Wednesday, July 16, 2014

OpenStack Neutron: How to list the chains and rules of the Filter, NAT, Mangle and Raw iptables tables inside a network namespace

1) List all network namespaces

# ip netns

qdhcp-7cc88da5-e38b-4a14-a64a-daa931f1d2d2
qrouter-e7189379-ccd9-44f6-804f-820173f30e26

2) List all iptables chains and rules of the Filter, NAT, Mangle and Raw tables in a network namespace (iptables-save dumps every table at once)

# sudo ip netns exec qrouter-e7189379-ccd9-44f6-804f-820173f30e26 iptables-save


# Generated by iptables-save v1.4.21 on Wed Jul 16 17:53:18 2014
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [8:564]
COMMIT
# Completed on Wed Jul 16 17:53:18 2014
# Generated by iptables-save v1.4.21 on Wed Jul 16 17:53:18 2014
*nat
:PREROUTING ACCEPT [6:681]
:INPUT ACCEPT [2:393]
:OUTPUT ACCEPT [15:970]
:POSTROUTING ACCEPT [8:550]
:neutron-l3-agent-OUTPUT - [0:0]
:neutron-l3-agent-POSTROUTING - [0:0]
:neutron-l3-agent-PREROUTING - [0:0]
:neutron-l3-agent-float-snat - [0:0]
:neutron-l3-agent-snat - [0:0]
:neutron-postrouting-bottom - [0:0]
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A neutron-l3-agent-POSTROUTING ! -i qg-77a4ae69-e3 ! -o qg-77a4ae69-e3 -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-l3-agent-snat -s 10.0.0.0/24 -j SNAT --to-source 172.24.4.2
-A neutron-postrouting-bottom -j neutron-l3-agent-snat
COMMIT
# Completed on Wed Jul 16 17:53:18 2014
# Generated by iptables-save v1.4.21 on Wed Jul 16 17:53:18 2014
*mangle
:PREROUTING ACCEPT [311:33164]
:INPUT ACCEPT [64:6090]
:FORWARD ACCEPT [247:27074]
:OUTPUT ACCEPT [86:7130]
:POSTROUTING ACCEPT [333:34204]
COMMIT
# Completed on Wed Jul 16 17:53:18 2014
# Generated by iptables-save v1.4.21 on Wed Jul 16 17:53:18 2014
*filter
:INPUT ACCEPT [29:3778]
:FORWARD ACCEPT [247:27074]
:OUTPUT ACCEPT [86:7130]
:neutron-filter-top - [0:0]
:neutron-l3-agent-FORWARD - [0:0]
:neutron-l3-agent-INPUT - [0:0]
:neutron-l3-agent-OUTPUT - [0:0]
:neutron-l3-agent-local - [0:0]
-A INPUT -j neutron-l3-agent-INPUT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-l3-agent-FORWARD
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A neutron-filter-top -j neutron-l3-agent-local
-A neutron-l3-agent-INPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9697 -j ACCEPT
COMMIT
# Completed on Wed Jul 16 17:53:18 2014

3) List all chains and rules of the Filter table in a network namespace

# sudo ip netns exec qrouter-e7189379-ccd9-44f6-804f-820173f30e26 iptables -t filter --list

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
neutron-l3-agent-INPUT  all  --  anywhere             anywhere           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
neutron-filter-top  all  --  anywhere             anywhere           
neutron-l3-agent-FORWARD  all  --  anywhere             anywhere           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
neutron-filter-top  all  --  anywhere             anywhere           
neutron-l3-agent-OUTPUT  all  --  anywhere             anywhere           

Chain neutron-filter-top (2 references)
target     prot opt source               destination        
neutron-l3-agent-local  all  --  anywhere             anywhere           

Chain neutron-l3-agent-FORWARD (1 references)
target     prot opt source               destination        

Chain neutron-l3-agent-INPUT (1 references)
target     prot opt source               destination        
ACCEPT     tcp  --  anywhere             localhost            tcp dpt:9697

Chain neutron-l3-agent-OUTPUT (1 references)
target     prot opt source               destination        

Chain neutron-l3-agent-local (1 references)
target     prot opt source               destination

4) List all chains and rules of the NAT table in a network namespace

# sudo ip netns exec qrouter-e7189379-ccd9-44f6-804f-820173f30e26 iptables -t nat --list


Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        
neutron-l3-agent-PREROUTING  all  --  anywhere             anywhere           

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
neutron-l3-agent-OUTPUT  all  --  anywhere             anywhere           

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination        
neutron-l3-agent-POSTROUTING  all  --  anywhere             anywhere           
neutron-postrouting-bottom  all  --  anywhere             anywhere           

Chain neutron-l3-agent-OUTPUT (1 references)
target     prot opt source               destination        

Chain neutron-l3-agent-POSTROUTING (1 references)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere             ! ctstate DNAT

Chain neutron-l3-agent-PREROUTING (1 references)
target     prot opt source               destination        
REDIRECT   tcp  --  anywhere             169.254.169.254      tcp dpt:http redir ports 9697

Chain neutron-l3-agent-float-snat (1 references)
target     prot opt source               destination        

Chain neutron-l3-agent-snat (1 references)
target     prot opt source               destination        
neutron-l3-agent-float-snat  all  --  anywhere             anywhere           
SNAT       all  --  10.0.0.0/24          anywhere             to:172.24.4.2

Chain neutron-postrouting-bottom (1 references)
target     prot opt source               destination        
neutron-l3-agent-snat  all  --  anywhere             anywhere         

5) List all chains and rules of the Mangle table in a network namespace

# sudo ip netns exec qrouter-e7189379-ccd9-44f6-804f-820173f30e26 iptables -t mangle --list

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

6) List all chains and rules of the Raw table in a network namespace

# sudo ip netns exec qrouter-e7189379-ccd9-44f6-804f-820173f30e26 iptables -t raw --list

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

1 comment:

  1. http://www.thegeekstuff.com/2011/01/iptables-fundamentals/