I'm new to OpenStack. I'm using an RDO packstack --allinone setup.
All OpenStack nodes reside on a single machine with only one physical Ethernet interface (eth0, 192.168.0.11).
I launched two instances (Test6 and Test7), set up a public and a private network, then assigned floating IPs to both of them.
The public network is 192.168.0.192/26 and the private network is 10.0.0.0/24.
Test6 has 10.0.0.15 and 192.168.0.204; Test7 has 10.0.0.17 and 192.168.0.199.
A router connects Test6, Test7 and the public network: 10.0.0.1 on the private network, 192.168.0.203 on the public network.
On the private network, Test6, Test7 and the router can ping and reach each other (using either the public or the private addresses).
On the public network, no host can reach Test6, Test7 or the router (192.168.0.203), and the instances cannot reach the hosts either.
I think I am missing some iptables configuration for the bridge, but I haven't figured out what filter I should add.
On the host:
#ovs-vsctl show
bc3a6627-8bfa-4d4a-b75a-a360b1d9ebe2
Bridge br-int
Port patch-tun
Interface patch-tun
type: patch
options: {peer=patch-int}
Port "qvoa86f386a-84"
tag: 1
Interface "qvoa86f386a-84"
Port "tap816bfb16-c3"
tag: 4095
Interface "tap816bfb16-c3"
Port "qvof5f02caa-df"
tag: 1
Interface "qvof5f02caa-df"
Port "tapa37e0f14-18"
tag: 1
Interface "tapa37e0f14-18"
Port "qr-095473ef-8f"
tag: 1
Interface "qr-095473ef-8f"
type: internal
Port br-int
Interface br-int
type: internal
Port "qr-34feb8f5-dd"
tag: 2
Interface "qr-34feb8f5-dd"
type: internal
Bridge br-ex
Port "eth0"
Interface "eth0"
Port br-ex
Interface br-ex
type: internal
Bridge br-tun
Port patch-int
Interface patch-int
type: patch
options: {peer=patch-tun}
Port br-tun
Interface br-tun
type: internal
ovs_version: "1.11.0"
#iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 49201 packets, 7639K bytes)
pkts bytes target prot opt in out source destination
49201 7639K neutron-openvswi-PREROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
42619 6708K nova-api-metadat-PREROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
42619 6708K nova-api-PREROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 15292 packets, 934K bytes)
pkts bytes target prot opt in out source destination
15292 934K neutron-openvswi-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
15292 934K neutron-postrouting-bottom all -- * * 0.0.0.0/0 0.0.0.0/0
12768 779K nova-api-metadat-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
12791 781K nova-api-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
15292 934K nova-postrouting-bottom all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 15266 packets, 932K bytes)
pkts bytes target prot opt in out source destination
15266 932K neutron-openvswi-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
12760 779K nova-api-metadat-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
12783 780K nova-api-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-openvswi-OUTPUT (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-openvswi-POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-openvswi-PREROUTING (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-openvswi-float-snat (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-openvswi-snat (1 references)
pkts bytes target prot opt in out source destination
15292 934K neutron-openvswi-float-snat all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-postrouting-bottom (1 references)
pkts bytes target prot opt in out source destination
15292 934K neutron-openvswi-snat all -- * * 0.0.0.0/0 0.0.0.0/0
Chain nova-api-OUTPUT (1 references)
pkts bytes target prot opt in out source destination
Chain nova-api-POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
Chain nova-api-PREROUTING (1 references)
pkts bytes target prot opt in out source destination
Chain nova-api-float-snat (1 references)
pkts bytes target prot opt in out source destination
Chain nova-api-metadat-OUTPUT (1 references)
