cant ping vRouter from other hosts: Destination Host Prohibited

asked 2018-01-04 10:21:23 -0500


updated 2018-01-04 10:47:36 -0500

Hey guys,

I'm stuck in another weird problem. I set up Pike RDO on the latest CentOS 7, with iptables because Neutron hates firewalld, linuxbridge, 1 external net (public), 1 internal net (mgmt, data), 1 API node, 1 network node and a couple of computes. I had it running on Juno and Kilo, but was using a network/compute-node hybrid in all the releases in between. Created a vRouter (44) and could ping it from the same host but not the others. I did it in Kilo on OVS instead of linuxbridge and it worked fine. Double-checked FW (devsetup)

[root@22 ~]# iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
neutron-linuxbri-INPUT  all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     tcp  --  x.x.x.0/27       anywhere             state NEW tcp
ACCEPT     udp  --  x.x.x.0/27       anywhere
ACCEPT     tcp  --  10.1.1.0/24          anywhere             state NEW tcp
ACCEPT     udp  --  10.1.1.0/24          anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-linuxbri-FORWARD  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-linuxbri-OUTPUT  all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc

Chain neutron-filter-top (2 references)
target     prot opt source               destination
neutron-linuxbri-local  all  --  anywhere             anywhere

Chain neutron-linuxbri-FORWARD (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-INPUT (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-OUTPUT (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-local (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-sg-chain (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain neutron-linuxbri-sg-fallback (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             /* Default drop rule for unmatched traffic. */

but still:

From x.x.x.22 icmp_seq=1 Destination Host Prohibited
L3 is pretty much stock: https://docs.openstack.org/neutron/pi... but later I did and also tested many other configs:
[DEFAULT]
interface_driver = linuxbridge
external_network_bridge = br0
verbose = True
debug = True
use_syslog = True
syslog_log_facility = LOG_LOCAL0
use_namespaces = True
enable_metadata_proxy = True

tcpdump -i br0 |grep -v my_onw_host

15:36:54.608446 IP  11.mydomain >  44.mydomain: ICMP echo request, id 5079, seq 1225, length 64
15:36:54.609838 IP dns.mydomain.domain >  22.mydomain.46497: 57792* 1/4/8 PTR  44.mydomain. (347)
15:37:15.608414 IP  22.mydomain >  11.mydomain: ICMP host  44.mydomain unreachable - admin prohibited, length 92
15:37:15.608431 IP  11.mydomain >  44.mydomain: ICMP echo request, id 5079, seq 1246, length 64
15:37:15 ...

1 answer


answered 2018-02-05 11:28:53 -0500


It seems that iptables in combination with OpenStack Neutron Pike on linuxbridge was corrupt in December '17. Lines 4 and 5 weren't set due to the iptables daemon's false active state. Update it, debug the inactive-state error, install additional iptables packages, rerun the Neutron installation; they should be set and the vRouter should be available through IPv4!

iptables -L

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-linuxbri-FORWARD  all  --  anywhere             anywhere
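Two things in the question and the answer are worth checking mechanically on a node like this: whether the FORWARD chain still jumps into Neutron's chains (the two lines the answer says were missing), and whether a catch-all REJECT with icmp-host-prohibited is what bridged traffic ends up hitting. The audit below is an added example, not the poster's code or anything shipped with Neutron. It reads `iptables-save` text rather than `iptables -L` output, because `iptables -L` without `-v` hides `-i`/`-o` interface matches, so the libvirt `virbr0` rules look like unconditional `ACCEPT all`/`REJECT all` lines. The embedded ruleset is constructed, modelled on the FORWARD chain posted above with the libvirt interface matches assumed.

```python
"""
Audit an iptables-save ruleset for the symptom in the question above:
bridged traffic on a Neutron linuxbridge node answered with
"Destination Host Prohibited" because FORWARD reaches a catch-all REJECT
before any Neutron rule accepts the packet.
"""
import re
from collections import OrderedDict

# Constructed sample, modelled on the FORWARD chain in the question.
# The -i/-o matches on the libvirt rules are assumed; `iptables -L` hides them.
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:neutron-filter-top - [0:0]
:neutron-linuxbri-FORWARD - [0:0]
:neutron-linuxbri-local - [0:0]
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-linuxbri-FORWARD
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A neutron-filter-top -j neutron-linuxbri-local
COMMIT
"""

RULE_RE = re.compile(r"^-A (\S+) (.*)$")


def parse_ruleset(text):
    """Map chain name -> list of rule argument strings, in file order."""
    chains = OrderedDict()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):            # chain declaration, e.g. ":FORWARD ACCEPT [0:0]"
            chains.setdefault(line[1:].split()[0], [])
        m = RULE_RE.match(line)
        if m:                               # "-A <chain> <args...>"
            chains.setdefault(m.group(1), []).append(m.group(2))
    return chains


def rule_target(rule):
    """Return the -j target of a rule, or '' if it has none."""
    return rule.split("-j ")[-1].split()[0] if "-j " in rule else ""


def is_catch_all(rule):
    """True when the rule carries no interface, address, protocol or match qualifier."""
    return not re.search(r"(^|\s)(-i|-o|-s|-d|-p|-m)\s", rule)


def audit_forward(chains, prefix="neutron-linuxbri-"):
    """Return a list of human-readable findings about the FORWARD path."""
    findings = []
    forward = chains.get("FORWARD", [])
    # 1. Neutron's two jumps (the lines the answer says were missing) must be present.
    for jump in ("neutron-filter-top", prefix + "FORWARD"):
        if not any(r.endswith("-j " + jump) for r in forward):
            findings.append("missing jump to %s in FORWARD" % jump)
    # 2. Per-agent chains with no rules mean the agent never programmed them.
    for chain, rules in chains.items():
        if chain.startswith(prefix) and not rules:
            findings.append("chain %s is empty" % chain)
    # 3. A catch-all REJECT/DROP in FORWARD is what bridged packets finally hit.
    for idx, rule in enumerate(forward, start=1):
        target = rule_target(rule)
        if target in ("REJECT", "DROP") and is_catch_all(rule):
            findings.append("catch-all %s at FORWARD rule %d: %s" % (target, idx, rule))
    return findings


if __name__ == "__main__":
    # On a real node: iptables-save | python thisscript.py (reading stdin instead of SAMPLE_RULESET)
    for finding in audit_forward(parse_ruleset(SAMPLE_RULESET)):
        print(finding)
```

Run against the constructed sample it reports the two empty Neutron chains and the final icmp-host-prohibited REJECT; delete the two `-j neutron-...` lines and it reports the missing jumps instead, which is the state the answer describes.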