openstack team mailing list archive

Problems with dnat

 

Hello everyone, I have this problem:

VMs can connect to the internet but cannot receive traffic when I assign them a floating IP. These are the iptables rules created by nova-network:

-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N nova-api-OUTPUT
-N nova-api-POSTROUTING
-N nova-api-PREROUTING
-N nova-api-float-snat
-N nova-api-snat
-N nova-compute-OUTPUT
-N nova-compute-POSTROUTING
-N nova-compute-PREROUTING
-N nova-compute-float-snat
-N nova-compute-snat
-N nova-network-OUTPUT
-N nova-network-POSTROUTING
-N nova-network-PREROUTING
-N nova-network-float-snat
-N nova-network-snat
-N nova-postrouting-bottom
-A PREROUTING -j nova-network-PREROUTING
-A PREROUTING -j nova-compute-PREROUTING
-A PREROUTING -j nova-api-PREROUTING
-A OUTPUT -j nova-network-OUTPUT
-A OUTPUT -j nova-compute-OUTPUT
-A OUTPUT -j nova-api-OUTPUT
-A POSTROUTING -j nova-network-POSTROUTING
-A POSTROUTING -j nova-compute-POSTROUTING
-A POSTROUTING -j nova-api-POSTROUTING
-A POSTROUTING -j nova-postrouting-bottom
-A nova-api-snat -j nova-api-float-snat
-A nova-compute-snat -j nova-compute-float-snat
-A nova-network-OUTPUT -d MY_FLOATING_IP/32 -j DNAT --to-destination 192.168.4.2
-A nova-network-POSTROUTING -s 192.168.4.0/24 -d MY_PUBLIC_IP/32 -j ACCEPT
-A nova-network-POSTROUTING -s 192.168.4.0/24 -d 10.128.0.0/24 -j ACCEPT
-A nova-network-POSTROUTING -s 192.168.4.0/24 -d 192.168.4.0/24 -m conntrack ! --ctstate DNAT -j ACCEPT
-A nova-network-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination MY_PUBLIC_IP:8775
-A nova-network-PREROUTING -d MY_FLOATING_IP/32 -j DNAT --to-destination 192.168.4.2
-A nova-network-float-snat -s 192.168.4.2/32 -j SNAT --to-source MY_FLOATING_IP
-A nova-network-snat -j nova-network-float-snat
-A nova-network-snat -s 192.168.4.0/24 -j SNAT --to-source MY_PUBLIC_IP
-A nova-postrouting-bottom -j nova-network-snat
-A nova-postrouting-bottom -j nova-compute-snat
-A nova-postrouting-bottom -j nova-api-snat

and this is my nova.conf:

--dhcpbridge_flagfile=/etc/nova/nova.conf
--dhcpbridge=/usr/bin/nova-dhcpbridge
--logdir=/var/log/nova
--state_path=/var/lib/nova
--lock_path=/run/lock/nova
--allow_admin_api=true
--use_deprecated_auth=false
--auth_strategy=keystone
--scheduler_driver=nova.scheduler.simple.SimpleScheduler
--s3_host=MY_PUBLIC_IP
--ec2_host=MY_PUBLIC_IP
--rabbit_host=MY_PUBLIC_IP
--cc_host=MY_PUBLIC_IP
--nova_url=http://MY_PUBLIC_IP:8774/v1.1/
--routing_source_ip=MY_PUBLIC_IP
--glance_api_servers=MY_PUBLIC_IP:9292
--image_service=nova.image.glance.GlanceImageService
--iscsi_ip_prefix=192.168.4
--sql_connection=mysql://novadbadmin:mydbpassword@192.168.3.1/nova
--ec2_url=http://MY_PUBLIC_IP:8773/services/Cloud
--keystone_ec2_url=http://MY_PUBLIC_IP:5000/v2.0/ec2tokens
--api_paste_config=/etc/nova/api-paste.ini
--libvirt_type=kvm
--libvirt_use_virtio_for_bridges=true
--start_guests_on_host_boot=true
--resume_guests_state_on_host_boot=true
# vnc specific configuration
--novnc_enabled=true
--novncproxy_base_url=http://MY_PUBLIC_IP:6080/vnc_auto.html
--vncserver_proxyclient_address=MY_PUBLIC_IP
--vncserver_listen=MY_PUBLIC_IP
# network specific settings
--network_manager=nova.network.manager.FlatDHCPManager
--public_interface=eth0
--flat_interface=eth2
--flat_network_bridge=br100
--fixed_range=192.168.4.0/24
--network_size=254
--flat_network_dhcp_start=192.168.4.1
--flat_injected=False
--force_dhcp_release=true
--iscsi_helper=tgtadm
--connection_type=libvirt
--root_helper=sudo nova-rootwrap
--verbose=true

With tcpdump I correctly see the SYN packets on eth0 (the public interface) but can't see them on br100 or eth2, so they're not correctly DNATed.
I've tried with both ip_forward enabled and disabled.

Best

Alessandro
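As an added example (not code from the post above or from Nova), here is a small Python simulator that walks the nat table the way the kernel does for one packet: built-in chain first, jump into each user chain in order, fall back to the caller when a user chain runs off its end, and stop at the first terminating target (ACCEPT, DNAT, SNAT) or the built-in policy. The embedded dump is the posted ruleset trimmed to the PREROUTING/POSTROUTING chains that carry rules (the nova-compute and nova-api chains are empty and change nothing), with the constructed addresses 203.0.113.10 and 203.0.113.2 standing in for the MY_FLOATING_IP and MY_PUBLIC_IP placeholders.

```python
"""Simulate an iptables nat-table walk for a single packet.

Added example (not from the mailing-list post or from Nova): parses an
iptables-save style nat dump shaped like the posted one and reports which
rule ends the PREROUTING or POSTROUTING traversal for a given packet.
"""
import ipaddress
import shlex

# Constructed stand-ins for the poster's MY_FLOATING_IP / MY_PUBLIC_IP placeholders.
FLOATING_IP = "203.0.113.10"
PUBLIC_IP = "203.0.113.2"

# Constructed nat dump: the posted ruleset, trimmed to the chains that carry rules.
SAMPLE_NAT = f"""-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -j nova-network-PREROUTING
-A POSTROUTING -j nova-network-POSTROUTING
-A POSTROUTING -j nova-postrouting-bottom
-A nova-network-POSTROUTING -s 192.168.4.0/24 -d {PUBLIC_IP}/32 -j ACCEPT
-A nova-network-POSTROUTING -s 192.168.4.0/24 -d 10.128.0.0/24 -j ACCEPT
-A nova-network-POSTROUTING -s 192.168.4.0/24 -d 192.168.4.0/24 -m conntrack ! --ctstate DNAT -j ACCEPT
-A nova-network-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination {PUBLIC_IP}:8775
-A nova-network-PREROUTING -d {FLOATING_IP}/32 -j DNAT --to-destination 192.168.4.2
-A nova-network-float-snat -s 192.168.4.2/32 -j SNAT --to-source {FLOATING_IP}
-A nova-network-snat -j nova-network-float-snat
-A nova-network-snat -s 192.168.4.0/24 -j SNAT --to-source {PUBLIC_IP}
-A nova-postrouting-bottom -j nova-network-snat
"""

# The subset of iptables options this parser understands; anything else is an error.
OPTIONS = {"-s": "src", "-d": "dst", "-p": "proto", "--dport": "dport",
           "--ctstate": "ctstate", "-j": "target",
           "--to-destination": "to", "--to-source": "to"}


def _parse_rule(toks):
    """Turn the tokens after '-A <chain>' into a dict of match fields plus target."""
    rule, negate, i = {"negate": set()}, False, 0
    while i < len(toks):
        if toks[i] == "!":                       # '!' inverts the option that follows it
            negate, i = True, i + 1
            continue
        if toks[i] != "-m":                      # '-m ext' only names the extension; skip it
            if toks[i] not in OPTIONS:
                raise ValueError(f"unsupported option {toks[i]!r}")
            key = OPTIONS[toks[i]]
            rule[key] = toks[i + 1]
            if negate:
                rule["negate"].add(key)
            negate = False
        i += 2
    return rule


def parse_nat(dump):
    """Return (policies, chains): built-in policies and the ordered rule list per chain."""
    policies, chains = {}, {}
    for toks in (shlex.split(line) for line in dump.splitlines()):
        if toks and toks[0] == "-P":
            policies[toks[1]] = toks[2]
        elif toks and toks[0] == "-A":
            chains.setdefault(toks[1], []).append(_parse_rule(toks[2:]))
    return policies, chains


def _in_net(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


CHECKS = {
    "src": lambda v, p: _in_net(p["src"], v),
    "dst": lambda v, p: _in_net(p["dst"], v),
    "proto": lambda v, p: p.get("proto") == v,
    "dport": lambda v, p: p.get("dport") == int(v),
    "ctstate": lambda v, p: p.get("ctstate") in v.split(","),   # conntrack state, e.g. "DNAT"
}


def _matches(rule, pkt):
    """Every match field present in the rule must hold; a negated field must fail."""
    for key, check in CHECKS.items():
        if key in rule and check(rule[key], pkt) == (key in rule["negate"]):
            return False
    return True


def _walk_chain(chain, pkt, chains):
    """Return (target, rule) if this chain terminates the packet, None if it runs off the end."""
    for rule in chains.get(chain, []):
        if not _matches(rule, pkt):
            continue
        target = rule["target"]
        if target in chains:                     # jump into a user chain; carry on if it returns
            verdict = _walk_chain(target, pkt, chains)
            if verdict is not None:
                return verdict
        elif target == "RETURN":
            return None
        else:                                    # ACCEPT, DNAT, SNAT ... end the walk of this table
            return target, rule
    return None


def nat_verdict(hook, pkt, dump=SAMPLE_NAT):
    """Walk a built-in hook (PREROUTING or POSTROUTING); return (target, NAT address or None)."""
    policies, chains = parse_nat(dump)
    verdict = _walk_chain(hook, pkt, chains)
    if verdict is None:
        return policies[hook], None
    target, rule = verdict
    return target, rule.get("to")


if __name__ == "__main__":
    inbound = {"src": "198.51.100.7", "dst": FLOATING_IP, "proto": "tcp", "dport": 22}
    print("PREROUTING, internet -> floating IP:", nat_verdict("PREROUTING", inbound))
    hairpin = {"src": "192.168.4.5", "dst": "192.168.4.2", "ctstate": "DNAT"}
    print("POSTROUTING, VM -> neighbour via its floating IP:", nat_verdict("POSTROUTING", hairpin))
```

Run against a SYN from the internet to the floating IP, the walk ends at `DNAT --to-destination 192.168.4.2` in nova-network-PREROUTING, which is what the posted rules say should happen. The simulator models only the nat table: it says nothing about routing the rewritten packet towards br100, rp_filter on the interfaces, or the filter table's FORWARD chain, so a DNAT verdict here combined with no packets on br100 points at something after the nat table rather than at the DNAT rule itself. The hairpin case is also visible: a VM reaching a neighbour through the neighbour's floating IP is DNATed first, so the `! --ctstate DNAT` ACCEPT in nova-network-POSTROUTING does not match and the flow falls through to nova-postrouting-bottom, where it is SNATed to the public IP so that replies come back through the host's conntrack entry instead of directly between the two VMs.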