
This is less of an OpenStack question and more of an iptables question. Consider the following chain in the NAT table

Chain nova-network-POSTROUTING (1 references)
pkts bytes target     prot opt in     out     source               destination         
0     0 ACCEPT     all  --  any    any     172.16.100.0/24      10.128.0.223        
0     0 ACCEPT     all  --  any    any     172.16.100.0/24      172.16.100.0/24      ! ctstate DNAT
0     0 SNAT       all  --  any    any     172.16.100.6         anywhere             ctstate DNAT to:10.128.0.161

Can anyone tell me what 1) the "! ctstate DNAT" means in the second rule and 2) the "ctstate DNAT to:10.128.0.161" means in the third rule?

Thanks

1 Answer


The first rule uses the connection tracking extension ctstate and inverts the dynamic network address translation protocol (!). I believe the rules are saying: when the source is from 172.16.100.0/24 and the destination is the same network, don't NAT the source (so if this is a virtual router, that would be DHCP offers and the like, and also any host-to-host communication on that subnet). The second part, 172.16.100.6 to anywhere, should be NAT'ed dynamically to 10.128.0.161. So if 172.16.100.6 is your OpenStack external router, the conntrack module will match rule 2 for internal traffic and rule 3 for everything else, i.e. the router and hosts will always match rule 2 first for internal traffic, but one host specifically will have its source NAT'ed when it leaves the segment, or, put another way, a proxy server, since the default route is likely 172.16.100.6.

Sum1sAdmin
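The answer reasons about which of the three rules a given packet hits, so here is a small simulator, added as an example and not part of the original question or answer, that parses the listing from the question and walks it for a packet. In iptables terms, "ctstate DNAT" matches packets belonging to a connection whose destination conntrack has already rewritten (because a DNAT target in PREROUTING or OUTPUT fired for that connection), "! ctstate DNAT" matches every packet that does not belong to such a connection, and "to:10.128.0.161" is the address the SNAT target substitutes for the source. The shape of rule 3 is the one nova-network installs for a floating IP mapping, so reading 10.128.0.161 as the floating address of 172.16.100.6 is consistent with the listing, though the page itself does not say so. The packets fed in below are constructed for illustration, and the helper names (Rule, parse_chain, postrouting) are mine.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The chain exactly as it appears in the question (iptables -L -v output of the nat table).
CHAIN_LISTING = """\
Chain nova-network-POSTROUTING (1 references)
pkts bytes target     prot opt in     out     source               destination
0     0 ACCEPT     all  --  any    any     172.16.100.0/24      10.128.0.223
0     0 ACCEPT     all  --  any    any     172.16.100.0/24      172.16.100.0/24      ! ctstate DNAT
0     0 SNAT       all  --  any    any     172.16.100.6         anywhere             ctstate DNAT to:10.128.0.161
"""


@dataclass(frozen=True)
class Rule:
    target: str                    # ACCEPT or SNAT
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ctstate_dnat: Optional[bool]   # None: no ctstate match; True: "ctstate DNAT"; False: "! ctstate DNAT"
    to_source: Optional[str]       # address after "to:" on an SNAT target, if any

    def matches(self, src: str, dst: str, conn_dnat: bool) -> bool:
        if ipaddress.ip_address(src) not in self.src:
            return False
        if ipaddress.ip_address(dst) not in self.dst:
            return False
        # conntrack keeps a per-connection "destination was NATed" status bit;
        # "ctstate DNAT" tests that bit and "! ctstate DNAT" tests its inverse.
        if self.ctstate_dnat is not None and conn_dnat != self.ctstate_dnat:
            return False
        return True


def _network(field: str) -> ipaddress.IPv4Network:
    """'anywhere' is how iptables -L (without -n) prints 0.0.0.0/0; a bare address is a /32."""
    if field == "anywhere":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(field, strict=False)


def parse_chain(listing: str) -> list:
    """Parse the fixed columns of iptables -L -v and the match/target options that follow them."""
    rules = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 9 or not fields[0].isdigit():
            continue  # skip the "Chain ..." line and the column header
        pkts, nbytes, target, prot, opt, in_if, out_if, src, dst = fields[:9]
        ctstate_dnat = None
        to_source = None
        negate = False
        for tok in fields[9:]:
            if tok == "!":
                negate = True          # applies to the match that follows it
            elif tok == "ctstate":
                pass                   # the state name is the next token
            elif tok == "DNAT":        # only the DNAT state appears on this page
                ctstate_dnat = not negate
                negate = False
            elif tok.startswith("to:"):
                to_source = tok[len("to:"):]
        rules.append(Rule(target, _network(src), _network(dst), ctstate_dnat, to_source))
    return rules


CHAIN = parse_chain(CHAIN_LISTING)


def postrouting(src: str, dst: str, conn_dnat: bool):
    """Walk the chain for one packet.

    Returns (source address the packet leaves with, number of the rule that decided, or None).
    conn_dnat is True when the packet belongs to a connection whose destination was already
    rewritten by a DNAT rule in PREROUTING or OUTPUT.
    """
    for n, rule in enumerate(CHAIN, start=1):
        if not rule.matches(src, dst, conn_dnat):
            continue
        if rule.target == "ACCEPT":
            return src, n              # leaves the chain untouched: no SNAT for this connection
        if rule.target == "SNAT":
            return rule.to_source, n
    return src, None                   # nothing matched; control returns to the calling chain


if __name__ == "__main__":
    # Constructed sample packets: (src, dst, connection already DNATed?)
    samples = [
        ("172.16.100.20", "10.128.0.223", False),   # instance to metadata host: rule 1
        ("172.16.100.6", "172.16.100.9", False),    # plain intra-subnet traffic: rule 2, no NAT
        ("172.16.100.6", "172.16.100.9", True),     # intra-subnet but DNATed: rule 2 skipped, rule 3 SNATs
        ("172.16.100.9", "172.16.100.6", True),     # DNATed but wrong source for rule 3: falls through
        ("172.16.100.6", "203.0.113.5", False),     # outbound, not DNATed: this chain leaves it alone
    ]
    for s, d, dn in samples:
        print(f"{s:>14} -> {d:<14} dnat={dn!s:<5} => leaves as {postrouting(s, d, dn)}")
```

Two things the walk makes visible. First, nothing in this chain rewrites a plain outbound packet from 172.16.100.6 whose connection was not DNATed; rule 3 only fires for connections that a DNAT rule elsewhere has already touched, which is why rule 2 has to carve those connections out of its blanket ACCEPT for intra-subnet traffic. Second, the nat table is consulted only for the first packet of a connection; the decision is then stored in the conntrack entry and applied to every later packet of that connection without re-walking the chain, so the zero packet counters in the listing say nothing about how many packets are actually being translated.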