On Wed, Feb 27, 2013 at 12:38:45PM -0800, Barrow Kwan wrote: > [root@optst01 quantum]# service iptables status > Table: nat > Chain PREROUTING (policy ACCEPT) > num target prot opt source destination > 1 nova-compute-PREROUTING all -- 0.0.0.0/0 0.0.0.0/0 > > 2 quantum-l3-agent-PREROUTING all -- 0.0.0.0/0 0.0.0.0/0 > > > 3 nova-api-PREROUTING all -- 0.0.0.0/0 0.0.0.0/0 > > Chain POSTROUTING (policy ACCEPT) > num target prot opt source destination > 1 nova-compute-POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0 > > > 2 quantum-l3-agent-POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0 > > > 3 quantum-postrouting-bottom all -- 0.0.0.0/0 0.0.0.0/0 > > > 4 nova-api-POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0 > 5 nova-postrouting-bottom all -- 0.0.0.0/0 0.0.0.0/0 > > > Chain OUTPUT (policy ACCEPT) > num target prot opt source destination > 1 nova-compute-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0 > 2 quantum-l3-agent-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0 > > 3 nova-api-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0 > > Chain nova-api-OUTPUT (1 references) > num target prot opt source destination > > Chain nova-api-POSTROUTING (1 references) > num target prot opt source destination > > Chain nova-api-PREROUTING (1 references) > num target prot opt source destination > > Chain nova-api-float-snat (1 references) > num target prot opt source destination > > Chain nova-api-snat (1 references) > num target prot opt source destination > 1 nova-api-float-snat all -- 0.0.0.0/0 0.0.0.0/0 > > Chain nova-compute-OUTPUT (1 references) > num target prot opt source destination > > Chain nova-compute-POSTROUTING (1 references) > num target prot opt source destination > > Chain nova-compute-PREROUTING (1 references) > num target prot opt source destination > > Chain nova-compute-float-snat (1 references) > num target prot opt source destination > > Chain nova-compute-snat (1 references) > num target prot opt source destination > 1 nova-compute-float-snat all -- 0.0.0.0/0 0.0.0.0/0 > > > Chain nova-postrouting-bottom (1 references) > num target prot opt source destination > 1 nova-compute-snat all -- 0.0.0.0/0 0.0.0.0/0 > 2 nova-api-snat all -- 0.0.0.0/0 0.0.0.0/0 > > Chain quantum-l3-agent-OUTPUT (1 references) > num target prot opt source destination > > Chain quantum-l3-agent-POSTROUTING (1 references) > num target prot opt source destination > 1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ! ctstate > DNAT > > Chain quantum-l3-agent-PREROUTING (1 references) > num target prot opt source destination > > Chain quantum-l3-agent-float-snat (1 references) > num target prot opt source destination > > Chain quantum-l3-agent-snat (1 references) > num target prot opt source destination > 1 quantum-l3-agent-float-snat all -- 0.0.0.0/0 0.0.0.0/0 > > > 2 SNAT all -- 192.168.151.0/24 0.0.0.0/0 > to:10.38.17.1 > > Chain quantum-postrouting-bottom (1 references) > num target prot opt source destination > 1 quantum-l3-agent-snat all -- 0.0.0.0/0 0.0.0.0/0 > > Table: filter > Chain INPUT (policy ACCEPT) > num target prot opt source destination > 1 nova-compute-INPUT all -- 0.0.0.0/0 0.0.0.0/0 > 2 quantum-l3-agent-INPUT all -- 0.0.0.0/0 0.0.0.0/0 > > 3 nova-api-INPUT all -- 0.0.0.0/0 0.0.0.0/0 > > Chain FORWARD (policy ACCEPT) > num target prot opt source destination > 1 nova-filter-top all -- 0.0.0.0/0 0.0.0.0/0 > 2 nova-compute-FORWARD all -- 0.0.0.0/0 0.0.0.0/0 > 3 quantum-filter-top all -- 0.0.0.0/0 0.0.0.0/0 > 4 quantum-l3-agent-FORWARD all -- 0.0.0.0/0 0.0.0.0/0 > > > 5 nova-api-FORWARD all -- 0.0.0.0/0 0.0.0.0/0 > > Chain OUTPUT (policy ACCEPT) > num target prot opt source destination > 1 nova-filter-top