<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>It says default so that applies only to that network. Just add a new rule icmp all source 0/0 then you can ping in and out. </div><div id="AppleMailSignature"><br></div><div id="AppleMailSignature">Same for ssh which applies to floating ip as well. In mitaka it works a little differently. </div><div id="AppleMailSignature"><br></div><div id="AppleMailSignature">Ciao<br><br>Inviato da iPhone</div><div><br>Il giorno 15 apr 2016, alle ore 10:50, Jorge Luiz Correa <<a href="mailto:correajl@gmail.com">correajl@gmail.com</a>> ha scritto:<br><br></div><blockquote type="cite"><div><div dir="ltr">Thank you, Peter and Remo! Your answers guided me to better understand security groups and iptables rules. The problem was that I haven't understood very well the default security group created automatically, mainly the rules that seems to pass all traffic. Explained bellow. <br><br>DVR is enabled.<br>Version is Liberty.<br>1 hypervisor and router is OK on compute nodes and controller (snat).<br>I had not assigned an ICMP rule on default security group neither other security group.<br><br>On default security group we can see these rules (dashboard):<br><br>Direction EtherType IP Protocol Port Range Remote IP Prefix Remote Security Group Actions<br>Egress IPv6 Any Any ::/0 - <br>Egress IPv4 Any Any <a href="http://0.0.0.0/0">0.0.0.0/0</a> - <br>Ingress IPv6 Any Any - default<br>Ingress IPv4 Any Any - default<br><br>I was thinking that the rule "Ingress IPv4 Any Any" could pass all the traffic, independently if we are using a private IP or a floating IP. But, when this rule is translated to iptables, neutron uses ipset and the configured set has just the private IP addresses. <br><br>Chain neutron-openvswi-i7a7a669c-3 (1 references)<br> pkts bytes target prot opt in out source destination <br>.....<br> 0 0 RETURN all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> match-set NIPv43c228055-2735-4339-b9a8- src<br>.....<br><br>And:<br><br>$ ipset list<br><br>Name: NIPv43c228055-2735-4339-b9a8-<br>Type: hash:net<br>Revision: 4<br>Header: family inet hashsize 1024 maxelem 65536<br>Size in memory: 512<br>References: 1<br>Members:<br>172.16.0.5<br>172.16.0.10<br><br>Name: NIPv63c228055-2735-4339-b9a8-<br>Type: hash:net<br>Revision: 4<br>Header: family inet6 hashsize 1024 maxelem 65536<br>Size in memory: 1152<br>References: 1<br>Members:<br><br>So, this rule is going to pass just packets that src is in <a href="http://172.16.0.0/24">172.16.0.0/24</a>, the private (tenant) network. <br><br>Although the rules listed have 'IPv4 Any Any' as if passing anything, theses rules just permit packets from one VM to another in the same private network. <br><br>To allow packets to a floating IP it's required other rules that pass to a specific floating IP address (or network, or all <a href="http://0.0.0.0/0">0.0.0.0/0</a>). As listed (dashboard), at right column 'Remote Security Group Actions' we shouldn't have 'default'.<br><br>Direction EtherType IP Protocol Port Range Remote IP Prefix Remote Security Group Actions<br>Ingress IPv4 Any Any - default <--- pass for the private network<br>and <br>Ingress IPv4 Any Any <a href="http://0.0.0.0/0">0.0.0.0/0</a> - <--- pass for floating ips <br><br>Iptables is something like:<br><br>Chain neutron-openvswi-i7a7a669c-3 (1 references)<br> pkts bytes target prot opt in out source destination <br>.....<br> 0 0 RETURN all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> match-set NIPv43c228055-2735-4339-b9a8- src<br> 0 0 RETURN all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> <br>.....<br><br>So, what I needed to do was create a new security group for traffic from external networks to internal networks, without use the "default security group" as destination, because this is translated to the ipset match-set rule. <br><br>Thank you so much!<br></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr">- JLC</div></div></div>
<br><div class="gmail_quote">On Fri, Apr 15, 2016 at 11:30 AM, Remo Mattei <span dir="ltr"><<a href="mailto:remo@italy1.com" target="_blank">remo@italy1.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">one more thing to know what version (liberty? Mitaka?)<br>
<br>
The security rules don’t get set with the new Mitaka so just make sure that you do set them, I have seen issues where the instance does not behave well and if you do set the SG make sure you have the ports open as Peter stated below.<br>
<br>
Remo<br>
<div><div class="h5">> On Apr 15, 2016, at 10:14, Erdősi Péter <<a href="mailto:fazy@niif.hu">fazy@niif.hu</a>> wrote:<br>
><br>
> <a href="tel:2016.%2004.%2015.%2015" value="+12016041515">2016. 04. 15. 15</a>:41 keltezéssel, Jorge Luiz Correa írta:<br>
>> I think that in neutron-openvswi-i7a7a669c-3 should exist some RETURN rule using the 172.16.0.5 IP address.<br>
> Just a fast thought:<br>
> Did you assigned a security group with icmp enabled rule to your VM?<br>
><br>
> I think, thats will made your exception to avoid DROP at the end...<br>
><br>
> Regards:<br>
> Peter<br>
><br>
</div></div><span class="">> _______________________________________________<br>
> Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
> Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
> Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
><br>
</span>> <br>
><br>
<br>
</blockquote></div><br></div>
!DSPAM:1,57112b1517039594946585!
</div></blockquote></body></html>