Created
July 9, 2014 09:19
-
-
Save kopparam/c9226bfd374fe1f43637 to your computer and use it in GitHub Desktop.
IP tables that work for nova network on compute node
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Generated by iptables-save v1.4.7 on Wed Jul 9 13:55:55 2014 | |
| *filter | |
| :INPUT ACCEPT [109755:28834208] | |
| :FORWARD ACCEPT [315:43569] | |
| :OUTPUT ACCEPT [28584:8957373] | |
| :nova-api-metadat-FORWARD - [0:0] | |
| :nova-api-metadat-INPUT - [0:0] | |
| :nova-api-metadat-OUTPUT - [0:0] | |
| :nova-api-metadat-local - [0:0] | |
| :nova-compute-FORWARD - [0:0] | |
| :nova-compute-INPUT - [0:0] | |
| :nova-compute-OUTPUT - [0:0] | |
| :nova-compute-inst-56 - [0:0] | |
| :nova-compute-inst-59 - [0:0] | |
| :nova-compute-inst-63 - [0:0] | |
| :nova-compute-local - [0:0] | |
| :nova-compute-provider - [0:0] | |
| :nova-compute-sg-fallback - [0:0] | |
| :nova-filter-top - [0:0] | |
| :nova-network-FORWARD - [0:0] | |
| :nova-network-INPUT - [0:0] | |
| :nova-network-OUTPUT - [0:0] | |
| :nova-network-local - [0:0] | |
| -A INPUT -j nova-network-INPUT | |
| -A INPUT -j nova-compute-INPUT | |
| -A INPUT -j nova-api-metadat-INPUT | |
| -A FORWARD -j nova-filter-top | |
| -A FORWARD -j nova-network-FORWARD | |
| -A FORWARD -j nova-compute-FORWARD | |
| -A FORWARD -j nova-api-metadat-FORWARD | |
| -A FORWARD -o eth0 -j ACCEPT | |
| -A FORWARD -i eth0 -j ACCEPT | |
| -A OUTPUT -j nova-filter-top | |
| -A OUTPUT -j nova-network-OUTPUT | |
| -A OUTPUT -j nova-compute-OUTPUT | |
| -A OUTPUT -j nova-api-metadat-OUTPUT | |
| -A nova-api-metadat-INPUT -d 10.4.3.231/32 -p tcp -m tcp --dport 8775 -j ACCEPT | |
| -A nova-compute-FORWARD -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT | |
| -A nova-compute-INPUT -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT | |
| -A nova-compute-inst-56 -m state --state INVALID -j DROP | |
| -A nova-compute-inst-56 -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| -A nova-compute-inst-56 -j nova-compute-provider | |
| -A nova-compute-inst-56 -s 192.168.0.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT | |
| -A nova-compute-inst-56 -p tcp -m tcp --dport 22 -j ACCEPT | |
| -A nova-compute-inst-56 -p icmp -j ACCEPT | |
| -A nova-compute-inst-56 -p tcp -m multiport --dports 1:65535 -j ACCEPT | |
| -A nova-compute-inst-56 -s 192.168.0.0/24 -p tcp -m tcp --dport 53 -j ACCEPT | |
| -A nova-compute-inst-56 -j nova-compute-sg-fallback | |
| -A nova-compute-inst-59 -m state --state INVALID -j DROP | |
| -A nova-compute-inst-59 -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| -A nova-compute-inst-59 -j nova-compute-provider | |
| -A nova-compute-inst-59 -s 192.168.0.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT | |
| -A nova-compute-inst-59 -p tcp -m tcp --dport 22 -j ACCEPT | |
| -A nova-compute-inst-59 -p icmp -j ACCEPT | |
| -A nova-compute-inst-59 -p tcp -m multiport --dports 1:65535 -j ACCEPT | |
| -A nova-compute-inst-59 -s 192.168.0.0/24 -p tcp -m tcp --dport 53 -j ACCEPT | |
| -A nova-compute-inst-59 -j nova-compute-sg-fallback | |
| -A nova-compute-inst-63 -m state --state INVALID -j DROP | |
