openstack实例无法访问外部网络
openstack实例无法访问外部网络
提问于 2014-07-08 12:24:57
我是OpenStack的新手。我正在使用RDO包栈-allinone设置。
所有openstack节点驻留在一台机器上,只有一个物理以太网接口(eth0,192.168.0.11)
我启动了两个实例(Test6和Test7)并建立了公共和专用网络,然后将浮动ips分配给它们。
网络拓扑图像见此处:http://postimg.org/image/yumejw07n/
公共网络为192.168.0.192/26,专用网络为10.0.0.0/24。
Test6网络为10.0.0.15和192.168.0.204,Test7网络为10.0.0.17和192.168.0.199。
路由器连接在test6 test7和公共网络之间,10.0.0.1连接到专用网络,192.168.0.203连接到公共网络。
在专用网络中,Test6、Test7和路由器之间可以进行平接或访问。(任何公用网络地址或专用网络地址)。
在公共网络中,公共网络中的任何主机都不能访问Test6、Test7或路由器(192.168.0.203),实例也不能访问主机。
我想我错过了一些桥的iptable配置,但我没有弄清楚我应该添加什么过滤器。
主机上的
:
#ovs-vsctl show
bc3a6627-8bfa-4d4a-b75a-a360b1d9ebe2
Bridge br-int
Port patch-tun
Interface patch-tun
type: patch
options: {peer=patch-int}
Port "qvoa86f386a-84"
tag: 1
Interface "qvoa86f386a-84"
Port "tap816bfb16-c3"
tag: 4095
Interface "tap816bfb16-c3"
Port "qvof5f02caa-df"
tag: 1
Interface "qvof5f02caa-df"
Port "tapa37e0f14-18"
tag: 1
Interface "tapa37e0f14-18"
Port "qr-095473ef-8f"
tag: 1
Interface "qr-095473ef-8f"
type: internal
Port br-int
Interface br-int
type: internal
Port "qr-34feb8f5-dd"
tag: 2
Interface "qr-34feb8f5-dd"
type: internal
Bridge br-ex
Port "eth0"
Interface "eth0"
Port br-ex
Interface br-ex
type: internal
Bridge br-tun
Port patch-int
Interface patch-int
type: patch
options: {peer=patch-tun}
Port br-tun
Interface br-tun
type: internal
ovs_version: "1.11.0"# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 br-ex
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1044 0 0 br-ex
0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 br-ex#route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.192 0.0.0.0 255.255.255.192 U 0 0 0 qg-92cfa1a7-94
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 qr-095473ef-8f#iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 49201 packets, 7639K bytes)
pkts bytes target prot opt in out source destination
49201 7639K neutron-openvswi-PREROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
42619 6708K nova-api-metadat-PREROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
42619 6708K nova-api-PREROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 15292 packets, 934K bytes)
pkts bytes target prot opt in out source destination
15292 934K neutron-openvswi-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
15292 934K neutron-postrouting-bottom all -- * * 0.0.0.0/0 0.0.0.0/0
12768 779K nova-api-metadat-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
12791 781K nova-api-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
15292 934K nova-postrouting-bottom all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 15266 packets, 932K bytes)
pkts bytes target prot opt in out source destination
15266 932K neutron-openvswi-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
12760 779K nova-api-metadat-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
12783 780K nova-api-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-openvswi-OUTPUT (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-openvswi-POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-openvswi-PREROUTING (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-openvswi-float-snat (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-openvswi-snat (1 references)
pkts bytes target prot opt in out source destination
15292 934K neutron-openvswi-float-snat all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-postrouting-bottom (1 references)
pkts bytes target prot opt in out source destination
15292 934K neutron-openvswi-snat all -- * * 0.0.0.0/0 0.0.0.0/0
Chain nova-api-OUTPUT (1 references)
pkts bytes target prot opt in out source destination
Chain nova-api-POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
Chain nova-api-PREROUTING (1 references)
pkts bytes target prot opt in out source destination
Chain nova-api-float-snat (1 references)
pkts bytes target prot opt in out source destination
Chain nova-api-metadat-OUTPUT (1 references)
pkts bytes target prot opt in out source destination
Chain nova-api-metadat-POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
Chain nova-api-metadat-PREROUTING (1 references)
