[Openstack-operators] [openstack-dev] [openstack-ansible] pip issues

Achi Hamza h16mara at gmail.com
Thu Nov 17 13:57:41 UTC 2016


Thank you Jesse, but these iptables rules are just applied on the
deployment node, not the host nodes. Do I have to omit these rules even on
the deployment node?

Thank you

On 17 November 2016 at 14:25, Jesse Pretorius <
Jesse.Pretorius at rackspace.co.uk> wrote:

> *From: *Achi Hamza <h16mara at gmail.com>
>
>
>
> I have set these rules with my iptables earlier (this is just for the
> nodes to get out through the deployment node). Can this have an impact?
>
>
>
> iptables -A FORWARD -o enp4s0 -i enp5s0 -s 172.16.1.1/24 -m conntrack --ctstate NEW -j ACCEPT
>
> iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
>
> iptables -t nat -F POSTROUTING
>
> iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
>
>
>
> That is very likely a problem.
>
>
>
> LXC will automatically NAT through the host’s address for internet access,
> so what you should be doing is ensuring that your hosts have a default
> route to the internet. This could be done by adding a route to whichever
> router you want to use. If your router then needs to NAT for external
> access, then add the NAT there – not on each host.
>
>
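The advice quoted above comes down to two checks per host: a default route exists, and the nat POSTROUTING chain still holds the MASQUERADE rule for the container bridge (a `-F POSTROUTING` run on a host would remove it). The script below is an added example, not code from the thread or from openstack-ansible; the 10.0.3.0/24 bridge subnet, the gateway address, the interface name and all function names are assumptions, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example. Both checks read captured text, so they run offline:
#   routes = output of `ip -4 route show`
#   nat    = output of `iptables-save -t nat`

# Succeeds when the routing table has a default route via a gateway.
has_default_route() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { ok = 1 } END { exit !ok }'
}

# Succeeds when POSTROUTING masquerades traffic sourced from the CIDR in $2.
has_container_nat() {
    printf '%s\n' "$1" | awk -v cidr="$2" '
        $1 == "-A" && $2 == "POSTROUTING" {
            src = 0; masq = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-s" && $(i + 1) == cidr) src = 1
                if ($i == "-j" && $(i + 1) == "MASQUERADE") masq = 1
            }
            if (src && masq) ok = 1
        }
        END { exit !ok }'
}

# Prints one verdict for a host: ok | no-default-route | no-container-nat
check_host() {
    has_default_route "$1" || { echo no-default-route; return 0; }
    has_container_nat "$2" "$3" || { echo no-container-nat; return 0; }
    echo ok
}

# Constructed samples (addresses and interface are assumptions).
ROUTES_OK='default via 172.16.1.1 dev eth0
172.16.1.0/24 dev eth0 proto kernel scope link src 172.16.1.10'
ROUTES_NONE='172.16.1.0/24 dev eth0 proto kernel scope link src 172.16.1.10'
NAT_OK='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
COMMIT'
NAT_FLUSHED='*nat
:POSTROUTING ACCEPT [0:0]
COMMIT'
LXC_CIDR=10.0.3.0/24   # assumed container bridge subnet

check_host "$ROUTES_OK" "$NAT_OK" "$LXC_CIDR"
check_host "$ROUTES_NONE" "$NAT_OK" "$LXC_CIDR"
check_host "$ROUTES_OK" "$NAT_FLUSHED" "$LXC_CIDR"
```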