


NAT accessible only one way with floating IPs

I can assign a floating IP to an instance and ping it from the external network. However, the instance cannot ping anything except the gateway and the compute node. Am I missing a NAT rule?

    controller_root@controller:~$ nova net-list
    +--------------------------------------+---------------+-------------+
    | ID                                   | Label         | CIDR        |
    +--------------------------------------+---------------+-------------+
    | ef5a6249-ae84-4c8f-bf4e-0c48bab24650 | OpenStack-net | 10.0.0.0/24 |
    +--------------------------------------+---------------+-------------+

firewall_driver=nova.virt.firewall.NoopFirewallDriver

$ cat /proc/sys/net/ipv4/ip_forward

1

    compute1_root@compute1:~$ sudo iptables -t filter -S
    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -N nova-api-metadat-FORWARD
    -N nova-api-metadat-INPUT
    -N nova-api-metadat-OUTPUT
    -N nova-api-metadat-local
    -N nova-compute-FORWARD
    -N nova-compute-INPUT
    -N nova-compute-OUTPUT
    -N nova-compute-inst-3
    -N nova-compute-local
    -N nova-compute-provider
    -N nova-compute-sg-fallback
    -N nova-filter-top
    -N nova-network-FORWARD
    -N nova-network-INPUT
    -N nova-network-OUTPUT
    -N nova-network-local
    -A INPUT -j nova-network-INPUT
    -A INPUT -j nova-compute-INPUT
    -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
    -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
    -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
    -A INPUT -j nova-api-metadat-INPUT
    -A FORWARD -j nova-filter-top
    -A FORWARD -j nova-network-FORWARD
    -A FORWARD -j nova-compute-FORWARD
    -A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
    -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
    -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -j nova-api-metadat-FORWARD
    -A FORWARD -i eth2 -o br100 -j ACCEPT
    -A FORWARD -i br100 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -j nova-filter-top
    -A OUTPUT -j nova-network-OUTPUT
    -A OUTPUT -j nova-compute-OUTPUT
    -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
    -A OUTPUT -j nova-api-metadat-OUTPUT
    -A nova-api-metadat-INPUT -d 10.8.2.70/32 -p tcp -m tcp --dport 8775 -j ACCEPT
    -A nova-compute-FORWARD -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
    -A nova-compute-INPUT -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
    -A nova-compute-inst-3 -m state --state INVALID -j DROP
    -A nova-compute-inst-3 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A nova-compute-inst-3 -j nova-compute-provider
    -A nova-compute-inst-3 -s 10.0.0.4/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
    -A nova-compute-inst-3 -s 10.0.0.0/24 -j ACCEPT
    -A nova-compute-inst-3 -p icmp -j ACCEPT
    -A nova-compute-inst-3 -p tcp -m tcp --dport 22 -j ACCEPT
    -A nova-compute-inst-3 -p tcp -m multiport --dports 1:65535 -j ACCEPT
    -A nova-compute-inst-3 -p udp -m multiport --dports 1:65535 -j ACCEPT
    -A nova-compute-inst-3 -j nova-compute-sg-fallback
    -A nova-compute-local -d 10.0.0.3/32 -j nova-compute-inst-3
    -A nova-compute-sg-fallback -j DROP
    -A nova-filter-top -j nova-network-local
    -A nova-filter-top -j nova-compute-local
    -A nova-filter-top -j nova-api-metadat-local
    -A nova-network-FORWARD -i br100 -j ACCEPT
    -A nova-network-FORWARD -o br100 -j ACCEPT
    -A nova-network-FORWARD -d 10.0.0.2/32 -p udp -m udp --dport 1194 -j ACCEPT
    -A nova-network-INPUT -i br100 -p udp -m udp --dport 67 -j ACCEPT
    -A nova-network-INPUT -i br100 -p tcp -m tcp --dport 67 -j ACCEPT
    -A nova-network-INPUT -i br100 -p udp -m udp --dport 53 -j ACCEPT
    -A nova-network-INPUT -i br100 -p tcp -m tcp --dport 53 -j ACCEPT

