LinuxQuestions.org, Linux - Networking forum
Old 02-03-2017, 06:16 PM   #1
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,416
Blog Entries: 4
Cloud cluster can't "curl" its own public IP address


I ran into the following interesting situation today on a VMWare Cloud Director based cloud site: the computers "on the inside" could not retrieve any HTTP or HTTPS content from their own public IP-address. They could ping the address and trace a route to it, but they couldn't curl it, and ... a serious problem in this case ... couldn't use mod_proxy either.

Well, I [SOLVED] the problem. Here's how.

First, I stumbled on this web site: http://www.the-art-of-web.com/system/iptables-nat/, which described the same fundamental problem ... the "inside" couldn't reach the "outside" address. They referred to something called a "1:1 NAT Firewall." ("Whazzat?")

Nonetheless, it seemed obvious to me that the web-page was indeed describing the fundamental problem, and pointing to a solution. Our case differed in that the IP-address could be pinged, could be looked-up, could have a route traced to it, but could not be reached using exactly two ports: "HTTP, and HTTPS."

Hmmm... "exactly two ports ..." ... ... ... !!

Well, it turns out that this VMWare setup has a thingy called an Edge Network which is basically like port-forwarding. Specific public IP-addresses are exposed, but only for specific ports and protocols, and sent to a particular internal IP-address. The two open ports were ... "HTTP, and HTTPS."

Bingo. A port-specific "NAT Firewall," obviously. "By any other name."

The solution proposed was an IPTables rule, something like this one:
Code:
iptables -t nat -A OUTPUT -d 111.222.111.222/32 -j DNAT --to-destination 10.20.30.40
(The iptables command appears to no longer have a --dport option ... so, all port-numbers are included. No matter.)

What the rule does is to capture anything (coming from the inside) that is destined for the public IP-address (call it 111.222.111.222 ...) and re-map it to the internal IP-address that (in our case) leads into the software load-balancer. This is the path that the packets would have taken had they come in through the Edge Gateway. (And it does appear that, once sent there, they do get load-balanced.)

This command was added as an up command in /etc/network/interfaces so that it would be issued when the interface was brought up, and with that, the problem was [SOLVED].

Q. E. D. ...

Last edited by sundialsvcs; 02-08-2017 at 10:34 AM.
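The post's single DNAT rule rewrites every port aimed at the public address. An editor-added example follows (not the poster's script, and not a VMware component): it generates the same hairpin-NAT rule but limits it to the two ports the Edge actually forwards, using the TCP `--dport` match (which iptables accepts once `-p tcp` is given), and wraps each rule in an `iptables -C` check so an `up` hook in /etc/network/interfaces can run it on every interface start without stacking duplicate rules. The addresses are the placeholders from the post; the script path and the `HAIRPIN_APPLY` variable are assumptions of this example.

```shell
#!/bin/sh
# Hairpin ("loopback") NAT for a host behind a port-forwarding edge:
# locally generated traffic aimed at the public IP is rewritten to the
# internal target, but only for the ports the edge actually forwards.
# Editor-added example; the addresses are the placeholders used in the post.

PUBLIC_IP="111.222.111.222"   # placeholder public address from the post
INTERNAL_IP="10.20.30.40"     # placeholder internal target from the post
PORTS="80 443"                # HTTP and HTTPS: the only ports the edge forwards

# Print one DNAT rule specification per forwarded port. The nat/OUTPUT chain
# is the right hook: it sees packets this host originates, before routing.
# --dport is a TCP match, so -p tcp must precede it.
hairpin_rule_specs() {
    public="$1"; internal="$2"; shift 2
    for port in "$@"; do
        printf 'OUTPUT -p tcp -d %s/32 --dport %s -j DNAT --to-destination %s:%s\n' \
            "$public" "$port" "$internal" "$port"
    done
}

# Turn each specification into an idempotent command: iptables -C checks
# whether the rule already exists, so re-running on every "ifup" never
# duplicates it.
hairpin_commands() {
    hairpin_rule_specs "$@" | while IFS= read -r spec; do
        printf 'iptables -t nat -C %s 2>/dev/null || iptables -t nat -A %s\n' \
            "$spec" "$spec"
    done
}

# Apply the rules when running as root with iptables available; otherwise
# only show what would be run, so the script is safe to execute anywhere.
apply_hairpin() {
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables >/dev/null 2>&1; then
        echo "not root or iptables not found; commands that would run:" >&2
        hairpin_commands "$@"
        return 0
    fi
    hairpin_commands "$@" | sh
}

# Opt in explicitly so that sourcing or testing this file never touches the
# live nat table. Assumed invocation: HAIRPIN_APPLY=1 /usr/local/sbin/hairpin.sh
if [ "${HAIRPIN_APPLY:-0}" = "1" ]; then
    # PORTS is intentionally word-split into separate arguments
    apply_hairpin "$PUBLIC_IP" "$INTERNAL_IP" $PORTS
fi
```

To hook it into the interface the way the post describes, an `up HAIRPIN_APPLY=1 /usr/local/sbin/hairpin.sh` line in the interface stanza of /etc/network/interfaces does the job (path assumed). Restricting the rewrite to 80 and 443 keeps the internal view of the public address identical to what the Edge exposes: any other port still fails, just as it would from outside, instead of silently reaching the load balancer through a path the edge policy never opened.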
 
Old 02-03-2017, 06:37 PM   #2
TheEzekielProject
Member
 
Registered: Dec 2016
Distribution: arch
Posts: 668
Awesome! Surely this will be helpful to someone. For future reference though, posts like this are probably more appropriate in http://www.linuxquestions.org/questi...ss-stories-23/
 
Old 02-08-2017, 10:32 AM   #3
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,416

Original Poster
Blog Entries: 4
Dunno, I have never in these many years spent any time in "Member Success Stories."