router allowing incoming packets but drops the outgoing -iptables? [closed]

asked 2015-04-07 19:19:17 -0500

pradeepcsekar

updated 2015-04-08 13:59:48 -0500

My router that connects the provider and tenant networks is dropping the outgoing packets. I have attached a floating IP to one of my instances and allowed ICMP traffic (both ingress and egress). When I try to ping from outside, I see the echo replies getting dropped at the qg interface inside the router namespace.

bash-4.2# ip netns exec qrouter-1306cecd-d55e-4a90-a9af-96be92779a1b ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: qg-dbeca7ef-4c: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether fa:16:3e:db:d0:de brd ff:ff:ff:ff:ff:ff
    inet 172.31.231.71/25 brd 172.31.231.127 scope global qg-dbeca7ef-4c
       valid_lft forever preferred_lft forever
    inet 172.31.231.72/32 brd 172.31.231.72 scope global qg-dbeca7ef-4c
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fedb:d0de/64 scope link
       valid_lft forever preferred_lft forever
3: qr-8e9060b7-b3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether fa:16:3e:67:a4:19 brd ff:ff:ff:ff:ff:ff
    inet 55.0.0.1/24 brd 55.0.0.255 scope global qr-8e9060b7-b3
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe67:a419/64 scope link
       valid_lft forever preferred_lft forever

If I do a tcpdump on the qr interface, I see the replies from the instance arriving:

bash-4.2# ip netns exec qrouter-1306cecd-d55e-4a90-a9af-96be92779a1b tcpdump -i qr-8e9060b7-b3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on qr-8e9060b7-b3, link-type EN10MB (Ethernet), capture size 65535 bytes
00:14:47.124367 IP 10.157.8.162 > 55.0.0.4: ICMP echo request, id 39434, seq 2172, length 64
00:14:47.124538 IP 55.0.0.4 > 10.157.8.162: ICMP echo reply, id 39434, seq 2172, length 64
00:14:48.127992 IP 10.157.8.162 > 55.0.0.4: ICMP echo request, id 39434, seq 2173, length 64
00:14:48.128133 IP 55.0.0.4 > 10.157.8.162: ICMP echo reply, id 39434, seq 2173, length 64

but on the qg interface the replies are getting dropped:

bash-4.2# ip netns exec qrouter-1306cecd-d55e-4a90-a9af-96be92779a1b tcpdump -i qg-dbeca7ef-4c icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on qg-dbeca7ef-4c, link-type EN10MB (Ethernet), capture size 65535 bytes
00:15:37.305216 IP 10.157.8.162 > RackA_control_server-1: ICMP echo request, id 39434, seq 2222, length 64
00:15:38.307587 IP 10.157.8.162 > RackA_control_server-1: ICMP echo request, id 39434, seq 2223, length 64
00:15:39.312015 IP 10.157.8.162 > RackA_control_server-1: ICMP echo request, id 39434, seq 2224, length 64

This is how my router namespace iptables looks ...


Closed for the following reason: the question is answered, right answer was accepted by pradeepcsekar
close date 2015-04-08 09:54:50.293358

Comments

Please add:

1. ip netns exec qrouter-1306cecd-d55e-4a90-a9af-96be92779a1b iptables -S -t nat
2. ovs-vsctl show

dbaxps (2015-04-07 22:41:09 -0500)

Also:

3. neutron router-port-list router
4. neutron port-show xxxxxxxxxxxxxxxxxxxxxxxxxx
5. neutron port-show yyyyyyyyyyyyyyyyyyyyyyyyyy
   for both port-ids @ your-router

dbaxps (2015-04-07 22:58:43 -0500)

2 answers

1

answered 2015-04-08 09:56:32 -0500

pradeepcsekar

updated 2015-04-08 13:59:15 -0500

Fixed: the L3 agent was not injecting the default routes properly into my external router namespace. Once added, the issue was resolved.


Comments

1

"Once added" -- can you please show what you added? Thanks

GLaupre (2015-04-08 14:01:53 -0500)

ip netns exec qrouter-xxxxx-xxxx-xxxx ip route add default via <gateway_ip>

but investigation is still needed into why this didn't happen

pradeepcsekar (2015-04-08 18:54:58 -0500)

How can we verify that we also are experiencing the problem?

ethode (2015-04-09 21:20:12 -0500)
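The check ethode asks for, and the reason the replies in the question's tcpdump never reach qg: the echo reply is addressed to 10.157.8.162, which is covered neither by the connected 55.0.0.0/24 route on qr nor by the connected 172.31.231.0/25 route on qg, so without a default route the kernel inside the namespace has no next hop and discards the packet before it is ever transmitted on qg (the requests still show up on qg because they are received there, not routed). The script below is an added example, not code from this thread or from Neutron: it audits every qrouter-* namespace on an L3 agent node for a default route, lists which destinations a given routing table cannot forward, and optionally asks the kernel with `ip route get` whether an external address is reachable at all. The gateway 172.31.231.1 and the two sample routing tables are constructed for offline demonstration (the thread never states the external gateway); the live functions assume root and iproute2 on the network node.

```shell
#!/bin/sh
# Added example (not from the original thread): audit Neutron qrouter
# namespaces for a missing default route, the condition behind the
# dropped echo replies discussed above.

# check_default_route TABLE
#   TABLE is the text of `ip route show` taken inside a namespace.
#   Prints "ok <gateway>" and returns 0 when a default route exists,
#   prints "missing" and returns 1 otherwise.
check_default_route() {
    gw=$(printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }')
    if [ -n "$gw" ]; then
        printf 'ok %s\n' "$gw"
        return 0
    fi
    printf 'missing\n'
    return 1
}

# in_prefix ADDR NETWORK/LEN
#   Returns 0 if the IPv4 ADDR lies inside NETWORK/LEN. Done in awk with
#   integer division by 2^(32-LEN) so no bitwise operators are needed.
in_prefix() {
    printf '%s %s\n' "$1" "$2" | awk '
    function toint(a,  o) { split(a, o, "."); return ((o[1]*256+o[2])*256+o[3])*256+o[4] }
    {
        split($2, p, "/"); len = p[2]; host = 2^(32-len)
        if (int(toint($1) / host) == int(toint(p[1]) / host)) exit 0
        exit 1
    }'
}

# unroutable_destinations TABLE DEST...
#   Prints each DEST that is neither on a connected subnet listed in TABLE
#   nor covered by a default route: exactly the packets such a namespace
#   drops. With a default route present nothing is printed.
unroutable_destinations() {
    table=$1; shift
    if check_default_route "$table" >/dev/null; then
        return 0
    fi
    prefixes=$(printf '%s\n' "$table" | awk '$1 ~ /^[0-9]+\.[0-9.]+\/[0-9]+$/ { print $1 }')
    for dest in "$@"; do
        covered=0
        for pfx in $prefixes; do
            if in_prefix "$dest" "$pfx"; then covered=1; break; fi
        done
        [ "$covered" -eq 0 ] && printf '%s\n' "$dest"
    done
    return 0
}

# audit_qrouters [DEST]
#   Live check on the network node (root + iproute2 assumed): report every
#   qrouter-* namespace's default-route status and, if DEST is given, let
#   the kernel in each namespace say whether DEST is reachable.
audit_qrouters() {
    dest=${1:-}
    ip netns list 2>/dev/null | awk '/^qrouter-/ { print $1 }' | while read -r ns; do
        table=$(ip netns exec "$ns" ip route show 2>/dev/null)
        status=$(check_default_route "$table") || true
        printf '%s: default route %s\n' "$ns" "$status"
        if [ -n "$dest" ]; then
            # "RTNETLINK answers: Network is unreachable" here means replies
            # to DEST are discarded before they ever reach the qg port.
            ip netns exec "$ns" ip route get "$dest" 2>&1 | sed "s/^/$ns: /"
        fi
    done
}

# Constructed sample tables built from the interfaces in the question.
# The 172.31.231.1 gateway is an assumption; the thread does not give it.
TABLE_WITH_DEFAULT='default via 172.31.231.1 dev qg-dbeca7ef-4c
55.0.0.0/24 dev qr-8e9060b7-b3  proto kernel  scope link  src 55.0.0.1
172.31.231.0/25 dev qg-dbeca7ef-4c  proto kernel  scope link  src 172.31.231.71'

TABLE_WITHOUT_DEFAULT='55.0.0.0/24 dev qr-8e9060b7-b3  proto kernel  scope link  src 55.0.0.1
172.31.231.0/25 dev qg-dbeca7ef-4c  proto kernel  scope link  src 172.31.231.71'

# Offline demonstration with the addresses seen in the question's tcpdump.
check_default_route "$TABLE_WITHOUT_DEFAULT" || echo "no default route: off-link replies are dropped"
unroutable_destinations "$TABLE_WITHOUT_DEFAULT" 10.157.8.162 172.31.231.100 55.0.0.4
# -> prints 10.157.8.162 only; the other two are on connected subnets

if [ "${1:-}" = "--live" ]; then
    audit_qrouters "${2:-}"
fi
```

Run on the network node as root with `--live 10.157.8.162` (any file name) to get one line per qrouter namespace; a namespace reported as `missing` plus a `Network is unreachable` answer from `ip route get` reproduces the symptom in the question. The accepted fix is the `ip route add default via <gateway_ip>` from the comment above, where `<gateway_ip>` should be the external subnet's gateway_ip as Neutron has it, so that the manual route and what the L3 agent would have programmed agree.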
0

answered 2015-04-08 01:36:44 -0500

ccebrian

updated 2015-04-08 01:39:17 -0500

Have you verified the "Security Group" policy? If none is defined, then the "default" group is automatically associated, and depending on the installation the pre-built rules of the default group sometimes preclude the outgoing traffic ...


Stats

Asked: 2015-04-07 19:19:17 -0500

Seen: 674 times

Last updated: Apr 08 '15