I have also added:

    iptables -A FORWARD -i eth2 -o br100 -j ACCEPT
    iptables -A FORWARD -i br100 -o eth2 -j ACCEPT
    iptables -A FORWARD -i br100 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -t nat -A POSTROUTING -o br100 -j MASQUERADE

compute1_root@compute1:~$ ifconfig -a

      br100     Link encap:Ethernet  HWaddr fa:16:3e:1e:56:24
      inet addr:10.0.0.4  Bcast:10.0.0.255  Mask:255.255.255.0
      inet6 addr: fe80::1c23:35ff:fead:73d1/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:10107 errors:0 dropped:0 overruns:0 frame:0
      TX packets:3457 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0
      RX bytes:4497684 (4.4 MB)  TX bytes:281137 (281.1 KB)

   eth0      Link encap:Ethernet  HWaddr 9a:65:14:a8:60:c9
      inet addr:10.8.2.7  Bcast:0.0.0.0  Mask:255.255.255.255
      BROADCAST MULTICAST  MTU:1500  Metric:1
      RX packets:0 errors:0 dropped:0 overruns:0 frame:0
      TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

  eth1      Link encap:Ethernet  HWaddr 32:ad:e2:7a:72:dd
      inet6 addr: fe80::30ad:e2ff:fe7a:72dd/64 Scope:Link
      inet6 addr: fdac:fcf1:5f2:1002:30ad:e2ff:fe7a:72dd/64 Scope:Global
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:23169 errors:0 dropped:9 overruns:0 frame:0
      TX packets:3471 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:5429859 (5.4 MB)  TX bytes:296137 (296.1 KB)

  eth2      Link encap:Ethernet  HWaddr f6:05:cc:16:60:c2
      inet addr:10.8.2.70  Bcast:10.8.2.255  Mask:255.255.255.0
      inet6 addr: fe80::f405:ccff:fe16:60c2/64 Scope:Link
      inet6 addr: fdac:fcf1:5f2:1002:f405:ccff:fe16:60c2/64 Scope:Global
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:54054 errors:0 dropped:9 overruns:0 frame:0
      TX packets:42437 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:17177049 (17.1 MB)  TX bytes:12211480 (12.2 MB)

 eth3      Link encap:Ethernet  HWaddr 0e:15:63:97:47:b5
      inet6 addr: fdac:fcf1:5f2:1002:c15:63ff:fe97:47b5/64 Scope:Global
      inet6 addr: fe80::c15:63ff:fe97:47b5/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:16291 errors:0 dropped:9 overruns:0 frame:0
      TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:1369689 (1.3 MB)  TX bytes:586 (586.0 B)

  lo        Link encap:Local Loopback
      inet addr:127.0.0.1  Mask:255.0.0.0
      inet6 addr: ::1/128 Scope:Host
      UP LOOPBACK RUNNING  MTU:65536  Metric:1
      RX packets:41 errors:0 dropped:0 overruns:0 frame:0
      TX packets:41 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0
      RX bytes:4668 (4.6 KB)  TX bytes:4668 (4.6 KB)

  virbr0    Link encap:Ethernet  HWaddr 82:79:ef:bd:00:37
      inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
      UP BROADCAST MULTICAST  MTU:1500  Metric:1
      RX packets:0 errors:0 dropped:0 overruns:0 frame:0
      TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0
       RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

  vlan100   Link encap:Ethernet  HWaddr fa:16:3e:1e:56:24
      inet6 addr: fe80::f816:3eff:fe1e:5624/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:10107 errors:0 dropped:0 overruns:0 frame:0
      TX packets:3464 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0
      RX bytes:4499091 (4.4 MB)  TX bytes:281695 (281.6 KB)


    compute1_root@compute1:~$ brctl show
    bridge name     bridge id               STP enabled     interfaces
    br100           8000.fa163e1e5624       no              vlan100
    virbr0          8000.000000000000       yes


    network_api_class = nova.network.api.API
    security_group_api = nova
    firewall_driver = nova.virt.firewall.NoopFirewallDriver
    network_manager = nova.network.manager.FlatDHCPManager
    network_size = 254
    allow_same_net_traffic = True
    multi_host = True
    send_arp_for_ha = True
    share_dhcp_address = True
    force_dhcp_release = True
    flat_network_bridge = br100
    flat_interface = eth1
    public_interface=eth2