Comments
kh...@google.com <kh...@google.com> #2
Can you give me examples of application(s) which have been impacted by this behavior?
be...@gmail.com <be...@gmail.com> #3
One affected application is TeamSpeak, but this is valid for any situation in which a server-side application makes the (relatively reasonable) assumption that the IP address it's explicitly bound to is the same address clients will connect to.
kh...@google.com <kh...@google.com> #4
I have forwarded this request to the engineering team. We will update this issue with any progress updates and a resolution.
go...@google.com <go...@google.com> #5
Adding the external IP to a local interface is just as you said:
ip addr add <IPADDRESS>/32 dev eth0 label eth0:shortlabel
To remove it, replace 'add' with 'del'.
For figuring out the external IP of the network load balancer you can take a look at the code in https://github.com/GoogleCloudPlatform/compute-image-packages/blob/master/google-daemon/usr/share/google/google_daemon/address_manager.py .
According to that script, you can get the network load balancer IPs configured on the VM by running (there can be more than one):
ip route ls table local type local dev eth0 scope host proto 66
What I do is to run a cronjob every minute that synchronizes the IPs from 'ip route ls' and the IPs configured on eth0 that have the eth0:shortlabel label.
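Added example, not part of the original comment and not Google's code: one way to write the synchronization described in comment #5, computing which addresses to add to or remove from eth0 so that the eth0:shortlabel aliases match the `proto 66` routes. The function names, the `--apply`/`--demo` switches and the sample `ip` output are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: reconcile eth0:shortlabel aliases with the forwarded IPs.
DEV=eth0                # interface named in the comment above
LABEL=eth0:shortlabel   # label named in the comment above

# First IPv4-shaped token on each line of `ip route ls` output.
parse_route_ips() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; break } }' |
        sort -u
}

# Address column of `ip -o -4 addr show` output, prefix length stripped.
parse_addr_ips() {
    awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4 }' | sort -u
}

# $1 = wanted IPs, $2 = configured IPs; prints "add IP" / "del IP" lines.
plan_sync() {
    for ip in $1; do
        printf '%s\n' "$2" | grep -Fxq -- "$ip" || echo "add $ip"
    done
    for ip in $2; do
        printf '%s\n' "$1" | grep -Fxq -- "$ip" || echo "del $ip"
    done
}

# Constructed sample output (not captured from a real VM).
SAMPLE_ROUTES='local 104.155.66.4 proto 66 scope host
local 198.51.100.20 proto 66 scope host'
SAMPLE_ADDRS='2: eth0    inet 104.155.66.4/32 scope global eth0:shortlabel\       valid_lft forever preferred_lft forever
2: eth0    inet 203.0.113.7/32 scope global eth0:shortlabel\       valid_lft forever preferred_lft forever'

demo_plan() {
    plan_sync "$(printf '%s\n' "$SAMPLE_ROUTES" | parse_route_ips)" \
              "$(printf '%s\n' "$SAMPLE_ADDRS" | parse_addr_ips)"
}

# Real run (needs root): read both sides from `ip` and apply the difference.
sync_addresses() {
    wanted=$(ip route ls table local type local dev "$DEV" scope host proto 66 | parse_route_ips)
    have=$(ip -o -4 addr show dev "$DEV" label "$LABEL" | parse_addr_ips)
    plan_sync "$wanted" "$have" | while read -r action addr; do
        ip addr "$action" "$addr/32" dev "$DEV" label "$LABEL"
    done
}

case "${1:-}" in
    --apply) sync_addresses ;;
    --demo)  demo_plan ;;
esac
```

Run with `--demo` to print the plan for the sample data; a cron entry would call the script with `--apply` as root.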
sa...@gmail.com <sa...@gmail.com> #6
2gonza...
It didn't help.
But it's strange.
Before I did
ip addr add <IPADDRESS>/32 dev eth0 label eth0:shortlabel
I could telnet to my port, and afterwards I couldn't.
But I could telnet to port 22.
So:
1) Before ip addr add <IPADDRESS>/32 dev eth0 label eth0:shortlabel
telnet 104.155.66.4 22 - OK
telnet 104.155.66.4 9042 - OK
After ip addr add <IPADDRESS>/32 dev eth0 label eth0:shortlabel
telnet 104.155.66.4 22 - OK
telnet 104.155.66.4 9042 - Connection refused
ry...@gmail.com <ry...@gmail.com> #7
Have there been any known updates to this topic in another issue?
ov...@gmail.com <ov...@gmail.com> #8
Any update?
[Deleted User] <[Deleted User]> #9
Any update?
he...@gmail.com <he...@gmail.com> #10
Any update?
ze...@gmail.com <ze...@gmail.com> #11
I think this can basically be achieved on Linux on GCE via un-nat-ting in input (prerouting) and re-nat-ting in output (postrouting). I've been using something which is roughly the following:
#!/bin/bash
main() {
  case "$(hostname)" in
    your-vm-hostname) # This is your VM's hostname (allows use of same script on multiple VMs)
      local -r GW_IP=10.1.0.1 # This is the gateway
      local -r MY_IP=10.1.0.2 # This is the VM internal static IP
      local -r EXT_IP=123.4.5.6 # This is the VM external static IP
      ;;
    *)
      echo "Unknown hostname $(hostname)." 1>&2
      return 1
      ;;
  esac
  echo "Hostname($(hostname)) MY_IP[${MY_IP}] GW_IP[${GW_IP}] EXT_IP[${EXT_IP}]"
  # Make the external IP a local address so applications can bind to it.
  ip addr add "${EXT_IP}/32" dev eth0
  # Inbound: skip traffic from other interfaces and from private/reserved sources,
  # then rewrite the internal destination back to the external IP (un-NAT).
  iptables -t nat -F PREROUTING
  iptables -t nat -A PREROUTING ! -i eth0 -j ACCEPT
  iptables -t nat -A PREROUTING -s 0.0.0.0/8 -j ACCEPT
  iptables -t nat -A PREROUTING -s 10.0.0.0/8 -j ACCEPT
  iptables -t nat -A PREROUTING -s 100.64.0.0/10 -j ACCEPT
  iptables -t nat -A PREROUTING -s 127.0.0.0/8 -j ACCEPT
  iptables -t nat -A PREROUTING -s 169.254.0.0/16 -j ACCEPT
  iptables -t nat -A PREROUTING -s 172.16.0.0/12 -j ACCEPT
  iptables -t nat -A PREROUTING -s 192.168.0.0/16 -j ACCEPT
  iptables -t nat -A PREROUTING -s 224.0.0.0/3 -j ACCEPT
  iptables -t nat -A PREROUTING -d "${MY_IP}" -j DNAT --to-destination "${EXT_IP}"
  # Outbound: rewrite the external source to the internal IP (re-NAT).
  iptables -t nat -F POSTROUTING
  iptables -t nat -A POSTROUTING -o eth0 -s "${EXT_IP}" -j SNAT --to-source "${MY_IP}"
  # Routes: private ranges keep the internal source address,
  # everything else is sourced from the external IP.
  ip -4 route del default
  ip -4 route del "${GW_IP}" dev eth0 scope link
  ip -4 route add "${GW_IP}" dev eth0 scope link src "${MY_IP}"
  for SUBNET in 10.0.0.0/8 100.64.0.0/10 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 ; do
    ip -4 route del "${SUBNET}"
    ip -4 route add "${SUBNET}" via "${GW_IP}" dev eth0 src "${MY_IP}"
  done
  ip -4 route add default via "${GW_IP}" dev eth0 src "${EXT_IP}"
}
main "$@"; exit
ov...@gmail.com <ov...@gmail.com> #12
Thank you for this hack. So you rewrite the public IP with the private IP at the kernel level (iptables), and the end application does not notice anything.
Maybe Google will support a simpler solution in the future, as other cloud providers do.
Just provide two interfaces, one for the public and another one for the private network.
Alex
Description
For example, you have an application that needs to bind to an interface using the IP address. You specify the local IP which translates to the static external IP. The problem is, the application pushes this as the IP to use for clients to connect. It basically renders the application useless and since some applications are not open source, we're unable to modify it to work properly with the odd networking style GCE instances use.
I know I can set up a network load balancer pool and specify that public IP address in the application config. The thing is, why should we have to pay $20+ extra for basic functionality that should come with a VPS instance?
I don't know how possible it would be to do this but I was thinking, would it be possible to add an eth0:1 with the instance external IP and then do some type of translation on the networking side? Obviously I have no clue how any of the networking backend is set up so I'm just spitballin'.
Thanks for hearing me out,
Jameson