Ooops... I got it. Thought nova-compute has responsibilities in local iptables settings.<div><div>I guess I was misled by the fact that I have default iptables rules setup at boot time in my VM which looks like rules defined in security group but it's just a coincidence.</div>
</div><div>Thanks</div><div>Patrick</div><div><br></div><div class="gmail_extra"><br><br><div class="gmail_quote">2012/12/10 Patrick Petit <span dir="ltr"><<a href="mailto:patrick.michel.petit@gmail.com" target="_blank">patrick.michel.petit@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Lei,<div><br><div>I could spend some more time looking at my "no route to host" issue today.</div><div>I could be very well that the iptables on VM is the root of the problem.</div>
<div><br></div><div>Here is what it looks like.</div>
<div><br></div><div><br></div><div><div><i>$ sudo iptables -L</i></div><div><i>Chain INPUT (policy ACCEPT)</i></div><div><i>target prot opt source destination </i></div><div><i>ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED</i></div>
<div><i>ACCEPT icmp -- anywhere anywhere </i></div><div><i>ACCEPT all -- anywhere anywhere </i></div><div><i>ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh</i></div>
<div><i>REJECT all -- anywhere anywhere reject-with icmp-host-prohibited</i></div><div><i><br></i></div><div><i>Chain FORWARD (policy ACCEPT)</i></div><div><i>target prot opt source destination </i></div>
<div><i>REJECT all -- anywhere anywhere reject-with icmp-host-prohibited</i></div><div><i><br></i></div><div><i>Chain OUTPUT (policy ACCEPT)</i></div><div><i>target prot opt source destination </i> </div>
</div><div><br></div><div>I am not unfortunately very familiar with iptables's rules syntax</div><div>Shouldn't ACCEPT all -- anywhere anywhere allow my http traffic to port 80?</div></div><div><br></div><div>However, running explicitly</div>
<div><br></div><div><i>sudo iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT</i><br></div><div><br></div><div>Does fix the problem. I can access my instance on port 80.</div><div><br></div><div>But my VM is associated with the default security group in which I added a rule to enable http traffic.</div>
<div class="im">
<div><br></div><div><div>$ nova secgroup-list-rules default</div><div>+-------------+-----------+---------+-----------+--------------+</div><div>| IP Protocol | From Port | To Port | IP Range | Source Group |</div><div>
+-------------+-----------+---------+-----------+--------------+</div>
<div>| icmp | -1 | -1 | <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> | |</div><div>| tcp | 22 | 22 | <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> | |</div>
<div>| tcp | 80 | 80 | <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> | |</div>
<div>+-------------+-----------+---------+-----------+--------------+</div></div><div><br></div></div><div>So the big question is why aren't my iptables rules in the VM no setup by the security group specs?</div><div>
I don't see any error in nova logs on the compute node.</div>
<div><br></div><div>Any help would be really appreciated.</div><div>Thanks</div><div>Patrick</div><div><br></div><div><br></div><div><br></div><div class="gmail_extra"><div><div class="h5"><br><br><div class="gmail_quote">
2012/12/6 Lei Zhang <span dir="ltr"><<a href="mailto:zhang.lei.fly@gmail.com" target="_blank">zhang.lei.fly@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Could you check the iptables in the vm? Whether it drop the packets on the port 80<div class="gmail_extra"><br><br><div class="gmail_quote">
<div><div>On Thu, Dec 6, 2012 at 12:29 AM, Patrick Petit <span dir="ltr"><<a href="mailto:patrick.michel.petit@gmail.com" target="_blank">patrick.michel.petit@gmail.com</a>></span> wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>Dear Stackers,<div><br></div><div>I am running instance wordpress.WikiServer</div><div>
<br></div><div><br clear="all">
<div>
<div>$ nova list</div><div>+--------------------------------------+--------------------------+--------+------------------------------------+</div>
<div>| ID | Name | Status | Networks |</div><div>+--------------------------------------+--------------------------+--------+------------------------------------+</div>
<div>| 6be47af7-2e29-4b4c-afeb-0a7f760f5970 | test2 | ACTIVE | xlcloud=172.16.1.6 |</div><div>| 5a4c552f-933c-4a06-8e6f-164176380af5 | wordpress.DatabaseServer | ACTIVE | xlcloud=172.16.1.3 |</div>
<div>| ddb120d9-e1ad-444c-8490-37ecb15f500e | wordpress.WikiServer | ACTIVE | xlcloud=172.16.1.4, 10.197.217.131 |</div><div>+--------------------------------------+--------------------------+--------+------------------------------------+</div>
</div><div><br></div><div><br></div><div>With Security Group setup as:</div><div><br></div><div><div>$ nova secgroup-list</div><div>+-----------------------------------+------------------------------------------------+</div>
<div>| Name | Description |</div><div>+-----------------------------------+------------------------------------------------+</div><div>| default | default |</div>
<div>+-----------------------------------+------------------------------------------------+</div></div><div><br></div><div><dt style="background-color:rgba(255,255,255,0.701961)"></dt><dt><br></dt></div><div><div>$ nova secgroup-list-rules default</div>
<div>+-------------+-----------+---------+-----------+--------------+</div><div>| IP Protocol | From Port | To Port | IP Range | Source Group |</div><div>+-------------+-----------+---------+-----------+--------------+</div>
<div>| icmp | -1 | -1 | <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> | |</div><div>| tcp | 22 | 22 | <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> | |</div>
<div>| tcp | 80 | 80 | <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> | |</div>
<div>+-------------+-----------+---------+-----------+--------------+</div></div><div><br></div><div>I can ping and ssh through the fix or floating IP without any problem (172.16.1.4, 10.197.217.131).</div><div>But HTTP requests on port 80 doesn't go through.</div>
<div>I get a "no route host" error message from wget or telnet for example.</div><div><br></div><div>Ex. $ telnet 172.16.1.4 80</div><div>Trying 172.16.1.4...</div><div>telnet: Unable to connect to remote host: No route to host.</div>
<div>Clearly it's not a routing problem. </div><div><br></div><div>Any idea what the problem could be or hints to debug it.</div><div><br></div><div>Thanks</div><span><font color="#888888"><div>Patrick</div>
<div><br></div><div> </div>
</font></span></div>
<br></div></div>_______________________________________________<br>
Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
Post to : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
<br></blockquote></div><span><font color="#888888"><br><br clear="all"><div><br></div>-- <br><div><span style="font-family:arial,sans-serif;font-size:13px;border-collapse:collapse">Lei Zhang</span></div><div>
<span style="font-family:arial,sans-serif;font-size:13px;border-collapse:collapse"><br>
</span></div><div><font face="arial, sans-serif">Blog: <a href="http://jeffrey4l.github.com" target="_blank">http://jeffrey4l.github.com</a></font></div><div>twitter/weibo: @jeffrey4l</div><br>
</font></span></div>
</blockquote></div><br><br clear="all"><div><br></div></div></div><span class="HOEnZb"><font color="#888888">-- <br><i>"Give me a place to stand, and I shall move the earth with a lever"</i><br>
</font></span></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><i>"Give me a place to stand, and I shall move the earth with a lever"</i><br>
</div>