
Can't access external network from a VM

asked 2012-12-25 23:11:24 -0500

gandalf100

I'm using OpenStack Quantum with the Linux bridge plugin. I'm trying to access an external network (172.30.0.0/16) from a VM (192.168.101.4), but it seems that the packets are going out with the source IP of the internal network.

Here is the iptables configuration of the network node (running the dhcp/l3/linux-bridge agents):

# Generated by iptables-save v1.4.7 on Tue Dec 25 23:57:49 2012
*nat
:PREROUTING ACCEPT [2439:381349]
:POSTROUTING ACCEPT [27:2655]
:OUTPUT ACCEPT [32:3383]
:quantum-l3-agent-OUTPUT - [0:0]
:quantum-l3-agent-POSTROUTING - [0:0]
:quantum-l3-agent-PREROUTING - [0:0]
:quantum-l3-agent-float-snat - [0:0]
:quantum-l3-agent-snat - [0:0]
:quantum-postrouting-bottom - [0:0]
-A PREROUTING -j quantum-l3-agent-PREROUTING
-A POSTROUTING -j quantum-l3-agent-POSTROUTING
-A POSTROUTING -j quantum-postrouting-bottom
-A OUTPUT -j quantum-l3-agent-OUTPUT
-A quantum-l3-agent-POSTROUTING ! -i qg-63ca34c1-fe ! -o qg-63ca34c1-fe -m conntrack ! --ctstate DNAT -j ACCEPT
-A quantum-l3-agent-snat -j quantum-l3-agent-float-snat
-A quantum-l3-agent-snat -s 192.168.101.0/24 -j SNAT --to-source 172.30.40.133
-A quantum-postrouting-bottom -j quantum-l3-agent-snat
COMMIT
# Completed on Tue Dec 25 23:57:49 2012
# Generated by iptables-save v1.4.7 on Tue Dec 25 23:57:49 2012
*filter
:INPUT ACCEPT [51588:23769810]
:FORWARD ACCEPT [52059:23463546]
:OUTPUT ACCEPT [1946:526042]
:quantum-filter-top - [0:0]
:quantum-l3-agent-FORWARD - [0:0]
:quantum-l3-agent-INPUT - [0:0]
:quantum-l3-agent-OUTPUT - [0:0]
:quantum-l3-agent-local - [0:0]
-A INPUT -j quantum-l3-agent-INPUT
-A FORWARD -j quantum-filter-top
-A FORWARD -j quantum-l3-agent-FORWARD
-A OUTPUT -j quantum-filter-top
-A OUTPUT -j quantum-l3-agent-OUTPUT
-A quantum-filter-top -j quantum-l3-agent-local
COMMIT
# Completed on Tue Dec 25 23:57:49 2012

Is it correct that the packets are not going through the SNAT rule? What am I missing?

Thanks, Itzik


4 answers


answered 2012-12-26 07:44:06 -0500

gongysh

Hi, I mean you can check whether your iptables service works by adding a new rule to it.


answered 2012-12-26 00:31:55 -0500

gongysh

The rules seem good. You can try to add some rules to test whether your iptables service works, for example: sudo iptables --append INPUT --protocol icmp --jump DROP to block ping locally.


answered 2012-12-26 07:31:51 -0500

gandalf100

Hi,

Thanks for your answer. I don't see a DROP rule. The thing is that when I run tcpdump on the host in the external network, I see that the packets have the source IP of the internal network and not, as they should, the address of the external network (the network node's external IP).

Thanks, Itzik


answered 2012-12-26 22:12:39 -0500

gandalf100

As noted by Etsuji Nakai in this guide (thanks Gary):

http://d.hatena.ne.jp/enakai00/20121118/1353226066

One should do the following:

  1. Check the following entries in /etc/sysctl.conf:

     net.bridge.bridge-nf-call-ip6tables = 0
     net.bridge.bridge-nf-call-iptables = 0
     net.bridge.bridge-nf-call-arptables = 0

  2. Create /etc/sysconfig/modules/openstack-quantum-linuxbridge.modules as below:

     #!/bin/sh
     modprobe -b bridge >/dev/null 2>&1
     exit 0

  3. # chmod ugo+x /etc/sysconfig/modules/openstack-quantum-linuxbridge.modules

  4. reboot
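The steps above only take effect if the three net.bridge.bridge-nf-call-* keys really are set to 0 when sysctl.conf is applied, and those keys only exist once the bridge module is loaded, which is why the boot-time loader in step 2 has to exist and be executable. The following POSIX sh script is an added example (it is not from the answer above or from the linked guide) that checks a sysctl.conf-style file for the three keys and writes the step-2 loader. The function names, the file-path parameters and the sample sysctl.conf content are constructed for the example; it never touches the live kernel.

```shell
#!/bin/sh
# Added example, not part of the original answer or the guide it links.
# Checks that a sysctl.conf-style file pins the three bridge-netfilter keys
# from step 1 to 0, and writes the step-2 module loader so the bridge module
# (and with it the net.bridge.* sysctl keys) exists before sysctl.conf is
# applied at boot. File paths are parameters so the script runs against a
# constructed sample; nothing here changes a live host.

# Print the effective value of KEY in FILE (last assignment wins; comment
# lines, trailing comments and blank lines are ignored). Prints nothing
# when the key is absent.
sysctl_conf_value() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }                    # whole-line comment
        {
            line = $0
            sub(/#.*/, "", line)                  # strip trailing comment
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1)
            v = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }
    ' "$1"
}

# Return 0 when all three keys are present and set to 0; otherwise report
# each offending key on stderr and return 1.
check_bridge_nf_conf() {
    file=$1
    rc=0
    for key in net.bridge.bridge-nf-call-iptables \
               net.bridge.bridge-nf-call-ip6tables \
               net.bridge.bridge-nf-call-arptables; do
        val=$(sysctl_conf_value "$file" "$key")
        if [ "$val" != "0" ]; then
            echo "$file: $key is '${val:-unset}', expected 0" >&2
            rc=1
        fi
    done
    return $rc
}

# Write the step-2 boot-time loader to PATH and make it executable (step 3).
write_linuxbridge_modules_file() {
    cat > "$1" <<'EOF'
#!/bin/sh
modprobe -b bridge >/dev/null 2>&1
exit 0
EOF
    chmod ugo+x "$1"
}

# Stand-alone demo on a constructed sample (not a real host's sysctl.conf):
# one key is deliberately left at 1 so the check reports it.
demo() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
# constructed sample sysctl.conf
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 1   # wrong: bridged frames still hit iptables
net.bridge.bridge-nf-call-arptables = 0
EOF
    if check_bridge_nf_conf "$sample"; then
        echo "bridge-nf sysctls OK"
    else
        echo "bridge-nf sysctls need fixing (see messages above)"
    fi
    rm -f "$sample"
}

demo
```

Run it against the real file with `check_bridge_nf_conf /etc/sysctl.conf` after the reboot in step 4, and compare with what the kernel actually has (`sysctl net.bridge.bridge-nf-call-iptables`); if the sysctl command reports the key as missing, the bridge module is not loaded yet, which is exactly the ordering problem step 2 addresses. Note that on kernels 3.18 and later these keys moved to the separate br_netfilter module, so the module name in the loader differs there.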



Stats

Seen: 219 times

Last updated: Dec 26 '12