[ubuntu-cloud] Introducing myself and first question
Torsten Spindler
torsten at canonical.com
Thu Feb 17 07:23:57 UTC 2011
Hello Mirto,
thanks for providing the additional information!
On Wed, 2011-02-16 at 20:09 +0100, Mirto Silvio Busico wrote:
...
> The NC machine is able to ping and ssh the frontend (192.168.1.64) but
> doesn't reach the client (192.168.1.127 that is also the gateway to
> reach internet)
>
> The path should be: NC (192.168.64.2) --> FrontEnd (eth0
> 192.168.64.1)--> FrontEnd (eth1 192.168.1.127) --> client (eth0
> 192.168.1.127) --> client (wlan0 10.94.169.14) -->ISP wireless router
> (10.94.169.1) --> ISP and Internet
>
> On the client routing and masquerading is done with shorewall
The problem here is that your front-end is trying to serve a dual
purpose role, one time as UEC front-end, one time as router for the NC.
According to
http://open.eucalyptus.com/wiki/EucalyptusNetworkConfiguration_v2.0
this is not recommended, as Eucalyptus and hence UEC will flush your
firewall rules from the front-end and apply its own logic, quoting that
page:
"You are not running a firewall on the front end (CC) or your firewall
is compatible with the dynamic changes performed by Eucalyptus when
working with security groups. (Note that Eucalyptus will flush the
'filter' and 'nat' tables upon boot)."
Though also mentioned on the above page is the ability to add rules to a
preload file, with which I admit to having no experience:
"iptables-save > $EUCALYPTUS/var/run/eucalyptus/net/iptables-preload"
Or, in other words, I suspect that UEC's firewall rules on the front-end
hinder the traffic coming from the NCs and going to your client
computer. Would it be possible to use a different system as router for
the NCs? This would be the easiest way to test.
Regards,
Torsten
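
As an added example (not part of the original message, and not Eucalyptus or UEC code): one way to test the suspicion above is to compare an `iptables-save` dump taken before the front end's 'filter' and 'nat' tables are flushed with one taken afterwards, and list the rules for the NC's address that disappeared. Both dumps are constructed, the rule contents are assumptions, and the function names are hypothetical; only the addresses and interface names come from the thread.

```python
import ipaddress

# Constructed iptables-save dumps for illustration (not captured from a real UEC front end).
BEFORE = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.64.0/24 -o eth1 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -s 192.168.64.0/24 -i eth0 -o eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""
AFTER = """\
*nat
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def parse_dump(text):
    """Parse iptables-save output into {table: [rule argv, ...]}."""
    tables, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):            # "*nat" opens a table section
            current = tables.setdefault(line[1:], [])
        elif line.startswith("-A ") and current is not None:
            current.append(line.split())    # chain policy and COMMIT lines are skipped
    return tables

def names_source(argv, host):
    """True if a non-negated -s match in the rule contains host."""
    if "-s" not in argv or argv[argv.index("-s") - 1] == "!":
        return False
    net = ipaddress.ip_network(argv[argv.index("-s") + 1], strict=False)
    return ipaddress.ip_address(host) in net

def lost_rules(before, after, host, tables=("filter", "nat")):
    """Rules naming host's source address that are in `before` but not in `after`."""
    old, new = parse_dump(before), parse_dump(after)
    return [(t, " ".join(r)) for t in tables for r in old.get(t, [])
            if r not in new.get(t, []) and names_source(r, host)]

if __name__ == "__main__":
    for table, rule in lost_rules(BEFORE, AFTER, "192.168.64.2"):
        print(f"{table}: {rule}")
```

Rules without an explicit `-s` match are not reported, so a lost catch-all rule would need a separate check.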