Outbound connectivity from the VMs (instances) to the Internet

asked 2015-05-22 04:57:57 -0600

Daniel Ruiz

Hello,

I'm managing an OpenStack cloud (Havana... yeah, too old...) with nova-network and ONLY one interface per node (and one interface in the controller and network node, which are the same server). All traffic flows over eth0 (and, of course, br100).

When I launch an instance, I assign it a floating IP address from the public pool, so the instance can be reached from the Internet over SSH. But once I have logged into the instance, I can't browse the Internet, because it seems there is a NAT problem with some iptables rule in the controller. I have run this simple test: from inside the instance (with a private IP assigned by OpenStack and a public floating IP), I ping another server (in the same public network as the floating IPs), and that server receives ICMP traffic from the private IP of the instance, as if NAT were failing in the controller.

However, the iptables rules in the controller seem to be correct (or maybe they just seem so to me :( ):

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
nova-network-PREROUTING  all  --  anywhere             anywhere
nova-api-PREROUTING  all  --  anywhere             anywhere

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
nova-network-POSTROUTING  all  --  anywhere             anywhere
nova-api-POSTROUTING  all  --  anywhere             anywhere
nova-postrouting-bottom  all  --  anywhere             anywhere
MASQUERADE  tcp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
MASQUERADE  udp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
MASQUERADE  all  --  192.168.122.0/24    !192.168.122.0/24

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
nova-network-OUTPUT  all  --  anywhere             anywhere
nova-api-OUTPUT  all  --  anywhere             anywhere

Chain nova-api-OUTPUT (1 references)
target     prot opt source               destination

Chain nova-api-POSTROUTING (1 references)
target     prot opt source               destination

Chain nova-api-PREROUTING (1 references)
target     prot opt source               destination

Chain nova-api-float-snat (1 references)
target     prot opt source               destination

Chain nova-api-snat (1 references)
target     prot opt source               destination
nova-api-float-snat  all  --  anywhere             anywhere

Chain nova-network-OUTPUT (1 references)
target     prot opt source               destination
DNAT       all  --  anywhere             10.3.4.200          to:192.168.32.13
DNAT       all  --  anywhere             FLOATING_PUBLIC_IP  to:192.168.32.13

Chain nova-network-POSTROUTING (1 references)
target     prot opt source               destination
ACCEPT     all  --  192.168.32.0/22      CONTROLLER_PUBLIC_IP
ACCEPT     all  --  192.168.32.0/22      192.168.32.0/22     ! ctstate DNAT
SNAT       all  --  192.168.32.13        anywhere            ctstate DNAT to:10.3.4.200
SNAT       all  --  192.168.32.13        anywhere            ctstate DNAT to:FLOATING_PUBLIC_IP

Chain nova-network-PREROUTING (1 references)
target     prot opt source               destination
DNAT       tcp  --  anywhere             169.254.169.254     tcp dpt:http to:CONTROLLER_PUBLIC_IP:8775
DNAT       all  --  anywhere             10.3.4.200          to:192.168.32.13
DNAT       all  --  anywhere             FLOATING_PUBLIC_IP  to:192.168.32.13

Chain nova-network-float-snat (1 references)
target     prot opt source               destination
SNAT       all  --  192.168.32.13        192.168.32.13       to:10.3.4.200
SNAT       all  --  192.168.32.13        anywhere            to:10.3.4.200
SNAT       all  --  192.168.32.13        192.168.32.13       to:FLOATING_PUBLIC_IP
SNAT       all  --  192.168.32.13        anywhere            to:FLOATING_PUBLIC_IP

Chain nova-network-snat (1 ...
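When reading a nova-network NAT table like the one above, the question to answer is: for a packet with this source and destination, which POSTROUTING rule terminates processing, and does it rewrite the source? The following is an added example, written for this page and not code from the poster or from nova-network. It is a small walker over an iptables-save style ruleset that follows jumps from POSTROUTING, honours `!` negation and `conntrack --ctstate`, and treats ACCEPT as terminal, because in the nat table an ACCEPT ends NAT processing and no later SNAT rule can apply. The ruleset inside it is constructed and modelled on the chain names in the post: 203.0.113.1 stands in for CONTROLLER_PUBLIC_IP, 203.0.113.50 for FLOATING_PUBLIC_IP, 192.168.32.14 is an assumed second instance with no floating IP, and it is assumed that nova-postrouting-bottom reaches nova-network-float-snat via nova-network-snat. To walk a real controller's rules, paste the output of `iptables-save -t nat` in place of SAMPLE_NAT; matches the parser does not know (for example `--dport` or `-o`) make it raise rather than guess.

```python
import ipaddress
import shlex

# Constructed sample, modelled on the chains shown in the post (addresses
# are placeholders, and the nova-postrouting-bottom -> nova-network-snat
# -> nova-network-float-snat linkage is an assumption).
SAMPLE_NAT = """
-A POSTROUTING -j nova-network-POSTROUTING
-A POSTROUTING -j nova-api-POSTROUTING
-A POSTROUTING -j nova-postrouting-bottom
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A nova-network-POSTROUTING -s 192.168.32.0/22 -d 203.0.113.1/32 -j ACCEPT
-A nova-network-POSTROUTING -s 192.168.32.0/22 -d 192.168.32.0/22 -m conntrack ! --ctstate DNAT -j ACCEPT
-A nova-network-POSTROUTING -s 192.168.32.13/32 -m conntrack --ctstate DNAT -j SNAT --to-source 203.0.113.50
-A nova-postrouting-bottom -j nova-network-snat
-A nova-network-snat -j nova-network-float-snat
-A nova-network-float-snat -s 192.168.32.13/32 -d 192.168.32.13/32 -j SNAT --to-source 203.0.113.50
-A nova-network-float-snat -s 192.168.32.13/32 -j SNAT --to-source 203.0.113.50
"""

TERMINAL = {"ACCEPT", "DROP", "SNAT", "DNAT", "MASQUERADE"}


def parse_rule(line):
    """Parse one `-A CHAIN ...` line; each match is stored as (value, negated)."""
    toks = shlex.split(line)
    rule = {"chain": None, "src": None, "dst": None, "proto": None,
            "ctstate": None, "target": None, "to": None}
    neg, i = False, 0
    while i < len(toks):
        t, arg = toks[i], toks[i + 1] if i + 1 < len(toks) else None
        if t == "!":                      # negates the next match
            neg, i = True, i + 1
            continue
        if t == "-A":
            rule["chain"] = arg
        elif t == "-s":
            rule["src"] = (ipaddress.ip_network(arg, strict=False), neg)
        elif t == "-d":
            rule["dst"] = (ipaddress.ip_network(arg, strict=False), neg)
        elif t == "-p":
            rule["proto"] = (arg, neg)
        elif t == "--ctstate":
            rule["ctstate"] = (set(arg.split(",")), neg)
        elif t == "-j":
            rule["target"] = arg
        elif t in ("--to-source", "--to-destination"):
            rule["to"] = arg
        elif t != "-m":                   # `-m conntrack` carries no match itself
            raise ValueError(f"unsupported match {t!r} in: {line}")
        neg, i = False, i + 2
    return rule


def load_chains(text):
    chains = {}
    for line in text.splitlines():
        if line.startswith("-A "):        # skip *nat, :CHAIN and COMMIT lines
            r = parse_rule(line)
            chains.setdefault(r["chain"], []).append(r)
    return chains


def matches(rule, pkt):
    def check(field, test):
        if rule[field] is None:
            return True
        value, negated = rule[field]
        return test(value) != negated
    return (check("src", lambda n: pkt["src"] in n)
            and check("dst", lambda n: pkt["dst"] in n)
            and check("proto", lambda p: p in ("all", pkt["proto"]))
            and check("ctstate", lambda s: pkt["ctstate"] in s))


def walk(chains, chain, pkt, path):
    """Return the rule that terminates NAT processing, or None on fall-through.
    ACCEPT is terminal here: in the nat table it stops the traversal, so the
    packet keeps whatever source it had."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        path.append(f"{chain} -> {target}")
        if target == "RETURN":
            return None
        if target in TERMINAL:
            return rule
        hit = walk(chains, target, pkt, path)  # user-defined chain
        if hit is not None:
            return hit
    return None


def trace_postrouting(ruleset, src, dst, proto="icmp", ctstate="NEW"):
    """Report the terminating action and the source address the packet leaves with."""
    pkt = {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
           "proto": proto, "ctstate": ctstate}
    path = []
    hit = walk(load_chains(ruleset), "POSTROUTING", pkt, path)
    if hit is None:
        return {"action": "policy ACCEPT", "new_src": src, "path": path}
    new_src = src
    if hit["target"] == "SNAT":
        new_src = hit["to"]
    elif hit["target"] == "MASQUERADE":
        new_src = "<address of egress interface>"
    return {"action": hit["target"], "new_src": new_src, "path": path}


if __name__ == "__main__":
    for s, d in [("192.168.32.13", "203.0.113.77"), ("192.168.32.14", "203.0.113.77"),
                 ("192.168.32.13", "203.0.113.1"), ("192.168.122.5", "198.51.100.9")]:
        r = trace_postrouting(SAMPLE_NAT, s, d)
        print(f"{s} -> {d}: {r['action']}, leaves as {r['new_src']}; {' | '.join(r['path'])}")
```

In the constructed ruleset the instance with a floating IP is rewritten to 203.0.113.50 by nova-network-float-snat, an instance without one falls all the way through to the table policy and leaves with its private address (the symptom described in the question), traffic to the controller's own public address hits the early ACCEPT and is never SNATed, and the libvirt 192.168.122.0/24 rule only masquerades that network. Running the same walk over `iptables-save -t nat` from the controller shows which of these paths a real packet takes, which is quicker than reading the chains by eye.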