Subject: Re: SNAT and remote IP problem
From: Paul Shadwell
Date: Wed, 18 Mar 2015 10:47:54 +0100
To: users@cloudstack.apache.org
Cc: "dev@cloudstack.apache.org"

I also have this problem; it affects running vPBX/VoIP services behind a VR.
In fact any service that requires a view on incoming IPs and domain names. For example fail2ban will block ALL access to ssh because it only ever sees the VR IP address.

Upgrading to 4.3.2 did not fix it.

This needs fixing urgently.

Best regards
Paul

> On 17 Mar 2015, at 14:01, Andrija Panic wrote:
>
> Hi,
>
> is anybody willing to share the result from the following command, run in VR
> (VPC VR):
>
> iptables -t nat -nvL
>
> This should preferably be run from SSH-to-VR, instead of
> ConsoleProxy-to-VR, because of nice output over SSH.
>
>
> It seems in 4.3.0 and 4.3.2, SNAT is done on ALL incoming connections, no
> matter to WHAT IP the traffic from internet came - primary IP, or
> additional one that is used for i.e. Static NAT - so SNAT rules always
> replace remote client IP with MAIN IP of the VPC...
>
> Please share your examples - this is a serious bug in my opinion, and I will
> raise JIRA - but would like some examples from other guys first.
>
> Thanks,
>
> --
>
> Andrija Panić
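One way to check a router's NAT table for the behaviour described in the thread (SNAT applied to inbound connections, so the guest only ever sees the VR address), as an added example that is not part of this thread and not CloudStack's own code: a small Python audit that reads the `-A` lines of `iptables -t nat -S` output (the iptables-save style listing, which is unambiguous to parse, rather than the `-nvL` table asked for above) and flags POSTROUTING SNAT/MASQUERADE rules that have no positive source match and are either unrestricted by interface or aimed at a guest-facing interface. The sample dump, the interface roles (eth0 guest-facing, eth1 public-facing) and the addresses are constructed for the example and are not real VR output.

```python
"""Audit NAT rules for SNAT that would fire on inbound (internet -> guest) traffic.

Added example, not CloudStack code. Reads `-A` lines in `iptables -t nat -S`
format and reports SNAT/MASQUERADE rules in POSTROUTING whose match set does
not restrict the source to the guest network, so they also rewrite the client
address of connections arriving via DNAT / static NAT.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample dump (not real VR output). Assumed interface roles:
# eth0 = guest-facing, eth1 = public-facing. Addresses are documentation ranges.
SAMPLE_DUMP = """\
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -d 203.0.113.10/32 -i eth1 -j DNAT --to-destination 10.1.1.5
-A POSTROUTING -s 10.1.1.0/24 -o eth1 -j SNAT --to-source 203.0.113.5
-A POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.5
-A POSTROUTING -s 10.1.1.5/32 -o eth1 -j SNAT --to-source 203.0.113.10
"""


@dataclass
class NatRule:
    chain: str
    target: str = ""
    src: Optional[str] = None      # value of -s, prefixed with "!" if negated
    dst: Optional[str] = None      # value of -d, prefixed with "!" if negated
    in_if: Optional[str] = None    # value of -i
    out_if: Optional[str] = None   # value of -o, prefixed with "!" if negated
    to: Optional[str] = None       # --to-source / --to-destination
    raw: str = ""


def parse_nat_rules(dump: str) -> List[NatRule]:
    """Parse the `-A CHAIN ...` lines of an `iptables -S` style dump."""
    rules: List[NatRule] = []
    for line in dump.splitlines():
        line = line.strip()
        if not line.startswith("-A "):
            continue  # -P policy and -N chain lines carry no matches
        tokens = shlex.split(line)
        rule = NatRule(chain=tokens[1], raw=line)
        negate = ""
        i = 2
        while i < len(tokens):
            tok = tokens[i]
            if tok == "!":
                negate = "!"          # applies to the next match option
                i += 1
                continue
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if tok in ("-s", "-d", "-i", "-o", "-j", "--to-source",
                       "--to-destination") and nxt is not None:
                if tok == "-s":
                    rule.src = negate + nxt
                elif tok == "-d":
                    rule.dst = negate + nxt
                elif tok == "-i":
                    rule.in_if = negate + nxt
                elif tok == "-o":
                    rule.out_if = negate + nxt
                elif tok == "-j":
                    rule.target = nxt
                else:
                    rule.to = nxt
                i += 2
            else:
                i += 1  # option we do not model (-p, -m, --dport, ...); skip
            negate = ""
        rules.append(rule)
    return rules


def find_inbound_snat(rules: List[NatRule], guest_ifaces: Set[str]) -> List[NatRule]:
    """POSTROUTING SNAT/MASQUERADE rules that can rewrite inbound client IPs.

    Outbound-only rules restrict the source to a concrete guest prefix. A rule
    is flagged when it lacks such a positive -s match and is unrestricted by
    output interface, negated on it, or aimed at a guest-facing interface.
    """
    findings = []
    for r in rules:
        if r.chain != "POSTROUTING" or r.target not in ("SNAT", "MASQUERADE"):
            continue
        if r.src is not None and not r.src.startswith("!"):
            continue
        if r.out_if is None or r.out_if.startswith("!") or r.out_if in guest_ifaces:
            findings.append(r)
    return findings


if __name__ == "__main__":
    for r in find_inbound_snat(parse_nat_rules(SAMPLE_DUMP), guest_ifaces={"eth0"}):
        print("client IP rewritten on inbound traffic:", r.raw)
```

Run against a real dump by feeding the output of `iptables -t nat -S` to `parse_nat_rules` and passing the router's guest interface names; the two SNAT rules with an explicit `-s` guest prefix are left alone, and only the interface-wide rule on the guest side is reported.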