Ask Your Question
0

questions about snat rules in iptables

asked 2015-11-09 23:38:05 -0500

Herman Ge gravatar image

updated 2015-11-10 01:57:57 -0500

dbaxps gravatar image

After creating a instance and router(instance is not associated with floatingip), ssh external vm on instance. I think there should be nat rules with source ip and port in iptables for this ssh session. But fact is no PAT rules for this session in namespace iptables. Iptables is listed below.

Can someone explain my confusion? Thanks!

[root@test ~(keystone_admin)]# ip netns exec qrouter-4b6c0922-d9f9-4f4d-b28d-be4f5c82a769 iptables -t nat -nvL

Chain PREROUTING (policy ACCEPT 2857K packets, 126M bytes)
 pkts bytes target     prot opt in     out     source               destination         
2857K  126M neutron-l3-agent-PREROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT 2854K packets, 126M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 2 packets, 140 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    3   224 neutron-l3-agent-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT 7 packets, 540 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2221 77452 neutron-l3-agent-POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 2221 77452 neutron-postrouting-bottom  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-l3-agent-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain neutron-l3-agent-POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  !qg-260ca1a1-5d !qg-260ca1a1-5d  0.0.0.0/0            0.0.0.0/0            ! ctstate DNAT

Chain neutron-l3-agent-PREROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REDIRECT   tcp  --  qr-+   *       0.0.0.0/0            169.254.169.254      tcp dpt:80 redir ports 9697

Chain neutron-l3-agent-float-snat (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain neutron-l3-agent-snat (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 2221 77452 neutron-l3-agent-float-snat  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 1694 58556 SNAT       all  --  *      qg-260ca1a1-5d  0.0.0.0/0            0.0.0.0/0            to:172.168.0.3
    1    84 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0x2/0xffff ctstate DNAT to:172.168.0.3

Chain neutron-postrouting-bottom (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 2221 77452 neutron-l3-agent-snat  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Perform source NAT on outgoing traffic. */

[root@test ~(keystone_admin)]#

edit retag flag offensive close merge delete
add a comment

1 answer

Sort by ยป oldest newest most voted
0

answered 2015-11-10 03:32:07 -0500

dbaxps gravatar image

Snapshot is done on Network Node both VMs have FIPs

[root@ip-192-169-142-147 ~]#  ip netns exec qrouter-0f8b3d03-b229-4e86-8469-225648ea0b42 iptables -t nat -S | grep SNAT
-A neutron-l3-agent-float-snat -s 50.0.0.11/32 -j SNAT --to-source 172.24.4.228
-A neutron-l3-agent-float-snat -s 50.0.0.12/32 -j SNAT --to-source 172.24.4.229
-A neutron-l3-agent-snat -o qg-4a6156af-6e -j SNAT --to-source 172.24.4.227
-A neutron-l3-agent-snat -m mark ! --mark 0x2/0xffff -m conntrack --ctstate DNAT -j SNAT --to-source 172.24.4.227

FIP 172.24.4.229 has been deassociated via dashboard console 

[root@ip-192-169-142-147 ~]#  ip netns exec qrouter-0f8b3d03-b229-4e86-8469-225648ea0b42 iptables -t nat -S | grep SNAT
-A neutron-l3-agent-float-snat -s 50.0.0.11/32 -j SNAT --to-source 172.24.4.228
-A neutron-l3-agent-snat -o qg-4a6156af-6e -j SNAT --to-source 172.24.4.227
-A neutron-l3-agent-snat -m mark ! --mark 0x2/0xffff -m conntrack --ctstate DNAT -j SNAT --to-source 172.24.4.227

I believe that second rule is providing outbound connectivity for VM without FIP.
Snat-namespace on Network Node works same way in case of DVR deployment, which
provides outbound connectivity for VMs without FIP.

 Neutron router has to assign shared IP to packets forwarding to Internet from VM without FIP, otherwise it won't be able to receive  HTTP response from external Network. Thus  iptables rules working on Neutron Router should be updated to support VM with no FIP
edit flag offensive delete link more

Comments

You're right. Instance without FIP will use router gateway IP to visit external network.

Herman Ge gravatar imageHerman Ge ( 2015-11-10 23:50:08 -0500 )edit

In my setup, router gateway IP is 172.168.0.52. On instance(no fip), ssh to two external nodes test-38 and test-40. TCP sessions are established with external nodes through router gateway 172.168.0.52 with different ports: 172.168.0.52:54081<->test-38:ssh ;172.168.0.52:42224<->test-40:ssh

Herman Ge gravatar imageHerman Ge ( 2015-11-10 23:52:55 -0500 )edit

These two mapping rules with IP and tcp port are not displayed in iptables. These rules should be exesited in some places. I want to know how to display these rules?

Herman Ge gravatar imageHerman Ge ( 2015-11-10 23:54:09 -0500 )edit

I mean how to display overlay to router gateway manpping rules? oerlay IP:port ->gateway:port 10.1.1.4:54081 ->172.168.0.52:54081 10.1.1.4:42224 ->172.168.0.52:42224

Herman Ge gravatar imageHerman Ge ( 2015-11-11 00:25:54 -0500 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2015-11-09 23:38:05 -0500

Seen: 722 times

Last updated: Nov 10 '15

Related questions

map VM floating IP to outside IP, to access VM instance.

SNAT DVR not working, missing iptables rules?

compute vlan network not able to send out dhcp requests

router allowing incoming packets but drops the outgoing -iptables? [closed]

neutron router iptables not hit

RDO CentOS 6.5 All-In-One Single NIC instances cannot access internet

Is it possible to tune UFW on Ubuntu 14.04 (12.04) to support IceHouse ?

nova spec provider firewall: is it implemented? any documentation?

iptables INVALID rule preventing RST packets on closed ports between VMs

Access internet from instance