Ask Your Question
1

router portforwarding

asked 2017-03-14 12:01:44 -0600

Javi gravatar image

Hi all,

We have not many public IPs so we must think about to use the Public Router IP to forward the traffic to the VM. As far as I know, we can create some iptables rules to do that.

These are which we are using but they don't work.

ip netns exec qrouter-xxxx iptables -t nat -I neutron-l3-agent-PREROUTING -p tcp -d RouterGW_IP -j DNAT --to VM_Internal_IP:22

ip netns exec qrouter-xxxx iptables -t nat -I neutron-l3-agent-snat -p tcp -s PUBLICfloating_IP --sport 22 -j SNAT --to RouterGW_IP

In this example:

RouterGW_IP is the Instance network gateway

VM_Internal_IP is the Instance Internal IP

PUBLICfloating_IP is the IP reached from Internet

What am I missing???

Note: We are using 3 Controllers with Neutron L3 HA on a Mitaka environment.

I also have followed the instructions from https://blueprints.launchpad.net/neutron/+spec/router-port-forwarding (https://blueprints.launchpad.net/neut...) with no success.

THx in advance

edit retag flag offensive close merge delete
add a comment

2 answers

Sort by » oldest newest most voted
0

answered 2017-03-15 04:32:26 -0600

Vinoth gravatar image

Associating floating IP to any OpenStack’s VM will send the packet via router’s Gateway with the source IP address as floating IP’s IP address. So don't associate floating IPs to the VMs.

Use the below NAT command to access the Openstack VM using the router's elastic IP:

   $ ip netns exec qrouter-f85bxxxx-61b2-xxxx-xxxx-xxxxba0xxxx iptables -t nat -A PREROUTING -p tcp  -d **RouterGW_IP**  –dport 522 -j DNAT –to-destination **VM_Internal_IP:22**

In the above command, I had NAT for forwarding all packets for RouterGW_IP with port 522

Using the above NAT command, All the packets reaching RouterGW_IP with port number 522 will be forwarded to VM_Internal_IP:22

Ref:- http://www.hellovinoth.com/guide-for-...

edit flag offensive delete link more
add a comment
0

answered 2017-03-15 11:26:32 -0600

Javi gravatar image

Thank you for the answer.

I created the rule on the router but I cannot reach the VM from the internet.

The rule I typed is: ip netns exec qrouter-xxx-xx-x-x iptables -t nat -A PREROUTING -p tcp -d RouterGW_IP --dport 522 -j DNAT --to-destination VM_Internal_IP:22

We miss something else because it doesnn't work. When I nmap the PublicIP (RouterGW_IP) from interntet all the ports are filtered. So maybe we must accept the forward ???

Thx in advance

edit flag offensive delete link more
add a comment

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2017-03-14 12:01:44 -0600

Seen: 1,194 times

Last updated: Mar 15 '17

Related questions

Error: Quota exceeded for resource router

Openstack external network subnet issue

Enable ports of neutron subnet and inetrface of a router

Using NAT to assign external IP to floating IP

Help with public networking (instance) communication issue

l3-agent Cannot find device

Router not routing between internal and external network in openstack

Why can my router and dchp not ping each other? [closed]

specify subnet with router set gateway on external net with multiple subnets

How to restart the router in OpenStack?