pkts bytes target prot opt in out source destination
Chain nova-api-metadat-POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
Chain nova-api-metadat-PREROUTING (1 references)
pkts bytes target prot opt in out source destination
Chain nova-api-metadat-float-snat (1 references)
pkts bytes target prot opt in out source destination
Chain nova-api-metadat-snat (1 references)
pkts bytes target prot opt in out source destination
12768 779K nova-api-metadat-float-snat all -- * * 0.0.0.0/0 0.0.0.0/0
Chain nova-api-snat (1 references)
pkts bytes target prot opt in out source destination
12791 781K nova-api-float-snat all -- * * 0.0.0.0/0 0.0.0.0/0
Chain nova-postrouting-bottom (1 references)
pkts bytes target prot opt in out source destination
12768 779K nova-api-metadat-snat all -- * * 0.0.0.0/0 0.0.0.0/0
12791 781K nova-api-snat all -- * * 0.0.0.0/0 0.0.0.0/0
#iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N neutron-filter-top
-N neutron-openvswi-FORWARD
-N neutron-openvswi-INPUT
-N neutron-openvswi-OUTPUT
-N neutron-openvswi-ia86f386a-8
-N neutron-openvswi-if5f02caa-d
-N neutron-openvswi-local
-N neutron-openvswi-oa86f386a-8
-N neutron-openvswi-of5f02caa-d
-N neutron-openvswi-sa86f386a-8
-N neutron-openvswi-sf5f02caa-d
-N neutron-openvswi-sg-chain
-N neutron-openvswi-sg-fallback
-N nova-api-FORWARD
-N nova-api-INPUT
-N nova-api-OUTPUT
-N nova-api-local
-N nova-api-metadat-FORWARD
-N nova-api-metadat-INPUT
-N nova-api-metadat-OUTPUT
-N nova-api-metadat-local
-N nova-filter-top
-A INPUT -j neutron-openvswi-INPUT
-A INPUT -j nova-api-metadat-INPUT
-A INPUT -j nova-api-INPUT
-A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 5671,5672 -m comment --comment "001 amqp incoming amqp_192.168.0.11" -j ACCEPT
-A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 5671,5672 -m comment --comment "001 amqp incoming amqp_192.168.0.81" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8777 -m comment --comment "001 ceilometer-api incoming ceilometer_api" -j ACCEPT
-A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 3260,8776 -m comment --comment "001 cinder incoming cinder_192.168.0.11" -j ACCEPT
-A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 3260,8776 -m comment --comment "001 cinder incoming cinder_192.168.0.81" -j ACCEPT
-A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming glance_192.168.0.11" -j ACCEPT
-A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming glance_192.168.0.81" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80 -m comment --comment "001 horizon 80 incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5000,35357 -m comment --comment "001 keystone incoming keystone" -j ACCEPT
-A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 27017 -m comment --comment "001 mongodb-server incoming swift_storage_and_rsync_192.168.0.11" -j ACCEPT
-A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 3306 -m comment --comment "001 mysql incoming mysql_192.168.0.11" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80 -m comment --comment "001 nagios incoming" -j ACCEPT
-A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 5666 -m comment --comment "001 nagios-nrpe incoming nagios_nrpe" -j ACCEPT
-A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 67 -m comment --comment "001 neutron dhcp in incoming neutron_dhcp_in_192.168.0.11_192.168.0.11" -j ACCEPT
-A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 67 -m comment --comment "001 neutron dhcp in incoming neutron_dhcp_in_192.168.0.81_192.168.0.81" -j ACCEPT
-A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 9696 -m comment --comment "001 neutron server incoming neutron_server_192.168.0.11_192.168.0.11" -j ACCEPT
-A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 9696 -m comment --comment "001 neutron server incoming neutron_server_192.168.0.81_192.168.0.81" -j ACCEPT
-A INPUT -p udp -m multiport --dports 4789 -m comment --comment "001 neutron tunnel port incoming neutron_tunnel" -j ACCEPT
