[Openstack] able to ping but not able to ssh to instance

Andreas Scheuring scheuran at linux.vnet.ibm.com
Fri Sep 19 07:00:37 UTC 2014


Hi Srinivas, 
in the past I had a similar issue while I was setting up openstack with
devstack. Not sure if that fits for your issue, as you're not using
devstack if I got it right.

The reason for this was the default security groups and rules config
of devstack. If you have a look at this concept, you will realize
that there are two types of remotes you can define a rule for:
* CIDR or
* Security Group
The default rule for ingress IPv4 traffic was set to something like
"Allow INGRESS for all IPv4 traffic from remote Security Group default"
--> Only ingress IPv4 traffic from other instances that have the
security group default was allowed. As my laptop is not a member of the
security group default (of course, only instances can be!) I was not able
to ssh or even ping from outside into the guest. (Vice versa it was
working, as egress is defined for CIDR 0.0.0.0/0.) From guest to guest of
course ssh was working, as both instances were members of the default
group.



So what I had to do is to add a new rule like
"allow Ingress SSH traffic from remote CIDR 0.0.0.0/0"
--> CIDR 0.0.0.0/0 means just everything :)

Hope that helps


Andreas 
(irc: scheuran)




On Fri, 2014-09-19 at 09:41 +0530, Srinivasreddy R wrote:
> hi, 
> I have checked the security group rules.
> My instance is pinging the router and even a device in the external
> network.
> Mostly my problem may be in the host's firewall.
> How can I identify which rule is dropping the ssh traffic?
> How can I confirm that ssh traffic is blocked at the firewall?
> Is there any way to see the firewall dropped packets?
> 
> 
> thanks ,
> srinivas.
> 
> On Thu, Sep 18, 2014 at 7:36 PM, Akilesh K <akilesh1597 at gmail.com>
> wrote:
>         I believe you have checked the security group rules. Make sure
>         the instance is able to ping the router. If yes, the problem
>         lies in your host's firewall rules. Flush the host's iptables
>         rules (you may take a backup before you do that). 
>         
>         
>         On Thu, Sep 18, 2014 at 7:32 PM, Srinivasreddy R
>         <srinivasreddy4390 at gmail.com> wrote:
>                 
>                 hi ,
>                 
>                 thanks for your reply .
>                 
>                 
>                 1. I have checked that the ssh server is running in the instance.
>                 
>                     ssh from one instance to another is possible using the
>                 private network [demo-net].
>                 
>                 2. Checked that ssh is running on port 22.
>                 
>                 3. telnet <ip> 22 is not working.
>                 
>                 
>                 
>                 4. Output when I run ssh in verbose mode is pasted at
>                 
>                 http://paste.openstack.org/show/112860/
>                 
>                 
>                 
>                  
>                 
>                 ==================================
>                 
>                 iptables output 
>                 
>                 
>                 My internal network for the VMs is 11.0.0.x and the external
>                 network is 172.0.0.x 
>                 
>                 
>                 
>                 root at user-ThinkCentre-M73:/home/user# ip netns exec
>                 qrouter-f6e00f94-1c6d-4cf5-8cae-319e393240fe  iptables
>                 -t nat -S
>                 -P PREROUTING ACCEPT
>                 -P INPUT ACCEPT
>                 -P OUTPUT ACCEPT
>                 -P POSTROUTING ACCEPT
>                 -N neutron-l3-agent-OUTPUT
>                 -N neutron-l3-agent-POSTROUTING
>                 -N neutron-l3-agent-PREROUTING
>                 -N neutron-l3-agent-float-snat
>                 -N neutron-l3-agent-snat
>                 -N neutron-postrouting-bottom
>                 -A PREROUTING -j neutron-l3-agent-PREROUTING
>                 -A OUTPUT -j neutron-l3-agent-OUTPUT
>                 -A POSTROUTING -j neutron-l3-agent-POSTROUTING
>                 -A POSTROUTING -j neutron-postrouting-bottom
>                 -A neutron-l3-agent-OUTPUT -d 172.0.0.7/32 -j DNAT
>                 --to-destination 11.0.0.9
>                 -A neutron-l3-agent-OUTPUT -d 172.0.0.3/32 -j DNAT
>                 --to-destination 11.0.0.2
>                 -A neutron-l3-agent-OUTPUT -d 172.0.0.4/32 -j DNAT
>                 --to-destination 11.0.0.5
>                 -A neutron-l3-agent-POSTROUTING ! -i qg-ec80d9fb-82 !
>                 -o qg-ec80d9fb-82 -m conntrack ! --ctstate DNAT -j
>                 ACCEPT
>                 -A neutron-l3-agent-PREROUTING -d 169.254.169.254/32
>                 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
>                 -A neutron-l3-agent-PREROUTING -d 172.0.0.7/32 -j DNAT
>                 --to-destination 11.0.0.9
>                 -A neutron-l3-agent-PREROUTING -d 172.0.0.3/32 -j DNAT
>                 --to-destination 11.0.0.2
>                 -A neutron-l3-agent-PREROUTING -d 172.0.0.4/32 -j DNAT
>                 --to-destination 11.0.0.5
>                 -A neutron-l3-agent-float-snat -s 11.0.0.9/32 -j SNAT
>                 --to-source 172.0.0.7
>                 -A neutron-l3-agent-float-snat -s 11.0.0.2/32 -j SNAT
>                 --to-source 172.0.0.3
>                 -A neutron-l3-agent-float-snat -s 11.0.0.5/32 -j SNAT
>                 --to-source 172.0.0.4
>                 -A neutron-l3-agent-snat -j
>                 neutron-l3-agent-float-snat
>                 -A neutron-l3-agent-snat -s 11.0.0.0/24 -j SNAT
>                 --to-source 172.0.0.2
>                 -A neutron-postrouting-bottom -j neutron-l3-agent-snat
>                 
>                 
>                 
>                 
>                 =====================
>                 
>                 I pasted my dump-flows of br-tun at 
>                 http://paste.openstack.org/show/112859/
>                 
>                 
>                 
>                 
>                 
>                 As per the doc
>                  https://openstack.redhat.com/Networking_in_too_much_detail
>                 
>                 
>                 
>                 br-ex is connected to the router, the router is connected to
>                 br-int, br-int is connected to br-tun.
>                 
>                 
>                 I have captured at br-int. My ssh request is reaching
>                 br-int but not going through the tunnel.
>                 
>                 
>                 please help me .
>                 
>                 
>                 
>                 
>                 
>                 
>                 thanks,
>                 srinivas.
>                 
>                 
>                 
>                 
>                 On Wed, Sep 17, 2014 at 9:30 PM, Sajith Kariyawasam
>                 <sajhak at gmail.com> wrote:
>                         Hi,
>                         
>                         
>                         Could be due to,
>                             ssh server is not up and running in your
>                         instance,
>                             or running in a different port rather than
>                         port 22,
>                             or, ssh port access is restricted in
>                         openstack key pair configuration
>                         
>                         
>                         You could also try telnet to check the
>                         connectivity, 
>                         $ telnet <ip> 22
>                         
>                         
>                         Thanks,
>                         Sajith
>                                   
>                         
>                         On Wed, Sep 17, 2014 at 8:59 PM, Zoltán Lajos
>                         Kis <zoltan.lajos.kis at ericsson.com> wrote:
>                         
>                                 Hi,
>                                 
>                                  
>                                 
>                                 What’s the output of running ssh with
>                                 the verbose (-v) flag?
>                                 
>                                  
>                                 
>                                 BR,
>                                 
>                                 Zoltan
>                                 
>                                  
>                                 
>                                 From: Srinivasreddy R
>                                 [mailto:srinivasreddy4390 at gmail.com] 
>                                 Sent: Wednesday, September 17, 2014
>                                 5:16 PM
>                                 To: openstack at lists.openstack.org
>                                 Subject: [Openstack] able to ping but
>                                 not able to ssh to instance
>                                 
>                                 
>                                  
>                                 
>                                 hi,
>                                 
>                                 
>                                 I am able to ping my instance from the
>                                 external network. 
>                                 
>                                 
>                                 But I am not able to ssh to the
>                                 instance. 
>                                 
>                                 
>                                 I am using floating IPs for ping and ssh.
>                                 
>                                 
>                                 please help me .
>                                 
>                                 thanks,
>                                 srinivas.
>                                 
>                                 
>                                 
>                                 
>                                 _______________________________________________
>                                 Mailing list:
>                                 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>                                 Post to     :
>                                 openstack at lists.openstack.org
>                                 Unsubscribe :
>                                 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>                                 
>                         
>                         
>                         
>                         
>                         -- 
>                         Best Regards
>                         Sajith
>                 
>                 
>                 
>                 
>         
>         
> 
> 

-- 
Andreas (irc: scheuran)
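To make the two remote types from Andreas's explanation concrete, here is a small model of how security-group rules decide whether traffic is admitted. This is an added illustration, not OpenStack or Neutron code; it assumes rules behave as a pure allow-list (any matching rule permits, nothing matching is dropped), that a remote is either a CIDR (`remote_ip_prefix`) or a security group (`remote_group`), and the endpoints and the 192.0.2.0/24 admin subnet are constructed sample values. It reproduces the behaviour described in the message: with only the default group-to-group rule, another instance in `default` can ssh in but an outside laptop can neither ssh nor ping; adding an ingress tcp/22 rule from a CIDR opens ssh but, on its own, still does not permit ping. It also shows the narrower alternative of allowing ssh only from an admin subnet instead of 0.0.0.0/0.

```python
"""Toy model of Neutron security-group rule matching.
Added illustration, not OpenStack/Neutron code. Assumes rules are a pure
allow-list and that a remote is either a CIDR or a security group."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    direction: str                          # "ingress" or "egress"
    protocol: Optional[str] = None          # "tcp", "udp", "icmp", or None for any
    port_min: Optional[int] = None          # port range; None means all ports
    port_max: Optional[int] = None
    remote_ip_prefix: Optional[str] = None  # remote type CIDR
    remote_group: Optional[str] = None      # remote type Security Group


@dataclass(frozen=True)
class Endpoint:
    ip: str
    groups: frozenset = frozenset()         # security groups this port belongs to


def rule_matches(rule: Rule, direction: str, protocol: str,
                 port: Optional[int], remote: Endpoint) -> bool:
    """True if this single rule permits the described traffic."""
    if rule.direction != direction:
        return False
    if rule.protocol is not None and rule.protocol != protocol:
        return False
    if rule.port_min is not None:
        if port is None or not (rule.port_min <= port <= rule.port_max):
            return False
    if rule.remote_ip_prefix is not None:
        # Remote type CIDR: only the sender's address matters.
        net = ipaddress.ip_network(rule.remote_ip_prefix, strict=False)
        return ipaddress.ip_address(remote.ip) in net
    if rule.remote_group is not None:
        # Remote type Security Group: the sender's port must be in that group,
        # which only instance ports can be (a laptop outside the cloud never is).
        return rule.remote_group in remote.groups
    return True


def is_allowed(rules, direction, protocol, port, remote) -> bool:
    """Security groups are allow-lists: any matching rule permits, else drop."""
    return any(rule_matches(r, direction, protocol, port, remote) for r in rules)


# The devstack-style defaults from the message: ingress only from members of
# the 'default' group, egress to anywhere.
DEFAULT_GROUP_RULES = [
    Rule("ingress", remote_group="default"),
    Rule("egress", remote_ip_prefix="0.0.0.0/0"),
]
# The fix from the message: ingress SSH from CIDR 0.0.0.0/0 (everything).
SSH_FROM_ANYWHERE = Rule("ingress", "tcp", 22, 22, remote_ip_prefix="0.0.0.0/0")
# Tighter alternative: only an admin subnet (constructed sample range).
SSH_FROM_ADMIN_NET = Rule("ingress", "tcp", 22, 22, remote_ip_prefix="192.0.2.0/24")

# Constructed sample endpoints.
LAPTOP = Endpoint("192.0.2.10")                          # outside, in no group
OTHER_VM = Endpoint("11.0.0.2", frozenset({"default"}))  # another instance
STRANGER = Endpoint("198.51.100.7")                      # outside the admin net


def evaluate() -> dict:
    """Who can ssh to / ping the instance under each rule set."""
    results = {}
    for name, rules in (("default", DEFAULT_GROUP_RULES),
                        ("ssh_anywhere", DEFAULT_GROUP_RULES + [SSH_FROM_ANYWHERE]),
                        ("ssh_admin_net", DEFAULT_GROUP_RULES + [SSH_FROM_ADMIN_NET])):
        results[name] = {
            "vm_ssh": is_allowed(rules, "ingress", "tcp", 22, OTHER_VM),
            "laptop_ssh": is_allowed(rules, "ingress", "tcp", 22, LAPTOP),
            "laptop_ping": is_allowed(rules, "ingress", "icmp", None, LAPTOP),
            "stranger_ssh": is_allowed(rules, "ingress", "tcp", 22, STRANGER),
        }
    return results


if __name__ == "__main__":
    for name, outcome in evaluate().items():
        print(name, outcome)
```

Running it prints one line per rule set; the point to take away is that `laptop_ping` stays False even after the SSH rule is added, because a tcp/22 rule says nothing about ICMP, and that the admin-subnet variant grants the same access to the operator's own network while leaving `stranger_ssh` False.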




