[
https://issues.apache.org/jira/browse/CLOUDSTACK-8451?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14558971#comment-14558971
]
Andrija Panic commented on CLOUDSTACK-8451:
-------------------------------------------
I just created empty VPC (no networks attached, so only VR got created), and
yes, the offending rule referencing eth2 (although there is NO eth2 present at
the moment) is present:
root@r-31-VM:~# iptables -L -nv -t nat
....
Chain POSTROUTING (policy ACCEPT 1 packets, 240 bytes)
pkts bytes target prot opt in out source destination
8 572 SNAT all -- * eth1 0.0.0.0/0 0.0.0.0/0
to:XXX.X39.230.174
**0 0 SNAT all -- * eth2 0.0.0.0/0 0.0.0.0/0
to:XXX.X39.230.174**
root@r-31-VM:~# ifconfig
eth0 Link encap:Ethernet HWaddr 0e:00:a9:fe:00:af
inet addr:169.254.0.175 Bcast:169.254.255.255 Mask:255.255.0.0
...
eth1 Link encap:Ethernet HWaddr 06:f6:68:00:00:71
inet addr:185.39.230.174 Bcast:185.39.230.191 Mask:255.255.255.224
...
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
...
BTW, from /var/log/messages...
May 26 10:34:35 r-31-VM cloud: vpc_ipassoc.sh:Adding ip XXX.X39.230.174 on
interface eth1
May 26 10:34:35 r-31-VM cloud: vpc_ipassoc.sh:Add routing XXX.X39.230.174 on
interface eth1
May 26 10:34:35 r-31-VM cloud: vpc_privateGateway.sh:Added SourceNAT
XXX.X39.230.174 on interface eth1
May 26 10:34:35 r-31-VM cloud: vpc_snat.sh:Added SourceNAT XXX.X39.230.174 on
interface eth2
So for some reason, eth2 (which is not even present on system) gets SNAT
provisioned...
Will try to fix in systemvm/patches/debian/config/opt/cloud/bin/vpc_snat.sh if
possible
> Static Nat show wrong remote IP in VM behind VPC
> ------------------------------------------------
>
> Key: CLOUDSTACK-8451
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8451
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: KVM, Network Controller, Virtual Router
> Affects Versions: 4.4.3, 4.3.2, 4.5.1
> Environment: Ubuntu 14.04, ACS 4.5.1-SNAPSHOT
> Reporter: Andrija Panic
> Assignee: Rohit Yadav
>
> When configuring Port Forwarding or Static NAT on VPC VR, and connect from
> outside world to VPC IP address, traffic gets forwarded to VM behind VPC.
> But if you run "netstat -antup | grep $PORT" (where port is i.e. ssh port) -
> given result will show that remote connections come from the Source NAT IP of
> the VR, instead of the real remote client IP.
> Example:
> private VM: 192.168.10.10
> Source NAT IP on VPC VR: 1.1.1.1
> Additional Public IP on VPC VR: 1.1.1.2
> Remote client public IP: 4.4.4.4 (external to VPC)
> Test:
> from 4.4.4.4 SSH to 1.1.1.2 port 22 (or any other port)
> inside 192.168.10.10 do "netstat -antup | grep 22"
> Result: Remote IP shown is 1.1.1.1 instead of 4.4.4.4
> We found a solution (somewhat tested, and not sure if this would break
> anything...)
> Problem is in VRs iptables NAT table, POSTROUTING chain, rule:
> SNAT all -- * eth2 0.0.0.0/0 0.0.0.0/0 to:1.1.1.1
> where 1.1.1.1 is public IP of VR
> eth2: is Public Interface of VR
> When this rule is deleted, NAT is working fine.
> This is a serious issue for anyone using VPC, since there is no way to see the real
> remote client IP, and thus no firewall functionality inside VM, SIP doesn't
> work, web server logs are useless etc.
> I also experienced this problem with 4.3.x releases.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
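A defender-side check for the condition the comment describes (an SNAT rule in the nat POSTROUTING chain whose out interface does not exist on the router), as an added example that is not CloudStack's own code; the iptables listing and interface list below are constructed to mirror the comment, and the public address is a documentation placeholder.

```shell
#!/bin/sh
# Constructed sample of "iptables -L -nv -t nat" POSTROUTING output, modelled on
# the listing in the comment (placeholder address, not a real router).
SAMPLE_NAT='Chain POSTROUTING (policy ACCEPT 1 packets, 240 bytes)
 pkts bytes target prot opt in out source destination
    8   572 SNAT   all  --  *  eth1 0.0.0.0/0 0.0.0.0/0 to:203.0.113.174
    0     0 SNAT   all  --  *  eth2 0.0.0.0/0 0.0.0.0/0 to:203.0.113.174'

# Constructed list of interfaces present on the router, matching what ifconfig
# showed in the comment: eth0, eth1, lo and no eth2.
SAMPLE_IFACES='eth0
eth1
lo'

# find_stale_snat NAT_LISTING IFACE_LIST
# Prints one line "OUT_IFACE to:ADDR" for every SNAT rule in NAT_LISTING whose
# out interface is not in IFACE_LIST (one interface name per line).
# iptables -nv columns: pkts bytes target prot opt in out source destination [extras]
find_stale_snat() {
    nat="$1"
    ifaces="$2"
    printf '%s\n' "$nat" | awk '$3 == "SNAT" { print $7, $10 }' |
    while read -r out_if to_addr; do
        # -x: whole-line match, -F: literal string (interface names are not regexes)
        if ! printf '%s\n' "$ifaces" | grep -qxF "$out_if"; then
            printf '%s %s\n' "$out_if" "$to_addr"
        fi
    done
}

# check_live_router: same check against the running system (needs root for
# iptables). /sys/class/net lists every interface the kernel knows about.
check_live_router() {
    find_stale_snat "$(iptables -L -nv -t nat)" "$(ls /sys/class/net)"
}

# Stand-alone demonstration on the constructed sample; expected to print
# "eth2 to:203.0.113.174", i.e. the rule the comment calls offending.
find_stale_snat "$SAMPLE_NAT" "$SAMPLE_IFACES"
```

On a real VPC VR, run `check_live_router` as root; any line it prints is an SNAT rule bound to an interface that does not exist and should be reviewed before the first guest tier is attached.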