Get remote IP in OpenStack virtual machine accessed via NAT

asked 2017-02-15 03:27:10 -0500

Srij

I have a number of Ubuntu 16.04 VMs within an OpenStack project. As I have only one floating IP, I used one of the VMs as a gateway server (IP: 10.1.1.1) with iptables port forwarding to have access to all the VMs from outside via the Internet. One VM is used as a web server (IP: 10.1.1.2). I have a NAT rule for this VM in /etc/iptables/rules.v4 as follows:

...
-A PREROUTING -p tcp -m tcp --dport 8002 -j DNAT --to-destination 10.1.1.2:80
-A POSTROUTING -j MASQUERADE
COMMIT

As I wanted, I have access to the web server from floating_ip:8002. However, as POSTROUTING masquerades any outgoing packet, including forwarded packets, all forwarded packets appear to come from the gateway server (10.1.1.1), which is not wanted. My question is how to prevent masquerading of the forwarded packets so that I can get the real remote IP accessing the web server. There was a suggestion in http://superuser.com/questions/690427/iptables-nat-doesnt-preserve-remote-ip to use the outbound interface, but I am not sure which interface to use, as I can see only one interface (eth0) in the gateway server and it doesn't work with -o eth0.

I would very much appreciate your suggestions or answers.

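An audit for the situation described in the question, as an added example that is not part of the original post: it reads rules in iptables-save format and reports which DNAT backends will see the gateway's address instead of the client's, which is also the address their access logs will record. The function names and the sample rule text are constructed here, and only `-d` matches are evaluated, so a rule scoped with `-o eth0` on a single-interface gateway is still reported.

```python
import ipaddress
import shlex

# Constructed sample in iptables-save format, modelled on the rules in the question.
SAMPLE_RULES = """\
*nat
-A PREROUTING -p tcp -m tcp --dport 8002 -j DNAT --to-destination 10.1.1.2:80
-A POSTROUTING -j MASQUERADE
COMMIT
"""

def nat_rules(text):
    """Yield (chain, tokens) for each -A rule inside the *nat table."""
    table = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*") or line == "COMMIT":
            table = line[1:] if line.startswith("*") else None
        elif table == "nat" and line.startswith("-A "):
            tokens = shlex.split(line)
            yield tokens[1], tokens[2:]

def option(tokens, *names):
    """Return (value, negated) for the first of `names` present, else (None, False)."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[i + 1], i > 0 and tokens[i - 1] == "!"
    return None, False

def rewrites_source_for(tokens, backend_ip):
    """True if the rule can match packets sent to backend_ip. Only -d is evaluated;
    -o, -s and other matches are conservatively assumed to match."""
    dest, negated = option(tokens, "-d", "--destination")
    if dest is None:
        return True
    return (backend_ip in ipaddress.ip_network(dest, strict=False)) != negated

def hidden_backends(text):
    """Map each DNAT backend to the POSTROUTING rules that replace the client address."""
    rules = list(nat_rules(text))
    snat = [t for c, t in rules if c == "POSTROUTING"
            and option(t, "-j", "--jump")[0] in ("MASQUERADE", "SNAT")]
    report = {}
    for chain, tokens in rules:
        dest = option(tokens, "--to-destination")[0]
        if chain == "PREROUTING" and dest and option(tokens, "-j", "--jump")[0] == "DNAT":
            ip = ipaddress.ip_address(dest.split(":")[0])
            hits = [" ".join(t) for t in snat if rewrites_source_for(t, ip)]
            if hits:
                report[dest] = hits
    return report
```

An empty report only means no source rewrite matches the forwarded traffic; the client address is preserved end to end only if the web server's replies still route back through the gateway, where the DNAT is reversed, and if the network lets the gateway's port emit packets whose source is not its own address.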