There is no hairpin NAT related rule in the NAT table.
The hairpin NAT issue is fixed in 3.0.3.

http://bugs.cloudstack.org/browse/CS-13500

Thanks,
Jayapal

-----Original Message-----
From: Hieu Le [mailto:hieul...@gmail.com] 
Sent: Tuesday, September 25, 2012 12:24 PM
To: cloudstack-dev@incubator.apache.org
Subject: Re: Problem with VM private IP

Here are the VR iptables rules:

root@r-17-VRDLAB:~# iptables -nL -v --line-numbers -t filter
Chain INPUT (policy DROP 124 packets, 9432 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            224.0.0.18
2        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            225.0.0.50
3       38  3648 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
4    11168 1852K ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
5        5   526 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
6      102  8520 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
7        5   293 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
8       29  9614 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
9       23  1787 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
10     629 37740 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3922
11       0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8080
12       0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        1    60 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            10.1.1.118          state NEW
3        3   164 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            10.1.1.132          state NEW
4       21  9986 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
5       29  1600 ACCEPT     all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 280 packets, 48879 bytes)
num   pkts bytes target     prot opt in     out     source               destination


root@r-17-VRDLAB:~# iptables -nL -v --line-numbers -t nat
Chain PREROUTING (policy ACCEPT 143 packets, 10644 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        1    60 DNAT       all  --  eth2   *       0.0.0.0/0            192.168.3.120       to:10.1.1.118
2        3   164 DNAT       all  --  eth2   *       0.0.0.0/0            192.168.3.115       to:10.1.1.132

Chain POSTROUTING (policy ACCEPT 4 packets, 224 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        2    96 SNAT       all  --  *      eth2    10.1.1.132           0.0.0.0/0           to:192.168.3.115
2        4   192 SNAT       all  --  *      eth2    10.1.1.118           0.0.0.0/0           to:192.168.3.120
3        2   138 SNAT       all  --  *      eth2    0.0.0.0/0            0.0.0.0/0           to:192.168.3.116

Chain OUTPUT (policy ACCEPT 2 packets, 138 bytes)
num   pkts bytes target     prot opt in     out     source               destination


root@r-17-VRDLAB:~# iptables -nL -v --line-numbers -t mangle
Chain PREROUTING (policy ACCEPT 543 packets, 44292 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      552  346K VPN_192.168.3.116  all  --  *      *       0.0.0.0/0            192.168.3.116
2       13  5167 FIREWALL_192.168.3.120  all  --  *      *       0.0.0.0/0            192.168.3.120
3       22  5571 FIREWALL_192.168.3.115  all  --  *      *       0.0.0.0/0            192.168.3.115
4      118  5980 FIREWALL_192.168.3.116  all  --  *      *       0.0.0.0/0            192.168.3.116
5    11705 1887K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED CONNMARK restore
6        1    60 MARK       all  --  eth2   *       0.0.0.0/0            192.168.3.120       state NEW MARK set 0x2
7        1    60 CONNMARK   all  --  eth2   *       0.0.0.0/0            192.168.3.120       state NEW CONNMARK save
8      124 10012 MARK       all  --  eth0   *       10.1.1.118           0.0.0.0/0           state NEW MARK set 0x2
9      124 10012 CONNMARK   all  --  eth0   *       10.1.1.118           0.0.0.0/0           state NEW CONNMARK save
10       3   164 MARK       all  --  eth2   *       0.0.0.0/0            192.168.3.115       state NEW MARK set 0x2
11       3   164 CONNMARK   all  --  eth2   *       0.0.0.0/0            192.168.3.115       state NEW CONNMARK save
12      17  1445 MARK       all  --  eth0   *       10.1.1.132           0.0.0.0/0           state NEW MARK set 0x2
13      17  1445 CONNMARK   all  --  eth0   *       10.1.1.132           0.0.0.0/0           state NEW CONNMARK save

Chain INPUT (policy ACCEPT 514 packets, 42811 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 54 packets, 11810 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 231 packets, 42784 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 285 packets, 54594 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       27  9270 CHECKSUM   udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:68 CHECKSUM fill

Chain FIREWALL_192.168.3.115 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       15  5203 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        0     0 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:1:65535
3        5   248 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:1:65535
4        2   120 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
5        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FIREWALL_192.168.3.116 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2      118  5980 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FIREWALL_192.168.3.120 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        8  4903 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        2   120 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
3        3   144 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:1:65535
4        0     0 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:1:65535
5        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain VPN_192.168.3.116 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1      434  340K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2      118  5980 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
root@r-17-VRDLAB:~#


