999
社区成员
发帖
与我相关
我的任务
分享nova-network配置后无法ping通外网
配置如下:
network_manager = nova.network.manager.FlatDHCPManager
firewall_driver = nova.virt.libvirt.firewall.IptalbesFirewallDriver
network_size = 254
allow_same_net_traffic = False
multi_host = True
send_arp_for_ha = True
share_dhcp_address = True
force_dhcp_release = True
flat_interface = eth1
flat_network_bridge = br100
public_interface = eth1
[root@compute1 ~]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.70.0 * 255.255.255.0 U 0 0 0 eth0
10.0.0.0 * 255.255.255.0 U 0 0 0 br100
192.168.122.0 * 255.255.255.0 U 0 0 0 virbr0
link-local * 255.255.0.0 U 1002 0 0 eth0
default 10.0.0.1 0.0.0.0 UG 0 0 0 br100
结果如下:
[root@compute1 ~]# ping www.baidu.com
ping: unknown host www.baidu.com
eth0 配置的192段 eth1 配置的10段
[root@compute1 ~]# iptables -t filter -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N nova-api-metadat-FORWARD
-N nova-api-metadat-INPUT
-N nova-api-metadat-OUTPUT
-N nova-api-metadat-local
-N nova-filter-top
-N nova-network-FORWARD
-N nova-network-INPUT
-N nova-network-OUTPUT
-N nova-network-local
-A INPUT -j nova-network-INPUT
-A INPUT -j nova-api-metadat-INPUT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-network-FORWARD
-A FORWARD -j nova-api-metadat-FORWARD
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-network-OUTPUT
-A OUTPUT -j nova-api-metadat-OUTPUT
-A nova-api-metadat-INPUT -d 192.168.70.201/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-filter-top -j nova-network-local
-A nova-filter-top -j nova-api-metadat-local
-A nova-network-FORWARD -d 255.255.255.255/32 -p udp -m physdev --physdev-in eth1 -m udp --dport 67 -j DROP
-A nova-network-FORWARD -d 255.255.255.255/32 -p udp -m physdev --physdev-out eth1 -m udp --dport 67 -j DROP
-A nova-network-FORWARD -d 10.0.0.1/32 -m physdev --physdev-in eth1 -j DROP
-A nova-network-FORWARD -s 10.0.0.1/32 -m physdev --physdev-out eth1 -j DROP
-A nova-network-FORWARD -i br100 -j ACCEPT
-A nova-network-FORWARD -o br100 -j ACCEPT
-A nova-network-INPUT -i br100 -p udp -m udp --dport 67 -j ACCEPT
-A nova-network-INPUT -i br100 -p tcp -m tcp --dport 67 -j ACCEPT
-A nova-network-INPUT -i br100 -p udp -m udp --dport 53 -j ACCEPT
-A nova-network-INPUT -i br100 -p tcp -m tcp --dport 53 -j ACCEPT
[root@compute1 ~]# iptables -t nat -S
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-N nova-api-metadat-OUTPUT
-N nova-api-metadat-POSTROUTING
-N nova-api-metadat-PREROUTING
-N nova-api-metadat-float-snat
-N nova-api-metadat-snat
-N nova-network-OUTPUT
-N nova-network-POSTROUTING
-N nova-network-PREROUTING
-N nova-network-float-snat
-N nova-network-snat
-N nova-postrouting-bottom
-A PREROUTING -j nova-network-PREROUTING
-A PREROUTING -j nova-api-metadat-PREROUTING
-A POSTROUTING -j nova-network-POSTROUTING
-A POSTROUTING -j nova-api-metadat-POSTROUTING
-A POSTROUTING -j nova-postrouting-bottom
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A OUTPUT -j nova-network-OUTPUT
-A OUTPUT -j nova-api-metadat-OUTPUT
-A nova-api-metadat-snat -j nova-api-metadat-float-snat
-A nova-network-POSTROUTING -s 10.0.0.0/24 -d 192.168.70.201/32 -j ACCEPT
-A nova-network-POSTROUTING -s 10.0.0.0/24 -d 10.0.0.0/24 -m conntrack ! --ctstate DNAT -j ACCEPT
-A nova-network-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.70.201:8775
-A nova-network-snat -j nova-network-float-snat
-A nova-network-snat -s 10.0.0.0/24 -o eth0 -j SNAT --to-source 192.168.70.201
-A nova-postrouting-bottom -j nova-network-snat
-A nova-postrouting-bottom -j nova-api-metadat-snat
求帮助
network_manager = nova.network.manager.FlatDHCPManager
firewall_driver = nova.virt.libvirt.firewall.IptalbesFirewallDriver
network_size = 254
