Determining remote IP from within VM

asked 2011-08-19 16:42:43 -0500

everett-toews


When you're inside a VM (KVM in our case) with a floating IP and you receive a connection from a remote machine it always appears as though the IP address is the default gateway of the VM regardless of where the connection is coming from.

For example.

A VM is launched and is given a floating IP.


You ssh to that VM from a completely different network with a machine with the IP

On the VM you run tcpdump.

root@i-000004f7:~# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:14:51.076673 IP i-000004f7.novalocal.ssh >
16:14:51.077239 IP i-000004f7.novalocal.56502 > 53009+ PTR? (39)
16:14:51.077667 IP > i-000004f7.novalocal.ssh
16:14:51.083420 IP > i-000004f7.novalocal.56502: 53009 NXDomain* 0/0/0 (39)
16:14:51.083565 IP i-000004f7.novalocal.48465 > 26532+ PTR? (39)
16:14:51.083942 IP > i-000004f7.novalocal.48465: 26532* 1/0/0 PTR i-000004f7.novalocal. (73)
16:14:51.086649 IP i-000004f7.novalocal.ssh >
16:14:51.087937 IP > i-000004f7.novalocal.ssh
16:14:51.096715 IP i-000004f7.novalocal.ssh >
16:14:51.097941 IP > i-000004f7.novalocal.ssh

tcpdump is showing the ssh connection you've made from So even though you're connecting from the remote address appears to be

Is there a way with OpenStack to determine the remote IP address from within the VM (in Cactus or a future release)?

If not, could it be done manually such that it wouldn't interfere with the iptables rules that OpenStack creates?

BTW, we're using OpenStack Cactus and VLANManager.

Thanks, Everett


1 answer


answered 2011-08-25 20:45:26 -0500

everett-toews

Turns out (for us) this was a symptom of an overzealous NAT rule in iptables. We're hiding all of our compute nodes behind our management node (aka cloud controller) on a private network and need to do NAT so our compute nodes can get updates and the like from the Internet.

These are the rules we used.

iptables -A FORWARD -i eth0 -o eth1 -s -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE

However, if you look at the MASQUERADE rule the last command creates:

root@dair-ua-v01:~# iptables -t nat -L -n -v | grep MASQ
5071 700K MASQUERADE all -- * *

It covers all IPs, including the VMs. A more sensible MASQUERADE rule is:

iptables -t nat -A POSTROUTING -s -j MASQUERADE

This only covers NATing for the compute nodes. Once that rule was in place, traffic from the outside world showed up with the proper IP address.

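As an added example (not code from the question or the answer), here is a check an operator could run on the cloud controller to catch the kind of rule the answer describes: it parses `iptables -t nat -S POSTROUTING` output and flags MASQUERADE/SNAT rules that are neither restricted with `-s` to the compute-node subnet nor pinned with `-o` to the external interface, so they would also rewrite the source of traffic forwarded to VMs. The sample rule text, the 10.10.0.0/24 compute subnet and the interface names are constructed assumptions; it reads the constructed text instead of calling iptables so it runs anywhere.

```python
import ipaddress
import shlex

# Constructed sample `iptables -t nat -S POSTROUTING` output (not from the page);
# the first MASQUERADE rule is the overly broad one the answer describes.
SAMPLE_RULES = """\
-P POSTROUTING ACCEPT
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -s 10.10.0.0/24 -j MASQUERADE
-A POSTROUTING -s 0.0.0.0/0 -o eth1 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
"""

def parse_rule(line):
    """Extract source match, output interface and target from one `iptables -S` line."""
    toks = shlex.split(line)
    rule = {"raw": line, "src": None, "src_negated": False, "out": None, "target": None}
    for i, tok in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if tok == "!" and nxt in ("-s", "--source"):
            rule["src_negated"] = True          # "! -s X" matches everything except X
        elif tok in ("-s", "--source"):
            rule["src"] = ipaddress.ip_network(nxt, strict=False)
        elif tok in ("-o", "--out-interface"):
            rule["out"] = nxt
        elif tok in ("-j", "--jump"):
            rule["target"] = nxt
    return rule

def audit_masquerade(rules_text, nat_subnet, external_if):
    """Return NAT rules that also rewrite traffic whose source lies outside nat_subnet."""
    nat_subnet = ipaddress.ip_network(nat_subnet)
    findings = []
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if not line.startswith("-A ") or rule["target"] not in ("MASQUERADE", "SNAT"):
            continue
        src = rule["src"]
        # Scoped if -s lies inside the compute-node subnet (and is not negated), or if
        # -o pins the rule to the external interface so VM-bound forwards never match.
        scoped_by_src = (src is not None and not rule["src_negated"]
                         and src.version == nat_subnet.version and src.subnet_of(nat_subnet))
        if not (scoped_by_src or rule["out"] == external_if):
            findings.append(line)
    return findings

if __name__ == "__main__":
    for bad in audit_masquerade(SAMPLE_RULES, "10.10.0.0/24", "eth0"):
        print("overly broad NAT rule:", bad)
```

On a live controller, feed it the real output of `iptables -t nat -S POSTROUTING` and your own compute subnet and external interface.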


Last updated: Aug 25 '11