[Openstack] able to ping but not able to ssh to instance

Akilesh K akilesh1597 at gmail.com
Fri Sep 19 07:09:29 UTC 2014


The mail from Andreas was correct: you need to add a rule for (ingress, tcp,
port 22 and cidr 0.0.0.0/0).

In case the rule is already there, check the host firewall rules using:
iptables -t nat -L
iptables -t mangle -L
iptables -t filter -L

None of the tables should have any rule.

On Fri, Sep 19, 2014 at 9:41 AM, Srinivasreddy R <
srinivasreddy4390 at gmail.com> wrote:

> hi,
> i have checked security group rules.
> my instance is pinging to router and even a device in external network.
> mostly my problem may be in host's firewall.
> how can i identify which rule is dropping the ssh traffic?
> how can i confirm that ssh traffic is blocked at firewall?
> is there any way to see the firewall dropped packets?
>
> thanks ,
> srinivas.
>
> On Thu, Sep 18, 2014 at 7:36 PM, Akilesh K <akilesh1597 at gmail.com> wrote:
>
>> I believe you have checked the security group rules. Make sure the
>> instance is able to ping the router. If yes, the problem lies in your host's
>> firewall rules. Flush the host's iptables rules (you may take a backup before
>> you do that).
>>
>> On Thu, Sep 18, 2014 at 7:32 PM, Srinivasreddy R <
>> srinivasreddy4390 at gmail.com> wrote:
>>
>>> hi,
>>> thanks for your reply.
>>>
>>> 1. i have checked ssh server is running in instance.
>>>    ssh from one instance to another is possible using private
>>>    network [demo-net].
>>> 2. checked ssh is running in port 22
>>> 3. telnet <ip> 22 is not working.
>>> 4. output when i run ssh using verbose pasted at
>>>    http://paste.openstack.org/show/112860/
>>>
>>> ==================================
>>> ip tables output
>>>
>>> my internal network for vm is 11.0.0.x and external network is 172.0.0.x
>>>
>>>
>>> root@user-ThinkCentre-M73:/home/user# ip netns exec qrouter-f6e00f94-1c6d-4cf5-8cae-319e393240fe iptables -t nat -S
>>> -P PREROUTING ACCEPT
>>> -P INPUT ACCEPT
>>> -P OUTPUT ACCEPT
>>> -P POSTROUTING ACCEPT
>>> -N neutron-l3-agent-OUTPUT
>>> -N neutron-l3-agent-POSTROUTING
>>> -N neutron-l3-agent-PREROUTING
>>> -N neutron-l3-agent-float-snat
>>> -N neutron-l3-agent-snat
>>> -N neutron-postrouting-bottom
>>> -A PREROUTING -j neutron-l3-agent-PREROUTING
>>> -A OUTPUT -j neutron-l3-agent-OUTPUT
>>> -A POSTROUTING -j neutron-l3-agent-POSTROUTING
>>> -A POSTROUTING -j neutron-postrouting-bottom
>>> -A neutron-l3-agent-OUTPUT -d 172.0.0.7/32 -j DNAT --to-destination 11.0.0.9
>>> -A neutron-l3-agent-OUTPUT -d 172.0.0.3/32 -j DNAT --to-destination 11.0.0.2
>>> -A neutron-l3-agent-OUTPUT -d 172.0.0.4/32 -j DNAT --to-destination 11.0.0.5
>>> -A neutron-l3-agent-POSTROUTING ! -i qg-ec80d9fb-82 ! -o qg-ec80d9fb-82 -m conntrack ! --ctstate DNAT -j ACCEPT
>>> -A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
>>> -A neutron-l3-agent-PREROUTING -d 172.0.0.7/32 -j DNAT --to-destination 11.0.0.9
>>> -A neutron-l3-agent-PREROUTING -d 172.0.0.3/32 -j DNAT --to-destination 11.0.0.2
>>> -A neutron-l3-agent-PREROUTING -d 172.0.0.4/32 -j DNAT --to-destination 11.0.0.5
>>> -A neutron-l3-agent-float-snat -s 11.0.0.9/32 -j SNAT --to-source 172.0.0.7
>>> -A neutron-l3-agent-float-snat -s 11.0.0.2/32 -j SNAT --to-source 172.0.0.3
>>> -A neutron-l3-agent-float-snat -s 11.0.0.5/32 -j SNAT --to-source 172.0.0.4
>>> -A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
>>> -A neutron-l3-agent-snat -s 11.0.0.0/24 -j SNAT --to-source 172.0.0.2
>>> -A neutron-postrouting-bottom -j neutron-l3-agent-snat
>>>
>>>
>>>
>>>
>>> =====================
>>> i pasted my dump flows of br-tun at
>>> http://paste.openstack.org/show/112859/
>>>
>>>
>>>
>>> as per the doc
>>>  https://openstack.redhat.com/Networking_in_too_much_detail
>>>
>>> br-ex is connected to router, router is connected to br-int, br-int is
>>> connected to br-tun.
>>>
>>> i have captured at br-int. my ssh request is reaching br-int but not
>>> going through tunnel.
>>>
>>> please help me .
>>>
>>>
>>>
>>>
>>> thanks,
>>> srinivas.
>>>
>>>
>>>
>>>
>>> On Wed, Sep 17, 2014 at 9:30 PM, Sajith Kariyawasam <sajhak at gmail.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> Could be due to,
>>>>     ssh server is not up and running in your instance,
>>>>     or running in a different port rather than port 22,
>>>>     or, ssh port access is restricted in openstack key pair
>>>> configuration
>>>>
>>>> You could also try telnet to check the connectivity,
>>>> $ telnet <ip> 22
>>>>
>>>> Thanks,
>>>> Sajith
>>>>
>>>>
>>>> On Wed, Sep 17, 2014 at 8:59 PM, Zoltán Lajos Kis <
>>>> zoltan.lajos.kis at ericsson.com> wrote:
>>>>
>>>>>  Hi,
>>>>>
>>>>>
>>>>>
>>>>> What’s the output of running ssh with the verbose (-v) flag?
>>>>>
>>>>>
>>>>>
>>>>> BR,
>>>>>
>>>>> Zoltan
>>>>>
>>>>>
>>>>>
>>>>> *From:* Srinivasreddy R [mailto:srinivasreddy4390 at gmail.com]
>>>>> *Sent:* Wednesday, September 17, 2014 5:16 PM
>>>>> *To:* openstack at lists.openstack.org
>>>>> *Subject:* [Openstack] able to ping but not able to ssh to instance
>>>>>
>>>>>
>>>>>
>>>>> hi,
>>>>>
>>>>> i am able to ping my instance from external network.
>>>>>
>>>>> but not able to ssh to the instance.
>>>>>
>>>>> i am using floating IPs for ping, ssh.
>>>>>
>>>>> please help me .
>>>>>
>>>>> thanks,
>>>>> srinivas.
>>>>>
>>>>> _______________________________________________
>>>>> Mailing list:
>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>>> Post to     : openstack at lists.openstack.org
>>>>> Unsubscribe :
>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Best Regards
>>>> Sajith
>>>>
>>>
>>>
>>
>
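
One way to answer the question in this thread of which rule is dropping the ssh traffic, as an added example that is not part of the original messages: snapshot the counters with `iptables-save -c` before and after an ssh attempt and report the DROP/REJECT rules whose packet count grew. The function names, the `sg-fallback` chain and the sample snapshots are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the DROP/REJECT rules and DROP chain policies whose
# packet counter grew between two `iptables-save -c` snapshots.
# Real use (root; inside a router namespace via `ip netns exec <ns> ...`):
#   iptables-save -c > before; <attempt ssh>; iptables-save -c > after

drop_delta() {    # $1 = snapshot before the attempt, $2 = snapshot after
    awk '
    { id = "" }
    /^\*/ { table = substr($0, 2) }              # "*filter" opens a table
    /^:/ && $2 == "DROP" {                       # ":FORWARD DROP [3:180]"
        id = table ": policy of chain " substr($1, 2); cnt = $3
    }
    /^\[/ && / -j (DROP|REJECT)( |$)/ {          # "[17:1020] -A ... -j DROP"
        id = table ": " substr($0, length($1) + 2); cnt = $1
    }
    id == "" { next }                            # not a dropping rule
    {
        split(substr(cnt, 2), c, ":")            # c[1] = packet count
        if (FILENAME == ARGV[1]) before[id] = c[1]
        else if (c[1] + 0 > before[id] + 0) print c[1] - before[id], id
    }' "$1" "$2"
}

# Constructed sample snapshot; sg-fallback is a hypothetical chain name.
sample_snapshot() {    # $1 = packets counted so far by the catch-all DROP
    cat <<EOF
*filter
:INPUT ACCEPT [900:72000]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [850:68000]
:sg-fallback - [0:0]
[40:3360] -A FORWARD -p icmp -j ACCEPT
[5:300] -A FORWARD -p udp -m udp --dport 53 -j DROP
[$1:$(( $1 * 60 ))] -A FORWARD -j sg-fallback
[$1:$(( $1 * 60 ))] -A sg-fallback -j DROP
COMMIT
EOF
}

demo() {
    tmp=$(mktemp -d)
    sample_snapshot 2 > "$tmp/before"
    sample_snapshot 5 > "$tmp/after"    # three more packets were dropped
    drop_delta "$tmp/before" "$tmp/after"
    rm -rf "$tmp"
}
demo
```

Unrelated traffic can also advance a counter, so keep the interval between the two snapshots short and repeat the comparison if more than one rule is reported.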