Incoming traffic from the VM is blocked by iptables although the security group is configured to permit the traffic

asked 2015-06-04 16:58:28 -0600 by Vivek

updated 2015-06-05 00:16:54 -0600 by dbaxps

Hello,

The OpenStack instance I am running is a network function (a virtual router, to be precise), and hence this instance is supposed to forward traffic received from one Neutron network to the other Neutron network.

I have configured a security group to allow all TCP and UDP traffic in both the ingress and egress directions and have applied it to the instance. However, when I check the iptables chain, it appears that the chain neutron-openvswi-s<xxxxxx>-<y> in the FORWARD table, which actually controls the traffic coming from the instance to the Linux bridge, is only allowing traffic from the specific interface IP and MAC assigned by Neutron and is not allowing all the TCP or UDP traffic as I was expecting it to do.

Am I missing something here, or is this a bug/limitation? Also, is there some kind of workaround to make this work?

Regards, Vivek

[root@rbu-rpd-ns1 ~(keystone_admin)]# neutron security-group-rule-list | grep -v default
| id                                   | security_group | direction | protocol | remote_ip_prefix | remote_group |
| 51810933-2091-41f1-ad93-b6f97238cda2 | test           | egress    | tcp      |                  |              |
| 69e5cf3d-0b3e-42e6-b9cc-75c68f2085df | test           | ingress   | tcp      |                  |              |
| c67db669-6f6c-4733-a120-58eb43e95d1e | test           | egress    |          |                  |              |
| d89a0568-f951-40ea-98b6-328f3f85826f | test           | ingress   | udp      |                  |              |
| dbde6471-8411-4a9a-ad6a-3538aee0aafd | test           | ingress   |          |                  |              |
| fbb993c2-9ca0-45e8-be28-0614f7b419e3 | test           | egress    | udp      |                  |              |
[root@rbu-rpd-ns1 ~(keystone_admin)]# nova show rtr1 | grep security
| security_groups                      | test                                                     |

iptables chain:

Chain neutron-openvswi-s744fb19c-1 (1 references)
num      pkts      bytes target     prot opt in     out     source               destination         
1           0        0 RETURN     all  --  *      *             MAC FA:16:3E:89:90:E2
2           0        0 DROP       all  --  *      *  
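As an added illustration (not part of the original post), here is a small Python parser for the per-port anti-spoofing chain listed above. It runs over a constructed listing in the same `iptables -L -n -v --line-numbers` layout, collects the source IP/MAC pairs the RETURN rules admit, and sums the DROP counter, which is what a forwarding VM's transit traffic ends up hitting. The source address 10.0.0.5 and the packet counters are constructed values; the chain name and MAC are the ones from the question.

```python
"""Parse a Neutron per-port anti-spoofing chain (neutron-openvswi-s<port>-<n>)
and report the allowed source IP/MAC pairs plus packets discarded by DROP."""
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of `iptables -L -n -v --line-numbers`.
# Chain name and MAC come from the question; 10.0.0.5 and counters are made up.
SAMPLE = """\
Chain neutron-openvswi-s744fb19c-1 (1 references)
num   pkts bytes target prot opt in  out source       destination
1       40  3360 RETURN all  --  *   *   10.0.0.5     0.0.0.0/0   MAC FA:16:3E:89:90:E2
2       17  1428 DROP   all  --  *   *   0.0.0.0/0    0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (neutron-openvswi-s([0-9a-f]+)-\d+)")
# num pkts bytes target prot opt in out source destination [MAC xx:..]
RULE_RE = re.compile(
    r"^\s*\d+\s+(\d+)\s+\d+\s+(RETURN|DROP)\s+\S+\s+\S+\s+\S+\s+\S+\s+(\S+)\s+\S+"
    r"(?:\s+MAC\s+([0-9A-Fa-f:]{17}))?"
)


@dataclass
class SpoofChain:
    chain: str
    port_prefix: str                  # leading hex chars of the Neutron port id
    allowed: list = field(default_factory=list)  # (src_ip, mac) admitted by RETURN
    dropped_pkts: int = 0             # packets the final DROP rule discarded


def parse_spoof_chain(text):
    """Return a SpoofChain for the first anti-spoofing chain found in text."""
    chain = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = SpoofChain(chain=m.group(1), port_prefix=m.group(2))
            continue
        m = RULE_RE.match(line)
        if not (m and chain):
            continue
        pkts, target, src, mac = m.groups()
        if target == "RETURN":
            chain.allowed.append((src, mac))
        else:
            chain.dropped_pkts += int(pkts)
    return chain


def explain(chain):
    """One-line summary: anything not in the allowed pairs is dropped."""
    pairs = ", ".join(f"{ip}/{mac}" for ip, mac in chain.allowed)
    return (f"port {chain.port_prefix}: allowed sources [{pairs}]; "
            f"{chain.dropped_pkts} packets dropped as spoofed")


if __name__ == "__main__":
    print(explain(parse_spoof_chain(SAMPLE)))
```

On a compute node the real listing comes from `iptables -L neutron-openvswi-s744fb19c-1 -n -v --line-numbers`; a rising DROP counter while the router VM forwards traffic confirms the chain, not the security group rules, is what blocks the transit packets.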

2 answers


answered 2015-08-18 02:37:40 -0600 by 9lives

Due to being unable to add comments to this question, I am forced to use the answer field.

We have met the same problem: the neutron-openvswi-s<xxxxxx>-<y> chain keeps dropping the traffic, and we have to delete this rule to make the ping go through via a vrouter. My additional question is: can we modify this chain using a security group or not?



answered 2015-08-18 07:57:57 -0600 by busyboy

updated 2015-08-18 22:06:28 -0600 by 9lives

On your compute node, check this with

iptables -S

and see if you can modify them.

Due to failing to add comments to your answer, I have to edit this as a comment.

We tried setting various security groups, but none of them seemed to affect the iptables rules in the Linux bridge. Should we say that currently the OpenStack security group cannot modify the iptables rules on the Linux bridge?




Asked: 2015-06-04 16:58:28 -0600

Seen: 1,830 times

Last updated: Aug 18 '15