Need help.
I'm trying to forward all traffic to a public server (A) to another public server (B) except traffic to port 22. Found this on Google but can't get it to work. Could someone help me please. Server A has one NIC, server B has one NIC. Do I need 2 NICs in server A?
#!/bin/sh
# flush every chain, delete user chains and reset the default policies
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -X
iptables -F -t nat
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# let the kernel route packets between hosts
echo 1 > /proc/sys/net/ipv4/ip_forward
# rewrite the destination of everything except TCP/22 to server B ("IP B" is the placeholder for B's address)
iptables -t nat -A PREROUTING -i eth0 --protocol tcp --destination-port ! 22 -j DNAT --to-destination "IP B"
iptables -t nat -A PREROUTING -i eth0 --protocol udp -j DNAT --to-destination "IP B"
# END
/etc/rc.d/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination

Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:!22 to:"IP B"
2    DNAT       udp  --  0.0.0.0/0            0.0.0.0/0           to:"IP B"

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
/Morten.
Morten Sundstrøm wrote:
Need help.
I'm trying to forward all traffic to a public server (A) to another public server (B) except traffic to port 22. Found this on Google but can't get it to work. Could someone help me please.
Is server (B) behind server (A)? It's been a while, but last time I checked you couldn't do forwarding to a system unless that system was behind the system that was doing the forwarding using normal iptables.
What I do is use a specialized utility; there are two such utilities that I know of that handle TCP forwarding in this manner: rinetd and redir.
The only downside is the destination system will not see any of the original IP addresses connecting, it will only see IPs of the system doing the forwarding.
I don't think either rinetd or redir are available in the default CentOS installation; you probably have to find them elsewhere on the net.
As for non-TCP stuff, I don't know off the top of my head.
nate
nate wrote:
Morten Sundstrøm wrote:
Need help.
I'm trying to forward all traffic to a public server (A) to another public server (B) except traffic to port 22. Found this on Google but can't get it to work. Could someone help me please.
Is server (B) behind server (A)? It's been a while, but last time I checked you couldn't do forwarding to a system unless that system was behind the system that was doing the forwarding using normal iptables.
What I do is use a specialized utility; there are two such utilities that I know of that handle TCP forwarding in this manner: rinetd and redir.
The only downside is the destination system will not see any of the original IP addresses connecting, it will only see IPs of the system doing the forwarding.
I don't think either rinetd or redir are available in the default CentOS installation; you probably have to find them elsewhere on the net.
As for non-TCP stuff, I don't know off the top of my head.
nate
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Server B is not behind server A; they are two different machines on different public networks.
/Morten
Morten Sundstrøm wrote:
I'm trying to forward all traffic to a public server (A) to another public server (B) except traffic to port 22. Found this on Google but can't get it to work. Could someone help me please. Server A has one NIC, server B has one NIC. Do I need 2 NICs in server A?
Server B is not behind server A; they are two different machines on different public networks.
Offhand, I'd suggest setting up a VPN between the two servers, perhaps using OpenVPN, configured so server "A" is masquerading the VPN's private addresses, and use ip masquerade style port forwarding to server B's private VPN address.
This still leaves some questionable scenarios... for instance, assuming server B has its own default gateway (which, indeed, it needs for various reasons), if an FTP connection request comes in via server A's port forwarding and NAT, the handling of the FTP dynamic 'data' port will get messy. The same applies to any other protocol that generates dynamic requests.
For that matter, server "B"-generated outbound traffic, like, for instance, email... is that to be forwarded out through A?
John R Pierce wrote:
Morten Sundstrøm wrote:
I'm trying to forward all traffic to a public server (A) to another public server (B) except traffic to port 22. Found this on Google but can't get it to work. Could someone help me please. Server A has one NIC, server B has one NIC. Do I need 2 NICs in server A?
Server B is not behind server A; they are two different machines on different public networks.
Offhand, I'd suggest setting up a VPN between the two servers, perhaps using OpenVPN, configured so server "A" is masquerading the VPN's private addresses, and use ip masquerade style port forwarding to server B's private VPN address. This still leaves some questionable scenarios... for instance, assuming server B has its own default gateway (which, indeed, it needs for various reasons), if an FTP connection request comes in via server A's port forwarding and NAT, the handling of the FTP dynamic 'data' port will get messy. The same applies to any other protocol that generates dynamic requests.
For that matter, server "B"-generated outbound traffic, like, for instance, email... is that to be forwarded out through A?
No, nothing will go back from B through A; traffic from B will go directly to the querying host. Sort of like manipulating the header of every packet, changing the destination IP to the new destination IP, and letting the new destination host answer the query. Maybe I'm way off here :) and if I am then someone just say it and I will forget the whole thing.
/Morten
Morten Sundstrøm wrote:
No, nothing will go back from B through A; traffic from B will go directly to the querying host. Sort of like manipulating the header of every packet, changing the destination IP to the new destination IP, and letting the new destination host answer the query. Maybe I'm way off here :) and if I am then someone just say it and I will forget the whole thing.
I think it is the wrong answer to any possible problem (compared to changing DNS or whatever it takes to make the connection request go to the right place on its own). Your iptables DNAT line would work to get the packet to the other host, and you should be able to see that with tcpdump. However, when host B responds back to the original source address, it won't complete a connection to the socket waiting for something from host A.
Morten Sundstrøm wrote:
No, nothing will go back from B through A; traffic from B will go directly to the querying host. Sort of like manipulating the header of every packet, changing the destination IP to the new destination IP, and letting the new destination host answer the query. Maybe I'm way off here :) and if I am then someone just say it and I will forget the whole thing.
Yeah, that flat won't work.
client C sends packet with source address: C, destination address: A, port P
A forwards packet to B with src: C, dest: B, port P
B replies to C with src: B, dest: C
C goes 'wtf is this packet? I don't have any open socket like this' and rejects it.
Rather...
client C sends packet with source address: C, destination address: A, port P
A forwards packet to B with src: C, dest: B, port P
B replies to A with src: B, dest: C
A forwards response to C with src: A, dest: C,
and this response packet matches C's open outbound socket and is accepted.
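A rule set for server A that implements the second exchange (replies routed back through A by adding SNAT to the poster's DNAT-only script), added here as an example and not code from the thread; the addresses and interface name are constructed placeholders, and the script only prints the rules unless invoked with `apply`:

```shell
#!/bin/sh
# Added example, not from the thread: DNAT on server A *plus* SNAT so that
# B's replies come back through A and match the client's open socket.
# A_IP, B_IP and WAN_IF are constructed placeholders; override via env.
A_IP="${A_IP:-203.0.113.10}"     # server A public address (constructed)
B_IP="${B_IP:-198.51.100.20}"    # server B public address (constructed)
WAN_IF="${WAN_IF:-eth0}"         # A's single NIC, used both in and out

# Print the rule set, one command per line, so it can be reviewed or
# diffed before it is applied. Nothing here touches the kernel.
build_rules() {
    a="$1"; b="$2"; ifc="$3"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -F
iptables -F FORWARD
# SSH stays on A itself; every other TCP port and all UDP goes to B
iptables -t nat -A PREROUTING -i $ifc -d $a -p tcp ! --dport 22 -j DNAT --to-destination $b
iptables -t nat -A PREROUTING -i $ifc -d $a -p udp -j DNAT --to-destination $b
# SNAT is the missing piece: B now answers A, and conntrack un-NATs the reply.
# Side effect noted in the thread: B only ever sees A's address, not the client's.
iptables -t nat -A POSTROUTING -o $ifc -d $b -j SNAT --to-source $a
# Hairpin forwarding on the one interface, restricted to tracked flows
iptables -A FORWARD -i $ifc -o $ifc -d $b -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $ifc -o $ifc -s $b -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
EOF
}

# Check that the generated set carries both translations; a DNAT-only set
# (like the one at the top of the thread) fails this check.
rules_complete() {
    out=$(build_rules "$1" "$2" "$3")
    echo "$out" | grep -q -- '-j DNAT' && echo "$out" | grep -q -- '-j SNAT'
}

# Run as "sh forward.sh apply" (as root) to execute; any other invocation
# only prints the rules.
if [ "${1:-}" = "apply" ]; then
    build_rules "$A_IP" "$B_IP" "$WAN_IF" | sh -e
else
    build_rules "$A_IP" "$B_IP" "$WAN_IF"
fi
```

The FTP data-port and B's own outbound mail traffic raised earlier are not covered by this; those flows never pass through A and so are neither tracked nor translated.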
2008/11/4 Morten Sundstrøm morten@coretek.no:
No, nothing will go back from B through A; traffic from B will go directly to the querying host. Sort of like manipulating the header of every packet
Sounds like what LVS (Linux Virtual Server) ldirectord does in a "DR" setup: host "A" publishes a virtual IP, receives packets from the world, and redirects them at the Ethernet level to host B (which is on the same Ethernet segment), which then generates IP packets with the virtual IP as the source address and the initial client as the destination, allowing host B to send the reply directly to the client through its router without bothering the ldirectord.
Is this what you are trying to achieve?
--Amos
Amos Shapira wrote:
2008/11/4 Morten Sundstrøm morten@coretek.no:
No, nothing will go back from B through A; traffic from B will go directly to the querying host. Sort of like manipulating the header of every packet
Sounds like what LVS (Linux Virtual Server) ldirectord does in a "DR" setup: host "A" publishes a virtual IP, receives packets from the world, and redirects them at the Ethernet level to host B (which is on the same Ethernet segment), which then generates IP packets with the virtual IP as the source address and the initial client as the destination, allowing host B to send the reply directly to the client through its router without bothering the ldirectord.
Is this what you are trying to achieve?
Um, about 3 weeks ago, when this discussion was active, the original poster stated that servers A and B were... "two different machines on different public networks."
I think that precludes a direct Ethernet connection.