pkts bytes target prot opt in out source destination
Chain nova-api-metadat-float-snat (1 references)
pkts bytes target prot opt in out source destination
Chain nova-api-metadat-snat (1 references)
pkts bytes target prot opt in out source destination
12768 779K nova-api-metadat-float-snat all -- * * 0.0.0.0/0 0.0.0.0/0
Chain nova-api-snat (1 references)
pkts bytes target prot opt in out source destination
12791 781K nova-api-float-snat all -- * * 0.0.0.0/0 0.0.0.0/0
Chain nova-postrouting-bottom (1 references)
pkts bytes target prot opt in out source destination
12768 779K nova-api-metadat-snat all -- * * 0.0.0.0/0 0.0.0.0/0
12791 781K nova-api-snat all -- * * 0.0.0.0/0 0.0.0.0/0#iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N neutron-filter-top
-N neutron-openvswi-FORWARD
-N neutron-openvswi-INPUT
-N neutron-openvswi-OUTPUT
-N neutron-openvswi-ia86f386a-8
-N neutron-openvswi-if5f02caa-d
-N neutron-openvswi-local
-N neutron-openvswi-oa86f386a-8
-N neutron-openvswi-of5f02caa-d
-N neutron-openvswi-sa86f386a-8
-N neutron-openvswi-sf5f02caa-d
-N neutron-openvswi-sg-chain
-N neutron-openvswi-sg-fallback
-N nova-api-FORWARD
-N nova-api-INPUT
-N nova-api-OUTPUT
-N nova-api-local
-N nova-api-metadat-FORWARD
-N nova-api-metadat-INPUT
-N nova-api-metadat-OUTPUT
-N nova-api-metadat-local
-N nova-filter-top
-A INPUT -j neutron-openvswi-INPUT
-A INPUT -j nova-api-metadat-INPUT
-A INPUT -j nova-api-INPUT
-A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 5671,5672 -m comment --comment "001 amqp incoming amqp_192.168.0.11" -j ACCEPT
-A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 5671,5672 -m comment --comment "001 amqp incoming amqp_192.168.0.81" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8777 -m comment --comment "001 ceilometer-api incoming ceilometer_api" -j ACCEPT
-A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 3260,8776 -m comment --comment "001 cinder incoming cinder_192.168.0.11" -j ACCEPT
-A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 3260,8776 -m comment --comment "001 cinder incoming cinder_192.168.0.81" -j ACCEPT
-A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming glance_192.168.0.11" -j ACCEPT
-A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming glance_192.168.0.81" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80 -m comment --comment "001 horizon 80 incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5000,35357 -m comment --comment "001 keystone incoming keystone" -j ACCEPT
-A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 27017 -m comment --comment "001 mongodb-server incoming swift_storage_and_rsync_192.168.0.11" -j ACCEPT
-A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 3306 -m comment --comment "001 mysql incoming mysql_192.168.0.11" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80 -m comment --comment "001 nagios incoming" -j ACCEPT
-A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 5666 -m comment --comment "001 nagios-nrpe incoming nagios_nrpe" -j ACCEPT
-A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 67 -m comment --comment "001 neutron dhcp in incoming neutron_dhcp_in_192.168.0.11_192.168.0.11" -j ACCEPT
-A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 67 -m comment --comment "001 neutron dhcp in incoming neutron_dhcp_in_192.168.0.81_192.168.0.81" -j ACCEPT
-A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 9696 -m comment --comment "001 neutron server incoming neutron_server_192.168.0.11_192.168.0.11" -j ACCEPT
-A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 9696 -m comment --comment "001 neutron server incoming neutron_server_192.168.0.81_192.168.0.81" -j ACCEPT
-A INPUT -p udp -m multiport --dports 4789 -m comment --comment "001 neutron tunnel port incoming neutron_tunnel" -j ACCEPT
-A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 5900:5999 -m comment --comment "001 nova compute incoming nova_compute" -j ACCEPT
-A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 49152:49215 -m comment --comment "001 nova qemu migration incoming nova_qemu_migration_192.168.0.11_192.168.0.11" -j ACCEPT
