taken from https://github.com/marafa/openstack/blob/master/openstack-project-add.sh

write_security_rules(){
echo "todo: use neutron secgroup to add ssh and ping rules instead of nova"
# load the project's credentials, then create and store its keypair
source "$ks_dir/keystonerc_$user$id"
nova keypair-add "key$id" > "$ks_dir/key$id.pem"
chmod 600 "$ks_dir/key$id.pem"
# ssh from anywhere, added through the nova API ...
nova secgroup-create "SecGrp$id" "Security Group $id"
nova secgroup-add-rule "SecGrp$id" tcp 22 22 0.0.0.0/0
# ... and then, through neutron, every tcp and udp port plus icmp. No
# --remote-ip-prefix is given, so each rule matches any source address and
# the group admits all ingress traffic; the ssh rule above is subsumed.
neutron security-group-rule-create --direction ingress --protocol tcp --port_range_min 1 --port_range_max 65535 "SecGrp$id"
neutron security-group-rule-create --direction ingress --protocol udp --port_range_min 1 --port_range_max 65535 "SecGrp$id"
neutron security-group-rule-create --direction ingress --protocol icmp "SecGrp$id"
}


On Fri, Feb 20, 2015 at 5:07 PM, Pasquale Salza <pasquale.salza@gmail.com> wrote:
Hi Rhys,
I suppose so, because these are my iptables rules:

iptables -F
iptables -t nat -F
# default policies: a packet that matches no rule below is accepted
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# all rules are scoped to the eth0 address (172.16.58.0/24); packets for the
# 10.42.100.x address on br-ex match none of them and hit the ACCEPT policy
iptables -A INPUT -d 172.16.58.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -d 172.16.58.0/24 -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -d 172.16.58.0/24 -p tcp --dport www -j ACCEPT
iptables -A INPUT -d 172.16.58.0/24 -p tcp --dport pptp -j ACCEPT
# --sport domain matches any packet whose source port is 53, whatever its
# destination port; DNS replies are already covered by ESTABLISHED,RELATED
iptables -A INPUT -d 172.16.58.0/24 -p tcp --sport domain -j ACCEPT
iptables -A INPUT -d 172.16.58.0/24 -p tcp --dport domain -j ACCEPT
iptables -A INPUT -d 172.16.58.0/24 -p udp --sport domain -j ACCEPT
iptables -A INPUT -d 172.16.58.0/24 -p udp --dport domain -j ACCEPT
iptables -A INPUT -d 172.16.58.0/24 -p gre -j ACCEPT
iptables -A INPUT -d 172.16.58.0/24 -p icmp -j ACCEPT
iptables -A INPUT -d 172.16.58.0/24 -j DROP
# NAT outbound traffic through eth0, the internet-facing interface
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
service iptables save

Firstly, do you think I planned the network organisation well? Do you have other suggestions (best practices) with 2 interfaces?


2015-02-20 18:30 GMT+01:00 Rhys Oxenham <roxenham@redhat.com>:
Hi Pasquale,

Did you modify your security group rules to allow ICMP and/or 22:tcp access?

Many thanks
Rhys

> On 20 Feb 2015, at 17:11, Pasquale Salza <pasquale.salza@gmail.com> wrote:
>
> Hi there, I have a lot of problems with RDO/OpenStack configuration. Firstly, I need to describe my network situation.
>
> I have 7 machines, each of them with 2 NICs. I would like to use one machine as a controller/network node and the others as compute nodes.
>
> I would like to use eth0 to connect the nodes to the internet (and get access by remote sessions) with the network "172.16.58.0/24", in which I have just 7 available IPs, and eth1 as the configuration network on the network 10.42.100.0/24.
>
> This is my current configuration, for each node (varying the IPs on each machine):
>
>     eth0:
>     DEVICE=eth0
>     TYPE=Ethernet
>     ONBOOT=yes
>     BOOTPROTO=static
>     IPADDR=172.16.58.50
>     NETMASK=255.255.255.0
>     GATEWAY=172.16.58.254
>     DNS1=172.16.58.50
>     DOMAIN=###
>     DEFROUTE="yes"
>
>     eth1:
>     DEVICE=eth1
>     TYPE=OVSPort
>     DEVICETYPE=ovs
>     OVS_BRIDGE=br-ex
>     ONBOOT=yes
>
>     br-ex:
>     DEVICE=br-ex
>     DEVICETYPE=ovs
>     TYPE=OVSBridge
>     BOOTPROTO=static
>     IPADDR=10.42.100.1
>     NETMASK=255.255.255.0
>     ONBOOT=yes
>
> I'd like to have instances on the 10.42.200.0/24 virtual private network and the remaining IPs of the 10.42.100.0/24 network as floating IPs.
>
> These are the relevant parts of my answers.txt file:
>
>     CONFIG_CONTROLLER_HOST=10.42.100.1
>     CONFIG_COMPUTE_HOSTS=10.42.100.10,10.42.100.11,10.42.100.12,10.42.100.13,10.42.100.14,10.42.100.15
>     CONFIG_NETWORK_HOSTS=10.42.100.1
>     CONFIG_AMQP_HOST=10.42.100.1
>     CONFIG_MARIADB_HOST=10.42.100.1
>     CONFIG_NOVA_COMPUTE_PRIVIF=eth1
>     CONFIG_NOVA_NETWORK_PUBIF=eth1
>     CONFIG_NOVA_NETWORK_PRIVIF=eth1
>     CONFIG_NOVA_NETWORK_FIXEDRANGE=10.42.200.0/24
>     CONFIG_NOVA_NETWORK_FLOATRANGE=10.42.100.0/24
>     CONFIG_NEUTRON_L3_EXT_BRIDGE=br-ex
>     CONFIG_NEUTRON_ML2_TYPE_DRIVERS=vxlan
>     CONFIG_NEUTRON_ML2_TENANT_NETWORK_TYPES=vxlan
>     CONFIG_NEUTRON_ML2_VNI_RANGES=10:100
>     CONFIG_NEUTRON_LB_INTERFACE_MAPPINGS=
>     CONFIG_NEUTRON_OVS_BRIDGE_MAPPINGS=
>     CONFIG_NEUTRON_OVS_BRIDGE_IFACES=
>     CONFIG_NEUTRON_OVS_TUNNEL_IF=eth1
>
> After the installation, I configure the network like this:
>
>     neutron router-create router
>     neutron net-create private
>     neutron subnet-create private 10.42.200.0/24 --name private-subnet
>     neutron router-interface-add router private-subnet
>     neutron net-create public --router:external=True
>     neutron subnet-create public 10.42.100.0/24 --name public-subnet --enable_dhcp=False --allocation-pool start=10.42.100.100,end=10.42.100.200 --no-gateway
>     neutron router-gateway-set router public
>
> I'm able to launch instances but I can't get access (ping/ssh) to them.
>
> I don't know if I'm doing something wrong starting from planning.
>
> Please, help me!
>
> _______________________________________________
> Rdo-list mailing list
> Rdo-list@redhat.com
> https://www.redhat.com/mailman/listinfo/rdo-list
>
> To unsubscribe: rdo-list-unsubscribe@redhat.com




--
Pasquale Salza




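Added example, not code from any of the posts above or from the linked openstack-project-add.sh: a POSIX shell script that builds the security group Rhys asks about (ICMP plus 22/tcp and nothing else, with ssh limited to one CIDR, in contrast to the tcp/udp 1-65535 rules in the linked script) and a host ruleset that admits the same services as the posted iptables rules but with a DROP policy on INPUT and without the --sport domain rules. It assumes the neutron, nova and iptables commands of a 2015-era RDO node; the group name SecGrp$id, the run dry-run wrapper, the function names and the subnets in the preview call are illustrative choices, not anything taken from the thread.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts or from the
# linked openstack-project-add.sh. Assumes the 2015-era neutron/nova/iptables
# CLIs of an RDO node; the group name SecGrp$id, the "run" wrapper and the
# subnets used in the preview call are illustrative choices.

# With DRY_RUN set, print each command instead of executing it, so the rules
# can be reviewed (or tested) without admin credentials or root.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Security group that admits only ping and ssh, the two things the thread is
# trying to reach. Unlike the linked script, tcp/udp 1-65535 stay closed and
# ssh is limited to one CIDR.
# $1: project suffix used in the group name; $2: CIDR allowed to ssh
create_minimal_secgroup() {
    id=$1
    ssh_cidr=$2
    run neutron security-group-create "SecGrp$id" --description "ping and ssh only"
    run neutron security-group-rule-create --direction ingress --protocol icmp \
        --remote-ip-prefix 0.0.0.0/0 "SecGrp$id"
    run neutron security-group-rule-create --direction ingress --protocol tcp \
        --port-range-min 22 --port-range-max 22 \
        --remote-ip-prefix "$ssh_cidr" "SecGrp$id"
}

# Host firewall for the node, admitting the same services as the posted
# ruleset with two changes:
#  - INPUT policy is DROP. The posted rules leave it at ACCEPT and only DROP
#    packets addressed to 172.16.58.0/24, so the 10.42.100.x address on br-ex
#    is reachable on every port from anything that can route to it.
#  - No "--sport domain" rules. Those accept any inbound packet whose source
#    port is 53, whatever its destination port; DNS replies are already
#    matched by ESTABLISHED,RELATED.
# The internal subnet is trusted wholesale, since the OpenStack services
# (AMQP, MariaDB, keystone, VXLAN) all talk over it.
# $1: management subnet (eth0); $2: internal subnet (eth1/br-ex); $3: NAT interface
write_host_firewall() {
    mgmt_net=$1
    internal_net=$2
    ext_if=$3
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD ACCEPT
    run iptables -P OUTPUT ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -m state --state INVALID -j DROP
    run iptables -A INPUT -s "$internal_net" -j ACCEPT
    for svc in ssh www pptp domain; do
        run iptables -A INPUT -d "$mgmt_net" -p tcp --dport "$svc" -j ACCEPT
    done
    run iptables -A INPUT -d "$mgmt_net" -p udp --dport domain -j ACCEPT
    run iptables -A INPUT -d "$mgmt_net" -p gre -j ACCEPT
    run iptables -A INPUT -d "$mgmt_net" -p icmp -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$ext_if" -j MASQUERADE
    run service iptables save
}

# Preview both procedures without touching anything:
#   DRY_RUN=1 sh harden.sh
if [ -n "$DRY_RUN" ]; then
    create_minimal_secgroup 1 172.16.58.0/24
    write_host_firewall 172.16.58.0/24 10.42.100.0/24 eth0
fi
```

Run it with DRY_RUN=1 to print the commands; to apply them, source the file with the project's keystonerc loaded and call the functions with DRY_RUN unset (the firewall part as root). Instances already booted with the project's default group do not pick up the new group on their own: attach it with nova add-secgroup <server> SecGrp<id>, or boot new ones with --security-groups SecGrp<id>. Packstack also installs iptables rules for the services it configures, so check what iptables-save shows before replacing the chains on a packstack-managed node.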