Posted to users@cloudstack.apache.org by Andrija Panic <an...@gmail.com> on 2015/03/17 14:01:24 UTC

SNAT and remote IP problem

Hi,

is anybody willing to share the result from the following command, run in VR
(VPC VR):

iptables -t nat -nvL

This should preferably be run from SSH-to-VR, instead of
ConsoleProxy-to-VR, because of nice output over SSH.


It seems in 4.3.0 and 4.3.2, SNAT is done on ALL incoming connections, no
matter to WHAT IP the traffic from internet came - primary IP, or
additional one that is used for i.e. Static NAT - so SNAT rules always
replace remote client IP with MAIN IP of the VPC...

Please share your examples - this is serious bug in my opinion, and I will
raise JIRA - but would like some examples from other guys first.

Thanks,

-- 

Andrija Panić
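
One way to audit the rules that `iptables -t nat -S` prints on a router for the behaviour described in this message, as an added example that is not part of the original post or CloudStack's code: it flags POSTROUTING SNAT/MASQUERADE rules that are neither bound to the public interface nor restricted to a guest source network, since those can overwrite an internet client's address on forwarded inbound traffic. The interface names, addresses and rules are constructed for illustration and are not taken from a real VR.

```python
import ipaddress
import shlex

# Constructed sample in `iptables -t nat -S` format; not output from a real VR.
# Assumed layout: eth1 = public interface, eth2 = guest tier 10.1.1.0/24.
SAMPLE = """\
-P POSTROUTING ACCEPT
-A PREROUTING -d 203.0.113.20/32 -i eth1 -j DNAT --to-destination 10.1.1.50
-A POSTROUTING -o eth1 -j SNAT --to-source 203.0.113.10
-A POSTROUTING -s 10.1.1.0/24 -o eth2 -j SNAT --to-source 10.1.1.1
-A POSTROUTING -o eth2 -j SNAT --to-source 10.1.1.1
-A POSTROUTING -j SNAT --to-source 203.0.113.10
"""

def parse_rule(line):
    """Return (chain, opts) for an -A line, else None. Negated matches get a '!' prefix."""
    tok = shlex.split(line)
    if len(tok) < 2 or tok[0] != "-A":
        return None
    opts, negate, i = {}, False, 2
    while i < len(tok):
        if tok[i] == "!":
            negate = True
        elif tok[i] in ("-s", "-o", "-j") and i + 1 < len(tok):
            opts[tok[i]] = ("!" if negate else "") + tok[i + 1]
            negate = False
            i += 1
        else:
            negate = False
        i += 1
    return tok[1], opts

def source_is_internal(src, guest_nets):
    """True only when the rule's -s match lies inside a known guest network."""
    if src is None or src.startswith("!"):
        return False
    net = ipaddress.ip_network(src, strict=False)
    return any(net.subnet_of(ipaddress.ip_network(g)) for g in guest_nets)

def risky_snat_rules(rules_text, public_if, guest_nets):
    """List SNAT/MASQUERADE rules that can rewrite the source of inbound client traffic."""
    flagged = []
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if not parsed or parsed[0] != "POSTROUTING":
            continue
        opts = parsed[1]
        if opts.get("-j") not in ("SNAT", "MASQUERADE"):
            continue
        if opts.get("-o") == public_if or source_is_internal(opts.get("-s"), guest_nets):
            continue  # outbound NAT, or hairpin NAT limited to guest sources
        flagged.append(line.strip())
    return flagged
```

Calling `risky_snat_rules(SAMPLE, "eth1", ["10.1.1.0/24"])` returns the last two sample rules; on a live router the same function can be fed the text of `iptables -t nat -S`.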

Re: SNAT and remote IP problem

Posted by Andrija Panic <an...@gmail.com>.
we managed once to get it working, after doing PF, DNAT, rebooting VR/VPC
and mixing all this together in no particular order.... it started working
at some point, but with new VPC deployed again - again doesn't work - have
no idea what the heck is happening... :(

On 19 March 2015 at 17:35, Nux! <nu...@li.nux.ro> wrote:

> It seems fine also in a 4.3.0 VPC (KVM) I run.
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro
>
> ----- Original Message -----
> > From: "Andrija Panic" <an...@gmail.com>
> > To: dev@cloudstack.apache.org
> > Cc: "Rohit Yadav" <ro...@shapeblue.com>
> > Sent: Wednesday, 18 March, 2015 11:29:54
> > Subject: Re: SNAT and remote IP problem
>
> > I recall this was fine in clean 4.4.0 or 4.4.1/2....can't remember any
> > more...
> >
> > but anyone willing to share their VR output, as I asked, will I guess help
> > us greatly...
> >
> > On 18 March 2015 at 12:28, Erik Weber <te...@gmail.com> wrote:
> >
> >> Has anyone checked if this is present in 4.5? If so we should aim to have a
> >> fix available with 4.5.1
> >>
> >> --
> >> Erik
> >>
> >> On Wed, Mar 18, 2015 at 10:47 AM, Paul Shadwell <sh...@me.com> wrote:
> >>
> >> > I also have this problem, it affects running vPBX/VoIP services behind a
> >> > VR.
> >> >
> >> > In fact any service that requires a view on incoming IPs and domain names.
> >> >
> >> > For example fail2ban will block ALL access to ssh because it only ever
> >> > sees the VR IP address.
> >> >
> >> > Upgrading to 4.3.2 did not fix it.
> >> >
> >> > This needs fixing urgently.
> >> >
> >> > Best regards
> >> >
> >> > Paul
> >> >
> >> >
> >> >
> >> > > On 17 Mar 2015, at 14:01, Andrija Panic <an...@gmail.com> wrote:
> >> > >
> >> > > Hi,
> >> > >
> >> > > is anybody willing to share the result from the following command, run in VR
> >> > > (VPC VR):
> >> > >
> >> > > iptables -t nat -nvL
> >> > >
> >> > > This should preferably be run from SSH-to-VR, instead of
> >> > > ConsoleProxy-to-VR, because of nice output over SSH.
> >> > >
> >> > >
> >> > > It seems in 4.3.0 and 4.3.2, SNAT is done on ALL incoming connections, no
> >> > > matter to WHAT IP the traffic from internet came - primary IP, or
> >> > > additional one that is used for i.e. Static NAT - so SNAT rules always
> >> > > replace remote client IP with MAIN IP of the VPC...
> >> > >
> >> > > Please share your examples - this is serious bug in my opinion, and I will
> >> > > raise JIRA - but would like some examples from other guys first.
> >> > >
> >> > > Thanks,
> >> > >
> >> > > --
> >> > >
> >> > > Andrija Panić
> >> >
> >> >
> >>
> >
> >
> >
> > --
> >
> > Andrija Panić
>



-- 

Andrija Panić

Re: SNAT and remote IP problem

Posted by Nux! <nu...@li.nux.ro>.
It seems fine also in a 4.3.0 VPC (KVM) I run.

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Andrija Panic" <an...@gmail.com>
> To: dev@cloudstack.apache.org
> Cc: "Rohit Yadav" <ro...@shapeblue.com>
> Sent: Wednesday, 18 March, 2015 11:29:54
> Subject: Re: SNAT and remote IP problem

> I recall this was fine in clean 4.4.0 or 4.4.1/2....can't remember any
> more...
>
> but anyone willing to share their VR output, as I asked, will I guess help
> us greatly...
>
> On 18 March 2015 at 12:28, Erik Weber <te...@gmail.com> wrote:
>
>> Has anyone checked if this is present in 4.5? If so we should aim to have a
>> fix available with 4.5.1
>>
>> --
>> Erik
>>
>> On Wed, Mar 18, 2015 at 10:47 AM, Paul Shadwell <sh...@me.com> wrote:
>>
>> > I also have this problem, it affects running vPBX/VoIP services behind a
>> > VR.
>> >
>> > In fact any service that requires a view on incoming IPs and domain names.
>> >
>> > For example fail2ban will block ALL access to ssh because it only ever
>> > sees the VR IP address.
>> >
>> > Upgrading to 4.3.2 did not fix it.
>> >
>> > This needs fixing urgently.
>> >
>> > Best regards
>> >
>> > Paul
>> >
>> >
>> >
>> > > On 17 Mar 2015, at 14:01, Andrija Panic <an...@gmail.com> wrote:
>> > >
>> > > Hi,
>> > >
>> > > is anybody willing to share the result from the following command, run in VR
>> > > (VPC VR):
>> > >
>> > > iptables -t nat -nvL
>> > >
>> > > This should preferably be run from SSH-to-VR, instead of
>> > > ConsoleProxy-to-VR, because of nice output over SSH.
>> > >
>> > >
>> > > It seems in 4.3.0 and 4.3.2, SNAT is done on ALL incoming connections, no
>> > > matter to WHAT IP the traffic from internet came - primary IP, or
>> > > additional one that is used for i.e. Static NAT - so SNAT rules always
>> > > replace remote client IP with MAIN IP of the VPC...
>> > >
>> > > Please share your examples - this is serious bug in my opinion, and I will
>> > > raise JIRA - but would like some examples from other guys first.
>> > >
>> > > Thanks,
>> > >
>> > > --
>> > >
>> > > Andrija Panić
>> >
>> >
>>
> 
> 
> 
> --
> 
> Andrija Panić

Re: SNAT and remote IP problem

Posted by Andrija Panic <an...@gmail.com>.
I recall this was fine in clean 4.4.0 or 4.4.1/2....can't remember any
more...

but anyone willing to share their VR output, as I asked, will I guess help
us greatly...

On 18 March 2015 at 12:28, Erik Weber <te...@gmail.com> wrote:

> Has anyone checked if this is present in 4.5? If so we should aim to have a
> fix available with 4.5.1
>
> --
> Erik
>
> On Wed, Mar 18, 2015 at 10:47 AM, Paul Shadwell <sh...@me.com> wrote:
>
> > I also have this problem, it affects running vPBX/VoIP services behind a
> > VR.
> >
> > In fact any service that requires a view on incoming IPs and domain names.
> >
> > For example fail2ban will block ALL access to ssh because it only ever
> > sees the VR IP address.
> >
> > Upgrading to 4.3.2 did not fix it.
> >
> > This needs fixing urgently.
> >
> > Best regards
> >
> > Paul
> >
> >
> >
> > > On 17 Mar 2015, at 14:01, Andrija Panic <an...@gmail.com> wrote:
> > >
> > > Hi,
> > >
> > > is anybody willing to share the result from the following command, run in VR
> > > (VPC VR):
> > >
> > > iptables -t nat -nvL
> > >
> > > This should preferably be run from SSH-to-VR, instead of
> > > ConsoleProxy-to-VR, because of nice output over SSH.
> > >
> > >
> > > It seems in 4.3.0 and 4.3.2, SNAT is done on ALL incoming connections, no
> > > matter to WHAT IP the traffic from internet came - primary IP, or
> > > additional one that is used for i.e. Static NAT - so SNAT rules always
> > > replace remote client IP with MAIN IP of the VPC...
> > >
> > > Please share your examples - this is serious bug in my opinion, and I will
> > > raise JIRA - but would like some examples from other guys first.
> > >
> > > Thanks,
> > >
> > > --
> > >
> > > Andrija Panić
> >
> >
>



-- 

Andrija Panić

Re: SNAT and remote IP problem

Posted by Erik Weber <te...@gmail.com>.
Has anyone checked if this is present in 4.5? If so we should aim to have a
fix available with 4.5.1

-- 
Erik

On Wed, Mar 18, 2015 at 10:47 AM, Paul Shadwell <sh...@me.com> wrote:

> I also have this problem, it affects running vPBX/VoIP services behind a
> VR.
>
> In fact any service that requires a view on incoming IPs and domain names.
>
> For example fail2ban will block ALL access to ssh because it only ever
> sees the VR IP address.
>
> Upgrading to 4.3.2 did not fix it.
>
> This needs fixing urgently.
>
> Best regards
>
> Paul
>
>
>
> > On 17 Mar 2015, at 14:01, Andrija Panic <an...@gmail.com> wrote:
> >
> > Hi,
> >
> > is anybody willing to share the result from the following command, run in VR
> > (VPC VR):
> >
> > iptables -t nat -nvL
> >
> > This should preferably be run from SSH-to-VR, instead of
> > ConsoleProxy-to-VR, because of nice output over SSH.
> >
> >
> > It seems in 4.3.0 and 4.3.2, SNAT is done on ALL incoming connections, no
> > matter to WHAT IP the traffic from internet came - primary IP, or
> > additional one that is used for i.e. Static NAT - so SNAT rules always
> > replace remote client IP with MAIN IP of the VPC...
> >
> > Please share your examples - this is serious bug in my opinion, and I will
> > raise JIRA - but would like some examples from other guys first.
> >
> > Thanks,
> >
> > --
> >
> > Andrija Panić
>
>

Re: SNAT and remote IP problem

Posted by Paul Shadwell <sh...@me.com>.
I also have this problem, it affects running vPBX/VoIP services behind a VR.

In fact any service that requires a view on incoming IPs and domain names.

For example fail2ban will block ALL access to ssh because it only ever sees the VR IP address.

Upgrading to 4.3.2 did not fix it.

This needs fixing urgently.

Best regards

Paul



> On 17 Mar 2015, at 14:01, Andrija Panic <an...@gmail.com> wrote:
> 
> Hi,
> 
> is anybody willing to share the result from the following command, run in VR
> (VPC VR):
>
> iptables -t nat -nvL
>
> This should preferably be run from SSH-to-VR, instead of
> ConsoleProxy-to-VR, because of nice output over SSH.
>
>
> It seems in 4.3.0 and 4.3.2, SNAT is done on ALL incoming connections, no
> matter to WHAT IP the traffic from internet came - primary IP, or
> additional one that is used for i.e. Static NAT - so SNAT rules always
> replace remote client IP with MAIN IP of the VPC...
>
> Please share your examples - this is serious bug in my opinion, and I will
> raise JIRA - but would like some examples from other guys first.
>
> Thanks,
> 
> -- 
> 
> Andrija Panić