-A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 49152:49215 -m comment --comment "001 nova qemu migration incoming nova_qemu_migration_192.168.0.81_192.168.0.81" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8773,8774,8775 -m comment --comment "001 novaapi incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6080 -m comment --comment "001 novncproxy incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8080 -m comment --comment "001 swift proxy incoming" -j ACCEPT
-A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 6000,6001,6002,873 -m comment --comment "001 swift storage and rsync incoming swift_storage_and_rsync_192.168.0.11" -j ACCEPT
-A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 6000,6001,6002,873 -m comment --comment "001 swift storage and rsync incoming swift_storage_and_rsync_192.168.0.81" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-api-metadat-FORWARD
-A FORWARD -j nova-api-FORWARD
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-openvswi-OUTPUT
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-api-metadat-OUTPUT
-A OUTPUT -j nova-api-OUTPUT
-A OUTPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 68 -m comment --comment "001 neutron dhcp out outgoing neutron_dhcp_out_192.168.0.11_192.168.0.11" -j ACCEPT
-A OUTPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 68 -m comment --comment "001 neutron dhcp out outgoing neutron_dhcp_out_192.168.0.81_192.168.0.81" -j ACCEPT
-A neutron-filter-top -j neutron-openvswi-local
-A neutron-openvswi-FORWARD -m physdev --physdev-out tapf5f02caa-df --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tapf5f02caa-df --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-out tapa86f386a-84 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tapa86f386a-84 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-INPUT -m physdev --physdev-in tapf5f02caa-df --physdev-is-bridged -j neutron-openvswi-of5f02caa-d
-A neutron-openvswi-INPUT -m physdev --physdev-in tapa86f386a-84 --physdev-is-bridged -j neutron-openvswi-oa86f386a-8
-A neutron-openvswi-ia86f386a-8 -m state --state INVALID -j DROP
-A neutron-openvswi-ia86f386a-8 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-ia86f386a-8 -s 10.0.0.17/32 -j RETURN
-A neutron-openvswi-ia86f386a-8 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-ia86f386a-8 -p tcp -m tcp --dport 443 -j RETURN
-A neutron-openvswi-ia86f386a-8 -p icmp -j RETURN
-A neutron-openvswi-ia86f386a-8 -p tcp -m tcp --dport 80 -j RETURN
-A neutron-openvswi-ia86f386a-8 -s 10.0.0.16/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-ia86f386a-8 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-if5f02caa-d -m state --state INVALID -j DROP
-A neutron-openvswi-if5f02caa-d -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-if5f02caa-d -s 10.0.0.15/32 -j RETURN
-A neutron-openvswi-if5f02caa-d -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-if5f02caa-d -p tcp -m tcp --dport 443 -j RETURN
-A neutron-openvswi-if5f02caa-d -p icmp -j RETURN
-A neutron-openvswi-if5f02caa-d -p tcp -m tcp --dport 80 -j RETURN
-A neutron-openvswi-if5f02caa-d -s 10.0.0.16/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-if5f02caa-d -j neutron-openvswi-sg-fallback
-A neutron-openvswi-oa86f386a-8 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-oa86f386a-8 -j neutron-openvswi-sa86f386a-8
-A neutron-openvswi-oa86f386a-8 -p udp -m udp --sport 67 --dport 68 -j DROP
-A neutron-openvswi-oa86f386a-8 -m state --state INVALID -j DROP
-A neutron-openvswi-oa86f386a-8 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-oa86f386a-8 -j RETURN
-A neutron-openvswi-oa86f386a-8 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-of5f02caa-d -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-of5f02caa-d -j neutron-openvswi-sf5f02caa-d
-A neutron-openvswi-of5f02caa-d -p udp -m udp --sport 67 --dport 68 -j DROP
-A neutron-openvswi-of5f02caa-d -m state --state INVALID -j DROP
-A neutron-openvswi-of5f02caa-d -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-of5f02caa-d -j RETURN
