Is it possible to ping an instance's private IP via iptables or another setting?

asked 2015-09-02 08:01:46 -0500

twskay

updated 2015-09-02 10:09:21 -0500

Is it possible to ping an instance's private IP by setting iptables on the qrouter?

like this:

iptables -t nat -A neutron-l3-agent-PREROUTING -i eth0 -j DNAT -o 10.0.2.4 --to-destination 10.0.2.4

Or could the IP range of the external net be private (like this: 10.0.1.0/24)?

[UPDATE 1]

sudo ip netns exec qrouter-fb703333-202a-4a9f-911e-2b6ab7157bf2 iptables-save -t nat

# Generated by iptables-save v1.4.21 on Wed Sep  2 23:01:38 2015
*nat
:PREROUTING ACCEPT [717636:80312378]
:INPUT ACCEPT [68026:9727468]
:OUTPUT ACCEPT [4:288]
:POSTROUTING ACCEPT [644:47496]
:neutron-l3-agent-OUTPUT - [0:0]
:neutron-l3-agent-POSTROUTING - [0:0]
:neutron-l3-agent-PREROUTING - [0:0]
:neutron-l3-agent-float-snat - [0:0]
:neutron-l3-agent-snat - [0:0]
:neutron-postrouting-bottom - [0:0]
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A neutron-l3-agent-OUTPUT -d xxx.64.91.54/32 -j DNAT --to-destination 10.0.2.2
-A neutron-l3-agent-POSTROUTING ! -i qg-54a3e519-12 ! -o qg-54a3e519-12 -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-PREROUTING -d xxx.64.91.54/32 -j DNAT --to-destination 10.0.2.2
-A neutron-l3-agent-float-snat -s 10.0.2.2/32 -j SNAT --to-source xxx.64.91.54
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-l3-agent-snat -s 10.0.92.0/24 -j SNAT --to-source xxx.64.91.42
-A neutron-l3-agent-snat -s 10.0.2.0/24 -j SNAT --to-source xxx.64.91.42
-A neutron-postrouting-bottom -j neutron-l3-agent-snat
COMMIT
# Completed on Wed Sep  2 23:01:38 2015

PS:

external network is xxx.64.91.0/25 
tenant networks are 10.0.2.0/24 and 10.0.92.0/24

Comments

Please, add as UPDATE 1:-

# ip netns exec qrouter-your-router-id  iptables-save -t nat
dbaxps ( 2015-09-02 09:04:57 -0500 )

I posted it in the question as UPDATE 1

twskay ( 2015-09-02 10:09:54 -0500 )

1 answer


answered 2015-09-02 09:01:30 -0500

dbaxps

updated 2015-09-02 10:37:49 -0500

UPDATE
I just tried via Horizon, and attaching the interface to the router failed

image description
END UPDATE

Usually it looks like

[root@ip-192-169-142-137 ~]# ip netns exec qrouter-2ba3a798-5964-4ea7-87ed-d8e171afaf23 iptables-save -t nat
# Generated by iptables-save v1.4.21 on Wed Sep  2 16:54:00 2015
*nat
:PREROUTING ACCEPT [1528:98579]
:INPUT ACCEPT [105:7386]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [6:408]
:neutron-l3-agent-OUTPUT - [0:0]
:neutron-l3-agent-POSTROUTING - [0:0]
:neutron-l3-agent-PREROUTING - [0:0]
:neutron-l3-agent-float-snat - [0:0]
:neutron-l3-agent-snat - [0:0]
:neutron-postrouting-bottom - [0:0]
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A neutron-l3-agent-OUTPUT -d 192.169.142.158/32 -j DNAT --to-destination 50.0.0.18
-A neutron-l3-agent-OUTPUT -d 192.169.142.151/32 -j DNAT --to-destination 50.0.0.11
-A neutron-l3-agent-POSTROUTING ! -i rfp-2ba3a798-5 ! -o rfp-2ba3a798-5 -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-PREROUTING -d 192.169.142.158/32 -j DNAT --to-destination 50.0.0.18 <= here
-A neutron-l3-agent-PREROUTING -d 192.169.142.151/32 -j DNAT --to-destination 50.0.0.11 <= here
-A neutron-l3-agent-float-snat -s 50.0.0.18/32 -j SNAT --to-source 192.169.142.158
-A neutron-l3-agent-float-snat -s 50.0.0.11/32 -j SNAT --to-source 192.169.142.151
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-postrouting-bottom -j neutron-l3-agent-snat
COMMIT
# Completed on Wed Sep  2 16:54:00 2015

Where the external network is 192.169.142.0/24 and the tenant network is 50.0.0.0/24


Comments

Is 192.169.142.0/24 a private IP?

twskay ( 2015-09-02 10:05:20 -0500 )

I know that an instance gets a floating IP so that it can be pinged from the network node or others. If an instance does not have a floating IP, can its private IP be pinged by adding a rule to iptables?

twskay ( 2015-09-02 10:12:53 -0500 )

Or could the external network be a private IP?

twskay ( 2015-09-02 10:13:52 -0500 )

Hello, 192.169.142.0/24 is the external network, so why did you do the operation in the image you updated? router01 set its router gateway to the external network, right? So why did you add an interface (external network)?

twskay ( 2015-09-02 10:57:49 -0500 )

No, I created a private net with the same 192.169.142.0/24 as external. Attempted to add an interface to the private net, already having a gateway to external (same mask 192.169.142.0/24). Operation failed.

dbaxps ( 2015-09-02 11:23:31 -0500 )
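
As an added example (not code from either poster or from Neutron), this Python script parses an iptables-save -t nat dump from a qrouter namespace, like the two shown above, and separates fixed IPs that have an inbound DNAT mapping from tenant subnets that only have an outbound SNAT rule. The function names and report layout are assumptions; the sample rules are a subset of the question's UPDATE 1 dump.

```python
import shlex

# Subset of the rules from the question's UPDATE 1 dump ("xxx" is the asker's mask).
SAMPLE = """\
-A neutron-l3-agent-POSTROUTING ! -i qg-54a3e519-12 ! -o qg-54a3e519-12 -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-PREROUTING -d xxx.64.91.54/32 -j DNAT --to-destination 10.0.2.2
-A neutron-l3-agent-float-snat -s 10.0.2.2/32 -j SNAT --to-source xxx.64.91.54
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-l3-agent-snat -s 10.0.92.0/24 -j SNAT --to-source xxx.64.91.42
-A neutron-l3-agent-snat -s 10.0.2.0/24 -j SNAT --to-source xxx.64.91.42
"""

def parse_rules(dump):
    """Yield (chain, options) for each -A line; negated options are keyed '! -x'."""
    for line in dump.splitlines():
        tok = shlex.split(line)
        if len(tok) < 2 or tok[0] != "-A":
            continue  # table header, chain policy, comment or COMMIT
        opts, i, neg = {}, 2, ""
        while i < len(tok):
            if tok[i] == "!":
                neg, i = "! ", i + 1
            elif i + 1 < len(tok) and tok[i].startswith("-"):
                opts[neg + tok[i]] = tok[i + 1]
                neg, i = "", i + 2
            else:
                i += 1
        yield tok[1], opts

def audit_nat(dump):
    """Split the router's NAT rules into inbound 1:1 mappings and outbound-only SNAT."""
    inbound, float_snat, shared = {}, {}, {}
    for chain, o in parse_rules(dump):
        if chain == "neutron-l3-agent-PREROUTING" and o.get("-j") == "DNAT":
            inbound[o["-d"].split("/")[0]] = o["--to-destination"]
        elif chain == "neutron-l3-agent-float-snat" and o.get("-j") == "SNAT":
            float_snat[o["-s"].split("/")[0]] = o["--to-source"]
        elif chain == "neutron-l3-agent-snat" and o.get("-j") == "SNAT":
            shared[o["-s"]] = o["--to-source"]
    # A floating IP should appear as a DNAT/SNAT pair; list DNATs with no matching SNAT.
    asymmetric = sorted(f for f, fixed in inbound.items() if float_snat.get(fixed) != f)
    return {"inbound": inbound, "outbound_only": shared, "asymmetric": asymmetric}

if __name__ == "__main__":
    report = audit_nat(SAMPLE)
    for fip, fixed in report["inbound"].items():
        print(f"inbound DNAT:       {fip} -> {fixed}")
    for subnet, src in report["outbound_only"].items():
        print(f"outbound SNAT only: {subnet} -> {src}")
    print("DNAT without matching SNAT:", report["asymmetric"] or "none")
```

On the question's dump, only 10.0.2.2 has an inbound mapping; the two tenant subnets appear solely as sources of outbound SNAT to the router's gateway address.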
