Help on Glacier2 and port forwarding!!!

[soloman817]

I was confused by using glacier2 in port forwarding for one day, who can help me?

Descript my network env first:

+---------+
| Host A |
+---------+
10.7.0.1/8
|
10.10.10.42/8 (eth0)
+---------+
| Firewall |
+---------+
30.30.30.42/8 (eth1)
|
30.30.30.203/8
+---------+
| Host B |
+---------+

First, I start a sessionserver on Host A of 10001 port
then I start glacier2 on Host A of 10005 port
I use firewall as a route only first, that works, and all traffic is under 10005 tunnel, seems great. (the route on Host B is set to 10.7.0.1:10005)

then i set firewall rule like this:
SNAT on eth1 with masq addr 30.30.30.42
DNAT 30.30.30.42:10005 -> 10.7.0.1:10005 (my glacier2 port)

I change Host B Router setting to 30.30.30.42:10005:
Ice.Default.Router=Glacier2/router:tcp -h 30.30.30.42 -p 10005

The glacier config in Host A is like this :
Glacier2.Client.Endpoints=tcp -h 10.7.0.1 -p 10005
Glacier2.AllowCategories=IcePack
Glacier2.SessionManager=sessionmanager:tcp -h 10.7.0.1 -p 10001
Glacier2.PermissionsVerifier=verifier:tcp -h 10.7.0.1 -p 10001
Ice.Default.Locator=IcePack/Locator:tcp -h 10.7.0.1 -p 20000
(I start IcePackRegistry on 10.7.0.1 on 20000)


my code running on Host B is like this: (python)
router = communicator.getDefaultRouter()
router = Glacier2.RouterPrx.checkedCast(router)
router.createSession("aaa", "111")
print "SetRouterOK"
query = IcePack.QueryPrx.checkedCast(communicator.stringTo Proxy('IcePack/Query'))
...

I failed with such like output:
SetRouterOK
Traceback(most recent call last):
File "indexdumper.py", line 97, in ?
status = run(sys.argv, communicator)
File "indexdumper.py", line 58, in run
query = IcePack.QueryPrx.checkedCast(communicator.stringTo Proxy('IcePack/Query'))
File "F:\newwork\Ice-2.0.0\python\IcePack_Query_ice.py", line 59, in checkedCast...
ConnectionLostException: Ice.ConnectionLostException:
recv() returned zero

I tried tcpdump on Firewall eth1, which i got some strange packet from 30.30.30.203:

,nop,sackOK> (DF)
18:02:47.874251 30.30.30.203.1387 > 30.30.30.42.10005: . ack 1 win 65535 (DF)
18:02:47.890323 30.30.30.42.10005 > 30.30.30.203.1387: P 1:15(14) ack 1 win 65535 (DF)
18:02:47.890662 30.30.30.203.1387 > 30.30.30.42.10005: P 1:71(70) ack 15 win 65521 (DF)
18:02:47.938255 30.30.30.42.10005 > 30.30.30.203.1387: P 15:41(26) ack 71 win 65465 (DF)
18:02:47.938681 30.30.30.203.1387 > 30.30.30.42.10005: P 71:142(71) ack 41 win 65495 (DF)
18:02:48.098134 30.30.30.42.10005 > 30.30.30.203.1387: . ack 142 win 65394 (DF)
18:02:48.141317 30.30.30.42.10005 > 30.30.30.203.1387: P 41:134(93) ack 142 win 65394 (DF)
18:02:48.340190 30.30.30.203.1387 > 30.30.30.42.10005: . ack 134 win 65402 (DF)
18:02:48.366134 30.30.30.203.1387 > 30.30.30.42.10005: P 142:200(58) ack 134 win 65402 (DF)
18:02:48.406012 30.30.30.42.10005 > 30.30.30.203.1387: P 134:196(62) ack 200 win 65336 (DF)
18:02:48.406751 30.30.30.203.1390 > 10.7.0.1.10005: S 4155770398:4155770398(0) win 65535 <mss 1460,nop,nop,sackOK> (DF
18:02:48.407062 10.7.0.1.10005 > 30.30.30.203.1390: S 3585976256:3585976256(0) ack 4155770399 win 65535 <mss 1460,nop,
p,sackOK> (DF)
18:02:48.407218 30.30.30.203.1390 > 10.7.0.1.10005: . ack 1 win 65535 (DF)
18:02:48.427611 10.7.0.1.10005 > 30.30.30.203.1390: P 1:15(14) ack 1 win 65535 (DF)
18:02:48.428053 30.30.30.203.1387 > 30.30.30.42.10005: P 200:271(71) ack 196 win 65340 (DF)
18:02:48.478234 30.30.30.42.10005 > 30.30.30.203.1387: P 196:221(25) ack 271 win 65265 (DF)
18:02:48.478614 30.30.30.203.1390 > 10.7.0.1.10005: P 1:67(66) ack 15 win 65521 (DF)
18:02:48.520785 10.7.0.1.10005 > 30.30.30.203.1390: F 15:15(0) ack 67 win 65469 (DF)
18:02:48.520980 30.30.30.203.1390 > 10.7.0.1.10005: . ack 16 win 65521 (DF)
18:02:48.570635 30.30.30.203.1390 > 10.7.0.1.10005: F 67:67(0) ack 16 win 65521 (DF)
18:02:48.570881 10.7.0.1.10005 > 30.30.30.203.1390: . ack 68 win 65469 (DF)
18:02:48.640613 30.30.30.203.1387 > 30.30.30.42.10005: . ack 221 win 65315 (DF)
18:02:48.743843 30.30.30.203.1387 > 30.30.30.42.10005: P 271:285(14) ack 221 win 65315 (DF)

if you look carefully, you can see the strange 30.30.30.203.1390 > 10.7.0.1.10005, which is not normal, why it's in 10 net ip? not 30 ip?

anybody can help me? and anybody can tell me how to deploy glacier2 under port forwording env? Thanks...

[benoit]

Can you try to add the following property to your Glacier2 configuration file?

Glacier2.Client.PublishedEndpoints=ssl -h 30.30.30.42 -p 10005

This should hopefully fix your issue!

Benoit.

[soloman817]

Thanks alot, I'll try right now!

by the way, do I need to establish a SSL env? I use the simple auth server: sessionserver, which do nothing for auth, do I need change this?

I'm not familiy with SSL.

[soloman817]

Great!!! It works!!! Thanks.

It seems like Glacier should be configured as a SNAT gateway.