[ https://issues.apache.org/jira/browse/CLOUDSTACK-8451?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14539919#comment-14539919 ]

Andrija Panic edited comment on CLOUDSTACK-8451 at 5/12/15 2:45 PM:
--------------------------------------------------------------------

We found the problem to be in the following rules (the one with asterisks).
When we remove this rule by hand, the remote IP shows normally. Here it seems that,
except for DNAT (Static NAT), we also do SNAT (source IP replacement, for some reason),
and that is the rule down there with asterisks:

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      eth1    10.10.10.10          0.0.0.0/0            to:XXX.39.228.156
  134  9312 SNAT       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            to:XXX.39.228.155
 ** 7   705 SNAT       all  --  *      eth2    0.0.0.0/0            0.0.0.0/0            to:XXX.39.228.155 **
    0     0 SNAT       all  --  *      eth2    10.10.10.0/24        0.0.0.0/0            to:10.10.10.1


was (Author: andrija):
We found the problem to be in the following rules (the one with asterisks).
When we remove this rule by hand, the remote IP shows normally. Here it seems that,
except for DNAT (Static NAT), we also do SNAT (source IP replacement, for some reason),
and that is the rule down there with asterisks:

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      eth1    10.10.10.10          0.0.0.0/0            to:XXX.39.228.156
  134  9312 SNAT       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            to:XXX.39.228.155
 ***** 7   705 SNAT       all  --  *      eth2    0.0.0.0/0            0.0.0.0/0            to:XXX.39.228.155 ******
    0     0 SNAT       all  --  *      eth2    10.10.10.0/24        0.0.0.0/0            to:10.10.10.1

> Static Nat show wrong remote IP in VM behind VPC
> ------------------------------------------------
>
>                 Key: CLOUDSTACK-8451
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8451
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>          Components: KVM, Network Controller, Virtual Router
>    Affects Versions: 4.4.3, 4.3.2, 4.5.1
>         Environment: Ubuntu 14.04, ACS 4.5.1-SNAPSHOT
>            Reporter: Andrija Panic
>
> When configuring Port Forwarding or Static NAT on a VPC VR, and connecting from the
> outside world to the VPC IP address, traffic gets forwarded to the VM behind the VPC.
> But if you run "netstat -antup | grep $PORT" (where port is, e.g., the ssh port), the
> given result will show that remote connections come from the Source NAT IP of
> the VR, instead of the real remote client IP.
> Example:
> private VM: 192.168.10.10
> Source NAT IP on VPC VR: 1.1.1.1
> Additional Public IP on VPC VR. 1.1.1.2
> Remote client public IP: 4.4.4.4 (external to VPC)
> Test:
> from 4.4.4.4 SSH to 1.1.1.2 port 22 (or any other port)
> inside 192.168.10.10 do "netstat -antup | grep 22"
> Result: the Remote IP shown is 1.1.1.1 instead of 4.4.4.4
> We found a solution (somewhat tested, and not sure if this would break
> anything...)
> Problem is in VRs iptables NAT table, POSTROUTING chain, rule:
> SNAT all -- * eth2 0.0.0.0/0 0.0.0.0/0 to:1.1.1.1
> where 1.1.1.1 is public IP of VR
> eth2: is Public Interface of VR
> When this rule is deleted, NAT is working fine.
> This is a serious issue for anyone using VPC, since there is no way to see the real
> remote client IP, and thus no firewall functionality inside the VM, SIP doesn't
> work, web server logs are useless, etc.
> I also experienced this problem with 4.3.x releases.
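The check below is an added example, not code from the issue or from CloudStack: it parses the output of `iptables -t nat -L POSTROUTING -v -n` (a constructed sample modelled on the POSTROUTING dump in the comment above, with the public addresses replaced by documentation-range placeholders) and reports catch-all SNAT rules (0.0.0.0/0 to 0.0.0.0/0) on any interface other than the ones assumed to carry outbound Internet traffic. A catch-all SNAT on any other interface rewrites the source of every packet leaving it, including DNAT'ed inbound connections, which is exactly how the guest ends up seeing the VR's NAT IP instead of the client. Which interface is the egress one (`eth1` in the test call) is an assumption, as is every function name.

```python
from typing import List, NamedTuple, Set


class NatRule(NamedTuple):
    pkts: int
    target: str
    out_iface: str
    source: str
    destination: str
    to_addr: str  # address after "to:" for SNAT/DNAT rules, "" otherwise


# Constructed sample modelled on the dump in the comment (placeholder public IPs).
SAMPLE_POSTROUTING = """\
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      eth1    10.10.10.10          0.0.0.0/0            to:203.0.113.156
  134  9312 SNAT       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            to:203.0.113.155
    7   705 SNAT       all  --  *      eth2    0.0.0.0/0            0.0.0.0/0            to:203.0.113.155
    0     0 SNAT       all  --  *      eth2    10.10.10.0/24        0.0.0.0/0            to:10.10.10.1
"""


def parse_postrouting(dump: str) -> List[NatRule]:
    """Parse `iptables -t nat -L POSTROUTING -v -n` output into NatRule entries."""
    rules = []
    for line in dump.splitlines():
        cols = line.split()
        # Skip the chain banner, the column header and blank lines.
        if len(cols) < 9 or not cols[0].isdigit():
            continue
        pkts, _bytes, target, _prot, _opt, _in, out, src, dst = cols[:9]
        to_addr = next((c[3:] for c in cols[9:] if c.startswith("to:")), "")
        rules.append(NatRule(int(pkts), target, out, src, dst, to_addr))
    return rules


def catch_all_snat(rules: List[NatRule]) -> List[NatRule]:
    """SNAT rules that match every source and every destination."""
    return [r for r in rules
            if r.target == "SNAT" and r.source == "0.0.0.0/0" and r.destination == "0.0.0.0/0"]


def misplaced_catch_all_snat(rules: List[NatRule], egress_ifaces: Set[str]) -> List[NatRule]:
    """Catch-all SNATs on interfaces that are not the expected Internet-facing ones."""
    return [r for r in catch_all_snat(rules) if r.out_iface not in egress_ifaces]


if __name__ == "__main__":
    # Assumption: eth1 is the only interface that should source-NAT all traffic.
    for r in misplaced_catch_all_snat(parse_postrouting(SAMPLE_POSTROUTING), {"eth1"}):
        print(f"catch-all SNAT on {r.out_iface} -> {r.to_addr} ({r.pkts} pkts matched)")
```

A non-zero packet counter on a flagged rule is the confirming signal: it shows inbound connections are actually being rewritten on their way to the guest.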



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)