
VMs cannot access internet (nova-network)

Hi,

I see that this has been asked a lot, but I just could not find how to fix it in my setup. The problem is that I cannot access the internet from within the VM. Following the OpenStack network troubleshooting guide, it seems that the problem is related to the firewall.

  • I can access VMs through their private / public IPs
  • VMs can ping each other
  • I can ping the compute node from the VM
  • I can see the ping on the compute node that spawned the VM

    root@16e854c5a23c:/# tcpdump -i any -n -v \ 'icmp[icmptype] = icmp-echoreply or icmp[icmptype] =icmp-echo'
    tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
    
    19:58:02.029020 IP (tos 0x0, ttl 64, id 5373, offset 0, flags [DF], proto ICMP (1), length 84)
        10.1.1.2 > 8.8.8.8: ICMP echo request, id 18433, seq 5, length 64
    

I tried iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE, but that does not make any difference, even after recreating the VM. I have only one interface (eth0), which is declared as both flat and public in nova.conf. If I use a different hypervisor - nova-docker - it works: I can access the internet from the VM (a docker container).

OpenStack is installed following the apt install guide for OpenStack Icehouse.

Here is the output of iptables-save:

    # Generated by iptables-save v1.4.21 on Mon Nov  3 19:58:59 2014
    *mangle
    :PREROUTING ACCEPT [10990:16309178]
    :INPUT ACCEPT [10338:16251055]
    :FORWARD ACCEPT [702:73621]
    :OUTPUT ACCEPT [12413:2791856]
    :POSTROUTING ACCEPT [13098:2862397]
    :nova-api-metadat-POSTROUTING - [0:0]
    :nova-compute-POSTROUTING - [0:0]
    :nova-network-POSTROUTING - [0:0]
    -A POSTROUTING -j nova-network-POSTROUTING
    -A POSTROUTING -j nova-compute-POSTROUTING
    -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
    -A POSTROUTING -j nova-api-metadat-POSTROUTING
    COMMIT
    # Completed on Mon Nov  3 19:58:59 2014
    # Generated by iptables-save v1.4.21 on Mon Nov  3 19:58:59 2014
    *nat
    :PREROUTING ACCEPT [13:1621]
    :INPUT ACCEPT [20:1242]
    :OUTPUT ACCEPT [9:1896]
    :POSTROUTING ACCEPT [15:1717]
    :nova-api-metadat-OUTPUT - [0:0]
    :nova-api-metadat-POSTROUTING - [0:0]
    :nova-api-metadat-PREROUTING - [0:0]
    :nova-api-metadat-float-snat - [0:0]
    :nova-api-metadat-snat - [0:0]
    :nova-compute-OUTPUT - [0:0]
    :nova-compute-POSTROUTING - [0:0]
    :nova-compute-PREROUTING - [0:0]
    :nova-compute-float-snat - [0:0]
    :nova-compute-snat - [0:0]
    :nova-network-OUTPUT - [0:0]
    :nova-network-POSTROUTING - [0:0]
    :nova-network-PREROUTING - [0:0]
    :nova-network-float-snat - [0:0]
    :nova-network-snat - [0:0]
    :nova-postrouting-bottom - [0:0]
    -A PREROUTING -j nova-network-PREROUTING
    -A PREROUTING -j nova-compute-PREROUTING
    -A PREROUTING -j nova-api-metadat-PREROUTING
    -A OUTPUT -j nova-network-OUTPUT
    -A OUTPUT -j nova-compute-OUTPUT
    -A OUTPUT -j nova-api-metadat-OUTPUT
    -A POSTROUTING -j nova-network-POSTROUTING
    -A POSTROUTING -j nova-compute-POSTROUTING
    -A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
    -A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
    -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
    -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
    -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
    -A POSTROUTING -j nova-api-metadat-POSTROUTING
    -A POSTROUTING -j nova-postrouting-bottom
    -A POSTROUTING -o eth0 -j MASQUERADE
    -A nova-api-metadat-snat -j nova-api-metadat-float-snat
    -A nova-compute-snat -j nova-compute-float-snat
    -A nova-network-OUTPUT -d 172.17.10.1/32 -j DNAT --to-destination 10.1.1.2
    -A nova-network-POSTROUTING -s 10.1.1.0/24 -d 172.17.0.77/32 -j ACCEPT
    -A nova-network-POSTROUTING -s 10.1.1.0/24 -d 10.1.1.0/24 -m conntrack ! --ctstate DNAT -j ACCEPT
    -A nova-network-POSTROUTING -s 10.1.1.2/32 -m conntrack --ctstate DNAT -j SNAT --to-source 172.17.10.1
