


asked 2014-05-25 12:22:47 -0600


Troubles with NAT (MASQUERADE): ICMP works, but not UDP/TCP

I have a host with a /29 available (so after removing 2 addresses for network/broadcast and 1 for IPMI, not a lot of IP address space). So I am looking to MASQUERADE out for my VMs (with no inbound needed). This is an all-in-one setup, running a flat network. I added `-t nat -A POSTROUTING -o eth0 -j MASQUERADE`.

Something interesting happens: my VMs can now ping the public internet (going through the masquerade), but cannot do TCP or UDP.

The control network of my VM is 172.16.1.0/24, and the VM has IP 172.16.1.16. I can ping 172.16.1.1, its default route (and the IP on my br-ex). My eth0 has a public IP (my only way of reaching this host).

What is causing this ability to ping (ICMP echo) but not to use TCP or UDP? I do not see those packets at all on my eth0 interface. E.g. when I tcpdump br-ex, I see the SYN packet I am trying to send from the VM. When I tcpdump on eth0, I do not see the SYN packet (with either the internal or the masqueraded source IP).

My neutron security group allows all inbound and all outbound traffic (protocol -1).

Any suggestions? How would you set up NAT for this setup? I don't really need floating IPs, since there is no way to reach the VMs anyway.

Is there a way to disable the SNAT, in case it is interfering?

    ifconfig -a
    br-ex     Link encap:Ethernet  HWaddr e2:27:cd:ae:cf:4c  
              inet addr:172.16.1.1  Bcast:172.16.1.255  Mask:255.255.255.0
              inet6 addr: fe80::86a:33ff:fe90:54c7/64 Scope:Link
              UP BROADCAST RUNNING  MTU:1500  Metric:1
              RX packets:1294 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1729 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:148260 (148.2 KB)  TX bytes:148149 (148.1 KB)

    br-int    Link encap:Ethernet  HWaddr 16:ce:e6:9f:62:40  
              inet6 addr: fe80::c0d:c6ff:fea2:dc98/64 Scope:Link
              UP BROADCAST RUNNING  MTU:1500  Metric:1
              RX packets:3138 errors:0 dropped:0 overruns:0 frame:0
              TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:543366 (543.3 KB)  TX bytes:648 (648.0 B)

    eth0      Link encap:Ethernet  HWaddr 60:eb:69:3e:97:04  
              inet addr:MYIP  Bcast:MYBCAST  Mask:255.255.255.248
              inet6 addr: fe80::62eb:69ff:fe3e:9704/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:745210 errors:0 dropped:0 overruns:0 frame:0
              TX packets:481915 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:347403469 (347.4 MB)  TX bytes:101782097 (101.7 MB)
              Memory:df6e0000-df700000 

    int-br-ex Link encap:Ethernet  HWaddr 46:30:6f:0d:11:4d  
              inet6 addr: fe80::4430:6fff:fe0d:114d/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1748 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1182 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:151444 (151.4 KB)  TX bytes:140024 (140.0 KB)

    lo        Link encap:Local Loopback  
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:25609045 errors:0 dropped:0 overruns:0 frame:0
              TX packets:25609045 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:40405564753 (40.4 GB)  TX bytes:40405564753 (40.4 GB)

    ovs-system Link encap:Ethernet  HWaddr fe:34:2e:f7:e7:1a  
              BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

    phy-br-ex Link encap:Ethernet  HWaddr a6:5d:82:b7:fa:c9  
              inet6 addr: fe80::a45d:82ff:feb7:fac9/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1182 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1748 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:140024 (140.0 KB)  TX bytes:151444 (151.4 KB)

    qbr059bd586-ae Link encap:Ethernet  HWaddr c2:1e:16:da:0f:7b  
              inet6 addr: fe80::306f:42ff:fe78:b2/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:357 errors:0 dropped:0 overruns:0 frame:0
              TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:37495 (37.4 KB)  TX bytes:816 (816.0 B)

    qbr126bb894-1c Link encap:Ethernet  HWaddr 00:00:00:00:00:00  
              inet6 addr: fe80::48c0:5dff:fe61:c6c2/64 Scope:Link
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:175 errors:0 dropped:0 overruns:0 frame:0
              TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:12880 (12.8 KB)  TX bytes:1026 (1.0 KB)

