cloudstack-users mailing list archives

From Marcus <shadow...@gmail.com>
Subject Re: Port forwarding (web) - doesnt show real client IP
Date Mon, 08 Dec 2014 23:09:19 GMT
It sounds like some iptables rules got broken at some point for the static
NAT, and since there's still a catch-all SNAT for outbound it gets caught
by that and still keeps working, but is broken in a subtle way that goes
unnoticed.

On Mon, Dec 8, 2014 at 2:55 PM, Andrija Panic <andrija.panic@gmail.com>
wrote:

> And just to spice things a little bit, ALL remote connections appear to
> come from main Public IP of the VPC VR.
> So we can not block some stuff on firewall on VM (while doing port
> forwarding) because all connections appear to come from main Public IP of
> the VPC VR.
>
> This is terrible design/bug - can we change this ?
> I'm on the ACS 4.3 currently...
>
> cheers
>
> On 8 December 2014 at 23:42, Andrija Panic <andrija.panic@gmail.com>
> wrote:
>
> > Hi,
> >
> > when doing port forwarding on VPC VR - port 80 - when some client accesses
> > web site - only the main Public IP of the VPC is logged in apache access
> > logs as remote IP.
> >
> > Why is this behaviour - and can this be changed ?
> > My understanding is that this is kind of bug (unless needed for some other
> > reasons) - port forwarding is DNAT in essence, so only the destination
> > IP/port should be changed, not proxied all the way, as it seems to be the
> > case here...
> >
> > I read on other guys mailing list - same behavior for loadbalancer...
> >
> > Any suggestion ?
> >
> > Thanks,
> >
> > --
> >
> > Andrija Panić
> >
>
>
>
> --
>
> Andrija Panić
>
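
Added example, not part of the thread and not CloudStack code: a small checker that reads `iptables-save -t nat` output and reports which POSTROUTING rule would rewrite the source address of a given flow, which is how a catch-all SNAT of the kind described above can be spotted. The rules, addresses and the interface names (`eth1` as public, `eth2` as guest) are constructed assumptions; only `-s`, `-d` and `-o` are evaluated, other matches are treated as matching, and jumps into user-defined chains are not followed.

```python
import ipaddress
import shlex

# Constructed `iptables-save -t nat` output using documentation address ranges;
# these are not rules copied from a CloudStack virtual router.
SAMPLE = """\
-A PREROUTING -d 203.0.113.10/32 -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.1.20:80
-A POSTROUTING -s 10.1.1.20/32 -o eth1 -j SNAT --to-source 203.0.113.11
-A POSTROUTING -j SNAT --to-source 203.0.113.10
"""

def parse_rule(line):
    """Map each option of an '-A CHAIN ...' line to (negated, value)."""
    tokens, opts, negated, i = shlex.split(line), {}, False, 2
    while i < len(tokens):
        if tokens[i] == "!":
            negated, i = True, i + 1
            continue
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith(("-", "!"))
        opts[tokens[i]] = (negated, tokens[i + 1] if has_value else "")
        negated, i = False, i + (2 if has_value else 1)
    return opts

def addr_ok(opts, key, ip):
    if key not in opts:
        return True  # no address match on the rule: any address passes
    negated, net = opts[key]
    return (ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)) != negated

def iface_ok(opts, iface):
    if "-o" not in opts:
        return True  # no out-interface match: any interface passes
    negated, pat = opts["-o"]
    hit = iface.startswith(pat[:-1]) if pat.endswith("+") else iface == pat
    return hit != negated

def snat_hit(dump, src_ip, dst_ip, out_iface):
    """Return the first POSTROUTING rule that would rewrite src_ip, else None."""
    for line in dump.splitlines():
        if not line.startswith("-A POSTROUTING "):
            continue
        opts = parse_rule(line)
        if not (addr_ok(opts, "-s", src_ip) and addr_ok(opts, "-d", dst_ip)
                and iface_ok(opts, out_iface)):
            continue
        target = opts.get("-j", (False, ""))[1]
        if target in ("SNAT", "MASQUERADE", "ACCEPT", "RETURN"):
            return line if target in ("SNAT", "MASQUERADE") else None
    return None
```

Calling `snat_hit(SAMPLE, "198.51.100.7", "10.1.1.20", "eth2")` models an inbound client whose connection has already been DNAT-ed to the web VM; a non-`None` result means the VM will log the router's address instead of the client's.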
