<html><head><style>body{font-family:Calibri,Arial;font-size:13px}</style></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div id="bloop_customfont" style="font-family:Calibri,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">Hi Liu,</div><div id="bloop_customfont" style="font-family:Calibri,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div><div id="bloop_customfont" style="font-family:Calibri,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">you need that table because by default neutron creates a new table set (rules) where it does -j (which means jump), and that is set to check rules for the outgoing. Think about this: you create INPUT, OUTPUT and FORWARD, which can be very limited, so what people do is create custom rules (jump), so when a package A comes in and says "I need to come in", INPUT, FORWARD or OUTPUT says "hold on, I have a rule set based on your info that needs to be checked", so it will traverse those rules before it can finally go out. If they did not do that, which could be possible by having everything in one rule (OUTPUT), then you would not be able to know where the package hits, what broke when you troubleshoot, etc. Moreover, you are going to have a list of rules that can be huge, and you would be crazy not to create special / custom sections (rules, tables) to assure you are protected. So I would suggest, if you have a hard time understanding how iptables works, to get a good book, section etc. and read up on it. Iptables is a very hard, complicated topic, but you can do many things with it. 
I have made several different network routings based on what I was looking for, for example:</div><div id="bloop_customfont" style="font-family:Calibri,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">if I needed to hit a server on the 10.0.0/x network to go out to my vpn gateway</div><div id="bloop_customfont" style="font-family:Calibri,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">if I needed to hit a web server on the 20.0.0x/ network to go out on my DSL network (gateway etc)</div><div id="bloop_customfont" style="font-family:Calibri,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div><div id="bloop_customfont" style="font-family:Calibri,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">So hopefully this will provide some ideas on what iptables can do. </div> <div id="bloop_sign_1385358087123447040" class="bloop_sign"><span style="font-family:helvetica,arial;font-size:13px"></span>-- <br>Remo Mattei<br><br></div> <br><p style="color:#A0A0A8;"> November 24, 2013 at 21:41:27, Liu Wenmao (<a href="mailto://marvelliu@gmail.com">marvelliu@gmail.com</a>) wrote:</p> <blockquote type="cite" class="clean_bq"><span><div><div>
<div dir="ltr">
<div>
<div>Hi Rem:<br>
<br></div>
I know OUTPUT in the native iptables table is for going out, but since
l3agent is playing the role of a router, all data from a VM to the external
network goes through FORWARD/PREROUTING/POSTROUTING, so why does l3agent add a
neutron-l3-agent-OUTPUT chain to the OUTPUT chain in the nat table? Is this
chain necessary? The packet counts of the neutron-l3-agent-OUTPUT
rules are all zero.<br>
<br></div>
p.s. the neutron-l3-agent-OUTPUT chain is in the nat table, not the
default table:<br>
<br>
root@controller:~# ip netns exec qrouter-9c63d74c-19d0-4a08-93bd-4738dff02505 iptables -L -nvx<br>
Chain INPUT (policy ACCEPT 2632310 packets, 633146916 bytes)<br>
pkts bytes target prot opt in out source destination<br>
2632310 633146916 neutron-l3-agent-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0<br>
<br>
Chain FORWARD (policy ACCEPT 37757658 packets, 33160595764 bytes)<br>
pkts bytes target prot opt in out source destination<br>
37757658 33160595764 neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0<br>
37757658 33160595764 neutron-l3-agent-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0<br>
<br>
Chain OUTPUT (policy ACCEPT 22916 packets, 1850560 bytes)<br>
pkts bytes target prot opt in out source destination<br>
22916 1850560 neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0<br>
22916 1850560 neutron-l3-agent-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0<br>
<br>
Chain neutron-filter-top (2 references)<br>
pkts bytes target prot opt in out source destination<br>
37780574 33162446324 neutron-l3-agent-local all -- * * 0.0.0.0/0 0.0.0.0/0<br>
<br>
Chain neutron-l3-agent-FORWARD (1 references)<br>
pkts bytes target prot opt in out source destination<br>
<br>
Chain neutron-l3-agent-INPUT (1 references)<br>
pkts bytes target prot opt in out source destination<br>
0 0 ACCEPT tcp -- * * 0.0.0.0/0 127.0.0.1 tcp dpt:9697<br>
<br>
Chain neutron-l3-agent-OUTPUT (1 references)<br>
pkts bytes target prot opt in out source destination<br>
<br>
Chain neutron-l3-agent-local (1 references)<br>
pkts bytes target prot opt in out source destination<br>
<br>
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>
root@controller:~# ip netns exec qrouter-9c63d74c-19d0-4a08-93bd-4738dff02505 iptables -L -t nat<br>
Chain PREROUTING (policy ACCEPT)<br>
target prot opt source destination<br>
neutron-l3-agent-PREROUTING all -- anywhere anywhere<br>
<br>
Chain INPUT (policy ACCEPT)<br>
target prot opt source destination<br>
<br>
Chain OUTPUT (policy ACCEPT)<br>
target prot opt source destination<br>
neutron-l3-agent-OUTPUT all -- anywhere anywhere<br>
<br>
Chain POSTROUTING (policy ACCEPT)<br>
target prot opt source destination<br>
neutron-l3-agent-POSTROUTING all -- anywhere anywhere<br>
neutron-postrouting-bottom all -- anywhere anywhere<br>
<br>
Chain neutron-l3-agent-OUTPUT (1 references)<br>
target prot opt source destination<br>
DNAT all -- anywhere u20 to:100.0.0.14<br>
DNAT all -- anywhere git.expr.nsfocus to:100.0.0.11<br>
DNAT all -- anywhere u22 to:100.0.0.12<br>
DNAT all -- anywhere u23 to:100.0.0.15<br>
DNAT all -- anywhere u24 to:100.0.0.16<br>
DNAT all -- anywhere u1 to:100.0.0.13<br>
DNAT all -- anywhere 192.168.19.138 to:100.0.0.19<br>
DNAT all -- anywhere 192.168.19.139 to:100.0.0.18<br>
DNAT all -- anywhere 192.168.19.140 to:100.0.0.17<br>
<br>
Chain neutron-l3-agent-POSTROUTING (1 references)<br>
target prot opt source destination<br>
ACCEPT all -- anywhere anywhere ! ctstate DNAT<br>
<br>
Chain neutron-l3-agent-PREROUTING (1 references)<br>
target prot opt source destination<br>
REDIRECT tcp -- anywhere 169.254.169.254 tcp dpt:http redir ports 9697<br>
DNAT all -- anywhere u20 to:100.0.0.14<br>
DNAT all -- anywhere git.expr.nsfocus to:100.0.0.11<br>
DNAT all -- anywhere u22 to:100.0.0.12<br>
DNAT all -- anywhere u23 to:100.0.0.15<br>
DNAT all -- anywhere u24 to:100.0.0.16<br>
DNAT all -- anywhere u1 to:100.0.0.13<br>
DNAT all -- anywhere 192.168.19.138 to:100.0.0.19<br>
DNAT all -- anywhere 192.168.19.139 to:100.0.0.18<br>
DNAT all -- anywhere 192.168.19.140 to:100.0.0.17<br>
<br>
Chain neutron-l3-agent-float-snat (1 references)<br>
target prot opt source destination<br>
SNAT all -- 100.0.0.14 anywhere to:192.168.19.133<br>
SNAT all -- 100.0.0.11 anywhere to:192.168.19.134<br>
SNAT all -- 100.0.0.12 anywhere to:192.168.19.135<br>
SNAT all -- 100.0.0.15 anywhere to:192.168.19.136<br>
SNAT all -- 100.0.0.16 anywhere to:192.168.19.137<br>
SNAT all -- 100.0.0.13 anywhere to:192.168.19.141<br>
SNAT all -- 100.0.0.19 anywhere to:192.168.19.138<br>
SNAT all -- 100.0.0.18 anywhere to:192.168.19.139<br>
SNAT all -- 100.0.0.17 anywhere to:192.168.19.140<br>
<br>
Chain neutron-l3-agent-snat (1 references)<br>
target prot opt source destination<br>
neutron-l3-agent-float-snat all -- anywhere anywhere<br>
SNAT all -- 200.0.0.0/24 anywhere to:192.168.19.130<br>
SNAT all -- 100.0.0.0/24 anywhere to:192.168.19.130<br>
<br>
Chain neutron-postrouting-bottom (1 references)<br>
target prot opt source destination<br>
neutron-l3-agent-snat all -- anywhere anywhere<br></div>
<div class="gmail_extra"><br clear="all">
<div>
<div dir="ltr">
<div>Liu Wenmao<br></div>
<div>Researcher</div>
<div>NSFOCUS Strategic Research Institute</div>
<div>Address: 4F, Yitai Building, No. 4 Beiwa Road, Haidian District, Beijing</div>
<div>Postal code: 100089</div>
<div>Tel: (010)68438880-8231</div>
<div>Fax: (010)68437328</div>
<div>Mobile: 13718994804</div>
<div>Email: <a href="mailto:liuwenmao@nsfocus.com" target="_blank">liuwenmao@nsfocus.com</a></div>
<div>Website: <a href="http://www.nsfocus.com" target="_blank">http://www.nsfocus.com</a></div>
</div>
</div>
<br>
<br>
<div class="gmail_quote">On Fri, Nov 22, 2013 at 1:37 PM, Remo
Mattei <span dir="ltr"><<a href="mailto:Remo@mattei.org" target="_blank">Remo@mattei.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">
<div style="font-family:Calibri,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
the pre route has nothing to do with going out. Packets travel from
PRE to POST. So the OUTPUT rules are the ones allowing the package to
go out. POSTROUTING and PREROUTING are part of the nat module.
Default rules in iptables are INPUT, FORWARD and OUTPUT; the nat
ones are PREROUTING and POSTROUTING. Hope this helps a little with the iptables
options. </div>
<div style="font-family:Calibri,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
<br></div>
<div style="font-family:Calibri,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
Ciao </div>
<div>-- <br>
Remo Mattei<br>
<br></div>
<div>
<div class="h5"><br>
<p style="color:#a0a0a8">On November 21, 2013 at 20:33:39, Liu
Wenmao (<a href="mailto://marvelliu@gmail.com" target="_blank">marvelliu@gmail.com</a>) wrote:</p>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div>
<div class="h5">
<div dir="ltr">
<div>
<div><span>hi:<br>
<br></span></div>
<span>I notice that there are two chains, neutron-l3-agent-OUTPUT
and neutron-l3-agent-PREROUTING, in the neutron namespace iptables,
both of which are the same except for the first redirect
rule:<br>
<br></span></div>
<span>I wonder why we need DNATs in the neutron-l3-agent-OUTPUT
chain; are the rules in neutron-l3-agent-PREROUTING (called by
PREROUTING) not sufficient when foreign hosts connect to an inner
VM?<br></span>
<div><span><br>
Chain neutron-l3-agent-OUTPUT (1 references)<br>
pkts bytes target prot opt in out source destination<br>
0 0 DNAT all -- * * 0.0.0.0/0 192.168.19.133 to:100.0.0.14<br>
0 0 DNAT all -- * * 0.0.0.0/0 192.168.19.134 to:100.0.0.11<br>
0 0 DNAT all -- * * 0.0.0.0/0 192.168.19.135 to:100.0.0.12<br>
0 0 DNAT all -- * * 0.0.0.0/0 192.168.19.136 to:100.0.0.15<br>
0 0 DNAT all -- * * 0.0.0.0/0 192.168.19.137 to:100.0.0.16<br>
0 0 DNAT all -- * * 0.0.0.0/0 192.168.19.141 to:100.0.0.13<br>
0 0 DNAT all -- * * 0.0.0.0/0 192.168.19.138 to:100.0.0.19<br>
0 0 DNAT all -- * * 0.0.0.0/0 192.168.19.139 to:100.0.0.18<br>
0 0 DNAT all -- * * 0.0.0.0/0 192.168.19.140 to:100.0.0.17<br>
<br>
Chain neutron-l3-agent-PREROUTING (1 references)<br>
pkts bytes target prot opt in out source destination<br>
0 0 REDIRECT tcp -- * * 0.0.0.0/0 169.254.169.254 tcp dpt:80 redir ports 9697<br>
6 312 DNAT all -- * * 0.0.0.0/0 192.168.19.133 to:100.0.0.14<br>
362 18804 DNAT all -- * * 0.0.0.0/0 192.168.19.134 to:100.0.0.11<br>
7 356 DNAT all -- * * 0.0.0.0/0 192.168.19.135 to:100.0.0.12<br>
1 78 DNAT all -- * * 0.0.0.0/0 192.168.19.136 to:100.0.0.15<br>
24 1235 DNAT all -- * * 0.0.0.0/0 192.168.19.137 to:100.0.0.16<br>
14 812 DNAT all -- * * 0.0.0.0/0 192.168.19.141 to:100.0.0.13<br>
665 35774 DNAT all -- * * 0.0.0.0/0 192.168.19.138 to:100.0.0.19<br>
715 38158 DNAT all -- * * 0.0.0.0/0 192.168.19.139 to:100.0.0.18<br>
788 42206 DNAT all -- * * 0.0.0.0/0 192.168.19.140 to:100.0.0.17<br>
<br></span></div>
<div><span>Thanks<br>
<br></span></div>
<div><span>Liu Wenmao<br></span></div>
</div>
</div>
</div>
<span>_______________________________________________<br>
Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
Post to : <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a><br>
Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
<br></span></div>
</div>
</blockquote>
</div>
</blockquote>
</div>
<br></div>
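Editor's added illustration, not part of any message in this thread: a small Python model of the nat hooks a packet crosses in the qrouter namespace, showing why neutron-l3-agent-OUTPUT repeats the PREROUTING DNAT rules. A packet generated by a process inside the namespace never traverses PREROUTING, so only the OUTPUT chain can rewrite its floating-IP destination; the zero counters in the thread just mean no such locally generated traffic had occurred. The floating/fixed pairs are two of those quoted above; the Packet/NatTable names and sample flows are constructed.

```python
from dataclasses import dataclass, field

# Constructed from two of the nine floating-IP DNAT rules quoted in the thread.
FLOATING_TO_FIXED = {"192.168.19.133": "100.0.0.14", "192.168.19.134": "100.0.0.11"}
FIXED_TO_FLOATING = {v: k for k, v in FLOATING_TO_FIXED.items()}
ROUTER_SNAT_IP = "192.168.19.130"  # neutron-l3-agent-snat address from the thread


@dataclass
class Packet:
    src: str
    dst: str
    local: bool  # True if emitted by a process inside the qrouter namespace


@dataclass
class NatTable:
    """Minimal model of the nat hooks a packet crosses in the qrouter namespace."""
    dnat_in_output: bool = True  # does the l3 agent also install DNAT rules in OUTPUT?
    hits: dict = field(default_factory=lambda: {"PREROUTING": 0, "OUTPUT": 0})

    def _dnat(self, pkt, chain):
        # neutron-l3-agent-PREROUTING / -OUTPUT: rewrite floating IP to fixed IP.
        fixed = FLOATING_TO_FIXED.get(pkt.dst)
        if fixed is None:
            return pkt, "none"
        self.hits[chain] += 1
        return Packet(pkt.src, fixed, pkt.local), chain

    def traverse(self, pkt):
        """Return (packet after nat, name of the chain that DNATed it or 'none')."""
        chain = "none"
        if not pkt.local:
            # Packets arriving on an interface pass PREROUTING before the routing decision.
            pkt, chain = self._dnat(pkt, "PREROUTING")
        elif self.dnat_in_output:
            # Locally generated packets never see PREROUTING; only OUTPUT can DNAT them.
            pkt, chain = self._dnat(pkt, "OUTPUT")
        # POSTROUTING: 'ACCEPT ... ! ctstate DNAT' exempts DNATed flows from SNAT;
        # other traffic from the tenant subnet gets float-snat or the router SNAT.
        if chain == "none" and pkt.src.startswith("100.0.0."):
            pkt = Packet(FIXED_TO_FLOATING.get(pkt.src, ROUTER_SNAT_IP), pkt.dst, pkt.local)
        return pkt, chain


def demo(dnat_in_output):
    """Constructed flows: an external host and a namespace-local process hit a floating IP."""
    nat = NatTable(dnat_in_output)
    ext, ext_chain = nat.traverse(Packet("192.168.19.1", "192.168.19.133", False))
    loc, loc_chain = nat.traverse(Packet("192.168.19.130", "192.168.19.133", True))
    out, _ = nat.traverse(Packet("100.0.0.11", "192.168.19.1", False))  # VM -> outside
    return {"ext": (ext.dst, ext_chain), "local": (loc.dst, loc_chain),
            "vm_out_src": out.src, "hits": dict(nat.hits)}
```

Run `demo(False)` to see what happens without the OUTPUT rules: the namespace-local packet leaves with the floating IP still as its destination and is never delivered to the VM.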
</div></div></span></blockquote></body></html>