I have a headnode (cloud/cc/sc/walrus) and several nodes (nc). The headnode has 2 network interfaces, eth1 for the private network (with the nodes) and eth0 for the public network.
The setup has no configuration problems and I can create and run VMs. However, I cannot access the Internet from the VM (172.19.1.2).
I can ping 172.19.1.1 which is the IP of eth1:priv on headnode.
I can ping 192.168.0.1 which is the IP of eth1 on headnode (and all hosts on the 192.168.0.0 network).
I can ping the IP of eth0 on headnode. But I cannot ping the gw of headnode or anything else in the public network of the headnode.
Am I missing something?
Here is my NAT table on the headnode:
Chain PREROUTING (policy ACCEPT 65501 packets, 8407895 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 172.19.0.0/16 169.254.169.254 tcp dpt:80 to:169.254.169.254:8773
0 0 DNAT all -- * * 0.0.0.0/0 192.168.0.100 to:172.19.1.2
Chain POSTROUTING (policy ACCEPT 1388 packets, 86788 bytes)
pkts bytes target prot opt in out source destination
7 560 SNAT all -- * * 172.19.1.2 !172.19.0.0/16 to:192.168.0.100
398 35485 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
3850 231177 MASQUERADE all -- * * !127.0.0.0/8 !172.19.0.0/16
Chain OUTPUT (policy ACCEPT 21118 packets, 1272059 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT all -- * * 0.0.0.0/0 192.168.0.100 to:172.19.1.2
The problem is that the main MASQ is left behind after the SNAT for the public IP. You see in the POSTROUTING chain:
Chain POSTROUTING (policy ACCEPT 1388 packets, 86788 bytes)
pkts bytes target prot opt in out source destination
7 560 SNAT all -- * * 172.19.1.2 !172.19.0.0/16 to:192.168.0.100
398 35485 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
3850 231177 MASQUERADE all -- * * !127.0.0.0/8 !172.19.0.0/16
If the MASQ is kept as the first rule, then this problem would not occur. For a quick fix, you need to delete your MASQ and insert it again. The problem would be solved by replacing the -I flag with -A in vnetwork.c:
snprintf(cmd, 255, "-I POSTROUTING -s %s -d ! %s/%d -j SNAT --to-source %s", dst, network, slashnet, src);
However, it seems that initially -A was used, but that resulted in another bug; see https://bugs.launchpad.net/eucalyptus/+bug/415312.
Then, the best solution seems to me to be allowing an option in the config file ...
EDIT: or get n, the number of rules after the preload, then use -I n.
Hello,
I'm not quite sure why you are having problems, since these are exactly the settings I regularly use and yet my VMs have outside connectivity. I noticed that you do have an extra MASQUERADE rule (MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0) which I assume you added yourself: can you try to remove it? Which version of Eucalyptus are you running and which distro are you using?
cheers
graziano
The SNAT rule (inserted with -I before the MASQUERADE) takes precedence, and there is no MASQUERADE done after that...
By adding one more MASQUERADE with -I (ahead of SNAT) then the internet works in the VM; however VMs created after that will place their SNAT before the new MASQUERADE, so you need to delete it and add it again.
In my case, it was there before I knew eucalyptus does any masquerading :) But removing or not, it is no different.
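Added example, not code from this thread or from Eucalyptus: a small Python model of first-match evaluation in the nat POSTROUTING chain, built from the three rules listed above, showing why the SNAT inserted with -I shadows the MASQUERADE rules (the point made in both replies above). ETH0_IP, the sample destinations and the function names are constructed for the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Model of the nat POSTROUTING chain from the thread. iptables applies the
# first matching nat rule to a new connection and then stops, so a later
# MASQUERADE never sees a packet that an earlier SNAT already rewrote.
VM_IP = "172.19.1.2"
PRIVATE_NET = "172.19.0.0/16"
PUBLIC_IP = "192.168.0.100"    # the "public" IP from the thread (really a LAN address)
ETH0_IP = "203.0.113.10"       # constructed: headnode eth0 address on the real public side
IF_ADDRS = {"eth0": ETH0_IP, "eth1": "192.168.0.1"}

@dataclass
class Rule:
    target: str                        # "SNAT" or "MASQUERADE"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    src_negated: bool = False          # "!" in front of the source match
    dst_negated: bool = False          # "!" in front of the destination match
    out_if: Optional[str] = None       # -o interface, None means any
    to_source: Optional[str] = None    # SNAT --to-source

    def matches(self, src, dst, out_if):
        src_hit = ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
        dst_hit = ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
        return (src_hit != self.src_negated and dst_hit != self.dst_negated
                and self.out_if in (None, out_if))

def postrouting(chain, src, dst, out_if):
    """Source address the packet leaves with: the first matching nat rule wins."""
    for rule in chain:
        if rule.matches(src, dst, out_if):
            return rule.to_source if rule.target == "SNAT" else IF_ADDRS[out_if]
    return src  # nothing matched, address unchanged

def snat_shadows_masquerade(chain):
    """True when a SNAT rule sits ahead of every MASQUERADE rule (the bug in the thread)."""
    snat = next((i for i, r in enumerate(chain) if r.target == "SNAT"), None)
    masq = next((i for i, r in enumerate(chain) if r.target == "MASQUERADE"), None)
    return snat is not None and (masq is None or snat < masq)

# The three POSTROUTING rules as listed in the thread, in the order -I produced
SNAT_RULE = Rule("SNAT", src=VM_IP, dst=PRIVATE_NET, dst_negated=True, to_source=PUBLIC_IP)
MASQ_ETH0 = Rule("MASQUERADE", out_if="eth0")
MASQ_ANY = Rule("MASQUERADE", src="127.0.0.0/8", src_negated=True, dst=PRIVATE_NET, dst_negated=True)
AS_LISTED = [SNAT_RULE, MASQ_ETH0, MASQ_ANY]   # SNAT inserted ahead of the MASQUERADEs
MASQ_FIRST = [MASQ_ETH0, MASQ_ANY, SNAT_RULE]  # MASQUERADE kept first, as the thread proposes

def egress_source(chain, dst="198.51.100.5"):
    """Address an Internet-bound packet from the VM carries when it leaves eth0."""
    return postrouting(chain, VM_IP, dst, "eth0")
```

With the rules as listed, Internet-bound traffic leaves eth0 as 192.168.0.100, which the 192.168.0.0 LAN can answer but the public gateway cannot; with the MASQUERADE first it leaves with the eth0 address.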
Hello,
which distro are you using? And which version of Eucalyptus? Did you install from packages or from source?
We need more information to recreate the problem, since this problem is not appearing in our tests. And we test all network modes.
thanks for looking into it!
cheers
graziano
Hello Graziano,
Thanks for your reply.
I'm using Ubuntu 10.04 (lucid), installed from alpha 3, and currently updated to the latest beta.
Like I said before, eucalyptus is running fine, I am able to start VMs, login to the image and so on. The problem seems to be the iptables rules in the nat chain. In your config, after you start VMs, how do the rules look?
Thanks,
Marian
Ok, so after paying more attention to the documentation, the IP range has to be PUBLIC addresses, which in my case are not (they are class C in the private network).
Is there a way to disable the public IPs? What happens if I delete the IP range in the config file?
Thanks,
Marian