[Openstack] able to ping but not able to ssh to instance

Srinivasreddy R srinivasreddy4390 at gmail.com
Fri Sep 19 07:44:14 UTC 2014


Hi,
I had added a rule for (ingress, tcp, port 22 and cidr 0.0.0.0/0). Still
not able to ssh.

My instance overview:
http://paste.openstack.org/show/113170/


I pasted my iptables [nat, mangle, filter] output.

Please let me know if I need to add or delete anything in iptables.

http://paste.openstack.org/show/113164/


Thanks,
Srinivas.



On Fri, Sep 19, 2014 at 12:39 PM, Akilesh K <akilesh1597 at gmail.com> wrote:

> The mail from Andreas was correct you need to add a rule for (ingress,
> tcp, port 22 and cidr 0.0.0.0/0).
>
> In case the rule is already there. check the host firewall rules using
> iptables -t nat -L
> iptables -t mangle -L
> iptables -t filter -L
>
> None of the tables should have any rule.
>
> On Fri, Sep 19, 2014 at 9:41 AM, Srinivasreddy R <
> srinivasreddy4390 at gmail.com> wrote:
>
>> Hi,
>> I have checked the security group rules.
>> My instance can ping the router and even a device in the external network.
>> Most likely my problem may be in the host's firewall.
>> How can I identify which rule is dropping the ssh traffic?
>> How can I confirm that ssh traffic is blocked at the firewall?
>> Is there any way to see the packets dropped by the firewall?
>>
>> Thanks,
>> Srinivas.
>>
>> On Thu, Sep 18, 2014 at 7:36 PM, Akilesh K <akilesh1597 at gmail.com> wrote:
>>
>>> I believe you have checked the security group rules. Make sure the
>>> instance is able to ping the router. If yes, the problem lies in your host's
>>> firewall rules. Flush the host's iptables rules (you may take a backup before
>>> you do that).
>>>
>>> On Thu, Sep 18, 2014 at 7:32 PM, Srinivasreddy R <
>>> srinivasreddy4390 at gmail.com> wrote:
>>>
>>>> Hi,
>>>> Thanks for your reply.
>>>>
>>>> 1. I have checked that the ssh server is running in the instance.
>>>>     ssh from one instance to another is possible using the private
>>>> network [demo-net].
>>>> 2. Checked that ssh is running on port 22.
>>>> 3. telnet <ip> 22 is not working.
>>>>
>>>>
>>>> 4. The output when I run ssh in verbose mode is pasted at
>>>>
>>>> http://paste.openstack.org/show/112860/
>>>>
>>>>
>>>>
>>>>
>>>> ==================================
>>>> iptables output
>>>>
>>>> My internal network for VMs is 11.0.0.x and the external network is
>>>> 172.0.0.x
>>>>
>>>>
>>>> root at user-ThinkCentre-M73:/home/user# ip netns exec qrouter-f6e00f94-1c6d-4cf5-8cae-319e393240fe iptables -t nat -S
>>>> -P PREROUTING ACCEPT
>>>> -P INPUT ACCEPT
>>>> -P OUTPUT ACCEPT
>>>> -P POSTROUTING ACCEPT
>>>> -N neutron-l3-agent-OUTPUT
>>>> -N neutron-l3-agent-POSTROUTING
>>>> -N neutron-l3-agent-PREROUTING
>>>> -N neutron-l3-agent-float-snat
>>>> -N neutron-l3-agent-snat
>>>> -N neutron-postrouting-bottom
>>>> -A PREROUTING -j neutron-l3-agent-PREROUTING
>>>> -A OUTPUT -j neutron-l3-agent-OUTPUT
>>>> -A POSTROUTING -j neutron-l3-agent-POSTROUTING
>>>> -A POSTROUTING -j neutron-postrouting-bottom
>>>> -A neutron-l3-agent-OUTPUT -d 172.0.0.7/32 -j DNAT --to-destination 11.0.0.9
>>>> -A neutron-l3-agent-OUTPUT -d 172.0.0.3/32 -j DNAT --to-destination 11.0.0.2
>>>> -A neutron-l3-agent-OUTPUT -d 172.0.0.4/32 -j DNAT --to-destination 11.0.0.5
>>>> -A neutron-l3-agent-POSTROUTING ! -i qg-ec80d9fb-82 ! -o qg-ec80d9fb-82 -m conntrack ! --ctstate DNAT -j ACCEPT
>>>> -A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
>>>> -A neutron-l3-agent-PREROUTING -d 172.0.0.7/32 -j DNAT --to-destination 11.0.0.9
>>>> -A neutron-l3-agent-PREROUTING -d 172.0.0.3/32 -j DNAT --to-destination 11.0.0.2
>>>> -A neutron-l3-agent-PREROUTING -d 172.0.0.4/32 -j DNAT --to-destination 11.0.0.5
>>>> -A neutron-l3-agent-float-snat -s 11.0.0.9/32 -j SNAT --to-source 172.0.0.7
>>>> -A neutron-l3-agent-float-snat -s 11.0.0.2/32 -j SNAT --to-source 172.0.0.3
>>>> -A neutron-l3-agent-float-snat -s 11.0.0.5/32 -j SNAT --to-source 172.0.0.4
>>>> -A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
>>>> -A neutron-l3-agent-snat -s 11.0.0.0/24 -j SNAT --to-source 172.0.0.2
>>>> -A neutron-postrouting-bottom -j neutron-l3-agent-snat
>>>>
>>>>
>>>>
>>>>
>>>> =====================
>>>> I pasted my dump flows of br-tun at
>>>> http://paste.openstack.org/show/112859/
>>>>
>>>>
>>>>
>>>> As per the doc
>>>>  https://openstack.redhat.com/Networking_in_too_much_detail
>>>>
>>>> br-ex is connected to the router, the router is connected to br-int, and
>>>> br-int is connected to br-tun.
>>>>
>>>> I have captured at br-int. My ssh request is reaching br-int but
>>>> not going through the tunnel.
>>>>
>>>> Please help me.
>>>>
>>>>
>>>> Thanks,
>>>> Srinivas.
>>>>
>>>>
>>>>
>>>>
>>>> On Wed, Sep 17, 2014 at 9:30 PM, Sajith Kariyawasam <sajhak at gmail.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Could be due to:
>>>>>     the ssh server is not up and running in your instance,
>>>>>     or it is running on a different port rather than port 22,
>>>>>     or ssh port access is restricted in the openstack key pair
>>>>> configuration
>>>>>
>>>>> You could also try telnet to check the connectivity,
>>>>> $ telnet <ip> 22
>>>>>
>>>>> Thanks,
>>>>> Sajith
>>>>>
>>>>>
>>>>> On Wed, Sep 17, 2014 at 8:59 PM, Zoltán Lajos Kis <
>>>>> zoltan.lajos.kis at ericsson.com> wrote:
>>>>>
>>>>>>  Hi,
>>>>>>
>>>>>>
>>>>>>
>>>>>> What’s the output of running ssh with the verbose (-v) flag?
>>>>>>
>>>>>>
>>>>>>
>>>>>> BR,
>>>>>>
>>>>>> Zoltan
>>>>>>
>>>>>>
>>>>>>
>>>>>> *From:* Srinivasreddy R [mailto:srinivasreddy4390 at gmail.com]
>>>>>> *Sent:* Wednesday, September 17, 2014 5:16 PM
>>>>>> *To:* openstack at lists.openstack.org
>>>>>> *Subject:* [Openstack] able to ping but not able to ssh to instance
>>>>>>
>>>>>>
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I am able to ping my instance from the external network,
>>>>>>
>>>>>> but not able to ssh to the instance.
>>>>>>
>>>>>> I am using floating IPs for ping and ssh.
>>>>>>
>>>>>> Please help me.
>>>>>>
>>>>>> Thanks,
>>>>>> Srinivas.
>>>>>>
>>>>>> _______________________________________________
>>>>>> Mailing list:
>>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>>>> Post to     : openstack at lists.openstack.org
>>>>>> Unsubscribe :
>>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Best Regards
>>>>> Sajith
>>>>>
>>>>
>>>>
>>>
>>
>
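
Added example (not part of the original thread): one way to answer the question above of which rule is dropping the ssh traffic, without flushing any table, is to compare two `iptables-save -c` dumps taken before and after a failed ssh attempt and list the DROP/REJECT rules and DROP policies whose packet counters grew. The two dumps embedded below are constructed sample data, and the function names are hypothetical.

```python
import re

# Rule line from `iptables-save -c`: "[pkts:bytes] -A CHAIN spec..."
RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+(-A\s+\S+.*)$")
# Built-in chain policy line: ":CHAIN POLICY [pkts:bytes]"
POLICY_RE = re.compile(r"^:(\S+)\s+(ACCEPT|DROP)\s+\[(\d+):(\d+)\]$")
BLOCKING = re.compile(r"-j\s+(DROP|REJECT)\b")

def parse_counters(dump):
    """Map (table, rule or policy) -> packet count, blocking entries only."""
    counters, table = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):          # "*filter", "*nat", ...
            table = line[1:]
        elif (m := RULE_RE.match(line)) and BLOCKING.search(m.group(3)):
            counters[(table, m.group(3))] = int(m.group(1))
        elif (m := POLICY_RE.match(line)) and m.group(2) == "DROP":
            counters[(table, f"-P {m.group(1)} DROP")] = int(m.group(3))
    return counters

def dropped_between(before, after):
    """List (table, rule, new_packets) for blocking rules that fired."""
    old, new = parse_counters(before), parse_counters(after)
    hits = [(t, r, n - old.get((t, r), 0)) for (t, r), n in new.items()]
    return sorted((h for h in hits if h[2] > 0), key=lambda h: -h[2])

# Constructed sample dumps (not from the thread): taken before and after
# one failed ssh attempt to the floating IP.
BEFORE = """*filter
:INPUT ACCEPT [120:9000]
:FORWARD DROP [0:0]
:neutron-openvswi-sg-fallback - [0:0]
[10:840] -A FORWARD -p icmp -j ACCEPT
[0:0] -A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
[4:240] -A neutron-openvswi-sg-fallback -j DROP
COMMIT"""
AFTER = """*filter
:INPUT ACCEPT [150:11000]
:FORWARD DROP [1:60]
:neutron-openvswi-sg-fallback - [0:0]
[14:1176] -A FORWARD -p icmp -j ACCEPT
[0:0] -A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
[7:420] -A neutron-openvswi-sg-fallback -j DROP
COMMIT"""

if __name__ == "__main__":
    for table, rule, pkts in dropped_between(BEFORE, AFTER):
        print(f"{table}: +{pkts} packets hit {rule}")
```

On a real deployment the two inputs would come from `iptables-save -c` run on the host and, through `ip netns exec`, inside the qrouter namespace shown in the thread.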