I have a Fedora 22 machine where I am running devstack. Almost everything seems to be working properly except my VMs can not ping external (internet) hosts. Hopefully, someone can get me over that hump.

Here is a snippet from my local.conf (enp5s0 is my wired ethernet connection):

FLAT_INTERFACE=enp5s0
IP_VERSION=4
FLOATING_RANGE=192.168.3.0/24
PUBLIC_NETWORK_GATEWAY=192.168.3.1
FIXED_RANGE=10.3.0.0/24
NETWORK_GATEWAY=10.3.0.1

I have run iptables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE, which has worked for me on older versions of Fedora.

In the event it helps, here is a dump of my iptables rules.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
neutron-openvswi-INPUT  all  --  anywhere             anywhere            
nova-api-INPUT  all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
neutron-filter-top  all  --  anywhere             anywhere            
neutron-openvswi-FORWARD  all  --  anywhere             anywhere            
nova-filter-top  all  --  anywhere             anywhere            
nova-api-FORWARD  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
neutron-filter-top  all  --  anywhere             anywhere            
neutron-openvswi-OUTPUT  all  --  anywhere             anywhere            
nova-filter-top  all  --  anywhere             anywhere            
nova-api-OUTPUT  all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc

Chain DOCKER (1 references)
target     prot opt source               destination         

Chain neutron-filter-top (2 references)
target     prot opt source               destination         
neutron-openvswi-local  all  --  anywhere             anywhere            

Chain neutron-openvswi-FORWARD (1 references)
target     prot opt source               destination         
neutron-openvswi-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-out tap5d908dd9-18 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
neutron-openvswi-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tap5d908dd9-18 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
neutron-openvswi-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-out tapbafd0f82-43 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
neutron-openvswi-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tapbafd0f82-43 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */

Chain neutron-openvswi-INPUT (1 references)
target     prot opt source               destination         
neutron-openvswi-o5d908dd9-1  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tap5d908dd9-18 --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */
neutron-openvswi-obafd0f82-4  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tapbafd0f82-43 --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */

Chain neutron-openvswi-OUTPUT (1 references)
target     prot opt source               destination         

Chain neutron-openvswi-i5d908dd9-1 (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
RETURN     all  --  anywhere             anywhere             state RELATED ...