Thank you Jesse, but these iptables rules are just applied on the deployment node, not the host nodes. Do I have to omit these rules even on the deployment node?
Thank you

On 17 November 2016 at 14:25, Jesse Pretorius <jesse.pretor...@rackspace.co.uk> wrote:

> *From: *Achi Hamza <h16m...@gmail.com>
>
> I have set these roles with my iptables earlier (this is just for the
> nodes to get out through the deployment node), can this have an impact ? :
>
> iptables -A FORWARD -o enp4s0 -i enp5s0 -s 172.16.1.1/24 -m conntrack --ctstate NEW -j ACCEPT
> iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> iptables -t nat -F POSTROUTING
> iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
>
> That is very likely a problem.
>
> LXC will automatically NAT through the host’s address for internet access,
> so what you should be doing is ensuring that your hosts have a default
> route to the internet. This could be done by adding a route to whichever
> router you want to use. If your router then needs to NAT for external
> access, then add the NAT there – not on each host.
_______________________________________________
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
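An added example (not from the thread or from OpenStack-Ansible) of checking a host for the two things the quoted reply turns on: whether it has a default route, and whether it carries its own MASQUERADE rules in the nat POSTROUTING chain. It parses saved `ip route show` and `iptables-save -t nat` output; the function names, sample text and addresses are constructed for illustration.

```shell
#!/bin/sh
# Offline audit of saved `ip route show` and `iptables-save -t nat` output.
# All sample data below is constructed; addresses are assumptions.

# Print the gateway of the default route; return 1 if there is no default route.
default_gateway() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            gw = "on-link"
            for (i = 2; i < NF; i++) if ($i == "via") gw = $(i + 1)
            print gw; found = 1; exit
        }
        END { exit found ? 0 : 1 }'
}

# List MASQUERADE rules in nat POSTROUTING, prefixed "scoped" when the rule
# has a source match (-s) and "unscoped" when it NATs any source address.
masquerade_rules() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "POSTROUTING" && /-j MASQUERADE/ {
            scope = "unscoped"
            for (i = 3; i <= NF; i++)
                if ($i == "-s" || $i == "--source") scope = "scoped"
            print scope ": " $0
        }'
}

# $1 = `ip route show` text, $2 = `iptables-save -t nat` text
audit_host() {
    if gw=$(default_gateway "$1"); then echo "default route: $gw"
    else echo "default route: MISSING"; fi
    masquerade_rules "$2"
}

# Constructed sample: one host with a default route, one without.
ROUTES_OK='default via 172.16.1.254 dev enp5s0
172.16.1.0/24 dev enp5s0 proto kernel scope link src 172.16.1.10'
ROUTES_NONE='172.16.1.0/24 dev enp5s0 proto kernel scope link src 172.16.1.10'

# Constructed sample: a source-scoped rule plus the interface-wide rule from the thread.
NAT_SAVE='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
-A POSTROUTING -o enp4s0 -j MASQUERADE
COMMIT'

audit_host "$ROUTES_OK" "$NAT_SAVE"
```

On a live host, pass `"$(ip route show)"` and `"$(iptables-save -t nat)"` as the two arguments to `audit_host`.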