On Tue, Sep 25, 2012 at 12:37 PM, Jayapal Reddy Uradi <jayapalreddy.ur...@citrix.com> wrote:

> Debug the traffic flow ... whether the traffic is sent to the VR guest
> network interface and then the public interface.
> Please share the VR iptables rules.
>
> Thanks,
> Jayapal
>
> -----Original Message-----
> From: Hieu Le [mailto:hieul...@gmail.com]
> Sent: Tuesday, September 25, 2012 8:42 AM
> To: cloudstack-dev@incubator.apache.org
> Subject: Re: Problem with VM private IP
>
> Yep, I have read the admin guide and set up a firewall rule + enabled
> static NAT for all tested VMs, and I am still facing this problem.
>
> On Tue, Sep 25, 2012 at 10:01 AM, Ahmad Emneina <ahmad.emne...@citrix.com> wrote:
>
> > Have you looked at the Administration Guide[1]? See page 75 and see
> > if that solves your connectivity issue. You still need to poke the
> > hole in the firewall and set up a NAT rule from within CloudStack.
> >
> > [1]:
> > http://download.cloud.com/releases/3.0.0/CloudStack3.0AdminGuide.pdf
> >
> > On 9/24/12 7:56 PM, "Hieu Le" <hieul...@gmail.com> wrote:
> >
> > >Hi,
> > >
> > >The telnet packets are not reaching the telnet server VM.
> > >
> > >I'm using CS 3.0.2.
> > >
> > >Thanks for replying !
> > >
> > >On Mon, Sep 24, 2012 at 5:52 PM, Jayapal Reddy Uradi <jayapalreddy.ur...@citrix.com> wrote:
> > >
> > >> Using firewall and port forwarding rules only, we can access the
> > >> VM services from the public network and also from the VMs using the
> > >> public IPs.
> > >> For you, telnet from the outside network succeeds but fails from
> > >> VM to VM using the public IP.
> > >> Seems hairpin NAT failed ...
> > >>
> > >> Please capture the packets on the telnet server VM to see whether
> > >> the telnet packets are reaching it or not.
> > >>
> > >> Which version of CloudStack is it?
> > >>
> > >> Thanks,
> > >> Jayapal
> > >>
> > >> -----Original Message-----
> > >> From: Hieu Le [mailto:hieul...@gmail.com]
> > >> Sent: Monday, September 24, 2012 3:39 PM
> > >> To: cloudstack-dev@incubator.apache.org
> > >> Subject: Problem with VM private IP
> > >>
> > >> Hi everyone,
> > >>
> > >> I have a problem while working with VM private IPs. My cloud
> > >> system runs 2 VMs in an advanced zone with private IPs 10.1.1.20 and
> > >> 10.1.1.21 and VM NAT IPs 192.168.50.160 and 192.168.50.165.
> > >> From the outside network, I can ping and telnet to port 80 on both VMs
> > >> with their public IPs. But from VM 10.1.1.21, I can't telnet to the other
> > >> VM with its public IP.
> > >>
> > >> For details:
> > >> From VM1: 10.1.1.20 and 192.168.50.160.
> > >> ping 192.168.50.165 and ping 10.1.1.21: success
> > >> telnet 10.1.1.21 80: success
> > >> telnet 192.168.50.165 80: fail
> > >>
> > >> From VM2: 10.1.1.21 and 192.168.50.165.
> > >> ping 192.168.50.160 and ping 10.1.1.20: success
> > >> telnet 10.1.1.20: success
> > >> telnet 192.168.50.160 80: fail
> > >>
> > >> And I can't telnet to other ports with the public IP.
> > >>
> > >> Can you suggest some solutions for me to telnet to a VM from another
> > >> VM via its public IP?
> > >>
> > >> Thanks!
> > >>
> > >
> > >
> > >
> > >--
> > >..:: Hieu LE ::..
> > >
> > >Class: Information System - Course 52
> > >School of Information and Communication Technology, Hanoi University of Technology
> > >No 1, Dai Co Viet street - Hai Ba Trung district - Hanoi
> > >
> > >High Performance Computing Center
> > >Cloud Computing Group
> > >Gmail: hieul...@gmail.com
> > >
> >
> >
>
>



