Questions about SNAT rules in iptables
After creating an instance and a router (the instance is not associated with a floating IP), I SSH to an external VM from the instance. I think there should be NAT rules with the source IP and port in iptables for this SSH session. But the fact is that there are no PAT rules for this session in the namespace's iptables. The iptables output is listed below.
Can someone explain my confusion? Thanks!
[root@test ~(keystone_admin)]# ip netns exec qrouter-4b6c0922-d9f9-4f4d-b28d-be4f5c82a769 iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 2857K packets, 126M bytes)
pkts bytes target prot opt in out source destination
2857K 126M neutron-l3-agent-PREROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 2854K packets, 126M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2 packets, 140 bytes)
pkts bytes target prot opt in out source destination
3 224 neutron-l3-agent-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 7 packets, 540 bytes)
pkts bytes target prot opt in out source destination
2221 77452 neutron-l3-agent-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
2221 77452 neutron-postrouting-bottom all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-OUTPUT (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-l3-agent-POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- !qg-260ca1a1-5d !qg-260ca1a1-5d 0.0.0.0/0 0.0.0.0/0 ! ctstate DNAT
Chain neutron-l3-agent-PREROUTING (1 references)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- qr-+ * 0.0.0.0/0 169.254.169.254 tcp dpt:80 redir ports 9697
Chain neutron-l3-agent-float-snat (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-l3-agent-snat (1 references)
pkts bytes target prot opt in out source destination
2221 77452 neutron-l3-agent-float-snat all -- * * 0.0.0.0/0 0.0.0.0/0
1694 58556 SNAT all -- * qg-260ca1a1-5d 0.0.0.0/0 0.0.0.0/0 to:172.168.0.3
1 84 SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match ! 0x2/0xffff ctstate DNAT to:172.168.0.3
Chain neutron-postrouting-bottom (1 references)
pkts bytes target prot opt in out source destination
2221 77452 neutron-l3-agent-snat all -- * * 0.0.0.0/0 0.0.0.0/0 /* Perform source NAT on outgoing traffic. */
[root@test ~(keystone_admin)]#
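
One way to read the listing above, as an added example that is not part of the original post: the script parses `iptables -t nat -nvL` output and reports which SNAT rules have non-zero counters and whether any of them pins a source host or port. The sample input is the neutron-l3-agent-snat chain copied from the post; the function names and the "pinned" field are hypothetical.

```python
import re

# Constructed sample: the neutron-l3-agent-snat chain as it appears in the post.
SAMPLE = """\
Chain neutron-l3-agent-snat (1 references)
pkts bytes target prot opt in out source destination
2221 77452 neutron-l3-agent-float-snat all -- * * 0.0.0.0/0 0.0.0.0/0
1694 58556 SNAT all -- * qg-260ca1a1-5d 0.0.0.0/0 0.0.0.0/0 to:172.168.0.3
1 84 SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match ! 0x2/0xffff ctstate DNAT to:172.168.0.3
"""

UNITS = {"K": 10**3, "M": 10**6, "G": 10**9}

def count(field):
    """Convert an iptables counter such as '2857K' to an (approximate) integer."""
    return int(field[:-1]) * UNITS[field[-1]] if field[-1] in UNITS else int(field)

def snat_rules(listing):
    """Return every SNAT rule found in `iptables -t nat -nvL` output."""
    rules, chain = [], None
    for line in listing.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "Chain":
            chain = parts[1]  # remember which chain the following rules belong to
        elif parts[0] != "pkts" and len(parts) >= 9 and parts[2] == "SNAT":
            extra = " ".join(parts[9:])  # match options and the to: target
            to = re.search(r"to:(\S+)", extra)
            rules.append({
                "chain": chain,
                "pkts": count(parts[0]),
                "out_if": parts[6],
                "to": to.group(1) if to else None,
                # True only if the rule names a source host or a port (spt:/dpt:).
                "pinned": parts[7] != "0.0.0.0/0" or "pt:" in extra,
            })
    return rules

def hit_rules(listing):
    """SNAT rules whose packet counter is non-zero, busiest first."""
    hits = [r for r in snat_rules(listing) if r["pkts"]]
    return sorted(hits, key=lambda r: r["pkts"], reverse=True)

if __name__ == "__main__":
    for rule in hit_rules(SAMPLE):
        print(rule)
```

The nat table is consulted only for the first packet of each connection, so the 1694 counter on the qg-260ca1a1-5d rule counts connections, and no rule in the chain names a source address or port. The per-connection address and port mappings are kept in the connection-tracking table, which `conntrack -L` run inside the namespace lists, not in the rule set.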