1

I have a problem with my VPS. Simple example:

<?php $ip = $_SERVER['REMOTE_ADDR'];
echo "User IP : " . $ip;
?>

That code should display the user's IP address, but it's showing the HN IP address (not the VPS IP address).

Again, when I log in via ssh to the virtual container, the IP that gets logged is the hardware node's IP.

A similar issue is here: OpenVZ Host is the source IP address rather than actual web surfers?

Here is the OpenVZ configuration:

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1

# Controls source route verification
net.ipv4.conf.all.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 1

# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Controls the maximum size of a message, in bytes
kernel.msgmnb = 65536

# Controls the default maximum size of a message queue
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296
# Disable proxy arp
net.ipv4.conf.default.proxy_arp = 0
# We do not want all our interfaces to send redirects
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.ip_conntrack_max=32760

IPTables config

[root@nod1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
           all  --  clienti.alba.rdsnet.ro  anywhere
           all  --  anywhere             clienti.alba.rdsnet.ro
           all  --  clienti.alba.rdsnet.ro  anywhere
           all  --  anywhere             clienti.alba.rdsnet.ro
           all  --  clienti.alba.rdsnet.ro  anywhere
           all  --  anywhere             clienti.alba.rdsnet.ro

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-ho      

Can someone please help me? Also, I'm not an expert, so if someone can explain step by step, I would really appreciate it.

4 Answers

2

OK, so here is what I've done. I've stopped the iptables service and removed the section with mangle and nat from /etc/sysconfig/iptables. As instructed by Adam, I've removed "iptable_mangle" from the file /etc/sysconfig/vz in the section "## IPv4 iptables kernel modules". I did:

iptables -t nat -L
iptables -t mangle -L

I've restarted the iptables service and the problem was solved.

Now I can see my private IP in the server log :D

Many thanks to Adam for pointing out the mangle and nat.

Good luck!
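To find which nat rule on the hardware node causes this symptom before deleting the whole section, the `iptables-save` output can be scanned for source-NAT rules that are not limited to container-originated or uplink-bound traffic. This is an added example, not the poster's rules or script; the sample dump is constructed, and `eth0` (uplink), `venet0` (container side), `10.0.0.0/24` (container subnet) and `192.0.2.10` are assumptions.

```python
import ipaddress
import shlex

# Constructed `iptables-save` output for a hardware node; not the poster's rules.
# Assumed names: eth0 = uplink, venet0 = container side, 10.0.0.0/24 = containers.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -o venet0 -j SNAT --to-source 192.0.2.10
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -j ACCEPT
COMMIT
"""

def _opt(args, *flags):
    """Value of the first non-negated occurrence of a flag, else None."""
    for i, tok in enumerate(args[:-1]):
        if tok in flags and args[i + 1] != "!" and (i == 0 or args[i - 1] != "!"):
            return args[i + 1]
    return None

def risky_source_nat(dump, uplink="eth0", ct_net="10.0.0.0/24"):
    """Return nat POSTROUTING rules that can rewrite the source address of
    client traffic forwarded into containers."""
    containers = ipaddress.ip_network(ct_net)
    table, findings = None, []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        if table != "nat" or not line.startswith("-A POSTROUTING"):
            continue
        args = shlex.split(line)
        if _opt(args, "-j", "--jump") not in ("SNAT", "MASQUERADE"):
            continue
        src = _opt(args, "-s", "--source")
        try:
            from_ct = bool(src) and ipaddress.ip_network(src, strict=False).subnet_of(containers)
        except (ValueError, TypeError):
            from_ct = False
        # Safe only if limited to container-sourced traffic or to the uplink;
        # negated matches are treated as unrestricted and therefore flagged.
        if not from_ct and _opt(args, "-o", "--out-interface") != uplink:
            findings.append(line)
    return findings
```

On a real node the input would be the text printed by `iptables-save`; any rule returned is a candidate for the one that replaces visitors' addresses with the node's own.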

0

Could you please paste an output of your iptables config? Have you tried what Jerry Tunin suggested as a potential solution?

iptables -t nat -L
iptables -t mangle -L
Adam Benayoun
  • Hi, yes I did, but with no luck. Do I need to restart the VPS to see the effect? Thanks. –  Aug 05 '10 at 16:37
0

You most probably have a loopback device on all of your VPS machines, thus please try removing it from the overall configuration, or for testing purposes access the VPS and type:

ifconfig lo down

Then check the outgoing IP once again.

Best Regards, B.Bozhev

0

Do you have a proxy in your HN that sends the request to the server in the CT?

If that's your case, you should tell your proxy to forward the client IP to your CT server, and then read the X-Forwarded-For header.

Leandro López
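If a proxy on the hardware node is in the path, the X-Forwarded-For header should be honoured only when the TCP peer is that proxy, because any client can send the header itself. The following is an added example, not code from the answer; the proxy address `192.0.2.10` and the client addresses are constructed placeholders, and `remote_addr` stands for the value the question's PHP reads from `$_SERVER['REMOTE_ADDR']`.

```python
import ipaddress

# Assumption: the reverse proxy on the hardware node connects to the container
# from this address (placeholder from the documentation range).
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]

def _parse(value):
    """Parse one address, returning None for anything malformed."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None

def _trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def client_ip(remote_addr, xff_header=None):
    """Pick the address to log: the TCP peer, unless the peer is a trusted
    proxy, in which case walk X-Forwarded-For right to left past trusted hops."""
    peer = _parse(remote_addr)
    if peer is None:
        raise ValueError("bad REMOTE_ADDR")
    if not _trusted(peer) or not xff_header:
        return str(peer)  # header ignored: a direct client can forge it
    candidate = peer
    for hop in reversed(xff_header.split(",")):
        addr = _parse(hop)
        if addr is None:
            break  # malformed entry: keep the last address we could verify
        candidate = addr
        if not _trusted(addr):
            break  # first hop not under our control is the client as seen by the proxy
    return str(candidate)

if __name__ == "__main__":
    # Constructed requests: (TCP peer, X-Forwarded-For value)
    for peer, xff in [("203.0.113.7", "198.51.100.1"),
                      ("192.0.2.10", "203.0.113.99, 198.51.100.23")]:
        print(peer, "->", client_ip(peer, xff))
```

Entries to the left of the one the trusted proxy appended are client-supplied and are never returned.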