Hello,
I'm managing an OpenStack cloud (Havana... yeah, too old...) with nova-network and ONLY one interface per node (and one interface on the controller and network, which are the same server). All traffic flows through eth0 (and, of course, br100).
When I launch an instance, I assign it a floating IP address from the public pool, so the instance can be accessed from the Internet with SSH. But once I have logged into the instance, I can't browse the Internet because there seems to be a NAT problem with some iptables rule on the controller. I have run this easy test: from inside the instance (with a private IP assigned by OpenStack and a public floating IP), I ping another server (in the same public network as the floating IPs), and that server receives ICMP traffic from the private IP of the instance, as if NAT were failing on the controller.

However, the iptables rules on the controller seem to be correct:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
nova-network-PREROUTING  all  --  anywhere             anywhere
nova-api-PREROUTING  all  --  anywhere             anywhere

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
nova-network-POSTROUTING  all  --  anywhere             anywhere
nova-api-POSTROUTING  all  --  anywhere             anywhere
nova-postrouting-bottom  all  --  anywhere             anywhere
MASQUERADE  tcp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
MASQUERADE  udp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
MASQUERADE  all  --  192.168.122.0/24    !192.168.122.0/24

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
nova-network-OUTPUT  all  --  anywhere             anywhere
nova-api-OUTPUT  all  --  anywhere             anywhere

Chain nova-api-OUTPUT (1 references)
target     prot opt source               destination

Chain nova-api-POSTROUTING (1 references)
target     prot opt source               destination

Chain nova-api-PREROUTING (1 references)
target     prot opt source               destination

Chain nova-api-float-snat (1 references)
target     prot opt source               destination

Chain nova-api-snat (1 references)
target     prot opt source               destination
nova-api-float-snat  all  --  anywhere             anywhere

Chain nova-network-OUTPUT (1 references)
target     prot opt source               destination
DNAT       all  --  anywhere             FLOATING_PUBLIC_IP  to:192.168.32.13

Chain nova-network-POSTROUTING (1 references)
target     prot opt source               destination
ACCEPT     all  --  192.168.32.0/22      CONTROLLER_PUBLIC_IP
ACCEPT     all  --  192.168.32.0/22      192.168.32.0/22     ! ctstate DNAT
SNAT       all  --  192.168.32.13        anywhere            ctstate DNAT to:FLOATING_PUBLIC_IP

Chain nova-network-PREROUTING (1 references)
target     prot opt source               destination
DNAT       tcp  --  anywhere             169.254.169.254     tcp dpt:http to:CONTROLLER_PUBLIC_IP:8775
DNAT       all  --  anywhere             FLOATING_PUBLIC_IP  to:192.168.32.13

Chain nova-network-float-snat (1 references)
target     prot opt source               destination
SNAT       all  --  192.168.32.13        192.168.32.13       to:FLOATING_PUBLIC_IP
SNAT       all  --  192.168.32.13        anywhere            to:FLOATING_PUBLIC_IP

Chain nova-network-snat (1 references)
target     prot opt source               destination
nova-network-float-snat  all  --  anywhere             anywhere
SNAT       all  --  192.168.32.0/22      anywhere            to:CONTROLLER_PUBLIC_IP

Chain nova-postrouting-bottom (1 references)
target     prot opt source               destination
nova-network-snat  all  --  anywhere             anywhere
nova-api-snat  all  --  anywhere             anywhere

In those rules:

  • CONTROLLER_PUBLIC_IP and FLOATING_PUBLIC_IP are in the same subnet. 192.168.32.13 is the internal instance IP address. 10.3.4.200 is another floating IP assigned to the instance automatically, but it is in a private subnet without Internet access.

Now, after doing several tests, I have found that manually adding this rule, "iptables -t nat -I nova-network-POSTROUTING -s 192.168.32.13 -j SNAT --to FLOATING_PUBLIC_IP", solves my problem!!!! But I need to add this rule dynamically BEFORE the other existing "nova-network-POSTROUTING" rules, because OpenStack executes an "iptables -A" and does an "append", and I need an "iptables -I" (insert as first rule)...

Could someone help me?

Thanks.
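One way to get that rule into position 1 without duplicating it on every run is to compare the chain's current first rule (in "iptables -t nat -S" syntax) with the wanted SNAT rule and only insert when it is not already on top. This is an added example, not code from the original post or from nova-network; it assumes the fixed IP and floating IP are passed as arguments, and the IPTABLES variable lets you point it at a stub for an offline dry run.

```shell
#!/bin/sh
# Added example (not from the original post): keep a per-instance SNAT rule as
# the FIRST rule of nova-network-POSTROUTING (nat table), ahead of the rules
# nova-network appends with "iptables -A". Re-running it is safe: it does not
# duplicate the rule and only touches the chain when the rule is not on top.
# IPTABLES may point at a stub (e.g. a shell function) for an offline dry run.
IPTABLES="${IPTABLES:-iptables}"
CHAIN="nova-network-POSTROUTING"

# Rule spec (everything after the chain name) for fixed IP $1 -> floating IP $2.
snat_spec() {
    printf '%s\n' "-s $1/32 -j SNAT --to-source $2"
}

# Succeeds only if the first rule of the chain is exactly the wanted SNAT rule.
# Compares in iptables-save syntax ("iptables -t nat -S CHAIN"), which is stable.
snat_is_first() {
    want="-A $CHAIN $(snat_spec "$1" "$2")"
    first=$("$IPTABLES" -t nat -S "$CHAIN" | grep '^-A ' | head -n 1)
    [ "$first" = "$want" ]
}

# Make the SNAT rule the first rule of the chain. Sets SNAT_ACTION to
# "already-first" or "inserted" and prints it.
ensure_snat_first() {
    fixed="$1"; floating="$2"
    if snat_is_first "$fixed" "$floating"; then
        SNAT_ACTION="already-first"
    else
        # Remove any copy sitting lower in the chain so re-runs never accumulate
        # duplicates, then insert at position 1.
        while "$IPTABLES" -t nat -C "$CHAIN" $(snat_spec "$fixed" "$floating") 2>/dev/null; do
            "$IPTABLES" -t nat -D "$CHAIN" $(snat_spec "$fixed" "$floating")
        done
        "$IPTABLES" -t nat -I "$CHAIN" 1 $(snat_spec "$fixed" "$floating")
        SNAT_ACTION="inserted"
    fi
    echo "$SNAT_ACTION"
}

# Usage on the controller: sh script.sh 192.168.32.13 FLOATING_PUBLIC_IP
if [ "$#" -eq 2 ]; then
    ensure_snat_first "$1" "$2"
fi
```

nova-network rebuilds its own nova-* chains whenever it re-applies its rule set, so a manually inserted rule in nova-network-POSTROUTING will disappear again; run this from a timer or a hook after each refresh rather than once.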
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