-A neutron-openvswi-of5f02caa-d -j neutron-openvswi-sg-fallback
-A neutron-openvswi-sa86f386a-8 -s 10.0.0.15/32 -m mac --mac-source FA:16:3E:55:7F:B5 -j RETURN
-A neutron-openvswi-sa86f386a-8 -j DROP
-A neutron-openvswi-sf5f02caa-d -s 10.0.0.17/32 -m mac --mac-source FA:16:3E:AC:1F:2A -j RETURN
-A neutron-openvswi-sf5f02caa-d -j DROP
-A neutron-openvswi-sg-chain -m physdev --physdev-out tapf5f02caa-df --physdev-is-bridged -j neutron-openvswi-if5f02caa-d
-A neutron-openvswi-sg-chain -m physdev --physdev-in tapf5f02caa-df --physdev-is-bridged -j neutron-openvswi-of5f02caa-d
-A neutron-openvswi-sg-chain -m physdev --physdev-out tapa86f386a-84 --physdev-is-bridged -j neutron-openvswi-ia86f386a-8
-A neutron-openvswi-sg-chain -m physdev --physdev-in tapa86f386a-84 --physdev-is-bridged -j neutron-openvswi-oa86f386a-8
-A neutron-openvswi-sg-chain -j ACCEPT
-A neutron-openvswi-sg-fallback -j DROP
-A nova-api-INPUT -d 192.168.0.11/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-api-metadat-INPUT -d 192.168.0.11/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-filter-top -j nova-api-metadat-local
-A nova-filter-top -j nova-api-local# ip netns exec qrouter-46f858f1-aec7-4516-b148-9110f7d9d90c iptables -L -nv -t nat
Chain PREROUTING (policy ACCEPT 1034 packets, 177K bytes)
pkts bytes target prot opt in out source destination
1040 177K neutron-l3-agent-PREROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 9 packets, 616 bytes)
pkts bytes target prot opt in out source destination
15 1120 neutron-l3-agent-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
12 868 neutron-postrouting-bottom all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 3 packets, 252 bytes)
pkts bytes target prot opt in out source destination
8 576 neutron-l3-agent-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-OUTPUT (1 references)
pkts bytes target prot opt in out source destination
5 324 DNAT all -- * * 0.0.0.0/0 192.168.0.199 to:10.0.0.17
0 0 DNAT all -- * * 0.0.0.0/0 192.168.0.204 to:10.0.0.15
Chain neutron-l3-agent-POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
3 252 ACCEPT all -- !qg-92cfa1a7-94 !qg-92cfa1a7-94 0.0.0.0/0 0.0.0.0/0 ! ctstate DNAT
Chain neutron-l3-agent-PREROUTING (1 references)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- * * 0.0.0.0/0 169.254.169.254 tcp dpt:80 redir ports 9697
0 0 DNAT all -- * * 0.0.0.0/0 192.168.0.199 to:10.0.0.17
0 0 DNAT all -- * * 0.0.0.0/0 192.168.0.204 to:10.0.0.15
Chain neutron-l3-agent-float-snat (1 references)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * * 10.0.0.17 0.0.0.0/0 to:192.168.0.199
0 0 SNAT all -- * * 10.0.0.15 0.0.0.0/0 to:192.168.0.204
Chain neutron-l3-agent-snat (1 references)
pkts bytes target prot opt in out source destination
12 868 neutron-l3-agent-float-snat all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 SNAT all -- * * 10.0.0.0/24 0.0.0.0/0 to:192.168.0.203
Chain neutron-postrouting-bottom (1 references)
pkts bytes target prot opt in out source destination
12 868 neutron-l3-agent-snat all -- * * 0.0.0.0/0 0.0.0.0/0# ip netns exec qrouter-46f858f1-aec7-4516-b148-9110f7d9d90c iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N neutron-filter-top
-N neutron-l3-agent-FORWARD
-N neutron-l3-agent-INPUT
-N neutron-l3-agent-OUTPUT
-N neutron-l3-agent-local
-A INPUT -j neutron-l3-agent-INPUT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-l3-agent-FORWARD
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A neutron-filter-top -j neutron-l3-agent-local
-A neutron-l3-agent-INPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9697 -j ACCEPT回答 2
Server Fault用户
回答已采纳
发布于 2014-07-11 15:01:02
我刚刚重新安装了openstack包和包堆栈--allinone。
现在网络开始运作了!
我认为唯一不同的设置是public_net网络地址CIDR,是192.168.0.192/26,现在是192.168.0.0/24。
我不擅长网络管理。网络掩码是否影响网络路由表或其他什么?
Server Fault用户
发布于 2014-07-09 06:04:01
可能您的机器上没有配置ip和arp代理。
它们可以在主机上设置如下:
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE在这里可以获得更多详细信息:盒子中的Openstack
页面原文内容由Server Fault提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://serverfault.com/questions/610929
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号