openstack team mailing list archive
Message #21506
Re: VM guest can't access outside world.
Hi,
Thanks Jeff. This is what I got from tcpdump. The target (10.38.1.2) didn't
seem to reply. Might be the target (10.38.1.2) didn't know how to route the
packet to 192.168.151.3? Could that be an SNAT issue? Or like you said, it needs
an IP masquerading rule. Might be a bug in Quantum?
Barrow
tcpdump: WARNING: em1: no IPv4 address assigned
tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
11:31:02.825150 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.151.3 > 10.38.1.2: ICMP echo request, id 11910, seq 133, length 64
11:31:03.825338 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.151.3 > 10.38.1.2: ICMP echo request, id 11910, seq 134, length 64
2 packets captured
3 packets received by filter
0 packets dropped by kernel
----- Original Message ----
From: Jeff Peeler <jpeeler@xxxxxxxxxx>
To: openstack@xxxxxxxxxxxxxxxxxxx
Sent: Mon, March 4, 2013 7:39:03 AM
Subject: Re: [Openstack] VM guest can't access outside world.
On Wed, Feb 27, 2013 at 12:38:45PM -0800, Barrow Kwan wrote:
> [root@optst01 quantum]# service iptables status
> Table: nat
> Chain PREROUTING (policy ACCEPT)
> num target prot opt source destination
> 1 nova-compute-PREROUTING all -- 0.0.0.0/0 0.0.0.0/0
> 2 quantum-l3-agent-PREROUTING all -- 0.0.0.0/0 0.0.0.0/0
> 3 nova-api-PREROUTING all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain POSTROUTING (policy ACCEPT)
> num target prot opt source destination
> 1 nova-compute-POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0
> 2 quantum-l3-agent-POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0
> 3 quantum-postrouting-bottom all -- 0.0.0.0/0 0.0.0.0/0
> 4 nova-api-POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0
> 5 nova-postrouting-bottom all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> num target prot opt source destination
> 1 nova-compute-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0
> 2 quantum-l3-agent-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0
> 3 nova-api-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain nova-api-OUTPUT (1 references)
> num target prot opt source destination
>
> Chain nova-api-POSTROUTING (1 references)
> num target prot opt source destination
>
> Chain nova-api-PREROUTING (1 references)
> num target prot opt source destination
>
> Chain nova-api-float-snat (1 references)
> num target prot opt source destination
>
> Chain nova-api-snat (1 references)
> num target prot opt source destination
> 1 nova-api-float-snat all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain nova-compute-OUTPUT (1 references)
> num target prot opt source destination
>
> Chain nova-compute-POSTROUTING (1 references)
> num target prot opt source destination
>
> Chain nova-compute-PREROUTING (1 references)
> num target prot opt source destination
>
> Chain nova-compute-float-snat (1 references)
> num target prot opt source destination
>
> Chain nova-compute-snat (1 references)
> num target prot opt source destination
> 1 nova-compute-float-snat all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain nova-postrouting-bottom (1 references)
> num target prot opt source destination
> 1 nova-compute-snat all -- 0.0.0.0/0 0.0.0.0/0
> 2 nova-api-snat all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain quantum-l3-agent-OUTPUT (1 references)
> num target prot opt source destination
>
> Chain quantum-l3-agent-POSTROUTING (1 references)
> num target prot opt source destination
> 1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ! ctstate DNAT
>
> Chain quantum-l3-agent-PREROUTING (1 references)
> num target prot opt source destination
>
> Chain quantum-l3-agent-float-snat (1 references)
> num target prot opt source destination
>
> Chain quantum-l3-agent-snat (1 references)
> num target prot opt source destination
> 1 quantum-l3-agent-float-snat all -- 0.0.0.0/0 0.0.0.0/0
> 2 SNAT all -- 192.168.151.0/24 0.0.0.0/0 to:10.38.17.1
>
> Chain quantum-postrouting-bottom (1 references)
> num target prot opt source destination
> 1 quantum-l3-agent-snat all -- 0.0.0.0/0 0.0.0.0/0
>
> Table: filter
> Chain INPUT (policy ACCEPT)
> num target prot opt source destination
> 1 nova-compute-INPUT all -- 0.0.0.0/0 0.0.0.0/0
> 2 quantum-l3-agent-INPUT all -- 0.0.0.0/0 0.0.0.0/0
> 3 nova-api-INPUT all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain FORWARD (policy ACCEPT)
> num target prot opt source destination
> 1 nova-filter-top all -- 0.0.0.0/0 0.0.0.0/0
> 2 nova-compute-FORWARD all -- 0.0.0.0/0 0.0.0.0/0
> 3 quantum-filter-top all -- 0.0.0.0/0 0.0.0.0/0
> 4 quantum-l3-agent-FORWARD all -- 0.0.0.0/0 0.0.0.0/0
> 5 nova-api-FORWARD all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> num target prot opt source destination
> 1 nova-filter-top all -- 0.0.0.0/0 0.0.0.0/0
> 2 nova-compute-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0
> 3 quantum-filter-top all -- 0.0.0.0/0 0.0.0.0/0
> 4 quantum-l3-agent-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0
> 5 nova-api-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain nova-api-FORWARD (1 references)
> num target prot opt source destination
>
> Chain nova-api-INPUT (1 references)
> num target prot opt source destination
> 1 ACCEPT tcp -- 0.0.0.0/0 10.38.15.251 tcp dpt:8775
>
> Chain nova-api-OUTPUT (1 references)
> num target prot opt source destination
>
> Chain nova-api-local (1 references)
> num target prot opt source destination
>
> Chain nova-compute-FORWARD (1 references)
> num target prot opt source destination
>
> Chain nova-compute-INPUT (1 references)
> num target prot opt source destination
>
> Chain nova-compute-OUTPUT (1 references)
> num target prot opt source destination
>
> Chain nova-compute-inst-20 (1 references)
> num target prot opt source destination
> 1 DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
> 2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 3 nova-compute-provider all -- 0.0.0.0/0 0.0.0.0/0
> 4 ACCEPT udp -- 192.168.151.2 0.0.0.0/0 udp spt:67 dpt:68
> 5 ACCEPT all -- 192.168.151.0/24 0.0.0.0/0
> 6 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
> 7 ACCEPT icmp -- 192.168.151.3 0.0.0.0/0
> 8 ACCEPT icmp -- 192.168.151.4 0.0.0.0/0
> 9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
> 10 nova-compute-sg-fallback all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain nova-compute-inst-21 (1 references)
> num target prot opt source destination
> 1 DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
> 2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 3 nova-compute-provider all -- 0.0.0.0/0 0.0.0.0/0
> 4 ACCEPT udp -- 192.168.151.2 0.0.0.0/0 udp spt:67 dpt:68
> 5 ACCEPT all -- 192.168.151.0/24 0.0.0.0/0
> 6 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
> 7 ACCEPT icmp -- 192.168.151.3 0.0.0.0/0
> 8 ACCEPT icmp -- 192.168.151.4 0.0.0.0/0
> 9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
> 10 nova-compute-sg-fallback all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain nova-compute-local (1 references)
> num target prot opt source destination
> 1 nova-compute-inst-20 all -- 0.0.0.0/0 192.168.151.3
> 2 nova-compute-inst-21 all -- 0.0.0.0/0 192.168.151.4
>
> Chain nova-compute-provider (2 references)
> num target prot opt source destination
>
> Chain nova-compute-sg-fallback (2 references)
> num target prot opt source destination
> 1 DROP all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain nova-filter-top (2 references)
> num target prot opt source destination
> 1 nova-compute-local all -- 0.0.0.0/0 0.0.0.0/0
> 2 nova-api-local all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain quantum-filter-top (2 references)
> num target prot opt source destination
> 1 quantum-l3-agent-local all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain quantum-l3-agent-FORWARD (1 references)
> num target prot opt source destination
>
> Chain quantum-l3-agent-INPUT (1 references)
> num target prot opt source destination
>
> Chain quantum-l3-agent-OUTPUT (1 references)
> num target prot opt source destination
>
> Chain quantum-l3-agent-local (1 references)
> num target prot opt source destination
Have you tried running tcpdump on the public interface to see how far
the packets are getting? Maybe something like: tcpdump -n -c2 icmp -i em1,
then try pinging from the VM. It could be that you're attempting to send
unroutable packets, in which case an IP masquerading rule needs adding.
Jeff
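
Added example, not part of either message in this thread: a check that compares a capture taken on the public interface against the SNAT rules in the nat table and reports packets that left with a source address the rule should have rewritten. The function and variable names are hypothetical; the sample input is copied from the output quoted above, and only IPv4 `tcpdump -n` lines are handled.

```python
import ipaddress
import re

# Sample input copied from the output quoted in this thread (rule numbering kept).
NAT_RULES = """\
1 quantum-l3-agent-float-snat all -- 0.0.0.0/0 0.0.0.0/0
2 SNAT all -- 192.168.151.0/24 0.0.0.0/0 to:10.38.17.1
"""
CAPTURE = """\
11:31:02.825150 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.151.3 > 10.38.1.2: ICMP echo request, id 11910, seq 133, length 64
11:31:03.825338 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.151.3 > 10.38.1.2: ICMP echo request, id 11910, seq 134, length 64
"""

# "num SNAT prot -- source destination to:addr" as printed by `service iptables status`.
SNAT_RE = re.compile(r"^\s*\d+\s+SNAT\s+\S+\s+--\s+(\S+)\s+\S+\s+to:([\d.]+)", re.M)
# IPv4 "src[.port] > dst[.port]:" as printed by tcpdump -n.
ADDR = r"(\d+(?:\.\d+){3})(?:\.\d+)?"
FLOW_RE = re.compile(r"(?<![\d.])" + ADDR + r" > " + ADDR + r":")


def parse_snat_rules(text):
    """Return [(source_network, translated_address)] for every SNAT rule line."""
    return [(ipaddress.ip_network(src), ipaddress.ip_address(to))
            for src, to in SNAT_RE.findall(text)]


def untranslated_flows(capture, rules):
    """Return (src, dst, expected_src) for packets that should have been SNATed.

    A packet counts when its source is inside a rule's source network and its
    destination is outside it (traffic within the network is not translated).
    """
    hits = []
    for src, dst in FLOW_RE.findall(capture):
        for net, to in rules:
            if ipaddress.ip_address(src) in net and ipaddress.ip_address(dst) not in net:
                hits.append((src, dst, str(to)))
                break
    return hits


if __name__ == "__main__":
    for src, dst, want in untranslated_flows(CAPTURE, parse_snat_rules(NAT_RULES)):
        print(f"{src} -> {dst}: left untranslated, SNAT rule expects source {want}")
```

Both echo requests in the capture are reported: they leave em1 with source 192.168.151.3 even though the nat table holds a rule rewriting 192.168.151.0/24 to 10.38.17.1.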