NAT accessible only one way with floating IPs

asked 2015-07-23 15:47:24 -0600


I can assign a floating IP to an instance and ping it from the external network. However, the instance cannot ping anything but the gateway and the compute node. Am I missing a NAT?

controller_root@controller:~$ nova net-list
+--------------------------------------+---------------+-------------+
| ID                                   | Label         | CIDR        |
+--------------------------------------+---------------+-------------+
| ef5a6249-ae84-4c8f-bf4e-0c48bab24650 | OpenStack-net |             |
+--------------------------------------+---------------+-------------+


$ cat /proc/sys/net/ipv4/ip_forward


compute1_root@compute1:~$ sudo iptables -t filter -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-N nova-api-metadat-FORWARD
-N nova-api-metadat-INPUT
-N nova-api-metadat-OUTPUT
-N nova-api-metadat-local
-N nova-compute-FORWARD
-N nova-compute-INPUT
-N nova-compute-OUTPUT
-N nova-compute-inst-3
-N nova-compute-local
-N nova-compute-provider
-N nova-compute-sg-fallback
-N nova-filter-top
-N nova-network-FORWARD
-N nova-network-INPUT
-N nova-network-OUTPUT
-N nova-network-local
-A INPUT -j nova-network-INPUT
-A INPUT -j nova-compute-INPUT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -j nova-api-metadat-INPUT
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-network-FORWARD
-A FORWARD -j nova-compute-FORWARD
-A FORWARD -d -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j nova-api-metadat-FORWARD
-A FORWARD -i eth2 -o br100 -j ACCEPT
-A FORWARD -i br100 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-network-OUTPUT
-A OUTPUT -j nova-compute-OUTPUT
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -j nova-api-metadat-OUTPUT
-A nova-api-metadat-INPUT -d -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-compute-FORWARD -s -d -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A nova-compute-INPUT -s -d -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A nova-compute-inst-3 -m state --state INVALID -j DROP
-A nova-compute-inst-3 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-3 -j nova-compute-provider
-A nova-compute-inst-3 -s -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-3 -s -j ACCEPT
-A nova-compute-inst-3 -p icmp -j ACCEPT
-A nova-compute-inst-3 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-3 -p tcp -m multiport --dports 1:65535 -j ACCEPT
-A nova-compute-inst-3 -p udp -m multiport --dports 1:65535 -j ACCEPT
-A nova-compute-inst-3 -j nova-compute-sg-fallback
-A nova-compute-local -d -j nova-compute-inst-3
-A nova-compute-sg-fallback -j DROP
-A nova-filter-top -j nova-network-local
-A nova-filter-top -j nova-compute-local
-A nova-filter-top -j nova-api-metadat-local
-A nova-network-FORWARD -i br100 -j ACCEPT
-A nova-network-FORWARD -o br100 -j ACCEPT
-A nova-network-FORWARD -d -p udp -m udp --dport 1194 -j ACCEPT
-A nova-network-INPUT ...


Looking at tcpdump, the ping packet reaches eth2:

tcpdump -i eth2
17:37:19.372715 ARP, Request who-has tell compute1, length 28
17:37:19.373560 ARP, Reply is-at 28:80:23:9a:21:7c (oui Unknown), length 28

BuildGuru (2015-07-23 16:39:37 -0600)

1 answer


answered 2015-07-28 10:38:01 -0600


A little bit of freshening up on NAT helps; this did the magic for me:

iptables -t nat -A POSTROUTING -o br100 -j MASQUERADE

iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

I also had to delete the nova network and recreate it to see --dns1 and --dns2. This flat bridge setup would cause bottlenecks for the instances; I look forward to Neutron support for XenServer 6.5.

Thanks for the up vote.

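The two MASQUERADE lines in the answer above do make outbound traffic work, but they are broader than the problem needs: masquerading on br100 rewrites the source of every packet forwarded into the instance bridge, so instances see all inbound connections, including traffic that arrived via a floating IP, as coming from the gateway address and lose the real remote address in their logs; and an unscoped masquerade on eth2 rewrites anything the host forwards, not just the instance range. The script below is an added example, not code from the original post and not nova-network's own rule management (nova-network keeps its NAT rules in its own nova-network-* chains). It prints the plain-iptables equivalent of a working one-to-one floating-IP NAT plus a fallback masquerade scoped to the fixed range and the external interface, checks ip_forward, and only applies anything when run with the argument apply. Every address in it is an assumption, since the thread's output has its addresses stripped: fixed range 10.0.0.0/24, one instance 10.0.0.3 with floating IP 203.0.113.10, and eth2 as the external interface (the only value the thread itself shows).

```shell
#!/bin/sh
# Added example for this thread; not code from the original post or from
# nova-network. Prints (default) or applies ("apply") the NAT rules for a
# floating IP and a scoped fallback masquerade.
# Assumptions, none of which appear in the thread:
#   fixed-IP range 10.0.0.0/24, instance 10.0.0.3, floating IP 203.0.113.10.

FIXED_RANGE="${FIXED_RANGE:-10.0.0.0/24}"        # assumption: instance fixed-IP CIDR
EXT_IF="${EXT_IF:-eth2}"                         # external interface, as in the thread
FLOATING="${FLOATING:-203.0.113.10=10.0.0.3}"    # assumption: "float=fixed" pairs, space separated

# Return 0 if IPv4 forwarding is enabled. The path is a parameter so the
# check can be exercised against a copy of the sysctl file.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Rules for one floating IP: inbound DNAT (from the wire and from the host
# itself), plus a one-to-one SNAT so the instance's outbound traffic leaves
# with the floating address rather than the unroutable fixed one.
floating_ip_rules() {
    float="$1"; fixed="$2"; ext="${3:-$EXT_IF}"
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -d $float -j DNAT --to-destination $fixed" \
      "iptables -t nat -A OUTPUT -d $float -j DNAT --to-destination $fixed" \
      "iptables -t nat -A POSTROUTING -s $fixed -o $ext -j SNAT --to-source $float"
}

# Full rule set, one command per line. Per-instance SNAT is emitted before
# the range masquerade because POSTROUTING is first-match. The masquerade
# is limited to the fixed range leaving the external interface; there is
# deliberately no rule for br100, so traffic forwarded into the bridge keeps
# its real source address.
nat_rules() {
    for pair in $FLOATING; do
        floating_ip_rules "${pair%%=*}" "${pair#*=}"
    done
    printf '%s\n' "iptables -t nat -A POSTROUTING -s $FIXED_RANGE -o $EXT_IF -j MASQUERADE"
}

# Number of commands nat_rules would run.
nat_rule_count() {
    nat_rules | wc -l | tr -d ' '
}

# Apply idempotently: iptables -C tests for an identical existing rule, so
# re-running never stacks duplicates (re-running the answer's two -A lines
# would).
apply_nat_rules() {
    if ! ip_forward_enabled; then
        echo "net.ipv4.ip_forward is 0; nothing applied" >&2
        return 1
    fi
    nat_rules | while IFS= read -r rule; do
        check=$(printf '%s' "$rule" | sed 's/ -A / -C /')
        sh -c "$check" 2>/dev/null || sh -c "$rule"
    done
}

case "${1:-}" in
    apply) apply_nat_rules ;;
    *)     nat_rules ;;      # default: print the rules without touching the kernel
esac
```

Run it with no argument to review the rules, then as root with apply; set FLOATING to a space-separated list of float=fixed pairs to cover more than one instance. After applying, `iptables -t nat -S POSTROUTING` should show the per-instance SNAT above the masquerade, and a packet capture on eth2 should show the floating address, not the fixed one, as the source of instance-originated traffic.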


Last updated: Jul 28 '15