Bug 976598 - Updating iptables config is inconsistent.
Status: CLOSED CURRENTRELEASE
Product: Red Hat OpenStack
Classification: Red Hat
Component: doc-Installation_and_Configuration_Guide
Version: 3.0
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Target Release: 4.0
Assigned To: Don Domingo
QA Contact: ecs-bugs
Keywords: Documentation, Triaged
Blocks: 1011085
Reported: 2013-06-20 21:10 EDT by Summer Long
Modified: 2014-01-05 19:04 EST
Doc Type: Bug Fix
Last Closed: 2014-01-05 19:04:58 EST
Type: Bug
Attachments: None

Description Summer Long 2013-06-20 21:10:40 EDT
Section Number and Name: 
Firewall sections

Describe the issue: 
Currently, the following update methods are used:
--On the command line, with 'iptables -A INPUT' (goes on end of chain)
--On the command line, with 'iptables -I INPUT' (uses a number to determine where to place)
--Updating the /etc/sysconfig/iptables configuration file
Suggestions for improvement: 
Use the update-the-file approach so that it is obvious where the rule needs to be, and so that sysadmins can easily integrate the rule into their iptables script.
Comment 2 Stephen Gordon 2013-06-20 22:42:44 EDT
The other alternative is a tool called lokkit, but we would have to check if it is always available (need it to be in the @base package group in RHEL).
Comment 3 Stephen Gordon 2013-06-28 14:45:11 EDT
(In reply to Summer Long from comment #0)
> Section Number and Name: 
> Firewall sections
> 
> Describe the issue: 
> Currently, the following update methods are used:
> --On the command line, with 'iptables -A INPUT' (goes on end of chain)
> --On the command line, with 'iptables -I INPUT' (uses a number to determine
> where to place)

I had forgotten, but further testing has confirmed, that the default RHEL firewall includes a REJECT-all rule at the end of the INPUT chain. As a result both of these methods of updating the firewall result in the new rule being inserted *after* the rule that REJECTs the traffic (hence having no impact). That is, unless of course you happen to know the exact number to provide with -I (unlikely).

I think that's why I had gone with the update the file approach in the first place (on top of the reasons in the description).
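The following is an added example, not code from this bug, the Installation and Configuration Guide, or Red Hat. It shows the "update the file" approach Summer proposes in the description and the pitfall Stephen describes in comment 3: a rule that lands behind the catch-all `-j REJECT` in the INPUT chain never matches, so the script places the new rule in front of that REJECT and reports where both end up. `SAMPLE_RULES` is a constructed stand-in for the shape of a default RHEL 6 `/etc/sysconfig/iptables` (the real file on a host may differ), the function names are my own, and TCP 5666 is the standard NRPE port, chosen because comment 5 names the "Configuring NRPE" topic as one of those revised.

```shell
#!/bin/sh
# Added example: insert a rule into an /etc/sysconfig/iptables-style file ahead
# of the catch-all REJECT, instead of appending it with `iptables -A INPUT`.
# SAMPLE_RULES is a constructed stand-in for the default RHEL 6 ruleset; the
# real file on a given host may differ, so read it before scripting against it.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# input_chain_position FILE RULE
# Prints the 1-based position RULE will have in the INPUT chain once FILE is
# loaded (the number `iptables -L INPUT --line-numbers` would show), or nothing
# if RULE is not in FILE.
input_chain_position() {
    grep -- '^-A INPUT ' "$1" | grep -nFx -- "$2" | cut -d: -f1
}

# reject_position FILE
# Prints the INPUT position of the first catch-all REJECT rule. This is also
# the N you would have to pass to `iptables -I INPUT N ...` when editing the
# live chain instead of the file.
reject_position() {
    grep -- '^-A INPUT ' "$1" | grep -nE -- '-j REJECT' | head -n 1 | cut -d: -f1
}

# insert_before_reject FILE RULE
# Inserts RULE (an "-A INPUT ..." line) immediately before the first INPUT
# REJECT rule in FILE. A rule already present is left alone (idempotent). If no
# REJECT rule exists the file is not shaped like the default, so the function
# returns 1 without touching it rather than guessing a position.
insert_before_reject() {
    file=$1
    rule=$2
    if grep -Fqx -- "$rule" "$file"; then
        return 0
    fi
    if ! grep -Eq -- '^-A INPUT .*-j REJECT' "$file"; then
        return 1
    fi
    tmp=$(mktemp) || return 1
    awk -v rule="$rule" '
        !done && /^-A INPUT .*-j REJECT/ { print rule; done = 1 }
        { print }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite in place so the ownership and mode of the original file survive.
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# demo: apply the NRPE rule (TCP 5666) to a copy of the sample and show where
# it lands relative to the REJECT.
demo() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_RULES" > "$f"
    rule='-A INPUT -m state --state NEW -m tcp -p tcp --dport 5666 -j ACCEPT'
    insert_before_reject "$f" "$rule"
    echo "new rule at INPUT position $(input_chain_position "$f" "$rule"), REJECT now at $(reject_position "$f")"
    cat "$f"
    rm -f "$f"
    # On a real host the edited file takes effect with: service iptables restart
}

demo
```

After editing the real file and restarting the service, `iptables -L INPUT -n --line-numbers` should list the new ACCEPT on a lower-numbered line than the REJECT; if it does not, the rule is dead and the file needs another look.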
Comment 4 Don Domingo 2013-11-13 18:50:06 EST
Taking this one for now. Will update the BZ status once my RH account gets reactivated. --ddomingo
Comment 5 Don Domingo 2013-11-13 20:24:59 EST
I revised the iptables instructions in the following topics to make them consistent with all the others; they are all of the "update config file" variety now:

	Configuring NRPE
	Firewall Configuration
	Configuring the Object Storage Service Storage Nodes

By the way, the iptables rule in that last topic also opens port 873, not sure why. Left it as is for now.
