cloudstack-issues mailing list archives

From "Andrija Panic (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (CLOUDSTACK-8451) Static Nat show wrong remote IP in VM behind VPC
Date Tue, 12 May 2015 14:45:01 GMT

[ https://issues.apache.org/jira/browse/CLOUDSTACK-8451?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14539907#comment-14539907 ]

Andrija Panic edited comment on CLOUDSTACK-8451 at 5/12/15 2:44 PM:
--------------------------------------------------------------------

http://pastebin.com/ihjiDZ9h - iptables-save from inside VR on pastebin - this is a brand new
VPC (1 network, 1 VM in network) on 4.4.3 release.
http://snag.gy/V949g.jpg - ACS setup and "proof":

XXX.39.228.155 - main VPC IP
XXX.39.228.156 - additional IP, configured Static NAT to private VM 10.10.10.10
Connected to XXX.39.228.156:22 and ran "netstat -antup | grep 22" - remote connection seems
to come from XXX.39.228.155 - main VPC IP.

This is ACS 4.4.3, Advanced Zone, KVM.
VR interfaces:

eth0
          inet addr:169.254.3.236  Bcast:169.254.255.255  Mask:255.255.0.0
eth1
          inet addr:XXX.39.228.155  Bcast:185.39.228.191  Mask:255.255.255.192
eth2      Link encap:Ethernet  HWaddr 02:00:14:5e:00:02
          inet addr:10.10.10.1  Bcast:10.10.10.255  Mask:255.255.255.0

> Static Nat show wrong remote IP in VM behind VPC
> ------------------------------------------------
>
>                 Key: CLOUDSTACK-8451
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8451
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: KVM, Network Controller, Virtual Router
>    Affects Versions: 4.4.3, 4.3.2, 4.5.1
>         Environment: Ubuntu 14.04, ACS 4.5.1-SNAPSHOT
>            Reporter: Andrija Panic
>
> When configuring Port Forwarding or Static NAT on a VPC VR and connecting from the outside world
to the VPC IP address, traffic gets forwarded to the VM behind the VPC.
> But if you run "netstat -antup | grep $PORT" (where port is e.g. the ssh port), the result
will show that remote connections come from the Source NAT IP of the VR instead of the real
remote client IP.
> Example:
> private VM: 192.168.10.10
> Source NAT IP on VPC VR: 1.1.1.1
> Additional Public IP on VPC VR: 1.1.1.2
> Remote client public IP: 4.4.4.4 (external to VPC)
> Test:
> from 4.4.4.4 SSH to 1.1.1.2 port 22 (or any other port)
> inside 192.168.10.10 do "netstat -antup | grep 22"
> Result: Remote IP shown is 1.1.1.1 instead of 4.4.4.4
> We found a solution (somewhat tested, and not sure if this would break anything...)
> Problem is in the VR's iptables NAT table, POSTROUTING chain, rule:
> SNAT all -- * eth2 0.0.0.0/0 0.0.0.0/0 to:1.1.1.1
> where 1.1.1.1 is the public IP of the VR
> eth2: is the Public Interface of the VR
> When this rule is deleted, NAT is working fine.
> This is a serious issue for anyone using VPC, since there is no way to see the real remote
client IP, and thus no firewall functionality inside the VM, SIP doesn't work, web server logs are
useless etc.
> I also experienced this problem with 4.3.x releases.
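
The report pins the symptom on a POSTROUTING SNAT rule that matches every source (0.0.0.0/0): such a rule also rewrites the source address of DNAT'd inbound connections that leave through the same interface, so the VM records the VR's IP rather than the client's. The following is an added diagnostic, not CloudStack code or the author's pastebin: it parses an iptables-save dump and flags POSTROUTING SNAT/MASQUERADE rules that carry no "-s" source restriction; the sample dump is constructed from the addresses in the report, and a properly scoped rule with "-s <guest subnet>" is included for contrast.

```python
import re
from typing import List, Optional

# Constructed iptables-save excerpt modelled on the rule quoted in the report
# (1.1.1.1 = source NAT IP, 1.1.1.2 = additional public IP with static NAT).
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 1.1.1.2/32 -i eth2 -j DNAT --to-destination 192.168.10.10
-A POSTROUTING -o eth2 -j SNAT --to-source 1.1.1.1
-A POSTROUTING -s 192.168.10.0/24 -o eth2 -j SNAT --to-source 1.1.1.1
COMMIT
*filter
-A FORWARD -i eth2 -j ACCEPT
COMMIT
"""

SNAT_TARGETS = {"SNAT", "MASQUERADE"}


def rule_option(rule: str, flag: str) -> Optional[str]:
    """Value following an iptables option such as '-s' or '-j', or None if absent."""
    m = re.search(r"(?:^|\s)" + re.escape(flag) + r"\s+(\S+)", rule)
    return m.group(1) if m else None


def nat_rules(dump: str) -> List[str]:
    """Return the '-A ...' rule lines that belong to the *nat table only."""
    out, table = [], None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif table == "nat" and line.startswith("-A "):
            out.append(line)
    return out


def find_catchall_snat(dump: str) -> List[str]:
    """POSTROUTING SNAT/MASQUERADE rules with no '-s' source match.
    These rewrite the source of every flow leaving the interface, including
    DNAT'd inbound connections, which hides the real client IP from the VM."""
    flagged = []
    for rule in nat_rules(dump):
        if rule.split()[1] != "POSTROUTING":
            continue
        if rule_option(rule, "-j") not in SNAT_TARGETS:
            continue
        if rule_option(rule, "-s") is None:
            flagged.append(rule)
    return flagged


if __name__ == "__main__":
    for rule in find_catchall_snat(SAMPLE_IPTABLES_SAVE):
        print("catch-all SNAT, will mask client IPs:", rule)
```

On a live VR, feed it the output of `iptables-save` instead of the constructed sample; a hit means the DNAT'd traffic must be excluded from that rule (by source or by destination) rather than the rule being dropped outright, which would also break outbound source NAT for the guest network.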



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
