Hi there,

I have a problem with my CloudStack/network setup. I hope somebody can help me.

I'm using KVM, and CentOS 6 is installed on all servers. I have no errors in the 
logs and all instances are running.

Here is my current network setup: 
https://www.dropbox.com/s/nzfiy1ilebugi0k/cloud_network.png?dl=0

I have a CloudStack advanced network, and my virtual servers, like the VR, can't 
connect to the internet or even ping the gateway. I also can't ping the VR from 
the public network.
The nodes on which the VMs are running are able to ping the public 
network/internet.

I have only one gateway, so I created a NAT on the management server. So the VMs 
that want to connect to my public network must go through another subnet first. I 
think my problem has something to do with my iptables (NAT) settings. For a 
better understanding please see my diagram.

Does somebody have an idea? I appreciate every piece of advice. If this cannot work, 
what alternatives do I have to create an advanced network with only one gateway?


Please find below my iptables settings:

IPtables of the management server:

# Generated by iptables-save v1.4.7
*nat
:PREROUTING ACCEPT [1158:172626]
:POSTROUTING ACCEPT [119:8872]
:OUTPUT ACCEPT [119:8872]
-A POSTROUTING -o eth0 -j MASQUERADE
# -A POSTROUTING -s 192.168.1.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed
# Generated by iptables-save v1.4.7
*filter
:INPUT ACCEPT [119736:288057978]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [145743:303840575]
-A INPUT -p tcp -m tcp --dport 9090 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8250 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 32803 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m state --state NEW -m udp --dport 32769 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 892 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m state --state NEW -m udp --dport 892 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 875 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m state --state NEW -m udp --dport 875 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 662 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m state --state NEW -m udp --dport 662 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
# Completed

IPtables of the nodes:

# Generated by iptables-save v1.4.7
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Tue Mar 25 14:45:02 2014
# Generated by iptables-save v1.4.7
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed
# Generated by iptables-save v1.4.7
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 49152:49216 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900:6100 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 16509 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 32803 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m state --state NEW -m udp --dport 32769 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 892 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m state --state NEW -m udp --dport 892 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 875 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m state --state NEW -m udp --dport 875 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 662 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m state --state NEW -m udp --dport 662 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed 
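As an added example (not part of the post), the following script parses an iptables-save dump and checks it against the three rules a single-gateway NAT forwarder needs, assuming eth1 faces the cloud side and eth0 faces the public network as the posted FORWARD rules suggest; the embedded sample is the management-server nat/filter ruleset from the post with the INPUT rules left out.

```python
"""Check an iptables-save dump for the rules a LAN->WAN masquerading router
needs: MASQUERADE on the WAN side, a FORWARD accept for LAN->WAN, and a
FORWARD accept for the RELATED,ESTABLISHED return path WAN->LAN, plus a
FORWARD policy of DROP so nothing else is routed. Sample input: the
management-server nat/filter tables from the post (INPUT rules omitted)."""

MGMT_DUMP = """
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
"""

def parse_iptables_save(dump):
    """Return (policies, rules): policies[table][chain] -> policy string,
    rules[table] -> list of '-A ...' rule strings. Comments are skipped."""
    policies, rules, table = {}, {}, None
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "COMMIT")):
            continue
        if line.startswith("*"):                  # table header, e.g. *nat
            table = line[1:]
            policies[table], rules[table] = {}, []
        elif line.startswith(":"):                # :CHAIN POLICY [pkts:bytes]
            chain, policy = line[1:].split()[:2]
            policies[table][chain] = policy
        elif line.startswith("-A "):
            rules[table].append(line)
    return policies, rules

def audit_nat_forwarder(dump, lan="eth1", wan="eth0"):
    """Return a list of findings; an empty list means the ruleset matches
    the LAN->WAN masquerading pattern (routing/sysctl are not covered)."""
    policies, rules = parse_iptables_save(dump)
    nat = rules.get("nat", [])
    fwd = [r for r in rules.get("filter", []) if r.startswith("-A FORWARD")]
    findings = []
    if not any(f"-o {wan}" in r and "-j MASQUERADE" in r for r in nat):
        findings.append(f"nat: no MASQUERADE for traffic leaving {wan}")
    if not any(f"-i {lan} -o {wan}" in r and "-j ACCEPT" in r for r in fwd):
        findings.append(f"filter: FORWARD does not accept {lan} -> {wan}")
    if not any(f"-i {wan} -o {lan}" in r and "RELATED,ESTABLISHED" in r and "-j ACCEPT" in r for r in fwd):
        findings.append(f"filter: FORWARD lacks RELATED,ESTABLISHED return path {wan} -> {lan}")
    if policies.get("filter", {}).get("FORWARD") != "DROP":
        findings.append("filter: FORWARD policy is not DROP; unrelated traffic would be routed")
    return findings
```

For the posted management-server dump the audit returns no findings, so the nat/filter rules themselves match the forwarder pattern; net.ipv4.ip_forward and the VMs' default routes are not visible in iptables-save output and need to be checked separately.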

