I ran into the following interesting situation today on a VMware Cloud Director based cloud site: the computers "on the inside" could not retrieve any HTTP or HTTPS content from their own public IP-address. They could ping the address and trace a route to it, but they couldn't curl it, and ... a serious problem in this case ... couldn't use mod_proxy either.

Well, I [SOLVED] the problem. Here's how.
First, I stumbled on this web site: http://www.the-art-of-web.com/system/iptables-nat/, which described the same fundamental problem ... the "inside" couldn't reach the "outside" address. They referred to something called a "1:1 NAT Firewall." ("Whazzat?")

Nonetheless, it seemed obvious to me that the web-page was indeed describing the fundamental problem, and pointing to a solution. Our case differed in that the IP-address could be pinged, could be looked-up, could have a route traced to it, but could not be reached using exactly two ports: "HTTP, and HTTPS."
Hmmm... "exactly two ports ..." ...

...

...

!!
Well, it turns out that this VMware setup has a thingy called an Edge Network which is basically like port-forwarding. Specific public IP-addresses are exposed, but only for specific ports and protocols, and sent to a particular internal IP-address. The two open ports were ... "HTTP, and HTTPS."

Bingo. A port-specific "NAT Firewall," obviously. "By any other name."
The solution proposed was an IPTables rule, something like this one:
Code:
iptables -t nat -A OUTPUT -d 111.222.111.222/32 -j DNAT --to-destination 10.20.30.40
(The iptables command appears to no longer have a --dport option ... so, all port-numbers are included. No matter.)
What the rule does is to capture anything (coming from the inside) that is destined for the public IP-address (call it 111.222.111.222 ...) and re-map it to the internal IP-address that (in our case) leads into the software load-balancer. This is the path that the packets would have taken had they come in through the Edge Gateway. (And it does appear that, once sent there, they do get load-balanced.)
This command was added as an up command in /etc/network/interfaces so that it would be issued when the interface was brought up, and with that, the problem was [SOLVED].

Q. E. D. ...
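An added example, not part of the original post: an "up" script for the same hairpin DNAT rule, narrowed to the two ports the Edge actually exposes (`--dport` is available once `-p tcp` is given) and made safe to re-run on every ifup by checking with `iptables -C` before appending. The addresses are the placeholders from the post; iptables 1.4.11 or later (for `-C`) and root privileges are assumed when `APPLY=1`.

```shell
#!/bin/sh
# Added example (not the original poster's script): idempotent hairpin DNAT
# for locally generated traffic to the public IP, limited to HTTP and HTTPS.
# Assumptions: placeholder addresses below, iptables with -C support, run as
# root only when APPLY=1 so the file can be sourced for inspection.

PUBLIC_IP="111.222.111.222"   # placeholder public address from the post
INTERNAL_IP="10.20.30.40"     # placeholder internal (load-balancer) address
PORTS="80 443"                # the only two ports the Edge forwards

# hairpin_rule PUBLIC INTERNAL PORT
# Prints the rule specification (everything after -A/-C) for one TCP port.
hairpin_rule() {
    printf '%s' "OUTPUT -p tcp -d $1/32 --dport $3 -j DNAT --to-destination $2"
}

# ensure_rule RULESPEC
# Append the rule only if it is not already present, so repeated ifup/ifdown
# cycles do not stack duplicate entries in the nat table.
ensure_rule() {
    # Intentional word splitting: the rule spec is a list of iptables arguments.
    # shellcheck disable=SC2086
    if iptables -t nat -C $1 2>/dev/null; then
        echo "present: $1"
    else
        iptables -t nat -A $1 && echo "added: $1"
    fi
}

# Apply one rule per exposed port.
apply_hairpin() {
    for p in $PORTS; do
        ensure_rule "$(hairpin_rule "$PUBLIC_IP" "$INTERNAL_IP" "$p")"
    done
}

# Only touch the nat table when explicitly asked (e.g. "up APPLY=1 /path/to/script").
if [ "${APPLY:-0}" = "1" ]; then
    apply_hairpin
fi
```

Because the rule sits in the nat OUTPUT chain it only rewrites packets generated on this host; other inside machines need their own copy, exactly as in the post.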