<div dir="ltr">Hi Andreas,<div><br></div><div>Yes you're right, those blocking rule appears on my iptables</div><div><br></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><font face="monospace, monospace"># iptables -S |grep icmp-host-prohibited<br></font><font face="monospace, monospace">-A INPUT -j REJECT --reject-with icmp-host-prohibited</font></blockquote></div><div><br></div><div>Then after I delete those rule, everything works fine. Thank you so much Andreas.</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jun 28, 2016 at 2:11 PM, Andreas Scheuring <span dir="ltr"><<a href="mailto:scheuran@linux.vnet.ibm.com" target="_blank">scheuran@linux.vnet.ibm.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Adhi,<br>
yeah this seems to be iptables blocking you're traffic.<br>
Calling<br>
# iptables-save<br>
gives you an easy to read output of all your rules.<br>
<br>
Probably you'll find some rule like<br>
# -A INPUT -j REJECT --reject-with icmp-host-prohibited<br>
<br>
Now the problem with the 2 rules you added is, that you are appending<br>
your rules with -A. Iptables-save should show, that they are processed<br>
after the blocking rule (means never).<br>
So what you need to do is to insert your 2 rules before the blocking<br>
rule. You can do that using -I instead of -A.<br>
<br>
Alternatively you could just delete the blocking rule using:<br>
# iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited<br>
<br>
<br>
Note:<br>
The commands just add/delete the rules on your running system. After a<br>
reboot the rule will be gone again. You need to persist them.<br>
How to do that depends on if you're using firewalld or iptables-service.<br>
I think the www will help you there.<br>
<br>
Hope that helps<br>
<br>
<br>
<br>
--<br>
-----<br>
Andreas<br>
IRC: andreas_s (formerly scheuran)<br>
<span class=""><br>
<br>
<br>
On Di, 2016-06-28 at 13:14 +0700, Adhi Priharmanto wrote:<br>
> Hi, all I've setup liberty release with neutron-openvswitch using gre<br>
> tunnel at Centos. I've an problems when iptables service started at<br>
> network and compute node.<br>
> Instance couldn't get the internal IP address(DHCP) when it boot, if<br>
> dump the packet using tcpdump on both of tunnel interface it says like<br>
> this :<br>
><br>
> 13:03:08.164944 IP 10.24.0.23 > <a href="http://opstcomp1-srg.dev.jcamp.net" rel="noreferrer" target="_blank">opstcomp1-srg.dev.jcamp.net</a>: ICMP host<br>
> 10.24.0.23 unreachable - admin prohibited, length 106<br>
><br>
><br>
><br>
> <a href="http://10.24.0.0/24" rel="noreferrer" target="_blank">10.24.0.0/24</a> is my tunnel IP network. I've already add this rule on<br>
> both node but its no luck<br>
><br>
><br>
> iptables -A INPUT -p gre -j ACCEPT<br>
><br>
> iptables -A FORWARD -p gre -j ACCEPT<br>
><br>
><br>
><br>
> Can someone help me to solve this problem ?<br>
><br>
><br>
> --<br>
> Cheers,<br>
><br>
><br>
</span>> Adhi Priharmanto<br>
> <a href="http://about.me/a_dhi" rel="noreferrer" target="_blank">about.me/a_dhi</a><br>
><br>
><br>
><br>
> <a href="tel:%2B62-812-82121584" value="+6281282121584">+62-812-82121584</a><br>
><br>
><br>
><br>
> _______________________________________________<br>
> Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
> Post to     : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
> Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
<br>
<br>
_______________________________________________<br>
Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
Post to     : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><font size="2"><span style="font-family:trebuchet ms,sans-serif">Cheers,</span><br style="font-family:trebuchet ms,sans-serif"><br></font><table border="0" cellpadding="0" cellspacing="0" style="margin:0px;padding:0px;border:0px;outline:0px;font-size:14px;font-family:proxima-nova-1,proxima-nova-2,Tahoma,Helvetica,Verdana,sans-serif;vertical-align:baseline;border-spacing:0px;color:rgb(51,51,51);line-height:18.2000007629395px"><tbody style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline"><tr style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline"><td style="padding:0px;border:0px;outline:0px;font-style:inherit;font-size:0px;font-family:inherit;vertical-align:baseline;width:auto;height:30px"> </td></tr><tr style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline"><td style="padding:0px;border:0px;outline:0px;font-style:inherit;font-family:inherit;vertical-align:baseline;width:auto"><div style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline;line-height:0"><a href="http://about.me/a_dhi?promo=email_sig" style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline;color:rgb(58,169,233);text-decoration:none;display:inline-block" target="_blank"><table border="0" cellpadding="0" cellspacing="0" style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline;border-spacing:0px"><tbody style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline"><tr style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline"><td align="left" valign="top" style="padding:0px;border:0px;outline:0px;font-style:inherit;font-family:inherit;vertical-align:top;width:auto;line-height:1"><img alt="--" width="0" height="0" style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline;display:block;width:0px;height:0px;overflow:hidden"><div style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:bold;font-style:inherit;font-size:18px;font-family:proxima-nova-1,Proxima-Nova,Helvetica,Arial,sans-serif;vertical-align:baseline;line-height:1;color:rgb(51,51,51)">Adhi Priharmanto</div><div style="margin:3px 0px 0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-size:12px;font-family:proxima-nova-1,Proxima-Nova,Helvetica,Arial,sans-serif;vertical-align:baseline;color:rgb(43,130,173)"><img alt="http://" width="0" height="0" style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline;display:block;width:0px;height:0px;overflow:hidden">about.me/a_dhi</div></td></tr><tr style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline"><td align="left" valign="top" style="padding:8px 0px 0px;border:0px;outline:0px;font-style:inherit;font-family:inherit;vertical-align:top;width:auto;line-height:1"><div style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline;text-align:right;height:4px;background-color:rgb(197,208,224)"><img src="http://d13pix9kaak6wt.cloudfront.net/signature/colorbar.png" alt="" width="88" height="4" style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline;float:right;display:block"></div></td></tr></tbody></table></a>                               </div></td></tr><tr style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline"><td style="padding:0px;border:0px;outline:0px;font-style:inherit;font-size:0px;font-family:inherit;vertical-align:baseline;width:auto;height:20px"></td></tr></tbody></table><font size="2"><span style="font-family:trebuchet ms,sans-serif">+62-812-82121584<br></span></font></div><div><font size="2"><span style="font-family:trebuchet ms,sans-serif"><br></span></font></div></div></div></div></div>
</div>