    qbrb84395d8-ef Link encap:Ethernet  HWaddr 00:00:00:00:00:00  
              inet6 addr: fe80::b4f3:69ff:fe28:dd84/64 Scope:Link
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:92 errors:0 dropped:0 overruns:0 frame:0
              TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:18184 (18.1 KB)  TX bytes:648 (648.0 B)

    qbre7e837b6-ce Link encap:Ethernet  HWaddr b6:13:ea:de:75:07  
              inet6 addr: fe80::c8a3:78ff:fe70:b24c/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:32 errors:0 dropped:0 overruns:0 frame:0
              TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:5536 (5.5 KB)  TX bytes:648 (648.0 B)

    qvb059bd586-ae Link encap:Ethernet  HWaddr c2:1e:16:da:0f:7b  
              inet6 addr: fe80::c01e:16ff:feda:f7b/64 Scope:Link
              UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
              RX packets:1727 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1080 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:149218 (149.2 KB)  TX bytes:124292 (124.2 KB)

    qvbe7e837b6-ce Link encap:Ethernet  HWaddr b6:13:ea:de:75:07  
              inet6 addr: fe80::b413:eaff:fede:7507/64 Scope:Link
              UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
              RX packets:14 errors:0 dropped:0 overruns:0 frame:0
              TX packets:36 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:1148 (1.1 KB)  TX bytes:6300 (6.3 KB)

    qvo059bd586-ae Link encap:Ethernet  HWaddr 92:ac:db:f6:62:ce  
              inet6 addr: fe80::90ac:dbff:fef6:62ce/64 Scope:Link
              UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
              RX packets:1080 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1727 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:124292 (124.2 KB)  TX bytes:149218 (149.2 KB)

    qvoe7e837b6-ce Link encap:Ethernet  HWaddr 3e:6e:0b:1a:a3:5a  
              inet6 addr: fe80::3c6e:bff:fe1a:a35a/64 Scope:Link
              UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
              RX packets:36 errors:0 dropped:0 overruns:0 frame:0
              TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:6300 (6.3 KB)  TX bytes:1148 (1.1 KB)

    tap059bd586-ae Link encap:Ethernet  HWaddr fe:16:3e:f0:1d:d6  
              inet6 addr: fe80::fc16:3eff:fef0:1dd6/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1390 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1724 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:500 
              RX bytes:161751 (161.7 KB)  TX bytes:148752 (148.7 KB)

    tape7e837b6-ce Link encap:Ethernet  HWaddr fe:16:3e:c5:81:5c  
              inet6 addr: fe80::fc16:3eff:fec5:815c/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:21 errors:0 dropped:0 overruns:0 frame:0
              TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:500 
              RX bytes:5094 (5.0 KB)  TX bytes:1128 (1.1 KB)

    vnet0     Link encap:Ethernet  HWaddr d6:8a:84:dc:13:d0  
              inet addr:172.16.0.1  Bcast:172.16.0.255  Mask:255.255.255.0
              inet6 addr: fe80::d48a:84ff:fedc:13d0/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:0 (0.0 B)  TX bytes:648 (648.0 B)

