After restarting an OpenStack host you may encouter problems with missing iptables rules (we're on an quite old release of OpenStack currently. Maybe this is fixed in newer releases). The nova chains appear in the iptables -L output but they're empty. NAT is working fine. The reason is, that the NAT chains are configured by nova-network while the filter rules are managed by nova-compute. I didn't manage to find the cause of this behaivour yet, but I think it has something to do with the start order of the nova services. (When nova-network isn't present at nova-compute startup, no rules will be applied at all)

Do you need DevOps-experts?

Your development team has a full backlog? No time for infrastructure architecture? Our DevOps team is ready to support you!

• We build reliable cloud solutions with Infrastructure as code
• We are experts in security, Linux and databases
• We support your dev team to perform

Read more Show archive.org snapshot

You can restart the nova-compute service and nova should insert the rules one by one (you can see this with a tail -f on the nove-compute log). This shouldn't effect the state of your running VMs.

tail -F /var/log/nova/nova-compute.log &
sudo /etc/init.d/nova-compute restart

You have to wait some time until nova used all configured rules. (the time depends on the number of configured rules, the more rules the more time)

When looking at iptables -L again you should see, that the rules are present now.