We are learning about the OpenStack network today. We use the FlatDHCP network mode. I have been wondering why a fixed IP address cannot be accessed while a floating IP address can be pinged. How is this done?
In fact, there is no difference between a fixed IP address and a floating IP address in themselves. To see why one answers and the other does not, you first need some iptables knowledge.
If we ping the floating IP address 192.168.139.7 of the VM instance, the routing table sends the packet to a local process, so the OUTPUT chain is traversed.
View the iptables rules. You can see that there is a DNAT rule in the nat table, namely:
Chain nova-network-OUTPUT (1 references)
target     prot opt source               destination
DNAT       all  --  0.0.0.0/0            192.168.139.7        to:192.168.138.17
Because the OUTPUT chain of the nat table rewrites the destination, a packet addressed to the floating IP address is redirected to the fixed IP address. That works, yet pinging the fixed IP address directly is not allowed, so the difference can only come from the rules in the OUTPUT chain of the filter table. Check the filter table.
Chain nova-compute-inst-43 (1 references)
 pkts bytes target                   prot opt in  out source               destination
28080 4431K ACCEPT                   all  --  *   *   0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 nova-compute-provider    all  --  *   *   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT                   udp  --  *   *   192.168.138.227      0.0.0.0/0            udp spt:67 dpt:68
    0     0 ACCEPT                   all  --  *   *   0.0.0.0/0            0.0.0.0/0            match-set b0f65738cef046168b1dbed09be4c14 src
    0     0 DROP                     all  --  *   *   0.0.0.0/0            0.0.0.0/0            ! ctstate DNAT
    0     0 ACCEPT                   4    --  *   *   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT                   tcp  --  *   *   0.0.0.0/0            0.0.0.0/0            multiport dports 1:65535
    0     0 ACCEPT                   icmp --  *   *   0.0.0.0/0            0.0.0.0/0
    0     0 nova-compute-sg-fallback all  --  *   *   0.0.0.0/0            0.0.0.0/0
There is a very important DROP here, and it sits in the OUTPUT chain of the filter table! Its match is "! ctstate DNAT": every packet whose connection was not destination-NATed is dropped. A ping sent straight to the fixed IP address was never translated, so it hits this DROP; a ping sent to the floating IP address was rewritten by the DNAT rule above, carries the DNAT conntrack flag, and passes on to the ACCEPT rule for icmp.
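To make the two cases concrete, here is an added example (not code from the original post or from nova-network) that parses the filter chain above, abridged to the matches it models, and traces a ping through it; the source host address 192.168.138.1 and the packet definitions are constructed for the example.

```python
import ipaddress
import re
# Constructed sample: the nova-compute-inst-43 chain from the post, trimmed to the matches this
# model understands (state, ctstate, udp ports). Column layout is that of `iptables -L -v -n`.
CHAIN = """\
Chain nova-compute-inst-43 (1 references)
 pkts bytes target  prot opt in  out source           destination
28080 4431K ACCEPT  all  --  *   *   0.0.0.0/0        0.0.0.0/0   state RELATED,ESTABLISHED
    0     0 ACCEPT  udp  --  *   *   192.168.138.227  0.0.0.0/0   udp spt:67 dpt:68
    0     0 DROP    all  --  *   *   0.0.0.0/0        0.0.0.0/0   ! ctstate DNAT
    0     0 ACCEPT  icmp --  *   *   0.0.0.0/0        0.0.0.0/0
"""

def parse_chain(text):
    """Split each rule line into target/proto/src/dst and the trailing match text."""
    rules = []
    for line in text.splitlines()[2:]:          # skip "Chain ..." and the column header
        f = line.split(None, 9)                  # pkts bytes target prot opt in out src dst [extra]
        rules.append({"target": f[2], "proto": f[3], "src": f[7], "dst": f[8],
                      "extra": f[9] if len(f) > 9 else ""})
    return rules

def matches(rule, pkt):
    """pkt: proto, src, dst, ctstate (set of conntrack states/flags), optional sport/dport."""
    if rule["proto"] not in ("all", pkt["proto"]):
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule["dst"]):
        return False
    extra = rule["extra"]
    if m := re.match(r"(!\s*)?(?:ct)?state (\S+)", extra):   # "state X" or "[!] ctstate X"
        hit = bool(set(m.group(2).split(",")) & pkt["ctstate"])
        return hit != bool(m.group(1))           # a leading "!" inverts the match
    if m := re.match(r"udp spt:(\d+) dpt:(\d+)", extra):
        return pkt.get("sport") == int(m.group(1)) and pkt.get("dport") == int(m.group(2))
    return True                                  # no extra condition on this rule

def verdict(rules, pkt):
    """First terminating rule wins; otherwise fall through to the chain's RETURN."""
    for rule in rules:
        if matches(rule, pkt) and rule["target"] in ("ACCEPT", "DROP"):
            return rule["target"]
    return "RETURN"

RULES = parse_chain(CHAIN)
# Constructed packets: host 192.168.138.1 pings the fixed IP 192.168.138.17 directly (never
# translated), then pings floating IP 192.168.139.7, which nat OUTPUT rewrote (conntrack flags DNAT).
PING_FIXED = {"proto": "icmp", "src": "192.168.138.1", "dst": "192.168.138.17", "ctstate": {"NEW"}}
PING_FLOATING = {**PING_FIXED, "ctstate": {"NEW", "DNAT"}}
if __name__ == "__main__":
    print("ping fixed IP   :", verdict(RULES, PING_FIXED))     # DROP
    print("ping floating IP:", verdict(RULES, PING_FLOATING))  # ACCEPT
```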
So if we ping from somewhere else, which path does the packet take? In the figure above, the packet takes the route to the local process, and the ping succeeds as long as a route exists.
The above describes the case where security rules are enabled.
OpenStack fixed IP address and floating IP address