    -A nova-network-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.0.77:8775
    -A nova-network-PREROUTING -d 172.17.10.1/32 -j DNAT --to-destination 10.1.1.2
    -A nova-network-float-snat -s 10.1.1.2/32 -d 10.1.1.2/32 -j SNAT --to-source 172.17.10.1
    -A nova-network-float-snat -s 10.1.1.2/32 -o eth0 -j SNAT --to-source 172.17.10.1
    -A nova-network-snat -j nova-network-float-snat
    -A nova-network-snat -s 10.1.1.0/24 -o eth0 -j SNAT --to-source 172.17.0.77
    -A nova-postrouting-bottom -j nova-network-snat
    -A nova-postrouting-bottom -j nova-compute-snat
    -A nova-postrouting-bottom -j nova-api-metadat-snat
    COMMIT
    # Completed on Mon Nov  3 19:58:59 2014
    # Generated by iptables-save v1.4.21 on Mon Nov  3 19:58:59 2014
    *filter
    :INPUT ACCEPT [10113:16226850]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [12074:2751157]
    :nova-api-metadat-FORWARD - [0:0]
    :nova-api-metadat-INPUT - [0:0]
    :nova-api-metadat-OUTPUT - [0:0]
    :nova-api-metadat-local - [0:0]
    :nova-compute-FORWARD - [0:0]
    :nova-compute-INPUT - [0:0]
    :nova-compute-OUTPUT - [0:0]
    :nova-compute-inst-3 - [0:0]
    :nova-compute-local - [0:0]
    :nova-compute-provider - [0:0]
    :nova-compute-sg-fallback - [0:0]
    :nova-filter-top - [0:0]
    :nova-network-FORWARD - [0:0]
    :nova-network-INPUT - [0:0]
    :nova-network-OUTPUT - [0:0]
    :nova-network-local - [0:0]
    -A INPUT -j nova-network-INPUT
    -A INPUT -j nova-compute-INPUT
    -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
    -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
    -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
    -A INPUT -j nova-api-metadat-INPUT
    -A FORWARD -j nova-filter-top
    -A FORWARD -j nova-network-FORWARD
    -A FORWARD -j nova-compute-FORWARD
    -A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
    -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
    -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -j nova-api-metadat-FORWARD
    -A OUTPUT -j nova-filter-top
    -A OUTPUT -j nova-network-OUTPUT
    -A OUTPUT -j nova-compute-OUTPUT
    -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
    -A OUTPUT -j nova-api-metadat-OUTPUT
    -A nova-api-metadat-INPUT -d 172.17.0.77/32 -p tcp -m tcp --dport 8775 -j ACCEPT
    -A nova-compute-FORWARD -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
    -A nova-compute-INPUT -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
    -A nova-compute-inst-3 -m state --state INVALID -j DROP
    -A nova-compute-inst-3 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A nova-compute-inst-3 -j nova-compute-provider
    -A nova-compute-inst-3 -s 10.1.1.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
    -A nova-compute-inst-3 -p tcp -m tcp --dport 22 -j ACCEPT
    -A nova-compute-inst-3 -p icmp -j ACCEPT
    -A nova-compute-inst-3 -j nova-compute-sg-fallback
    -A nova-compute-local -d 10.1.1.2/32 -j nova-compute-inst-3
    -A nova-compute-sg-fallback -j DROP
    -A nova-filter-top -j nova-network-local
    -A nova-filter-top -j nova-compute-local
    -A nova-filter-top -j nova-api-metadat-local
    -A nova-network-FORWARD -d 255.255.255.255/32 -p udp -m physdev --physdev-in eth0 -m udp --dport 67 -j DROP
    -A nova-network-FORWARD -d 255.255.255.255/32 -p udp -m physdev --physdev-out eth0 -m udp --dport 67 -j DROP
    -A nova-network-FORWARD -d 10.1.1.1/32 -m physdev --physdev-in eth0 -j DROP
    -A nova-network-FORWARD -s 10.1.1.1/32 -m physdev --physdev-out eth0 -j DROP
    -A nova-network-FORWARD -i br100 -j ACCEPT
    -A nova-network-FORWARD -o br100 -j ACCEPT
    -A nova-network-INPUT -i br100 -p udp -m udp --dport 67 -j ACCEPT
    -A nova-network-INPUT -i br100 -p tcp -m tcp --dport 67 -j ACCEPT
    -A nova-network-INPUT -i br100 -p udp -m udp --dport 53 -j ACCEPT
    -A nova-network-INPUT -i br100 -p tcp -m tcp --dport 53 -j ACCEPT
    COMMIT
    # Completed on Mon Nov  3 19:58:59 2014

Thanks a lot for your help.