[Openstack] [neutron] ICMP host unreachable - admin prohibited

Andreas Scheuring scheuran at linux.vnet.ibm.com
Tue Jun 28 07:11:15 UTC 2016


Hi Adhi,
yeah, this seems to be iptables blocking your traffic.
Calling
# iptables-save
gives you an easy to read output of all your rules. 

Probably you'll find some rule like
# -A INPUT -j REJECT --reject-with icmp-host-prohibited

Now the problem with the 2 rules you added is that you are appending
your rules with -A. Iptables-save should show that they are processed
after the blocking rule (meaning never).
So what you need to do is to insert your 2 rules before the blocking
rule. You can do that using -I instead of -A.

Alternatively you could just delete the blocking rule using:
# iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited


Note: 
The commands just add/delete the rules on your running system. After a
reboot the rule will be gone again. You need to persist them.
How to do that depends on if you're using firewalld or iptables-service.
I think the www will help you there.

Hope that helps



-- 
-----
Andreas 
IRC: andreas_s (formerly scheuran)



On Tue, 2016-06-28 at 13:14 +0700, Adhi Priharmanto wrote:
> Hi all, I've set up the Liberty release with neutron-openvswitch using a GRE
> tunnel on CentOS. I have a problem when the iptables service is started on
> the network and compute nodes.
> The instance can't get its internal IP address (DHCP) when it boots. If I
> dump the packets using tcpdump on both tunnel interfaces, it says
> this:
> 
> 13:03:08.164944 IP 10.24.0.23 > opstcomp1-srg.dev.jcamp.net: ICMP host
> 10.24.0.23 unreachable - admin prohibited, length 106
> 
> 
> 
> 10.24.0.0/24 is my tunnel IP network. I've already added this rule on
> both nodes but no luck.
> 
> 
> iptables -A INPUT -p gre -j ACCEPT
> 
> iptables -A FORWARD -p gre -j ACCEPT
> 
> 
> 
> Can someone help me to solve this problem ?
> 
> 
> -- 
> Cheers,
> 
>  
> Adhi Priharmanto
> about.me/a_dhi
> 
>   
> 
> +62-812-82121584
> 
> 
> 
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
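
Added example, not part of the original messages: a small shell/awk check that reads `iptables-save` output and lists rules appended after an unconditional REJECT or DROP in the same chain, which is the ordering problem described in the reply above. The function names and the sample ruleset are constructed for illustration; the sample mirrors the rules quoted in the thread.

```shell
#!/bin/sh
# find_shadowed: read iptables-save text on stdin and print every rule that
# comes after an unconditional "-j REJECT" / "-j DROP" in the same chain.
# Such rules are never evaluated, no matter what they match.
find_shadowed() {
    awk '
    /^\*/ { table = substr($0, 2); next }   # "*filter" starts a new table
    $1 != "-A" { next }                     # skip policies, COMMIT, comments
    {
        key = table " " $2                  # rule order is per table + chain
        pos[key]++
        if (key in stop) {
            printf "%s rule %d shadowed by rule %d: %s\n", key, pos[key], stop[key], $0
            next
        }
        # A rule with no match options: "-A CHAIN -j REJECT|DROP [--reject-with X]"
        if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP") &&
            (NF == 4 || (NF == 6 && $5 == "--reject-with")))
            stop[key] = pos[key]
    }'
}

# Constructed sample: a ruleset where the two GRE rules were added with -A.
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p gre -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -p gre -j ACCEPT
COMMIT
EOF
}

# Demo on the constructed sample; on a live host use: iptables-save | find_shadowed
sample_ruleset | find_shadowed
```

The "shadowed by rule N" number is the position to pass to `iptables -I CHAIN N ...` so the rule lands ahead of the blocking rule. The check only looks at match-less REJECT/DROP rules within one chain and does not follow jumps to user-defined chains.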