Public bug reported:
On Ubuntu Maverick (Eucalyptus 2.0) I'm not able to reach the eucalyptus
instances, due to the firewall rules. I didn't find exactly the problem,
but I only know that it's iptables which drops the packets.
Our setup is a server with CC, Walrus and SC and two additional servers
with NC; all servers have two network cards, one connected to our public
LAN and another one connected to an isolated switch.
CC and walrus listen on the public LAN network, the SC and NC listen on
the private LAN network.
We are able to launch instances and to connect EBS volumes without
problems. From within the instances, we are able to connect to the Internet
without problems as well. However, our problem comes when we try to
connect to the instances using the public LAN IP address we assigned at
installation time: all packets are dropped.
For the iptables rules I'm going to attach, we have the public IP
address 10.82.3.1 assigned to the CC public interface (br0), which
points to the 172.19.1.2 IP address assigned to the eucalyptus instance.
I just opened the ping port:
sysadmin@europe:~$ sudo iptables -n -L -t nat
Chain PREROUTING (policy ACCEPT)
target       prot opt source           destination
DNAT         tcp  --  172.19.0.0/16    169.254.169.254  tcp dpt:80 to:169.254.169.254:8773
DNAT         all  --  0.0.0.0/0        10.82.3.1        to:172.19.1.2
Chain OUTPUT (policy ACCEPT)
target       prot opt source           destination
DNAT         all  --  0.0.0.0/0        10.82.3.1        to:172.19.1.2
Chain POSTROUTING (policy ACCEPT)
target       prot opt source           destination
SNAT         all  --  172.19.1.2       !172.19.0.0/16   to:10.82.3.1
MASQUERADE   all  --  172.19.0.0/16    !172.19.0.0/16
sysadmin@europe:~$ sudo iptables -n -L
Chain INPUT (policy ACCEPT)
target       prot opt source           destination
Chain FORWARD (policy DROP)
target       prot opt source           destination
ACCEPT       all  --  0.0.0.0/0        0.0.0.0/0        ctstate ESTABLISHED
ACCEPT       all  --  0.0.0.0/0        !172.19.0.0/16
build-build  all  --  0.0.0.0/0        0.0.0.0/0
ACCEPT       all  --  172.19.1.0/27    172.19.1.0/27
LOG          all  --  0.0.0.0/0        0.0.0.0/0        limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `iptables denied (input): '
Chain OUTPUT (policy ACCEPT)
target       prot opt source           destination
Chain build-build (1 references)
target       prot opt source           destination
ACCEPT       icmp --  0.0.0.0          172.19.1.0/27
And the configured network interfaces:
sysadmin@europe:~$ ifconfig
br0 Link encap:Ethernet HWaddr
inet addr:10.82.0.10 Bcast:10.82.3.255 Mask:255.255.252.0
inet6 addr: fe80::222:19ff:fe55:abd1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3154360 errors:0 dropped:0 overruns:0 frame:0
TX packets:252607 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:250658946 (250.6 MB) TX bytes:555159076 (555.1 MB)
br1 Link encap:Ethernet HWaddr XXX
inet addr:192.168.0.10 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::222:19ff:fe55:abd3/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2727761 errors:0 dropped:0 overruns:0 frame:0
TX packets:3336571 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1876704895 (1.8 GB) TX bytes:1622792007 (1.6 GB)
br0:pub Link encap:Ethernet HWaddr XX
inet addr:10.82.3.1 Bcast:0.0.0.0 Mask:255.255.255.255
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
br1:metadata Link encap:Ethernet HWaddr 00:22:19:55:ab:d3
inet addr:169.254.169.254 Bcast:0.0.0.0 Mask:255.255.255.255
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
br1:priv Link encap:Ethernet HWaddr XXX
inet addr:172.19.1.1 Bcast:172.19.1.31 Mask:255.255.255.224
UP BROADCAST RUNNING MULTICAST MTU:1500
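To see which of the rules listed above a packet from the public LAN actually hits, here is an added Python walk-through of the FORWARD chain and its build-build sub-chain; it is not part of the bug report. The rules are transcribed from the listing; the packet and the public-LAN host 10.82.0.50 are constructed. One thing worth keeping in mind while reading the listing: iptables -n prints an any-source match as 0.0.0.0/0, whereas the build-build rule prints 0.0.0.0, which iptables treats as the single host 0.0.0.0/32.

```python
import ipaddress

def net(spec):
    # iptables -n prints a bare host as x.x.x.x (a /32); a leading '!' negates.
    neg = spec.startswith("!")
    return neg, ipaddress.ip_network(spec.lstrip("!"), strict=False)

def match(neg, network, addr):
    return (ipaddress.ip_address(addr) in network) != neg

# (target, proto, source, destination, ctstate), transcribed from the listing.
CHAINS = {
    "FORWARD": [
        ("ACCEPT",      "all", "0.0.0.0/0",     "0.0.0.0/0",      "ESTABLISHED"),
        ("ACCEPT",      "all", "0.0.0.0/0",     "!172.19.0.0/16", None),
        ("build-build", "all", "0.0.0.0/0",     "0.0.0.0/0",      None),
        ("ACCEPT",      "all", "172.19.1.0/27", "172.19.1.0/27",  None),
        ("LOG",         "all", "0.0.0.0/0",     "0.0.0.0/0",      None),
    ],
    # "any source" prints as 0.0.0.0/0; this rule prints 0.0.0.0, i.e. 0.0.0.0/32.
    "build-build": [("ACCEPT", "icmp", "0.0.0.0", "172.19.1.0/27", None)],
}
POLICY = {"FORWARD": "DROP", "build-build": "RETURN"}  # end-of-chain behaviour

def walk(chain, pkt, chains, trace):
    for target, proto, src, dst, state in chains[chain]:
        if proto != "all" and proto != pkt["proto"]:
            continue
        if not match(*net(src), pkt["src"]) or not match(*net(dst), pkt["dst"]):
            continue
        if state and state != pkt["ctstate"]:
            continue
        trace.append(f"{chain}: {target} {proto} {src} -> {dst}")
        if target == "LOG":
            continue                      # LOG is non-terminating
        if target in chains:              # jump into a user-defined chain
            verdict = walk(target, pkt, chains, trace)
            if verdict != "RETURN":
                return verdict
            continue
        return target
    return POLICY[chain]

def verdict_for(pkt, chains=CHAINS):  # -> (verdict, matched-rule trace)
    trace = []
    return walk("FORWARD", pkt, chains, trace), trace

# Constructed packet: first echo request from a public-LAN host, as FORWARD
# sees it after PREROUTING has DNATed 10.82.3.1 to the instance.
PING = {"proto": "icmp", "src": "10.82.0.50", "dst": "172.19.1.2", "ctstate": "NEW"}
print(verdict_for(PING))  # the first ping only matches the LOG rule, then hits the policy
```

Passing a copy of `CHAINS` with the build-build source changed to 0.0.0.0/0 into `verdict_for` lets you check a candidate rule against the same packet before touching the live ruleset.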