    sudo ovs-vsctl show
    604e6c21-b4c9-44b1-b2d6-c4aff8835c54
        Bridge br-int
            Port br-int
                Interface br-int
                    type: internal
            Port "qvo059bd586-ae"
                tag: 3
                Interface "qvo059bd586-ae"
            Port "qvoe7e837b6-ce"
                tag: 4
                Interface "qvoe7e837b6-ce"
            Port int-br-ex
                Interface int-br-ex
        Bridge br-ex
            Port "tap06ba7977-87"
                Interface "tap06ba7977-87"
                    type: internal
            Port phy-br-ex
                Interface phy-br-ex
            Port br-ex
                Interface br-ex
                    type: internal
            Port "tapd0cbe62c-79"
                Interface "tapd0cbe62c-79"
                    type: internal
        ovs_version: "2.0.1"
    neutron net-list
    +--------------------------------------+-----------+-----------------------------------------------------+
    | id                                   | name      | subnets                                             |
    +--------------------------------------+-----------+-----------------------------------------------------+
    | 40652eda-638d-497d-b108-8166e8dc3549 | public    | 5b3f5741-8ed0-41cf-b44f-566844b52cf1 172.16.1.0/24  |
    | ea2d9c43-d046-478f-ae31-f1434d4bef76 | p-service | 8aaa72a9-4952-48cc-b6ce-a0ba286ee269 172.16.10.0/24 |
    +--------------------------------------+-----------+-----------------------------------------------------+
    neutron subnet-list
    +--------------------------------------+---------------+----------------+---------------------------------------------------+
    | id                                   | name          | cidr           | allocation_pools                                  |
    +--------------------------------------+---------------+----------------+---------------------------------------------------+
    | 5b3f5741-8ed0-41cf-b44f-566844b52cf1 | 172.16.1.0/24 | 172.16.1.0/24  | {"start": "172.16.1.10", "end": "172.16.1.254"}   |
    | 8aaa72a9-4952-48cc-b6ce-a0ba286ee269 | p-service     | 172.16.10.0/24 | {"start": "172.16.10.10", "end": "172.16.10.100"} |
    +--------------------------------------+---------------+----------------+---------------------------------------------------+
    neutron port-list
    +--------------------------------------+-----------+-------------------+-------------------------------------------------------------------------------------+
    | id                                   | name      | mac_address       | fixed_ips                                                                           |
    +--------------------------------------+-----------+-------------------+-------------------------------------------------------------------------------------+
    | 059bd586-ae75-417b-8a1b-8c31f5bcc1da |           | fa:16:3e:f0:1d:d6 | {"subnet_id": "5b3f5741-8ed0-41cf-b44f-566844b52cf1", "ip_address": "172.16.1.16"}  |
    | 06ba7977-87dc-4021-96d7-d18b3dada228 |           | fa:16:3e:12:b4:ab | {"subnet_id": "5b3f5741-8ed0-41cf-b44f-566844b52cf1", "ip_address": "172.16.1.11"}  |
    | d0cbe62c-7972-4819-9cfe-04be28ec80b1 |           | fa:16:3e:5e:68:7f | {"subnet_id": "8aaa72a9-4952-48cc-b6ce-a0ba286ee269", "ip_address": "172.16.10.11"} |
    | e32ded9b-d38c-4e17-9ccb-538727b48c18 |           | fa:16:3e:52:a2:cf | {"subnet_id": "8aaa72a9-4952-48cc-b6ce-a0ba286ee269", "ip_address": "172.16.10.1"}  |
    | e7e837b6-cefb-4c29-aead-37b70fcd8a43 | p-service | fa:16:3e:c5:81:5c | {"subnet_id": "8aaa72a9-4952-48cc-b6ce-a0ba286ee269", "ip_address": "172.16.10.10"} |
    +--------------------------------------+-----------+-------------------+-------------------------------------------------------------------------------------+
    ip netns list
    qdhcp-ea2d9c43-d046-478f-ae31-f1434d4bef76
    qdhcp-40652eda-638d-497d-b108-8166e8dc3549
    sudo ip netns exec qdhcp-ea2d9c43-d046-478f-ae31-f1434d4bef76 ifconfig -a
    lo        Link encap:Local Loopback  
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

    tapd0cbe62c-79 Link encap:Ethernet  HWaddr fa:16:3e:5e:68:7f  
              inet addr:172.16.10.11  Bcast:172.16.10.255  Mask:255.255.255.0
              inet6 addr: fe80::f816:3eff:fe5e:687f/64 Scope:Link
              UP BROADCAST RUNNING  MTU:1500  Metric:1
              RX packets:35 errors:0 dropped:0 overruns:0 frame:0
              TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:3908 (3.9 KB)  TX bytes:828 (828.0 B)

    sudo ip netns exec qdhcp-40652eda-638d-497d-b108-8166e8dc3549 ifconfig -a
    lo        Link encap:Local Loopback  
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:4 errors:0 dropped:0 overruns:0 frame:0
              TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:2304 (2.3 KB)  TX bytes:2304 (2.3 KB)

    tap06ba7977-87 Link encap:Ethernet  HWaddr fa:16:3e:12:b4:ab  
              inet addr:172.16.1.11  Bcast:172.16.1.255  Mask:255.255.255.0
              inet6 addr: fe80::f816:3eff:fe12:b4ab/64 Scope:Link
              UP BROADCAST RUNNING  MTU:1500  Metric:1
              RX packets:78 errors:0 dropped:0 overruns:0 frame:0
              TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:8878 (8.8 KB)  TX bytes:2601 (2.6 KB)

