Slair1 commented on issue #2680: Using Source NAT option on Private Gateway does not work

URL: https://github.com/apache/cloudstack/issues/2680#issuecomment-396402249

@rhtyd /cc @ustcweizhou It looks like that is handled in different code, in configure.py (processStaticNatRule function). I just did some testing: created two Static NATs and made sure the two VMs could reach each other via their public IPs. That still works fine after this PR. Below are the SNAT/DNAT rules that were created. However, it looks like some of the other NAT code needs some love; several of these rules seem to be invalid and shouldn't be created.

#### IP Address and Interfaces

```
root@r-336-VM:~# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 0e:00:a9:fe:01:dd brd ff:ff:ff:ff:ff:ff
    inet 169.254.1.221/16 brd 169.254.255.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 06:18:90:00:00:30 brd ff:ff:ff:ff:ff:ff
    inet 46.99.52.18/26 brd 46.99.52.63 scope global eth1
    inet 46.99.52.19/26 brd 46.99.52.63 scope global secondary eth1
    inet 46.99.52.20/26 brd 46.99.52.63 scope global secondary eth1
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 06:1d:54:00:02:6b brd ff:ff:ff:ff:ff:ff
    inet 10.101.41.10/24 brd 10.101.41.255 scope global eth2
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 02:00:6d:75:00:0a brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/24 brd 10.0.0.255 scope global eth3
```

#### Output DNATs (looks good)

```
root@r-336-VM:~# iptables -L OUTPUT -t nat -vn
Chain OUTPUT (policy ACCEPT 28 packets, 1871 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       all  --  *      *       0.0.0.0/0            46.99.52.20          to:10.0.0.154
    0     0 DNAT       all  --  *      *       0.0.0.0/0            46.99.52.19          to:10.0.0.209
```

#### PREROUTING DNATs (The 1st and 3rd rule aren't needed)

```
root@r-336-VM:~# iptables -L PREROUTING -t nat -vn
Chain PREROUTING (policy ACCEPT 551 packets, 51744 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       all  --  eth0   *       0.0.0.0/0            46.99.52.20          to:10.0.0.154
    6   240 DNAT       all  --  *      *       0.0.0.0/0            46.99.52.20          to:10.0.0.154
    0     0 DNAT       all  --  eth0   *       0.0.0.0/0            46.99.52.19          to:10.0.0.209
   11   492 DNAT       all  --  *      *       0.0.0.0/0            46.99.52.19          to:10.0.0.209
```

#### POSTROUTING SNAT (1st, 3rd, and 7th rule aren't needed)

```
root@r-336-VM:~# iptables -L POSTROUTING -t nat -vn
Chain POSTROUTING (policy ACCEPT 26 packets, 1100 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      eth0    10.0.0.0/24          10.0.0.154           to:10.0.0.1
   34  2584 SNAT       all  --  *      eth1    10.0.0.154           0.0.0.0/0            to:46.99.52.20
    0     0 SNAT       all  --  *      eth0    10.0.0.0/24          10.0.0.209           to:10.0.0.1
   28  1456 SNAT       all  --  *      eth1    10.0.0.209           0.0.0.0/0            to:46.99.52.19
  243 14660 SNAT       all  --  *      eth2    0.0.0.0/0            0.0.0.0/0            to:10.101.41.10
  222 14854 SNAT       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            to:46.99.52.18
    0     0 SNAT       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            to:46.99.52.19
```
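As an added example (not part of the comment above or of the CloudStack code), a small Python audit that parses the PREROUTING and POSTROUTING listings and flags NAT rules that can never fire (an earlier SNAT/DNAT rule already matches all their traffic, and both targets terminate) or that are redundant (a later, broader rule applies the same action). On this data it flags the 1st and 3rd PREROUTING rules and the 7th POSTROUTING rule; the 1st and 3rd POSTROUTING rules, which the comment also calls unnecessary, are only wrong in light of the topology (eth0 carries just the 169.254.0.0/16 network here), which a pure match-set comparison cannot see.

```python
import ipaddress
from collections import namedtuple

# Parsed rule: 1-based position in the chain, target, proto, in/out iface, src/dst nets, action
Rule = namedtuple("Rule", "idx target prot in_if out_if src dst action")

def parse_chain(listing):
    """Parse `iptables -L <chain> -t nat -vn` output; the header lines are skipped."""
    rules = []
    for f in (line.split() for line in listing.splitlines()):
        if len(f) >= 9 and f[0].isdigit():  # rule lines start with the pkts counter
            rules.append(Rule(len(rules) + 1, f[2], f[3], f[5], f[6],
                              ipaddress.ip_network(f[7]), ipaddress.ip_network(f[8]),
                              " ".join(f[9:])))
    return rules

def covers(a, b):
    """True if every packet matched by rule b is also matched by rule a."""
    return (a.prot in ("all", b.prot) and a.in_if in ("*", b.in_if)
            and a.out_if in ("*", b.out_if) and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst))

def audit(rules):
    """Flag rules that never fire (an earlier rule already matches all their traffic; SNAT and
    DNAT terminate) and rules made redundant by a later, broader rule with the same action."""
    shadowed = {r.idx: e.idx for i, r in enumerate(rules)
                for e in rules[:i] if covers(e, r)}
    findings = [(idx, "shadowed by", by) for idx, by in shadowed.items()]
    for i, r in enumerate(rules):
        by = next((lt.idx for lt in rules[i + 1:] if lt.idx not in shadowed and covers(lt, r)
                   and (lt.target, lt.action) == (r.target, r.action)), None)
        if by and r.idx not in shadowed:
            findings.append((r.idx, "redundant with", by))
    return sorted(findings)

# Constructed input: the PREROUTING and POSTROUTING rule lines from the comment above.
PREROUTING = """\
    0     0 DNAT all -- eth0 * 0.0.0.0/0 46.99.52.20 to:10.0.0.154
    6   240 DNAT all -- *    * 0.0.0.0/0 46.99.52.20 to:10.0.0.154
    0     0 DNAT all -- eth0 * 0.0.0.0/0 46.99.52.19 to:10.0.0.209
   11   492 DNAT all -- *    * 0.0.0.0/0 46.99.52.19 to:10.0.0.209
"""
POSTROUTING = """\
    0     0 SNAT all -- * eth0 10.0.0.0/24 10.0.0.154 to:10.0.0.1
   34  2584 SNAT all -- * eth1 10.0.0.154  0.0.0.0/0  to:46.99.52.20
    0     0 SNAT all -- * eth0 10.0.0.0/24 10.0.0.209 to:10.0.0.1
   28  1456 SNAT all -- * eth1 10.0.0.209  0.0.0.0/0  to:46.99.52.19
  243 14660 SNAT all -- * eth2 0.0.0.0/0   0.0.0.0/0  to:10.101.41.10
  222 14854 SNAT all -- * eth1 0.0.0.0/0   0.0.0.0/0  to:46.99.52.18
    0     0 SNAT all -- * eth1 0.0.0.0/0   0.0.0.0/0  to:46.99.52.19
"""
```

A zero packet counter on a rule that the audit reports as shadowed (the 7th POSTROUTING rule here) is the confirming signal on a live router.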
