[ https://issues.apache.org/jira/browse/CLOUDSTACK-8451?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rohit Yadav reassigned CLOUDSTACK-8451:
---------------------------------------

    Assignee: Rohit Yadav

> Static Nat show wrong remote IP in VM behind VPC
> ------------------------------------------------
>
>                 Key: CLOUDSTACK-8451
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8451
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public (Anyone can view this level - this is the default.)
>          Components: KVM, Network Controller, Virtual Router
>    Affects Versions: 4.4.3, 4.3.2, 4.5.1
>         Environment: Ubuntu 14.04, ACS 4.5.1-SNAPSHOT
>            Reporter: Andrija Panic
>            Assignee: Rohit Yadav
>
> When configuring Port Forwarding or Static NAT on VPC VR, and connecting from the outside world to the VPC IP address, traffic gets forwarded to the VM behind VPC.
> But if you run "netstat -antup | grep $PORT" (where port is i.e. ssh port) - given result will show that remote connections come from the Source NAT IP of the VR, instead of the real remote client IP.
>
> Example:
> private VM: 192.168.10.10
> Source NAT IP on VPC VR: 1.1.1.1
> Additional Public IP on VPC VR: 1.1.1.2
> Remote client public IP: 4.4.4.4 (external to VPC)
>
> Test:
> from 4.4.4.4 SSH to 1.1.1.2 port 22 (or any other port)
> inside 192.168.10.10 do "netstat -antup | grep 22"
> Result: Remote IP shown is 1.1.1.1 instead of 4.4.4.4
>
> We found a solution (somewhat tested, and not sure if this would break anything...)
> Problem is in VR's iptables NAT table, POSTROUTING chain, rule:
>     SNAT       all  --  *      eth2    0.0.0.0/0            0.0.0.0/0            to:1.1.1.1
> where 1.1.1.1 is public IP of VR
> eth2: is Public Interface of VR
> When this rule is deleted, NAT is working fine.
>
> This is a serious issue for anyone using VPC, since there is no way to see the real remote client IP, and thus no firewall functionality inside VM, SIP doesn't work, web server logs are useless etc.
> I also experienced this problem with 4.3.x releases.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
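
A way to audit a router for the kind of rule the report points at, as an added example that is not part of the original message or of CloudStack's code: it lists SNAT rules in the POSTROUTING chain that match any source and any destination on a given interface, so they can be reviewed. The function name `find_catchall_snat`, the sample listing, the `eth1` rule and the `192.168.10.0/24` source are constructed for illustration; the addresses reuse the report's placeholders.

```shell
#!/bin/sh
# Added example: surface catch-all SNAT rules in the nat POSTROUTING chain.

# Constructed sample of `iptables -t nat -L POSTROUTING -n -v` output.
# Rule 1 has the shape quoted in the report; rules 2 and 3 are made up
# for contrast (source-restricted rule, and a rule on another interface).
SAMPLE_POSTROUTING='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   41  2460 SNAT       all  --  *      eth2    0.0.0.0/0            0.0.0.0/0            to:1.1.1.1
    7   420 SNAT       all  --  *      eth2    192.168.10.0/24      0.0.0.0/0            to:1.1.1.1
    0     0 SNAT       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            to:10.0.0.1'

# find_catchall_snat IFACE
# Reads a POSTROUTING listing (-n -v format) on stdin and prints
# "IFACE to:ADDR" for every SNAT rule whose out-interface is IFACE and
# whose source and destination are both 0.0.0.0/0.
find_catchall_snat() {
    awk -v ifc="$1" '
        # -v columns: pkts bytes target prot opt in out source destination [extras]
        $3 == "SNAT" && $7 == ifc && $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" {
            to = "to:?"                      # fallback if no to: field is present
            for (i = 10; i <= NF; i++)
                if ($i ~ /^to:/) to = $i
            print $7, to
        }'
}

# On a live router the input would come from:
#   iptables -t nat -L POSTROUTING -n -v | find_catchall_snat eth2
printf '%s\n' "$SAMPLE_POSTROUTING" | find_catchall_snat eth2
```

A hit only marks a rule for review; whether a given rule is the cause of the rewritten source address still has to be confirmed on the router itself.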