    ps -ef |grep [d]nsmasq
    nobody    2143     1  0 May24 ?        00:00:00 dnsmasq --no-hosts --no-resolv --strict-order --bind-interfaces --interface=tap06ba7977-87 --except-interface=lo --pid-file=/var/lib/neutron/dhcp/40652eda-638d-497d-b108-8166e8dc3549/pid --dhcp-hostsfile=/var/lib/neutron/dhcp/40652eda-638d-497d-b108-8166e8dc3549/host --addn-hosts=/var/lib/neutron/dhcp/40652eda-638d-497d-b108-8166e8dc3549/addn_hosts --dhcp-optsfile=/var/lib/neutron/dhcp/40652eda-638d-497d-b108-8166e8dc3549/opts --leasefile-ro --dhcp-range=set:tag0,172.16.1.0,static,86400s --dhcp-lease-max=256 --conf-file=/etc/neutron/dnsmasq.conf --server=8.8.8.8 --domain=stack
    nobody    7513     1  0 00:03 ?        00:00:00 dnsmasq --no-hosts --no-resolv --strict-order --bind-interfaces --interface=tapd0cbe62c-79 --except-interface=lo --pid-file=/var/lib/neutron/dhcp/ea2d9c43-d046-478f-ae31-f1434d4bef76/pid --dhcp-hostsfile=/var/lib/neutron/dhcp/ea2d9c43-d046-478f-ae31-f1434d4bef76/host --addn-hosts=/var/lib/neutron/dhcp/ea2d9c43-d046-478f-ae31-f1434d4bef76/addn_hosts --dhcp-optsfile=/var/lib/neutron/dhcp/ea2d9c43-d046-478f-ae31-f1434d4bef76/opts --leasefile-ro --dhcp-range=set:tag0,172.16.10.0,static,86400s --dhcp-lease-max=256 --conf-file=/etc/neutron/dnsmasq.conf --server=8.8.8.8 --domain=stack
    sudo ufw status
    Status: active

    To                         Action      From
    --                         ------      ----
    22                         ALLOW       Anywhere
    Anywhere                   ALLOW       MYWORK
    Anywhere                   ALLOW       MYHOME
    mosh                       ALLOW       Anywhere
    443                        ALLOW       Anywhere
    22 (v6)                    ALLOW       Anywhere (v6)
    mosh (v6)                  ALLOW       Anywhere (v6)
    443 (v6)                   ALLOW       Anywhere (v6)

= /etc/neutron/neutron.conf =

    [DEFAULT]
    nova_admin_auth_url = http://MYHOST:35357/v2.0
    nova_admin_tenant_id = 30efe661299849d5981daa66e93296a0
    nova_admin_password = password
    nova_admin_username = nova
    nova_url = http://MYHOST:8774/v2
    notify_nova_on_port_data_changes = True
    notify_nova_on_port_status_change = True
    auth_strategy = keystone
    allow_overlapping_ips = True
    policy_file = /etc/neutron/policy.json
    debug = False
    verbose = False
    service_plugins = neutron.services.l3_router.l3_router_plugin.L3RouterPlugin
    core_plugin = neutron.plugins.ml2.plugin.Ml2Plugin
    rabbit_password = guest
    rabbit_hosts = localhost
    rabbit_host = localhost
    rpc_backend = neutron.openstack.common.rpc.impl_kombu
    state_path = /var/lib/neutron
    lock_path = $state_path/lock
    log_date_format = %Y-%m-%d %H:%M:%S
    notification_driver = neutron.openstack.common.notifier.rpc_notifier
    [quotas]
    [agent]
    root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
    [keystone_authtoken]
    auth_uri = http://MYHOST:5000
    auth_host = MYHOST
    auth_port = 35357
    auth_protocol = http
    admin_tenant_name = service
    admin_user = neutron
    admin_password = password
    signing_dir = /var/cache/neutron
    [database]
    [service_providers]
    service_provider=LOADBALANCER:Haproxy:neutron.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default
    service_provider=VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default

