questions about snat rules in iptables

asked 2015-11-09 23:38:05 -0500

Herman Ge

updated 2015-11-10 01:57:57 -0500

dbaxps

After creating an instance and a router (the instance is not associated with a floating IP), I ssh from the instance to an external VM. I think there should be NAT rules with the source IP and port in iptables for this ssh session. But in fact there are no PAT rules for this session in the namespace iptables. The iptables output is listed below.

Can someone explain my confusion? Thanks!

[root@test ~(keystone_admin)]# ip netns exec qrouter-4b6c0922-d9f9-4f4d-b28d-be4f5c82a769 iptables -t nat -nvL

Chain PREROUTING (policy ACCEPT 2857K packets, 126M bytes)
 pkts bytes target     prot opt in     out     source               destination         
2857K  126M neutron-l3-agent-PREROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT 2854K packets, 126M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 2 packets, 140 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    3   224 neutron-l3-agent-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT 7 packets, 540 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2221 77452 neutron-l3-agent-POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 2221 77452 neutron-postrouting-bottom  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-l3-agent-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain neutron-l3-agent-POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  !qg-260ca1a1-5d !qg-260ca1a1-5d  0.0.0.0/0            0.0.0.0/0            ! ctstate DNAT

Chain neutron-l3-agent-PREROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REDIRECT   tcp  --  qr-+   *       0.0.0.0/0            169.254.169.254      tcp dpt:80 redir ports 9697

Chain neutron-l3-agent-float-snat (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain neutron-l3-agent-snat (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 2221 77452 neutron-l3-agent-float-snat  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 1694 58556 SNAT       all  --  *      qg-260ca1a1-5d  0.0.0.0/0            0.0.0.0/0            to:172.168.0.3
    1    84 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0x2/0xffff ctstate DNAT to:172.168.0.3

Chain neutron-postrouting-bottom (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 2221 77452 neutron-l3-agent-snat  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Perform source NAT on outgoing traffic. */

[root@test ~(keystone_admin)]#


1 answer


answered 2015-11-10 03:32:07 -0500

dbaxps

The snapshot was taken on the Network Node; both VMs have FIPs.

[root@ip-192-169-142-147 ~]#  ip netns exec qrouter-0f8b3d03-b229-4e86-8469-225648ea0b42 iptables -t nat -S | grep SNAT
-A neutron-l3-agent-float-snat -s 50.0.0.11/32 -j SNAT --to-source 172.24.4.228
-A neutron-l3-agent-float-snat -s 50.0.0.12/32 -j SNAT --to-source 172.24.4.229
-A neutron-l3-agent-snat -o qg-4a6156af-6e -j SNAT --to-source 172.24.4.227
-A neutron-l3-agent-snat -m mark ! --mark 0x2/0xffff -m conntrack --ctstate DNAT -j SNAT --to-source 172.24.4.227

FIP 172.24.4.229 has been disassociated via the dashboard console.

[root@ip-192-169-142-147 ~]#  ip netns exec qrouter-0f8b3d03-b229-4e86-8469-225648ea0b42 iptables -t nat -S | grep SNAT
-A neutron-l3-agent-float-snat -s 50.0.0.11/32 -j SNAT --to-source 172.24.4.228
-A neutron-l3-agent-snat -o qg-4a6156af-6e -j SNAT --to-source 172.24.4.227
-A neutron-l3-agent-snat -m mark ! --mark 0x2/0xffff -m conntrack --ctstate DNAT -j SNAT --to-source 172.24.4.227

I believe that the second rule is providing outbound connectivity for the VM without a FIP.
The snat namespace on the Network Node works the same way in the case of a DVR deployment, which
provides outbound connectivity for VMs without a FIP.

The Neutron router has to assign a shared IP to packets forwarded to the Internet from a VM without a FIP, otherwise it won't be able to receive the HTTP response from the external network. Thus the iptables rules working on the Neutron router should be updated to support VMs with no FIP.

Comments

You're right. An instance without a FIP will use the router gateway IP to reach the external network.

Herman Ge (2015-11-10 23:50:08 -0500)

In my setup, the router gateway IP is 172.168.0.52. On the instance (no FIP), I ssh to two external nodes, test-38 and test-40. TCP sessions are established with the external nodes through the router gateway 172.168.0.52 with different ports: 172.168.0.52:54081<->test-38:ssh; 172.168.0.52:42224<->test-40:ssh

Herman Ge (2015-11-10 23:52:55 -0500)

These two mapping rules with IP and TCP port are not displayed in iptables. These rules must exist somewhere. I want to know how to display these rules.

Herman Ge (2015-11-10 23:54:09 -0500)

I mean, how do I display the overlay-to-router-gateway mapping rules? overlay IP:port -> gateway:port: 10.1.1.4:54081 -> 172.168.0.52:54081, 10.1.1.4:42224 -> 172.168.0.52:42224

Herman Ge (2015-11-11 00:25:54 -0500)
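To make the answer's point concrete, here is an added example (not code from the thread or from Neutron) that parses the `iptables -t nat -S | grep SNAT` lines quoted in the answer and walks them in the order the Neutron chains are consulted: the per-VM rules in neutron-l3-agent-float-snat first, then the `-o qg-...` rule in neutron-l3-agent-snat that rewrites everything else leaving through the gateway port to the shared router IP. The VM addresses 50.0.0.13 and the `qr-` interface name used in the checks are constructed.

```python
import ipaddress
from collections import namedtuple

# Constructed input: the rule lines quoted from the answer's first snapshot.
RULES_TEXT = """
-A neutron-l3-agent-float-snat -s 50.0.0.11/32 -j SNAT --to-source 172.24.4.228
-A neutron-l3-agent-float-snat -s 50.0.0.12/32 -j SNAT --to-source 172.24.4.229
-A neutron-l3-agent-snat -o qg-4a6156af-6e -j SNAT --to-source 172.24.4.227
-A neutron-l3-agent-snat -m mark ! --mark 0x2/0xffff -m conntrack --ctstate DNAT -j SNAT --to-source 172.24.4.227
"""

Rule = namedtuple("Rule", "chain src out_if ctstate_dnat to_source")


def parse_snat_rules(text):
    """Parse `iptables -S` style lines, keeping only SNAT rules and the matches we model."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if "SNAT" not in tok:
            continue

        def arg(flag):
            # value following a flag, or None when the flag is absent
            return tok[tok.index(flag) + 1] if flag in tok else None

        rules.append(Rule(arg("-A"), arg("-s"), arg("-o"),
                          arg("--ctstate") == "DNAT", arg("--to-source")))
    return rules


def snat_source(rules, vm_ip, out_if, ct_dnat=False):
    """Source address a packet from vm_ip carries after POSTROUTING, in Neutron's chain order."""
    ip = ipaddress.ip_address(vm_ip)
    # 1. neutron-l3-agent-snat jumps to float-snat first: a VM with a FIP gets its FIP.
    for r in rules:
        if r.chain == "neutron-l3-agent-float-snat" and r.src and ip in ipaddress.ip_network(r.src):
            return r.to_source
    # 2. Remaining rules in neutron-l3-agent-snat: the -o qg-* rule is the shared gateway SNAT;
    #    the ctstate DNAT rule only applies to connections that were DNATed on the way in.
    for r in rules:
        if r.chain != "neutron-l3-agent-snat":
            continue
        if r.out_if and r.out_if != out_if:
            continue
        if r.ctstate_dnat and not ct_dnat:
            continue
        return r.to_source
    return vm_ip  # no SNAT: e.g. east-west traffic leaving via a qr-* port


if __name__ == "__main__":
    rules = parse_snat_rules(RULES_TEXT)
    print(snat_source(rules, "50.0.0.11", "qg-4a6156af-6e"))  # VM with FIP
    print(snat_source(rules, "50.0.0.13", "qg-4a6156af-6e"))  # VM without FIP -> gateway IP
```

The per-connection source ports the comments ask about (54081, 42224) are not iptables rules at all: the SNAT rule only names the address, and the kernel records the port it picks for each flow in the conntrack table, which you can list inside the router namespace with `ip netns exec <qrouter-ns> conntrack -L`.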
