cloudstack-dev mailing list archives

From Marcus <shadow...@gmail.com>
Subject Re: Port forwarding (web) - doesnt show real client IP
Date Mon, 08 Dec 2014 23:14:21 GMT
Or wait, you're not using static NAT, you're just using port forwarding,
correct? Everything will be NAT'ed outbound to the VPC router's public IP
per SNAT, like one would expect behind a NAT. You could force outbound to
match the IP that the port forwarder is on, but what if you have multiple
IPs port forwarding to that instance?

At any rate, if you can find a set of iptables rules you think should be
applied in a certain case to fix an issue, you can find the scripts that
apply these rules in systemvm/patches/debian/config/opt/cloud/bin/. These
scripts adjust iptables whenever a change is made. If you can come up with
a fix for something you can send us in a patch.

On Mon, Dec 8, 2014 at 3:08 PM, Andrija Panic <andrija.panic@gmail.com>
wrote:

> Hi Erik - yes I know of shared network - been using that, but want to move
> behind VPC to organize stuff a little bit more... ok, for loadbalancing -
> did not check, as that is not my problem at the moment.
>
> But port forwarding really is - this is really bad implementation or bug in
> my opinion, never saw this kind of behaviour on any router anywhere...
>
> On 9 December 2014 at 00:03, Erik Weber <terbolous@gmail.com> wrote:
>
> > On Mon, Dec 8, 2014 at 11:55 PM, Andrija Panic <andrija.panic@gmail.com>
> > wrote:
> >
> > > And just to spice things a little bit, ALL remote connections appear to
> > > come from main Public IP of the VPC VR.
> > > So we can not block some stuff on firewall on VM (while doing port
> > > forwarding) because all connections appear to come from main Public IP of
> > > the VPC VR.
> > >
> > > This is terrible design/bug - can we change this ?
> > > I'm on the ACS 4.3 currently...
> > >
> > >
> > This is a NAT problem. You could use a shared network with Public IPs or
> > Basic Networking with Public IPs.
> >
> > --
> > Erik
> >
>
>
>
> --
>
> Andrija Panić
>