= /etc/neutron/plugins/ml2/ml2_conf.ini =

    [ml2]
    type_drivers = local,flat
    mechanism_drivers = openvswitch
    tenant_network_types = local,flat
    [ml2_type_flat]
    flat_networks = *
    [ml2_type_vlan]
    [ml2_type_gre]
    tunnel_id_ranges = 1:1000
    [ml2_type_vxlan]
    vni_ranges = 1001:2000
    [database]
    connection = mysql://root:password@127.0.0.1/neutron_ml2?charset=utf8
    [securitygroup]
    enable_security_group = True
    firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
    [ovs]
    tenant_network_type = flat
    integration_bridge = br-int
    local_ip = MYIP
    enable_tunneling = False
    network_vlan_ranges = physnet1
    bridge_mappings = physnet1:br-ex
    [linux_bridge]
    physical_interface_mappings = 
    [vlans]
    network_vlan_ranges =
    tenant_network_type = local
    [vxlan]
    enable_vxlan = False
    l2_population = False
    [agent]
    root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
    [l2pop]
    agent_boot_time = 180

= /etc/neutron/l3_agent.ini =

    [DEFAULT]
    l3_agent_manager = neutron.agent.l3_agent.L3NATAgentWithStateReport
    external_network_bridge = br-ex
    interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
    ovs_use_veth = False
    root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
    use_namespaces = True
    debug = True
    verbose = True
    router_delete_namespaces = True

= /etc/neutron/dhcp_agent.ini =

    [DEFAULT]
    dhcp_agent_manager = neutron.agent.dhcp_agent.DhcpAgentWithStateReport
    interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
    ovs_use_veth = False
    root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
    use_namespaces = True
    debug = True
    verbose = True
    ovs_integration_bridge = br-ex
    dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
    dhcp_domain = stack
    dnsmasq_config_file = /etc/neutron/dnsmasq.conf
    dnsmasq_dns_servers = 8.8.8.8

