Thank you, Peter and Remo! Your answers guided me to better understand security groups and iptables rules. The problem was that I hadn't understood very well the default security group created automatically, mainly the rules that seem to pass all traffic. Explained below.
DVR is enabled. Version is Liberty. 1 hypervisor, and the router is OK on compute nodes and controller (SNAT). I had not assigned an ICMP rule on the default security group nor on any other security group. On the default security group we can see these rules (dashboard):

    Direction  EtherType  IP Protocol  Port Range  Remote IP Prefix  Remote Security Group  Actions
    Egress     IPv6       Any          Any         ::/0              -
    Egress     IPv4       Any          Any         0.0.0.0/0         -
    Ingress    IPv6       Any          Any         -                 default
    Ingress    IPv4       Any          Any         -                 default

I was thinking that the rule "Ingress IPv4 Any Any" could pass all the traffic, independently of whether we are using a private IP or a floating IP. But, when this rule is translated to iptables, neutron uses ipset and the configured set has just the private IP addresses.

    Chain neutron-openvswi-i7a7a669c-3 (1 references)
     pkts bytes target     prot opt in     out     source               destination
    .....
        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set NIPv43c228055-2735-4339-b9a8- src
    .....

And:

    $ ipset list
    Name: NIPv43c228055-2735-4339-b9a8-
    Type: hash:net
    Revision: 4
    Header: family inet hashsize 1024 maxelem 65536
    Size in memory: 512
    References: 1
    Members:
    172.16.0.5
    172.16.0.10

    Name: NIPv63c228055-2735-4339-b9a8-
    Type: hash:net
    Revision: 4
    Header: family inet6 hashsize 1024 maxelem 65536
    Size in memory: 1152
    References: 1
    Members:

So, this rule is going to pass just packets whose src is in 172.16.0.0/24, the private (tenant) network. Although the rules listed have 'IPv4 Any Any' as if passing anything, these rules just permit packets from one VM to another in the same private network. To allow packets to a floating IP, other rules are required that pass to a specific floating IP address (or network, or all 0.0.0.0/0). As listed (dashboard), in the right column 'Remote Security Group' we shouldn't have 'default'.
    Direction  EtherType  IP Protocol  Port Range  Remote IP Prefix  Remote Security Group  Actions
    Ingress    IPv4       Any          Any         -                 default                        <--- pass for the private network
    and
    Ingress    IPv4       Any          Any         0.0.0.0/0         -                              <--- pass for floating ips

Iptables is something like:

    Chain neutron-openvswi-i7a7a669c-3 (1 references)
     pkts bytes target     prot opt in     out     source               destination
    .....
        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set NIPv43c228055-2735-4339-b9a8- src
        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    .....

So, what I needed to do was create a new security group for traffic from external networks to internal networks, without using the "default security group" as destination, because this is translated to the ipset match-set rule.

Thank you so much!

- JLC

On Fri, Apr 15, 2016 at 11:30 AM, Remo Mattei <r...@italy1.com> wrote:
> one more thing to know what version (liberty? Mitaka?)
>
> The security rules don’t get set with the new Mitaka so just make sure
> that you do set them, I have seen issues where the instance does not behave
> well and if you do set the SG make sure you have the ports open as Peter
> stated below.
>
> Remo
>
> On Apr 15, 2016, at 10:14, Erdősi Péter <f...@niif.hu> wrote:
>
> > On 2016-04-15 15:41, Jorge Luiz Correa wrote:
> >> I think that in neutron-openvswi-i7a7a669c-3 should exist some RETURN
> >> rule using the 172.16.0.5 IP address.
> > Just a fast thought:
> > Did you assign a security group with an ICMP-enabled rule to your VM?
> >
> > I think that will make your exception to avoid DROP at the end...
> >
> > Regards:
> > Peter
> >
> > _______________________________________________
> > Mailing list:
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> > Post to : openstack@lists.openstack.org
> > Unsubscribe :
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
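As an added illustration (not Neutron's code, and not part of the original thread), a small Python model of the translation JLC describes above: a rule with a remote security group becomes a 'match-set' RETURN whose ipset holds only the group's fixed tenant IPs, a rule with a remote IP prefix becomes a plain source-CIDR RETURN, and a source that matches neither falls through to the chain's final DROP. The group name, the tenant IPs and the external client address 203.0.113.7 are constructed sample values.

```python
"""Model of how Neutron renders security-group rules into a per-port
iptables chain (added illustration, not Neutron's own code)."""
import ipaddress

# Constructed sample data mirroring the thread: two VMs in the 'default' group.
GROUP_PORT_IPS = {"default": ["172.16.0.5", "172.16.0.10"]}


def build_ipset(group_port_ips, group):
    """ipset NIPv4<group> holds the fixed IPs of every port in the group,
    never the floating IPs or external clients that reach them via NAT."""
    return {ipaddress.ip_network(ip) for ip in group_port_ips.get(group, [])}


def compile_chain(rules, group_port_ips):
    """Return (iptables-like description, source predicate) in chain order."""
    chain = []
    for rule in rules:
        if rule.get("remote_group"):
            members = build_ipset(group_port_ips, rule["remote_group"])
            chain.append((f"RETURN match-set NIPv4{rule['remote_group']} src",
                          lambda src, m=members: any(src in net for net in m)))
        elif rule.get("remote_ip_prefix"):
            net = ipaddress.ip_network(rule["remote_ip_prefix"])
            chain.append((f"RETURN -s {net}", lambda src, n=net: src in n))
    return chain


def ingress_verdict(rules, group_port_ips, src_ip):
    """Walk the chain as the kernel does: first matching RETURN wins,
    otherwise the packet reaches the DROP at the end of the chain."""
    src = ipaddress.ip_address(src_ip)
    for desc, matches in compile_chain(rules, group_port_ips):
        if matches(src):
            return "RETURN", desc
    return "DROP", "end of chain"


# The two rule sets from the thread: remote group only, then with 0.0.0.0/0.
ONLY_REMOTE_GROUP = [{"direction": "ingress", "remote_group": "default"}]
WITH_ANY_PREFIX = ONLY_REMOTE_GROUP + [
    {"direction": "ingress", "remote_ip_prefix": "0.0.0.0/0"}]

if __name__ == "__main__":
    for rules in (ONLY_REMOTE_GROUP, WITH_ANY_PREFIX):
        for src in ("172.16.0.10", "203.0.113.7"):
            print(src, ingress_verdict(rules, GROUP_PORT_IPS, src))
```

Pinging a VM's floating IP arrives at the port with the external client's address as source, so with the remote-group rule alone it is dropped, while a VM on the same tenant network is returned by the ipset match.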