
I am taking over management of an existing OpenStack system at work and I have only a little prior experience with OpenStack.

I have about 8 instances running and all of them appear to function properly in general, each running various services. The services in question:

DHCP

DNS

MySQL <--- This is the one that I critically need.

I have a homebrew router running IPFire between green and blue interfaces (two subnets, wired and wireless) and I have it allowing basically all traffic between the two subnets to the best of my ability.

    pkts    bytes   target  prot    opt in  out source  destination
    0   0   ACCEPT  all --  *   *   10.1.12.10  10.1.10.228

Services such as ssh and http appear to function, and each of the other services is configured to listen on all adaptors. I have floating IPs set up for each of the instances.

From what I can tell, the machine has a local IP but the floating IP is a forward of some type to the instance. I'm still trying to figure out the nature of the entire config.

My question: Why are services like ssh and http fully functional across subnets while certain services such as mysql and DNS are reachable only within their own subnet?

I see no drop events on the firewall for that IP or for port 3306. I see no drops from the user's IP. I see no drops for anything I can attribute to the connection I am making or the router between them.

From wireless:

    traceroute to 10.1.10.254 (10.1.10.254), 64 hops max, 52 byte packets
     1  10.1.12.1 (10.1.12.1)  1.558 ms  1.520 ms  1.976 ms
     2  10.1.10.254 (10.1.10.254)  2.772 ms  1.816 ms  1.909 ms

    Nmap scan report for 10.1.10.254
    Host is up (0.0035s latency).
    Not shown: 997 filtered ports
    PORT    STATE  SERVICE
    22/tcp  open   ssh
    80/tcp  closed http
    443/tcp closed https

From wired:

    Nmap scan report for 10.1.10.254
    Host is up (0.0011s latency).
    Not shown: 996 filtered ports
    PORT     STATE  SERVICE
    22/tcp   open   ssh
    80/tcp   closed http
    443/tcp  closed https
    3306/tcp open   mysql

I don't really know where to even begin at this point. I don't see firewall events and I see no traffic via tcpdump. I am willing to try looking at ANYTHING you suggest.

UPDATE:

Shouldn't this allow forwarding between the subnets? Where blue0 = wireless and green0 = wired.

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts    bytes   target  prot    opt in  out source  destination
    11  672 ACCEPT  tcp --  blue0   green0  0.0.0.0/0   0.0.0.0/0    tcp dpt:3306

Ok. DNS doesn't get outside the VM environment, so it's unrelated. And I believe it makes sense for DHCP not to cross; the NICs are set up to be managed with separate DHCP servers. It makes sense, they are separate subnets for a reason. So, what? ICMP may be blocking and broadcasts aren't forwarded, right? But what do those two things have to do with MySQL? As far as I can tell I have, in various ways, attempted unblocking it and no matter what rule I create it still shows under nmap as a filtered port. – user3546886 Apr 18 '14 at 10:33
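The two nmap reports from the question, parsed and compared port by port, as an added example that is not part of the original post. It relies on the nmap state semantics: "closed" means a RST came back, so the router forwarded both the SYN and the reply for that port, while "filtered" means nothing came back at all.

```python
import re

# Constructed sample input: the two nmap reports quoted in the question.
WIRELESS_SCAN = """\
Not shown: 997 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  closed http
443/tcp closed https
"""
WIRED_SCAN = """\
Not shown: 996 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   closed http
443/tcp  closed https
3306/tcp open   mysql
"""

PORT_LINE = re.compile(r"^(\d+/(?:tcp|udp))\s+(\S+)")
NOT_SHOWN = re.compile(r"^Not shown: \d+ (\S+) ports")


def parse_nmap(report: str) -> dict:
    """Map 'port/proto' -> state; key '*' holds the state nmap gave to unlisted ports."""
    states = {"*": "unknown"}
    for line in report.splitlines():
        m = NOT_SHOWN.match(line)
        if m:
            states["*"] = m.group(1)
            continue
        m = PORT_LINE.match(line)
        if m:
            states[m.group(1)] = m.group(2)
    return states


def compare_vantages(a: dict, b: dict) -> dict:
    """Per port: (state from a, state from b, verdict). 'closed' means a RST came back,
    so the path forwards that port; 'filtered' means no reply, i.e. a drop on the way."""
    out = {}
    for port in sorted((set(a) | set(b)) - {"*"}, key=lambda p: int(p.split("/")[0])):
        sa, sb = a.get(port, a["*"]), b.get(port, b["*"])
        if sa == sb:
            verdict = "consistent"
        elif "filtered" in (sa, sb):
            verdict = "source-dependent filtering"  # only one vantage gets no reply
        else:
            verdict = "differs"
        out[port] = (sa, sb, verdict)
    return out
```

Ports 80 and 443 come back "closed" from both subnets, so the router's FORWARD path is not the problem for that destination; 3306 is the only port whose verdict depends on where the probe came from. A drop keyed on source address is what a source-scoped rule produces, whether in the router's FORWARD chain or in an OpenStack security group rule limited to a remote CIDR, so that is where a practitioner would look next.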

0 Answers