[Openstack] Can't access public/floating IP (Was: FWaaS problem - router stopped routing)
Turbo Fredriksson
turbo at bayour.com
Sat Jul 16 18:40:56 UTC 2016
Well, never mind. I redid it a couple more times, debugging
every step, and it seems to be working.
Sort of.
I create rules, policy, firewall etc like this:
----- s n i p -----
for net in 97.0 98.0 99.0 0.250; do
    action="reject"
    for prot in tcp udp icmp; do
        # The floating-IP network is spelled "0.250" in the list above, so
        # compare against that; comparing against "250" never matches and
        # every rule (including the floating-IP ones) is created as reject.
        [ "${net}" = "0.250" ] && action="allow"
        if [ "${prot}" = "icmp" ]; then
            dest_port=""
        else
            dest_port="--destination-port 1:65535"
        fi
        # ${dest_port} is deliberately unquoted so it splits into two args.
        neutron firewall-rule-create --enabled True --protocol "${prot}" \
            --ip-version 4 --shared --name "fw-rule-${net}-${prot}" \
            --action "${action}" --destination-ip-address "10.${net}.0/24" \
            --source-ip-address 0.0.0.0/0 ${dest_port}
    done
done

# Collect every rule ID; --firewall-rules accepts a whitespace-separated list.
rules="$(neutron firewall-rule-list --format csv --column id --quote none | \
    grep -v ^id)"
neutron firewall-policy-create --shared --firewall-rules "${rules}" \
    firewall-policy
neutron firewall-create --router provider-tenants --name firewall-tenants \
    firewall-policy
----- s n i p -----
On the "10.97.0.0/24" tenant network, I have a CirrOS instance, which
I can access without a problem on that network (if I don't enable/create
a firewall). That access is what I'm trying to hinder! So I deny everything TO
that network.
The "10.0.250.0/24" is my floating IP network. I'm _allowing_ everything
on that network. This network is also part of my 10.0.0.0/16
external/physical network (where my physical Openstack hosts
are, and which does not need additional routing).
Without a FW, I can access both these IPs (both one on 10.97.0.0/24 and
the floating IP on 10.0.250.0/24) on the instance just fine.
But when I enable/create the FW, I can't access either of them! Not
being able to access the first is obvious (and intentional), but the second I
did not expect. I had expected to be able to access that one at least,
which was the whole point.
--
Geologists recently discovered that "earthquakes" are
nothing more than Bruce Schneier and Chuck Norris
communicating via a roundhouse kick-based cryptosystem.
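As an added illustration (not code from the poster or from Neutron), the following Python model reproduces the rule set the posted shell loop generates and evaluates a packet against it the way the iptables FWaaS v1 driver does: first match wins, an unmatched packet is dropped by the implicit deny at the end of the policy, and, because floating-IP DNAT happens in nat PREROUTING of the router namespace before the filter FORWARD chain where the FWaaS rules are installed, the firewall sees the instance's fixed address, not the floating one. Two things fall out of it: with the string comparison exactly as posted (`"${net}" = "250"`), every rule is created with action reject; and even with that comparison corrected, a packet sent to the floating IP is matched by the reject rule for 10.97.0.0/24 after DNAT. The fixed IP 10.97.0.5, the floating IP 10.0.250.5 and the client address 10.0.0.10 are constructed for the example and are assumptions, not values from the post; destination-port matching is omitted because the posted rules cover 1:65535.

```python
import ipaddress

# Networks from the post: three tenant networks plus the floating-IP network.
NETS = ["97.0", "98.0", "99.0", "0.250"]
PROTOS = ["tcp", "udp", "icmp"]


def build_rules(fixed_compare):
    """Reproduce the rule set the posted shell loop creates.

    fixed_compare=False mirrors the posted test [ "${net}" = "250" ], which
    never matches the list element "0.250"; True compares against "0.250".
    """
    rules = []
    for net in NETS:
        action = "reject"
        for prot in PROTOS:
            key = "0.250" if fixed_compare else "250"
            if net == key:
                action = "allow"
            rules.append({
                "name": f"fw-rule-{net}-{prot}",
                "protocol": prot,
                "action": action,
                "src": ipaddress.ip_network("0.0.0.0/0"),
                "dst": ipaddress.ip_network(f"10.{net}.0/24"),
            })
    return rules


def dnat(dst, floating_map):
    """Floating-IP DNAT as performed in nat PREROUTING of the router namespace.

    A packet addressed to a floating IP is rewritten to the instance's fixed
    IP before the filter FORWARD chain (where FWaaS v1 rules live) sees it.
    """
    return floating_map.get(dst, dst)


def evaluate(rules, protocol, src, dst):
    """First-match evaluation; FWaaS v1 policies end with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["protocol"] == protocol and s in r["src"] and d in r["dst"]:
            return r["action"]
    return "deny (implicit)"


# Constructed addresses (assumptions, not from the post): the CirrOS
# instance's fixed IP and the floating IP associated with it.
FIXED_IP = "10.97.0.5"
FLOATING_IP = "10.0.250.5"
FLOATING_MAP = {FLOATING_IP: FIXED_IP}


def verdict(rules, protocol, src, dst, apply_dnat=True):
    """Verdict for a packet entering the router, with or without DNAT first."""
    target = dnat(dst, FLOATING_MAP) if apply_dnat else dst
    return evaluate(rules, protocol, src, target)


if __name__ == "__main__":
    client = "10.0.0.10"  # constructed client on the 10.0.0.0/16 external net
    for label, rules in (("posted", build_rules(False)),
                         ("corrected", build_rules(True))):
        print(label, "rules with action=allow:",
              sum(r["action"] == "allow" for r in rules))
        print(label, "to floating IP, no DNAT:",
              verdict(rules, "icmp", client, FLOATING_IP, apply_dnat=False))
        print(label, "to floating IP, after DNAT:",
              verdict(rules, "icmp", client, FLOATING_IP))
```

The model only reproduces address and protocol matching; to confirm what a real deployment installed, list the rules with `neutron firewall-rule-list` and compare the action column against the destination column, and inspect the router namespace's FORWARD chain with `ip netns exec <router-ns> iptables -L -n -v` to see which rule the counters increment on.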