| -A nova-compute-inst-63 -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| -A nova-compute-inst-63 -j nova-compute-provider | |
| -A nova-compute-inst-63 -s 192.168.0.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT | |
| -A nova-compute-inst-63 -p tcp -m tcp --dport 22 -j ACCEPT | |
| -A nova-compute-inst-63 -p icmp -j ACCEPT | |
| -A nova-compute-inst-63 -p tcp -m multiport --dports 1:65535 -j ACCEPT | |
| -A nova-compute-inst-63 -s 192.168.0.0/24 -p tcp -m tcp --dport 53 -j ACCEPT | |
| -A nova-compute-inst-63 -j nova-compute-sg-fallback | |
| -A nova-compute-local -d 192.168.0.2/32 -j nova-compute-inst-56 | |
| -A nova-compute-local -d 192.168.0.3/32 -j nova-compute-inst-59 | |
| -A nova-compute-local -d 192.168.0.4/32 -j nova-compute-inst-63 | |
| -A nova-compute-sg-fallback -j DROP | |
| -A nova-filter-top -j nova-network-local | |
| -A nova-filter-top -j nova-compute-local | |
| -A nova-filter-top -j nova-api-metadat-local | |
| -A nova-network-FORWARD -d 255.255.255.255/32 -p udp -m physdev --physdev-in eth0 -m udp --dport 67 -j DROP | |
| -A nova-network-FORWARD -d 255.255.255.255/32 -p udp -m physdev --physdev-out eth0 -m udp --dport 67 -j DROP | |
| -A nova-network-FORWARD -d 192.168.0.1/32 -m physdev --physdev-in eth0 -j DROP | |
| -A nova-network-FORWARD -s 192.168.0.1/32 -m physdev --physdev-out eth0 -j DROP | |
| -A nova-network-FORWARD -i br100 -j ACCEPT | |
| -A nova-network-FORWARD -o br100 -j ACCEPT | |
| -A nova-network-INPUT -i br100 -p udp -m udp --dport 67 -j ACCEPT | |
| -A nova-network-INPUT -i br100 -p tcp -m tcp --dport 67 -j ACCEPT | |
| -A nova-network-INPUT -i br100 -p udp -m udp --dport 53 -j ACCEPT | |
| -A nova-network-INPUT -i br100 -p tcp -m tcp --dport 53 -j ACCEPT | |
| COMMIT | |
| # Completed on Wed Jul 9 13:55:55 2014 | |
| # Generated by iptables-save v1.4.7 on Wed Jul 9 13:55:55 2014 | |
| *mangle | |
| :PREROUTING ACCEPT [7930120:3253630481] | |
| :INPUT ACCEPT [159371:44251936] | |
| :FORWARD ACCEPT [927079:669481732] | |
| :OUTPUT ACCEPT [40831:12361475] | |
| :POSTROUTING ACCEPT [959425:679268549] | |
| :nova-api-metadat-POSTROUTING - [0:0] | |
| :nova-compute-POSTROUTING - [0:0] | |
| :nova-network-POSTROUTING - [0:0] | |
| -A POSTROUTING -j nova-network-POSTROUTING | |
| -A POSTROUTING -j nova-compute-POSTROUTING | |
| -A POSTROUTING -j nova-api-metadat-POSTROUTING | |
| -A nova-network-POSTROUTING -o br100 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill | |
| COMMIT | |
| # Completed on Wed Jul 9 13:55:55 2014 | |
| # Generated by iptables-save v1.4.7 on Wed Jul 9 13:55:55 2014 | |
| *nat | |
| :PREROUTING ACCEPT [460491:52960237] | |
| :POSTROUTING ACCEPT [4863:666027] | |
| :OUTPUT ACCEPT [148:47328] | |
| :nova-api-metadat-OUTPUT - [0:0] | |
| :nova-api-metadat-POSTROUTING - [0:0] | |
| :nova-api-metadat-PREROUTING - [0:0] | |
| :nova-api-metadat-float-snat - [0:0] | |
| :nova-api-metadat-snat - [0:0] | |
| :nova-compute-OUTPUT - [0:0] | |
| :nova-compute-POSTROUTING - [0:0] | |
| :nova-compute-PREROUTING - [0:0] | |
| :nova-compute-float-snat - [0:0] | |