= /etc/network/interfaces =

    auto lo
    iface lo inet loopback
    auto eth0
    iface eth0 inet static
        address MYIP
        netmask 255.255.255.248
        gateway MY-UPSTREAM-GW
        dns-nameservers 8.8.8.8 8.8.4.4
        up iptables -t nat -I POSTROUTING 1 -j MASQUERADE -o eth0
        down iptables -t nat -D POSTROUTING 1 -j MASQUERADE -o eth0
    auto br-ex
    iface br-ex inet static
            address 172.16.1.1
            netmask 255.255.255.0
        dns-nameservers 8.8.8.8 8.8.4.4
            #bridge_ports none
            #bridge_maxwait 0
            #bridge_fd 1
            #up iptables -t nat -I POSTROUTING -s 172.16.1.0/24 -j MASQUERADE 
            #down iptables -t nat -D POSTROUTING -s 172.16.1.0/24 -j MASQUERADE
    auto vnet0
    iface vnet0 inet static
            address 172.16.0.1
            netmask 255.255.255.0
        dns-nameservers 8.8.8.8 8.8.4.4
            bridge_ports none
            bridge_maxwait 0
            bridge_fd 1
            up iptables -t nat -I POSTROUTING -s 172.16.0.0/24 -j MASQUERADE 
            down iptables -t nat -D POSTROUTING -s 172.16.0.0/24 -j MASQUERADE
    sudo iptables-save
    # Generated by iptables-save v1.4.21 on Sun May 25 13:18:03 2014
    *mangle
    :PREROUTING ACCEPT [30551:13804280]
    :INPUT ACCEPT [30546:13803908]
    :FORWARD ACCEPT [5:372]
    :OUTPUT ACCEPT [30452:13814980]
    :POSTROUTING ACCEPT [30455:13815232]
    :nova-api-POSTROUTING - [0:0]
    :nova-network-POSTROUTING - [0:0]
    -A POSTROUTING -j nova-network-POSTROUTING
    -A POSTROUTING -j nova-api-POSTROUTING
    COMMIT
    # Completed on Sun May 25 13:18:03 2014
    # Generated by iptables-save v1.4.21 on Sun May 25 13:18:03 2014
    *nat
    :PREROUTING ACCEPT [4:244]
    :INPUT ACCEPT [1:40]
    :OUTPUT ACCEPT [255:15316]
    :POSTROUTING ACCEPT [254:15240]
    :neutron-openvswi-OUTPUT - [0:0]
    :neutron-openvswi-POSTROUTING - [0:0]
    :neutron-openvswi-PREROUTING - [0:0]
    :neutron-openvswi-float-snat - [0:0]
    :neutron-openvswi-snat - [0:0]
    :neutron-postrouting-bottom - [0:0]
    :nova-api-OUTPUT - [0:0]
    :nova-api-POSTROUTING - [0:0]
    :nova-api-PREROUTING - [0:0]
    :nova-api-float-snat - [0:0]
    :nova-api-snat - [0:0]
    :nova-postrouting-bottom - [0:0]
    -A PREROUTING -j neutron-openvswi-PREROUTING
    -A PREROUTING -j nova-api-PREROUTING
    -A OUTPUT -j neutron-openvswi-OUTPUT
    -A OUTPUT -j nova-api-OUTPUT
    -A POSTROUTING -j neutron-openvswi-POSTROUTING
    -A POSTROUTING -j neutron-postrouting-bottom
    -A POSTROUTING -j nova-api-POSTROUTING
    -A POSTROUTING -j nova-postrouting-bottom
    -A POSTROUTING -s 172.16.0.0/24 -j MASQUERADE
    -A POSTROUTING -o eth0 -j MASQUERADE
    -A neutron-openvswi-snat -j neutron-openvswi-float-snat
    -A neutron-postrouting-bottom -j neutron-openvswi-snat
    -A nova-api-snat -j nova-api-float-snat
    -A nova-postrouting-bottom -j nova-api-snat
    COMMIT
    # Completed on Sun May 25 13:18:03 2014
    # Generated by iptables-save v1.4.21 on Sun May 25 13:18:03 2014
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [2:120]
    :OUTPUT ACCEPT [0:0]
    :neutron-filter-top - [0:0]
    :neutron-openvswi-FORWARD - [0:0]
    :neutron-openvswi-INPUT - [0:0]
    :neutron-openvswi-OUTPUT - [0:0]
    :neutron-openvswi-i059bd586-a - [0:0]
    :neutron-openvswi-ie7e837b6-c - [0:0]
    :neutron-openvswi-local - [0:0]
    :neutron-openvswi-o059bd586-a - [0:0]
    :neutron-openvswi-oe7e837b6-c - [0:0]
    :neutron-openvswi-s059bd586-a - [0:0]
    :neutron-openvswi-se7e837b6-c - [0:0]
    :neutron-openvswi-sg-chain - [0:0]
    :neutron-openvswi-sg-fallback - [0:0]
    :nova-api-FORWARD - [0:0]
    :nova-api-INPUT - [0:0]
    :nova-api-OUTPUT - [0:0]
    :nova-api-local - [0:0]
    :nova-filter-top - [0:0]
    :ufw-after-forward - [0:0]
    :ufw-after-input - [0:0]
    :ufw-after-logging-forward - [0:0]
    :ufw-after-logging-input - [0:0]
    :ufw-after-logging-output - [0:0]
    :ufw-after-output - [0:0]
    :ufw-before-forward - [0:0]
    :ufw-before-input - [0:0]
    :ufw-before-logging-forward - [0:0]
    :ufw-before-logging-input - [0:0]
