UTC
Section Number and Name: 
Firewall sections

Describe the issue: 
Currently, the following update methods are used:
--On the command line, with 'iptables -A INPUT' (goes on end of chain)
--On the command line, with 'iptables -I INPUT' (uses a number to determine where to place)
--Updating the /etc/sysconfig/iptables configuration file


Suggestions for improvement: 
Use the update-the-file approach so that it is obvious where the rule needs to be, and so that sysadmins can easily integrate the rule into their iptables script.

Comment 2 Stephen Gordon 2013-06-21 02:42:44 UTC
The other alternative is a tool called lokkit, but we would have to check if it is always available (it needs to be in the @base package group in RHEL).

Comment 3 Stephen Gordon 2013-06-28 18:45:11 UTC
(In reply to Summer Long from comment #0)
> Section Number and Name: 
> Firewall sections
> 
> Describe the issue: 
> Currently, the following update methods are used:
> --On the command line, with 'iptables -A INPUT' (goes on end of chain)
> --On the command line, with 'iptables -I INPUT' (uses a number to determine
> where to place)

I had forgotten, but further testing has confirmed, that the default RHEL firewall includes a REJECT all rule at the end of the INPUT chain. As a result, both of these methods of updating the firewall result in the new rule being inserted *after* the rule that REJECTs the traffic (hence having no impact). That is, unless of course you happen to know the exact number to provide with -I (unlikely).

I think that's why I had gone with the update the file approach in the first place (on top of the reasons in the description).
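The trap described in this comment, worked through as an added example (my script, not text or code from the guide): a helper that edits an iptables-save style file such as /etc/sysconfig/iptables and places the new rule before the INPUT chain's REJECT rule, plus one that reports the position you would otherwise have to guess for `iptables -I INPUT <n>`. The ruleset is constructed, modelled on the RHEL default firewall; the function names and the NRPE port 5666 rule are my own choices.

```sh
#!/bin/sh
# Added example, not from the guide. A rule appended with "iptables -A INPUT"
# lands after the default REJECT-all rule and never matches; these helpers put
# it into an iptables-save style config file *before* that REJECT rule instead.

# Write a constructed ruleset modelled on the RHEL default firewall to $1.
write_sample_config() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Print the 1-based position of the INPUT chain's REJECT rule: the number you
# would have to pass to "iptables -I INPUT <n>" for a live insert to take effect.
reject_position() {
    awk '/^-A INPUT / { n++ } /^-A INPUT .*-j REJECT/ { print n; exit }' "$1"
}

# insert_before_reject <config-file> <rule>
# Inserts <rule> immediately before the first INPUT REJECT rule. Returns 1 and
# leaves the file untouched if no such rule exists, so a malformed file cannot
# silently end up with the rule appended where it would be ignored.
insert_before_reject() {
    cfg="$1"; rule="$2"; tmp="$cfg.tmp.$$"
    awk -v rule="$rule" '
        /^-A INPUT .*-j REJECT/ && !hit { print rule; hit = 1 }
        { print }
        END { exit hit ? 0 : 1 }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg" || { rm -f "$tmp"; return 1; }
}
```

After editing /etc/sysconfig/iptables this way, `service iptables restart` loads the file, and `iptables -L INPUT -n --line-numbers` lets you confirm the new rule sits above the REJECT line.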

Comment 4 Don Domingo 2013-11-13 23:50:06 UTC
Taking this one for now. Will update the BZ status once my RH account gets reactivated. --ddomingo

Comment 5 Don Domingo 2013-11-14 01:24:59 UTC
I revised the iptables instructions in the following topics to make them consistent with all the others; they are all of the "update config file" variety now:

	Configuring NRPE
	Firewall Configuration
	Configuring the Object Storage Service Storage Nodes

By the way, the iptables rule in that last topic also opens port 873, not sure why. Left it as is for now.