cloudstack-issues mailing list archives

From "Jayapal Reddy (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CLOUDSTACK-9930) SNAT rule is incorrectly added on for PF rule
Date Tue, 30 May 2017 06:51:04 GMT
Jayapal Reddy created CLOUDSTACK-9930:
-----------------------------------------

             Summary: SNAT rule is incorrectly added on for PF rule
                 Key: CLOUDSTACK-9930
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9930
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
            Reporter: Jayapal Reddy
             Fix For: 4.10.0.0


1. Acquire an IP from the additional public subnet.
2. Configure a port forwarding rule on the isolated network.
3. Check the SNAT rule added in the nat table. It is added on the default source NAT interface instead of the additional public subnet interface.

eth3 - additional public subnet interface.


{noformat}
root@r-133-QA:~# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CONNMARK   tcp  --  eth3   *       0.0.0.0/0            10.147.52.100        tcp dpt:22 state NEW CONNMARK save
    0     0 DNAT       tcp  --  eth3   *       0.0.0.0/0            10.147.52.100        tcp dpt:22 to:10.1.1.182:22
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            10.147.52.100        tcp dpt:22 to:10.1.1.182:22
    0     0 MARK       tcp  --  eth3   *       0.0.0.0/0            10.147.52.100        tcp dpt:22 MARK set 0x3

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.147.52.100        tcp dpt:22 to:10.1.1.182:22

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   10   500 SNAT       all  --  *      eth2    0.0.0.0/0            0.0.0.0/0            to:10.147.46.107
    0     0 SNAT       all  --  *      eth2    0.0.0.0/0            0.0.0.0/0            to:10.147.52.100
    0     0 SNAT       tcp  --  *      eth0    10.1.1.0/24          10.1.1.182           tcp dpt:22 to:10.1.1.1
root@r-133-QA:~# 
root@r-133-QA:~# 
root@r-133-QA:~# 
root@r-133-QA:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 02:00:24:c6:00:07 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.1/24 brd 10.1.1.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 0e:00:a9:fe:02:b7 brd ff:ff:ff:ff:ff:ff
    inet 169.254.2.183/16 brd 169.254.255.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 1e:00:1e:00:00:13 brd ff:ff:ff:ff:ff:ff
    inet 10.147.46.107/24 brd 10.147.46.255 scope global eth2
7: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 1e:00:e0:00:00:33 brd ff:ff:ff:ff:ff:ff
    inet 10.147.52.100/24 brd 10.147.52.255 scope global eth3
root@r-133-QA:~# 
root@r-133-QA:~# ip route show table Table_eth3
default via 10.147.52.1 dev eth3  proto static 
throw 10.1.1.0/24  proto static 
throw 169.254.0.0/16  proto static 
root@r-133-QA:~# ip route show table Table_eth2
default via 10.147.46.1 dev eth2  proto static 
throw 10.1.1.0/24  proto static 
throw 169.254.0.0/16  proto static 
{noformat}




--
This message was sent by Atlassian JIRA
(v6.3.15#6346)