
port forwarding via dashboard

asked 2017-02-08 05:04:13 -0500


I wish to enable, in the Dashboard (aka Horizon) [Openstack 3.0], an option so that I can do port forwarding from the router's public IP to a tenant's private IP.

Something like

Traffic from internet on port 2222 on public ip on tenant router to forward to private ip on tenant instance on port 22

internet -> 185.56.223.120:2222 -> 172.20.0.99:22

I can do that manually with iptables, but as I say, can this be implemented in Horizon?


1 answer


answered 2017-06-06 03:49:50 -0500


This cannot be done via the Dashboard. The only way to do this is directly on the tenant router.

Example:

  • We have 3 network nodes
  • Tenant routers are in HA

First, list the tenant routers with the command

 neutron router-list

In the output you will see the tenant router

| ff34f529-ebd8-463d-9eef-351302f4751a | XXX_router| {"network_id": "abdf8375-ee13-4c0f-8d8a -21ea5f44d366","enable_snat": true, "external_fixed_ips": [{"subnet_id": "5b653809-4a2d-4fc0-b8fd-345b33f929d9", "ip_address": "123.45.678.90"}]}

Then we must see which network nodes the router is on; because of HA we have a primary and one in standby.

neutron l3-agent-list-hosting-router ff34f529-ebd8-463d-9eef-351302f4751a

The output is

+--------------------------------------+--------------------+----------------+-------+----------+
| id                                   | host               | admin_state_up | alive | ha_state |
+--------------------------------------+--------------------+----------------+-------+----------+
| ecce13b3-f920-4803-8fc0-90caaaa586ac | nn-m1 | True           | :-)   | standby  |
| e70f3759-7e48-42b0-b21b-177abd13be68 | nn-m2 | True           | :-)   | active   |
+--------------------------------------+--------------------+----------------+-------+----------+

We must make the changes on both routers. Go to the first:

nn-m1~$ sudo ip netns exec qrouter-ff34f529-ebd8-463d-9eef-351302f4751a bash

First, save the existing iptables rules:

root@nn-m1:/home/stack# iptables-save
# Generated by iptables-save v1.4.21 on Mon Mar 27 11:04:43 2017
*raw
:PREROUTING ACCEPT [1260371:52215836]
:OUTPUT ACCEPT [14:560]
:neutron-vpn-agen-OUTPUT - [0:0]
:neutron-vpn-agen-PREROUTING - [0:0]
-A PREROUTING -j neutron-vpn-agen-PREROUTING
-A OUTPUT -j neutron-vpn-agen-OUTPUT
COMMIT
# Completed on Mon Mar 27 11:04:43 2017
# Generated by iptables-save v1.4.21 on Mon Mar 27 11:04:43 2017
*nat
:PREROUTING ACCEPT [7:367]
:INPUT ACCEPT [1:127]
:OUTPUT ACCEPT [1:40]
:POSTROUTING ACCEPT [0:0]
:neutron-postrouting-bottom - [0:0]
:neutron-vpn-agen-OUTPUT - [0:0]
:neutron-vpn-agen-POSTROUTING - [0:0]
:neutron-vpn-agen-PREROUTING - [0:0]
:neutron-vpn-agen-float-snat - [0:0]
:neutron-vpn-agen-snat - [0:0]
-A PREROUTING -j neutron-vpn-agen-PREROUTING
-A OUTPUT -j neutron-vpn-agen-OUTPUT
-A POSTROUTING -j neutron-vpn-agen-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A neutron-postrouting-bottom -m comment --comment "Perform source NAT on outgoing traffic." -j neutron-vpn-agen-snat
-A neutron-vpn-agen-POSTROUTING ! -i qg-51adb648-eb ! -o qg-51adb648-eb -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-vpn-agen-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-vpn-agen-snat -j neutron-vpn-agen-float-snat
-A neutron-vpn-agen-snat -o qg-51adb648-eb -j SNAT --to-source 123.45.678.90
-A neutron-vpn-agen-snat -m mark ! --mark 0x2/0xffff -m conntrack --ctstate DNAT -j SNAT --to-source 123.45.678.90
COMMIT
# Completed on Mon Mar 27 11:04:43 2017
# Generated by iptables-save v1.4.21 on Mon Mar 27 11:04:43 2017
*mangle
:PREROUTING ACCEPT [1260369:52215756]
:INPUT ACCEPT [1260289:52212556]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [13:520]
:POSTROUTING ACCEPT [13:520]
:neutron-vpn-agen-FORWARD - [0:0]
:neutron-vpn-agen-INPUT - [0:0]
:neutron-vpn-agen-OUTPUT - [0:0]
:neutron-vpn-agen-POSTROUTING - [0:0]
:neutron-vpn-agen-PREROUTING - [0:0]
:neutron-vpn-agen-mark - [0:0]
-A PREROUTING -j neutron-vpn-agen-PREROUTING
-A INPUT -j neutron-vpn-agen-INPUT
-A FORWARD -j neutron-vpn-agen-FORWARD
-A OUTPUT -j neutron-vpn-agen-OUTPUT
-A POSTROUTING -j neutron-vpn-agen-POSTROUTING
-A neutron-vpn-agen-PREROUTING -j neutron-vpn-agen-mark
-A neutron-vpn-agen-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x1/0xffff
-A neutron-vpn-agen-mark -i qg-51adb648-eb -j MARK --set-xmark 0x2/0xffff
COMMIT
# Completed on Mon Mar 27 11:04:43 2017
# Generated by iptables-save v1.4.21 on Mon Mar 27 11:04:43 2017
*filter
:INPUT ACCEPT [1260289:52212556]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [13:520]
:neutron-filter-top - [0:0]
:neutron-vpn-agen-FORWARD - [0:0]
:neutron-vpn-agen-INPUT - [0:0]
:neutron-vpn-agen-OUTPUT - [0:0]
:neutron-vpn-agen-local - [0:0]
-A INPUT -j neutron-vpn-agen-INPUT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-vpn-agen-FORWARD
-A OUTPUT -j neutron-filter-top
-A ...
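The answer above stops before the actual forwarding rule. The following helper is an added example, not part of the original answer or of OpenStack: it builds the nat/PREROUTING DNAT rule that maps the public IP and port from the question (185.56.223.120:2222) to the instance (172.20.0.99:22) and runs it inside the qrouter namespace for the router id shown in the answer. Ports are validated before anything is executed, and DRY_RUN=1 prints the command instead of running it. The function names (is_port, dnat_rule, dnat_cmd, apply_port_forward) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original answer): build and apply a DNAT port
# forward inside a Neutron qrouter namespace. Run on every node that hosts the
# HA router (active and standby), because each keeps its own namespace.

ROUTER_ID="ff34f529-ebd8-463d-9eef-351302f4751a"   # router id from the answer's router-list output
PUBLIC_IP="185.56.223.120"                          # router public IP from the question
PRIVATE_IP="172.20.0.99"                            # instance private IP from the question

# is_port: succeed only when the argument is an integer in 1..65535
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# dnat_rule ACTION PUBLIC_IP PUBLIC_PORT PRIVATE_IP PRIVATE_PORT
# Prints the iptables arguments (without the leading "iptables") for the DNAT
# rule. ACTION is A (append) or C (check whether the rule already exists).
# Fails without printing anything when either port is malformed.
dnat_rule() {
    if ! is_port "$3" || ! is_port "$5"; then
        return 1
    fi
    printf '%s\n' "-t nat -$1 PREROUTING -d $2/32 -p tcp -m tcp --dport $3 -j DNAT --to-destination $4:$5"
}

# dnat_cmd ACTION ROUTER_ID PUBLIC_IP PUBLIC_PORT PRIVATE_IP PRIVATE_PORT
# Prints the full command to execute on the network node.
dnat_cmd() {
    rule=$(dnat_rule "$1" "$3" "$4" "$5" "$6") || return 1
    printf 'ip netns exec qrouter-%s iptables %s\n' "$2" "$rule"
}

# apply_port_forward PUBLIC_PORT PRIVATE_PORT
# Idempotent: checks for the rule with -C first and appends it only if absent.
apply_port_forward() {
    check=$(dnat_cmd C "$ROUTER_ID" "$PUBLIC_IP" "$1" "$PRIVATE_IP" "$2") || { echo "invalid port" >&2; return 1; }
    add=$(dnat_cmd A "$ROUTER_ID" "$PUBLIC_IP" "$1" "$PRIVATE_IP" "$2") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$add"
        return 0
    fi
    # Word-splitting of the generated command is intended here.
    if sudo $check 2>/dev/null; then
        echo "rule already present"
    else
        sudo $add
    fi
}

# Usage on each network node:  DRY_RUN=1 sh forward.sh   (print only)
#                              sh forward.sh             (apply)
if [ "${DRY_RUN:-0}" = 1 ]; then
    apply_port_forward 2222 22
fi
```

Two caveats a practitioner needs: the rule lives only in the namespace, so it is gone after a reboot of the network node or a recreation of the router namespace and must be reapplied; and the router namespace does not enforce security groups, which are applied on the compute node's port, so the instance's security group still has to allow TCP/22 from the forwarded source before the connection succeeds.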


Stats

Asked: 2017-02-08 05:04:13 -0500

Seen: 1,528 times

Last updated: Jun 06 '17