Mailing List Archive

[openstack][neutron]Iptables snat not work when securitygroup is on

I am building an OpenStack all-in-one environment on a CentOS 7.4 machine. For some reason I have only one network interface (eth0) and one IP address, so I created a Linux bridge (br0) and forwarded data to eth0 using an iptables command:

iptables -t nat -A POSTROUTING -s {bridge virtual ip} -j SNAT --to {eth0 ip}

But it does not seem to work.

When I ping to from br0 and run tcpdump, I can see that data can be forwarded to eth0 and be sent to, but when data is sent back to eth0, it cannot be forwarded to br0.

IP forwarding, net.bridge.bridge-nf-call-iptables and net.bridge.bridge-nf-call-ip6tables are set to 1.

If I disable the security group by setting securitygroup = false, this rule works fine, but if I use iptables -F instead, the rule does not work. Does the securitygroup have some magic to trap iptables?
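Added illustration (editor's example, not code from the poster or from OpenStack): a small Python model of the pieces this post touches, parsing an iptables-save dump to check for the SNAT rule, list the user chains that FORWARD hands traffic to (which bridged traffic also traverses when bridge-nf-call-iptables is 1), and show what `iptables -F` does and does not clear. The dump, the addresses 10.0.0.0/24 and 192.0.2.10, and the chain name `sg-chain` are constructed.

```python
import re
from typing import Dict, List

# Constructed iptables-save dump modelled on the setup in the post: a NAT rule
# for the bridge subnet, and a filter FORWARD chain (policy DROP here, assumed)
# that jumps to a user chain standing in for the security-group agent's rules.
SAMPLE_DUMP = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source 192.0.2.10
COMMIT
*filter
:FORWARD DROP [0:0]
:sg-chain - [0:0]
-A FORWARD -j sg-chain
-A sg-chain -m state --state RELATED,ESTABLISHED -j ACCEPT
-A sg-chain -j DROP
COMMIT
"""

def parse_dump(text: str) -> Dict[str, dict]:
    """Parse iptables-save text into {table: {'policy': {chain: policy}, 'rules': [...]}}."""
    tables, current = {}, None
    for line in text.splitlines():
        if line.startswith('*'):                      # table header, e.g. *filter
            current = line[1:]
            tables[current] = {'policy': {}, 'rules': []}
        elif line.startswith(':') and current:        # chain declaration, '-' = user chain
            chain, policy = line[1:].split()[:2]
            tables[current]['policy'][chain] = policy
        elif line.startswith('-A') and current:       # one rule
            tables[current]['rules'].append(line)
    return tables

def has_snat(tables: dict, src_cidr: str, to_ip: str) -> bool:
    """True if nat/POSTROUTING carries the SNAT rule from the post for this source and address."""
    pat = re.compile(rf'^-A POSTROUTING -s {re.escape(src_cidr)} .*-j SNAT --to-source {re.escape(to_ip)}$')
    return any(pat.match(r) for r in tables.get('nat', {}).get('rules', []))

def forward_filters(tables: dict) -> List[str]:
    """User chains FORWARD jumps to; with bridge-nf-call-iptables=1 bridged frames are judged there too."""
    filt = tables['filter']
    return [r.split('-j ')[1] for r in filt['rules']
            if r.startswith('-A FORWARD ') and '-j ' in r and filt['policy'].get(r.split('-j ')[1]) == '-']

def after_flush(tables: dict, table: str = 'filter') -> dict:
    """Model `iptables -F`: empties the rules of one table (filter unless -t is given),
    leaves every other table alone and keeps built-in chain policies such as FORWARD DROP."""
    copy = {t: {'policy': dict(v['policy']), 'rules': list(v['rules'])} for t, v in tables.items()}
    copy[table]['rules'] = []
    return copy
```

Running `after_flush` on the parsed dump shows why a flush alone is not the same as disabling the security-group driver: the nat rule survives, but so does the FORWARD policy, and the agent re-populates its chains on its next sync.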