NAT problem on single server install / Can't connect to floating IPs from public internet

Asked by Markus Thielmann

I'm running nova Bexar as a single server install on a remote web server (one physical internet connection, 4 public IP addresses). Everything works fine, I'm able to run and use instances (ping, ssh), but I'm unable to use an associated public IP.

As you can see, I'm using FlatDHCPManager and all instances run with IPs out of the 10.0.1.0/24 network. I used nova-manage to create floating IPs and euca-associate-address to associate them to the instances. There's no sign of an error in the log files.

However, I'm unable to connect via SSH to the associated public IPs. I am able to ping though.

I also tried to figure out which iptables setup nova uses and run them directly, but I couldn't find any error messages. I am, however, not sure if I got the commands right.

Any help on how to figure out how to assign the additional IPs in the "correct" way would be very much appreciated.

See the attached config files for more information.

# cat /etc/nova/nova.conf
--dhcpbridge_flagfile=/etc/nova/nova.conf
--dhcpbridge=/usr/bin/nova-dhcpbridge
--logdir=/var/log/nova
--state_path=/var/lib/nova
--verbose
--my_ip=89.238.83.54
--daemonize=1
--state_path=/var/lib/nova
--sql_connection=mysql://root:QZhUjpeQ@89.238.83.54/nova
--s3_host=89.238.83.54
--rabbit_host=89.238.83.54
--cc_host=89.238.83.54
--network_host=192.168.1.60
--verbose
--ec2_url=http://89.238.83.54:8773/services/Cloud
--network_manager=nova.network.manager.FlatDHCPManager
--fixed_range=10.0.0.0/12
--routing_source_ip=89.238.83.54
--flat_network_dhcp_start=10.0.1.2
--flat_injected=False
--network_size=10
--public_interface=eth0

# ifconfig
br100 Link encap:Ethernet HWaddr fe:16:3e:03:b8:d9
          inet addr:10.0.1.1 Bcast:10.0.1.127 Mask:255.255.255.128
          inet6 addr: fe80::c8e9:71ff:fec1:310f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:4239 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6442 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:511487 (511.4 KB) TX bytes:5823020 (5.8 MB)

eth0 Link encap:Ethernet HWaddr 1c:6f:65:8d:6d:31
          inet addr:89.238.83.54 Bcast:89.238.83.255 Mask:255.255.255.0
          inet6 addr: fe80::1e6f:65ff:fe8d:6d31/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:5274404 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5291 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:399808856 (399.8 MB) TX bytes:717974 (717.9 KB)
          Interrupt:29 Base address:0x8000

lo Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:10057188 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10057188 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:728429145 (728.4 MB) TX bytes:728429145 (728.4 MB)

virbr0 Link encap:Ethernet HWaddr 92:9d:fb:52:00:74
          inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
          inet6 addr: fe80::909d:fbff:fe52:74/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B) TX bytes:468 (468.0 B)

vnet0 Link encap:Ethernet HWaddr fe:16:3e:03:b8:d9
          inet6 addr: fe80::fc16:3eff:fe03:b8d9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:4239 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6442 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:570833 (570.8 KB) TX bytes:5823020 (5.8 MB)

# euca-describe-instances
RESERVATION r-4bok3lkq sethihosting default
INSTANCE i-00000018 ami-k6t4a3d4 89.238.83.55 10.0.1.15 running mykey (sethihosting, atlas) 0 m1.small 2011-03-13 18:49:57 nova

# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 527K packets, 100M bytes)
 pkts bytes target prot opt in out source destination
    0 0 DNAT tcp -- any any anywhere 169.254.169.254 tcp dpt:www to:89.238.83.54:8773
   37 1856 DNAT all -- any any anywhere 55.83.238.89.in-addr.arpa.manitu.net to:10.0.1.15

Chain POSTROUTING (policy ACCEPT 1779 packets, 111K bytes)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- any any 10.0.0.0/12 10.0.0.0/12
    0 0 ACCEPT all -- any any 10.0.0.0/12 10.128.0.0/24
    0 0 MASQUERADE tcp -- any any 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
    0 0 MASQUERADE udp -- any any 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
    0 0 MASQUERADE all -- any any 192.168.122.0/24 !192.168.122.0/24
  528 32941 SNATTING all -- any any anywhere anywhere

Chain OUTPUT (policy ACCEPT 1775 packets, 111K bytes)
 pkts bytes target prot opt in out source destination

Chain SNATTING (1 references)
 pkts bytes target prot opt in out source destination
    3 180 SNAT all -- any any 10.0.1.15 anywhere to:89.238.83.55
    0 0 SNAT all -- any any 10.0.0.0/12 anywhere to:89.238.83.54

# cat /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
        address 89.238.83.54
        netmask 255.255.255.0
        network 89.238.83.0
        broadcast 89.238.83.255
        gateway 89.238.83.1
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 217.11.48.200 217.11.49.200

Question information

Language: English
Status: Answered
For: OpenStack Compute (nova)
Assignee: No assignee
Vish Ishaya (vishvananda) said :
#1

did you euca-authorize port 22?

euca-authorize -P tcp -p 22 default

On Mar 14, 2011, at 3:36 AM, Markus Thielmann wrote:

Markus Thielmann (thielmann) said :
#2

Thanks for your answer, Vish, very much appreciated. Yes, I did authorize for SSH and ICMP, via

# euca-authorize -P icmp -t -1:-1 default
# euca-authorize -P tcp -p 22 default

As I said, I'm able to ssh into the instance as long as I'm using the local IP (10.0.1.x) of the instance. But I'm unable to ssh from outside the host if I'm using a floating IP.

Everett Toews (everett-toews) said :
#3

I'm having the exact same problem at the moment. Can't ssh to a publicly routable floating IP from outside the host.

One thing I tried on the host with nova-network running was to enable IP forwarding, but it didn't help. Try:

sysctl net.ipv4.ip_forward # tells you if IP forwarding is enabled
sysctl -w net.ipv4.ip_forward=1 # enable IP forwarding until reboot
vim /etc/sysctl.conf # uncomment the line net.ipv4.ip_forward = 1 to enable IP forwarding permanently

Hope it works for you.

Everett

Markus Thielmann (thielmann) said :
#4

Thanks for your answer, Everett.

I already checked IP forwarding; it's set to "1".

Everett Toews (everett-toews) said :
#5

I found out what the problem was in my situation. I had accidentally specified the wrong block of publicly routable IP addresses for that particular set of machines. As soon as I used the proper block of addresses, everything worked fine.

Here's some stuff you can try/check:

Setting up the addresses.

nova-manage floating create my-hostname 68.99.26.170/31
euca-allocate-address 68.99.26.170
euca-associate-address -i i-1 68.99.26.170

Make sure the security groups are open.

root@my-hostname:~# euca-describe-groups
GROUP admin-project default default
PERMISSION admin-project default ALLOWS icmp -1 -1
FROM CIDR 0.0.0.0/0
PERMISSION admin-project default ALLOWS tcp 22 22
FROM CIDR 0.0.0.0/0

Check that the NAT rules have been added to iptables.

-A nova-network-OUTPUT -d 68.99.26.170/32 -j DNAT --to-destination 10.0.0.3
-A nova-network-PREROUTING -d 68.99.26.170/32 -j DNAT --to-destination 10.0.0.3
-A nova-network-floating-snat -s 10.0.0.3/32 -j SNAT --to-source 68.99.26.170

Check that 68.99.26.170 has been added to your public interface, which you should see when you type "ip addr".

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether xx:xx:xx:17:4b:c2 brd ff:ff:ff:ff:ff:ff
    inet 13.22.194.80/24 brd 13.22.194.255 scope global eth0
    inet 68.99.26.170/32 scope global eth0
    inet6 fe80::82b:2bf:fe1:4b2/64 scope link
       valid_lft forever preferred_lft forever

You will need to set --public_interface in your nova.conf on the network node so that nova knows where to bind public IP addresses. Don't forget to restart nova-network if you do change nova.conf.

Hope this helps,
Everett

P.S. IP and MAC address changed to protect the innocent.
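An added check script, not from anyone in this thread, that verifies the three things Everett lists across #3 and #5: the DNAT/SNAT rules for a floating IP, the floating IP bound to the public interface, and ip_forward enabled. The function names are mine, and the sample dumps inside demo_good_config are constructed from Everett's listing rather than captured on a real node.

```shell
# Checks for the floating-IP plumbing this thread lists, run on the
# nova-network node. Each check reads a file so it works on saved dumps
# (`iptables-save -t nat > nat.txt`, `ip addr > addr.txt`) or on the
# constructed ones in demo_good_config below.

# check_nat_rules FLOATING FIXED NAT_DUMP: DNAT (floating -> fixed) and SNAT
# (fixed -> floating) must both be present. The chain name is not matched,
# since bexar and cactus put these rules in differently named chains.
check_nat_rules() {
    floating=$1 fixed=$2 dump=$3 rc=0
    grep -qF -- "-d $floating/32 -j DNAT --to-destination $fixed" "$dump" ||
        { echo "missing DNAT $floating -> $fixed"; rc=1; }
    grep -qF -- "-s $fixed/32 -j SNAT --to-source $floating" "$dump" ||
        { echo "missing SNAT $fixed -> $floating"; rc=1; }
    return $rc
}

# check_public_iface FLOATING IFACE ADDR_DUMP: FLOATING must be bound to
# IFACE; nova only does that when --public_interface names IFACE.
check_public_iface() {
    grep -qE "inet $1/32 .*scope global $2" "$3" ||
        { echo "$1 is not bound to $2"; return 1; }
}

# check_ip_forward [FILE]: FILE defaults to the live sysctl value.
check_ip_forward() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = 1 ] ||
        { echo "net.ipv4.ip_forward is not 1"; return 1; }
}

# Constructed sample dumps (not captured output), Everett's addresses; 0 when all checks pass.
demo_good_config() {
    dir=$(mktemp -d)
    cat > "$dir/nat.txt" <<'EOF'
-A nova-network-PREROUTING -d 68.99.26.170/32 -j DNAT --to-destination 10.0.0.3
-A nova-network-floating-snat -s 10.0.0.3/32 -j SNAT --to-source 68.99.26.170
EOF
    cat > "$dir/addr.txt" <<'EOF'
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
    inet 13.22.194.80/24 brd 13.22.194.255 scope global eth0
    inet 68.99.26.170/32 scope global eth0
EOF
    echo 1 > "$dir/ip_forward"
    check_nat_rules 68.99.26.170 10.0.0.3 "$dir/nat.txt" &&
        check_public_iface 68.99.26.170 eth0 "$dir/addr.txt" &&
        check_ip_forward "$dir/ip_forward"
    rc=$?
    rm -r "$dir"
    return $rc
}
```

On a live node, replace the file arguments with real dumps of `iptables-save -t nat` and `ip addr`, and leave check_ip_forward's argument off to read the running sysctl value.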

amitkhoth (amitkhoth) said :
#6

# euca-allocate-address
an unknown error has occurred.please try your request again.

I am unable to solve this problem.
How can I resolve it?
