cloudstack-users mailing list archives

From Christof Hlipala <christofhlip...@googlemail.com>
Subject NAT problem, VMs like VR can't connect to internet
Date Fri, 05 Sep 2014 06:47:35 GMT
Hi there,

I have a problem with my CloudStack/network setup. I hope somebody can help me.

I'm using KVM, and CentOS 6 is installed on all servers. I have no errors in the logs and
all instances are running.

Here is my current network setup: https://www.dropbox.com/s/nzfiy1ilebugi0k/cloud_network.png?dl=0

I have a CloudStack advanced network, and my virtual servers like the VR can't connect to
the internet or even ping the gateway. I also can't ping the VR from the public network.
The nodes on which the VMs are running are able to ping the public network/internet.

I have only one gateway, so I created a NAT on the management server. So the VMs that want
to connect to my public network must go through another subnet first. I think my problem has
something to do with my iptables (NAT) settings. For a better understanding, please see my
diagram.

Does somebody have an idea? I appreciate every piece of advice. If this cannot work, what alternatives
do I have to create an advanced network with only 1 gateway?


Please find below my iptables settings:

iptables of the management server:

# Generated by iptables-save v1.4.7
*nat
:PREROUTING ACCEPT [1158:172626]
:POSTROUTING ACCEPT [119:8872]
:OUTPUT ACCEPT [119:8872]
-A POSTROUTING -o eth0 -j MASQUERADE
# -A POSTROUTING -s 192.168.1.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed
# Generated by iptables-save v1.4.7
*filter
:INPUT ACCEPT [119736:288057978]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [145743:303840575]
-A INPUT -p tcp -m tcp --dport 9090 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8250 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 32803 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m state --state NEW -m udp --dport 32769 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 892 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m state --state NEW -m udp --dport 892 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 875 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m state --state NEW -m udp --dport 875 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 662 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m state --state NEW -m udp --dport 662 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
# Completed

iptables of the nodes:

# Generated by iptables-save v1.4.7
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Tue Mar 25 14:45:02 2014
# Generated by iptables-save v1.4.7
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed
# Generated by iptables-save v1.4.7
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 49152:49216 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900:6100 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 16509 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 32803 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m state --state NEW -m udp --dport 32769 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 892 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m state --state NEW -m udp --dport 892 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 875 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m state --state NEW -m udp --dport 875 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 662 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m state --state NEW -m udp --dport 662 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed 
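As an added example (not part of the original post, and not CloudStack's own code), here is a small POSIX shell checker that reads an iptables-save dump and tests a single-gateway NAT box, like the management server above, for the three rules a masquerading router needs: source NAT on the uplink, forwarding from the inside interface to the uplink, and a stateful rule that lets replies come back. The interface roles (eth0 = uplink, eth1 = inside) and the second, deliberately broken ruleset are assumptions; the first sample is constructed from the management-server dump above, leaving out the commented-out line whose CIDR 192.168.1.0.0/24 is malformed. The checker only sees what the dump contains: it cannot tell whether net.ipv4.ip_forward is enabled, or whether the VR's public range is routed through this box, and both are needed for the rules to do anything.

```shell
#!/bin/sh
# Added example, not from the original post or from CloudStack: checks an
# iptables-save dump for the rules a masquerading single-gateway box needs
# to forward traffic from an inside interface to its uplink.
#
# Not covered here (check separately on the host): net.ipv4.ip_forward must
# be 1, the inside hosts and the VR's public IP range must use this box as
# their gateway, and the box needs a route back to the VR's subnet.

# Sample ruleset constructed from the management-server dump in the post
# (eth0 = uplink to the single gateway, eth1 = towards the nodes). The
# commented-out line with the malformed CIDR 192.168.1.0.0/24 is left out.
SAMPLE_OK='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT'

# Constructed broken variant (an assumption, not from the post): FORWARD
# policy is DROP but the rule that lets replies back in from the uplink is
# missing, so outbound SYNs leave masqueraded and every answer is dropped.
SAMPLE_BROKEN='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT'

# check_nat_rules RULES UPLINK INSIDE
# Prints one "ok:" / "missing:" line per check and returns the number of
# failed checks (0 means the ruleset is complete).
check_nat_rules() {
    rules=$1; uplink=$2; inside=$3; fails=0

    # Split the dump into its nat and filter tables ("*name" up to "COMMIT").
    nat=$(printf '%s\n' "$rules" | sed -n '/^\*nat$/,/^COMMIT$/p')
    filter=$(printf '%s\n' "$rules" | sed -n '/^\*filter$/,/^COMMIT$/p')

    # 1. Source NAT on the uplink: MASQUERADE (dynamic IP) or SNAT (static IP).
    if printf '%s\n' "$nat" | grep -Eq "^-A POSTROUTING .*-o $uplink .*-j (MASQUERADE|SNAT)"; then
        echo "ok: nat POSTROUTING rewrites source addresses leaving $uplink"
    else
        echo "missing: no MASQUERADE/SNAT rule for -o $uplink in nat POSTROUTING"
        fails=$((fails + 1))
    fi

    # 2. Forwarding from the inside interface to the uplink.
    if printf '%s\n' "$filter" | grep -Eq "^-A FORWARD .*-i $inside .*-o $uplink .*-j ACCEPT"; then
        echo "ok: FORWARD accepts $inside -> $uplink"
    else
        echo "missing: no FORWARD ACCEPT for -i $inside -o $uplink"
        fails=$((fails + 1))
    fi

    # 3. Replies from the uplink back inside, matched by connection state
    #    ("-m state --state" or the newer "-m conntrack --ctstate" form).
    if printf '%s\n' "$filter" | grep -Eq "^-A FORWARD .*-i $uplink .*-o $inside .*--(ct)?state [A-Z,]*ESTABLISHED.*-j ACCEPT"; then
        echo "ok: FORWARD accepts RELATED,ESTABLISHED $uplink -> $inside"
    else
        echo "missing: no stateful FORWARD ACCEPT for -i $uplink -o $inside (replies are dropped)"
        fails=$((fails + 1))
    fi

    # The chain policy decides how much the rules above matter.
    if printf '%s\n' "$filter" | grep -q '^:FORWARD DROP'; then
        echo "note: FORWARD policy is DROP, so only the traffic matched above is forwarded"
    else
        echo "note: FORWARD policy is not DROP; anything no rule rejects is forwarded"
    fi

    return $fails
}

# Wrapper for a live host (not used by the offline run below).
check_live() { check_nat_rules "$(iptables-save)" "$1" "$2"; }

echo "== ruleset from the post =="
check_nat_rules "$SAMPLE_OK" eth0 eth1 || echo "=> $? check(s) failed"
echo "== constructed broken ruleset =="
check_nat_rules "$SAMPLE_BROKEN" eth0 eth1 || echo "=> $? check(s) failed"
```

On a live box, `check_live eth0 eth1` runs the same checks over the current `iptables-save` output; a ruleset that passes all three checks but still forwards nothing points at `sysctl net.ipv4.ip_forward` or at routing (which gateway the VR and nodes actually use, and whether the NAT box has a route back to them) rather than at the filter rules.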


