Subject: Re: Port forwarding (web) - doesn't show real client IP
From: Marcus
To: dev@cloudstack.apache.org
Date: Mon, 8 Dec 2014 15:14:21 -0800

Or wait, you're not using static NAT, you're just using port forwarding, correct? Everything will be NAT'ed outbound to the VPC router's public IP per SNAT, like one would expect behind a NAT. You could force outbound to match the IP that the port forwarder is on, but what if you have multiple IPs port forwarding to that instance?

At any rate, if you can find a set of iptables rules you think should be applied in a certain case to fix an issue, you can find the scripts that apply these rules in systemvm/patches/debian/config/opt/cloud/bin/. These scripts adjust iptables whenever a change is made. If you can come up with a fix for something, you can send it to us in a patch.

On Mon, Dec 8, 2014 at 3:08 PM, Andrija Panic wrote:
> Hi Erik - yes I know of shared network - been using that, but want to move
> behind VPC to organize stuff a little bit more... ok, for loadbalancing -
> did not check, as that is not my problem at the moment.
>
> But port forwarding really is - this is really bad implementation or bug in
> my opinion, never saw this kind of behaviour on any router anywhere...
>
> On 9 December 2014 at 00:03, Erik Weber wrote:
>
> > On Mon, Dec 8, 2014 at 11:55 PM, Andrija Panic wrote:
> >
> > > And just to spice things a little bit, ALL remote connections appear to
> > > come from main Public IP of the VPC VR.
> > > So we can not block some stuff on firewall on VM (while doing port
> > > forwarding) because all connections appear to come from main Public IP of
> > > the VPC VR.
> > >
> > > This is terrible design/bug - can we change this ?
> > > I'm on the ACS 4.3 currently...
> >
> > This is a NAT problem. You could use a shared network with Public IPs or
> > Basic Networking with Public IPs.
> >
> > --
> > Erik
>
> --
> Andrija Panić
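The symptom in this thread (every forwarded connection arriving from the VR's address) comes from a source-NAT rule matching the forwarded traffic on its way to the guest, not from the DNAT itself. As an added diagnostic that is not from the thread or from CloudStack's own systemvm scripts, the shell function below parses an iptables-save style NAT table and reports port-forward targets whose traffic is also SNAT'ed on the guest-side interface; the interface names, addresses and rules are constructed assumptions, not captured from a real VR.

```shell
#!/bin/sh
# Added diagnostic (not CloudStack's own script). Reports DNAT (port-forward)
# targets whose forwarded traffic is *also* source-NAT'ed on the guest-side
# interface: that rule is what makes every client appear to come from the
# router. Interfaces, addresses and rules here are constructed assumptions:
# eth0 = public side, eth2 = guest tier side.

# Constructed sample 1: port-forward plus a guest-side SNAT that masks clients.
SAMPLE_MASKED='*nat
-A PREROUTING -d 203.0.113.10/32 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.1.5:80
-A POSTROUTING -s 10.1.1.0/24 -o eth0 -j SNAT --to-source 203.0.113.10
-A POSTROUTING -d 10.1.1.5/32 -o eth2 -p tcp -m tcp --dport 80 -j SNAT --to-source 10.1.1.1
COMMIT'

# Constructed sample 2: same port-forward, SNAT only on the public side (the
# normal outbound NAT Marcus describes); the guest still sees real client IPs.
SAMPLE_NORMAL='*nat
-A PREROUTING -d 203.0.113.10/32 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.1.5:80
-A POSTROUTING -s 10.1.1.0/24 -o eth0 -j SNAT --to-source 203.0.113.10
COMMIT'

# find_masked_forwards RULES GUEST_IF
# Prints each DNAT target IP (one per line) that a SNAT/MASQUERADE rule on
# GUEST_IF would rewrite: a rule with no -d, or one whose -d is the target.
# Prints nothing when forwarded traffic keeps its original source address.
find_masked_forwards() {
  printf '%s\n' "$1" | awk -v gif="$2" '
    BEGIN { n = 0 }
    /^-A PREROUTING / && /-j DNAT/ {
      for (i = 1; i <= NF; i++)
        if ($i == "--to-destination") { split($(i + 1), a, ":"); dnat[a[1]] = 1 }
    }
    /^-A POSTROUTING / && (/-j SNAT/ || /-j MASQUERADE/) {
      dst = ""; oif = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-d") { split($(i + 1), b, "/"); dst = b[1] }
        if ($i == "-o") oif = $(i + 1)
      }
      if (oif == gif) { n++; sdst[n] = dst }
    }
    END {
      for (t in dnat)
        for (k = 1; k <= n; k++)
          if (sdst[k] == "" || sdst[k] == t) { print t; break }
    }'
}

find_masked_forwards "$SAMPLE_MASKED" eth2   # prints 10.1.1.5
find_masked_forwards "$SAMPLE_NORMAL" eth2   # prints nothing
```

On a live router you would feed it the output of `iptables-save -t nat` and the tier's interface name instead of the constructed samples.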