-A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 5900:5999 -m comment --comment "001 nova compute incoming nova_compute" -j ACCEPT
-A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 49152:49215 -m comment --comment "001 nova qemu migration incoming nova_qemu_migration_192.168.0.11_192.168.0.11" -j ACCEPT
-A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 49152:49215 -m comment --comment "001 nova qemu migration incoming nova_qemu_migration_192.168.0.81_192.168.0.81" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8773,8774,8775 -m comment --comment "001 novaapi incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6080 -m comment --comment "001 novncproxy incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8080 -m comment --comment "001 swift proxy incoming" -j ACCEPT
-A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 6000,6001,6002,873 -m comment --comment "001 swift storage and rsync incoming swift_storage_and_rsync_192.168.0.11" -j ACCEPT
-A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 6000,6001,6002,873 -m comment --comment "001 swift storage and rsync incoming swift_storage_and_rsync_192.168.0.81" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-api-metadat-FORWARD
-A FORWARD -j nova-api-FORWARD
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-openvswi-OUTPUT
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-api-metadat-OUTPUT
-A OUTPUT -j nova-api-OUTPUT
-A OUTPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 68 -m comment --comment "001 neutron dhcp out outgoing neutron_dhcp_out_192.168.0.11_192.168.0.11" -j ACCEPT
-A OUTPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 68 -m comment --comment "001 neutron dhcp out outgoing neutron_dhcp_out_192.168.0.81_192.168.0.81" -j ACCEPT
-A neutron-filter-top -j neutron-openvswi-local
-A neutron-openvswi-FORWARD -m physdev --physdev-out tapf5f02caa-df --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tapf5f02caa-df --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-out tapa86f386a-84 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tapa86f386a-84 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-INPUT -m physdev --physdev-in tapf5f02caa-df --physdev-is-bridged -j neutron-openvswi-of5f02caa-d
-A neutron-openvswi-INPUT -m physdev --physdev-in tapa86f386a-84 --physdev-is-bridged -j neutron-openvswi-oa86f386a-8
-A neutron-openvswi-ia86f386a-8 -m state --state INVALID -j DROP
-A neutron-openvswi-ia86f386a-8 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-ia86f386a-8 -s 10.0.0.17/32 -j RETURN
-A neutron-openvswi-ia86f386a-8 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-ia86f386a-8 -p tcp -m tcp --dport 443 -j RETURN
-A neutron-openvswi-ia86f386a-8 -p icmp -j RETURN
-A neutron-openvswi-ia86f386a-8 -p tcp -m tcp --dport 80 -j RETURN
-A neutron-openvswi-ia86f386a-8 -s 10.0.0.16/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-ia86f386a-8 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-if5f02caa-d -m state --state INVALID -j DROP
-A neutron-openvswi-if5f02caa-d -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-if5f02caa-d -s 10.0.0.15/32 -j RETURN
-A neutron-openvswi-if5f02caa-d -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-if5f02caa-d -p tcp -m tcp --dport 443 -j RETURN
-A neutron-openvswi-if5f02caa-d -p icmp -j RETURN
-A neutron-openvswi-if5f02caa-d -p tcp -m tcp --dport 80 -j RETURN
-A neutron-openvswi-if5f02caa-d -s 10.0.0.16/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-if5f02caa-d -j neutron-openvswi-sg-fallback
-A neutron-openvswi-oa86f386a-8 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-oa86f386a-8 -j neutron-openvswi-sa86f386a-8
-A neutron-openvswi-oa86f386a-8 -p udp -m udp --sport 67 --dport 68 -j DROP
-A neutron-openvswi-oa86f386a-8 -m state --state INVALID -j DROP
-A neutron-openvswi-oa86f386a-8 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-oa86f386a-8 -j RETURN
