<div dir="ltr">Hi, Barrow Kwan.<div style>I have the same problem in Ubuntu.</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Mar 5, 2013 at 3:37 AM, Barrow Kwan <span dir="ltr"><<a href="mailto:barrowkwan@yahoo.com" target="_blank">barrowkwan@yahoo.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im HOEnZb">Hi,<br>
Thanks, Jeff. This is what I got from tcpdump. The target (10.38.1.2) didn't<br>
seem to reply. Might be the target (10.38.1.2) didn't know how to route the<br>
packet to 192.168.151.3? Could that be an SNAT issue? Or, like you said, it needs an IP<br>
masquerading rule. Might be a bug in Quantum?<br>
<br>
<br>
Barrow<br>
<br>
<br>
<br>
<br>
tcpdump: WARNING: em1: no IPv4 address assigned<br>
tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes<br>
11:31:02.825150 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)<br>
192.168.151.3 > <a href="http://10.38.1.2" target="_blank">10.38.1.2</a>: ICMP echo request, id 11910, seq 133, length 64<br>
11:31:03.825338 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)<br>
192.168.151.3 > <a href="http://10.38.1.2" target="_blank">10.38.1.2</a>: ICMP echo request, id 11910, seq 134, length 64<br>
2 packets captured<br>
3 packets received by filter<br>
0 packets dropped by kernel<br>
<br>
<br>
<br>
<br>
----- Original Message ----<br>
From: Jeff Peeler <<a href="mailto:jpeeler@redhat.com">jpeeler@redhat.com</a>><br>
To: <a href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a><br>
</div><div class="im HOEnZb">Sent: Mon, March 4, 2013 7:39:03 AM<br>
Subject: Re: [Openstack] VM guest can't access outside world.<br>
<br>
</div><div class="HOEnZb"><div class="h5">On Wed, Feb 27, 2013 at 12:38:45PM -0800, Barrow Kwan wrote:<br>
> [root@optst01 quantum]# service iptables status<br>
> Table: nat<br>
> Chain PREROUTING (policy ACCEPT)<br>
> num target prot opt source destination<br>
> 1 nova-compute-PREROUTING all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> 2 quantum-l3-agent-PREROUTING all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> 3 nova-api-PREROUTING all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
><br>
> Chain POSTROUTING (policy ACCEPT)<br>
> num target prot opt source destination<br>
> 1 nova-compute-POSTROUTING all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> 2 quantum-l3-agent-POSTROUTING all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> 3 quantum-postrouting-bottom all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> 4 nova-api-POSTROUTING all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> 5 nova-postrouting-bottom all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
><br>
> Chain OUTPUT (policy ACCEPT)<br>
> num target prot opt source destination<br>
> 1 nova-compute-OUTPUT all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> 2 quantum-l3-agent-OUTPUT all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> 3 nova-api-OUTPUT all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
><br>
> Chain nova-api-OUTPUT (1 references)<br>
> num target prot opt source destination<br>
><br>
> Chain nova-api-POSTROUTING (1 references)<br>
> num target prot opt source destination<br>
><br>
> Chain nova-api-PREROUTING (1 references)<br>
> num target prot opt source destination<br>
><br>
> Chain nova-api-float-snat (1 references)<br>
> num target prot opt source destination<br>
><br>
> Chain nova-api-snat (1 references)<br>
> num target prot opt source destination<br>
> 1 nova-api-float-snat all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
><br>
> Chain nova-compute-OUTPUT (1 references)<br>
> num target prot opt source destination<br>
><br>
> Chain nova-compute-POSTROUTING (1 references)<br>
> num target prot opt source destination<br>
><br>
> Chain nova-compute-PREROUTING (1 references)<br>
> num target prot opt source destination<br>
><br>
> Chain nova-compute-float-snat (1 references)<br>
> num target prot opt source destination<br>
><br>
> Chain nova-compute-snat (1 references)<br>
> num target prot opt source destination<br>
> 1 nova-compute-float-snat all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
><br>
> Chain nova-postrouting-bottom (1 references)<br>
> num target prot opt source destination<br>
> 1 nova-compute-snat all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> 2 nova-api-snat all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
><br>
> Chain quantum-l3-agent-OUTPUT (1 references)<br>
> num target prot opt source destination<br>
><br>
> Chain quantum-l3-agent-POSTROUTING (1 references)<br>
> num target prot opt source destination<br>
> 1 ACCEPT all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> ! ctstate DNAT<br>
><br>
> Chain quantum-l3-agent-PREROUTING (1 references)<br>
> num target prot opt source destination<br>
><br>
> Chain quantum-l3-agent-float-snat (1 references)<br>
> num target prot opt source destination<br>
><br>
> Chain quantum-l3-agent-snat (1 references)<br>
> num target prot opt source destination<br>
> 1 quantum-l3-agent-float-snat all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> 2 SNAT all -- <a href="http://192.168.151.0/24" target="_blank">192.168.151.0/24</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> to:10.38.17.1<br>
><br>
> Chain quantum-postrouting-bottom (1 references)<br>
> num target prot opt source destination<br>
> 1 quantum-l3-agent-snat all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
><br>
> Table: filter<br>
> Chain INPUT (policy ACCEPT)<br>
> num target prot opt source destination<br>
> 1 nova-compute-INPUT all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> 2 quantum-l3-agent-INPUT all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> 3 nova-api-INPUT all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
><br>
> Chain FORWARD (policy ACCEPT)<br>
> num target prot opt source destination<br>
> 1 nova-filter-top all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> 2 nova-compute-FORWARD all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> 3 quantum-filter-top all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> 4 quantum-l3-agent-FORWARD all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> 5 nova-api-FORWARD all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
><br>
> Chain OUTPUT (policy ACCEPT)<br>
> num target prot opt source destination<br>
> 1 nova-filter-top all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> 2 nova-compute-OUTPUT all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> 3 quantum-filter-top all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> 4 quantum-l3-agent-OUTPUT all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> 5 nova-api-OUTPUT all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
><br>
> Chain nova-api-FORWARD (1 references)<br>
> num target prot opt source destination<br>
><br>
> Chain nova-api-INPUT (1 references)<br>
> num target prot opt source destination<br>
> 1 ACCEPT tcp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> 10.38.15.251 tcp dpt:8775<br>
><br>
> Chain nova-api-OUTPUT (1 references)<br>
> num target prot opt source destination<br>
><br>
> Chain nova-api-local (1 references)<br>
> num target prot opt source destination<br>
><br>
> Chain nova-compute-FORWARD (1 references)<br>
> num target prot opt source destination<br>
><br>
> Chain nova-compute-INPUT (1 references)<br>
> num target prot opt source destination<br>
><br>
> Chain nova-compute-OUTPUT (1 references)<br>
> num target prot opt source destination<br>
><br>
> Chain nova-compute-inst-20 (1 references)<br>
> num target prot opt source destination<br>
> 1 DROP all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> state INVALID<br>
> 2 ACCEPT all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> state RELATED,ESTABLISHED<br>
> 3 nova-compute-provider all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> 4 ACCEPT udp -- 192.168.151.2 <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> udp spt:67 dpt:68<br>
> 5 ACCEPT all -- <a href="http://192.168.151.0/24" target="_blank">192.168.151.0/24</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> 6 ACCEPT icmp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> 7 ACCEPT icmp -- 192.168.151.3 <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> 8 ACCEPT icmp -- 192.168.151.4 <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> 9 ACCEPT tcp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> tcp dpt:22<br>
> 10 nova-compute-sg-fallback all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
><br>
><br>
> Chain nova-compute-inst-21 (1 references)<br>
> num target prot opt source destination<br>
> 1 DROP all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> state INVALID<br>
> 2 ACCEPT all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> state RELATED,ESTABLISHED<br>
> 3 nova-compute-provider all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> 4 ACCEPT udp -- 192.168.151.2 <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> udp spt:67 dpt:68<br>
> 5 ACCEPT all -- <a href="http://192.168.151.0/24" target="_blank">192.168.151.0/24</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> 6 ACCEPT icmp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> 7 ACCEPT icmp -- 192.168.151.3 <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> 8 ACCEPT icmp -- 192.168.151.4 <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> 9 ACCEPT tcp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> tcp dpt:22<br>
> 10 nova-compute-sg-fallback all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
><br>
><br>
> Chain nova-compute-local (1 references)<br>
> num target prot opt source destination<br>
> 1 nova-compute-inst-20 all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> 192.168.151.3<br>
> 2 nova-compute-inst-21 all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> 192.168.151.4<br>
><br>
> Chain nova-compute-provider (2 references)<br>
> num target prot opt source destination<br>
><br>
> Chain nova-compute-sg-fallback (2 references)<br>
> num target prot opt source destination<br>
> 1 DROP all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
><br>
> Chain nova-filter-top (2 references)<br>
> num target prot opt source destination<br>
> 1 nova-compute-local all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> 2 nova-api-local all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
><br>
> Chain quantum-filter-top (2 references)<br>
> num target prot opt source destination<br>
> 1 quantum-l3-agent-local all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
><br>
> Chain quantum-l3-agent-FORWARD (1 references)<br>
> num target prot opt source destination<br>
><br>
> Chain quantum-l3-agent-INPUT (1 references)<br>
> num target prot opt source destination<br>
><br>
> Chain quantum-l3-agent-OUTPUT (1 references)<br>
> num target prot opt source destination<br>
><br>
> Chain quantum-l3-agent-local (1 references)<br>
> num target prot opt source destination<br>
<br>
Have you tried running tcpdump on the public interface to see how far<br>
the packets are getting? Maybe something like: tcpdump -n -c2 icmp -i em1,<br>
then try pinging from the VM. It could be that you're attempting to send<br>
unroutable packets, in which case an IP masquerading rule needs adding.<br>
<br>
Jeff<br>
<br>
_______________________________________________<br>
Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
Post to : <a href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
<br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div>Blog Site: <a href="http://livemoon.org" target="_blank">livemoon.org</a></div><div>Twitter: mwjpiero</div><div>Without detachment there is no clarity of purpose; without tranquility there is no reaching far.</div>
</div>
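An added example, not part of the original thread: a small check that compares the em1 capture quoted above against the SNAT rule in the quoted iptables listing and counts echo requests whose source is still inside the rule's source range at the capture point. The function names `parse_snat_rules` and `diagnose` are hypothetical, and the sample strings are reconstructed from the output shown in the thread.

```python
import ipaddress
import re

# Constructed sample: the SNAT chain and the em1 capture as quoted in the thread.
IPTABLES_NAT = """\
Chain quantum-l3-agent-snat (1 references)
num target prot opt source destination
1 quantum-l3-agent-float-snat all -- 0.0.0.0/0 0.0.0.0/0
2 SNAT all -- 192.168.151.0/24 0.0.0.0/0 to:10.38.17.1
"""
TCPDUMP = """\
11:31:02.825150 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.151.3 > 10.38.1.2: ICMP echo request, id 11910, seq 133, length 64
11:31:03.825338 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.151.3 > 10.38.1.2: ICMP echo request, id 11910, seq 134, length 64
"""

# "num SNAT prot opt source destination to:address" in `service iptables status` output
SNAT_RE = re.compile(r"^\d+\s+SNAT\s+\S+\s+--\s+(\S+)\s+\S+\s+to:(\S+)", re.M)
ICMP_RE = re.compile(r"(\d+(?:\.\d+){3}) > (\d+(?:\.\d+){3}): ICMP echo (request|reply)")


def parse_snat_rules(listing):
    """Return (source_network, translated_address) for each SNAT rule found."""
    return [(ipaddress.ip_network(src), ipaddress.ip_address(to))
            for src, to in SNAT_RE.findall(listing)]


def diagnose(listing, capture):
    """Count echo requests by source (pre- or post-SNAT) and echo replies seen."""
    rules = parse_snat_rules(listing)
    result = {"untranslated": 0, "translated": 0, "replies": 0}
    for src, _dst, kind in ICMP_RE.findall(capture):
        if kind == "reply":
            result["replies"] += 1
            continue
        addr = ipaddress.ip_address(src)
        if any(addr in net for net, _ in rules):
            result["untranslated"] += 1   # private source visible on the wire
        elif any(addr == to for _, to in rules):
            result["translated"] += 1     # source already rewritten by SNAT
    return result


if __name__ == "__main__":
    print(diagnose(IPTABLES_NAT, TCPDUMP))
```

A non-zero `untranslated` count with zero `replies` matches the symptom in the thread: the requests carry the private 192.168.151.0/24 source, so the target has no return route unless SNAT or masquerading is applied before the packet leaves.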