[Openstack] VM guest can't access outside world.
Jeff Peeler
jpeeler at redhat.com
Mon Mar 4 15:37:57 UTC 2013
On Wed, Feb 27, 2013 at 12:38:45PM -0800, Barrow Kwan wrote:
> [root@optst01 quantum]# service iptables status
> Table: nat
> Chain PREROUTING (policy ACCEPT)
> num target prot opt source destination
> 1 nova-compute-PREROUTING all -- 0.0.0.0/0 0.0.0.0/0
> 2 quantum-l3-agent-PREROUTING all -- 0.0.0.0/0 0.0.0.0/0
>
> 3 nova-api-PREROUTING all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain POSTROUTING (policy ACCEPT)
> num target prot opt source destination
> 1 nova-compute-POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0
>
> 2 quantum-l3-agent-POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0
>
> 3 quantum-postrouting-bottom all -- 0.0.0.0/0 0.0.0.0/0
>
> 4 nova-api-POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0
> 5 nova-postrouting-bottom all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> num target prot opt source destination
> 1 nova-compute-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0
> 2 quantum-l3-agent-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0
> 3 nova-api-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain nova-api-OUTPUT (1 references)
> num target prot opt source destination
>
> Chain nova-api-POSTROUTING (1 references)
> num target prot opt source destination
>
> Chain nova-api-PREROUTING (1 references)
> num target prot opt source destination
>
> Chain nova-api-float-snat (1 references)
> num target prot opt source destination
>
> Chain nova-api-snat (1 references)
> num target prot opt source destination
> 1 nova-api-float-snat all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain nova-compute-OUTPUT (1 references)
> num target prot opt source destination
>
> Chain nova-compute-POSTROUTING (1 references)
> num target prot opt source destination
>
> Chain nova-compute-PREROUTING (1 references)
> num target prot opt source destination
>
> Chain nova-compute-float-snat (1 references)
> num target prot opt source destination
>
> Chain nova-compute-snat (1 references)
> num target prot opt source destination
> 1 nova-compute-float-snat all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain nova-postrouting-bottom (1 references)
> num target prot opt source destination
> 1 nova-compute-snat all -- 0.0.0.0/0 0.0.0.0/0
> 2 nova-api-snat all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain quantum-l3-agent-OUTPUT (1 references)
> num target prot opt source destination
>
> Chain quantum-l3-agent-POSTROUTING (1 references)
> num target prot opt source destination
> 1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ! ctstate DNAT
>
> Chain quantum-l3-agent-PREROUTING (1 references)
> num target prot opt source destination
>
> Chain quantum-l3-agent-float-snat (1 references)
> num target prot opt source destination
>
> Chain quantum-l3-agent-snat (1 references)
> num target prot opt source destination
> 1 quantum-l3-agent-float-snat all -- 0.0.0.0/0 0.0.0.0/0
>
> 2 SNAT all -- 192.168.151.0/24 0.0.0.0/0 to:10.38.17.1
>
> Chain quantum-postrouting-bottom (1 references)
> num target prot opt source destination
> 1 quantum-l3-agent-snat all -- 0.0.0.0/0 0.0.0.0/0
>
> Table: filter
> Chain INPUT (policy ACCEPT)
> num target prot opt source destination
> 1 nova-compute-INPUT all -- 0.0.0.0/0 0.0.0.0/0
> 2 quantum-l3-agent-INPUT all -- 0.0.0.0/0 0.0.0.0/0
> 3 nova-api-INPUT all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain FORWARD (policy ACCEPT)
> num target prot opt source destination
> 1 nova-filter-top all -- 0.0.0.0/0 0.0.0.0/0
> 2 nova-compute-FORWARD all -- 0.0.0.0/0 0.0.0.0/0
> 3 quantum-filter-top all -- 0.0.0.0/0 0.0.0.0/0
> 4 quantum-l3-agent-FORWARD all -- 0.0.0.0/0 0.0.0.0/0
>
> 5 nova-api-FORWARD all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> num target prot opt source destination
> 1 nova-filter-top all -- 0.0.0.0/0 0.0.0.0/0
> 2 nova-compute-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0
> 3 quantum-filter-top all -- 0.0.0.0/0 0.0.0.0/0
> 4 quantum-l3-agent-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0
> 5 nova-api-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain nova-api-FORWARD (1 references)
> num target prot opt source destination
>
> Chain nova-api-INPUT (1 references)
> num target prot opt source destination
> 1 ACCEPT tcp -- 0.0.0.0/0 10.38.15.251 tcp dpt:8775
>
> Chain nova-api-OUTPUT (1 references)
> num target prot opt source destination
>
> Chain nova-api-local (1 references)
> num target prot opt source destination
>
> Chain nova-compute-FORWARD (1 references)
> num target prot opt source destination
>
> Chain nova-compute-INPUT (1 references)
> num target prot opt source destination
>
> Chain nova-compute-OUTPUT (1 references)
> num target prot opt source destination
>
> Chain nova-compute-inst-20 (1 references)
> num target prot opt source destination
> 1 DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
> 2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 3 nova-compute-provider all -- 0.0.0.0/0 0.0.0.0/0
> 4 ACCEPT udp -- 192.168.151.2 0.0.0.0/0 udp spt:67 dpt:68
> 5 ACCEPT all -- 192.168.151.0/24 0.0.0.0/0
> 6 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
> 7 ACCEPT icmp -- 192.168.151.3 0.0.0.0/0
> 8 ACCEPT icmp -- 192.168.151.4 0.0.0.0/0
> 9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
> 10 nova-compute-sg-fallback all -- 0.0.0.0/0 0.0.0.0/0
>
>
> Chain nova-compute-inst-21 (1 references)
> num target prot opt source destination
> 1 DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
> 2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 3 nova-compute-provider all -- 0.0.0.0/0 0.0.0.0/0
> 4 ACCEPT udp -- 192.168.151.2 0.0.0.0/0 udp spt:67 dpt:68
> 5 ACCEPT all -- 192.168.151.0/24 0.0.0.0/0
> 6 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
> 7 ACCEPT icmp -- 192.168.151.3 0.0.0.0/0
> 8 ACCEPT icmp -- 192.168.151.4 0.0.0.0/0
> 9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
> 10 nova-compute-sg-fallback all -- 0.0.0.0/0 0.0.0.0/0
>
>
> Chain nova-compute-local (1 references)
> num target prot opt source destination
> 1 nova-compute-inst-20 all -- 0.0.0.0/0 192.168.151.3
> 2 nova-compute-inst-21 all -- 0.0.0.0/0 192.168.151.4
>
> Chain nova-compute-provider (2 references)
> num target prot opt source destination
>
> Chain nova-compute-sg-fallback (2 references)
> num target prot opt source destination
> 1 DROP all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain nova-filter-top (2 references)
> num target prot opt source destination
> 1 nova-compute-local all -- 0.0.0.0/0 0.0.0.0/0
> 2 nova-api-local all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain quantum-filter-top (2 references)
> num target prot opt source destination
> 1 quantum-l3-agent-local all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain quantum-l3-agent-FORWARD (1 references)
> num target prot opt source destination
>
> Chain quantum-l3-agent-INPUT (1 references)
> num target prot opt source destination
>
> Chain quantum-l3-agent-OUTPUT (1 references)
> num target prot opt source destination
>
> Chain quantum-l3-agent-local (1 references)
> num target prot opt source destination
Have you tried running tcpdump on the public interface to see how far
the packets are getting? Maybe something like: tcpdump -n -c2 icmp -i em1,
then try pinging from the VM. It could be that you're attempting to send
unroutable packets, in which case an IP masquerading rule needs adding.
Jeff
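
Added example, not part of the original message: one way to interpret the `tcpdump -n` capture suggested above, by classifying ICMP echo lines seen on the public interface. The tenant subnet and SNAT address come from the quoted SNAT rule; the destination address and the capture lines are constructed, and it is an assumption that the SNAT address is the one used on the captured interface.

```python
import ipaddress
import re

# Values taken from the quoted SNAT rule; adjust for another deployment.
TENANT_NET = ipaddress.ip_network("192.168.151.0/24")
SNAT_ADDR = ipaddress.ip_address("10.38.17.1")

# Matches the ICMP echo lines printed by `tcpdump -n`.
ECHO_RE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply)"
)

def diagnose(lines):
    """Classify a capture from the public interface; returns (verdict, counts)."""
    counts = {"unnatted": 0, "natted": 0, "replies": 0}
    for line in lines:
        m = ECHO_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if m["kind"] == "request" and src in TENANT_NET:
            counts["unnatted"] += 1   # left the host with a private source
        elif m["kind"] == "request" and src == SNAT_ADDR:
            counts["natted"] += 1     # SNAT rule was applied
        elif m["kind"] == "reply" and dst == SNAT_ADDR:
            counts["replies"] += 1    # outside world answered
    if counts["unnatted"]:
        verdict = "snat-missing"      # unroutable source: NAT rule not hit
    elif counts["natted"] and not counts["replies"]:
        verdict = "no-reply"          # NAT works; look at upstream routing
    elif counts["natted"]:
        verdict = "ok-on-wire"        # look at forwarding back to the VM
    else:
        verdict = "nothing-seen"      # packets never reach this interface
    return verdict, counts

# Constructed sample capture (198.51.100.10 is a documentation address).
CONSTRUCTED_CAPTURE = [
    "15:37:57.000001 IP 192.168.151.3 > 198.51.100.10: ICMP echo request, id 1, seq 1, length 64",
    "15:37:58.000002 IP 192.168.151.3 > 198.51.100.10: ICMP echo request, id 1, seq 2, length 64",
]

if __name__ == "__main__":
    print(diagnose(CONSTRUCTED_CAPTURE))
```

A capture on an egress interface shows packets after POSTROUTING, so a request still carrying a 192.168.151.0/24 source means no SNAT or masquerade rule matched it.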