-A neutron-openvswi-oa86f386a-8 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-of5f02caa-d -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-of5f02caa-d -j neutron-openvswi-sf5f02caa-d
-A neutron-openvswi-of5f02caa-d -p udp -m udp --sport 67 --dport 68 -j DROP
-A neutron-openvswi-of5f02caa-d -m state --state INVALID -j DROP
-A neutron-openvswi-of5f02caa-d -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-of5f02caa-d -j RETURN
-A neutron-openvswi-of5f02caa-d -j neutron-openvswi-sg-fallback
-A neutron-openvswi-sa86f386a-8 -s 10.0.0.15/32 -m mac --mac-source FA:16:3E:55:7F:B5 -j RETURN
-A neutron-openvswi-sa86f386a-8 -j DROP
-A neutron-openvswi-sf5f02caa-d -s 10.0.0.17/32 -m mac --mac-source FA:16:3E:AC:1F:2A -j RETURN
-A neutron-openvswi-sf5f02caa-d -j DROP
-A neutron-openvswi-sg-chain -m physdev --physdev-out tapf5f02caa-df --physdev-is-bridged -j neutron-openvswi-if5f02caa-d
-A neutron-openvswi-sg-chain -m physdev --physdev-in tapf5f02caa-df --physdev-is-bridged -j neutron-openvswi-of5f02caa-d
-A neutron-openvswi-sg-chain -m physdev --physdev-out tapa86f386a-84 --physdev-is-bridged -j neutron-openvswi-ia86f386a-8
-A neutron-openvswi-sg-chain -m physdev --physdev-in tapa86f386a-84 --physdev-is-bridged -j neutron-openvswi-oa86f386a-8
-A neutron-openvswi-sg-chain -j ACCEPT
-A neutron-openvswi-sg-fallback -j DROP
-A nova-api-INPUT -d 192.168.0.11/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-api-metadat-INPUT -d 192.168.0.11/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-filter-top -j nova-api-metadat-local
-A nova-filter-top -j nova-api-local
# ip netns exec qrouter-46f858f1-aec7-4516-b148-9110f7d9d90c iptables -L -nv -t nat
Chain PREROUTING (policy ACCEPT 1034 packets, 177K bytes)
pkts bytes target prot opt in out source destination
1040 177K neutron-l3-agent-PREROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 9 packets, 616 bytes)
pkts bytes target prot opt in out source destination
15 1120 neutron-l3-agent-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
12 868 neutron-postrouting-bottom all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 3 packets, 252 bytes)
pkts bytes target prot opt in out source destination
8 576 neutron-l3-agent-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-OUTPUT (1 references)
pkts bytes target prot opt in out source destination
5 324 DNAT all -- * * 0.0.0.0/0 192.168.0.199 to:10.0.0.17
0 0 DNAT all -- * * 0.0.0.0/0 192.168.0.204 to:10.0.0.15
Chain neutron-l3-agent-POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
3 252 ACCEPT all -- !qg-92cfa1a7-94 !qg-92cfa1a7-94 0.0.0.0/0 0.0.0.0/0 ! ctstate DNAT
Chain neutron-l3-agent-PREROUTING (1 references)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- * * 0.0.0.0/0 169.254.169.254 tcp dpt:80 redir ports 9697
0 0 DNAT all -- * * 0.0.0.0/0 192.168.0.199 to:10.0.0.17
0 0 DNAT all -- * * 0.0.0.0/0 192.168.0.204 to:10.0.0.15
Chain neutron-l3-agent-float-snat (1 references)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * * 10.0.0.17 0.0.0.0/0 to:192.168.0.199
0 0 SNAT all -- * * 10.0.0.15 0.0.0.0/0 to:192.168.0.204
Chain neutron-l3-agent-snat (1 references)
pkts bytes target prot opt in out source destination
12 868 neutron-l3-agent-float-snat all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 SNAT all -- * * 10.0.0.0/24 0.0.0.0/0 to:192.168.0.203
Chain neutron-postrouting-bottom (1 references)
pkts bytes target prot opt in out source destination
12 868 neutron-l3-agent-snat all -- * * 0.0.0.0/0 0.0.0.0/0
# ip netns exec qrouter-46f858f1-aec7-4516-b148-9110f7d9d90c iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N neutron-filter-top
-N neutron-l3-agent-FORWARD
-N neutron-l3-agent-INPUT
-N neutron-l3-agent-OUTPUT
-N neutron-l3-agent-local
-A INPUT -j neutron-l3-agent-INPUT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-l3-agent-FORWARD
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A neutron-filter-top -j neutron-l3-agent-local
-A neutron-l3-agent-INPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9697 -j ACCEPT