| :nova-compute-snat - [0:0] | |
| :nova-network-OUTPUT - [0:0] | |
| :nova-network-POSTROUTING - [0:0] | |
| :nova-network-PREROUTING - [0:0] | |
| :nova-network-float-snat - [0:0] | |
| :nova-network-snat - [0:0] | |
| :nova-postrouting-bottom - [0:0] | |
| -A PREROUTING -j nova-network-PREROUTING | |
| -A PREROUTING -j nova-compute-PREROUTING | |
| -A PREROUTING -j nova-api-metadat-PREROUTING | |
| -A POSTROUTING -s 192.168.0.0/24 ! -d 192.168.0.0/24 -j MASQUERADE | |
| -A POSTROUTING -j nova-network-POSTROUTING | |
| -A POSTROUTING -j nova-compute-POSTROUTING | |
| -A POSTROUTING -j nova-api-metadat-POSTROUTING | |
| -A POSTROUTING -j nova-postrouting-bottom | |
| -A OUTPUT -j nova-network-OUTPUT | |
| -A OUTPUT -j nova-compute-OUTPUT | |
| -A OUTPUT -j nova-api-metadat-OUTPUT | |
| -A nova-api-metadat-snat -j nova-api-metadat-float-snat | |
| -A nova-compute-snat -j nova-compute-float-snat | |
| -A nova-network-OUTPUT -d 10.4.200.66/32 -j DNAT --to-destination 192.168.0.2 | |
| -A nova-network-OUTPUT -d 10.4.200.67/32 -j DNAT --to-destination 192.168.0.3 | |
| -A nova-network-OUTPUT -d 10.4.200.68/32 -j DNAT --to-destination 192.168.0.4 | |
| -A nova-network-POSTROUTING -s 192.168.0.0/24 -d 10.4.3.231/32 -j ACCEPT | |
| -A nova-network-POSTROUTING -s 192.168.0.0/24 -d 10.4.200.0/24 -j ACCEPT | |
| -A nova-network-POSTROUTING -s 192.168.0.0/24 -d 192.168.0.0/24 -m conntrack ! --ctstate DNAT -j ACCEPT | |
| -A nova-network-POSTROUTING -s 192.168.0.2/32 -m conntrack --ctstate DNAT -j SNAT --to-source 10.4.200.66 | |
| -A nova-network-POSTROUTING -s 192.168.0.3/32 -m conntrack --ctstate DNAT -j SNAT --to-source 10.4.200.67 | |
| -A nova-network-POSTROUTING -s 192.168.0.4/32 -m conntrack --ctstate DNAT -j SNAT --to-source 10.4.200.68 | |
| -A nova-network-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.4.3.231:8775 | |
| -A nova-network-PREROUTING -d 10.4.200.66/32 -j DNAT --to-destination 192.168.0.2 | |
| -A nova-network-PREROUTING -d 10.4.200.67/32 -j DNAT --to-destination 192.168.0.3 | |
| -A nova-network-PREROUTING -d 10.4.200.68/32 -j DNAT --to-destination 192.168.0.4 | |
| -A nova-network-float-snat -s 192.168.0.2/32 -d 192.168.0.2/32 -j SNAT --to-source 10.4.200.66 | |
| -A nova-network-float-snat -s 192.168.0.2/32 -o eth0 -j SNAT --to-source 10.4.200.66 | |
| -A nova-network-float-snat -s 192.168.0.3/32 -d 192.168.0.3/32 -j SNAT --to-source 10.4.200.67 | |
| -A nova-network-float-snat -s 192.168.0.3/32 -o eth0 -j SNAT --to-source 10.4.200.67 | |
| -A nova-network-float-snat -s 192.168.0.4/32 -d 192.168.0.4/32 -j SNAT --to-source 10.4.200.68 | |
| -A nova-network-float-snat -s 192.168.0.4/32 -o eth0 -j SNAT --to-source 10.4.200.68 | |
| -A nova-network-snat -j nova-network-float-snat | |
| -A nova-network-snat -s 192.168.0.0/24 -o eth0 -j SNAT --to-source 10.4.3.231 | |
| -A nova-postrouting-bottom -j nova-network-snat | |
| -A nova-postrouting-bottom -j nova-compute-snat | |
| -A nova-postrouting-bottom -j nova-api-metadat-snat | |
| COMMIT | |
| # Completed on Wed Jul 9 13:55:55 2014 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment