0

I'm using OpenStack and OVS. This is my case:

  • From a remote host, I ping VM with IP A.
  • Local gateway received the echo request, then send a packet with IP A and MAC address A' (based on a fixed IP-MAC map on gateway)
  • The virtual router on host machine (with MAC address R) somehow receive the packet on its external interface. I checked it by tcpdump.
  • On the virtual router, there are NAT rules to translate address A to internal address 192.168.100.40:
Chain neutron-l3-agent-PREROUTING (1 references)

target     prot opt source               destination         
DNAT       all  --  anywhere             46.105.252.217       to:192.168.100.43
DNAT       all  --  anywhere             46.105.252.219       to:192.168.100.40

But the problem is those rules are never hit. I checked it with 

iptables -t nat -L -v -n

and found out hit count of these rule = 0.

I don't know how can I debug this case. Is it because MAC address is different from router's MAC that packets are dropped? If yes, why tcpdump shows message.

If it passed MAC address check, why those packets didn't hit iptables rules. How can I debug this case?

user225627
  • 1
  • 1
  • 1
  • Show your firewall rules. You ran the command but forgot to post the output. – Michael Hampton Jul 01 '14 at 11:46
  • Here is the output of packets hit count [iptables](http://tny.cz/1fa39ff2). Two important DNAT rule had zero hit. – user225627 Jul 01 '14 at 15:25
  • This is the echo request I got from TCPdump at the outer-inteface of the router: `17:29:49.405463 10:bd:18:e5:22:80 (oui Unknown) > 02:00:00:85:83:df (oui Unknown), ethertype IPv4 (0x0800), length 98: 146.187.3.109.rev.sfr.net > 46.105.252.219: ICMP echo request, id 23446, seq 46, length 64` ` – user225627 Jul 01 '14 at 15:30
  • The packet above should be route to 192.168.100.40, but it isn't routed. – user225627 Jul 01 '14 at 15:36

0 Answers0