<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hello,<br>
I'm managing an OpenStack cloud (Havana... yeah, too old...) with
nova-network and ONLY one interface per node (and one interface in
controller and network, that are the same server). All traffic flows
in eth0 (and, of course, br100).<br>
When I launch an instance, I assign a floating IP address from the
public pool, so the instance can be accessed from the Internet
with SSH. But, once I have logged into the instance, I can't browse
the Internet because it seems there is a NAT problem with some iptables
rule in the controller. I have run this easy test: from inside the
instance (with a private IP assigned by OpenStack and a public
floating IP), I ping another server (in the same public network
as the floating IPs) and, then, that server receives ICMP traffic
from the private IP of the instance, as if NAT were failing in the
controller.<br>
<br>
However, iptables rules in controller seem to be correct:<br>
<blockquote><tt>Chain PREROUTING (policy ACCEPT)</tt><tt><br>
</tt><tt>target prot opt source destination</tt><tt><br>
</tt><tt>nova-network-PREROUTING all -- anywhere
anywhere</tt><tt><br>
</tt><tt>nova-api-PREROUTING all -- anywhere
anywhere</tt><tt><br>
</tt><tt><br>
</tt><tt>Chain POSTROUTING (policy ACCEPT)</tt><tt><br>
</tt><tt>target prot opt source destination</tt><tt><br>
</tt><tt>nova-network-POSTROUTING all -- anywhere
anywhere</tt><tt><br>
</tt><tt>nova-api-POSTROUTING all -- anywhere
anywhere</tt><tt><br>
</tt><tt>nova-postrouting-bottom all -- anywhere
anywhere</tt><tt><br>
</tt><tt>MASQUERADE tcp -- 192.168.122.0/24
!192.168.122.0/24 masq ports: 1024-65535</tt><tt><br>
</tt><tt>MASQUERADE udp -- 192.168.122.0/24
!192.168.122.0/24 masq ports: 1024-65535</tt><tt><br>
</tt><tt>MASQUERADE all -- 192.168.122.0/24
!192.168.122.0/24</tt><tt><br>
</tt><tt><br>
</tt><tt>Chain OUTPUT (policy ACCEPT)</tt><tt><br>
</tt><tt>target prot opt source destination</tt><tt><br>
</tt><tt>nova-network-OUTPUT all -- anywhere
anywhere</tt><tt><br>
</tt><tt>nova-api-OUTPUT all -- anywhere anywhere</tt><tt><br>
</tt><tt><br>
</tt><tt>Chain nova-api-OUTPUT (1 references)</tt><tt><br>
</tt><tt>target prot opt source destination</tt><tt><br>
</tt><tt><br>
</tt><tt>Chain nova-api-POSTROUTING (1 references)</tt><tt><br>
</tt><tt>target prot opt source destination</tt><tt><br>
</tt><tt><br>
</tt><tt>Chain nova-api-PREROUTING (1 references)</tt><tt><br>
</tt><tt>target prot opt source destination</tt><tt><br>
</tt><tt><br>
</tt><tt>Chain nova-api-float-snat (1 references)</tt><tt><br>
</tt><tt>target prot opt source destination</tt><tt><br>
</tt><tt><br>
</tt><tt>Chain nova-api-snat (1 references)</tt><tt><br>
</tt><tt>target prot opt source destination</tt><tt><br>
</tt><tt>nova-api-float-snat all -- anywhere
anywhere</tt><tt><br>
</tt><tt><br>
</tt><tt>Chain nova-network-OUTPUT (1 references)</tt><tt><br>
</tt><tt>target prot opt source destination</tt><tt><br>
</tt><tt>DNAT all -- anywhere
FLOATING_PUBLIC_IP to:192.168.32.13</tt><tt><br>
</tt><tt><br>
</tt><tt>Chain nova-network-POSTROUTING (1 references)</tt><tt><br>
</tt><tt>target prot opt source destination</tt><tt><br>
</tt><tt>ACCEPT all -- 192.168.32.0/22
CONTROLLER_PUBLIC_IP</tt><tt><br>
</tt><tt>ACCEPT all -- 192.168.32.0/22
192.168.32.0/22 ! ctstate DNAT</tt><tt><br>
</tt><tt>SNAT all -- 192.168.32.13
anywhere ctstate DNAT to:FLOATING_PUBLIC_IP</tt><tt><br>
</tt><tt><br>
</tt><tt>Chain nova-network-PREROUTING (1 references)</tt><tt><br>
</tt><tt>target prot opt source destination</tt><tt><br>
</tt><tt>DNAT tcp -- anywhere
169.254.169.254 tcp dpt:http to:CONTROLLER_PUBLIC_IP:8775</tt><tt><br>
</tt><tt>DNAT all -- anywhere
FLOATING_PUBLIC_IP to:192.168.32.13</tt><tt><br>
</tt><tt><br>
</tt><tt>Chain nova-network-float-snat (1 references)</tt><tt><br>
</tt><tt>target prot opt source destination</tt><tt><br>
</tt><tt>SNAT all -- 192.168.32.13
192.168.32.13 to:FLOATING_PUBLIC_IP</tt><tt><br>
</tt><tt>SNAT all -- 192.168.32.13
anywhere to:FLOATING_PUBLIC_IP</tt><tt><br>
</tt><tt><br>
</tt><tt>Chain nova-network-snat (1 references)</tt><tt><br>
</tt><tt>target prot opt source destination</tt><tt><br>
</tt><tt>nova-network-float-snat all -- anywhere
anywhere</tt><tt><br>
</tt><tt>SNAT all -- 192.168.32.0/22
anywhere to:CONTROLLER_PUBLIC_IP</tt><tt><br>
</tt><tt><br>
</tt><tt>Chain nova-postrouting-bottom (1 references)</tt><tt><br>
</tt><tt>target prot opt source destination</tt><tt><br>
</tt><tt>nova-network-snat all -- anywhere anywhere</tt><tt><br>
</tt><tt>nova-api-snat all -- anywhere anywhere</tt><br>
</blockquote>
<font color="#330033"><br>
In those rules:</font><br>
<ul>
<li><font color="#330033">CONTROLLER_PUBLIC_IP and
FLOATING_PUBLIC_IP are in the same subnet. 192.168.32.13 is
the internal instance IP address. 10.3.4.200 is another floating
IP assigned to the instance automatically, but it is in a
private subnet without Internet access.</font></li>
</ul>
<br>
Now, after doing several tests, I have found that adding this rule
manually, <tt>iptables -t nat -I nova-network-POSTROUTING -s
192.168.32.13 -j SNAT --to FLOATING_PUBLIC_IP</tt>, solves my
problem!!!! But I need to add this rule dynamically BEFORE the other
existing "nova-network-POSTROUTING" rules, because OpenStack executes
an "iptables -A" (append) and I need an "iptables -I"
(insert as first rule)...<br>
<br>
Could someone help me?<br>
<br>
Thanks.
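To make the ordering problem concrete, here is an added example (not from the post, and not nova code) that walks the quoted nat chains for a packet leaving the instance. In the nat table an ACCEPT is terminating ("do not NAT this connection"), so a rule appended with -A behind the ACCEPT rules in nova-network-POSTROUTING is never consulted for packets they match, while one inserted with -I at position 1 is. CONTROLLER_PUBLIC_IP and FLOATING_PUBLIC_IP, which the post masks, are replaced by constructed documentation-range addresses.

```python
"""Walk the nat-table POSTROUTING path of the chains quoted in the post.
CONTROLLER_PUBLIC_IP / FLOATING_PUBLIC_IP are constructed stand-ins from
203.0.113.0/24; the libvirt MASQUERADE rules for 192.168.122.0/24 in the
base chain are omitted because they never match 192.168.32.0/22."""
import ipaddress

CONTROLLER_PUBLIC_IP = "203.0.113.1"   # stand-in, not the real address
FLOATING_PUBLIC_IP = "203.0.113.13"    # stand-in, not the real address
INSTANCE_IP = "192.168.32.13"          # instance address from the post

def rule(target, src="0.0.0.0/0", dst="0.0.0.0/0", ctstate=None, negate=False):
    return dict(target=target, src=ipaddress.ip_network(src), dst=ipaddress.ip_network(dst),
                ctstate=ctstate, negate=negate)   # negate models "! ctstate X"

# Transcribed from the post's `iptables -t nat -L`; a target naming another chain is a jump.
CHAINS = {
    "POSTROUTING": [rule("nova-network-POSTROUTING"), rule("nova-api-POSTROUTING"),
                    rule("nova-postrouting-bottom")],
    "nova-network-POSTROUTING": [
        rule("ACCEPT", "192.168.32.0/22", CONTROLLER_PUBLIC_IP),
        rule("ACCEPT", "192.168.32.0/22", "192.168.32.0/22", ctstate="DNAT", negate=True),
        rule("SNAT", INSTANCE_IP, ctstate="DNAT")],
    "nova-api-POSTROUTING": [], "nova-api-float-snat": [],
    "nova-postrouting-bottom": [rule("nova-network-snat"), rule("nova-api-snat")],
    "nova-network-snat": [rule("nova-network-float-snat"), rule("SNAT", "192.168.32.0/22")],
    "nova-network-float-snat": [rule("SNAT", INSTANCE_IP, INSTANCE_IP), rule("SNAT", INSTANCE_IP)],
    "nova-api-snat": [rule("nova-api-float-snat")],
}

def matches(r, src, dst, ctstate):
    if src not in r["src"] or dst not in r["dst"]:
        return False
    return r["ctstate"] is None or (ctstate == r["ctstate"]) != r["negate"]

def verdict(chains, src, dst, ctstate=None, chain="POSTROUTING"):
    """First terminating target as (target, chain it matched in), or None if the chain
    returns. ACCEPT counts as terminating: in the nat table it means 'no NAT'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in chains[chain]:
        if not matches(r, src, dst, ctstate):
            continue
        if r["target"] in chains:                  # jump; keep walking if it returns
            hit = verdict(chains, src, dst, ctstate, r["target"])
            if hit:
                return hit
        else:
            return r["target"], chain
    return None

def with_inserted_snat(chains):
    """The post's manual fix (`iptables -t nat -I nova-network-POSTROUTING -s 192.168.32.13
    -j SNAT --to FLOATING_PUBLIC_IP`): -I puts the rule at position 1, ahead of the ACCEPTs."""
    fixed = {name: list(rules) for name, rules in chains.items()}
    fixed["nova-network-POSTROUTING"].insert(0, rule("SNAT", INSTANCE_IP))
    return fixed
```

For a destination inside 192.168.32.0/22 the second ACCEPT ends nat processing before nova-network-float-snat is ever reached, which is exactly the position an appended rule would sit behind.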
</body>
</html>