The mail from Andreas was correct: you need to add a rule for (ingress, tcp, port 22 and cidr 0.0.0.0/0).
In case the rule is already there, check the host firewall rules using

    iptables -t nat -L
    iptables -t mangle -L
    iptables -t filter -L

None of the tables should have any rule.

On Fri, Sep 19, 2014 at 9:41 AM, Srinivasreddy R <srinivasreddy4...@gmail.com> wrote:

> Hi,
> I have checked the security group rules.
> My instance is pinging the router and even a device in the external network.
> Mostly my problem may be in the host's firewall.
> How can I identify which rule is dropping the ssh traffic?
> How can I confirm that ssh traffic is blocked at the firewall?
> Is there any way to see the firewall dropped packets?
>
> Thanks,
> srinivas.
>
> On Thu, Sep 18, 2014 at 7:36 PM, Akilesh K <akilesh1...@gmail.com> wrote:
>
>> I believe you have checked the security group rules. Make sure the
>> instance is able to ping the router. If yes, the problem lies in your host's
>> firewall rules. Flush the host's iptables rules (you may take a backup before
>> you do that).
>>
>> On Thu, Sep 18, 2014 at 7:32 PM, Srinivasreddy R <srinivasreddy4...@gmail.com> wrote:
>>
>>> Hi,
>>> Thanks for your reply.
>>>
>>> 1. I have checked that the ssh server is running in the instance.
>>>    ssh from one instance to another is possible using the private
>>>    network [demo-net].
>>> 2. Checked that ssh is running on port 22.
>>> 3. telnet <ip> 22 is not working.
>>> 4. The output when I run ssh using verbose is pasted at
>>>    http://paste.openstack.org/show/112860/
>>>
>>> ==================================
>>> iptables output
>>>
>>> My internal network for the VM is 11.0.0.x and the external network is 172.0.0.x
>>>
>>> root@user-ThinkCentre-M73:/home/user# ip netns exec qrouter-f6e00f94-1c6d-4cf5-8cae-319e393240fe iptables -t nat -S
>>> -P PREROUTING ACCEPT
>>> -P INPUT ACCEPT
>>> -P OUTPUT ACCEPT
>>> -P POSTROUTING ACCEPT
>>> -N neutron-l3-agent-OUTPUT
>>> -N neutron-l3-agent-POSTROUTING
>>> -N neutron-l3-agent-PREROUTING
>>> -N neutron-l3-agent-float-snat
>>> -N neutron-l3-agent-snat
>>> -N neutron-postrouting-bottom
>>> -A PREROUTING -j neutron-l3-agent-PREROUTING
>>> -A OUTPUT -j neutron-l3-agent-OUTPUT
>>> -A POSTROUTING -j neutron-l3-agent-POSTROUTING
>>> -A POSTROUTING -j neutron-postrouting-bottom
>>> -A neutron-l3-agent-OUTPUT -d 172.0.0.7/32 -j DNAT --to-destination 11.0.0.9
>>> -A neutron-l3-agent-OUTPUT -d 172.0.0.3/32 -j DNAT --to-destination 11.0.0.2
>>> -A neutron-l3-agent-OUTPUT -d 172.0.0.4/32 -j DNAT --to-destination 11.0.0.5
>>> -A neutron-l3-agent-POSTROUTING ! -i qg-ec80d9fb-82 ! -o qg-ec80d9fb-82 -m conntrack ! --ctstate DNAT -j ACCEPT
>>> -A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
>>> -A neutron-l3-agent-PREROUTING -d 172.0.0.7/32 -j DNAT --to-destination 11.0.0.9
>>> -A neutron-l3-agent-PREROUTING -d 172.0.0.3/32 -j DNAT --to-destination 11.0.0.2
>>> -A neutron-l3-agent-PREROUTING -d 172.0.0.4/32 -j DNAT --to-destination 11.0.0.5
>>> -A neutron-l3-agent-float-snat -s 11.0.0.9/32 -j SNAT --to-source 172.0.0.7
>>> -A neutron-l3-agent-float-snat -s 11.0.0.2/32 -j SNAT --to-source 172.0.0.3
>>> -A neutron-l3-agent-float-snat -s 11.0.0.5/32 -j SNAT --to-source 172.0.0.4
>>> -A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
>>> -A neutron-l3-agent-snat -s 11.0.0.0/24 -j SNAT --to-source 172.0.0.2
>>> -A neutron-postrouting-bottom -j neutron-l3-agent-snat
>>>
>>> =====================
>>> I pasted my dump flows of br-tun at
>>> http://paste.openstack.org/show/112859/
>>>
>>> As per the doc
>>> https://openstack.redhat.com/Networking_in_too_much_detail
>>>
>>> br-ex is connected to the router, the router is connected to br-int, br-int is
>>> connected to br-tun.
>>>
>>> I have captured at br-int. My ssh request is reaching br-int but not
>>> going through the tunnel.
>>>
>>> Please help me.
>>>
>>> Thanks,
>>> srinivas.
>>>
>>> On Wed, Sep 17, 2014 at 9:30 PM, Sajith Kariyawasam <saj...@gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> Could be due to,
>>>> ssh server is not up and running in your instance,
>>>> or running in a different port rather than port 22,
>>>> or, ssh port access is restricted in openstack key pair
>>>> configuration
>>>>
>>>> You could also try telnet to check the connectivity,
>>>> $ telnet <ip> 22
>>>>
>>>> Thanks,
>>>> Sajith
>>>>
>>>> On Wed, Sep 17, 2014 at 8:59 PM, Zoltán Lajos Kis <zoltan.lajos....@ericsson.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> What’s the output of running ssh with the verbose (-v) flag?
>>>>>
>>>>> BR,
>>>>> Zoltan
>>>>>
>>>>> *From:* Srinivasreddy R [mailto:srinivasreddy4...@gmail.com]
>>>>> *Sent:* Wednesday, September 17, 2014 5:16 PM
>>>>> *To:* openstack@lists.openstack.org
>>>>> *Subject:* [Openstack] able to ping but not able to ssh to instance
>>>>>
>>>>> Hi,
>>>>>
>>>>> I am able to ping my instance from the external network,
>>>>> but not able to ssh to the instance.
>>>>> I am using floating IPs for ping, ssh.
>>>>> Please help me.
>>>>>
>>>>> Thanks,
>>>>> srinivas.
>>>>>
>>>>> _______________________________________________
>>>>> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>>> Post to     : openstack@lists.openstack.org
>>>>> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>>
>>>> --
>>>> Best Regards
>>>> Sajith
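
Added example, not part of the original thread: the quoted question about finding which host firewall rule drops the ssh traffic can be answered from iptables' per-rule packet counters, which `iptables-save -c` prints as `[packets:bytes]`. The script below parses such a dump and lists the DROP/REJECT rules and chain policies that can match TCP port 22, busiest first; the dump is a constructed sample and the function names are hypothetical.

```python
import re
import shlex
# Constructed `iptables-save -c` dump for illustration (not output from the thread).
SAMPLE = """\
*filter
:FORWARD DROP [7:420]
[0:0] -A INPUT -p tcp -m tcp --dport 80 -j DROP
[9:540] -A FORWARD -d 11.0.0.0/24 -p tcp -m tcp --dport 22 -j DROP
[4:240] -A FORWARD -p tcp -m multiport --dports 20:25 -j REJECT --reject-with icmp-port-unreachable
[55:4620] -A FORWARD -p icmp -j ACCEPT
COMMIT
"""

RULE = re.compile(r"^\[(\d+):\d+\] -A (\S+) (.*-j (?:DROP|REJECT)\b.*)$")
POLICY = re.compile(r"^:(\S+) (DROP|REJECT) \[(\d+):\d+\]$")

def covers(spec, port):
    """True if a --dport/--dports value ('22', '20:25', '22,80') includes port."""
    for part in spec.split(","):
        lo, sep, hi = part.partition(":")
        if int(lo or 0) <= port <= int(hi or (65535 if sep else lo)):
            return True
    return False

def could_match(args, proto, port):
    """Check protocol and destination port only; other matches are not evaluated."""
    tok = shlex.split(args)
    for i, t in enumerate(tok[:-1]):
        negated = i > 0 and tok[i - 1] == "!"
        if t == "-p" and (tok[i + 1] == proto) == negated:
            return False
        if t in ("--dport", "--dports") and covers(tok[i + 1], port) == negated:
            return False
    return True

def blockers(dump, proto="tcp", port=22):
    """(packets, table, chain, rule) for DROP/REJECT rules and policies, busiest first."""
    table, hits = "?", []
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif m := POLICY.match(line):
            hits.append((int(m[3]), table, m[1], "policy " + m[2]))
        elif (m := RULE.match(line)) and could_match(m[3], proto, port):
            hits.append((int(m[1]), table, m[2], m[3]))
    return sorted(hits, key=lambda h: h[0], reverse=True)

if __name__ == "__main__":
    print(*blockers(SAMPLE), sep="\n")
```

Capture `iptables-save -c` on the host (or inside the router namespace with `ip netns exec`) before and after an ssh attempt; the entry whose packet count grows is the rule or policy dropping the traffic.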