allow_same_net_traffic = False
multi_host = True
send_arp_for_ha = True
share_dhcp_address = True
force_dhcp_release = True
flat_interface = eth1
flat_network_bridge = br100
public_interface = eth1
[root@compute1 ~]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.70.0 * 255.255.255.0 U 0 0 0 eth0
10.0.0.0 * 255.255.255.0 U 0 0 0 br100
192.168.122.0 * 255.255.255.0 U 0 0 0 virbr0
link-local * 255.255.0.0 U 1002 0 0 eth0
default 10.0.0.1 0.0.0.0 UG 0 0 0 br100
结果如下:
[root@compute1 ~]# ping www.baidu.com
ping: unknown host www.baidu.com
eth0 配置的192段 eth1 配置的10段
[root@compute1 ~]# iptables -t filter -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N nova-api-metadat-FORWARD
-N nova-api-metadat-INPUT
-N nova-api-metadat-OUTPUT
-N nova-api-metadat-local
-N nova-filter-top
-N nova-network-FORWARD
-N nova-network-INPUT
-N nova-network-OUTPUT
-N nova-network-local
-A INPUT -j nova-network-INPUT
-A INPUT -j nova-api-metadat-INPUT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-network-FORWARD
-A FORWARD -j nova-api-metadat-FORWARD
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-network-OUTPUT
-A OUTPUT -j nova-api-metadat-OUTPUT
-A nova-api-metadat-INPUT -d 192.168.70.201/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-filter-top -j nova-network-local
-A nova-filter-top -j nova-api-metadat-local
-A nova-network-FORWARD -d 255.255.255.255/32 -p udp -m physdev --physdev-in eth1 -m udp --dport 67 -j DROP
-A nova-network-FORWARD -d 255.255.255.255/32 -p udp -m physdev --physdev-out eth1 -m udp --dport 67 -j DROP
-A nova-network-FORWARD -d 10.0.0.1/32 -m physdev --physdev-in eth1 -j DROP
-A nova-network-FORWARD -s 10.0.0.1/32 -m physdev --physdev-out eth1 -j DROP
-A nova-network-FORWARD -i br100 -j ACCEPT
-A nova-network-FORWARD -o br100 -j ACCEPT
-A nova-network-INPUT -i br100 -p udp -m udp --dport 67 -j ACCEPT
-A nova-network-INPUT -i br100 -p tcp -m tcp --dport 67 -j ACCEPT
-A nova-network-INPUT -i br100 -p udp -m udp --dport 53 -j ACCEPT
-A nova-network-INPUT -i br100 -p tcp -m tcp --dport 53 -j ACCEPT
[root@compute1 ~]# iptables -t nat -S
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-N nova-api-metadat-OUTPUT
-N nova-api-metadat-POSTROUTING
-N nova-api-metadat-PREROUTING
-N nova-api-metadat-float-snat
-N nova-api-metadat-snat
-N nova-network-OUTPUT
-N nova-network-POSTROUTING
-N nova-network-PREROUTING
-N nova-network-float-snat
-N nova-network-snat
-N nova-postrouting-bottom
-A PREROUTING -j nova-network-PREROUTING
-A PREROUTING -j nova-api-metadat-PREROUTING
-A POSTROUTING -j nova-network-POSTROUTING
-A POSTROUTING -j nova-api-metadat-POSTROUTING
-A POSTROUTING -j nova-postrouting-bottom
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A OUTPUT -j nova-network-OUTPUT
-A OUTPUT -j nova-api-metadat-OUTPUT
-A nova-api-metadat-snat -j nova-api-metadat-float-snat
-A nova-network-POSTROUTING -s 10.0.0.0/24 -d 192.168.70.201/32 -j ACCEPT
-A nova-network-POSTROUTING -s 10.0.0.0/24 -d 10.0.0.0/24 -m conntrack ! --ctstate DNAT -j ACCEPT
-A nova-network-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.70.201:8775
-A nova-network-snat -j nova-network-float-snat
-A nova-network-snat -s 10.0.0.0/24 -o eth0 -j SNAT --to-source 192.168.70.201
-A nova-postrouting-bottom -j nova-network-snat
-A nova-postrouting-bottom -j nova-api-metadat-snat
求帮助
...全文
请发表友善的回复…
发表回复
dxy_dxy_dxy 2016-05-01
- 打赏
- 举报
The warning is 'unknow host name'.
Maybe there is something wrong with the DNS.
Please check on the /etc/resolve.conf or try to connect www.baidu.com with its public IP.
If you could connect the www.baidu.com with its public IP ,then there maybe something wrong with DNS.
