Ask Your Question
0

questions about snat rules in iptables

asked 2015-11-09 23:38:05 -0600

Herman Ge gravatar image

updated 2015-11-10 01:57:57 -0600

dbaxps gravatar image

After creating a instance and router(instance is not associated with floatingip), ssh external vm on instance. I think there should be nat rules with source ip and port in iptables for this ssh session. But fact is no PAT rules for this session in namespace iptables. Iptables is listed below.

Can someone explain my confusion? Thanks!

[root@test ~(keystone_admin)]# ip netns exec qrouter-4b6c0922-d9f9-4f4d-b28d-be4f5c82a769 iptables -t nat -nvL

Chain PREROUTING (policy ACCEPT 2857K packets, 126M bytes)
 pkts bytes target     prot opt in     out     source               destination         
2857K  126M neutron-l3-agent-PREROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT 2854K packets, 126M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 2 packets, 140 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    3   224 neutron-l3-agent-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT 7 packets, 540 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2221 77452 neutron-l3-agent-POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 2221 77452 neutron-postrouting-bottom  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-l3-agent-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain neutron-l3-agent-POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  !qg-260ca1a1-5d !qg-260ca1a1-5d  0.0.0.0/0            0.0.0.0/0            ! ctstate DNAT

Chain neutron-l3-agent-PREROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REDIRECT   tcp  --  qr-+   *       0.0.0.0/0            169.254.169.254      tcp dpt:80 redir ports 9697

Chain neutron-l3-agent-float-snat (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain neutron-l3-agent-snat (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 2221 77452 neutron-l3-agent-float-snat  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 1694 58556 SNAT       all  --  *      qg-260ca1a1-5d  0.0.0.0/0            0.0.0.0/0            to:172.168.0.3
    1    84 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0x2/0xffff ctstate DNAT to:172.168.0.3

Chain neutron-postrouting-bottom (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 2221 77452 neutron-l3-agent-snat  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Perform source NAT on outgoing traffic. */

[root@test ~(keystone_admin)]#

edit retag flag offensive close merge delete
add a comment

1 answer

Sort by ยป oldest newest most voted
0

answered 2015-11-10 03:32:07 -0600

dbaxps gravatar image

Snapshot is done on Network Node both VMs have FIPs

[root@ip-192-169-142-147 ~]#  ip netns exec qrouter-0f8b3d03-b229-4e86-8469-225648ea0b42 iptables -t nat -S | grep SNAT
-A neutron-l3-agent-float-snat -s 50.0.0.11/32 -j SNAT --to-source 172.24.4.228
-A neutron-l3-agent-float-snat -s 50.0.0.12/32 -j SNAT --to-source 172.24.4.229
-A neutron-l3-agent-snat -o qg-4a6156af-6e -j SNAT --to-source 172.24.4.227
-A neutron-l3-agent-snat -m mark ! --mark 0x2/0xffff -m conntrack --ctstate DNAT -j SNAT --to-source 172.24.4.227

FIP 172.24.4.229 has been deassociated via dashboard console 

[root@ip-192-169-142-147 ~]#  ip netns exec qrouter-0f8b3d03-b229-4e86-8469-225648ea0b42 iptables -t nat -S | grep SNAT
-A neutron-l3-agent-float-snat -s 50.0.0.11/32 -j SNAT --to-source 172.24.4.228
-A neutron-l3-agent-snat -o qg-4a6156af-6e -j SNAT --to-source 172.24.4.227
-A neutron-l3-agent-snat -m mark ! --mark 0x2/0xffff -m conntrack --ctstate DNAT -j SNAT --to-source 172.24.4.227

I believe that second rule is providing outbound connectivity for VM without FIP.
Snat-namespace on Network Node works same way in case of DVR deployment, which
provides outbound connectivity for VMs without FIP.

 Neutron router has to assign shared IP to packets forwarding to Internet from VM without FIP, otherwise it won't be able to receive  HTTP response from external Network. Thus  iptables rules working on Neutron Router should be updated to support VM with no FIP
edit flag offensive delete link more

Comments

You're right. Instance without FIP will use router gateway IP to visit external network.

Herman Ge gravatar imageHerman Ge ( 2015-11-10 23:50:08 -0600 )edit

In my setup, router gateway IP is 172.168.0.52. On instance(no fip), ssh to two external nodes test-38 and test-40. TCP sessions are established with external nodes through router gateway 172.168.0.52 with different ports: 172.168.0.52:54081<->test-38:ssh ;172.168.0.52:42224<->test-40:ssh

Herman Ge gravatar imageHerman Ge ( 2015-11-10 23:52:55 -0600 )edit

These two mapping rules with IP and tcp port are not displayed in iptables. These rules should be exesited in some places. I want to know how to display these rules?

Herman Ge gravatar imageHerman Ge ( 2015-11-10 23:54:09 -0600 )edit

I mean how to display overlay to router gateway manpping rules? oerlay IP:port ->gateway:port 10.1.1.4:54081 ->172.168.0.52:54081 10.1.1.4:42224 ->172.168.0.52:42224

Herman Ge gravatar imageHerman Ge ( 2015-11-11 00:25:54 -0600 )edit
add a comment

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2015-11-09 23:38:05 -0600

Seen: 938 times

Last updated: Nov 10 '15

Related questions

Can we disable security group rules created under neutron-openvswi-sg-chain ?

How does neutron manage its iptables config?

ping out working, ping in shows up on bridge but not target device

Access internet from instance

openstack mitaka on VM, can not ping floatingip of inner guest VM

router allowing incoming packets but drops the outgoing -iptables? [closed]

Ocata Neutron Error : Interface name must be shorter than IFNAMSIZ (15)

In iptables INPUT, FORWARD and OUTPUT chains, should nova-compute rules come first or linuxbri rules? [closed]

instances do not receive incoming traffic (no internet)

Internet connection not working in Nova Network