It says default so that applies only to that network. Just add a new rule icmp all source 0/0 then you can ping in and out.
Same for SSH, which applies to floating IP as well. In Mitaka it works a little differently.

Ciao

Sent from iPhone

> On 15 Apr 2016, at 10:50, Jorge Luiz Correa <corre...@gmail.com> wrote:
>
> Thank you, Peter and Remo! Your answers guided me to better understand
> security groups and iptables rules. The problem was that I hadn't understood
> very well the default security group created automatically, mainly the rules
> that seem to pass all traffic. Explained below.
>
> DVR is enabled.
> Version is Liberty.
> 1 hypervisor and router is OK on compute nodes and controller (snat).
> I had not assigned an ICMP rule on the default security group nor on any other
> security group.
>
> On the default security group we can see these rules (dashboard):
>
> Direction  EtherType  IP Protocol  Port Range  Remote IP Prefix  Remote Security Group  Actions
> Egress     IPv6       Any          Any         ::/0              -
> Egress     IPv4       Any          Any         0.0.0.0/0         -
> Ingress    IPv6       Any          Any         -                 default
> Ingress    IPv4       Any          Any         -                 default
>
> I was thinking that the rule "Ingress IPv4 Any Any" could pass all the
> traffic, independently of whether we are using a private IP or a floating IP. But,
> when this rule is translated to iptables, neutron uses ipset and the
> configured set has just the private IP addresses.
>
> Chain neutron-openvswi-i7a7a669c-3 (1 references)
>  pkts bytes target  prot opt in  out  source      destination
> .....
>     0     0 RETURN  all  --  *   *    0.0.0.0/0   0.0.0.0/0   match-set NIPv43c228055-2735-4339-b9a8- src
> .....
>
> And:
>
> $ ipset list
>
> Name: NIPv43c228055-2735-4339-b9a8-
> Type: hash:net
> Revision: 4
> Header: family inet hashsize 1024 maxelem 65536
> Size in memory: 512
> References: 1
> Members:
> 172.16.0.5
> 172.16.0.10
>
> Name: NIPv63c228055-2735-4339-b9a8-
> Type: hash:net
> Revision: 4
> Header: family inet6 hashsize 1024 maxelem 65536
> Size in memory: 1152
> References: 1
> Members:
>
> So, this rule is going to pass just packets whose src is in 172.16.0.0/24, the
> private (tenant) network.
>
> Although the rules listed have 'IPv4 Any Any' as if passing anything, these
> rules just permit packets from one VM to another in the same private network.
>
> To allow packets to a floating IP, other rules are required that pass to a
> specific floating IP address (or network, or all 0.0.0.0/0). As listed
> (dashboard), in the right column 'Remote Security Group' we shouldn't
> have 'default'.
>
> Direction  EtherType  IP Protocol  Port Range  Remote IP Prefix  Remote Security Group
> Ingress    IPv4       Any          Any         -                 default      <--- pass for the private network
> and
> Ingress    IPv4       Any          Any         0.0.0.0/0         -            <--- pass for floating IPs
>
> Iptables is something like:
>
> Chain neutron-openvswi-i7a7a669c-3 (1 references)
>  pkts bytes target  prot opt in  out  source      destination
> .....
>     0     0 RETURN  all  --  *   *    0.0.0.0/0   0.0.0.0/0   match-set NIPv43c228055-2735-4339-b9a8- src
>     0     0 RETURN  all  --  *   *    0.0.0.0/0   0.0.0.0/0
> .....
>
> So, what I needed to do was create a new security group for traffic from
> external networks to internal networks, without using the "default security
> group" as destination, because this is translated to the ipset match-set
> rule.
>
> Thank you so much!
>
> - JLC
>
>> On Fri, Apr 15, 2016 at 11:30 AM, Remo Mattei <r...@italy1.com> wrote:
>> one more thing to know what version (liberty? Mitaka?)
>>
>> The security rules don't get set with the new Mitaka so just make sure that
>> you do set them. I have seen issues where the instance does not behave well,
>> and if you do set the SG make sure you have the ports open as Peter stated
>> below.
>>
>> Remo
>>
>>> On Apr 15, 2016, at 10:14, Erdősi Péter <f...@niif.hu> wrote:
>>>
>>> On 2016-04-15 15:41, Jorge Luiz Correa wrote:
>>>> I think that in neutron-openvswi-i7a7a669c-3 there should exist some RETURN
>>>> rule using the 172.16.0.5 IP address.
>>> Just a fast thought:
>>> Did you assign a security group with an ICMP-enabled rule to your VM?
>>>
>>> I think that will make your exception to avoid DROP at the end...
>>>
>>> Regards:
>>> Peter
>>>
>>> _______________________________________________
>>> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>> Post to     : openstack@lists.openstack.org
>>> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
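As an added example (not Neutron's code and not from the thread), the Python model below reproduces the translation JLC describes: an ingress rule whose remote is a security group becomes an ipset match on the members' fixed IPs, so a packet arriving through a floating IP with an untranslated external source address hits the chain's final DROP unless a remote-IP-prefix rule admits it. The group name, the member IPs and the 203.0.113.7 client address are constructed for the example.

```python
# Added example, not Neutron code: a model of how a port's ingress
# security-group rules are rendered into its per-port iptables chain.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    direction: str                      # "ingress" or "egress"
    ethertype: str                      # "IPv4" or "IPv6"
    protocol: Optional[str] = None      # None means "Any"
    remote_ip_prefix: Optional[str] = None
    remote_group_id: Optional[str] = None

# Constructed ipset contents: the fixed IPs of the "default" group's ports,
# mirroring the NIPv4... set listed in the thread.
GROUP_MEMBERS = {"default": ["172.16.0.5", "172.16.0.10"]}

def rule_matches(rule: Rule, src_ip: str, protocol: str) -> bool:
    """True if a packet from src_ip with this protocol matches the rule."""
    ip = ipaddress.ip_address(src_ip)
    if rule.ethertype != f"IPv{ip.version}":
        return False
    if rule.protocol is not None and rule.protocol != protocol:
        return False
    if rule.remote_group_id is not None:
        # "match-set NIPv4<id> src": only the group members' private addresses
        members = GROUP_MEMBERS.get(rule.remote_group_id, [])
        return any(ip == ipaddress.ip_address(m) for m in members)
    if rule.remote_ip_prefix is not None:
        # "-s <prefix>": a CIDR match on the (untranslated) source address
        return ip in ipaddress.ip_network(rule.remote_ip_prefix, strict=False)
    return True   # no remote criteria at all: any source

def ingress_allowed(rules: list, src_ip: str, protocol: str) -> bool:
    """Walk the ingress chain: the first matching RETURN accepts the packet,
    otherwise the chain's final DROP applies."""
    return any(r.direction == "ingress" and rule_matches(r, src_ip, protocol)
               for r in rules)

# The thread's "default" group, then the same group plus the 0/0 ICMP rule.
DEFAULT_ONLY = [Rule("ingress", "IPv4", remote_group_id="default"),
                Rule("ingress", "IPv6", remote_group_id="default")]
WITH_ICMP_FROM_ANYWHERE = DEFAULT_ONLY + [
    Rule("ingress", "IPv4", protocol="icmp", remote_ip_prefix="0.0.0.0/0")]

if __name__ == "__main__":
    for src in ("172.16.0.5", "203.0.113.7"):   # VM peer vs. external client
        print(src, ingress_allowed(DEFAULT_ONLY, src, "icmp"),
              ingress_allowed(WITH_ICMP_FROM_ANYWHERE, src, "icmp"))
```

Note that 0.0.0.0/0, as used in the thread, admits every source; a prefix covering only the networks that actually need to reach the floating IP gives the same fix with less exposure.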