    :ufw-before-logging-output - [0:0]
    :ufw-before-output - [0:0]
    :ufw-logging-allow - [0:0]
    :ufw-logging-deny - [0:0]
    :ufw-not-local - [0:0]
    :ufw-reject-forward - [0:0]
    :ufw-reject-input - [0:0]
    :ufw-reject-output - [0:0]
    :ufw-skip-to-policy-forward - [0:0]
    :ufw-skip-to-policy-input - [0:0]
    :ufw-skip-to-policy-output - [0:0]
    :ufw-track-forward - [0:0]
    :ufw-track-input - [0:0]
    :ufw-track-output - [0:0]
    :ufw-user-forward - [0:0]
    :ufw-user-input - [0:0]
    :ufw-user-limit - [0:0]
    :ufw-user-limit-accept - [0:0]
    :ufw-user-logging-forward - [0:0]
    :ufw-user-logging-input - [0:0]
    :ufw-user-logging-output - [0:0]
    :ufw-user-output - [0:0]
    -A INPUT -j neutron-openvswi-INPUT
    -A INPUT -j nova-api-INPUT
    -A INPUT -j ufw-before-logging-input
    -A INPUT -j ufw-before-input
    -A INPUT -j ufw-after-input
    -A INPUT -j ufw-after-logging-input
    -A INPUT -j ufw-reject-input
    -A INPUT -j ufw-track-input
    -A FORWARD -j neutron-filter-top
    -A FORWARD -j neutron-openvswi-FORWARD
    -A FORWARD -j nova-filter-top
    -A FORWARD -j nova-api-FORWARD
    -A FORWARD -j ufw-before-logging-forward
    -A FORWARD -j ufw-before-forward
    -A FORWARD -j ufw-after-forward
    -A FORWARD -j ufw-after-logging-forward
    -A FORWARD -j ufw-reject-forward
    -A FORWARD -j ufw-track-forward
    -A OUTPUT -j neutron-filter-top
    -A OUTPUT -j neutron-openvswi-OUTPUT
    -A OUTPUT -j nova-filter-top
    -A OUTPUT -j nova-api-OUTPUT
    -A OUTPUT -j ufw-before-logging-output
    -A OUTPUT -j ufw-before-output
    -A OUTPUT -j ufw-after-output
    -A OUTPUT -j ufw-after-logging-output
    -A OUTPUT -j ufw-reject-output
    -A OUTPUT -j ufw-track-output
    -A neutron-filter-top -j neutron-openvswi-local
    -A neutron-openvswi-FORWARD -m physdev --physdev-out tap059bd586-ae --physdev-is-bridged -j neutron-openvswi-sg-chain
    -A neutron-openvswi-FORWARD -m physdev --physdev-in tap059bd586-ae --physdev-is-bridged -j neutron-openvswi-sg-chain
    -A neutron-openvswi-FORWARD -m physdev --physdev-out tape7e837b6-ce --physdev-is-bridged -j neutron-openvswi-sg-chain
    -A neutron-openvswi-FORWARD -m physdev --physdev-in tape7e837b6-ce --physdev-is-bridged -j neutron-openvswi-sg-chain
    -A neutron-openvswi-INPUT -m physdev --physdev-in tap059bd586-ae --physdev-is-bridged -j neutron-openvswi-o059bd586-a
    -A neutron-openvswi-INPUT -m physdev --physdev-in tape7e837b6-ce --physdev-is-bridged -j neutron-openvswi-oe7e837b6-c
    -A neutron-openvswi-i059bd586-a -m state --state INVALID -j DROP
    -A neutron-openvswi-i059bd586-a -m state --state RELATED,ESTABLISHED -j RETURN
    -A neutron-openvswi-i059bd586-a -p icmp -j RETURN
    -A neutron-openvswi-i059bd586-a -p udp -m udp -m multiport --dports 1:65535 -j RETURN
    -A neutron-openvswi-i059bd586-a -p tcp -m tcp -m multiport --dports 1:65535 -j RETURN
    -A neutron-openvswi-i059bd586-a -j RETURN
    -A neutron-openvswi-i059bd586-a -s 172.16.1.11/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
    -A neutron-openvswi-i059bd586-a -j neutron-openvswi-sg-fallback
    -A neutron-openvswi-ie7e837b6-c -m state --state INVALID -j DROP
    -A neutron-openvswi-ie7e837b6-c -m state --state RELATED,ESTABLISHED -j RETURN
    -A neutron-openvswi-ie7e837b6-c -p icmp -j RETURN
    -A neutron-openvswi-ie7e837b6-c -p udp -m udp -m multiport --dports 1:65535 -j RETURN
    -A neutron-openvswi-ie7e837b6-c -p tcp -m tcp -m multiport --dports 1:65535 -j RETURN
    -A neutron-openvswi-ie7e837b6-c -j RETURN
    -A neutron-openvswi-ie7e837b6-c -s 172.16.10.11/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
    -A neutron-openvswi-ie7e837b6-c -j neutron-openvswi-sg-fallback
    -A neutron-openvswi-o059bd586-a -p udp -m udp --sport 68 --dport 67 -j RETURN
    -A neutron-openvswi-o059bd586-a -j neutron-openvswi-s059bd586-a
    -A neutron-openvswi-o059bd586-a -p udp -m udp --sport 67 --dport 68 -j DROP
    -A neutron-openvswi-o059bd586-a -m state --state INVALID -j DROP
    -A neutron-openvswi-o059bd586-a -m state --state RELATED,ESTABLISHED -j RETURN
