[ https://issues.apache.org/jira/browse/CLOUDSTACK-8451?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14539907#comment-14539907 ]

Andrija Panic edited comment on CLOUDSTACK-8451 at 5/12/15 2:43 PM:
--------------------------------------------------------------------

http://pastebin.com/ihjiDZ9h - iptables-save from inside VR on pastebin - this 
is brand new VPC (1 network, 1 VM in network) on 4.4.3 release.
http://snag.gy/V949g.jpg - ACS setup and "proof" : 

XXX.39.228.155 - main VPC IP
XXX.39.228.156 - additional IP, configured Static NAT to private VM 10.10.10.10
Connected to XXX.39.228.156:22 and ran "netstat -antup | grep 22": the remote 
connection seems to come from XXX.39.228.155, the main VPC IP.

This is ACS 4.4.3, Advanced Zone, KVM.
eth0
          inet addr:169.254.3.236  Bcast:169.254.255.255  Mask:255.255.0.0

eth1
          inet addr:XXX.39.228.155  Bcast:185.39.228.191  Mask:255.255.255.192

eth2      Link encap:Ethernet  HWaddr 02:00:14:5e:00:02
          inet addr:10.10.10.1  Bcast:10.10.10.255  Mask:255.255.255.0



was (Author: andrija):
http://pastebin.com/ihjiDZ9h - iptables-save from inside VR on pastebin - this 
is brand new VPC (1 network, 1 VM in network) on 4.4.3 release.
http://snag.gy/V949g.jpg - ACS setup and "proof" : 

XXX.39.228.155 - main VPC IP
XXX.39.228.156 - additional IP, configured Static NAT to private VM 10.10.10.10
Connected to XXX.39.228.156:22 and ran "netstat -antup | grep 22": the remote 
connection seems to come from XXX.39.228.155, the main VPC IP.

This is ACS 4.4.3, Advanced Zone, KVM.


> Static NAT shows wrong remote IP in VM behind VPC
> -------------------------------------------------
>
>                 Key: CLOUDSTACK-8451
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8451
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public (Anyone can view this level - this is the default.)
>          Components: KVM, Network Controller, Virtual Router
>    Affects Versions: 4.4.3, 4.3.2, 4.5.1
>         Environment: Ubuntu 14.04, ACS 4.5.1-SNAPSHOT
>            Reporter: Andrija Panic
>
> When configuring Port Forwarding or Static NAT on a VPC VR and connecting from 
> the outside world to the VPC IP address, traffic gets forwarded to the VM behind the VPC.
> But if you run "netstat -antup | grep $PORT" (where $PORT is e.g. the SSH port), 
> the result will show that remote connections come from the Source NAT IP of 
> the VR instead of the real remote client IP.
> Example:
> private VM: 192.168.10.10
> Source NAT IP on VPC VR: 1.1.1.1
> Additional Public IP on VPC VR: 1.1.1.2
> Remote client public IP: 4.4.4.4 (external to VPC)
> Test:
> from 4.4.4.4 SSH to 1.1.1.2 port 22 (or any other port)
> inside 192.168.10.10 do "netstat -antup | grep 22"
> Result: Remote IP shown is 1.1.1.1 instead of 4.4.4.4
> We found a solution (somewhat tested, and not sure if this would break 
> anything...)
> Problem is in VRs iptables NAT table, POSTROUTING chain, rule:
> SNAT all -- * eth2 0.0.0.0/0 0.0.0.0/0 to:1.1.1.1
> where 1.1.1.1 is public IP of VR
> eth2: is Public Interface of VR
> When this rule is deleted, NAT is working fine.
> This is a serious issue for anyone using VPC, since there is no way to see the real 
> remote client IP, and thus no firewall functionality inside the VM, SIP doesn't 
> work, web server logs are useless, etc.
> I also experienced this problem with 4.3.x releases.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
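The mechanism behind the report, as an added illustration that is not part of the issue thread and not CloudStack code: a small model of the netfilter nat table path a forwarded packet takes through the VR (nat/PREROUTING DNAT, then the routing decision, then nat/POSTROUTING SNAT), run once with the quoted rule `SNAT all -- * eth2 0.0.0.0/0 0.0.0.0/0 to:1.1.1.1` present and once with it deleted, which is the reporter's workaround. Addresses are the ones from the issue description; interface roles follow the ifconfig output in the comment above, where eth2 holds the guest address 10.10.10.1 (the description calls eth2 the public interface, but a POSTROUTING rule on the public interface would never see a packet being forwarded into the guest network, so the model treats eth2 as guest-side). Rule order, the extra outbound SNAT rule, and the function and variable names are assumptions of the model.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Addresses from the issue description. Interface roles are assumed from the
# ifconfig output in the comment: eth1 = public, eth2 = guest network.
PUBLIC_IFACE, GUEST_IFACE = "eth1", "eth2"
SOURCE_NAT_IP = "1.1.1.1"      # VR source NAT IP
STATIC_NAT_IP = "1.1.1.2"      # additional public IP, static NAT to the VM
GUEST_VM = "192.168.10.10"
GUEST_NET = "192.168.10.0/24"
CLIENT = "4.4.4.4"             # remote client outside the VPC


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str
    out_iface: str = ""          # filled in by the routing decision


@dataclass(frozen=True)
class NatRule:
    """One nat-table rule: chain, target, and the iptables matches it carries."""
    chain: str                        # "PREROUTING" or "POSTROUTING"
    target: str                       # "DNAT" or "SNAT"
    to: str                           # --to-destination / --to-source
    out_iface: Optional[str] = None   # -o
    src_net: Optional[str] = None     # -s
    dst: Optional[str] = None         # -d

    def matches(self, pkt: Packet) -> bool:
        if self.out_iface and pkt.out_iface != self.out_iface:
            return False
        if self.src_net and ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if self.dst and pkt.dst != self.dst:
            return False
        return True


def route(dst: str) -> str:
    """Routing decision: guest subnet leaves via eth2, everything else via eth1."""
    return GUEST_IFACE if ip_address(dst) in ip_network(GUEST_NET) else PUBLIC_IFACE


def traverse(pkt: Packet, rules: list) -> Packet:
    """nat/PREROUTING -> routing -> nat/POSTROUTING. As in the iptables nat
    table, the first matching rule in a chain decides the translation."""
    for r in rules:
        if r.chain == "PREROUTING" and r.target == "DNAT" and r.matches(pkt):
            pkt = replace(pkt, dst=r.to)
            break
    pkt = replace(pkt, out_iface=route(pkt.dst))
    for r in rules:
        if r.chain == "POSTROUTING" and r.target == "SNAT" and r.matches(pkt):
            pkt = replace(pkt, src=r.to)
            break
    return pkt


# Static NAT for the additional IP plus the usual outbound source NAT for the
# guest subnet (assumed; the latter is scoped with -s and -o, so it only
# touches guest traffic leaving through the public interface).
BASE_RULES = [
    NatRule("PREROUTING", "DNAT", GUEST_VM, dst=STATIC_NAT_IP),
    NatRule("POSTROUTING", "SNAT", SOURCE_NAT_IP, out_iface=PUBLIC_IFACE, src_net=GUEST_NET),
]

# The rule quoted in the issue: SNAT all -- * eth2 0.0.0.0/0 0.0.0.0/0 to:1.1.1.1
# It has no -s match, so it rewrites every packet leaving eth2, including the
# DNAT'd inbound connection on its way to the VM.
OFFENDING_RULE = NatRule("POSTROUTING", "SNAT", SOURCE_NAT_IP, out_iface=GUEST_IFACE)

BROKEN_RULES = BASE_RULES + [OFFENDING_RULE]
FIXED_RULES = BASE_RULES            # reporter's workaround: the rule is deleted


def source_seen_by_vm(rules: list) -> str:
    """The remote address netstat on the VM reports for the SSH client."""
    inbound = Packet(src=CLIENT, dst=STATIC_NAT_IP, dport=22, in_iface=PUBLIC_IFACE)
    return traverse(inbound, rules).src


def source_seen_by_internet(rules: list) -> str:
    """Outbound check: the VM's own connections must still be SNAT'd to 1.1.1.1."""
    outbound = Packet(src=GUEST_VM, dst="198.51.100.7", dport=443, in_iface=GUEST_IFACE)
    return traverse(outbound, rules).src


if __name__ == "__main__":
    print("broken:", source_seen_by_vm(BROKEN_RULES))   # 1.1.1.1
    print("fixed: ", source_seen_by_vm(FIXED_RULES))    # 4.4.4.4
```

The outbound check is there because deleting a SNAT rule is the kind of change that can silently break the guest network's own Internet access; in this model it does not, because the remaining SNAT rule is matched on both the source subnet and the public egress interface. On a real VR, `iptables -t nat -L POSTROUTING -v -n` shows the per-rule packet counters, which is the quickest way to confirm which rule is actually rewriting the inbound flow before removing anything.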