all -- 0.0.0.0/0 0.0.0.0/0 > 2 nova-compute-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0 > 3 quantum-filter-top all -- 0.0.0.0/0 0.0.0.0/0 > 4 quantum-l3-agent-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0 > > 5 nova-api-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0 > > Chain nova-api-FORWARD (1 references) > num target prot opt source destination > > Chain nova-api-INPUT (1 references) > num target prot opt source destination > 1 ACCEPT tcp -- 0.0.0.0/0 10.38.15.251 tcp > dpt:8775 > > Chain nova-api-OUTPUT (1 references) > num target prot opt source destination > > Chain nova-api-local (1 references) > num target prot opt source destination > > Chain nova-compute-FORWARD (1 references) > num target prot opt source destination > > Chain nova-compute-INPUT (1 references) > num target prot opt source destination > > Chain nova-compute-OUTPUT (1 references) > num target prot opt source destination > > Chain nova-compute-inst-20 (1 references) > num target prot opt source destination > 1 DROP all -- 0.0.0.0/0 0.0.0.0/0 state > INVALID > 2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state > RELATED,ESTABLISHED > 3 nova-compute-provider all -- 0.0.0.0/0 0.0.0.0/0 > 4 ACCEPT udp -- 192.168.151.2 0.0.0.0/0 udp spt:67 > dpt:68 > 5 ACCEPT all -- 192.168.151.0/24 0.0.0.0/0 > 6 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 > 7 ACCEPT icmp -- 192.168.151.3 0.0.0.0/0 > 8 ACCEPT icmp -- 192.168.151.4 0.0.0.0/0 > 9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 > 10 nova-compute-sg-fallback all -- 0.0.0.0/0 0.0.0.0/0 > > > > Chain nova-compute-inst-21 (1 references) > num target prot opt source destination > 1 DROP all -- 0.0.0.0/0 0.0.0.0/0 state > INVALID > 2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state > RELATED,ESTABLISHED > 3 nova-compute-provider all -- 0.0.0.0/0 0.0.0.0/0 > 4 ACCEPT udp -- 192.168.151.2 0.0.0.0/0 udp spt:67 > dpt:68 > 5 ACCEPT all -- 192.168.151.0/24 0.0.0.0/0 > 6 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 > 7 ACCEPT icmp -- 192.168.151.3 0.0.0.0/0 > 8 ACCEPT icmp -- 192.168.151.4 0.0.0.0/0 > 9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 > 10 nova-compute-sg-fallback all -- 0.0.0.0/0 0.0.0.0/0 > > > > Chain nova-compute-local (1 references) > num target prot opt source destination > 1 nova-compute-inst-20 all -- 0.0.0.0/0 192.168.151.3 > 2 nova-compute-inst-21 all -- 0.0.0.0/0 192.168.151.4 > > Chain nova-compute-provider (2 references) > num target prot opt source destination > > Chain nova-compute-sg-fallback (2 references) > num target prot opt source destination > 1 DROP all -- 0.0.0.0/0 0.0.0.0/0 > > Chain nova-filter-top (2 references) > num target prot opt source destination > 1 nova-compute-local all -- 0.0.0.0/0 0.0.0.0/0 > 2 nova-api-local all -- 0.0.0.0/0 0.0.0.0/0 > > Chain quantum-filter-top (2 references) > num target prot opt source destination > 1 quantum-l3-agent-local all -- 0.0.0.0/0 0.0.0.0/0 > > > Chain quantum-l3-agent-FORWARD (1 references) > num target prot opt source destination > > Chain quantum-l3-agent-INPUT (1 references) > num target prot opt source destination > > Chain quantum-l3-agent-OUTPUT (1 references) > num target prot opt source destination > > Chain quantum-l3-agent-local (1 references) > num target prot opt source destination
Have you tried running tcpdump on the public interface to see how far the packets are getting? Maybe something like: tcpdump -n -c2 icmp -i em1, then try pinging from the VM. It could be that you're attempting to send unroutable packets, in which case an IP masquerading rule needs adding. Jeff _______________________________________________ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