    -A neutron-openvswi-o059bd586-a -j RETURN
    -A neutron-openvswi-o059bd586-a -j RETURN
    -A neutron-openvswi-o059bd586-a -j neutron-openvswi-sg-fallback
    -A neutron-openvswi-oe7e837b6-c -p udp -m udp --sport 68 --dport 67 -j RETURN
    -A neutron-openvswi-oe7e837b6-c -j neutron-openvswi-se7e837b6-c
    -A neutron-openvswi-oe7e837b6-c -p udp -m udp --sport 67 --dport 68 -j DROP
    -A neutron-openvswi-oe7e837b6-c -m state --state INVALID -j DROP
    -A neutron-openvswi-oe7e837b6-c -m state --state RELATED,ESTABLISHED -j RETURN
    -A neutron-openvswi-oe7e837b6-c -j RETURN
    -A neutron-openvswi-oe7e837b6-c -j RETURN
    -A neutron-openvswi-oe7e837b6-c -j neutron-openvswi-sg-fallback
    -A neutron-openvswi-s059bd586-a -s 172.16.1.16/32 -m mac --mac-source FA:16:3E:F0:1D:D6 -j RETURN
    -A neutron-openvswi-s059bd586-a -j DROP
    -A neutron-openvswi-se7e837b6-c -s 172.16.10.10/32 -m mac --mac-source FA:16:3E:C5:81:5C -j RETURN
    -A neutron-openvswi-se7e837b6-c -j DROP
    -A neutron-openvswi-sg-chain -m physdev --physdev-out tap059bd586-ae --physdev-is-bridged -j neutron-openvswi-i059bd586-a
    -A neutron-openvswi-sg-chain -m physdev --physdev-in tap059bd586-ae --physdev-is-bridged -j neutron-openvswi-o059bd586-a
    -A neutron-openvswi-sg-chain -m physdev --physdev-out tape7e837b6-ce --physdev-is-bridged -j neutron-openvswi-ie7e837b6-c
    -A neutron-openvswi-sg-chain -m physdev --physdev-in tape7e837b6-ce --physdev-is-bridged -j neutron-openvswi-oe7e837b6-c
    -A neutron-openvswi-sg-chain -j ACCEPT
    -A neutron-openvswi-sg-fallback -j DROP
    -A nova-api-INPUT -d 127.0.1.1/32 -p tcp -m tcp --dport 8775 -j ACCEPT
    -A nova-filter-top -j nova-api-local
    -A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
    -A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
    -A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
    -A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
    -A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
    -A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
    -A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
    -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
    -A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
    -A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A ufw-before-forward -j ufw-user-forward
    -A ufw-before-input -i lo -j ACCEPT
    -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
    -A ufw-before-input -m conntrack --ctstate INVALID -j DROP
    -A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
    -A ufw-before-input -j ufw-not-local
    -A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
    -A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
    -A ufw-before-input -j ufw-user-input
    -A ufw-before-output -o lo -j ACCEPT
    -A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-output -j ufw-user-output
    -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
    -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
    -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
    -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
    -A ufw-not-local -j DROP
    -A ufw-skip-to-policy-forward -j DROP
    -A ufw-skip-to-policy-input -j DROP
    -A ufw-skip-to-policy-output -j ACCEPT
    -A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
    -A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
    -A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
    -A ufw-user-input -p udp -m udp --dport 22 -j ACCEPT
    -A ufw-user-input -s MYWORK/32 -j ACCEPT
    -A ufw-user-input -s MYHOME/32 -j ACCEPT
    -A ufw-user-input -p udp -m multiport --dports 60000:61000 -m comment --comment "\'dapp_mosh\'" -j ACCEPT
    -A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT
    -A ufw-user-input -p udp -m udp --dport 443 -j ACCEPT
    -A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
    -A ufw-user-limit-accept -j ACCEPT
    -A ufw-user-logging-forward -j RETURN
    -A ufw-user-logging-input -j RETURN
    -A ufw-user-logging-output -j RETURN
    COMMIT
    # Completed on Sun May 25 13:18:03 2014