[Openstack] NAT ports from external networks to internal networks

Salvatore Orlando sorlando at nicira.com
Sun Aug 4 19:01:50 UTC 2013

Hi Ben,

The closest the thing to what you want to achieve is the Floating IP, but,
as you say, this will not allow for fine-grained control over ports; so you
won't be able, for instance, to expose only port 443 of an internal IP.

However, this is not in the Havana roadmap at the moment - but this surely
is something that can be discussed for the Icehouse release.
This could be implemented as an independent API extension, but could
actually be implemented by both the FWaaS agent and the L3 agent. This
decision will depend on the route we choose for service agents, which is
being discussed at the moment.

For the time being you might try and use the LBaaS extension with pools
consistuted by a single service.


On 4 August 2013 20:40, Ben Firshman <ben at firshman.co.uk> wrote:

> Hi all,
> I have a large number of small VMs on Quantum internal networks. I'm
> trying to find a way to expose services externally without having to attach
> a whole IPv4 address to each machine.
> I'm basically looking for a way to NAT external addresses and ports to
> internal addresses and ports. (TCP/UDP ports that is.) The upcoming FWaaS
> seems to give more fine-grained control over iptables rules, but not NAT it
> seems.
> Perhaps this could be part of FWaaS? Perhaps some kind of separate NATing
> service?
> Thanks,
> Ben
> _______________________________________________
> Mailing list:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20130804/a70cdb0b/attachment.html>

More information about the Openstack mailing list