2

NAT accessible only one way with floating IPs

asked 2015-07-23 15:47:24 -0500

BuildGuru

I can assign a floating IP to an instance and ping it from the external network. However, the instance cannot ping anything but the gateway and the compute node. Am I missing a NAT?

    controller_root@controller:~$ nova net-list
    +--------------------------------------+---------------+-------------+
    | ID                                   | Label         | CIDR        |
    +--------------------------------------+---------------+-------------+
    | ef5a6249-ae84-4c8f-bf4e-0c48bab24650 | OpenStack-net | 10.0.0.0/24 |
    +--------------------------------------+---------------+-------------+

firewall_driver=nova.virt.firewall.NoopFirewallDriver

    $ cat /proc/sys/net/ipv4/ip_forward
    1

    compute1_root@compute1:~$ sudo iptables -t filter -S
    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -N nova-api-metadat-FORWARD
    -N nova-api-metadat-INPUT
    -N nova-api-metadat-OUTPUT
    -N nova-api-metadat-local
    -N nova-compute-FORWARD
    -N nova-compute-INPUT
    -N nova-compute-OUTPUT
    -N nova-compute-inst-3
    -N nova-compute-local
    -N nova-compute-provider
    -N nova-compute-sg-fallback
    -N nova-filter-top
    -N nova-network-FORWARD
    -N nova-network-INPUT
    -N nova-network-OUTPUT
    -N nova-network-local
    -A INPUT -j nova-network-INPUT
    -A INPUT -j nova-compute-INPUT
    -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
    -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
    -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
    -A INPUT -j nova-api-metadat-INPUT
    -A FORWARD -j nova-filter-top
    -A FORWARD -j nova-network-FORWARD
    -A FORWARD -j nova-compute-FORWARD
    -A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
    -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
    -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -j nova-api-metadat-FORWARD
    -A FORWARD -i eth2 -o br100 -j ACCEPT
    -A FORWARD -i br100 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -j nova-filter-top
    -A OUTPUT -j nova-network-OUTPUT
    -A OUTPUT -j nova-compute-OUTPUT
    -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
    -A OUTPUT -j nova-api-metadat-OUTPUT
    -A nova-api-metadat-INPUT -d 10.8.2.70/32 -p tcp -m tcp --dport 8775 -j ACCEPT
    -A nova-compute-FORWARD -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
    -A nova-compute-INPUT -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
    -A nova-compute-inst-3 -m state --state INVALID -j DROP
    -A nova-compute-inst-3 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A nova-compute-inst-3 -j nova-compute-provider
    -A nova-compute-inst-3 -s 10.0.0.4/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
    -A nova-compute-inst-3 -s 10.0.0.0/24 -j ACCEPT
    -A nova-compute-inst-3 -p icmp -j ACCEPT
    -A nova-compute-inst-3 -p tcp -m tcp --dport 22 -j ACCEPT
    -A nova-compute-inst-3 -p tcp -m multiport --dports 1:65535 -j ACCEPT
    -A nova-compute-inst-3 -p udp -m multiport --dports 1:65535 -j ACCEPT
    -A nova-compute-inst-3 -j nova-compute-sg-fallback
    -A nova-compute-local -d 10.0.0.3/32 -j nova-compute-inst-3
    -A nova-compute-sg-fallback -j DROP
    -A nova-filter-top -j nova-network-local
    -A nova-filter-top -j nova-compute-local
    -A nova-filter-top -j nova-api-metadat-local
    -A nova-network-FORWARD -i br100 -j ACCEPT
    -A nova-network-FORWARD -o br100 -j ACCEPT
    -A nova-network-FORWARD -d 10.0.0.2/32 -p udp -m udp --dport 1194 -j ACCEPT
    -A nova-network-INPUT ...

Comments

Looking at tcpdump, the ping packet reaches eth2:

    tcpdump -i eth2
    17:37:19.372715 ARP, Request who-has 10.8.2.28 tell compute1, length 28
    17:37:19.373560 ARP, Reply 10.8.2.28 is-at 28:80:23:9a:21:7c (oui Unknown), length 28

BuildGuru (2015-07-23 16:39:37 -0500)

1 answer

1

answered 2015-07-28 10:38:01 -0500

BuildGuru

A little bit of freshening up on NAT helps; this did the magic for me:

    iptables -t nat -A POSTROUTING -o br100 -j MASQUERADE
    iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

I also had to delete nova-network and recreate it to see --dns1 and --dns2. This flat bridge setup would cause bottlenecks for the instances; I look forward to Neutron support for XenServer 6.5.

Thanks for the upvote.

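As an added example (not code from the original post, and not nova-network's own), the script below applies the answer's outbound-NAT fix in a narrower form and checks an existing nat table for it. It assumes the addresses from the question (instances in 10.0.0.0/24 behind br100, eth2 as the compute node's external interface) and a standard `iptables` binary; the `FIXED_NET`, `EXT_IF`, `IPT` and `DRY_RUN` variables, and the function names, are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post or from nova-network:
# apply the answer's outbound-NAT fix in a narrower form, and audit an
# existing nat table for it.
#
# Assumed from the question: instances live in 10.0.0.0/24 behind br100 and
# eth2 is the compute node's external NIC. The iptables binary is overridable
# so the functions can be exercised without root.
set -eu

FIXED_NET="${FIXED_NET:-10.0.0.0/24}"   # nova fixed range (from nova net-list)
EXT_IF="${EXT_IF:-eth2}"                # interface towards the external network
IPT="${IPT:-iptables}"

# run_ipt: execute an iptables command, or only print it when DRY_RUN=1.
run_ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# add_rule_once: append a rule only if "iptables -C" says it is absent, so
# re-running this script after a reboot or a nova-network restart does not
# stack duplicate copies of the same rule.
add_rule_once() {
    table="$1"; shift
    if [ "${DRY_RUN:-0}" = "1" ] || ! "$IPT" -t "$table" -C "$@" 2>/dev/null; then
        run_ipt -t "$table" -A "$@"
    fi
}

# install_scoped_snat: the answer's "-o eth2 -j MASQUERADE", limited to packets
# that really come from the instance range and are leaving for somewhere else.
# The unscoped form rewrites every forwarded packet leaving eth2, and the
# answer's second rule ("-o br100 -j MASQUERADE") makes inbound connections
# to a floating IP reach the guest with the bridge's own address as source,
# so the guest's logs no longer show the real client. Inbound to the floating
# IP already worked in the question without it, so it is left out here.
install_scoped_snat() {
    add_rule_once nat POSTROUTING -s "$FIXED_NET" ! -d "$FIXED_NET" -o "$EXT_IF" -j MASQUERADE
}

# audit_nat_dump: read "iptables -t nat -S" output on stdin and say whether
# FIXED_NET leaving EXT_IF is source-NATed by a rule on POSTROUTING itself:
# prints "scoped", "unscoped" or "missing" and succeeds only for "scoped".
# Rules nova-network keeps in its own chains are not examined here.
audit_nat_dump() {
    verdict="missing"
    while IFS= read -r line; do
        case "$line" in
            "-A POSTROUTING "*"-o $EXT_IF "*"-j MASQUERADE"*|"-A POSTROUTING "*"-o $EXT_IF "*"-j SNAT"*)
                case "$line" in
                    *"-s $FIXED_NET "*) verdict="scoped"; break ;;
                    *) verdict="unscoped" ;;
                esac ;;
        esac
    done
    echo "$verdict"
    [ "$verdict" = "scoped" ]
}

# Stand-alone use: "show" prints the rule, "apply" installs it (run as root on
# the compute node), and "audit" checks the live nat table.
case "${1:-show}" in
    show)  DRY_RUN=1 install_scoped_snat ;;
    apply) install_scoped_snat ;;
    audit) "$IPT" -t nat -S | audit_nat_dump ;;
esac
```

Run it with `show` first to see the single rule it would add, then `apply` as root; `audit` afterwards confirms the rule is present and scoped. The `! -d "$FIXED_NET"` exclusion keeps instance-to-instance traffic that happens to be routed through the host un-NATed, and the `-C` check before `-A` keeps the rule idempotent across re-runs.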

Stats

1 follower
Seen: 373 times
Last updated: Jul 28 '15